On pe, 12 touko 2017, Thomas Lau wrote:

let's say I am user thomas, and user "temp1" already marked as "disabled"
on FreeIPA, but tho...@domain.com is on /home/temp1/.k5login list, how come
I could still "sudo su - temp1"? It seems skip the checking on FreeIPA even
account is disabled. Did I miss any setting or it's normal?
This is normal.

sudo brings you to root. PAM module for su (/etc/pam.d/su) has this:

 auth           sufficient      pam_rootok.so

E.g. if su is executed as root, it is enough, no other authentication
checks are done.

/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to