[Freeipa-users] hbac service allowed despite not listed
Jakub Hrozek
jhrozek at redhat.com
Tue Nov 24 13:04:22 UTC 2015
On Tue, Nov 24, 2015 at 12:58:42PM +0100, Winfried de Heiden wrote:
> Hi all,
>
> [winfried at ipa ~]$ ipa hbacrule-show allow_all
> Rule name: allow_all
> User category: all
> Host category: all
> Service category: all
> Description: Allow all users to access any host from any host
> Enabled: FALSE
>
> [winfried at ipa ~]$ ipa hbacrule-show testuser
> Rule name: testuser
> Enabled: TRUE
> Users: testuser
> Hosts: fedora23-server.blabla.bla
> Services: sshd
>
> [winfried at ipa ~]$ ipa user-show winfried
> User login: winfried
> First name: Winfried
> Last name: de Heiden
> Home directory: /home/winfried
> Login shell: /bin/bash
> etc. etc.
>
> [winfried at ipa ~]$ ipa user-show testuser
> User login: testuser
> First name: test
> Last name: user
> Home directory: /home/testuser
> Login shell: /bin/bash
> Email address: testuser at blabla.bla
> UID: 10005
> GID: 10005
> Account disabled: False
> Password: True
> Member of groups: ipausers
> Member of HBAC rule: testuser
> Kerberos keys available: True
>
>
>
> [testuser at fedora23-server ~]$ su winfried
> Wachtwoord:
> [winfried at fedora23-server testuser]$ id
> UID=10001(winfried) GID=10001(winfried)
> groepen=10001(winfried),10000(admins),10003(linuxadmins),10004(linuxusers)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> So yes, I can su to another IPA-user :(
>
> sssd_pam now shows information, but nothing seems to go wrong...
I think you forgot to CC freeipa-users.
In this case, can you look into /var/log/secure again and into the
domain logs?
>
> What's happening?
>
> Winny
>
> On 24-11-15 at 11:43, Jakub Hrozek wrote:
> >On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
> >> Hi all,
> >>
> >> Running as an ordinary user, straight from the beginning.
> >>
> >> Is the (default) suid of/usr/bin/su causing this?
> >> Anyway: the info requested:
> >>
> >> /var/log/secure will tell:
> >> Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create
> >> session: Already running in a session
> >> Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened
> >> for user root by testuser(uid=10005)
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >Sorry, I missed this previously. So you're running "su -" as testuser
> >right? That's not hitting SSSD, because the target user is root, so "su"
> >would do:
> > pam_start("su", "root", ...)
> > pam_authenticate();
> >
> >So what you're seeing is expected. Try su-ing to testuser from another
> >non-root user, it's going to fail.
>
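Added example, not code from the thread or from FreeIPA itself: a small Python model of HBAC rule evaluation, built from the two `ipa hbacrule-show` outputs above as constructed data, so you can check what HBAC would decide for a given (user, host, PAM service) and compare that with what the host actually did. Rule names, host and group names come from the thread; the evaluation helper is an assumption about the semantics (enabled rule, each section "all" or an explicit match, any matching rule allows), not FreeIPA's implementation.

```python
# Added example: minimal model of FreeIPA HBAC evaluation (assumed semantics,
# not FreeIPA's own code). A request is (user, host, pam_service); a rule
# grants it only if the rule is enabled and all three sections match, where
# a section matches when its category is "all" or the value is listed
# explicitly (for users, also via a listed group). Default is deny.
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    enabled: bool
    user_category: str = ""       # "all" or "" (then use the explicit lists)
    host_category: str = ""
    service_category: str = ""
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)


def rule_matches(rule, user, host, service, user_groups=frozenset()):
    """True if this single rule grants (user, host, service)."""
    if not rule.enabled:
        return False
    user_ok = (rule.user_category == "all" or user in rule.users
               or bool(rule.user_groups & set(user_groups)))
    host_ok = rule.host_category == "all" or host in rule.hosts
    svc_ok = rule.service_category == "all" or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_allowed(rules, user, host, service, user_groups=frozenset()):
    """Return (allowed, names of matching rules); no match means deny."""
    matched = [r.name for r in rules
               if rule_matches(r, user, host, service, user_groups)]
    return bool(matched), matched


# Constructed from the two rules shown in the thread: allow_all is disabled,
# the testuser rule only covers testuser -> sshd on fedora23-server.
RULES = [
    HbacRule("allow_all", False, "all", "all", "all"),
    HbacRule("testuser", True, users={"testuser"},
             hosts={"fedora23-server.blabla.bla"}, services={"sshd"}),
]

if __name__ == "__main__":
    # The su from the thread, as HBAC would judge it if it were consulted.
    print(hbac_allowed(RULES, "winfried", "fedora23-server.blabla.bla", "su",
                       {"admins", "linuxadmins", "linuxusers"}))
```

FreeIPA's own `ipa hbactest` command performs this kind of evaluation against the live rules on the server, which is the quicker check in practice.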