Sure - I've got tomorrow off, so it will be Friday morning. cheers L.
------ The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 20 July 2016 at 17:14, Jakub Hrozek <jhro...@redhat.com> wrote: > On Wed, Jul 20, 2016 at 09:28:06AM +1000, Lachlan Musicman wrote: > > On 19 July 2016 at 16:40, Jakub Hrozek <jhro...@redhat.com> wrote: > > > > > On Tue, Jul 19, 2016 at 11:26:02AM +1000, Lachlan Musicman wrote: > > > > I think the thing that frustrates the most is that id > u...@domain.com is > > > > returning correct data on both but they can't login....and I can't > even > > > > show that this is the case because now they can login. Difficult to > > > > reproduce :/ > > > > > > Debugging from HBAC should at least tell you why the rules didn't > > > match... > > > > > > > > > Sorry, I should have been clear - the issue is exactly the same. HBAC > > rejected the user because they weren't in the correct groups, but sssd > > hadn't got the correct number of groups from the AD server, and had > missed > > the group in question. > > Do you have the logs from the server and the client? If yes, feel free > to send them in private mail if they are confidential, I'll try to > find something in them. > > Specifying which groups are missing would help as well. >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project