** Description changed:
+ [Impact]
+
+ SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use
+ "cron" as a PAM service. This difference makes AD users have cron
+ blocked by default, instead of having it enabled.
+
+ [Test Case]
+
+ - With an Active Directory user created (e.g. logonuser@TESTS.LOCAL),
+ set a cron task:
+
+ logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
+ * * * * * true /tmp/crontest
+
+ - If the default is set to "crond" the task is blocked:
+
+ # ag pam /var/log/ | grep -i denied | head -n 2
+ /var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]:
pam_sss(cron:account): Access denied for user logonuser@tests.local: 6
(Permission denied)
+ /var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]:
pam_sss(cron:account): Access denied for user logonuser@tests.local: 6
(Permission denied)
+
+ - Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to
+ the configuration file solves the issue.
+
+ [Regression potential]
+
+ [Other Info]
+
+ [Original description]
+
User cron jobs has Access denied for user
pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for
user XXXX: 6 (Zugriff verweigert)
Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert
SSSD-AD Login works, i see also my AD groups
-
Description: Ubuntu 16.04 LTS
Release: 16.04
sssd:
- Installed: 1.13.4-1ubuntu1
- Candidate: 1.13.4-1ubuntu1
- Version table:
- *** 1.13.4-1ubuntu1 500
- 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
- 100 /var/lib/dpkg/status
+ Installed: 1.13.4-1ubuntu1
+ Candidate: 1.13.4-1ubuntu1
+ Version table:
+ *** 1.13.4-1ubuntu1 500
+ 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+ 100 /var/lib/dpkg/status
sssd-ad:
- Installed: 1.13.4-1ubuntu1
- Candidate: 1.13.4-1ubuntu1
- Version table:
- *** 1.13.4-1ubuntu1 500
- 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
- 100 /var/lib/dpkg/status
+ Installed: 1.13.4-1ubuntu1
+ Candidate: 1.13.4-1ubuntu1
+ Version table:
+ *** 1.13.4-1ubuntu1 500
+ 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+ 100 /var/lib/dpkg/status
libpam-sss:
- Installed: 1.13.4-1ubuntu1
- Candidate: 1.13.4-1ubuntu1
- Version table:
- *** 1.13.4-1ubuntu1 500
- 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
- 100 /var/lib/dpkg/status
-
+ Installed: 1.13.4-1ubuntu1
+ Candidate: 1.13.4-1ubuntu1
+ Version table:
+ *** 1.13.4-1ubuntu1 500
+ 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
+ 100 /var/lib/dpkg/status
/ect/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = test.at
[nss]
default_shell = /bin/false
[domain/test.at]
decription = TEST - ActiveDirectory
enumerate = false
cache_credentials = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = test.at
access_provider = ad
subdomains_provider = none
ldap_use_tokengroups = false
dyndns_update = true
krb5_realm = TEST.AT
krb5_store_password_if_offline = true
ldap_id_mapping = false
krb5_keytab = /etc/krb5.host.keytab
ldap_krb5_keytab = /etc/krb5.host.keytab
ldap_use_tokengroups = false
ldap_referrals = false
** Also affects: sssd (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: sssd (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: sssd (Ubuntu Disco)
Importance: Undecided
Status: Expired
** Also affects: sssd (Ubuntu Cosmic)
Importance: Undecided
Status: New
** Changed in: sssd (Ubuntu Xenial)
Assignee: (unassigned) => Victor Tapia (vtapia)
** Changed in: sssd (Ubuntu Bionic)
Assignee: (unassigned) => Victor Tapia (vtapia)
** Changed in: sssd (Ubuntu Cosmic)
Assignee: (unassigned) => Victor Tapia (vtapia)
** Changed in: sssd (Ubuntu Disco)
Assignee: (unassigned) => Victor Tapia (vtapia)
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1572908
Title:
sssd-ad pam_sss(cron:account): Access denied for user
Status in sssd package in Ubuntu:
Expired
Status in sssd source package in Xenial:
New
Status in sssd source package in Bionic:
New
Status in sssd source package in Cosmic:
New
Status in sssd source package in Disco:
Expired
Bug description:
[Impact]
SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use
"cron" as a PAM service. This difference makes AD users have cron
blocked by default, instead of having it enabled.
[Test Case]
- With an Active Directory user created (e.g. logonuser@TESTS.LOCAL),
set a cron task:
logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
* * * * * true /tmp/crontest
- If the default is set to "crond" the task is blocked:
# ag pam /var/log/ | grep -i denied | head -n 2
/var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]:
pam_sss(cron:account): Access denied for user logonuser@tests.local: 6
(Permission denied)
/var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]:
pam_sss(cron:account): Access denied for user logonuser@tests.local: 6
(Permission denied)
- Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to
the configuration file solves the issue.
[Regression potential]
[Other Info]
[Original description]
User cron jobs has Access denied for user
pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for
user XXXX: 6 (Zugriff verweigert)
Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert
SSSD-AD Login works, i see also my AD groups
Description: Ubuntu 16.04 LTS
Release: 16.04
sssd:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
sssd-ad:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
libpam-sss:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
100 /var/lib/dpkg/status
/ect/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = test.at
[nss]
default_shell = /bin/false
[domain/test.at]
decription = TEST - ActiveDirectory
enumerate = false
cache_credentials = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = test.at
access_provider = ad
subdomains_provider = none
ldap_use_tokengroups = false
dyndns_update = true
krb5_realm = TEST.AT
krb5_store_password_if_offline = true
ldap_id_mapping = false
krb5_keytab = /etc/krb5.host.keytab
ldap_krb5_keytab = /etc/krb5.host.keytab
ldap_use_tokengroups = false
ldap_referrals = false
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
