Restarting IPA removed the rule that was deleted manually through the GUI. It looks like a bug: the IPA WebUI was not able to delete the sudo rule "cn: All Except Shell".

On Mon, Feb 4, 2013 at 3:54 PM, Rajnesh Kumar Siwal <rajnesh.si...@gmail.com> wrote:
> I deleted the following entry from the IPA WebUI "All Except Shell"
> (Sudo Role) but ldapsearch still fetches it (effectively sudo works
> after the deletion of the rule):
>
> dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
> objectClass: sudoRole
> sudoUser: %ctsadmin
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: ALL
> sudoOption: !authenticate
> cn: All Except Shell
>
> Is it present in a cache somewhere?
>
> On Mon, Feb 4, 2013 at 2:18 PM, Rajnesh Kumar Siwal <rajnesh.si...@gmail.com> wrote:
>> Looking into the sssd logs, I came to know that there was one more
>> rule allowing access:
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [hbac_get_category] (5): Category is set to 'all'.
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
>> (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>) [Success]
>>
>> I disabled that allow_all rule, now it is fine.
>>
>> On Mon, Feb 4, 2013 at 2:02 PM, Rajnesh Kumar Siwal <rajnesh.si...@gmail.com> wrote:
>>> Here is the output of ldapsearch:
>>> dn: cn=Admins,ou=sudoers,dc=example,dc=com
>>> objectClass: sudoRole
>>> sudoUser: %ctsadmin
>>> sudoHost: ALL
>>> sudoCommand: ALL
>>> sudoRunAsUser: ALL
>>> cn: Admins
>>>
>>> The rule still says that the group ctsadmin is allowed (which should
>>> not happen after I remove the ctsadmin group from sudo access).
>>> On the IPA Web Interface there is no sudo role attached to the user
>>> "rsiwal" (neither direct nor indirect).
>>> Maybe there is some bug.
>>>
>>> On Mon, Feb 4, 2013 at 1:22 PM, Rajnesh Kumar Siwal <rajnesh.si...@gmail.com> wrote:
>>>> Hi all,
>>>>
>>>> I have just created a setup for sudo on the IPA Server 2.2.
>>>> I modified nsswitch.conf to use ldap.
>>>> ldap.conf has been modified to fetch sudo users from the IPA Server.
>>>>
>>>> Now, the user in group "admin" can do sudo.
>>>> 1. rsiwal being a user of group sudo can run all commands as sudo
>>>> (FINE)
>>>> 2. If I disable the rule "Admins" (that gives the admin group access to
>>>> sudo), the sudo still works for the user rsiwal (which should not work
>>>> logically).
>>>> 3. Removed the group "Admins" (including rsiwal) from the sudo
>>>> rule. The rule is still allowing user rsiwal to run "sudo su -". (It
>>>> should fail)
>>>>
>>>> Is there some kind of caching going on at the server / client end?
>>>>
>>>> --
>>>> Regards,
>>>> Rajnesh Kumar Siwal

--
Regards,
Rajnesh Kumar Siwal

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
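An added example, not part of the thread or of FreeIPA itself: a small Python audit that parses the LDIF ldapsearch returns from the ou=sudoers compat tree (the base DN quoted above) and reports any rule that was expected to be deleted but is still served, plus any rule granting ALL commands with sudoOption !authenticate. The sample LDIF is constructed from the two entries quoted in the thread; in practice the text would be the ldapsearch output itself.

```python
# Added example (not from the thread): parse the LDIF that ldapsearch prints for
# the ou=sudoers compat tree and audit the sudoRole entries it still contains.

# Constructed sample, built from the two entries quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=Admins,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
cn: Admins

dn: cn=All Except Shell,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
sudoUser: %ctsadmin
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: All Except Shell
"""

def parse_ldif(text):
    """Return one dict (attribute -> list of values) per LDIF entry."""
    entries, current = [], {}
    # A leading space continues the previous line; a blank line ends an entry.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def audit_sudo_rules(text, expected_deleted=()):
    """Flag rules that should be gone but are still served, and rules that
    grant ALL commands without a password prompt (sudoOption: !authenticate)."""
    roles = [e for e in parse_ldif(text) if "sudoRole" in e.get("objectClass", [])]
    names = {e["cn"][0] for e in roles}
    return {
        "rules": sorted(names),
        "stale": sorted(n for n in expected_deleted if n in names),
        "nopasswd_all": sorted(e["cn"][0] for e in roles
                               if "ALL" in e.get("sudoCommand", [])
                               and "!authenticate" in e.get("sudoOption", [])),
    }
```

Running `audit_sudo_rules(SAMPLE_LDIF, ["All Except Shell"])` reproduces the situation in the thread: the rule deleted in the WebUI is still listed under "stale", and it is also the one rule that grants everything without authentication.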