[Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

Justean justeank at yahoo.com
Fri Nov 14 20:37:07 UTC 2014


I have one other possibly related question though. I also get access denied errors in the logs for local service accounts running crons or other services on my IPA client servers: 

pam_sss(crond:account):Access denied for user username: 10 (User not known to the underlying authentication module)

pam_sss(sshd:account): Access denied for user username: 10 (User not known to the underlying authentication module)
su: pam_sss(su-l:account): Access denied for user username: 10 (User not known to the underlying authentication module)

These crons still run but errors fill the logs. Since I can't add an external user to an HBAC rule, I am not sure how to rectify.

From: Justean <justeank at yahoo.com>
To: Rob Crittenden <rcritten at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Friday, November 14, 2014 12:24 PM
Subject: Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

Ahh, I got you. We do use HBAC rules. I did not think I needed to add crond as a service to allow because it isn't even in the list of services available, but I see that I do have to just manually add the service. Thank you, it is working now.

From: Rob Crittenden <rcritten at redhat.com>
To: Justean <justeank at yahoo.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Friday, November 14, 2014 11:43 AM
Subject: Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

Justean wrote:


> Our Red Hat 5.10 servers that were moved into our IPA domain cannot run
> any IPA user's crons; we can't even list the crons:
> 
> crontab -l "you (/username/) are not allowed to access to (crontab)
> because of pam configuration"
> 
> I don't know if I should be manually editing the
> /etc/pam.d/system-auth-ac and/or /etc/pam.d/crond to get this working
> and if so what I should put for the config.
> 
> The client version is ipa-client-2.1.3-7.el5.x86_64 and the server
> version is ipa-server-3.0.0-42.el6.x86_64

I would suspect this is due to HBAC. Do you use the HBAC feature?
Perhaps you need to add rules for these hosts.

rob
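
An added example, not part of the original thread: a small triage script for the pam_sss "Access denied" lines quoted above. It separates status 10 entries for accounts that exist in the local passwd file (the log noise described for local service accounts) from status 6 entries, which is assumed here to be what pam_sss logs when an HBAC rule refuses access. The function names, host name, user names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Linux-PAM status codes as they appear in the pam_sss message
PAM_PERM_DENIED = 6    # account known to SSSD, access refused (assumed: HBAC)
PAM_USER_UNKNOWN = 10  # account not found in the SSSD domain

LINE_RE = re.compile(
    r"pam_sss\((?P<service>[^:()]+):account\):\s*Access denied for user "
    r"(?P<user>\S+): (?P<code>\d+) \("
)

def local_accounts(passwd_text):
    """Return the user names defined in passwd-format text."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line and not line.startswith("#")}

def triage(log_lines, local_users):
    """Count denials per (PAM service, user) in three buckets.

    hbac:  status 6, candidates for a missing HBAC rule or HBAC service
    noise: status 10 for a local account, as with the local cron users above
    other: anything else, e.g. status 10 for a name that is not local either
    """
    hbac, noise, other = Counter(), Counter(), Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["service"], m["user"])
        code = int(m["code"])
        if code == PAM_PERM_DENIED:
            hbac[key] += 1
        elif code == PAM_USER_UNKNOWN and m["user"] in local_users:
            noise[key] += 1
        else:
            other[key] += 1
    return hbac, noise, other

# Constructed sample input (not taken from a real system)
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsvc_backup:x:501:501::/home/svc_backup:/bin/bash\n"
SAMPLE_LOG = [
    "Nov 14 12:00:01 client1 crond[2101]: pam_sss(crond:account):Access denied for user svc_backup: 10 (User not known to the underlying authentication module)",
    "Nov 14 12:01:01 client1 crond[2140]: pam_sss(crond:account): Access denied for user svc_backup: 10 (User not known to the underlying authentication module)",
    "Nov 14 12:02:13 client1 sshd[2203]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)",
    "Nov 14 12:03:40 client1 su: pam_sss(su-l:account): Access denied for user bob: 10 (User not known to the underlying authentication module)",
]

if __name__ == "__main__":
    for name, bucket in zip(("hbac", "noise", "other"),
                            triage(SAMPLE_LOG, local_accounts(SAMPLE_PASSWD))):
        print(name, dict(bucket))
```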



   

   