On Fri, 14 Nov 2014, Justean wrote:
I have one other possibly related question though. I also get access
denied errors in the logs for local service accounts running crons or
other services on my IPA client servers:

pam_sss(crond:account):Access denied for user username: 10 (User not known to the underlying authentication module)

pam_sss(sshd:account): Access denied for user username: 10 (User not known to the underlying authentication module)

su:
pam_sss(su-l:account): Access denied for user username: 10 (User not known to the underlying authentication module)

These crons still run but errors fill the logs. Since I can't add an
external user to an HBAC rule I am not sure how to rectify.
These messages can safely be ignored.

PAM is a _stack_, multiple modules can be combined to serve together.
It is perfectly OK and even expected that some modules in the stack will
not make a decision as they don't know about the user in question.

The second value in brackets is the type of PAM stack. In the log above
you have the account stack, and indeed one of the account modules has to succeed.

Most likely pam_sss is earlier than pam_unix.

You may see the reversed situation with pam_unix in the authentication
stack -- it will complain it doesn't know about users provided by SSSD.

However, it is all dependent on exact positioning of the modules in the
PAM stack.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
