On 08/08/2017 12:02 PM, Steve Weeks via FreeIPA-users wrote:
We are running FreeIPA 4.4. Even though sudo is listed as one of the services in the HBAC rule, it seems like only the Sudo rules are what really controls sudo. Sudo ignores what is in the HBAC rules.

Is this expected behavior? It doesn't really matter which way it really works, we are more concerned that we might be confused and screwing something up.

HBAC rules restrict and grant access to certain services based on how these rules are configured. If HBAC evaluation prevents access for a user to sudo, then sudo commands will be denied for that user regardless of how sudo rules are configured. HBAC access is evaluated first and must be allowed for sudo operations to succeed; sudo and HBAC should be considered as two separate operations in IPA.

You can test the HBAC component using the 'ipa hbactest' command with '--service=sudo' to see if sudo access would be allowed on a certain host for a certain user.

If this is still confusing, could you provide an example of what you mean exactly?

Kind regards,
Justin Stephenson


Thanks,
Steve



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
