On 05/12/2015 06:25 AM, Ulrich Hiller wrote:
>
> i have set logging in sssd to 9:

7 might be good enough for what you want to find.

I added this to domain/default section:

access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
debug_level = 7

/var/log/sssd/sssd_default.log logged the following for one user which had no "host" attribute, and was denied login:

-----
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=private,dc=example,dc=net]
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=gordon)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))][dc=private,dc=example,dc=net].
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
...
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
-----

So, the user lookup definitely requested the host attribute.

The authentication process logs to the same file:

-----
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): user: gordon
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: 10.1.10.41
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 7871
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [gordon]
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_host] (0x0020): Missing hosts. Access denied
-----

Your log excerpt did not include "performing access check". I don't know if that's because it isn't in your log or because your excerpt was too short.
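
Added example, not part of the original message and not SSSD code: a Python script that runs the check described above over a domain log, reporting for each PAM_ACCT_MGMT request whether "Performing access check" was logged and what sdap_access_host said. The function name, the result fields and the sample log (including the user "alice") are constructed for illustration; the line format is the one quoted in the message.

```python
import re

# Constructed sample in the format of the sssd_default.log lines quoted above.
# The second request (alice) deliberately has no access-check line.
SAMPLE = """\
(Tue May 12 10:35:35 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [pam_print_data] (0x0100): user: gordon
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [gordon]
(Tue May 12 10:35:36 2015) [sssd[be[default]]] [sdap_access_host] (0x0020): Missing hosts. Access denied
(Tue May 12 10:40:02 2015) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Tue May 12 10:40:02 2015) [sssd[be[default]]] [pam_print_data] (0x0100): user: alice
"""

# (timestamp) [sssd[be[domain]]] [function] (0xLEVEL): message
LINE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<dom>[^\]]*)\]\]\] "
                  r"\[(?P<fn>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$")

def audit(log_text, host_attr="host"):
    """Return (host_attr_requested, [one dict per PAM_ACCT_MGMT request])."""
    host_requested = False
    requests, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line
        fn, msg = m["fn"], m["msg"]
        if msg == f"Requesting attrs: [{host_attr}]":
            host_requested = True  # the lookup asked LDAP for the attribute
        elif fn == "pam_print_data" and msg.startswith("command: "):
            current = None  # a new PAM request begins; only track ACCT_MGMT
            if msg == "command: PAM_ACCT_MGMT":
                current = {"user": None, "checked": False, "host_result": None}
                requests.append(current)
        elif current is None:
            continue
        elif fn == "pam_print_data" and msg.startswith("user: "):
            current["user"] = msg[len("user: "):]
        elif fn == "sdap_access_send" and msg.startswith("Performing access check"):
            current["checked"] = True
        elif fn == "sdap_access_host":
            current["host_result"] = msg  # kept verbatim, e.g. the denial text
    return host_requested, requests

if __name__ == "__main__":
    requested, reqs = audit(SAMPLE)
    print("host attribute requested:", requested)
    for r in reqs:
        print(r)
```

A request with `checked` false means the LDAP access provider never evaluated that account-management request, which points at the `access_provider` setting rather than at the user's "host" attribute.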