** Description changed: + [Impact] + + SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use + "cron" as a PAM service. This difference makes AD users have cron + blocked by default, instead of having it enabled. + + [Test Case] + + - With an Active Directory user created (e.g. logonuser@TESTS.LOCAL), + set a cron task: + + logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^# + * * * * * true /tmp/crontest + + - If the default is set to "crond" the task is blocked: + + # ag pam /var/log/ | grep -i denied | head -n 2 + /var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied) + /var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied) + + - Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to + the configuration file solves the issue. + + [Regression potential] + + [Other Info] + + [Original description] + User cron jobs has Access denied for user pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert) Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert SSSD-AD Login works, i see also my AD groups - Description: Ubuntu 16.04 LTS Release: 16.04 sssd: - Installed: 1.13.4-1ubuntu1 - Candidate: 1.13.4-1ubuntu1 - Version table: - *** 1.13.4-1ubuntu1 500 - 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages - 100 /var/lib/dpkg/status + Installed: 1.13.4-1ubuntu1 + Candidate: 1.13.4-1ubuntu1 + Version table: + *** 1.13.4-1ubuntu1 500 + 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages + 100 /var/lib/dpkg/status sssd-ad: - Installed: 1.13.4-1ubuntu1 - Candidate: 1.13.4-1ubuntu1 - Version table: - *** 1.13.4-1ubuntu1 500 - 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages - 100 
/var/lib/dpkg/status + Installed: 1.13.4-1ubuntu1 + Candidate: 1.13.4-1ubuntu1 + Version table: + *** 1.13.4-1ubuntu1 500 + 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages + 100 /var/lib/dpkg/status libpam-sss: - Installed: 1.13.4-1ubuntu1 - Candidate: 1.13.4-1ubuntu1 - Version table: - *** 1.13.4-1ubuntu1 500 - 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages - 100 /var/lib/dpkg/status - + Installed: 1.13.4-1ubuntu1 + Candidate: 1.13.4-1ubuntu1 + Version table: + *** 1.13.4-1ubuntu1 500 + 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages + 100 /var/lib/dpkg/status /ect/sssd/sssd.conf [sssd] services = nss, pam config_file_version = 2 domains = test.at [nss] default_shell = /bin/false [domain/test.at] decription = TEST - ActiveDirectory enumerate = false cache_credentials = true id_provider = ad auth_provider = ad chpass_provider = ad ad_domain = test.at access_provider = ad subdomains_provider = none ldap_use_tokengroups = false dyndns_update = true krb5_realm = TEST.AT krb5_store_password_if_offline = true ldap_id_mapping = false krb5_keytab = /etc/krb5.host.keytab ldap_krb5_keytab = /etc/krb5.host.keytab ldap_use_tokengroups = false ldap_referrals = false
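Review bot: the added [Regression potential] and [Other Info] headings are left empty. Since [Impact] and [Test Case] describe switching GPO_CROND from "crond" to "cron", the regression section should say what happens to hosts that already carry "ad_gpo_map_batch = +cron" or that depend on the old "crond" name. In [Test Case], the crontab entry "* * * * * true /tmp/crontest" leaves nothing to check on disk (true ignores its argument), so state the pass criterion explicitly, for example that the pam_sss(cron:account) "Access denied" lines stop appearing in auth.log once the fix is applied.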
** Also affects: sssd (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: sssd (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: sssd (Ubuntu Disco)
   Importance: Undecided
       Status: Expired

** Also affects: sssd (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Changed in: sssd (Ubuntu Xenial)
     Assignee: (unassigned) => Victor Tapia (vtapia)

** Changed in: sssd (Ubuntu Bionic)
     Assignee: (unassigned) => Victor Tapia (vtapia)

** Changed in: sssd (Ubuntu Cosmic)
     Assignee: (unassigned) => Victor Tapia (vtapia)

** Changed in: sssd (Ubuntu Disco)
     Assignee: (unassigned) => Victor Tapia (vtapia)

https://bugs.launchpad.net/bugs/1572908

Title:
  sssd-ad pam_sss(cron:account): Access denied for user

Status in sssd package in Ubuntu:
  Expired
Status in sssd source package in Xenial:
  New
Status in sssd source package in Bionic:
  New
Status in sssd source package in Cosmic:
  New
Status in sssd source package in Disco:
  Expired

Bug description:
  [Impact]

  SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use
  "cron" as a PAM service. This difference makes AD users have cron
  blocked by default, instead of having it enabled.

  [Test Case]

  - With an Active Directory user created (e.g. logonuser@TESTS.LOCAL),
  set a cron task:

  logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
  * * * * * true /tmp/crontest

  - If the default is set to "crond" the task is blocked:

  # ag pam /var/log/ | grep -i denied | head -n 2
  /var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
  /var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)

  - Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to
  the configuration file solves the issue.

  [Regression potential]

  [Other Info]

  [Original description]

  User cron jobs has Access denied for user

  pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert)
  Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
  Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert

  SSSD-AD Login works, i see also my AD groups

  Description:    Ubuntu 16.04 LTS
  Release:        16.04

  sssd:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  sssd-ad:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  libpam-sss:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  /ect/sssd/sssd.conf
  [sssd]
  services = nss, pam
  config_file_version = 2
  domains = test.at

  [nss]
  default_shell = /bin/false

  [domain/test.at]
  decription = TEST - ActiveDirectory
  enumerate = false
  cache_credentials = true
  id_provider = ad
  auth_provider = ad
  chpass_provider = ad
  ad_domain = test.at
  access_provider = ad
  subdomains_provider = none
  ldap_use_tokengroups = false
  dyndns_update = true
  krb5_realm = TEST.AT
  krb5_store_password_if_offline = true
  ldap_id_mapping = false
  krb5_keytab = /etc/krb5.host.keytab
  ldap_krb5_keytab = /etc/krb5.host.keytab
  ldap_use_tokengroups = false
  ldap_referrals = false
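
A triage sketch for the mismatch described in this report, added here as an example and not taken from the bug report or from SSSD: it pulls the PAM service name out of pam_sss account-phase denials and checks it against the batch mapping that sssd.conf yields. It models only ad_gpo_map_batch, assumes "crond" as the sole built-in batch entry (as the report states), and uses constructed log and config samples.

```python
import configparser
import re
from collections import Counter

# Per the report, SSSD's built-in batch mapping (GPO_CROND) is "crond".
BUILTIN_BATCH = {"crond"}
DENIED = re.compile(
    r"pam_sss\((?P<svc>[^:()]+):account\): Access denied for user \S+?: \d+ \(")

# Constructed sample input, modelled on the log excerpts in the report.
SAMPLE_LOG = """\
Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
Apr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert)
Feb 21 11:02:10 xenial-sssd-ad sshd[2401]: pam_sss(sshd:auth): authentication success; user=logonuser@tests.local
"""
# Constructed configs; the duplicated key mirrors the reporter's file.
CONF_DEFAULT = """\
[sssd]
services = nss, pam
domains = tests.local
[domain/tests.local]
id_provider = ad
access_provider = ad
ldap_use_tokengroups = false
ldap_use_tokengroups = false
"""
CONF_FIXED = CONF_DEFAULT + "ad_gpo_map_batch = +cron\n"

def effective_batch(conf_text):
    """Return {domain: batch PAM services} after applying ad_gpo_map_batch."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)  # strict=False tolerates the duplicated key
    result = {}
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        services = set(BUILTIN_BATCH)
        for item in cp.get(section, "ad_gpo_map_batch", fallback="").split(","):
            item = item.strip()
            if item.startswith("+"):      # "+name" adds to the built-in set
                services.add(item[1:].strip())
            elif item.startswith("-"):    # "-name" removes from it
                services.discard(item[1:].strip())
        result[section[len("domain/"):]] = services
    return result

def unmapped_denials(log_text, conf_text):
    """Count account-phase denials whose PAM service some domain does not map as batch."""
    per_domain = list(effective_batch(conf_text).values())
    mapped = set.intersection(*per_domain) if per_domain else set(BUILTIN_BATCH)
    hits = (m.group("svc") for m in DENIED.finditer(log_text))
    return Counter(s for s in hits if s not in mapped)
```

A denial that is still logged after the service is mapped points away from the name mismatch and toward the GPO itself.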