sssd-ad pam_sss(cron:account): Access denied for user

Bug #1572908 reported by Franz on 2016-04-21
42
This bug affects 7 people
Affects Status Importance Assigned to Milestone
sssd (Ubuntu)
Status tracked in Eoan
Xenial
Medium
Victor Tapia
Bionic
Medium
Victor Tapia
Cosmic
Medium
Victor Tapia
Disco
Medium
Victor Tapia
Eoan
Medium
Victor Tapia

Bug Description

[Impact]

SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use "cron" as a PAM service. This difference makes AD users have cron blocked by default, instead of having it enabled.

[Test Case]

- With an Active Directory user created (e.g. <email address hidden>), set a cron task:

<email address hidden>@xenial-sssd-ad:~$ crontab -l | grep -v ^#
* * * * * true /tmp/crontest

- If the default is set to "crond" the task is blocked:

# ag pam /var/log/ | grep -i denied | head -n 2
/var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user <email address hidden>: 6 (Permission denied)
/var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user <email address hidden>: 6 (Permission denied)

- Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to the configuration file solves the issue.

[Regression potential]

Minimal. The default value does not apply to Debian/Ubuntu, and those who added a configuration option to circumvent the issue ("ad_gpo_map_batch = +cron") will continue working after this patch is applied.

[Other Info]

Upstream commit:
https://github.com/SSSD/sssd/commit/bc65ba9a07a924a58b13a0d5a935114ab72b7524

# git describe --contains bc65ba9a07a924a58b13a0d5a935114ab72b7524
sssd-2_1_0~14

# rmadison sssd
=> sssd | 1.13.4-1ubuntu1.13 | xenial-proposed
=> sssd | 1.16.1-1ubuntu1.1 | bionic-updates
=> sssd | 1.16.3-1ubuntu2 | cosmic
=> sssd | 1.16.3-3ubuntu1 | disco

[Original description]

User cron jobs has Access denied for user

pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert)
Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert

SSSD-AD Login works, i see also my AD groups

Description: Ubuntu 16.04 LTS
Release: 16.04

sssd:
  Installed: 1.13.4-1ubuntu1
  Candidate: 1.13.4-1ubuntu1
  Version table:
 *** 1.13.4-1ubuntu1 500
        500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
sssd-ad:
  Installed: 1.13.4-1ubuntu1
  Candidate: 1.13.4-1ubuntu1
  Version table:
 *** 1.13.4-1ubuntu1 500
        500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
libpam-sss:
  Installed: 1.13.4-1ubuntu1
  Candidate: 1.13.4-1ubuntu1
  Version table:
 *** 1.13.4-1ubuntu1 500
        500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

/ect/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = test.at

[nss]
default_shell = /bin/false

[domain/test.at]
decription = TEST - ActiveDirectory
enumerate = false
cache_credentials = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = test.at
access_provider = ad
subdomains_provider = none
ldap_use_tokengroups = false
dyndns_update = true
krb5_realm = TEST.AT
krb5_store_password_if_offline = true
ldap_id_mapping = false
krb5_keytab = /etc/krb5.host.keytab
ldap_krb5_keytab = /etc/krb5.host.keytab
ldap_use_tokengroups = false
ldap_referrals = false

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu):
status: New → Confirmed
Jakub Hrozek (jakub-hrozek) wrote :

Please follow https://fedorahosted.org/sssd/wiki/Troubleshooting to see why you're denied access, there is no way for anyone to make an informed decision without log files.

Also ldap_use_tokengroups = false is likely to have negative performance impact on your environment.

Lastly, drop ldap_use_tokengroups = false from the config file, it's already the default for the ad provider.

Jakub Hrozek (jakub-hrozek) wrote :

One though..in AD code we had some issues with GPO policy enforcement. You can test if its your case by setting:
ad_gpo_access_control = permissive

Franz (franz.pammer) wrote :

ad_gpo_access_control = permissive
works

now my user cronjobs works again

thx

Robie Basak (racb) wrote :

Thank you for helping with this Jakub. From Franz's response I presume this issue is now resolved? Setting this bug as Invalid accordingly. If this is incorrect please feel free to open with an explanation.

