Oliver Kiddle via FreeIPA-devel wrote:

> Using FreeIPA on RHEL 9, I have sudo rules and an HBAC rule. The HBAC
> rules are there to disable all access to certain accounts on some
> machines. Testing with:
>
> ipa hbactest --service=sudo-i --user=user --host=host
>
> I get the expected "Access granted: False" response - regardless of the
> choice of service or whether I use a short or fully-qualified hostname.
> Using ssh to connect to the host is blocked, as are attempts to log in
> with gnome, vnc etc - again matching my expectations. However, when
> sudo -u user -i is used on the host this just works regardless. There
> are sudo rules permitting the initial users (which aren't just root) to
> switch to the target user but I would have expected the HBAC rule to
> apply and the login to be blocked.
>
> ipa hbacsvc-find does list services like sudo and sudo-i which would
> imply that sudo is supposed to support HBAC rules. At what stage is
> this supposed to be enforced? I would assume that pam_sss.so should be
> responsible for this. The pam configuration I have is unchanged from
> RHEL 9.4 defaults and does include pam_sss.so for all of auth, account,
> password and session. Do I need to change the configuration somewhere
> for HBAC rules to apply to the sudo-i service? Or am I misunderstanding
> something?
>
> I'm aware that I could specify host restrictions in the sudo rule but
> there are many of them and they apply to a mix of blocked and allowed
> accounts so this is not trivial. And it would be duplicating what is
> already in the HBAC rule to block ssh, gdm, etc.
You'll want to start here: https://docs.pagure.org/sssd.sssd/users/sudo_troubleshooting.html

The SSSD team will need logs showing what is going on.

rob

-- 
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
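Before collecting SSSD logs, one thing worth checking on the host is which PAM "account" stack the sudo-i service actually resolves to, since that is the phase in which pam_sss evaluates IPA HBAC rules. The script below is an added example, not code from this thread or from the SSSD/FreeIPA projects: it follows include/substack directives in a pam.d directory and reports whether pam_sss.so is reached. The sample pam.d layout it builds (sudo-i including sudo, sudo including system-auth) is constructed for the demonstration; point PAMDIR at a real /etc/pam.d to inspect a host.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the effective PAM "account"
# stack of a service by following "include"/"substack" lines, then check
# whether pam_sss.so is part of it. HBAC decisions are made by pam_sss in
# the account phase, so a stack that never reaches it cannot enforce them.

# Print "<file>: account <control> <module>" for every account entry the
# service ends up with. $1 = pam.d directory, $2 = service, $3 = depth.
pam_account_stack() {
  [ "${3:-0}" -lt 10 ] || return 0          # guard against include loops
  [ -f "$1/$2" ] || return 0                # missing file contributes nothing
  # awk emits "type module control"; a bracketed control such as
  # "[default=bad success=ok user_unknown=ignore]" is re-joined first.
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "account" || $1 == "-account" {
      ctrl = $2; i = 3
      if (ctrl ~ /^\[/) { while (i <= NF && ctrl !~ /\]$/) { ctrl = ctrl " " $i; i++ } }
      print $1, $i, ctrl
    }' "$1/$2" |
  while read -r type module ctrl; do
    case $ctrl in
      include|substack) pam_account_stack "$1" "$module" $(( ${3:-0} + 1 )) ;;
      *) printf '%s: %s %s %s\n' "$2" "$type" "$ctrl" "$module" ;;
    esac
  done
}

# Exit 0 if pam_sss.so appears anywhere in the effective account stack.
hbac_enforced_by_pam() {
  pam_account_stack "$1" "$2" | grep -q 'pam_sss\.so'
}

# Constructed sample pam.d mirroring the usual RHEL chain
# (sudo-i -> sudo -> system-auth). Prints the directory it created.
make_sample_pamd() {
  d=$(mktemp -d)
  printf 'auth include sudo\naccount include sudo\nsession include sudo\n' > "$d/sudo-i"
  printf '#%%PAM-1.0\nauth include system-auth\naccount include system-auth\n' > "$d/sudo"
  printf 'account required pam_unix.so\naccount sufficient pam_localuser.so\naccount [default=bad success=ok user_unknown=ignore] pam_sss.so\n' > "$d/system-auth"
  printf '%s\n' "$d"
}

# Inspect a real host with: PAMDIR=/etc/pam.d sh thisscript.sh
if [ -n "${PAMDIR:-}" ]; then
  pam_account_stack "$PAMDIR" sudo-i
  if hbac_enforced_by_pam "$PAMDIR" sudo-i; then
    echo "sudo-i: pam_sss.so is in the account stack (HBAC can be evaluated here)"
  else
    echo "sudo-i: pam_sss.so NOT reached in the account stack"
  fi
fi
```

If pam_sss.so is present, as the poster reports for the RHEL defaults, the next step is the SSSD log collection the linked troubleshooting page describes; if it is absent or only reached through a service file sudo does not use, that is the configuration gap to fix first.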