[Group.of.nepali.translators] [Bug 1572908] Re: sssd-ad pam_sss(cron:account): Access denied for user

Mon, 13 May 2019 02:00:22 -0700 

This bug was fixed in the package sssd - 1.16.3-3ubuntu1.1

---------------
sssd (1.16.3-3ubuntu1.1) disco; urgency=medium

  * d/p/GPO_CROND-customization.patch: Set GPO_CROND to cron instead of
    crond for Debian and Ubuntu (LP: #1572908)

 -- Victor Tapia <victor.ta...@canonical.com>  Mon, 11 Mar 2019 13:48:26
+0100

** Changed in: sssd (Ubuntu Disco)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1572908

Title:
  sssd-ad pam_sss(cron:account): Access denied for user

Status in sssd package in Ubuntu:
  Fix Released
Status in sssd source package in Xenial:
  Fix Committed
Status in sssd source package in Bionic:
  Fix Committed
Status in sssd source package in Cosmic:
  Fix Released
Status in sssd source package in Disco:
  Fix Released
Status in sssd source package in Eoan:
  Fix Released

Bug description:
  [Impact]

  SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use
  "cron" as a PAM service. This difference makes AD users have cron
  blocked by default, instead of having it enabled.

  [Test Case]

  - With an Active Directory user created (e.g. logonuser@TESTS.LOCAL),
  set a cron task:

  logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
  * * * * * true /tmp/crontest

  - If the default is set to "crond" the task is blocked:

  # ag pam /var/log/ | grep -i denied | head -n 2
  /var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: 
pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 
(Permission denied)
  /var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: 
pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 
(Permission denied)

  - Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to
  the configuration file solves the issue.

  [Regression potential]

  Minimal. The default value does not apply to Debian/Ubuntu, and those
  who added a configuration option to circumvent the issue
  ("ad_gpo_map_batch = +cron") will continue working after this patch is
  applied.

  [Other Info]

  Upstream commit:
  https://github.com/SSSD/sssd/commit/bc65ba9a07a924a58b13a0d5a935114ab72b7524

  # git describe --contains bc65ba9a07a924a58b13a0d5a935114ab72b7524
  sssd-2_1_0~14

  # rmadison sssd        
  => sssd | 1.13.4-1ubuntu1.13 | xenial-proposed                 
  => sssd | 1.16.1-1ubuntu1.1  | bionic-updates
  => sssd | 1.16.3-1ubuntu2    | cosmic          
  => sssd | 1.16.3-3ubuntu1    | disco                

  
  [Original description]

  User cron jobs has Access denied for user

  pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for 
user XXXX: 6 (Zugriff verweigert)
  Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
  Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert

  SSSD-AD Login works, i see also my AD groups

  Description:    Ubuntu 16.04 LTS
  Release:        16.04

  sssd:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  sssd-ad:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  libpam-sss:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  /ect/sssd/sssd.conf
  [sssd]
  services = nss, pam
  config_file_version = 2
  domains = test.at

  [nss]
  default_shell = /bin/false

  [domain/test.at]
  decription = TEST - ActiveDirectory
  enumerate = false
  cache_credentials = true
  id_provider = ad
  auth_provider = ad
  chpass_provider = ad
  ad_domain = test.at
  access_provider = ad
  subdomains_provider = none
  ldap_use_tokengroups = false
  dyndns_update = true
  krb5_realm = TEST.AT
  krb5_store_password_if_offline = true
  ldap_id_mapping = false
  krb5_keytab = /etc/krb5.host.keytab
  ldap_krb5_keytab = /etc/krb5.host.keytab
  ldap_use_tokengroups = false
  ldap_referrals = false

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp

Reply via email to