Changed in sssd (Ubuntu):
status: Confirmed → Invalid

On 05/03/2016 06:27 AM, Robie Basak wrote:
> Thank you for helping with this Jakub. From Franz's response I presume
> this issue is now resolved? Setting this bug as Invalid accordingly. If
> this is incorrect please feel free to open with an explanation.
>
> ** Changed in: sssd (Ubuntu)
> Status: Confirmed => Invalid
>

That is incorrect. By changing that setting, it actually disables policy
enforcement from AD (which is probably not what is desired).

The error code 6 indicates PAM_SYSTEM_ERR, which means that a bug happened and
SSSD was unable to make a proper determination of access (thus it defaults to
denial for safety).

So this is still a bug and logs will be needed to figure out what failed.

See: https://fedorahosted.org/sssd/wiki/Troubleshooting

Jakub Hrozek (jakub-hrozek) wrote :

6 is access denied, 4 would be system error :-)

I'm happy the workaround helps you, but it would still be nice to see the logs. We've had, for example, issues with certain GPO files not being INI-formatted (some lines were missing the equals sign) and at the moment sssd can't parse them. Or this can be a completely different issue...really, tough to say what's going on without the logs..

Timo Aaltonen (tjaalton) wrote :

reopening

Changed in sssd (Ubuntu):
status: Invalid → Confirmed
Wojciech Giel (wkg21) wrote :

Check if you have /var/lib/sss/gpo_cache/test.at directory. I had to crate manually both gpo_cache and mydomain.

mkdir -pv /var/lib/sss/gpo_cache/test.at
chown -R sssd. /var/lib/sss/gpo_cache
systemctl restart sssd

Timo Aaltonen (tjaalton) wrote :

just create /var/lib/sss/gpo_cache/ and chmod it, sssd should be able to create the subdirectory

supremesyntax (supremesyntax) wrote :

Same problem on xubuntu 16.10 incl. all updates.

Cronjob throws 'no permission' error.

Had to do both:
- create /var/lib/sss/gpo_cache/domain.lan
and add
- ad_gpo_access_control = permissive to sssd.conf

RN (rnickle-hccoll) wrote :

Is it possible to use local user access control for cron with /etc/security/access.conf?

+ : username : cron crond : ALL

Presuming I need to do this:

/etc/pam.d/cron:account required pam_access.so

Andreas Hasenack (ahasenack) wrote :

This seems to be the current troubleshooting guide:

https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

Please obtain relevant log files and attach them to this bug, otherwise we won't be able to make progress.

Thanks

Changed in sssd (Ubuntu):
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for sssd (Ubuntu) because there has been no activity for 60 days.]

Changed in sssd (Ubuntu):
status: Incomplete → Expired
syed abu zain (syed.zain) wrote :

I am getting the same error. It looks like the below site ha expired:
https://fedorahosted.org/sssd/wiki/Troubleshooting

Please suggest.

According to man sssd-ad, the default configuration of sssd should allow cron jobs to be run:
---
       ad_gpo_map_batch (string)
           A comma-separated list of PAM service names for which GPO-based access control is evaluated based on the BatchLogonRight and DenyBatchLogonRight policy settings.

           Note: Using the Group Policy Management Editor this value is called "Allow log on as a batch job" and "Deny log on as a batch job".

           It is possible to add another PAM service name to the default set by using “+service_name” or to explicitly remove a PAM service name from the default set by using “-service_name”. For example, in order to replace a default PAM
           service name for this logon right (e.g. “crond”) with a custom pam service name (e.g. “my_pam_service”), you would use the following configuration:

               ad_gpo_map_batch = +my_pam_service, -crond

           Default: the default set of PAM service names includes:

           · crond
---

Could it be that the service name in Ubuntu differs from the configured service name (crond).

From the log:
Feb 8 10:40:01 host CRON[10308]: pam_sss(cron:account): Access denied for user someone: 6 (Permission denied)

Mateusz Pawlowski (teluka) wrote :

As johannes-martin pointed out default value for ad_gpo_map_batch doesn't work on Ubuntu Xenial and newer because cron service runs as cron not crond.

