[Freeipa-users] SOLVED: Re: sudo rule working even after the user has been removed from the sudo rule
Simo Sorce
simo at redhat.com
Tue Feb 5 14:48:31 UTC 2013
On Mon, 2013-02-04 at 09:21 -0500, Rob Crittenden wrote:
> Rajnesh Kumar Siwal wrote:
> > Looking into the sssd logs, I came to know that there was one more
> > rule allowing access:-
> > (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
> > [hbac_get_category] (5): Category is set to 'all'.
> > (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
> > [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
> > (Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
> > [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>)
> > [Success]
> >
> > I disabled that allow_all rule, now it is fine.
>
> I don't know why that would make any difference. HBAC != sudo.
sudo uses PAM, so HBAC may be involved during auth.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
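
Added example, not part of the original thread or of SSSD/FreeIPA: a small parser that lists which HBAC rule granted each access in an SSSD domain log of the format quoted above, so a catch-all such as allow_all shows up when a sudo change appears to have no effect. The sample log is constructed from the lines in the thread, and the rule name example_sudo_hosts is made up.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted above. The first and third
# records are wrapped the way the e-mail wrapped them; "example_sudo_hosts"
# is a made-up rule name.
SAMPLE_LOG = """\
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]]
[ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [allow_all]
(Mon Feb 4 14:13:01 2013) [sssd[be[chargepoint.dmz]]] [be_pam_handler_callback] (4): Backend returned: (0, 0, <NULL>)
[Success]
(Mon Feb 4 14:20:44 2013) [sssd[be[chargepoint.dmz]]] [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [example_sudo_hosts]
"""

START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) ")
RECORD = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>\w+)\): (?P<msg>.*)$"
)
GRANT = re.compile(r"Access granted by HBAC rule \[(?P<rule>[^\]]+)\]")

def records(text):
    """Yield one string per log record, re-joining wrapped continuation lines."""
    buf = None
    for line in (l.strip() for l in text.splitlines()):
        if START.match(line):
            if buf is not None:
                yield buf
            buf = line
        elif line and buf is not None:
            buf += " " + line
    if buf is not None:
        yield buf

def hbac_grants(text):
    """Return (timestamp, domain, rule) for each HBAC grant in the log text."""
    grants = []
    for rec in records(text):
        m = RECORD.match(rec)
        if m and m["func"] == "ipa_hbac_evaluate_rules":
            g = GRANT.search(m["msg"])
            if g:
                grants.append((m["ts"], m["domain"], g["rule"]))
    return grants

if __name__ == "__main__":
    for rule, n in Counter(r for _, _, r in hbac_grants(SAMPLE_LOG)).items():
        note = "  <- catch-all rule decided access" if rule == "allow_all" else ""
        print(f"{n:3d}  {rule}{note}")
```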