[Freeipa-users] Unable to login where previously OK

[Jakub Hrozek]

On Thu, Apr 12, 2012 at 04:09:20AM +0000, Steven Jones wrote:
> Hi,
> 
> I have a user, myself that used to be able to login to a specific IPA client / host but I am no longer able to....
> 
> The /var/log/secure log  appears to be telling me my password is wrong, so I reset it in IPA, but on initial login I cant put in the temp password and then reset it....I still get denied. I am also having a similar problem for a new user....
> 
> So I went to another client/host and I can login and set a new password...so IPA looks to be OK....so its either a rule or the client/host is broken....
> 
> next I went into the allow_all HBAC policy and turned it back on but I am still denied.....
> 
> So where do I look for a specific failure msg to tell me the issue?  I assume its the host/client side....
> 

Can you paste what /var/log/secure or /var/log/messages had to say? If
there is nothing to trace the error with, can you enable debugging(*) in SSSD
and paste the relevant contents of the SSSD log?

(*) put debug_level=6 or higher into the [domain/*] section of the SSSD,
service sssd restart, retry the login