#3664 LOGS: Improve debugging in case the PAM service is not mapped to any GPO rule

Created 2 months ago by mzidek
Modified 2 months ago

The logs should give better hints on what went wrong in case the user is denied access due to the PAM service not being mapped to any GPO rule.

Here is feedback from a user:

The issue is with the logging. The man page was fairly clear once I figured out what to look for.

The standard error message gives absolutely no hint as to why access is denied:

Mar  8 15:13:51 ubuntu1604 pamtester: pam_sss(thinlinc:account): Access denied for user ossman: 6 (Permission denied)

The debug message at least says that it has to do with GPOs and services, but no clue beyond that:

(Thu Mar  8 15:13:51 2018) [sssd[be[lab.lkpg.cendio.se]]] [ad_gpo_access_send] (0x0400): service thinlinc maps to Denied

I would have preferred if the standard log message informed me that access was denied because the service thinlinc is not mapped to any GPO rule.

2 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2
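
Until the standard message carries the reason, the two log lines quoted in this ticket can be joined by hand. The script below is an added example, not part of the ticket or of SSSD's code; the function names and the 2-second matching window are assumptions, and the reading of "maps to Denied" as "not mapped to any GPO rule" is taken from the ticket text.

```python
import re
from datetime import datetime, timedelta

# Patterns follow the two log lines quoted in the ticket.
PAM_DENY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ \S+: pam_sss\((?P<svc>[^:)]+):account\): "
    r"Access denied for user (?P<user>\S+): 6 \(Permission denied\)")
GPO_MAP = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[ad_gpo_access_send\] \(0x0400\): service (?P<svc>\S+) maps to (?P<map>.+)$")

def gpo_denials(debug_lines):
    """Return (time, domain, service) for each 'maps to Denied' debug entry."""
    found = []
    for line in debug_lines:
        m = GPO_MAP.match(line.strip())
        if m and m["map"].strip() == "Denied":
            when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            found.append((when, m["domain"], m["svc"]))
    return found

def explain_denials(syslog_lines, debug_lines, window=timedelta(seconds=2)):
    """Attach the GPO mapping cause, when logged, to each pam_sss account denial."""
    gpo = gpo_denials(debug_lines)
    findings = []
    for line in syslog_lines:
        m = PAM_DENY.match(line.strip())
        if not m:
            continue
        cause = "no GPO mapping entry found in the SSSD debug log"
        for when, domain, svc in gpo:
            # syslog omits the year, so borrow it from the SSSD entry being compared
            seen = datetime.strptime(f"{when.year} {m['ts']}", "%Y %b %d %H:%M:%S")
            if svc == m["svc"] and abs(seen - when) <= window:
                cause = f"service {svc} is not mapped to any GPO rule in {domain}"
                break
        findings.append({"user": m["user"], "service": m["svc"], "cause": cause})
    return findings

SYSLOG = [  # first line is from the ticket, second is constructed
    "Mar  8 15:13:51 ubuntu1604 pamtester: pam_sss(thinlinc:account): Access denied for user ossman: 6 (Permission denied)",
    "Mar  8 15:14:02 ubuntu1604 sshd[2211]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)",
]
SSSD_DEBUG = [  # from the ticket
    "(Thu Mar  8 15:13:51 2018) [sssd[be[lab.lkpg.cendio.se]]] [ad_gpo_access_send] (0x0400): service thinlinc maps to Denied",
]

if __name__ == "__main__":
    for f in explain_denials(SYSLOG, SSSD_DEBUG):
        print(f"{f['user']}: {f['cause']}")
```

The debug entry does not name the user, so the match is by PAM service and timestamp only; on a busy host, concurrent logins through the same service within the window will all be attributed to the same entry.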
