Bug 869574 - cron does not work for authorized ldap users
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Assigned To: Tomas Mraz
BaseOS QE Security Team
Reported: 2012-10-24 06:04 EDT by orglube
Modified: 2013-10-31 06:31 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-10-31 06:31:21 EDT
Type: Bug

Description orglube 2012-10-24 06:04:57 EDT
Version-Release number of selected component (if applicable):

cat /etc/issue
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

# rpm -qa pam

# rpm -qa | grep cron

Description of problem: 

I have deployed and configured sssd/openldap/pam
to authenticate users when they log on to my servers.

I have configured pam to provide access to users
on the machines based on posixgroup membership, for
example members of the ldap posixgroup "network" are
granted everything from everywhere:

Extract from access.conf:




That works properly: if "john" is a member of ldap
posixgroup "network", then login access is granted.

The problem is that john can't execute any cron job:

<john>$ crontab -l

Autorisation refusé
You (john) are not allowed to access to (crontab) because of pam configuration.

Since john had cronjobs before sssd authentication
was installed, here is what I get in the cron logs:

# tail -f /var/log/cron
Oct 23 14:35:01 boxmax crond[30085]: Autorisation refused
Oct 23 14:35:01 boxmax crond[30085]: CRON (john) ERROR: failed to open
PAM security session: Mauvais descripteur de fichier
Oct 23 14:35:01 boxmax crond[30085]: CRON (john) ERROR: cannot set
security context

If I add john explicitly in access.conf:




Then john is now authorized to execute cron jobs
(but I don't want to have to deal with authorizations
 with individual rules on each machine!)

Here is the "boxmax" configuration:

# cat /etc/issue
Red Hat Enterprise Linux Server release 5.5 (Tikanga)

Here is also my pam.d config for crond:

# cat /etc/pam.d/crond

# The PAM configuration file for the cron daemon
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

Comment 1 Tomas Mraz 2012-10-24 06:52:33 EDT
Have you tried to simply restart the crond?
Do you see anything related in /var/log/secure?
Comment 2 orglube 2012-10-24 08:20:05 EDT
(In reply to comment #1)

> Have you tried to simply restart the crond?

Yes: I have updated and restarted.

> Do you see anything related in /var/log/secure?

Yes, I see this:
Oct 24 14:13:01 boxmax crond[8221]: pam_access(crond:account): access denied for user `john' from `cron'

Also, if I change this line in pam.d/system-auth

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

to this one:

session     [success=1 default=ignore] pam_succeed_if.so service in crond use_uid debug

I see the following two additional lines in /var/log/secure when john's cron job tries to execute:

Oct 24 14:16:01 boxmax crond[8327]: pam_succeed_if(crond:session): 'service' resolves to 'crond'
Oct 24 14:16:01 boxmax crond[8327]: pam_succeed_if(crond:session): requirement "service in crond" was met by user "root"
Comment 3 Tomas Mraz 2012-10-24 08:54:16 EDT
Could SELinux be causing this? Also, what do you see in the 'getent group network' output - is the 'john' user there?

Nevertheless, this looks more like a support case than a clear bug report. I don't see a real reason why the LDAP groups should not work with pam_access.

Please see http://www.redhat.com/support/ and use the regular support channels to report the issue.
Comment 4 orglube 2012-10-24 10:54:23 EDT
Thank you Tomas,

First: john is indeed found in the "getent group network" output.

Maybe this additional information could help:

I have configured my redhat6 servers in the same way, and I don't
have any problem for users to execute cron.

The only difference I see between RHEL6 and RHEL5 is that groups
in access.conf must be declared using a different syntax. Under
RHEL5 I must write this in access.conf:




Under RHEL6 I must write this:




The second form is the correct one if I look at the access.conf man page:

To differentiate user entries from group entries, group entries should be written with brackets, e.g. (group).

But this syntax for groups doesn't work for me under redhat5; it
only works (for login accesses at least) if I remove the parentheses.
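The group-syntax difference described in comment 4, as an added example that is not part of this report or of pam_access itself: a small Python model of pam_access's first-match evaluation, with the "(group)" syntax and the bare-group fallback as switches, run against constructed access.conf rules (the reporter's extracts are not reproduced above) and a constructed group table standing in for getent. The origin "cron" is the value pam_access logged in the /var/log/secure denial quoted in comment 2.

```python
"""Model of pam_access access.conf evaluation (constructed example).

A line is "permission : users : origins". pam_access acts on the first line
whose users AND origins fields both match: '+' grants, '-' denies. With no
matching line access is granted. EXCEPT clauses and netgroups are omitted.
"""

# Constructed stand-in for what 'getent group' would return from LDAP.
GROUPS = {"network": ["john", "alice"], "wheel": ["root"]}

def token_matches_user(token, user, groups, bracket_groups, bare_group_fallback):
    """Match one users-field token against `user`.
    bracket_groups      -- honour the "(group)" syntax from the man page.
    bare_group_fallback -- treat a bare token that is not the user name as a
                           group name (the spelling that works for the reporter).
    """
    if token == "ALL" or token == user:
        return True
    if token.startswith("(") and token.endswith(")"):
        return bracket_groups and user in groups.get(token[1:-1], ())
    return bare_group_fallback and user in groups.get(token, ())

def token_matches_origin(token, origin):
    # crond hands pam_access the origin "cron" (the `from `cron'` in the
    # /var/log/secure line); ALL matches any origin.
    return token == "ALL" or token == origin

def evaluate(access_conf, user, origin, groups=GROUPS,
             bracket_groups=True, bare_group_fallback=False):
    """Return True if `user` arriving from `origin` is granted access."""
    for raw in access_conf.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":", 2)]
        if len(fields) != 3:
            continue  # blank, comment-only or malformed line
        perm, users, origins = fields
        user_ok = any(token_matches_user(t, user, groups, bracket_groups,
                                         bare_group_fallback) for t in users.split())
        origin_ok = any(token_matches_origin(t, origin) for t in origins.split())
        if user_ok and origin_ok:
            return perm == "+"
    return True  # no matching line: pam_access grants

# The two spellings from comment 4, each followed by a constructed deny-all line.
BARE_GROUP_CONF = "+ : network : ALL\n- : ALL : ALL\n"
BRACKET_GROUP_CONF = "+ : (network) : ALL\n- : ALL : ALL\n"

if __name__ == "__main__":
    old = dict(bracket_groups=False, bare_group_fallback=True)  # RHEL5-like, per the reporter
    print(evaluate(BARE_GROUP_CONF, "john", "cron", **old))     # True
    print(evaluate(BRACKET_GROUP_CONF, "john", "cron", **old))  # False: "(network)" read literally
```

Under the RHEL5-like switches the bracketed token is compared literally against the user name and never matches, so evaluation falls through to the deny-all line; with the bracket syntax enabled the same rule grants.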
Comment 5 Tomas Mraz 2013-10-31 06:31:21 EDT
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business
