All,

I know sssctl user-checks <user> will tell you whether this account is conferred login or not. You're looking for line:

pam_acct_mgmt: Success

Is there a utility (or some verbose output on sssctl user-checks) that tells you membership in which group is conferring you access?

I know a commercial product where the equivalent login test outputs something like this:

[root@gordita root]# vastool user checkaccess admben_lee
Access allowed. (RULE ALLOWING: membership in group gbllinuxsup)

Particularly with nested subgroups (bad practice I know) and a user member of 10 - 12 AD groups, it's often a challenge to chase which group membership is allowing login.

Do the sssd logs in debug level 9 give this info?

I just tried this, running sssctl user-checks against myself. I just checked the sssd logs and it says I'm a member of 110 supplemental AD groups! (Luckily not all are UNIX-enabled, so cannot confer me login access.)

I see this in the sssd logs:

(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#2] Checking against allow list group name [ [email protected]].
(2024-10-02 10:22:53): [be[amer.company.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain amer.company.com is Active
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#2] Checking against allow list group name [ [email protected]].
(2024-10-02 10:22:53): [be[amer.company.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain amer.company.com is Active
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x1000): [RID#2] Group [[email protected]] found in allow list, access granted.
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_access_check_done] (0x2000): [RID#2] Group check done
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_access_check_recv] (0x1000): [RID#2] Access granted

So it's in the sssd logs. Is there a simpler command that will give this same info?

Spike White
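Added example, not part of the original message and not an SSSD tool: a small Python filter that pulls the granting group out of simple access provider log lines in the layout quoted above, grouped by domain and request ID. The function name and the sample group names are assumptions made for illustration.

```python
import re
import sys

# Layout copied from the excerpt: (time): [be[domain]] [function] (level): [RID#n] message
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] \[(?P<func>\w+)\] "
                     r"\(0x[0-9a-fA-F]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
CHECKED_RE = re.compile(r"Checking against allow list group name \[\s*([^\]]+?)\s*\]")
GRANTED_RE = re.compile(r"Group \[\s*([^\]]+?)\s*\] found in allow list, access granted")

# Constructed sample; the group names are placeholders, not values from the post.
SAMPLE = """\
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#2] Checking against allow list group name [unix_dba@amer.company.com].
(2024-10-02 10:22:53): [be[amer.company.com]] [sss_domain_get_state] (0x1000): [RID#2] Domain amer.company.com is Active
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#2] Checking against allow list group name [unix_support@amer.company.com].
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_check_groups] (0x1000): [RID#2] Group [unix_support@amer.company.com] found in allow list, access granted.
(2024-10-02 10:22:53): [be[amer.company.com]] [simple_access_check_recv] (0x1000): [RID#2] Access granted
(2024-10-02 10:25:10): [be[amer.company.com]] [simple_check_groups] (0x4000): [RID#5] Checking against allow list group name [unix_dba@amer.company.com].
"""


def summarize_simple_access(lines):
    """Map (domain, RID) -> groups checked, the group that matched, and the final result."""
    requests = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["func"].startswith("simple_"):
            continue  # not a simple access provider line in the expected layout
        req = requests.setdefault((m["domain"], int(m["rid"])), {
            "time": m["ts"], "checked": [], "granting_group": None, "granted": False})
        checked = CHECKED_RE.search(m["msg"])
        granted = GRANTED_RE.search(m["msg"])
        if checked:
            req["checked"].append(checked.group(1))
        elif granted:
            req["granting_group"] = granted.group(1)
        elif m["func"] == "simple_access_check_recv" and m["msg"].strip() == "Access granted":
            req["granted"] = True
    return requests


if __name__ == "__main__":
    # Pass a log file path as the first argument, or run on the constructed sample.
    source = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    for (domain, rid), req in summarize_simple_access(source).items():
        print(f"{req['time']} {domain} RID#{rid}: granted={req['granted']} "
              f"via={req['granting_group']} after checking {len(req['checked'])} group(s)")
```

The log excerpt carries no user name on these lines, so results are keyed by request ID; a request with no "found in allow list" line is reported with no granting group.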
