Thanks Pavel, I opened a Red Hat ticket that includes a couple of additional pieces of information, see here:
https://bugzilla.redhat.com/show_bug.cgi?id=869574

The problem appears under redhat5.

---
Olivier

2012/10/25 Pavel Březina <pbrez...@redhat.com>:
> On 10/23/2012 03:04 PM, Olivier wrote:
>>
>> Hello everyone,
>>
>> I have deployed sssd to authenticate users when they log in to my servers,
>> and that works well: thanks!
>>
>> However, since then users' cron jobs don't execute anymore.
>>
>> I suspect that this is a pam issue:
>>
>> # tail -f /var/log/cron
>> ...
>> Oct 23 14:35:01 boxmax crond[30085]: Autorisation refused
>> Oct 23 14:35:01 boxmax crond[30085]: CRON (john) ERROR: failed to open PAM security session: Mauvais descripteur de fichier
>> Oct 23 14:35:01 boxmax crond[30085]: CRON (john) ERROR: cannot set security context
>>
>> Here is the "boxmax" configuration:
>>
>> # cat /etc/issue
>> Red Hat Enterprise Linux Server release 5.5 (Tikanga)
>>
>> # cat /etc/pam.d/crond
>>
>> #
>> # The PAM configuration file for the cron daemon
>> #
>> #
>> auth sufficient pam_env.so
>> auth required pam_rootok.so
>> auth include system-auth
>> account required pam_access.so
>> account include system-auth
>> session required pam_loginuid.so
>> session include system-auth
>>
>> Here is an extract of my access.conf:
>>
>> # cat /etc/security/access.conf
>>
>> ...
>> +:network:ALL
>>
>> -:ALL:ALL
>>
>> John is a member of the ldap posixgroup "network".
>>
>> I know that this access rule and john's group are correctly set up,
>> since if I remove this rule: "+:reseau:ALL" then john can't log in
>> anymore (he properly does if I add the rule).
>>
>> I also have tested the new syntax in access.conf with no success:
>>
>> +:(reseau):ALL
>> -:ALL:ALL
>>
>> but it doesn't work either.
>>
>> If I try to add this line in access.conf:
>>
>> +:john:ALL
>> -:ALL:ALL
>>
>> Then it works: john's cron jobs are executed.
>>
>> It sounds like pam.d/crond doesn't get the user's groups?
>>
>> Could anyone help?
>>
>> Thanks.
>>
>>
>> For information, here is what my pam.d/ sshd and system-auth look like:
>>
>> # cat /etc/pam.d/sshd
>> #%PAM-1.0
>> auth include system-auth
>> account required pam_nologin.so
>> account include system-auth
>> password include system-auth
>> session optional pam_keyinit.so force revoke
>> session include system-auth
>> session required pam_loginuid.so
>>
>> # cat /etc/pam.d/system-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth required pam_env.so
>> auth sufficient pam_unix.so try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_sss.so use_first_pass
>> auth sufficient pam_ldap.so use_first_pass
>> auth required pam_deny.so
>>
>> account required pam_access.so
>> account required pam_unix.so broken_shadow
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>> account required pam_permit.so
>>
>> password requisite pam_cracklib.so try_first_pass retry=3
>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>> password sufficient pam_sss.so use_authtok
>> password sufficient pam_ldap.so use_authtok
>> password required pam_deny.so
>>
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session optional pam_mkhomedir.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>> session optional pam_sss.so
>> session optional pam_ldap.so
>
>
> Hi,
> the pam configuration looks good to me.
>
> Does the user have a password set?
>
> What do /var/log/secure, /var/log/audit/audit.log and /var/log/messages
> say?
>
> Thanks,
> Pavel.
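The three access.conf variants in the thread behave differently only in how pam_access resolves the user field, so here is a small, added model of that evaluation (example code written for this page, not pam_access itself or anything from the thread). It assumes a simplified subset of the real rule grammar: first matching rule wins, the user field is a login name, a group name or a `(group)`, and origins are `ALL` or an exact match; the `groups` argument stands in for whatever group list the NSS/sssd lookup returns to the cron daemon.

```python
# Simplified model of pam_access access.conf evaluation (assumption: first
# matching rule wins; only ALL, plain names, and (group) forms are handled;
# an empty rule set grants access, which is why "-:ALL:ALL" is used as the
# last line in practice).
from typing import Iterable, List, Tuple

Rule = Tuple[str, List[str], List[str]]  # (permission, users, origins)


def parse_access_conf(text: str) -> List[Rule]:
    """Parse 'permission:users:origins' lines; comments and blanks are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf rule: {raw!r}")
        perm, users, origins = fields
        rules.append((perm, users.split(), origins.split()))
    return rules


def user_matches(item: str, user: str, groups: Iterable[str]) -> bool:
    """Match one user-field entry the way the thread's three variants rely on."""
    groups = set(groups)
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):    # new syntax: group only
        return item[1:-1] in groups
    return item == user or item in groups              # old syntax: name, then group


def evaluate(rules: List[Rule], user: str, groups: Iterable[str],
             origin: str = "cron") -> bool:
    """Return True when access is granted for this user/group list/origin."""
    for perm, users, origins in rules:
        if (any(user_matches(u, user, groups) for u in users)
                and any(o in ("ALL", origin) for o in origins)):
            return perm == "+"
    return True  # no rule matched: pam_access permits by default


if __name__ == "__main__":
    # Constructed sample mirroring the thread's first variant.
    conf = parse_access_conf("+:network:ALL\n-:ALL:ALL\n")
    for groups in (["network"], []):  # group lookup works / group lookup fails
        print(f"john with groups {groups}: granted={evaluate(conf, 'john', groups)}")
```

Running it shows the symptom the thread describes: with the group resolved, `+:network:ALL` grants; with an empty group list the rule never matches and `-:ALL:ALL` denies, while `+:john:ALL` grants regardless of group resolution.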