Bug 2070325

Summary: sssd profile with-smartcard prevents local users from accessing cron
Product: Red Hat Enterprise Linux 8
Component: authselect
Version: 8.5
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Type: Bug
Reporter: Orion Poplawski <orion>
Assignee: Pavel Březina <pbrezina>
QA Contact: Dan Lavu <dlavu>
CC: aboscatt, dlavu, sgadekar, sssd-qe
Target Milestone: rc
Keywords: Triaged
Flags: sgadekar: needinfo-, pm-rhel: mirror+
Fixed In Version: authselect-1.2.5-1.el8
Last Closed: 2022-11-08 10:51:16 UTC

Description Orion Poplawski 2022-03-30 20:05:09 UTC
Description of problem:

On EL8 with:

Profile ID: sssd
Enabled features:
- with-smartcard
- with-smartcard-lock-on-removal
- with-sudo
- with-custom-automount

A local user (tempmon uid 1000 in /etc/passwd) cannot access cron:

You (tempmon) are not allowed to access to (crontab) because of pam configuration.

pam_sssd:

[pam_reply] (0x0200): Returning [10]: User not known to the underlying authentication module to the client [CID #2872]


Version-Release number of selected component (if applicable):
authselect-1.2.2-3.el8.x86_64
sssd-2.5.2-2.el8_5.4.x86_64

Note that I have also switched the crond auth to system-auth per bug #2005526

Proposed fix upstream:
https://github.com/authselect/authselect/pull/301

Comment 1 Pavel Březina 2022-04-29 12:15:20 UTC
Thank you for the patch. Can you please confirm that this scratch build fixes the issue for you? (It is current 8.5 content with your patch applied).

https://pbrezina.fedorapeople.org/scratch/2070325/

Comment 2 Pavel Březina 2022-05-04 11:49:06 UTC
Pushed upstream:
- master 5cce90e58b663b5aa2915e263b7c9d0f86945b72
- 1.2.x 804b44ad4d3cea11026b08c86b66de02c95c15a3

Comment 4 Orion Poplawski 2022-05-06 19:22:18 UTC
It seems to resolve my particular issue.  Hopefully it doesn't break anything else :)

Comment 12 errata-xmlrpc 2022-11-08 10:51:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (authselect bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7738