** Description changed:

  [Impact]

  SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use "cron" as a PAM service. This difference makes AD users have cron blocked by default, instead of having it enabled.

  [Test Case]

  - With an Active Directory user created (e.g. logonuser@TESTS.LOCAL), set a cron task:

  logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
  * * * * * true /tmp/crontest

  - If the default is set to "crond" the task is blocked:

  # ag pam /var/log/ | grep -i denied | head -n 2
  /var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)
  /var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied)

  - Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to the configuration file solves the issue.

  [Regression potential]

  Minimal. The default value does not apply to Debian/Ubuntu, and those who added a configuration option to circumvent the issue ("ad_gpo_map_batch = +cron") will continue working after this patch is applied.
  [Other Info]

- Upstream commit:
+ Upstream commit: https://github.com/SSSD/sssd/commit/bc65ba9a07a924a58b13a0d5a935114ab72b7524
+
+ # git describe --contains bc65ba9a07a924a58b13a0d5a935114ab72b7524
+ sssd-2_1_0~14
+
+ # rmadison sssd
+ => sssd | 1.13.4-1ubuntu1.13 | xenial-proposed
+ => sssd | 1.16.1-1ubuntu1.1 | bionic-updates
+ => sssd | 1.16.3-1ubuntu2 | cosmic
+ => sssd | 1.16.3-3ubuntu1 | disco
+
  [Original description]

  User cron jobs has Access denied for user

  pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert)
  Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
  Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert

  SSSD-AD Login works, i see also my AD groups

  Description: Ubuntu 16.04 LTS
  Release: 16.04

  sssd:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  sssd-ad:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  libpam-sss:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  /ect/sssd/sssd.conf

  [sssd]
  services = nss, pam
  config_file_version = 2
  domains = test.at

  [nss]
  default_shell = /bin/false

  [domain/test.at]
  decription = TEST - ActiveDirectory
  enumerate = false
  cache_credentials = true
  id_provider = ad
  auth_provider = ad
  chpass_provider = ad
  ad_domain = test.at
  access_provider = ad
  subdomains_provider = none
  ldap_use_tokengroups = false
  dyndns_update = true
  krb5_realm = TEST.AT
  krb5_store_password_if_offline = true
  ldap_id_mapping = false
  krb5_keytab = /etc/krb5.host.keytab
  ldap_krb5_keytab = /etc/krb5.host.keytab
  ldap_use_tokengroups = false
  ldap_referrals = false

** Changed in: sssd (Ubuntu Disco)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/1572908

Title:
  sssd-ad pam_sss(cron:account): Access denied for user
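
Added example (not part of the bug report and not SSSD code): a Python check for the condition described under [Impact] and [Test Case], flagging AD domains in an sssd.conf whose batch mapping does not cover the "cron" PAM service and pulling the denied users out of auth.log lines. It assumes the pre-fix default batch mapping is only "crond", as the report states, and that a bare name in ad_gpo_map_batch behaves like "+name"; the function names and the sample config are constructed for illustration.

```python
import configparser
import re

# Pre-fix default named in the report (GPO_CROND); pass default={"cron"} for fixed builds.
DEFAULT_BATCH = {"crond"}
DENIED = re.compile(r"pam_sss\(cron:account\): Access denied for user (\S+):")

def batch_services(value, default=DEFAULT_BATCH):
    """Apply an ad_gpo_map_batch value ("+svc" adds, "-svc" removes) to the default set."""
    services = set(default)
    for item in (v.strip() for v in (value or "").split(",")):
        if item.startswith("-"):
            services.discard(item[1:])
        elif item:
            # Assumption: a bare name is treated like "+name".
            services.add(item.lstrip("+"))
    return services

def domains_blocking_cron(conf_text, default=DEFAULT_BATCH):
    """Return [domain/...] sections with access_provider = ad that do not map "cron"."""
    # strict=False: real files repeat keys (the reporter's has ldap_use_tokengroups twice).
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    return [
        name for name in cp.sections()
        if name.startswith("domain/")
        and cp.get(name, "access_provider", fallback="") == "ad"
        and "cron" not in batch_services(
            cp.get(name, "ad_gpo_map_batch", fallback=""), default)
    ]

def denied_cron_users(log_lines):
    """Users for whom pam_sss denied the cron account phase."""
    return sorted({m.group(1) for m in map(DENIED.search, log_lines) if m})

# Constructed sample: a trimmed config in the shape of the reporter's file.
SAMPLE_CONF = """\
[domain/test.at]
access_provider = ad
ldap_use_tokengroups = false
ldap_use_tokengroups = false
"""
# Log line as quoted in the test case of the report.
SAMPLE_LOG = ["Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): "
              "Access denied for user logonuser@tests.local: 6 (Permission denied)"]

if __name__ == "__main__":
    print(domains_blocking_cron(SAMPLE_CONF), denied_cron_users(SAMPLE_LOG))
    print(domains_blocking_cron(SAMPLE_CONF + "ad_gpo_map_batch = +cron\n"))
```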