On Mon, Dec 09, 2019 at 09:20:13PM +0000, Jones, Bob (rwj5d) via FreeIPA-users wrote:
Hello all,
We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One
problem we are encountering is with usage of cron (and specifically crontab to edit/list
users' cron entries). We have HBAC enabled, and have crond as allowed in the list of
services users can access. If I perform a hbactest it shows users have access granted.
On the local system, we have the /etc/cron.allow file that just lists user root. I have
also tested with no cron.allow and cron.deny file existing. Users in IPA cannot issue the
crontab command; they get the following message:
You (user(a)ipa.domain.com) are not allowed to use this program (crontab)
See crontab(1) for more information
If we add the user user(a)ipa.domain.com to the /etc/cron.allow file then the user can run
the crontab command.
If you read the man page for crontab this is the correct described behavior in
conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in
the crond pam file to make sure the access.conf file is not interacting with any of this.
So I guess my questions are:
1. Is this the expected behavior for users in IPA that are granted access to the crond
service?
Yes, by default the HBAC rules allow access to all services.
2. If so, what is the purpose of the crond service in IPA?
You can control it similarly to the way pam_access.so does it, only that the
PAM module here is pam_sss.so. Instead of managing
/etc/security/access.conf locally on every host you can create HBAC
rules in the IPA server to allow access to some users and groups and
deny access to anyone else.
3. Is there a way to allow IPA users to use the crontab command without adding them to
local /etc/cron.[allow|deny] files?
As long as you use /etc/cron.allow you have to add them to
/etc/cron.allow as well. If you only use /etc/cron.deny and
/etc/cron.allow does not exist all IPA users can do cron (as long as
they are not listed in /etc/cron.deny).
HTH
bye,
Sumit
Pertinent version details:
IPA servers on RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
389 directory server version 1.3.9.1-10
Clients on CentOS/RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
Thanks,
--
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
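The cron.allow / cron.deny decision that the reply walks through, as an added example that is not part of the thread: a small POSIX sh model of the crontab(1) access check, run against constructed files so each case (cron.allow listing only root, cron.allow absent, neither file) can be verified without touching /etc. It assumes "(a)" in the archived message is the list's rendering of "@", and treats the neither-file case as a parameter because crontab(1) calls that outcome site-dependent.

```shell
#!/bin/sh
# Added example, not code from the thread: models the crontab(1) access
# decision so the cron.allow / cron.deny cases can be checked against
# constructed files instead of the real /etc/cron.allow.
#
# cron_access USER ALLOW_FILE DENY_FILE [DEFAULT]
#   exit 0 = user may run crontab; exit 1 = "not allowed to use this program"
#   DEFAULT (allow|deny) applies when neither file exists; crontab(1) says
#   this is site-dependent, so it is a parameter here rather than a guess.
cron_access() {
    user=$1 allow=$2 deny=$3 default=${4:-deny}
    # root is always allowed
    [ "$user" = root ] && return 0
    if [ -f "$allow" ]; then
        # cron.allow exists: only users listed in it (one per line) get in.
        # This is why the IPA user had to be added even though HBAC grants crond.
        if grep -qxF -- "$user" "$allow"; then return 0; else return 1; fi
    fi
    if [ -f "$deny" ]; then
        # no cron.allow, cron.deny exists: everyone not listed in cron.deny gets in
        if grep -qxF -- "$user" "$deny"; then return 1; else return 0; fi
    fi
    [ "$default" = allow ]
}

# Stand-alone demo on constructed files mirroring the thread's setup.
demo() {
    d=$(mktemp -d)
    printf 'root\n' > "$d/cron.allow"   # the original /etc/cron.allow (root only)
    : > "$d/cron.deny"                   # an empty cron.deny, as shipped on RHEL 7
    for u in root user@ipa.domain.com; do
        if cron_access "$u" "$d/cron.allow" "$d/cron.deny"; then v=allowed; else v=denied; fi
        printf 'cron.allow=root only: %-22s %s\n' "$u" "$v"
        if cron_access "$u" "$d/missing" "$d/cron.deny"; then v=allowed; else v=denied; fi
        printf 'cron.allow absent:    %-22s %s\n' "$u" "$v"
    done
    rm -rf "$d"
}
demo
```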
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org