** Description changed:

+ [Impact]
+ 
+ SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use
+ "cron" as a PAM service. This difference makes AD users have cron
+ blocked by default, instead of having it enabled.
+ 
+ [Test Case]
+ 
+ - With an Active Directory user created (e.g. logonuser@TESTS.LOCAL),
+ set a cron task:
+ 
+ logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
+ * * * * * true /tmp/crontest
+ 
+ - If the default is set to "crond" the task is blocked:
+ 
+ # ag pam /var/log/ | grep -i denied | head -n 2
+ /var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: 
pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 
(Permission denied)
+ /var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: 
pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 
(Permission denied)
+ 
+ - Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to
+ the configuration file solves the issue.
+ 
+ [Regression potential]
+ 
+ [Other Info]
+ 
+ [Original description]
+ 
  User cron jobs has Access denied for user
  
  pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for 
user XXXX: 6 (Zugriff verweigert)
  Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
  Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert
  
  SSSD-AD Login works, i see also my AD groups
  
- 
  Description:    Ubuntu 16.04 LTS
  Release:        16.04
  
  sssd:
-   Installed: 1.13.4-1ubuntu1
-   Candidate: 1.13.4-1ubuntu1
-   Version table:
-  *** 1.13.4-1ubuntu1 500
-         500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 1.13.4-1ubuntu1
+   Candidate: 1.13.4-1ubuntu1
+   Version table:
+  *** 1.13.4-1ubuntu1 500
+         500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+         100 /var/lib/dpkg/status
  sssd-ad:
-   Installed: 1.13.4-1ubuntu1
-   Candidate: 1.13.4-1ubuntu1
-   Version table:
-  *** 1.13.4-1ubuntu1 500
-         500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
-         100 /var/lib/dpkg/status
+   Installed: 1.13.4-1ubuntu1
+   Candidate: 1.13.4-1ubuntu1
+   Version table:
+  *** 1.13.4-1ubuntu1 500
+         500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+         100 /var/lib/dpkg/status
  libpam-sss:
-   Installed: 1.13.4-1ubuntu1
-   Candidate: 1.13.4-1ubuntu1
-   Version table:
-  *** 1.13.4-1ubuntu1 500
-         500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
-         100 /var/lib/dpkg/status
- 
+   Installed: 1.13.4-1ubuntu1
+   Candidate: 1.13.4-1ubuntu1
+   Version table:
+  *** 1.13.4-1ubuntu1 500
+         500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+         100 /var/lib/dpkg/status
  
  /ect/sssd/sssd.conf
  [sssd]
  services = nss, pam
  config_file_version = 2
  domains = test.at
  
  [nss]
  default_shell = /bin/false
  
  [domain/test.at]
  decription = TEST - ActiveDirectory
  enumerate = false
  cache_credentials = true
  id_provider = ad
  auth_provider = ad
  chpass_provider = ad
  ad_domain = test.at
  access_provider = ad
  subdomains_provider = none
  ldap_use_tokengroups = false
  dyndns_update = true
  krb5_realm = TEST.AT
  krb5_store_password_if_offline = true
  ldap_id_mapping = false
  krb5_keytab = /etc/krb5.host.keytab
  ldap_krb5_keytab = /etc/krb5.host.keytab
  ldap_use_tokengroups = false
  ldap_referrals = false
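
Review bot: [Regression potential] and [Other Info] are added as empty headings, so the new description says nothing about what the change could break. The [Impact] text states that the fix moves cron from blocked to enabled by default for AD users, and that belongs under [Regression potential]: sites that currently rely on the denial would see AD users' cron jobs start running after the update. In [Test Case], the crontab entry `* * * * * true /tmp/crontest` leaves nothing behind to check, so the only evidence is the auth.log denial. State the expected result after the fix (no new `pam_sss(cron:account): Access denied` lines for the user) or have the job write to /tmp/crontest.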

** Also affects: sssd (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: sssd (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: sssd (Ubuntu Disco)
   Importance: Undecided
       Status: Expired

** Also affects: sssd (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Changed in: sssd (Ubuntu Xenial)
     Assignee: (unassigned) => Victor Tapia (vtapia)

** Changed in: sssd (Ubuntu Bionic)
     Assignee: (unassigned) => Victor Tapia (vtapia)

** Changed in: sssd (Ubuntu Cosmic)
     Assignee: (unassigned) => Victor Tapia (vtapia)

** Changed in: sssd (Ubuntu Disco)
     Assignee: (unassigned) => Victor Tapia (vtapia)

https://bugs.launchpad.net/bugs/1572908

Title:
  sssd-ad pam_sss(cron:account): Access denied for user
