sssctl user-check is very good. In particular, when you want to see if a
particular user is conferred access, you look for the:
    pam_acct_mgmt: Permission denied
But often, users are members of multiple various groups. It's often
difficult to track down which of the particular groups or user entries are
actually conferring the access to the user.
It would be nice to output on success, which user or group is conferring
the login access.
I'm not saying it needs to be exhaustive. I.e., no need to parse every
group to see which groups.
But sssctl at that point in time has determined (based on some rule) that
login access is permitted. Just output whatever that matching rule is.
If you wanted this additional output only in a verbose mode, that'd be
I suppose I could probably turn on debug level on sssd, restart it and grub
through all the sssd log files to find which user or group conferred
access. But that'd be painful. Usually I construct a list of all AD
groups this individual is a member of (often it's 15-20). Then which of
these groups are UNIX-enabled in AD. Then of those, which are permitted.
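
The manual cross-check described above can be scripted for one specific case. This is an added example, not code from the post or from SSSD: it assumes the domain uses access_provider = simple and applies that provider's allow-then-deny evaluation. The function name, the domain, the users and the groups are constructed, and other access providers are not covered.

```python
import configparser

# Constructed sample of a domain section; in practice read /etc/sssd/sssd.conf
# and take the group list from `id -Gn <user>`.
SAMPLE_CONF = """
[domain/example.test]
access_provider = simple
simple_allow_users = alice
simple_allow_groups = unix-admins, app-operators
simple_deny_groups = contractors
"""

def _csv(section, key):
    # Split a comma-separated option into a lower-cased set (assumes a
    # case-insensitive domain, as is usual with AD).
    return {v.strip().lower() for v in section.get(key, "").split(",") if v.strip()}

def explain_access(conf_text, domain, user, groups):
    """Return (allowed, reasons) naming the simple_* entries that decided it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    if sec.get("access_provider", "").strip() != "simple":
        raise ValueError("domain does not use access_provider = simple")
    user = user.lower()
    groups = {g.lower() for g in groups}
    allow_u, allow_g = _csv(sec, "simple_allow_users"), _csv(sec, "simple_allow_groups")
    deny_u, deny_g = _csv(sec, "simple_deny_users"), _csv(sec, "simple_deny_groups")

    # A matching deny entry overrides any matching allow entry.
    denies = [f"simple_deny_users: {user}"] if user in deny_u else []
    denies += [f"simple_deny_groups: {g}" for g in sorted(groups & deny_g)]
    if denies:
        return False, denies
    # With no allow lists at all, everyone not denied is granted access.
    if not allow_u and not allow_g:
        return True, ["no allow lists configured"]
    allows = [f"simple_allow_users: {user}"] if user in allow_u else []
    allows += [f"simple_allow_groups: {g}" for g in sorted(groups & allow_g)]
    return (True, allows) if allows else (False, ["no allow rule matched"])

if __name__ == "__main__":
    print(explain_access(SAMPLE_CONF, "example.test", "bob",
                         ["Domain Users", "unix-admins", "hr"]))
```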