#3664 LOGS: Improve debugging in case the PAM service is not mapped to any GPO rule
Closed: Fixed 4 months ago by mzidek. Opened 7 months ago by mzidek.

The logs should give better hints on what went wrong incase the user is denied access due to PAM service not being mapped to any GPO rule.

Here is feedback from user:

The issue is with the logging. The man page was fairly clear once I figured out what to look for.

The standard error message gives absolutely no hint as to why access is denied:

Mar  8 15:13:51 ubuntu1604 pamtester: pam_sss(thinlinc:account): Access denied for user ossman: 6 (Permission denied)

The debug message at least says that it has to do with GPOs and services, but no clue beyond that:

(Thu Mar  8 15:13:51 2018) [sssd[be[lab.lkpg.cendio.se]]] [ad_gpo_access_send] (0x0400): service thinlinc maps to Denied

I would have preferred if the standard log message informed me that access was denied because the service thinlinc is not mapped to any GPO rule.


Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

7 months ago

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue tagged with: PR

4 months ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 months ago

Login to comment on this ticket.

Metadata