Simo Sorce wrote:
On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
Rajnesh Kumar Siwal wrote:
Looking into the sssd logs, I came to know that there was one more
rule allowing access:-
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[hbac_get_category] (5): Category is set to 'all'.
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>)
[Success]

I disabled that allow_all rule, now it is fine.

I don't know why that would make any difference. HBAC != sudo.

sudo uses pam so HBAC may be involved during auth

Simo.


That's true but it isn't going to grant sudo access to users that aren't in the rule.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
