[Freeipa-users] hbac service allowed despite not listed

Jakub Hrozek jhrozek at redhat.com
Tue Nov 24 13:04:22 UTC 2015


On Tue, Nov 24, 2015 at 12:58:42PM +0100, Winfried de Heiden wrote:
> Hi all,
> 
> [winfried at ipa ~]$ ipa hbacrule-show allow_all
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: FALSE
> 
> [winfried at ipa ~]$ ipa hbacrule-show testuser
>   Rule name: testuser
>   Enabled: TRUE
>   Users: testuser
>   Hosts: fedora23-server.blabla.bla
>   Services: sshd
> 
> [winfried at ipa ~]$ ipa user-show winfried
>   User login: winfried
>   First name: Winfried
>   Last name: de Heiden
>   Home directory: /home/winfried
>   Login shell: /bin/bash
> etc., etc.
> 
> [winfried at ipa ~]$ ipa user-show testuser
>   User login: testuser
>   First name: test
>   Last name: user
>   Home directory: /home/testuser
>   Login shell: /bin/bash
>   Email address: testuser at blabla.bla
>   UID: 10005
>   GID: 10005
>   Account disabled: False
>   Password: True
>   Member of groups: ipausers
>   Member of HBAC rule: testuser
>   Kerberos keys available: True
> 
> 
> 
> [testuser at fedora23-server ~]$ su winfried
> Wachtwoord:
> [winfried at fedora23-server testuser]$ id
> UID=10001(winfried) GID=10001(winfried)
> groepen=10001(winfried),10000(admins),10003(linuxadmins),10004(linuxusers)
> context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> So yes, I can su to another IPA-user :(
> 
> sssd_pam now shows information, but nothing seems to go wrong...

I think you forgot to CC freeipa-users.

In this case, can you look into /var/log/secure again and into the
domain logs?

> 
> What's happening?
> 
> Winny
> 
> On 24-11-15 at 11:43, Jakub Hrozek wrote:
> >On Tue, Nov 24, 2015 at 11:10:11AM +0100, Winfried de Heiden wrote:
> >>    Hi all,
> >>
> >>    Running as an ordinary user, straight from the beginning.
> >>
> >>    Is the (default) suid of/usr/bin/su causing this?
> >>    Anyway: the info requested:
> >>
> >>    /var/log/secure will tell:
> >>    Nov 24 11:04:11 fedora23-server su: pam_systemd(su:session): Cannot create
> >>    session: Already running in a session
> >>    Nov 24 11:04:11 fedora23-server su: pam_unix(su:session): session opened
> >>    for user root by testuser(uid=10005)
> >          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >Sorry, I missed this previously. So you're running "su -" as testuser
> >right? That's not hitting SSSD, because the target user is root, so "su"
> >would do:
> >     pam_start("su", "root", ...)
> >     pam_authenticate();
> >
> >So what you're seeing is expected. Try su-ing to testuser from another
> >non-root user, it's going to fail.
> 

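The point Jakub makes above, that HBAC is only consulted when the PAM target user is an IPA account and is then evaluated against the PAM service name (e.g. `su` or `sshd`), as an added, simplified model that is not code from FreeIPA or SSSD. The two rules are copied from the `ipa hbacrule-show` output in the thread; the set of IPA users is constructed, and group, hostgroup and service-group expansion done by the real evaluator is omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HbacRule:
    name: str
    enabled: bool
    user_category: str = ""  # "all" matches every user; "" means use `users`
    host_category: str = ""
    service_category: str = ""
    users: frozenset = frozenset()
    hosts: frozenset = frozenset()
    services: frozenset = frozenset()

    def matches(self, user, host, service):
        # A disabled rule never grants access, even an all/all/all one.
        if not self.enabled:
            return False
        return ((self.user_category == "all" or user in self.users)
                and (self.host_category == "all" or host in self.hosts)
                and (self.service_category == "all" or service in self.services))


# The two rules as shown by `ipa hbacrule-show` in the thread.
RULES = (
    HbacRule("allow_all", enabled=False,
             user_category="all", host_category="all", service_category="all"),
    HbacRule("testuser", enabled=True, users=frozenset({"testuser"}),
             hosts=frozenset({"fedora23-server.blabla.bla"}),
             services=frozenset({"sshd"})),
)

# Constructed: accounts that SSSD serves; root is a local /etc/passwd account.
IPA_USERS = frozenset({"winfried", "testuser"})


def pam_decision(target_user, host, pam_service, rules=RULES):
    """Outcome of one pam_start(pam_service, target_user) on `host`.

    'local' : target is not an IPA user, so pam_sss/HBAC is never consulted
    'allow:<rule>' : first enabled rule matching user, host and service
    'deny' : IPA user but no enabled rule matches
    """
    if target_user not in IPA_USERS:
        return "local"
    for rule in rules:
        if rule.matches(target_user, host, pam_service):
            return f"allow:{rule.name}"
    return "deny"
```

With these rules, `su` to root never reaches HBAC, `sshd` for testuser on fedora23-server is allowed, and `su` to winfried on the same host should be denied, which is why the successful `su winfried` above needs the /var/log/secure and domain logs to explain.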