> You should be able to 'see' them via getent passwd but they should not be > allowed to login when HBAC_ALLOW_ALL is disabled.
Ah, OK, thanks, that's what is happening. I can see them with getent passwd and id, and I can su to them, but I can't log in as them. On the other hand, I also can't log in as a user that SHOULD have permission (as a member of the appropriate AD group), but I'm still troubleshooting that one. David Guertin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project