On Mon, Aug 11, 2014 at 12:10:28PM -0400, Simo Sorce wrote:
> On Mon, 2014-08-11 at 11:59 -0400, Yassir Elley wrote:
> >
> > In our case, when a user calls "sudo ls", I think it is a three-step
> > procedure:
> > 1) sudo calls pam_authenticate to authenticate the user
> > 2) sudo calls pam_acct_mgmt to make sure that the account is not
> > locked, that the ldap/gpo policies permit the user to run sudo, etc
> > 3) sudo refers to /etc/sudoers to determine if it can perform the sudo
> > action (i.e. "ls").
> >
> > The GPO Logon Rights relate to step (2) of this procedure.
> Except we do not have a logon right in windows that really matches what
> sudo is/does ... besides given sudo does its own authorization checks,
> what's the point of 2 ?
I assume by 'its own authorization checks', you mean /etc/sudoers,
right?
Anyway, this is not something we can influence, can we? /etc/pam.d/sudo
includes system-auth on Fedora, so account management is going to be
called...
[..]
> > Are you suggesting that sudo skip all of the pam_acct_mgmt checks
> > (checking for locked accounts, ldap filter policies), or that it skip
> > only the gpo policy check?
> Yes I think that is what Michichael and I ended up agreeing is the most
> sensible solution, given any other would prevent the rightful use of
> sudo in some situations where it should be allowed.
> Simo.
> --
> Simo Sorce * Red Hat, Inc * New York
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
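The three-step flow debated above (pam_authenticate, then pam_acct_mgmt, then /etc/sudoers), as an added, constructed model that is not SSSD or sudo code; the user records, the GPO logon-right names and the service-to-right mapping are assumptions, and the point it shows is that mapping the sudo PAM service to a Windows logon right can deny at step 2 a user whom sudoers would allow, whereas leaving sudo unmapped keeps the locked-account check and defers to sudoers.

```python
"""Constructed model of sudo's PAM flow: authenticate, account management,
then /etc/sudoers. Data and names are assumptions, not real SSSD/sudo code."""

# Constructed directory data (assumption): alice holds only the network
# logon right, bob holds both but his account is locked.
USERS = {
    "alice": {"password": "s3cret", "locked": False,
              "logon_rights": {"network"}},
    "bob":   {"password": "hunter2", "locked": True,
              "logon_rights": {"interactive", "network"}},
}
SUDOERS = {"alice": {"ls"}, "bob": {"ls"}}   # constructed sudoers content

def pam_authenticate(user, password):
    """Step 1: credential check only."""
    return user in USERS and USERS[user]["password"] == password

def pam_acct_mgmt(user, service, gpo_service_map):
    """Step 2: account checks. The GPO logon-right check only fires when the
    PAM service is mapped to a Windows logon right; an unmapped service
    skips that check but still refuses locked accounts."""
    account = USERS[user]
    if account["locked"]:
        return "denied: account locked"
    right = gpo_service_map.get(service)
    if right is not None and right not in account["logon_rights"]:
        return f"denied: GPO logon right '{right}' not granted"
    return "ok"

def run_sudo(user, password, command, gpo_service_map):
    """Drive the three steps and report where (if anywhere) sudo stops."""
    if not pam_authenticate(user, password):
        return "denied: authentication failed"
    acct = pam_acct_mgmt(user, "sudo", gpo_service_map)
    if acct != "ok":
        return acct
    if command not in SUDOERS.get(user, set()):   # step 3: sudoers decides
        return "denied: not permitted by sudoers"
    return "allowed"

# Assumed mappings: sudo tied to the interactive logon right vs. unmapped.
MAP_SUDO_INTERACTIVE = {"sudo": "interactive"}
MAP_SUDO_UNMAPPED = {}

if __name__ == "__main__":
    print(run_sudo("alice", "s3cret", "ls", MAP_SUDO_INTERACTIVE))
    print(run_sudo("alice", "s3cret", "ls", MAP_SUDO_UNMAPPED))
    print(run_sudo("bob", "hunter2", "ls", MAP_SUDO_UNMAPPED))
```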