SSSD logs would show this better, but I wonder if this is related to also using 
the AD domain name in the simple access filter. Do logins work if you use the 
name of the sssd section there instead of the AD domain name? Or, do the logins 
work if you comment out the access provider for a test?

> On 3 Sep 2018, at 10:32, D R <d...@fedoraproject.org> wrote:
> 
> A user belonging to the Simple Users group is resolved correctly via either 
> one of these commands:
> 
> id simpleuser@FOOBAR_NOLOGIN.GLOBAL
> id simpleuser@FOOBAR.GLOBAL
> 
> Similarly, a user belonging to the Administrators group can be seen via 
> either one of these commands:
> 
> id adminuser@FOOBAR_ADMINS.GLOBAL
> id adminuser@FOOBAR.GLOBAL
> 
> However, no user is able to log in.  I've tried all these commands:
> 
> ssh simpleuser@FOOBAR_NOLOGIN.GLOBAL@<server>
> ssh simpleuser@FOOBAR.GLOBAL@<server>
> ssh adminuser@FOOBAR_ADMINS.GLOBAL@<server>
> ssh adminuser@FOOBAR.GLOBAL@<server>
> 
> Here's the ssh -vvv output after <server> requests the password:
> 
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> Authentication failed.
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org