[Freeipa-users] Re: error: PAM: User account has expired for <user>

Restarting sssd made the problem go away. For better or worse. I've increased the debug and will update if it comes back. Memo to future self: "User account has expired" doesn't necessarily mean the account has expired - it can also mean that the account is invalid for some other reason, such as not having a HBAC rule. (This was the problem with my test account, but not with the original user's account)