sssd-ad pam_sss(cron:account): Access denied for user
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
sssd (Ubuntu) | Fix Released | Medium | Victor Tapia | |
Xenial | Fix Released | Medium | Victor Tapia | |
Bionic | Fix Released | Medium | Victor Tapia | |
Cosmic | Fix Released | Medium | Victor Tapia | |
Disco | Fix Released | Medium | Victor Tapia | |
Eoan | Fix Released | Medium | Victor Tapia | |
Bug Description
[Impact]
SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use "cron" as a PAM service. This difference makes AD users have cron blocked by default, instead of having it enabled.
[Test Case]
- With an Active Directory user created (e.g. <email address hidden>), set a cron task:
<email address hidden>
* * * * * true /tmp/crontest
- If the default is set to "crond" the task is blocked:
# ag pam /var/log/ | grep -i denied | head -n 2
/var/log/
/var/log/
- Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to the configuration file solves the issue.
[Regression potential]
Minimal. The default value does not apply to Debian/Ubuntu, and those who added a configuration option to circumvent the issue ("ad_gpo_map_batch = +cron") will continue working after this patch is applied.
[Other Info]
Upstream commit:
https:/
# git describe --contains bc65ba9a07a924a
sssd-2_1_0~14
# rmadison sssd
=> sssd | 1.13.4-1ubuntu1.13 | xenial-proposed
=> sssd | 1.16.1-1ubuntu1.1 | bionic-updates
=> sssd | 1.16.3-1ubuntu2 | cosmic
=> sssd | 1.16.3-3ubuntu1 | disco
[Original description]
User cron jobs have "Access denied for user"
Apr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(
Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert
Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert
SSSD-AD login works; I also see my AD groups
Description: Ubuntu 16.04 LTS
Release: 16.04
sssd:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://
100 /var/lib/
sssd-ad:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://
100 /var/lib/
libpam-sss:
Installed: 1.13.4-1ubuntu1
Candidate: 1.13.4-1ubuntu1
Version table:
*** 1.13.4-1ubuntu1 500
500 http://
100 /var/lib/
/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = test.at
[nss]
default_shell = /bin/false
[domain/test.at]
decription = TEST - ActiveDirectory
enumerate = false
cache_credentials = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = test.at
access_provider = ad
subdomains_provider = none
ldap_use_
dyndns_update = true
krb5_realm = TEST.AT
krb5_store_
ldap_id_mapping = false
krb5_keytab = /etc/krb5.
ldap_krb5_keytab = /etc/krb5.
ldap_use_
ldap_referrals = false
description: updated
Changed in sssd (Ubuntu Xenial):
assignee: nobody → Victor Tapia (vtapia)
Changed in sssd (Ubuntu Bionic):
assignee: nobody → Victor Tapia (vtapia)
Changed in sssd (Ubuntu Cosmic):
assignee: nobody → Victor Tapia (vtapia)
Changed in sssd (Ubuntu Disco):
assignee: nobody → Victor Tapia (vtapia)
Changed in sssd (Ubuntu Disco):
status: Expired → Confirmed
importance: Undecided → Medium
description: updated
tags: added: sts-sponsor
Changed in sssd (Ubuntu Xenial):
importance: Undecided → Medium
Changed in sssd (Ubuntu Bionic):
importance: Undecided → Medium
Changed in sssd (Ubuntu Cosmic):
importance: Undecided → Medium
description: updated
Changed in sssd (Ubuntu Disco):
status: Confirmed → In Progress
Status changed to 'Confirmed' because the bug affects multiple users.
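
An added example (not from the bug report or from SSSD) that models the mismatch described under [Impact]: it computes the effective batch-logon PAM service set from `ad_gpo_map_batch` and lists users whose `pam_sss(cron:account)` denials occur while `cron` is missing from that set. The host, users, `example.test` domain, log lines and helper names are constructed, and treating a bare service name like `+name` is an assumption.

```python
import configparser
import re

# Per the bug report, SSSD's built-in batch default (GPO_CROND) is "crond".
DEFAULT_BATCH_MAP = {"crond"}
DENIED = re.compile(
    r"pam_sss\((?P<svc>[^:)]+):account\): Access denied for user (?P<user>[^\s:]+)"
)

# Constructed sample inputs (hypothetical host, users and domain).
SAMPLE_LOG = [
    "Apr 21 11:05:02 host1 CRON[6848]: pam_sss(cron:account): "
    "Access denied for user aduser: 6 (Permission denied)",
    "Apr 21 11:05:09 host1 sshd[7001]: pam_sss(sshd:account): "
    "Access denied for user other: 6 (Permission denied)",
]
CONF_DEFAULT = "[domain/example.test]\naccess_provider = ad\n"
CONF_WORKAROUND = CONF_DEFAULT + "ad_gpo_map_batch = +cron\n"


def effective_batch_map(sssd_conf_text, domain):
    """Apply the domain's ad_gpo_map_batch entries to the built-in default set."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(sssd_conf_text)
    raw = cfg.get(f"domain/{domain}", "ad_gpo_map_batch", fallback="")
    services = set(DEFAULT_BATCH_MAP)
    for entry in (e.strip() for e in raw.split(",")):
        if entry.startswith("-"):
            services.discard(entry[1:])  # "-name" removes a default
        elif entry:
            # "+name" adds; assumption: a bare name is treated the same way.
            services.add(entry.lstrip("+"))
    return services


def unmapped_cron_denials(log_lines, batch_map, cron_service="cron"):
    """Users denied at the account phase for a cron service missing from the map."""
    if cron_service in batch_map:
        return []  # service is mapped, so this mismatch does not explain a denial
    hits = {m["user"] for m in map(DENIED.search, log_lines)
            if m and m["svc"] == cron_service}
    return sorted(hits)


if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT), ("workaround", CONF_WORKAROUND)):
        services = effective_batch_map(conf, "example.test")
        print(name, sorted(services), unmapped_cron_denials(SAMPLE_LOG, services))
```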