Thanks a lot, it works. Changed
simple_allow_groups = Simple Users(a)FOOBAR.GLOBAL
to
simple_allow_groups = Simple Users(a)FOOBAR_NOLOGIN.GLOBAL
and it works as intended.
One thing to keep in mind: These AD users must now be referenced in Linux (e.g.
in /etc/sudoers) not by their AD domain
SSSD logs would show this better, but I wonder if this is related to also using
the AD domain name in the simple access filter. Do logins work if you use the
name of the sssd section there instead of the AD domain name? Or, do the logins
work if you comment out the access provider for a test?
A user belonging to the Simple Users group is resolved correctly via either
one of these commands:
id simpleuser@FOOBAR_NOLOGIN.GLOBAL
id simpleuser@FOOBAR.GLOBAL
Similarly, a user belonging to the Administrators group can be seen via either
one of these commands:
id
> On 31 Aug 2018, at 17:34, Daniele Raffo wrote:
>
> Hello,
>
> I'm trying to define two sssd groups in order to assign a different login
> shell to AD users belonging to two different AD groups in our domain
> FOOBAR.GLOBAL.
> However, all users are unable to log in and get an error
If you're reading this via web, note that the @ sign got mutated to (a) in the
simple_allow_groups configuration lines.
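An added example, not part of the original thread or of SSSD itself: a small lint for sssd.conf that flags simple_* access entries whose @suffix is not the name of the enclosing [domain/...] section, which is the condition the fix reported above removed. The sample config is constructed, and the function name find_mismatched_qualifiers is hypothetical.

```python
import configparser

# Constructed sample modelled on this thread; the section layout and the
# Administrators line are assumptions, not the poster's actual sssd.conf.
SAMPLE_CONF = """
[domain/FOOBAR.GLOBAL]
access_provider = simple
simple_allow_groups = Administrators@FOOBAR.GLOBAL

[domain/FOOBAR_NOLOGIN.GLOBAL]
access_provider = simple
simple_allow_groups = Simple Users(a)FOOBAR.GLOBAL
"""

SIMPLE_OPTS = ("simple_allow_users", "simple_deny_users",
               "simple_allow_groups", "simple_deny_groups")


def find_mismatched_qualifiers(conf_text):
    """Return (section, option, name) for every simple_* entry whose @suffix
    is not the name of the [domain/...] section that contains it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = section[len("domain/"):]
        for opt in SIMPLE_OPTS:
            for raw in cp.get(section, opt, fallback="").split(","):
                # Undo the web archive's "@" -> "(a)" mangling before parsing.
                name = raw.strip().replace("(a)", "@")
                if "@" not in name:
                    continue  # unqualified name: no suffix to compare
                suffix = name.rsplit("@", 1)[1]
                # Case-insensitive comparison is an assumption of this check.
                if suffix.lower() != domain.lower():
                    findings.append((section, opt, name))
    return findings


if __name__ == "__main__":
    for section, opt, name in find_mismatched_qualifiers(SAMPLE_CONF):
        print(f"[{section}] {opt}: '{name}' is not qualified with the section name")
```

Deny entries are checked as well, since a simple_deny_* name that never matches leaves the intended restriction unenforced.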
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org