On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
> On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
>> Yes, I could do this. But then the local root account cannot su to local
>> users (without password). But that is actually a normal use-case. I just
>> think local root should not be allowed to transition to a domain user, by
> Ah, in that case I'm not sure if there's an easy solution, at least I
> don't know any off hand. I think Alexander is right that SELinux would
> be a good choice.
Right. Root could uncomment the pam_rootok.so line anyway if he wanted to
access other user's account again.
Freeipa-users mailing list