Bug 869574

Summary: cron does not work for authorized ldap users
Product: Red Hat Enterprise Linux 5
Component: pam
Version: 5.5
Reporter: orglube <orglube>
Assignee: Tomas Mraz <tmraz>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Type: Bug
Doc Type: Bug Fix
Last Closed: 2013-10-31 10:31:21 UTC

Description orglube 2012-10-24 10:04:57 UTC
Version-Release number of selected component (if applicable):

cat /etc/issue
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

# rpm -qa pam
pam-0.99.6.2-6.el5_5.2

# rpm -qa | grep cron
crontabs-1.10-8
vixie-cron-4.1-81.el5
anacron-2.3-45.el5

Description of problem: 

I have deployed and configured sssd/openldap/pam
to authenticate users when they log on to my servers.

I have configured pam to provide access to users
on the machines based on posixgroup membership; for
example, members of the ldap posixgroup "network" are
granted everything from everywhere:

Extract from access.conf:

...

+:network:ALL

...

That works properly: if "john" is a member of ldap
posixgroup "network", then login access is granted.

The problem is that john can't execute any cron job:

<john>$ crontab -l

Autorisation refusé
You (john) are not allowed to access to (crontab) because of pam configuration.

Since john had cron jobs before sssd authentication
was installed, here is what I get in the cron logs:

# tail -f /var/log/cron
...
Oct 23 14:35:01 boxmax crond[30085]: Autorisation refused
Oct 23 14:35:01 boxmax crond[30085]: CRON (john) ERROR: failed to open
PAM security session: Mauvais descripteur de fichier
Oct 23 14:35:01 boxmax crond[30085]: CRON (john) ERROR: cannot set
security context


If I add john explicitly in access.conf:

...

+:john:ALL

...

Then john is authorized to execute cron jobs
(but I don't want to have to deal with authorizations
 with individual rules on each machine!)


Here is the "boxmax" configuration:

# cat /etc/issue
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

Here is also my pam.d config for crond:

# cat /etc/pam.d/crond

#
# The PAM configuration file for the cron daemon
#
#
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

Comment 1 Tomas Mraz 2012-10-24 10:52:33 UTC
Have you tried to simply restart the crond?
Do you see anything related in /var/log/secure?

Comment 2 orglube 2012-10-24 12:20:05 UTC
(In reply to comment #1)

> Have you tried to simply restart the crond?

Yes: I have updated and restarted.

> Do you see anything related in /var/log/secure?

Yes, I see this:
Oct 24 14:13:01 boxmax crond[8221]: pam_access(crond:account): access denied for user `john' from `cron'

Also, if I change this line in pam.d/system-auth

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

to this one:

session     [success=1 default=ignore] pam_succeed_if.so service in crond use_uid debug

I see the following two additional lines in /var/log/secure when john's cron job tries to execute:

Oct 24 14:16:01 boxmax crond[8327]: pam_succeed_if(crond:session): 'service' resolves to 'crond'
Oct 24 14:16:01 boxmax crond[8327]: pam_succeed_if(crond:session): requirement "service in crond" was met by user "root"

Comment 3 Tomas Mraz 2012-10-24 12:54:16 UTC
Could SELinux be causing this? Also, what do you see in the 'getent group network' output - is the 'john' user there?

Nevertheless, this looks more like a support case than a clear bug report. I don't see a real reason why the LDAP groups should not work with pam_access.

Please see http://www.redhat.com/support/ and use the regular support channels to report the issue.

Comment 4 orglube 2012-10-24 14:54:23 UTC
Thank you Tomas,

First: john is indeed found in the "getent group network" output.

Maybe this additional information could help:

I have configured my RHEL6 servers in the same way, and users
have no problem executing cron jobs there.

The only difference I see between RHEL6 and RHEL5 is that groups
in access.conf must be declared using a different syntax. Under
RHEL5 I must write this in access.conf:

...

+:network:ALL

...

Under RHEL6 I must write this:

...

+:(network):ALL

...

The second form is the correct one if I look at the access.conf man page:

"To differentiate user entries from group entries, group entries should be written with brackets, e.g. (group)."

But this syntax for groups doesn't work for me under RHEL5; it
only works (for login access at least) if I remove the parentheses.
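
A small model of the access.conf rule matching discussed in comments 2 to 4, added here as an example (it is not pam_access's own code): it assumes the man page semantics quoted above (bare name = user, `(name)` = group, `ALL` wildcard, first matching line wins), takes constructed `getent group` output, uses the origin `cron` seen in the /var/log/secure line, and models the RHEL5 bare-group behaviour the reporter observed with an explicit flag.

```python
from typing import Set

# Constructed sample `getent group` output (not from the reporter's systems):
# the LDAP posixgroup "network" lists john as a member.
GETENT_GROUP = """network:*:5000:john,alice
wheel:x:10:root
"""

def groups_of(user: str, getent_output: str) -> Set[str]:
    """Collect the groups that list `user` as a member, from getent-style lines."""
    groups = set()
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and user in fields[3].split(","):
            groups.add(fields[0])
    return groups

def token_matches(tok: str, user: str, groups: Set[str], bare_matches_groups: bool) -> bool:
    """Match one entry of the users field. Per the access.conf man page quoted in
    comment 4, '(name)' denotes a group and a bare name denotes a user; the
    bare_matches_groups flag models the RHEL5 behaviour the reporter observed,
    where a bare name such as 'network' also matched a group (an assumption)."""
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return tok[1:-1] in groups
    if tok == user:
        return True
    return bare_matches_groups and tok in groups

def access_decision(conf: str, user: str, origin: str, groups: Set[str],
                    bare_matches_groups: bool = False) -> str:
    """First matching 'permission:users:origins' line decides; returns
    'allow', 'deny' or 'no-rule'. EXCEPT clauses and LOCAL origins are not
    modelled, so keep rule sets to plain user/group/ALL tokens."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        user_ok = any(token_matches(t, user, groups, bare_matches_groups)
                      for t in users.split())
        origin_ok = any(o in ("ALL", origin) for o in origins.split())
        if user_ok and origin_ok:
            return "allow" if perm == "+" else "deny"
    return "no-rule"

if __name__ == "__main__":
    g = groups_of("john", GETENT_GROUP)
    for conf in ("+:network:ALL\n-:ALL:ALL\n", "+:(network):ALL\n-:ALL:ALL\n"):
        print(conf.splitlines()[0], "->", access_decision(conf, "john", "cron", g))
```

Under strict man page semantics the bare `+:network:ALL` line never matches john (it is read as a user name), which is the behaviour to expect on a system where only the `(group)` form denotes groups.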

Comment 5 Tomas Mraz 2013-10-31 10:31:21 UTC
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business
justification.