On Thu, 12 Dec 2019, Jones, Bob (rwj5d) via FreeIPA-users wrote:
> Hello all. Just checking to see if anyone has any insight into the
> issue I describe below. My searching hasn’t really brought me to a
> clear understanding of what is going on here.

Hi Bob,

We have most of the developers right now attending a Red Hat-hosted hackfest
in Washington, D.C., so people are busy and do not have much time to
respond. I myself will be back by next week and hopefully be able to
process freeipa-users@ enquiries by next week.

Not an answer that you are probably expecting, but hopefully this would
clear up why there have been no responses so far.

> Thanks,
> —
> Bob Jones
> Lead Linux Services Engineer
> ITS ECP - Linux Services
> On Dec 9, 2019, at 4:20 PM, Jones, Bob (rwj5d) via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hello all,
>
> We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One problem we are encountering is with usage of cron (and specifically crontab to edit/list users' cron entries). We have HBAC enabled, and have crond as allowed in the list of services users can access. If I perform an hbactest it shows users have access granted.
>
> On the local system, we have the /etc/cron.allow file that just lists user root. I have also tested with no cron.allow and cron.deny file existing. Users in IPA cannot issue the crontab command; they get the following message:
>
> You (user(a)ipa.domain.com) are not allowed to use this program (crontab)
> See crontab(1) for more information
>
> If we add the user user(a)ipa.domain.com to the /etc/cron.allow file then the user can run the crontab command.
>
> If you read the man page for crontab, this is the correctly described behavior in conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in the crond pam file to make sure the access.conf file is not interacting with any of this. So I guess my questions are:
>
> 1. Is this the expected behavior for users in IPA that are granted access to the crond service?
>
> 2. If so, what is the purpose of the crond service in IPA?
>
> 3. Is there a way to allow IPA users to use the crontab command without adding them to local /etc/cron.[allow|deny] files?
>
> Pertinent version details:
>
> IPA servers on RHEL 7.7:
> IPA VERSION: 4.6.5, API_VERSION: 2.231
> sssd version 1.16.4
> 389 directory server version 1.3.9.1-10
>
> Clients on CentOS/RHEL 7.7:
> IPA VERSION: 4.6.5, API_VERSION: 2.231
> sssd version 1.16.4
>
> Thanks,
> —
> Bob Jones
> Lead Linux Services Engineer
> ITS ECP - Linux Services
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
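
The quoted question turns on the cron.allow / cron.deny rule from crontab(1), which is a local file check on the host and separate from the HBAC decision for the crond service. The sketch below is an added example, not part of the thread and not FreeIPA or cron code: `cron_file_verdict` is a hypothetical helper for a non-root user, the temporary files are constructed, and it assumes a user matches only when a whole line of the file equals the name.

```shell
#!/bin/sh
# Added example (not from the thread): the cron.allow / cron.deny rule
# documented in crontab(1), evaluated for a non-root user.
# Assumption: a user matches only when a whole line equals the name.

# cron_file_verdict USER [ALLOW_FILE] [DENY_FILE]
# Prints the reason; returns 0 if the files permit crontab use, 1 if not.
cron_file_verdict() {
    user=$1
    allow=${2:-/etc/cron.allow}
    deny=${3:-/etc/cron.deny}

    if [ -f "$allow" ]; then
        # cron.allow exists: the user must be listed; cron.deny is not consulted.
        if grep -Fxq -- "$user" "$allow"; then
            echo "allowed: listed in $allow"; return 0
        fi
        echo "denied: not listed in $allow"; return 1
    fi
    if [ -f "$deny" ]; then
        # Only cron.deny exists: the user must not be listed.
        if grep -Fxq -- "$user" "$deny"; then
            echo "denied: listed in $deny"; return 1
        fi
        echo "allowed: not listed in $deny"; return 0
    fi
    # Neither file exists: only the superuser may use crontab.
    echo "denied: no cron.allow or cron.deny, superuser only"; return 1
}

# Constructed demo: the thread's setup, where cron.allow lists only root.
demo() {
    d=$(mktemp -d) || return 1
    printf 'root\n' > "$d/cron.allow"
    cron_file_verdict 'user@ipa.domain.com' "$d/cron.allow" "$d/cron.deny" || true
    printf 'user@ipa.domain.com\n' >> "$d/cron.allow"
    cron_file_verdict 'user@ipa.domain.com' "$d/cron.allow" "$d/cron.deny" || true
    rm -rf "$d"
}
demo
```

Run against the real `/etc/cron.allow` and `/etc/cron.deny` by passing only the user name, using the name exactly as the host resolves it.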