Simo Sorce wrote:
On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
Rajnesh Kumar Siwal wrote:
Looking into the sssd logs, I came to know that there was one more
rule allowing access:
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[hbac_get_category] (5): Category is set to 'all'.
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>)

I disabled that allow_all rule, now it is fine.

I don't know why that would make any difference. HBAC != sudo.

sudo uses PAM, so HBAC may be involved during auth.


That's true, but it isn't going to grant sudo access to users that aren't in the rule.

