On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
> On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
>> Jakub,
>>
>> Yes, I could do this. But then the local root account cannot su to local
>> users (without password). But that is actually a normal use-case. I just
>> think local root should not be allowed to transition to a domain user, by
>> default.
>>
>> Fred
>
> Ah, in that case I'm not sure if there's an easy solution, at least I
> don't know any off hand. I think Alexander is right that SELinux would
> be a good choice.

Right. Root could uncomment the pam_rootok.so line anyway if he wanted to access other user's account again.

Martin