The problem is clear, there is a misunderstanding of the service "su"
and "su-l", this is about the target users. Hence; su - to user winfried
is allowed since su and su-l are added to the hbac service list of this
This looks a bit strange from the ui perspective, all other HBAC
services are what this user is allow to do; "su" and "su-l" defines that
OTHER user may become this user by using su.
A bit strange, but this is how is works. Anyone disagree?
Op 24-11-15 om 14:04 schreef Jakub Hrozek:
On Tue, Nov 24, 2015 at 12:58:42PM +0100, Winfried de Heiden wrote:
[winfried@ipa ~]$ ipa hbacrule-show allow_all
Rule name: allow_all
User category: all
Host category: all
Service category: all
Description: Allow all users to access any host from any host
[winfried@ipa ~]$ ipa hbacrule-show testuser
Rule name: testuser
[winfried@ipa ~]$ ipa user-show winfried
User login: winfried
First name: Winfried
Last name: de Heiden
Home directory: /home/winfried
Login shell: /bin/bash
[winfried@ipa ~]$ ipa user-show testuser
User login: testuser
First name: test
Last name: user
Home directory: /home/testuser
Login shell: /bin/bash
Email address: testu...@blabla.bla
Account disabled: False
Member of groups: ipausers
Member of HBAC rule: testuser
Kerberos keys available: True
[[testuser@fedora23-server ~]$ su winfried
[winfried@fedora23-server testuser]$ id
So yes, I can su to another IPA-user :(
sssd_pam now shows information, but nothing seems to go wrong...
I think you forgot to CC freeipa-users.
In this case, can you look into /var/log/secure again and into the
Op 24-11-15 om 11:43 schreef Jakub Hrozek:
On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
Running as an ordinary user, straight from the beginning.
Is the (default) suid of/usr/bin/su causing this?
Anyway: the info requested:
/var/log/secure will tell:
Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create
session: Already running in a session
Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened
for user root by testuser(uid=10005)
Sorry, I missed this previously. So you're running "su -" as testuser
right? That's not hitting SSSD, because the target user is root, so "su"
pam_start("su", "root", ...)
So what you're seeing is expected. Try su-ing to testuser from another
non-root user, it's going to fail.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project