sts-sponsors team mailing list archive

[Bug 1572908] [NEW] sssd-ad pam_sss(cron:account): Access denied for user

 

You have been subscribed to a public bug by Eric Desrochers (slashd):

[Impact]

SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use
"cron" as a PAM service. This difference makes AD users have cron
blocked by default, instead of having it enabled.

[Test Case]

- With an Active Directory user created (e.g. logonuser@TESTS.LOCAL),
set a cron task:

logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
* * * * * true /tmp/crontest

- If the default is set to "crond" the task is blocked:

# ag pam /var/log/ | grep -i denied | head -n 2
/var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
/var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)

- Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to
the configuration file solves the issue.

[Regression potential]

Minimal. The default value does not apply to Debian/Ubuntu, and those
who added a configuration option to circumvent the issue
("ad_gpo_map_batch = +cron") will continue working after this patch is
applied.

[Other Info]

Upstream commit: 
https://github.com/SSSD/sssd/commit/bc65ba9a07a924a58b13a0d5a935114ab72b7524

[Original description]

User cron jobs have Access denied for user

Apr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert)
Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert

SSSD-AD login works, I also see my AD groups

Description:    Ubuntu 16.04 LTS
Release:        16.04

sssd:
  Installed: 1.13.4-1ubuntu1
  Candidate: 1.13.4-1ubuntu1
  Version table:
 *** 1.13.4-1ubuntu1 500
        500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
sssd-ad:
  Installed: 1.13.4-1ubuntu1
  Candidate: 1.13.4-1ubuntu1
  Version table:
 *** 1.13.4-1ubuntu1 500
        500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
libpam-sss:
  Installed: 1.13.4-1ubuntu1
  Candidate: 1.13.4-1ubuntu1
  Version table:
 *** 1.13.4-1ubuntu1 500
        500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = test.at

[nss]
default_shell = /bin/false

[domain/test.at]
decription = TEST - ActiveDirectory
enumerate = false
cache_credentials = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = test.at
access_provider = ad
subdomains_provider = none
ldap_use_tokengroups = false
dyndns_update = true
krb5_realm = TEST.AT
krb5_store_password_if_offline = true
ldap_id_mapping = false
krb5_keytab = /etc/krb5.host.keytab
ldap_krb5_keytab = /etc/krb5.host.keytab
ldap_use_tokengroups = false
ldap_referrals = false

** Affects: sssd (Ubuntu)
     Importance: Medium
     Assignee: Victor Tapia (vtapia)
         Status: Confirmed

** Affects: sssd (Ubuntu Xenial)
     Importance: Medium
     Assignee: Victor Tapia (vtapia)
         Status: New

** Affects: sssd (Ubuntu Bionic)
     Importance: Medium
     Assignee: Victor Tapia (vtapia)
         Status: New

** Affects: sssd (Ubuntu Cosmic)
     Importance: Medium
     Assignee: Victor Tapia (vtapia)
         Status: New

** Affects: sssd (Ubuntu Disco)
     Importance: Medium
     Assignee: Victor Tapia (vtapia)
         Status: Confirmed


** Tags: patch sts sts-sponsor
-- 
sssd-ad pam_sss(cron:account): Access denied for user
https://bugs.launchpad.net/bugs/1572908
You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report.
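
An added example, not part of the bug report or of SSSD: a shell triage for the symptom in the test case above, pulling the users that pam_sss denied for the "cron" service out of an auth log and checking whether sssd.conf carries the "ad_gpo_map_batch = +cron" workaround. The function names, result labels, sample file names and the sshd log line are constructed for illustration, and the "missing-batch-mapping" verdict assumes a package that still ships the "crond" default.

```shell
#!/bin/sh
# Added example (not from the bug report): triage pam_sss account denials
# for the "cron" PAM service against the batch mapping in sssd.conf.

# Print the unique users that pam_sss denied in the account phase.
# $1 = auth log, $2 = PAM service name (default: cron)
denied_users() {
    sed -n "s/.*pam_sss(${2:-cron}:account): Access denied for user \([^:]*\): .*/\1/p" "$1" | sort -u
}

# Succeed if an ad_gpo_map_batch line in sssd.conf ($1) adds service $2.
# The option takes a comma-separated list of +service / -service entries.
batch_maps_service() {
    grep -Eq "^[[:space:]]*ad_gpo_map_batch[[:space:]]*=(.*[[:space:],])?\+${2:-cron}([[:space:],]|\$)" "$1"
}

# Classify a host: $1 = auth log, $2 = sssd.conf
triage() {
    if [ -z "$(denied_users "$1" cron)" ]; then
        echo "no-cron-denials"
    elif batch_maps_service "$2" cron; then
        echo "denied-despite-batch-mapping"   # mapping present: review the GPO itself
    else
        echo "missing-batch-mapping"          # the situation described in this bug
    fi
}

# Constructed sample files; the two CRON lines are the ones quoted in the test case,
# the sshd line and both configuration files are made up for this example.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/auth.log" <<'EOF'
Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
Feb 21 11:02:07 xenial-sssd-ad sshd[2401]: pam_sss(sshd:account): Access denied for user other@tests.local: 6 (Permission denied)
EOF
printf '[domain/tests.local]\naccess_provider = ad\n' > "$SAMPLE_DIR/unfixed.conf"
printf '[domain/tests.local]\naccess_provider = ad\nad_gpo_map_batch = +cron\n' > "$SAMPLE_DIR/workaround.conf"

echo "denied users: $(denied_users "$SAMPLE_DIR/auth.log")"
echo "without workaround: $(triage "$SAMPLE_DIR/auth.log" "$SAMPLE_DIR/unfixed.conf")"
echo "with workaround:    $(triage "$SAMPLE_DIR/auth.log" "$SAMPLE_DIR/workaround.conf")"
```

Old log entries remain after the workaround is applied, so run the check against log lines written after SSSD was restarted with the new configuration.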