Solution to this issue would be listing cron as PAM service name and restarting sssd.

ad_gpo_map_batch = +cron

Victor Tapia (vtapia) on 2019-02-25
description: updated
Changed in sssd (Ubuntu Xenial):
assignee: nobody → Victor Tapia (vtapia)
Changed in sssd (Ubuntu Bionic):
assignee: nobody → Victor Tapia (vtapia)
Changed in sssd (Ubuntu Cosmic):
assignee: nobody → Victor Tapia (vtapia)
Changed in sssd (Ubuntu Disco):
assignee: nobody → Victor Tapia (vtapia)
Victor Tapia (vtapia) on 2019-02-28
Changed in sssd (Ubuntu Disco):
status: Expired → Confirmed
importance: Undecided → Medium
Victor Tapia (vtapia) on 2019-02-28
description: updated
Victor Tapia (vtapia) wrote :
tags: added: sts
Victor Tapia (vtapia) wrote :
Victor Tapia (vtapia) wrote :
Victor Tapia (vtapia) wrote :

The attachment "disco-sssd-gpo.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Dan Streetman (ddstreet) on 2019-03-11
tags: added: sts-sponsor
Changed in sssd (Ubuntu Xenial):
importance: Undecided → Medium
Changed in sssd (Ubuntu Bionic):
importance: Undecided → Medium
Changed in sssd (Ubuntu Cosmic):
importance: Undecided → Medium
Eric Desrochers (slashd) on 2019-03-21
description: updated
Changed in sssd (Ubuntu Disco):
status: Confirmed → In Progress
Dan Streetman (ddstreet) wrote :

note: waiting until after disco release to upload this due to freeze.

Victor Tapia (vtapia) wrote :
Victor Tapia (vtapia) wrote :

The fix is included in sssd 1.16.4, currently in debian experimental

Eric Desrochers (slashd) wrote :

Sponsored for 'eoan', considering the patch is merged upstream and already part of debian.

Nitpick:
- Rename quilt patch d/p/GPO_CROND-customization.diff to d/p/GPO_CROND-customization.patch
- Rework the DEP3 header

Note for next sponsoring (Disco debdiff) I haven't look others yet.
A quick look at the Disco debdiff, the actual proposed disco version would need to be changed from "1.16.3-3ubuntu2" to "1.16.3-3ubuntu1.1"

Thanks
Eric

Changed in sssd (Ubuntu Eoan):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.16.3-3ubuntu2

---------------
sssd (1.16.3-3ubuntu2) eoan; urgency=medium

  * d/p/GPO_CROND-customization.patch: Set GPO_CROND to cron instead of
    crond for Debian and Ubuntu (LP: #1572908)

 -- Victor Tapia <email address hidden> Mon, 23 Apr 2019 13:48:26 +0100

Changed in sssd (Ubuntu Eoan):
status: Fix Committed → Fix Released
Eric Desrochers (slashd) wrote :

# Pending SRU page :
xenial
Package -release -updates -proposed (signer, creator) changelog bugs days
sssd 1.13.4-1ubuntu1 1.13.4-1ubuntu1.12 1.13.4-1ubuntu1.13 (ahasenack) 1722936 1793882 52

I left an irc message to andreas for him to have a look.

The above is blocking us to sponsor 'X' but we can sponsor D, C & B for now.
'X' will need to wait until it is released.

Regards,
Eric

Changed in sssd (Ubuntu Cosmic):
status: New → In Progress
Changed in sssd (Ubuntu Bionic):
status: New → In Progress
Changed in sssd (Ubuntu Xenial):
status: New → Confirmed
Eric Desrochers (slashd) wrote :

Sponsored for D/C/B/X.

Thanks Victor !

Changed in sssd (Ubuntu Xenial):
status: Confirmed → In Progress

Hello Franz, or anyone else affected,

Accepted sssd into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.16.3-1ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sssd (Ubuntu Cosmic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Changed in sssd (Ubuntu Disco):
status: In Progress → Fix Committed
tags: added: verification-needed-disco
Timo Aaltonen (tjaalton) wrote :

Hello Franz, or anyone else affected,

Accepted sssd into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.16.3-3ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sssd (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Timo Aaltonen (tjaalton) wrote :

Hello Franz, or anyone else affected,

Accepted sssd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.16.1-1ubuntu1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sssd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Timo Aaltonen (tjaalton) wrote :

Hello Franz, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.14 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Victor Tapia (vtapia) wrote :
Download full text (4.0 KiB)

