[Freeipa-users] hbac service allowed despite not listed

Jakub Hrozek jhrozek at redhat.com
Tue Nov 24 10:43:27 UTC 2015


On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
>    Hi all,
> 
>    Running as an ordinary user, straight from the beginning.
> 
>    Is the (default) suid of /usr/bin/su causing this?
>     
>    Anyway: the info requested:
> 
>    /var/log/secure will tell:
>    Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create
>    session: Already running in a session
>    Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened
>    for user root by testuser(uid=10005)
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry, I missed this previously. So you're running "su -" as testuser,
right? That's not hitting SSSD, because the target user is root, so "su"
would do:
    pam_start("su", "root", ...)
    pam_authenticate();

So what you're seeing is expected. Try su-ing to testuser from another
non-root user; it's going to fail.
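
The point of the reply above, as an added example that is not part of the original message: a small audit helper that reads pam_unix "session opened" records from /var/log/secure and marks each su session by whether its target account is one SSSD would evaluate HBAC for. It assumes, as a simplification, that every account outside `local_users` is an IPA user served by SSSD; the function name, field names and the second sample line are constructed for illustration.

```python
import re

# pam_unix "session opened" record as su writes it to /var/log/secure.
# The caller name can be empty in some records, so it is matched loosely.
SESSION_RE = re.compile(
    r"\bsu(?:-l)?(?:\[\d+\])?: "
    r"pam_unix\((?P<pam_service>[^:]+):session\): session opened "
    r"for user (?P<target>\S+) by (?P<caller>[^(\s]*)\(uid=(?P<uid>\d+)\)"
)


def classify_su_sessions(lines, local_users=("root",)):
    """Return one dict per su session found in `lines`.

    hbac_applies is False when the *target* user is a local account such
    as root: PAM is started for the target, SSSD does not handle that
    account, and no HBAC rule for the su service is consulted.
    Assumption: users not listed in local_users are SSSD/IPA users.
    """
    sessions = []
    for line in lines:
        m = SESSION_RE.search(line)
        if m is None:
            continue  # not a su session-open record (e.g. pam_systemd noise)
        sessions.append({
            "caller": m.group("caller"),
            "caller_uid": int(m.group("uid")),
            "target": m.group("target"),
            "pam_service": m.group("pam_service"),
            "hbac_applies": m.group("target") not in local_users,
        })
    return sessions


# First two lines are the records quoted in the thread, unwrapped;
# the last line is constructed sample data.
SAMPLE_LOG = [
    "Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): "
    "Cannot create session: Already running in a session",
    "Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): "
    "session opened for user root by testuser(uid=10005)",
    "Nov 24 11:20:02 fedora23-server su: pam_unix(su:session): "
    "session opened for user testuser by otheruser(uid=10006)",
]

if __name__ == "__main__":
    for s in classify_su_sessions(SAMPLE_LOG):
        print(s)
```

A session whose target is root shows `hbac_applies: False`, which is why the missing "su" service in the HBAC rule made no difference in the case reported here.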