[Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client
Justean
justeank at yahoo.com
Fri Nov 14 20:37:07 UTC 2014
I have one other possibly related question though. I also get access denied errors in the logs for local service accounts running crons or other services on my IPA client servers:
pam_sss(crond:account):Access denied for user username: 10 (User not known to the underlying authentication module)
pam_sss(sshd:account): Access denied for user username: 10 (User not known to the underlying authentication module)
su: pam_sss(su-l:account): Access denied for user username: 10 (User not known to the underlying authentication module)
These crons still run but errors fill the logs. SInce I can't add an external user to an HBAC rule I am not sure how to rectify
From: Justean <justeank at yahoo.com>
To: Rob Crittenden <rcritten at redhat.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Friday, November 14, 2014 12:24 PM
Subject: Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client
Ahh, I got you. We do use hbac rules, I did not think I need to add crond as a service to allow because it isn't even in the list of services available but I see that I do have to just manually add the service. Thank you, it is working now
From: Rob Crittenden <rcritten at redhat.com>
To: Justean <justeank at yahoo.com>; "freeipa-users at redhat.com" <freeipa-users at redhat.com>
Sent: Friday, November 14, 2014 11:43 AM
Subject: Re: [Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client
Justean wrote:
> Our Redhat 5.10 servers that were moved into our IPA domain cannot run
> any IPA user's crons we can't even list the crons:
>
> crontab -l "you (/username/) are not allowed to access to (crontab)
> because of pam configuration"
>
> I don't know if I should be manually editing the
> /etc/pam.d/system-auth-ac and/or /etc/pam.d/crond to get this working
> and if so what I should put for the config.
>
> The client version is ipa-client-2.1.3-7.el5.x86_64 and the server
> version is ipa-server-3.0.0-42.el6.x86_64
I would suspect this is due to HBAC. Do you use the HBAC feature?
Perhaps you need to add rules for these hosts.
rob
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141114/67d36ca9/attachment.htm>
More information about the Freeipa-users
mailing list