Are you using a SUDO domain, and LDAP as your sudo and id provider? What does your sssd.conf look like? If you have the sudoers object class in LDAP you can match users/groups, deny certain hosts, or certain users/groups...

    sudoUser: %MyGroup
    sudoUser: !YourGroup
    sudoHost: !Notthishost.example.com
    sudoHost: ALL
    sudoCommand: ALL
    sudoCommand: !shutdown
Here is a generic sample of what I use:
    [domain/SUDO]
    id_provider = ldap
    sudo_provider = ldap
    ldap_uri = ldaps://myldap.example.com
    ldap_tls_cacertdir = /etc/openssl/
    ldap_tls_cacert = /etc/openssl/cacert.pem
    ldap_tls_cipher_suite = SSLv3
    ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
    ldap_user_search_base = ou=people,dc=example,dc=com
    ldap_group_search_base = ou=group,dc=example,dc=com
    ldap_search_base = dc=example,dc=com
    ldap_group_member = memberUid
    ldap_schema = rfc2307
    cache_credentials = false
    ldap_purge_cache_timeout = 20
    entry_cache_timeout = 20
    ldap_enumeration_refresh_timeout = 20
On January 17, 2020 at 4:24 AM Jakub Hrozek jhrozek@redhat.com wrote:
On Fri, Jan 17, 2020 at 11:23:25AM +0100, Pavel Březina wrote:
On 1/17/20 8:40 AM, Jannis Mann wrote:
Hi, I've implemented sssd with id, auth and access provider as ldap. So I am using a binding account and didn't join the domain with the server.
In general everything works. Only members of mentioned SG within the sssd.conf can login to the server, just as I wish to.
However, as sudo user I can run something as following
sudo su - UserThatIsNotAllowed
So I (a sudo user) can switch to any user that is within the search base I've specified in the sssd.conf. But these users are not allowed to use the server.
I understand that it is not the user himself who is logging in, but I actually don't want sudo users to be able to switch to users that aren't allowed on the server.
I'd like it to be only allowed to switch to users that are allowed on the server, or local accounts of course.
Is this a normal behaviour? Can it be changed?
Thank you! Jannis
So you want to be able to run 'sudo su - AllowedUser' but not all users are allowed, right?
Sudo rules can also match command parameters, so in theory you could create rules to allow the commands "/bin/su - User1", "/bin/su - User2" ... but if you have many users, it would be tedious.
If the purpose is to allow specific users to be able to call all commands as an allowed user, it would be better to use the runAsUser ability of sudo (to run a command as a specific user instead of root) and just set up a rule like:

    sudoUser: my-user
    sudoHost: ALL
    sudoCommand: ALL
    sudoRunAsUser: allowed-user
Couldn't you also put sudo into the acct pam substack? IIRC RHEL started doing that some time ago..
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
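The three rule shapes that come up in this thread (a blanket sudoCommand: ALL rule, which lets a sudoer run su as root to any account the id provider knows; the per-command "/bin/su - User1" variant; and the sudoRunAsUser rule above, plus the negated host/command values from the first reply) can be checked against concrete requests with a small model of how sudo evaluates sudoRole entries. This is an added example, not part of the thread and not sudo's or sssd's code. It assumes the "negative takes precedence within an entry" behaviour that sudoers.ldap(5) documents for LDAP-sourced rules (because LDAP does not preserve attribute value order), a default sudoRunAsUser of root, plain hostname/glob matching with no netgroups or sudoOrder, and constructed role names, users, groups and hosts.

```python
#!/usr/bin/env python3
"""Simplified model of sudo's evaluation of sudoRole entries (added example).

Not sudo's real matcher: it models only sudoUser, sudoHost, sudoCommand and
sudoRunAsUser, applies the sudoers.ldap(5) rule that a matching negated
value wins within an entry, and ignores netgroups, sudoOrder and options.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
import shlex


@dataclass
class SudoRole:
    """One sudoRole entry; multi-valued LDAP attributes are plain lists."""
    cn: str
    sudo_user: list
    sudo_host: list
    sudo_command: list
    sudo_runas_user: list = field(default_factory=lambda: ["root"])  # sudo's default target


@dataclass
class Request:
    """What the invoking user asked for; command is already resolved to a path."""
    user: str
    groups: frozenset
    host: str
    command: str
    args: tuple = ()
    runas: str = "root"  # sudo without -u runs as root


def _attr_matches(values, predicate):
    """Evaluate one multi-valued attribute: any matching '!' value denies,
    regardless of position; otherwise any matching positive value permits."""
    pairs = [(v.startswith("!"), v[1:] if v.startswith("!") else v) for v in values]
    if any(neg and predicate(p) for neg, p in pairs):
        return False
    return any(not neg and predicate(p) for neg, p in pairs)


def _user_ok(req, p):
    if p == "ALL":
        return True
    if p.startswith("%"):            # %group matches by group membership
        return p[1:] in req.groups
    return p == req.user


def _host_ok(req, p):
    return p == "ALL" or fnmatchcase(req.host, p)


def _command_ok(req, p):
    if p == "ALL":
        return True
    parts = shlex.split(p)
    if not parts or parts[0] != req.command:
        return False
    if len(parts) == 1:              # rule without arguments: any arguments allowed
        return True
    return fnmatchcase(" ".join(req.args), " ".join(parts[1:]))


def _runas_ok(req, p):
    return p == "ALL" or p == req.runas


def role_permits(role: SudoRole, req: Request) -> bool:
    return (_attr_matches(role.sudo_user, lambda p: _user_ok(req, p))
            and _attr_matches(role.sudo_host, lambda p: _host_ok(req, p))
            and _attr_matches(role.sudo_runas_user, lambda p: _runas_ok(req, p))
            and _attr_matches(role.sudo_command, lambda p: _command_ok(req, p)))


# Constructed sample entries modelled on the rule shapes discussed in the thread.
ROLES = [
    SudoRole("broad-admin", ["jannis"], ["ALL"], ["ALL"]),                       # ALL as root
    SudoRole("su-to-user1", ["carol"], ["ALL"], ["/bin/su - user1"]),            # per-command
    SudoRole("runas-only", ["my-user"], ["ALL"], ["ALL"], ["allowed-user"]),     # sudoRunAsUser
    SudoRole("group-rule", ["%admins", "!%contractors"],
             ["!bastion.example.com", "ALL"], ["ALL", "!/sbin/shutdown"]),       # negations
]


def permitted(req: Request, roles=ROLES) -> list:
    """Names of the entries that would let this request through."""
    return [r.cn for r in roles if role_permits(r, req)]


def scenarios() -> dict:
    """Constructed requests; each maps to the entries that permit it."""
    web, bastion = "web1.example.com", "bastion.example.com"
    su_unapproved = ("/bin/su", ("-", "unapproved"))
    return {
        "jannis-su-to-unapproved-as-root": permitted(Request("jannis", frozenset(), web, *su_unapproved)),
        "carol-su-to-user1": permitted(Request("carol", frozenset(), web, "/bin/su", ("-", "user1"))),
        "carol-su-to-user2": permitted(Request("carol", frozenset(), web, "/bin/su", ("-", "user2"))),
        "my-user-runas-allowed-user": permitted(Request("my-user", frozenset(), web, "/bin/bash", (), "allowed-user")),
        "my-user-su-as-root": permitted(Request("my-user", frozenset(), web, *su_unapproved)),
        "admin-ls": permitted(Request("alice", frozenset({"admins"}), web, "/bin/ls", ("-l",))),
        "admin-on-bastion": permitted(Request("alice", frozenset({"admins"}), bastion, "/bin/ls")),
        "admin-shutdown": permitted(Request("alice", frozenset({"admins"}), web, "/sbin/shutdown", ("-h", "now"))),
        "contractor-in-admins": permitted(Request("bob", frozenset({"admins", "contractors"}), web, "/bin/ls")),
    }


if __name__ == "__main__":
    for name, roles in scenarios().items():
        print(f"{name:35s} -> {roles or 'denied'}")
```

The first scenario is the situation Jannis describes: "broad-admin" grants ALL as root, and su is just another command run as root, so nothing in sudo distinguishes an approved target account from an unapproved one. The "runas-only" entry shows Pavel's alternative: the request to become allowed-user passes, while the same user's `sudo su - unapproved` is refused because the implicit root target does not match sudoRunAsUser. The "group-rule" cases show the LDAP negation behaviour: the `!` values deny even though `ALL` is listed after them.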