On 11/29/2013 03:17 PM, Jakub Hrozek wrote:
> On Fri, Nov 29, 2013 at 03:08:44PM +0100, Fred van Zwieten wrote:
>> Jakub,
>> Yes, I could do this. But then the local root account cannot su to local
>> users (without password). But that is actually a normal use-case. I just
>> think local root should not be allowed to transition to a domain user, by
>> default.
>> Fred
> Ah, in that case I'm not sure if there's an easy solution, at least I
> don't know any off hand. I think Alexander is right that SELinux would
> be a good choice.

Right. Root could uncomment the pam_rootok.so line anyway if he wanted to
access other user's account again.


Freeipa-users mailing list

Reply via email to