First, before we go any further: is it supported to use sssd when the client machine's domain differs from the realm name? If not, then the rest of this is moot.

Client box is a RHEL 5.something. I didn't do "ipa-client-install" because I wanted to configure by hand as a test. The client box has a DNS name of stlmoracsbx01.domain.com, and the realm is UNIX.DOMAIN.COM.

I've configured the box with sssd, and I can log in with my personal credentials because I have a wide-open rule for admins. I've created a simple rule for a test user, and it's not working.

[xxx@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
  Rule name: stlmoracsbx01-access
  Source host category: all
  Service category: all
  Enabled: TRUE
  Users: testuser
  Hosts: stlmoracsbx01.domain.com

However:

[xxx@slpidml01 ~]$ ipa hbactest --user=testuser --host=stlmoracsbx01.domain.com --service=sshd
---------------------
Access granted: False
---------------------

And my access:

[xxx@slpidml01 ~]$ ipa hbactest --user=xxx --host=stlmoracsbx01.domain.com --service=sshd
--------------------
Access granted: True
--------------------
  Matched rules: admin access

I also tried opening that host up to everyone:

[jebalicki@slpidml01 ~]$ ipa hbacrule-show stlmoracsbx01-access
  Rule name: stlmoracsbx01-access
  User category: all
  Source host category: all
  Service category: all
  Enabled: TRUE
  Hosts: stlmoracsbx01.domain.com

But the rule fails. I thought maybe there might be something with the user "testuser", so I tried another user and I still get a failure.

Any ideas would be appreciated.

-- 
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6