hi guys

I think it was asked on the list before but I still cannot find the thread.

Should AD's users be able to login to IPA's clients(non-replica) in a pretty vanilla setup? Those users can login to IPA masters okey.

I have not created any HBACs yet, nor added new hostgroups etc.

When I ssh to IPA's client that client denies that user & shows:

pam_sss(sshd:auth): received for user user1@private: 6 (Permission denied)

...

many thanks, L.