** Description changed: [Impact] SSSD has GPO_CROND set to "crond" in its code while Debian/Ubuntu use "cron" as a PAM service. This difference makes AD users have cron blocked by default, instead of having it enabled. [Test Case] - With an Active Directory user created (e.g. logonuser@TESTS.LOCAL), set a cron task: logonuser@tests.local@xenial-sssd-ad:~$ crontab -l | grep -v ^# * * * * * true /tmp/crontest - If the default is set to "crond" the task is blocked: # ag pam /var/log/ | grep -i denied | head -n 2 /var/log/auth.log.1:772:Feb 21 11:00:01 xenial-sssd-ad CRON[2387]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied) /var/log/auth.log.1:773:Feb 21 11:01:01 xenial-sssd-ad CRON[2390]: pam_sss(cron:account): Access denied for user logonuser@tests.local: 6 (Permission denied) - Setting GPO_CROND to "cron" or adding "ad_gpo_map_batch = +cron" to the configuration file solves the issue. [Regression potential] + Minimal. The default value does not apply to Debian/Ubuntu, and those + who added a configuration option to circumvent the issue + ("ad_gpo_map_batch = +cron") will continue working after this patch is + applied. + [Other Info] + + Upstream commit: + https://github.com/SSSD/sssd/commit/bc65ba9a07a924a58b13a0d5a935114ab72b7524 [Original description] User cron jobs has Access denied for user pr 21 11:05:02 edvlw08 CRON[6848]: pam_sss(cron:account): Access denied for user XXXX: 6 (Zugriff verweigert) Apr 21 11:05:02 edvlw08 CRON[6848]: Zugriff verweigert Apr 21 11:05:02 edvlw08 cron[965]: Zugriff verweigert SSSD-AD Login works, i see also my AD groups Description: Ubuntu 16.04 LTS Release: 16.04 sssd: Installed: 1.13.4-1ubuntu1 Candidate: 1.13.4-1ubuntu1 Version table: *** 1.13.4-1ubuntu1 500 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status sssd-ad: Installed: 1.13.4-1ubuntu1 Candidate: 1.13.4-1ubuntu1 Version table: *** 1.13.4-1ubuntu1 500 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status libpam-sss: Installed: 1.13.4-1ubuntu1 Candidate: 1.13.4-1ubuntu1 Version table: *** 1.13.4-1ubuntu1 500 500 http://at.archive.ubuntu.com/ubuntu xenial/main amd64 Packages 100 /var/lib/dpkg/status /ect/sssd/sssd.conf [sssd] services = nss, pam config_file_version = 2 domains = test.at [nss] default_shell = /bin/false [domain/test.at] decription = TEST - ActiveDirectory enumerate = false cache_credentials = true id_provider = ad auth_provider = ad chpass_provider = ad ad_domain = test.at access_provider = ad subdomains_provider = none ldap_use_tokengroups = false dyndns_update = true krb5_realm = TEST.AT krb5_store_password_if_offline = true ldap_id_mapping = false krb5_keytab = /etc/krb5.host.keytab ldap_krb5_keytab = /etc/krb5.host.keytab ldap_use_tokengroups = false ldap_referrals = false
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1572908 Title: sssd-ad pam_sss(cron:account): Access denied for user To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs