[Freeipa-users] user can't run crons after setting rhel 5 servers as ipa client

Alexander Bokovoy abokovoy at redhat.com
Fri Nov 14 22:01:50 UTC 2014


On Fri, 14 Nov 2014, Justean wrote:
>I have one other possibly related question though. I also get access
>denied errors in the logs for local service accounts running crons or
>other services on my IPA client servers:
>
>pam_sss(crond:account): Access denied for user username: 10 (User not
>known to the underlying authentication module)
>
>pam_sss(sshd:account): Access denied for user username: 10 (User not
>known to the underlying authentication module)
>
>su: pam_sss(su-l:account): Access denied for user username: 10 (User not
>known to the underlying authentication module)
>
>These crons still run but errors fill the logs. Since I can't add an
>external user to an HBAC rule I am not sure how to rectify.
These messages can safely be ignored.

PAM is a _stack_, multiple modules can be combined to serve together.
It is perfectly OK and even expected that some modules in the stack will
not make a decision as they don't know about the user in question.

The second value in brackets is the type of PAM stack. In the log above
you have account stack and indeed one of account modules has to succeed.

Most likely pam_sss is earlier than pam_unix.

You may see the reversed situation with pam_unix in the authentication
stack -- it will complain it doesn't know about users provided by SSSD.

However, it is all dependent on exact positioning of the modules in the
PAM stack.

-- 
/ Alexander Bokovoy

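The reply above explains that the pam_sss "User not known" line is a return value (PAM_USER_UNKNOWN, code 10) that the account stack's control flags may simply ignore, and that the outcome depends on where each module sits and what its control says. The following is an added example, not code from the list post, SSSD or FreeIPA: a small simulator of a Linux-PAM account stack that parses pam.d-style lines, expands the keyword controls (required, sufficient, ...) the way pam.conf(5) documents, and walks the stack with the impression/status logic the Linux-PAM dispatcher uses. The three stacks, the users "backup" (local) and "jdoe" (IPA) and the module behaviour are all constructed for the example: pam_unix is modelled as knowing every user NSS can resolve, pam_localuser as reading /etc/passwd only, and pam_sss as passing any known IPA user (HBAC evaluation is not modelled; pam_succeed_if is not modelled either).

```python
import re

# Linux-PAM return codes used by the modelled modules.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_USER_UNKNOWN = 0, 6, 10
RETVAL_NAME = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied",
               PAM_USER_UNKNOWN: "user_unknown"}

# Keyword controls expanded to [value=action] form, as in pam.conf(5).
KEYWORD = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def parse_stack(text, facility="account"):
    """Return [(control_dict, module)] for one facility of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if not m or m.group(1) != facility:
            continue
        ctl = m.group(2)
        ctl = KEYWORD[ctl] if ctl in KEYWORD else ctl.strip("[]")
        stack.append((dict(kv.split("=", 1) for kv in ctl.split()), m.group(3)))
    return stack


def make_modules(local_users, ipa_users, service, log):
    """Modelled account-phase behaviour (assumption, see lead-in).
    pam_sss appends the syslog-style line from the post when it does
    not know the user, exactly as the real module does."""
    def pam_unix(user):        # getpwnam() goes through NSS: files + sss
        return PAM_SUCCESS if user in local_users | ipa_users else PAM_USER_UNKNOWN

    def pam_localuser(user):   # /etc/passwd only
        return PAM_SUCCESS if user in local_users else PAM_PERM_DENIED

    def pam_sss(user):
        if user in ipa_users:
            return PAM_SUCCESS
        log.append("pam_sss(%s:account): Access denied for user %s: 10 "
                   "(User not known to the underlying authentication module)"
                   % (service, user))
        return PAM_USER_UNKNOWN

    return {"pam_unix.so": pam_unix, "pam_localuser.so": pam_localuser,
            "pam_sss.so": pam_sss, "pam_permit.so": lambda user: PAM_SUCCESS}


def run_account_stack(stack, user, modules):
    """Walk the stack the way the Linux-PAM dispatcher does."""
    UNDEF, POSITIVE, NEGATIVE = range(3)
    impression, status = UNDEF, PAM_SUCCESS
    for control, name in stack:
        retval = modules[name](user)
        # Unlisted return values fall to 'default'; with no default we treat
        # them as 'bad' (assumption; none of the sample stacks hit this).
        action = control.get(RETVAL_NAME[retval], control.get("default", "bad"))
        if action == "ignore":
            continue                       # module abstains, as pam_sss does here
        if action in ("ok", "done"):
            if impression == UNDEF or (impression == POSITIVE and status == PAM_SUCCESS):
                impression, status = POSITIVE, retval
            if action == "done" and impression == POSITIVE:
                return status              # 'sufficient' short-circuits the rest
        elif action in ("bad", "die"):
            if impression != NEGATIVE:
                impression, status = NEGATIVE, retval
            if action == "die":
                return status
        else:
            raise ValueError("action %r (reset / jump) not modelled" % action)
    return PAM_PERM_DENIED if impression == UNDEF else status


def simulate(config, user, service, local_users, ipa_users):
    """Return (final return code, pam_sss log lines) for one account check."""
    log = []
    modules = make_modules(local_users, ipa_users, service, log)
    return run_account_stack(parse_stack(config), user, modules), log


# Constructed stacks; the first mirrors the usual SSSD layout, the second
# a misconfiguration, the third short-circuits local users before pam_sss.
STACK_SSS_IGNORES_UNKNOWN = """
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""
STACK_SSS_REQUIRED = """
account     required      pam_unix.so broken_shadow
account     required      pam_sss.so
account     required      pam_permit.so
"""
STACK_LOCALUSER_FIRST = """
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""
LOCAL_USERS, IPA_USERS = {"backup"}, {"jdoe"}   # constructed accounts

if __name__ == "__main__":
    for label, cfg in (("user_unknown=ignore", STACK_SSS_IGNORES_UNKNOWN),
                       ("pam_sss required", STACK_SSS_REQUIRED),
                       ("pam_localuser first", STACK_LOCALUSER_FIRST)):
        for user in ("backup", "jdoe"):
            rv, log = simulate(cfg, user, "crond", LOCAL_USERS, IPA_USERS)
            verdict = "allowed" if rv == PAM_SUCCESS else "denied (%d)" % rv
            print("%-20s %-7s %s%s" % (label, user, verdict,
                                       "  logged: " + log[0] if log else ""))
```

Running it shows the three situations the reply describes: with `user_unknown=ignore` the local cron user is allowed and the pam_sss line is still logged (the module abstained, the stack did not deny); with pam_sss as a plain `required` module the same return code 10 becomes a denial; and with `sufficient pam_localuser.so` placed before pam_sss, local users never reach pam_sss at all, so nothing is logged for them while IPA users continue down the stack.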