Hello all. Just checking to see if anyone has any insight into the issue I describe
below. My searching hasn’t really brought me to a clear understanding of what is going on
here.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
On Dec 9, 2019, at 4:20 PM, Jones, Bob (rwj5d) via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hello all,
We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One
problem we are encountering is with usage of cron (and specifically crontab to edit/list
users' cron entries). We have HBAC enabled, and have crond as allowed in the list of
services users can access. If I perform an hbactest it shows users have access granted.
On the local system, we have the /etc/cron.allow file that just lists user root. I have
also tested with no cron.allow and cron.deny file existing. Users in IPA cannot issue the
crontab command; they get the following message:
You (user@ipa.domain.com) are not allowed to use this program (crontab)
See crontab(1) for more information
If we add the user user@ipa.domain.com to the /etc/cron.allow file then the user can run
the crontab command.
If you read the man page for crontab this is the correct described behavior in
conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in
the crond pam file to make sure the access.conf file is not interacting with any of this.
So I guess my questions are:
1. Is this the expected behavior for users in IPA that are granted access to the crond
service?
2. If so, what is the purpose of the crond service in IPA?
3. Is there a way to allow IPA users to use the crontab command without adding them to
local /etc/cron.[allow|deny] files?
Pertinent version details:
IPA servers on RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
389 directory server version 1.3.9.1-10
Clients on CentOS/RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
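
The cron.allow / cron.deny decision order that crontab(1) documents on RHEL/CentOS 7, modeled as an added shell example (not part of the original message and not crontab's own code). It assumes an exact whole-line match on the user name and identifies the superuser by the name root; the files are constructed in a scratch directory.

```shell
# Added illustration: models the documented cron.allow / cron.deny order.
# It reads only the two files passed in; it never calls crontab, PAM or IPA.
# Assumptions: whole-line exact name match; superuser identified by name.

# cron_file_decision USER ALLOW_FILE DENY_FILE -> prints "allowed: ..." or "denied: ..."
cron_file_decision() {
    local user="$1" allow="$2" deny="$3"
    if [ "$user" = "root" ]; then
        echo "allowed: superuser"
    elif [ -e "$allow" ]; then
        # cron.allow exists: the user must be listed; cron.deny is not consulted.
        if grep -Fxq -- "$user" "$allow"; then
            echo "allowed: listed in cron.allow"
        else
            echo "denied: not listed in cron.allow"
        fi
    elif [ -e "$deny" ]; then
        # Only cron.deny exists: the user must not be listed in it.
        if grep -Fxq -- "$user" "$deny"; then
            echo "denied: listed in cron.deny"
        else
            echo "allowed: not listed in cron.deny"
        fi
    else
        echo "denied: neither file exists, superuser only"
    fi
}

# Constructed walk-through of the cases from the message, in a scratch directory.
cron_demo() {
    local dir u='user@ipa.domain.com'
    dir=$(mktemp -d) || return 1
    printf 'root\n' > "$dir/cron.allow"
    echo "allow lists root only:  $(cron_file_decision "$u" "$dir/cron.allow" "$dir/cron.deny")"
    printf 'root\n%s\n' "$u" > "$dir/cron.allow"
    echo "allow lists full name:  $(cron_file_decision "$u" "$dir/cron.allow" "$dir/cron.deny")"
    printf 'root\nuser\n' > "$dir/cron.allow"
    echo "allow lists short name: $(cron_file_decision "$u" "$dir/cron.allow" "$dir/cron.deny")"
    rm -f "$dir/cron.allow"
    echo "neither file exists:    $(cron_file_decision "$u" "$dir/cron.allow" "$dir/cron.deny")"
    : > "$dir/cron.deny"
    echo "empty cron.deny only:   $(cron_file_decision "$u" "$dir/cron.allow" "$dir/cron.deny")"
    rm -rf "$dir"
}
cron_demo
```

Pointing the function at the real /etc/cron.allow and /etc/cron.deny with the name exactly as the crontab message prints it shows which branch of the file check applies on a given client.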