Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client
On Fri, 14 Nov 2014, Justean wrote:
> I have one other possibly related question though. I also get access denied errors in the logs for local service accounts running crons or other services on my IPA client servers:
>
> pam_sss(crond:account): Access denied for user username: 10 (User not known to the underlying authentication module)
> pam_sss(sshd:account): Access denied for user username: 10 (User not known to the underlying authentication module)
> su: pam_sss(su-l:account): Access denied for user username: 10 (User not known to the underlying authentication module)
>
> These crons still run but errors fill the logs. Since I can't add an external user to an HBAC rule I am not sure how to rectify.

These messages can safely be ignored. PAM is a _stack_, multiple modules can be combined to serve together. It is perfectly OK and even expected that some modules in the stack will not make a decision as they don't know about the user in question.

The second value in brackets is the type of PAM stack. In the log above you have account stack and indeed one of account modules has to succeed. Most likely pam_sss is earlier than pam_unix. You may see the reversed situation with pam_unix in the authentication stack -- it will complain it doesn't know about users provided by SSSD. However, it is all dependent on exact positioning of the modules in the PAM stack.

-- 
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
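The distinction Alexander draws above (a module that does not know the user versus a module that actually denies access) is easy to automate when triaging logs. The following is an added example, not code from the thread or from the FreeIPA/SSSD projects: it parses the `pam_sss(...:account): Access denied for user ...` message format quoted in the thread, treats return code 10 (PAM_USER_UNKNOWN) as benign only when the account is a local one that a later module such as pam_unix can vouch for, and separates it from code 6 (PAM_PERM_DENIED), which is what SSSD returns when an HBAC rule denies access. The sample log lines and the `LOCAL_USERS` set are constructed for the example; on a real host you would read `/etc/passwd` and the system log instead.

```python
"""Triage pam_sss "Access denied" account-stack messages (added example)."""
import re
from collections import Counter, defaultdict

# Return codes from Linux-PAM's _pam_types.h.
PAM_PERM_DENIED = 6     # SSSD returns this when an HBAC rule denies the request
PAM_USER_UNKNOWN = 10   # user is not in the IPA domain; another module must decide

# Matches the message format pam_sss uses for account-stack failures,
# e.g. "pam_sss(crond:account): Access denied for user backup: 10 (User not known ...)".
LINE_RE = re.compile(
    r"pam_sss\((?P<service>[^:()]+):(?P<stack>[^)]+)\): ?"
    r"Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)"
)

# Constructed sample data, modelled on the lines quoted in the thread.
LOCAL_USERS = {"backup", "monitor"}   # accounts present in the host's /etc/passwd
SAMPLE_LOG = """\
Nov 14 10:01:02 host crond[1234]: pam_sss(crond:account): Access denied for user backup: 10 (User not known to the underlying authentication module)
Nov 14 10:01:05 host sshd[1240]: pam_sss(sshd:account): Access denied for user monitor: 10 (User not known to the underlying authentication module)
Nov 14 10:02:00 host su: pam_sss(su-l:account): Access denied for user backup: 10 (User not known to the underlying authentication module)
Nov 14 10:05:00 host crond[1300]: pam_sss(crond:account): Access denied for user alice: 6 (Permission denied)
Nov 14 10:06:00 host sshd[1310]: pam_sss(sshd:account): Access denied for user ghost: 10 (User not known to the underlying authentication module)
Nov 14 10:07:00 host sshd[1311]: Accepted publickey for monitor from 192.0.2.10 port 4242
"""


def classify(line, local_users):
    """Describe one log line, or return None if it is not a pam_sss denial."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m["code"])
    user = m["user"]
    if code == PAM_USER_UNKNOWN and m["stack"] == "account":
        # pam_sss simply has no opinion about this user.  For a local account
        # the later pam_unix/pam_localuser module still grants access, so the
        # message is noise; a user known to neither side is a real problem.
        verdict = "benign" if user in local_users else "unknown-everywhere"
    elif code == PAM_PERM_DENIED:
        verdict = "hbac-denied"   # the actual deny decision; check HBAC rules
    else:
        verdict = "other"
    return {"service": m["service"], "stack": m["stack"], "user": user,
            "code": code, "verdict": verdict}


def triage(log_text, local_users):
    """Count events per verdict and per PAM service across a log excerpt."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        event = classify(line, local_users)
        if event:
            summary[event["verdict"]][event["service"]] += 1
    return summary


if __name__ == "__main__":
    for verdict, per_service in sorted(triage(SAMPLE_LOG, LOCAL_USERS).items()):
        print(f"{verdict:18s} {dict(per_service)}")
```

The `hbac-denied` bucket is the one worth acting on: each PAM service name that appears there (crond, sshd, su-l) is a candidate for an HBAC service entry, while the `benign` bucket can be filtered out of alerting as the reply above suggests.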
Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client
Ahh, I got you. We do use hbac rules, I did not think I need to add crond as a service to allow because it isn't even in the list of services available but I see that I do have to just manually add the service. Thank you, it is working now.

From: Rob Crittenden
To: Justean; "freeipa-users@redhat.com"
Sent: Friday, November 14, 2014 11:43 AM
Subject: Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

Justean wrote:
> Our Redhat 5.10 servers that were moved into our IPA domain cannot run
> any IPA user's crons; we can't even list the crons:
>
> crontab -l "you (/username/) are not allowed to access to (crontab)
> because of pam configuration"
>
> I don't know if I should be manually editing the
> /etc/pam.d/system-auth-ac and/or /etc/pam.d/crond to get this working
> and if so what I should put for the config.
>
> The client version is ipa-client-2.1.3-7.el5.x86_64 and the server
> version is ipa-server-3.0.0-42.el6.x86_64

I would suspect this is due to HBAC. Do you use the HBAC feature? Perhaps you need to add rules for these hosts.

rob
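The fix the thread arrives at (registering crond as an HBAC service and attaching it to a rule) can be scripted with the `ipa` CLI. The script below is an added example, not something posted in the thread; it assumes an admin Kerberos ticket (`kinit admin`), an existing HBAC rule whose name you pass in, and uses `ipa hbactest` to confirm the decision for a given user, host and service before anyone relies on it. Rule, host and user names in the usage line are placeholders. Setting `IPA="echo ipa"` turns it into a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: enrol PAM services as IPA HBAC services and attach them to
# an existing HBAC rule, then check the result with ipa hbactest.
set -eu

IPA="${IPA:-ipa}"   # set IPA="echo ipa" to print the commands instead of running them

# Register a PAM service name with IPA so HBAC rules can refer to it.
# crond is not in the default service list, so it must be added by hand.
# hbacsvc-add fails if the name already exists, which is fine under set -e.
hbac_register_service() {
    svc="$1"
    $IPA hbacsvc-add "$svc" --desc="PAM service $svc"
}

# Attach one or more HBAC services to an existing rule (RULE is a placeholder).
hbac_allow_services() {
    rule="$1"; shift
    for svc in "$@"; do
        $IPA hbacrule-add-service "$rule" --hbacsvcs="$svc"
    done
}

# Simulate an access request server-side without logging in on the client.
hbac_check() {
    user="$1"; host="$2"; svc="$3"
    $IPA hbactest --user="$user" --host="$host" --service="$svc"
}

# Usage (placeholders): enable cron for the hosts covered by RULE_NAME.
#   hbac_register_service crond
#   hbac_allow_services RULE_NAME crond
#   hbac_check USERNAME client.example.test crond
```

`ipa hbactest` reports which rules matched and whether access is granted, which is the quickest way to tell whether a remaining `6 (Permission denied)` line comes from a missing service, a missing host or a missing user in the rule.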
Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client
I have one other possibly related question though. I also get access denied errors in the logs for local service accounts running crons or other services on my IPA client servers:

pam_sss(crond:account): Access denied for user username: 10 (User not known to the underlying authentication module)
pam_sss(sshd:account): Access denied for user username: 10 (User not known to the underlying authentication module)
su: pam_sss(su-l:account): Access denied for user username: 10 (User not known to the underlying authentication module)

These crons still run but errors fill the logs. Since I can't add an external user to an HBAC rule I am not sure how to rectify.

From: Justean
To: Rob Crittenden; "freeipa-users@redhat.com"
Sent: Friday, November 14, 2014 12:24 PM
Subject: Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

Ahh, I got you. We do use hbac rules, I did not think I need to add crond as a service to allow because it isn't even in the list of services available but I see that I do have to just manually add the service. Thank you, it is working now.

From: Rob Crittenden
To: Justean; "freeipa-users@redhat.com"
Sent: Friday, November 14, 2014 11:43 AM
Subject: Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

Justean wrote:
> Our Redhat 5.10 servers that were moved into our IPA domain cannot run
> any IPA user's crons; we can't even list the crons:
>
> crontab -l "you (/username/) are not allowed to access to (crontab)
> because of pam configuration"
>
> I don't know if I should be manually editing the
> /etc/pam.d/system-auth-ac and/or /etc/pam.d/crond to get this working
> and if so what I should put for the config.
>
> The client version is ipa-client-2.1.3-7.el5.x86_64 and the server
> version is ipa-server-3.0.0-42.el6.x86_64

I would suspect this is due to HBAC. Do you use the HBAC feature? Perhaps you need to add rules for these hosts.

rob
Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client
Justean wrote:
> Our Redhat 5.10 servers that were moved into our IPA domain cannot run
> any IPA user's crons; we can't even list the crons:
>
> crontab -l "you (/username/) are not allowed to access to (crontab)
> because of pam configuration"
>
> I don't know if I should be manually editing the
> /etc/pam.d/system-auth-ac and/or /etc/pam.d/crond to get this working
> and if so what I should put for the config.
>
> The client version is ipa-client-2.1.3-7.el5.x86_64 and the server
> version is ipa-server-3.0.0-42.el6.x86_64

I would suspect this is due to HBAC. Do you use the HBAC feature? Perhaps you need to add rules for these hosts.

rob
[Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client
Our Redhat 5.10 servers that were moved into our IPA domain cannot run any IPA user's crons; we can't even list the crons:

crontab -l
"you (username) are not allowed to access to (crontab) because of pam configuration"

I don't know if I should be manually editing the /etc/pam.d/system-auth-ac and/or /etc/pam.d/crond to get this working and if so what I should put for the config.

The client version is ipa-client-2.1.3-7.el5.x86_64 and the server version is ipa-server-3.0.0-42.el6.x86_64