# VERIFICATION: BIONIC
- Before the upgrade, the cron job does not run:
ubuntu@bionic-sssd-ad:~$ dpkg -l|grep sssd
ii sssd 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- common files
ii sssd-dbus 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- D-Bus responder
ii sssd-ipa 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- proxy back end
ii sssd-tools 1.16.1-1ubuntu1.1 amd64 System Security Services Daemon -- tools

ubuntu@bionic-sssd-ad:~$ sudo tail /var/spool/cron/crontabs/logonuser\@tests.local | grep -v ^#
* * * * * touch /tmp/crontest

ubuntu@bionic-sssd-ad:~$ tail -n20 /var/log/syslog | grep -i CRON
May 6 11:04:01 bionic-sssd-ad cron[933]: Permission denied
May 6 11:04:01 bionic-sssd-ad CRON[4605]: Permission denied

ubuntu@bionic-sssd-ad:~$ date
Mon May 6 11:04:22 UTC 2019

- Using the version in -proposed, the cron job works:

ubuntu@bionic-sssd-ad:~$ dpkg -l | grep sssd
ii sssd 1.16.1-1ubuntu1.2 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.16.1-1ubuntu1.2 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.16.1-1ubuntu1.2 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.16.1-1ubuntu1.2 amd64 System Security Services Daemon -- common files
ii sssd-dbus 1.16.1-1ubuntu1.2 amd64 System Security Services Daemon -- D-Bus responder
ii sssd-ipa 1.16.1-1ubuntu1.2 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.16.1-1ubuntu1.2 amd64 System Security Services Daemon -- Kerberos ba...

Read more...

Victor Tapia (vtapia) wrote :
Download full text (3.9 KiB)

# VERIFICATION: COSMIC
- Before the upgrade, the cron job does not run:

ubuntu@cosmic-sssd-ad:~$ tail /var/log/syslog | grep -i cron
May 6 12:02:01 cosmic-sssd-ad cron[18740]: Permission denied
May 6 12:02:01 cosmic-sssd-ad CRON[18771]: Permission denied

ubuntu@cosmic-sssd-ad:~$ date
Mon May 6 12:02:23 UTC 2019

ubuntu@cosmic-sssd-ad:~$ sudo tail /var/spool/cron/crontabs/logonuser\@tests.local | grep -v ^#
* * * * * touch /tmp/crontest

ubuntu@cosmic-sssd-ad:~$ dpkg -l |grep sssd
ii sssd 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- common files
ii sssd-dbus 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- D-Bus responder
ii sssd-ipa 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- proxy back end
ii sssd-tools 1.16.3-1ubuntu2 amd64 System Security Services Daemon -- tools

- Using the version in -proposed, the cron job works:

ubuntu@cosmic-sssd-ad:~$ dpkg -l | grep sssd
ii sssd 1.16.3-1ubuntu2.1 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.16.3-1ubuntu2.1 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.16.3-1ubuntu2.1 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.16.3-1ubuntu2.1 amd64 System Security Services Daemon -- common files
ii sssd-dbus 1.16.3-1ubuntu2.1 amd64 System Security Services Daemon -- D-Bus responder
ii sssd-ipa 1.16.3-1ubuntu2.1 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.16.3-1ubuntu2.1 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.16.3-1ubuntu2.1 amd64 System Security Services Daemon -- Kerberos he...

Read more...

Victor Tapia (vtapia) wrote :
Download full text (4.2 KiB)

# VERIFICATION: DISCO
- Before the upgrade, the cron job does not run:

ubuntu@disco-sssd-ad:~$ date
Mon May 6 11:30:29 UTC 2019
ubuntu@disco-sssd-ad:~$ tail /var/log/syslog | grep -i cron
May 6 11:30:02 disco-sssd-ad cron[690]: Permission denied
May 6 11:30:02 disco-sssd-ad CRON[14325]: Permission denied
ubuntu@disco-sssd-ad:~$ sudo tail /var/spool/cron/crontabs/logonuser\@tests.local | grep -v ^#
* * * * * touch /tmp/crontest
ubuntu@disco-sssd-ad:~$ dpkg -l | grep sssd
ii sssd 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- common files
ii sssd-dbus 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- D-Bus responder
ii sssd-ipa 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- IPA back end
ii sssd-kcm 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- Kerberos KCM server implementation
ii sssd-krb5 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- proxy back end
ii sssd-tools 1.16.3-3ubuntu1 amd64 System Security Services Daemon -- tools

