Bug 869574
| Summary: | cron does not work for authorized ldap users | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | orglube <orglube> |
| Component: | pam | Assignee: | Tomas Mraz <tmraz> |
| Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 5.5 | Target Milestone: | rc |
| Hardware: | Unspecified | OS: | Linux |
| Doc Type: | Bug Fix | Type: | Bug |
| Last Closed: | 2013-10-31 10:31:21 UTC | | |
Description
orglube
2012-10-24 10:04:57 UTC
Have you tried to simply restart the crond? Do you see anything related in /var/log/secure?

(In reply to comment #1)
> Have you tried to simply restart the crond?

Yes: I have updated and restarted.

> Do you see anything related in /var/log/secure?

Yes, I see this:

    Oct 24 14:13:01 boxmax crond[8221]: pam_access(crond:account): access denied for user `john' from `cron'

Also, if I change in pam.d/system-auth this line:

    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

by this one:

    session [success=1 default=ignore] pam_succeed_if.so service in crond use_uid debug

I see the two following additional lines in /var/log/secure when john's cron job tries to execute:

    Oct 24 14:16:01 boxmax crond[8327]: pam_succeed_if(crond:session): 'service' resolves to 'crond'
    Oct 24 14:16:01 boxmax crond[8327]: pam_succeed_if(crond:session): requirement "service in crond" was met by user "root"

Could SELinux be causing this? Also what do you see in 'getent group network' output - is there the 'john' user?

Nevertheless this looks like rather a support case than a clear bug report. I don't see a real reason why the LDAP groups should not work with pam_access. Please see http://www.redhat.com/support/ and use the regular support channels to report the issue.

Thank you Tomas, first: john is well found in the list of "getent group network" output.

Maybe this additional information could help: I have configured my redhat6 servers in the same way, and I don't have any problem for users to execute cron. The only difference I see between RHEL6 and RHEL5 is that groups in access.conf must be declared using a different syntax. Under RHEL5 I must write this in access.conf:

    ...
    +:network:ALL
    ...

Under RHEL6 I must write this:

    ...
    +:(network):ALL
    ...

The second form is the correct one if I look into access.conf man pages: "To differentiate user entries from group entries, group entries should be written with brackets, e.g. (group)." But this syntax for groups doesn't work for me under redhat5, it only works (for login accesses at least) if I remove the parentheses.

This Bugzilla has been reviewed by Red Hat and is not planned on being addressed in Red Hat Enterprise Linux 5, and therefore will be closed. If this bug is critical to production systems, please contact your Red Hat support representative and provide sufficient business justification.
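A triage helper for the situation in this report, added here as an example (it is not code from the bug or from Red Hat): it ties each pam_access denial in /var/log/secure to the access.conf rules that name one of the denied user's groups, and says whether the group is written bare or as `(group)`. The log line is the one quoted above; the access.conf contents, the `getent group` output (gid, second member) and all function names are constructed assumptions.

```python
import re

# Constructed sample inputs: the log line is the one quoted in the report; the
# access.conf and getent contents are assumptions made up for this example.
SECURE_LOG = "Oct 24 14:13:01 boxmax crond[8221]: pam_access(crond:account): access denied for user `john' from `cron'\n"
ACCESS_CONF = "# constructed\n+:root:ALL\n+:network:ALL\n-:ALL:ALL\n"
GETENT_GROUP = "network:*:5000:john,mary\n"

DENIAL = re.compile(r"pam_access\((?P<service>[^:]+):(?P<type>\w+)\): access denied "
                    r"for user `(?P<user>[^']+)' from `(?P<origin>[^']+)'")

def parse_denials(log_text):
    """One dict (service, type, user, origin) per pam_access denial line."""
    return [m.groupdict() for m in DENIAL.finditer(log_text)]

def parse_access_conf(conf_text):
    """Return (lineno, permission, user tokens, origin tokens) per rule."""
    rules = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) == 3 and parts[0] in ("+", "-"):
            rules.append((lineno, parts[0], parts[1].split(), parts[2].split()))
    return rules

def parse_getent_group(text):
    """Map user -> set of groups from 'getent group' lines (name:pw:gid:members)."""
    members = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 4:
            for user in filter(None, fields[3].split(",")):
                members.setdefault(user.strip(), set()).add(fields[0])
    return members

def group_rules_for_denied(log_text, conf_text, getent_text):
    """List access.conf rules that name a group of each denied user, with the form used."""
    members = parse_getent_group(getent_text)
    rules = parse_access_conf(conf_text)
    hits = []
    for d in parse_denials(log_text):
        for lineno, perm, users, _origins in rules:
            for tok in users:
                bare = tok[1:-1] if tok.startswith("(") and tok.endswith(")") else tok
                if bare in members.get(d["user"], set()):
                    form = "(group)" if bare != tok else "bare"
                    hits.append((d["user"], d["service"], lineno, perm, tok, form))
    return hits

if __name__ == "__main__":
    for hit in group_rules_for_denied(SECURE_LOG, ACCESS_CONF, GETENT_GROUP):
        print("user=%s service=%s access.conf:%d %s:%s written as %s" % hit)
```

The output only narrows down which rule and which group syntax apply to the denied user; it does not model how a given pam_access version evaluates that rule.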