Thanks, Bob/Simo.

On Tue, Feb 5, 2013 at 8:24 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Simo Sorce wrote:
>>
>> On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
>>>
>>> Rajnesh Kumar Siwal wrote:
>>>>
>>>> Looking into the sssd logs, I came to know there there was one more
>>>> rule allowing access:-
>>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [hbac_get_category] (5): Category is set to 'all'.
>>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
>>>> (Mon Feb  4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
>>>> [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>)
>>>> [Success]
>>>>
>>>> I disabled that allow_all rule, now it is fine.
>>>
>>>
>>> I don't know why that would make any difference. HBAC != sudo.
>>
>>
>> sudo uses pam so HBAC may be involved during auth
>>
>> Simo.
>>
>
> That's true but it isn't going to grant sudo access to users that aren't in
> the rule.
>
> rob



-- 
Regards,
Rajnesh Kumar Siwal

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to