- Using the version in -proposed, the cron job works:

ubuntu@disco-sssd-ad:~$ dpkg -l | grep sssd
ii sssd 1.16.3-3ubuntu1.1 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.16.3-3ubuntu1.1 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.16.3-3ubuntu1.1 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.16.3-3ubuntu1.1 amd64 System Security Services Daemon -- common files
ii sssd-dbus 1.16.3-3ubuntu1.1 amd64 System Security Services Daemon -- D-Bus responder
ii sssd-ipa 1.16.3-3ubuntu1.1 amd64 System Security Services Daemon -- IPA back end
ii sssd-kcm 1.16.3-3ubuntu1.1 amd64 System Security Services Daemon -- Kerberos ...

Read more...

Victor Tapia (vtapia) wrote :
Download full text (3.8 KiB)

# VERIFICATION: XENIAL
- Before the upgrade, the cron job does not run:

ubuntu@xenial-sssd-ad:~$ dpkg -l | grep sssd
ii sssd 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- proxy back end
ii sssd-tools 1.13.4-1ubuntu1.13 amd64 System Security Services Daemon -- tools

ubuntu@xenial-sssd-ad:~$ tail /var/log/syslog -n20 | grep -i cron | tail -n2
May 6 14:54:01 xenial-sssd-ad cron[1048]: Permission denied
May 6 14:54:01 xenial-sssd-ad CRON[24800]: Permission denied
ubuntu@xenial-sssd-ad:~$ date
Mon May 6 14:54:33 UTC 2019
ubuntu@xenial-sssd-ad:~$ sudo tail /var/spool/cron/crontabs/logonuser\@tests.local | grep -v ^#
* * * * * touch /tmp/crontest

- Using the version in -proposed, the cron job works:

ubuntu@xenial-sssd-ad:~$ dpkg -l | grep sssd
ii sssd 1.13.4-1ubuntu1.14 amd64 System Security Services Daemon -- metapackage
ii sssd-ad 1.13.4-1ubuntu1.14 amd64 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.13.4-1ubuntu1.14 amd64 System Security Services Daemon -- PAC responder
ii sssd-common 1.13.4-1ubuntu1.14 amd64 System Security Services Daemon -- common files
ii sssd-ipa 1.13.4-1ubuntu1.14 amd64 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.13.4-1ubuntu1.14 amd64 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.13.4-1ubuntu1.14 amd64 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.13.4-1ubuntu1.14 amd64 System Security Services Daemon -- LDAP back e...

Read more...

tags: added: verification-done verification-done-bionic verification-done-cosmic verification-done-disco verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-disco verification-needed-xenial

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.16.3-3ubuntu1.1

---------------
sssd (1.16.3-3ubuntu1.1) disco; urgency=medium

  * d/p/GPO_CROND-customization.patch: Set GPO_CROND to cron instead of
    crond for Debian and Ubuntu (LP: #1572908)

 -- Victor Tapia <email address hidden> Mon, 11 Mar 2019 13:48:26 +0100

Changed in sssd (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.16.3-1ubuntu2.1

---------------
sssd (1.16.3-1ubuntu2.1) cosmic; urgency=medium

  * d/p/GPO_CROND-customization.patch: Set GPO_CROND to cron instead of
    crond for Debian and Ubuntu (LP: #1572908)

 -- Victor Tapia <email address hidden> Wed, 27 Feb 2019 15:57:53 +0100

Changed in sssd (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.16.1-1ubuntu1.2

---------------
sssd (1.16.1-1ubuntu1.2) bionic; urgency=medium

  * d/p/GPO_CROND-customization.patch: Set GPO_CROND to cron instead of
    crond for Debian and Ubuntu (LP: #1572908)

 -- Victor Tapia <email address hidden> Wed, 27 Feb 2019 14:53:11 +0100

Changed in sssd (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.14

---------------
sssd (1.13.4-1ubuntu1.14) xenial; urgency=medium

  * d/p/GPO_CROND-customization.patch: Set GPO_CROND to cron instead of
    crond for Debian and Ubuntu (LP: #1572908)

 -- Victor Tapia <email address hidden> Mon, 11 Mar 2019 15:30:35 +0100

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers