sts-sponsors team mailing list archive
-
sts-sponsors team
-
Mailing list archive
-
Message #01127
[Bug 1572908] [NEW] sssd-ad pam_sss(cron:account): Access denied for user
You have been subscribed to a public bug by Eric Desrochers (slashd):
[Impact]
SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use
"cron" as a PAM service. This difference makes AD users have cron
blocked by default, instead of having it enabled.
[Test Case]
- With an Active Directory user created (e.g. logonuser@TESTS.LOCAL),
set a cron task:
logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
* * * * * true /tmp/crontest
- If the default is set to "crond" the task is blocked:
# ag pam /var/log/ | grep -i denied | head -n 2
/var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
/var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
- Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to
the configuration file solves the issue.
[Regression potential]
Minimal. The default value does not apply to Debian/Ubuntu, and those
who added a configuration option to circumvent the issue
("ad_gpo_map_batch = +cron") will continue working after this patch is
applied.
[Other Info]
Upstream commit:
https://github.com/SSSD/sssd/commit/bc65ba9a07a924a58b13a0d5a935114ab72b7524
[Original description]
User cron jobs has Access denied for user
pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert)
Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert
SSSD-AD Login works, i see also my AD groups
Description: Ubuntu 16.04 LTS
Release: 16.04
sssd:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
sssd-ad:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
libpam-sss:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
/ect/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = test.at
[nss]
default_shell = /bin/false
[domain/test.at]
decription = TEST - ActiveDirectory
enumerate = false
cache_credentials = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = test.at
access_provider = ad
subdomains_provider = none
ldap_use_tokengroups = false
dyndns_update = true
krb5_realm = TEST.AT
krb5_store_password_if_offline = true
ldap_id_mapping = false
krb5_keytab = /etc/krb5.host.keytab
ldap_krb5_keytab = /etc/krb5.host.keytab
ldap_use_tokengroups = false
ldap_referrals = false
** Affects: sssd (Ubuntu)
Importance: Medium
Assignee: Victor Tapia (vtapia)
Status: Confirmed
** Affects: sssd (Ubuntu Xenial)
Importance: Medium
Assignee: Victor Tapia (vtapia)
Status: New
** Affects: sssd (Ubuntu Bionic)
Importance: Medium
Assignee: Victor Tapia (vtapia)
Status: New
** Affects: sssd (Ubuntu Cosmic)
Importance: Medium
Assignee: Victor Tapia (vtapia)
Status: New
** Affects: sssd (Ubuntu Disco)
Importance: Medium
Assignee: Victor Tapia (vtapia)
Status: Confirmed
** Tags: patch sts sts-sponsor
--
sssd-ad pam_sss(cron:account): Access denied for user
https://bugs.launchpad.net/bugs/1572908
You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report.
