Hi, I have a problem with access to RHEL 8 servers by SSH. I want to allow access to hosts allowed on the host attribute of the LDAP.. For instance: $ ldapsearch -LLL -Q -Z uid=a-testuser host dn: uid=a-testuser,ou=People,dc=old,dc=domain,dc=net host: rhel801.network.lan $ ldapsearch -LLL -Q -Z uid=a-admin host dn: uid=a-makhov,ou=People,dc=old,dc=domain,dc=net host: * So a-testuser has access to the rhel801 server only and a-admin has access to all servers. But when I try to log in with the a-testuser I get the error: $ ssh a-testuser@rhel801 Password: Connection closed by 10.1.129.99 port 22 a-admin can connect without any issues. The full logs of a-testuser connection are below: (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.getAccountInfo on /sssd (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.pam] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_get_account_info_send] (0x0200): Got request for [0x3][BE_REQ_INITGROUPS][name=a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sss_domain_get_state] (0x1000): Domain OLD.DOMAIN.NET is Active (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_attach_req] (0x0400): [RID#10] DP Request [Initgroups #10]: REQ_TRACE: New request. [sssd.pam CID #4] Flags [0x0001]. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_attach_req] (0x0400): [RID#10] Number of active DP request: 1 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sss_domain_get_state] (0x1000): [RID#10] Domain OLD.DOMAIN.NET is Active (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_id_op_connect_step] (0x4000): [RID#10] reusing cached connection (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_send] (0x4000): [RID#10] Retrieving info for initgroups call (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_id_op_connect_step] (0x4000): [RID#10] reusing cached connection (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_next_base] (0x0400): [RID#10] Searching for users with base [dc=old,dc=domain,dc=net] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_print_server] (0x2000): [RID#10] Searching 10.204.55.12:389 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x0400): [RID#10] calling ldap_search_ext with [(&(uid=a-testuser)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=old,dc=do main,dc=net]. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [objectClass] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [uid] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [userPassword] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [uidNumber] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [gidNumber] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [gecos] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [homeDirectory] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [loginShell] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [krbPrincipalName] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [cn] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [modifyTimestamp] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [modifyTimestamp] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [shadowLastChange] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [shadowMin] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [shadowMax] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [shadowWarning] (2022-03-21 13:24:24): 
[be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [shadowInactive] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [shadowExpire] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [shadowFlag] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [krbLastPwdChange] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [krbPasswordExpiration] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [pwdAttribute] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [authorizedService] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [accountExpires] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [userAccountControl] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [nsAccountLock] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [host] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [rhost] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [loginDisabled] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [loginExpirationTime] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [loginAllowedTimeMap] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [sshPublicKey] (2022-03-21 
13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [userCertificate;binary] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [mail] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x2000): [RID#10] ldap_search_ext called, msgid = 13 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_op_add] (0x2000): [RID#10] New operation 13 timeout 6 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_result] (0x2000): Trace: sh[0x559ddcff2330], connected[1], ops[0x559ddd0b6020], ldap[0x559ddd04d220] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_message] (0x4000): [RID#10] Message type: [LDAP_RES_SEARCH_ENTRY] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_entry] (0x1000): [RID#10] OriginalDN: [uid=a-testuser,ou=People,dc=old,dc=domain,dc=net]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [objectClass] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [cn] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [loginShell] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [homeDirectory] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [uid] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [mail] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [uidNumber] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [gidNumber] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): [RID#10] No sub-attributes for [host] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_parse_range] (0x2000): 
[RID#10] No sub-attributes for [modifyTimestamp] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_result] (0x2000): Trace: sh[0x559ddcff2330], connected[1], ops[0x559ddd0b6020], ldap[0x559ddd04d220] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_message] (0x4000): [RID#10] Message type: [LDAP_RES_SEARCH_RESULT] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_op_finished] (0x0400): [RID#10] Search result: Success(0), no errmsg set (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_op_destructor] (0x2000): [RID#10] Operation 13 finished (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_user] (0x4000): [RID#10] Receiving info for the user (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_user] (0x4000): [RID#10] Storing the user (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_save_user] (0x0400): [RID#10] Save user (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_get_sid_str] (0x1000): [RID#10] No [objectSID] attribute. [0][Success] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_save_user] (0x4000): [RID#10] objectSID: not available for user (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_save_user] (0x4000): [RID#10] Failed to retrieve UUID [2][No such file or directory]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_primary_name] (0x0400): [RID#10] Processing object a-testuser (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_save_user] (0x0400): [RID#10] Processing user a-testuser@xxxxxxxxxxxxxx (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_save_user] (0x2000): [RID#10] Adding originalDN [uid=a-testuser,ou=People,dc=old,dc=domain,dc=net] to attributes of [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_save_user] (0x0400): [RID#10] Original memberOf is not available for [a-testuser@xxxxxxxxxxxxxx]. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] Adding original mod-Timestamp [20220317130050Z] to attributes of [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_save_user] (0x0400): [RID#10] User principal is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] shadowLastChange is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] shadowMin is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] shadowMax is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] shadowWarning is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] shadowInactive is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] shadowExpire is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] shadowFlag is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] krbLastPwdChange is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] krbPasswordExpiration is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] pwdAttribute is not available for [a-testuser@xxxxxxxxxxxxxx]. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] authorizedService is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] adAccountExpires is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] adUserAccountControl is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] nsAccountLock is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] Adding authorizedHost [nlud-rhel801.network.lan] to attributes of [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] authorizedRHost is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] ndsLoginDisabled is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] ndsLoginExpirationTime is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] ndsLoginAllowedTimeMap is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] sshPublicKey is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] authType is not available for [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] userCertificate is not available for [a-testuser@xxxxxxxxxxxxxx]. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_attrs_add_ldap_attr] (0x2000): [RID#10] Adding mail [aleksandr.makhov@xxxxxxxxxxx] to attributes of [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_save_user] (0x0400): [RID#10] Storing info for user a-testuser@xxxxxxxxxxxxxx (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_set_entry_attr] (0x0200): [RID#10] Entry [name=a-testuser@xxxxxxxxxxxxxx,cn=users,cn=OLD.DOMAIN.NET,cn=sysdb] has set [ts_cache] attrs. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [userPassword] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [userPrincipalName] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [shadowLastChange] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [shadowMin] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [shadowMax] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [shadowWarning] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [shadowInactive] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [shadowExpire] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [shadowFlag] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [krbLastPwdChange] from 
[a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [krbPasswordExpiration] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [pwdAttribute] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [authorizedService] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [adAccountExpires] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [adUserAccountControl] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [nsAccountLock] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [authorizedRHost] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [ndsLoginDisabled] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [ndsLoginExpirationTime] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [ndsLoginAllowedTimeMap] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [sshPublicKey] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_remove_attrs] (0x2000): [RID#10] Removing attribute [userCertificate] from [a-testuser@xxxxxxxxxxxxxx] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_store_user] (0x0400): [RID#10] User 
"a-testuser@xxxxxxxxxxxxxx" has been stored (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_user] (0x4000): [RID#10] Commit change (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_user] (0x4000): [RID#10] Process user's groups (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_initgr_rfc2307_next_base] (0x0400): [RID#10] Searching for groups with base [dc=old,dc=domain,dc=net] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_print_server] (0x2000): [RID#10] Searching 10.204.55.12:389 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x0400): [RID#10] calling ldap_search_ext with [(&(memberuid=a-testuser)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][dc =old,dc=domain,dc=net]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [objectClass] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [cn] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [userPassword] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [gidNumber] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [modifyTimestamp] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x1000): [RID#10] Requesting attrs: [modifyTimestamp] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_ext_step] (0x2000): [RID#10] ldap_search_ext called, msgid = 14 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_op_add] (0x2000): [RID#10] New operation 14 timeout 6 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_result] (0x2000): Trace: sh[0x559ddcff2330], connected[1], ops[0x559ddd0c34c0], ldap[0x559ddd04d220] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (2022-03-21 
13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_result] (0x2000): Trace: sh[0x559ddcff2330], connected[1], ops[0x559ddd0c34c0], ldap[0x559ddd04d220] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_message] (0x4000): [RID#10] Message type: [LDAP_RES_SEARCH_RESULT] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_generic_op_finished] (0x0400): [RID#10] Search result: Success(0), no errmsg set (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_op_destructor] (0x2000): [RID#10] Operation 14 finished (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_initgr_common_store] (0x2000): [RID#10] Updating memberships for a-testuser@xxxxxxxxxxxxxx (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_done] (0x4000): [RID#10] Initgroups done (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_done] (0x0400): [RID#10] Primary group already cached, nothing to do. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_get_initgr_done] (0x4000): [RID#10] No need to check for domain local group memberships. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_id_op_destroy] (0x4000): [RID#10] releasing operation connection (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_id_op_done] (0x4000): [RID#10] releasing operation connection (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_done] (0x0400): [RID#10] DP Request [Initgroups #10]: Request handler finished [0]: Success (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [_dp_req_recv] (0x0400): [RID#10] DP Request [Initgroups #10]: Receiving request data. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_destructor] (0x0400): [RID#10] DP Request [Initgroups #10]: Request removed. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_destructor] (0x0400): [RID#10] Number of active DP request: 0 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_get_account_info_initgroups_step] (0x0400): [RID#10] Ordering NSS responder to update memory cache (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_set_entry_attr] (0x0200): [RID#10] Entry [name=a-testuser@xxxxxxxxxxxxxx,cn=users,cn=OLD.DOMAIN.NET,cn=sysdb] has set [ts_cache] attrs. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_result] (0x2000): Trace: sh[0x559ddcff2330], connected[1], ops[(nil)], ldap[0x559ddd04d220] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_process_result] (0x2000): Trace: end of ldap_result list (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_reply_std] (0x1000): DP Request [Initgroups #10]: Returning [Success]: 0,0,Success (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.getAccountInfo: Success (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.pamHandler on /sssd (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.pam] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_pam_handler_send] (0x0100): Got request with the following data (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] command: SSS_PAM_AUTHENTICATE (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] domain: OLD.DOMAIN.NET (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] user: a-testuser@xxxxxxxxxxxxxx (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] service: sshd (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] tty: ssh (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] ruser: (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] rhost: 10.204.55.199 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] authtok type: 1 (Password) (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] newauthtok type: 0 (No authentication token available) (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] priv: 1 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] cli_pid: 864553 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] logon name: not set (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] flags: 0 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_attach_req] (0x0400): [RID#11] DP Request [PAM Authenticate #11]: REQ_TRACE: New request. [sssd.pam CID #4] Flags [0000]. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_attach_req] (0x0400): [RID#11] Number of active DP request: 1 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sss_domain_get_state] (0x1000): [RID#11] Domain OLD.DOMAIN.NET is Active (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [krb5_auth_queue_send] (0x1000): [RID#11] Wait queue of user [a-testuser@xxxxxxxxxxxxxx] is empty, running request [0x559ddd0abb00] immediately. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [krb5_setup] (0x4000): [RID#11] No mapping for: a-testuser@xxxxxxxxxxxxxx (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [krb5_get_simple_upn] (0x4000): [RID#11] Using simple UPN [a-testuser@xxxxxxxxxxxxxx]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [check_ccache_re] (0x1000): [RID#11] Ccache directory name [/tmp] does not contain illegal patterns. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [check_ccache_re] (0x1000): [RID#11] Ccache directory name [FILE:/tmp/krb5cc_21496_XXXXXX] does not contain illegal patterns. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [fo_resolve_service_send] (0x0100): [RID#11] Trying to resolve service 'KERBEROS' (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [get_server_status] (0x1000): [RID#11] Status of server 'krb01.network.lan' is 'working' (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [get_port_status] (0x1000): [RID#11] Port status of port 88 for server 'krb01.network.lan' is 'working' (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [fo_resolve_service_activate_timeout] (0x2000): [RID#11] Resolve timeout [dns_resolver_timeout] set to 6 seconds (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [get_server_status] (0x1000): [RID#11] Status of server 'krb01.network.lan' is 'working' (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [be_resolve_server_process] (0x1000): [RID#11] Saving the first resolved server (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [be_resolve_server_process] (0x0200): [RID#11] Found address for server krb01.network.lan: [10.204.55.12] TTL 2921 (2022-03-21 13:24:24): 
[be[OLD.DOMAIN.NET]] [krb5_add_krb5info_offline_callback] (0x4000): [RID#11] Removal callback already available for service [KERBEROS]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [unique_filename_destructor] (0x2000): [RID#11] Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_u2fDad] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [unlink_dbg] (0x2000): [RID#11] File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_u2fDad] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [krb5_add_krb5info_offline_callback] (0x4000): [RID#11] Removal callback already available for service [KERBEROS]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [unique_filename_destructor] (0x2000): [RID#11] Unlinking [/var/lib/sss/pubconf/.krb5info_dummy_lLSbah] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [unlink_dbg] (0x2000): [RID#11] File already removed: [/var/lib/sss/pubconf/.krb5info_dummy_lLSbah] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sss_domain_get_state] (0x1000): [RID#11] Domain OLD.DOMAIN.NET is Active (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [child_handler_setup] (0x2000): [RID#11] Setting up signal handler up for pid [864575] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [child_handler_setup] (0x2000): [RID#11] Signal handler set up for pid [864575] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [write_pipe_handler] (0x0400): [RID#11] All data has been sent! (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [child_sig_handler] (0x1000): [RID#11] Waiting for child [864575]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [child_sig_handler] (0x0100): [RID#11] child [864575] finished successfully. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [read_pipe_handler] (0x0400): [RID#11] EOF received, client finished (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [parse_krb5_child_response] (0x1000): [RID#11] child response: status code: 0 (Success), msg type: 3 (Env variable to be set with pam_putenv(3)), len: 41 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [parse_krb5_child_response] (0x1000): [RID#11] child response: status code: 0 (Success), msg type: -1073741822 (UPN info), len: 28 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [parse_krb5_child_response] (0x1000): [RID#11] child response: status code: 0 (Success), msg type: -1073741823 (TGT lifetime info), len: 32 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [parse_krb5_child_response] (0x1000): [RID#11] TGT times are [1647865464][1647865464][1647951864][1647865464]. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [parse_krb5_child_response] (0x1000): [RID#11] child response: status code: 0 (Success), msg type: 6 (Message to be displayed to the user), len: 8 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [_be_fo_set_port_status] (0x8000): [RID#11] Setting status: PORT_WORKING. Called from: src/providers/krb5/krb5_auth.c: krb5_auth_done: 1087 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [fo_set_port_status] (0x0100): [RID#11] Marking port 88 of server 'krb01.network.lan' as 'working' (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [set_server_common_status] (0x0100): [RID#11] Marking server 'krb01.network.lan' as 'working' (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [fo_set_port_status] (0x0400): [RID#11] Marking port 88 of duplicate server 'krb01.network.lan' as 'working' (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [krb5_mod_ccname] (0x4000): [RID#11] Save ccname [FILE:/tmp/krb5cc_21496_kNHZbi] for user [a-testuser@xxxxxxxxxxxxxx]. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_ldb_msg_difference] (0x2000): [RID#11] Replaced/extended attr [ccacheFile] of entry [name=a-testuser@xxxxxxxxxxxxxx,cn=users,cn=OLD.DOMAIN.NET,cn=sysdb] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_set_entry_attr] (0x0200): [RID#11] Entry [name=a-testuser@xxxxxxxxxxxxxx,cn=users,cn=OLD.DOMAIN.NET,cn=sysdb] has set [cache, ts_cache] attrs. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_ldb_msg_difference] (0x2000): [RID#11] Replaced/extended attr [cachedPassword] of entry [name=a-testuser@xxxxxxxxxxxxxx,cn=users,cn=OLD.DOMAIN.NET,cn=sysdb] (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sysdb_set_entry_attr] (0x0200): [RID#11] Entry [name=a-testuser@xxxxxxxxxxxxxx,cn=users,cn=OLD.DOMAIN.NET,cn=sysdb] has set [cache, ts_cache] attrs. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [check_wait_queue] (0x1000): [RID#11] Wait queue for user [a-testuser@xxxxxxxxxxxxxx] is empty. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [krb5_auth_queue_done] (0x1000): [RID#11] krb5_auth_queue request [0x559ddd0abb00] done. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_done] (0x0400): [RID#11] DP Request [PAM Authenticate #11]: Request handler finished [0]: Success (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [_dp_req_recv] (0x0400): [RID#11] DP Request [PAM Authenticate #11]: Receiving request data. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_destructor] (0x0400): [RID#11] DP Request [PAM Authenticate #11]: Request removed. (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_destructor] (0x0400): [RID#11] Number of active DP request: 0 (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_method_enabled] (0x0400): [RID#11] Target selinux is not configured (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success (2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching. 
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching.
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching.
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_method_handler] (0x2000): Received D-Bus method sssd.dataprovider.pamHandler on /sssd
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_senders_lookup] (0x2000): Looking for identity of sender [sssd.pam]
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_pam_handler_send] (0x0100): Got request with the following data
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] command: SSS_PAM_ACCT_MGMT
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] domain: OLD.DOMAIN.NET
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] user: a-testuser@xxxxxxxxxxxxxx
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] service: sshd
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] tty: ssh
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] ruser:
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] rhost: 10.204.55.199
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] authtok type: 0 (No authentication token available)
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] newauthtok type: 0 (No authentication token available)
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] priv: 1
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] cli_pid: 864553
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] logon name: not set
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [pam_print_data] (0x0100): [CID #4] flags: 0
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_attach_req] (0x0400): [RID#12] DP Request [PAM Account #12]: REQ_TRACE: New request. [sssd.pam CID #4] Flags [0000].
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_attach_req] (0x0400): [RID#12] Number of active DP request: 1
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sss_domain_get_state] (0x1000): [RID#12] Domain OLD.DOMAIN.NET is Active
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_access_send] (0x0400): [RID#12] Performing access check for user [a-testuser@xxxxxxxxxxxxxx]
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sdap_access_host] (0x0100): [RID#12] No matching host rule found
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_done] (0x0400): [RID#12] DP Request [PAM Account #12]: Request handler finished [0]: Success
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [_dp_req_recv] (0x0400): [RID#12] DP Request [PAM Account #12]: Receiving request data.
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_destructor] (0x0400): [RID#12] DP Request [PAM Account #12]: Request removed.
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_req_destructor] (0x0400): [RID#12] Number of active DP request: 0
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [dp_method_enabled] (0x0400): [RID#12] Target selinux is not configured
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_issue_request_done] (0x0400): sssd.dataprovider.pamHandler: Success
(2022-03-21 13:24:24): [be[OLD.DOMAIN.NET]] [sbus_dispatch] (0x4000): Dispatching.

So, I see in logs the line "Adding authorizedHost [nlud-rhel801.itservices.lan] to attributes of [a-testuser@xxxxxxxxxxxxxxxx]." but it doesn't help to ssh there.
sssd.conf:

[sssd]
domains = OLD.DOMAIN.NET, NETWORK.LAN
config_file_version = 2
services = nss, pam

[domain/OLD.DOMAIN.NET]
krb5_server = krb01.network.lan:88, krb02.network.lan:88, krb03.network.lan:88, krb04.network.lan
krb5_realm = OLD.DOMAIN.NET
krb5_keytab = /etc/krb5.keytab
krb5_renewable_lifetime = 24h
krb5_lifetime = 24h
krb5_canonicalize = true
cache_credentials = true
id_provider = ldap
auth_provider = krb5
access_provider = ldap
debug_level = 9
ldap_id_use_start_tls = true
ldap_uri = ldap://ldap01.network.lan, ldap://ldap02.network.lan, ldap://ldap03.network.lan
ldap_search_base = dc=old,dc=domain,dc=net
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/it-hosting-and-network-ca.pem
ldap_network_timeout = 20
ldap_sasl_mech = GSSAPI
ldap_access_order = host
ldap_user_authorized_host = host

If I change ldap_access_order to filter, and hardcode the host name in the ldap_access_filter parameter, I can log in with ssh:

ldap_access_filter = (&(objectClass=posixAccount)(host=rhel801.network.lan))

but it's not a solution, because different users have different allowed hosts. Do you have any idea how to fix the problem?

Software versions:
Red Hat Enterprise Linux release 8.5 (Ootpa)
sssd-client-2.5.2-2.el8_5.4.x86_64
sssd-ad-2.5.2-2.el8_5.4.x86_64
sssd-kcm-2.5.2-2.el8_5.4.x86_64
sssd-common-2.5.2-2.el8_5.4.x86_64
sssd-nfs-idmap-2.5.2-2.el8_5.4.x86_64
sssd-krb5-common-2.5.2-2.el8_5.4.x86_64
sssd-krb5-2.5.2-2.el8_5.4.x86_64
python3-sssdconfig-2.5.2-2.el8_5.4.noarch
sssd-common-pac-2.5.2-2.el8_5.4.x86_64
sssd-ldap-2.5.2-2.el8_5.4.x86_64
sssd-2.5.2-2.el8_5.4.x86_64
sssd-proxy-2.5.2-2.el8_5.4.x86_64
sssd-ipa-2.5.2-2.el8_5.4.x86_64
krb5-workstation-1.18.2-14.el8.x86_64
krb5-libs-1.18.2-14.el8.x86_64

Thank you in advance.
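The deciding line in the log above is "No matching host rule found" from sdap_access_host, so it helps to see what the ldap_access_order = host check actually compares. The following is an added example (my own model, not SSSD's code) of the host-rule semantics described in sssd-ldap(5); the two sample users, the deny-beats-allow ordering and the hostname comparison against gethostname() are assumptions of the model.

```python
# Added example, not SSSD's own code: a model of how ldap_access_order = host
# decides, written so the "No matching host rule found" line above can be
# reproduced offline. Assumptions (from sssd-ldap(5)): every value of the
# attribute named by ldap_user_authorized_host is compared, case-insensitively,
# with the machine's own hostname as returned by gethostname(); "*" allows any
# host, a value equal to the hostname allows this host, "!name" denies it, and a
# deny wins over an allow. Canonicalising the hostname to an FQDN is NOT assumed.
import socket


def evaluate_host_rules(local_hostname, host_values):
    """Return (granted, reason) for the host attribute values of one user."""
    if not host_values:
        return False, "attribute has no values"
    name = local_hostname.lower()
    allowed_by = None
    for value in host_values:
        rule = value.strip().lower()
        if rule.startswith("!") and rule[1:] == name:
            return False, f"denied by rule {value!r}"   # explicit deny wins
        if rule == "*" or rule == name:
            allowed_by = value                          # keep scanning for a deny
    if allowed_by is None:
        return False, "No matching host rule found"
    return True, f"allowed by rule {allowed_by!r}"


def short_name_only_matches(local_hostname, host_values):
    """Values equal to the local hostname up to the domain part only.

    A non-empty result is the usual cause of a surprising deny: the attribute
    holds an FQDN while gethostname() returns the short name, or the reverse.
    """
    short = local_hostname.lower().split(".")[0]
    return [v for v in host_values
            if v.lower() != local_hostname.lower()
            and v.lower().split(".")[0] == short]


if __name__ == "__main__":
    # Constructed sample data: the two users from the post, evaluated against
    # this machine's hostname (run it on the server that rejects the login).
    local = socket.gethostname()
    users = {"a-testuser": ["rhel801.network.lan"], "a-admin": ["*"]}
    print(f"gethostname() -> {local!r}")
    for user, values in users.items():
        granted, reason = evaluate_host_rules(local, values)
        print(f"{user:12} {'GRANT' if granted else 'DENY '} {reason}")
        for v in short_name_only_matches(local, values):
            print(f"{'':12} hint: {v!r} matches only on the short name")
```

Comparing the printed gethostname() value with the host attribute values returned by ldapsearch shows directly whether the denial is an exact-string mismatch.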