Hello, guys,
I am running FreeIPA at home, and I can enroll clients just fine. The issue I am facing, however, is with Fedora. If I have it enrolled, I can only log in with the single user I have set in the enterprise login. No other FreeIPA user is able to log in. When you try to log in with any other account, you get the message “Sorry, password authentication didn’t work, please try again,” even when the password is 100% correct. I am only facing this with Fedora; Ubuntu and openSUSE work just fine, and people are, in fact, able to log in.
Additionally, when attempting to log in with a FreeIPA user, it does display the user’s full name as set in FreeIPA, indicating that a connection is present.
EDIT: Figured it out. for some reason on fedora inside sssd.conf it automatically adds “simple_allow_users” and on ubuntu and opensuse it doesn’t do this. Removing this single line in the config file allows other users to login.
Is this something you set on the client it self or on the freeipa server for the host?. I never set such a option for any client though. i did enroll the other clients with the “freeipa-client-install” command and tried fedora with the initial setup. so their might be a difference in it how to enrolls?
Ah, my apologies - that was for sudo rules. No, I don’t think you’d need to define that whilst setting up the user.
Maybe this video will help you a bit: https://www.youtube.com/watch?v=GAHVU42ouOE&t=335s
Also, check the authentication methods you enabled for the user
Here is an alternative Piped link(s):
https://www.piped.video/watch?v=GAHVU42ouOE&t=335s
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
I found the allow_all rule and it is enabled.