[Bug 1572908] Re: sssd-ad pam_sss(cron:account): Access denied for user

Eric Desrochers eric.desrochers at canonical.com
Thu Mar 21 14:35:06 UTC 2019


** Description changed:

  [Impact]
  
  SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use
  "cron" as a PAM service. This difference makes AD users have cron
  blocked by default, instead of having it enabled.
  
  [Test Case]
  
  - With an Active Directory user created (e.g. logonuser at TESTS.LOCAL),
  set a cron task:
  
  logonuser at tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^#
  * * * * * true /tmp/crontest
  
  - If the default is set to "crond" the task is blocked:
  
  # ag pam /var/log/ | grep -i denied | head -n 2
  /var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser at tests.local: 6 (Permission denied)
  /var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser at tests.local: 6 (Permission denied)
  
  - Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to
  the configuration file solves the issue.
  
  [Regression potential]
  
  Minimal. The default value does not apply to Debian/Ubuntu, and those
  who added a configuration option to circumvent the issue
  ("ad_gpo_map_batch = +cron") will continue working after this patch is
  applied.
  
  [Other Info]
  
- Upstream commit: 
+ Upstream commit:
  https://github.com/SSSD/sssd/commit/bc65ba9a07a924a58b13a0d5a935114ab72b7524
+ 
+ # git describe --contains bc65ba9a07a924a58b13a0d5a935114ab72b7524
+ sssd-2_1_0~14
+ 
+ # rmadison sssd        
+ => sssd | 1.13.4-1ubuntu1.13 | xenial-proposed                 
+ => sssd | 1.16.1-1ubuntu1.1  | bionic-updates
+ => sssd | 1.16.3-1ubuntu2    | cosmic          
+ => sssd | 1.16.3-3ubuntu1    | disco                
+ 
  
  [Original description]
  
  User cron jobs has Access denied for user
  
  pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert)
  Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
  Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert
  
  SSSD-AD Login works, i see also my AD groups
  
  Description:    Ubuntu 16.04 LTS
  Release:        16.04
  
  sssd:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  sssd-ad:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  libpam-sss:
    Installed: 1.13.4-1ubuntu1
    Candidate: 1.13.4-1ubuntu1
    Version table:
   *** 1.13.4-1ubuntu1 500
          500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status
  
  /ect/sssd/sssd.conf
  [sssd]
  services = nss, pam
  config_file_version = 2
  domains = test.at
  
  [nss]
  default_shell = /bin/false
  
  [domain/test.at]
  decription = TEST - ActiveDirectory
  enumerate = false
  cache_credentials = true
  id_provider = ad
  auth_provider = ad
  chpass_provider = ad
  ad_domain = test.at
  access_provider = ad
  subdomains_provider = none
  ldap_use_tokengroups = false
  dyndns_update = true
  krb5_realm = TEST.AT
  krb5_store_password_if_offline = true
  ldap_id_mapping = false
  krb5_keytab = /etc/krb5.host.keytab
  ldap_krb5_keytab = /etc/krb5.host.keytab
  ldap_use_tokengroups = false
  ldap_referrals = false
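
Review bot: The rmadison listing added under [Other Info] gives versions but leaves the conclusion unstated, and it quotes the xenial-proposed pocket where the other series show the release or -updates pocket. git describe places the commit at sssd-2_1_0~14 and every listed version is 1.13.x or 1.16.x, so say outright that Xenial, Bionic, Cosmic and Disco all lack the fix, and give the Xenial version from -updates next to the -proposed one so the SRU baseline is unambiguous. The same edit drops the trailing space after "Upstream commit:" yet the added rmadison lines end in runs of spaces; strip those as well.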

** Changed in: sssd (Ubuntu Disco)
       Status: Confirmed => In Progress

https://bugs.launchpad.net/bugs/1572908

Title:
  sssd-ad pam_sss(cron:account): Access denied for user

Status in sssd package in Ubuntu:
  In Progress
Status in sssd source package in Xenial:
  New
Status in sssd source package in Bionic:
  New
Status in sssd source package in Cosmic:
  New
Status in sssd source package in Disco:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908/+subscriptions
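
A minimal audit for the mismatch this report describes, added here as an example and not taken from SSSD or the Ubuntu packaging: it flags sssd.conf domain sections that use access_provider = ad without mapping the "cron" PAM service into the batch set, and extracts the refused users from auth.log lines. The function names, the built-in set of only "crond" and the handling of bare names are assumptions; the sample data is constructed from the report.

```python
import configparser
import re

# Assumption: the built-in batch map holds only "crond", as the report says of GPO_CROND.
BUILTIN_BATCH = {"crond"}
DENIED = re.compile(r"pam_sss\((?P<svc>[^:)]+):account\): Access denied for user (?P<user>.+?): \d+ \(")

def effective_batch(option, builtin=BUILTIN_BATCH):
    """Apply the '+name' / '-name' entries of ad_gpo_map_batch to the built-in set."""
    services = set(builtin)
    for item in filter(None, (s.strip() for s in (option or "").split(","))):
        if item.startswith("-"):
            services.discard(item[1:].strip())
        else:  # a bare name is treated like '+name' in this sketch (assumption)
            services.add(item.lstrip("+").strip())
    return services

def unmapped_domains(conf_text, pam_service="cron"):
    """Domain sections with access_provider = ad whose batch map lacks pam_service."""
    # strict=False: the report's sssd.conf repeats ldap_use_tokengroups, which the
    # strict parser rejects with DuplicateOptionError.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    return [sec for sec in cp.sections()
            if sec.startswith("domain/")
            and cp.get(sec, "access_provider", fallback="") == "ad"
            and pam_service not in effective_batch(cp.get(sec, "ad_gpo_map_batch", fallback=""))]

def denied_users(log_lines, pam_service="cron"):
    """Users that pam_sss refused in the account phase of pam_service."""
    hits = (DENIED.search(line) for line in log_lines)
    return sorted({m["user"] for m in hits if m and m["svc"] == pam_service})

# Constructed sample input, modelled on the report's sssd.conf and auth.log line.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = test.at

[domain/test.at]
id_provider = ad
access_provider = ad
ldap_use_tokengroups = false
ldap_use_tokengroups = false
"""
SAMPLE_LOG = ["Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): "
              "Access denied for user logonuser at tests.local: 6 (Permission denied)"]
```

A domain that the first function lists, together with users returned by the second, matches the failure in this report; appending "ad_gpo_map_batch = +cron" to that domain section clears the first result.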


