3:20 p.m.
Hello all,
We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One
problem we are encountering is with usage of cron (and specifically crontab to edit/list
users cron entries). We have HBAC enabled, and have crond as allowed in the list of
services users can access. If I perform a hbactest it shows users have access granted.
On the local system, we have the /etc/cron.allow file that just lists user root. I have
also test with no cron.allow and cron.deny file existing. Users in IPA cannot issue the
crontab command, they get the following message:
You (user(a)ipa.domain.com) are not allowed to use this program (crontab)
See crontab(1) for more information
If we add the user user(a)ipa.domain.com to the /etc/cron.allow file then the user can run
the crontab command.
If you read the man page for crontab this is the correct described behavior in conjunction
with the cron.[allow|deny] files. I have also commented out pam_access.so in the crond
pam file to make sure the access.conf file is not interacting with any of this. So I
guess my questions are:
1. Is this the expected behavior for users in IPA that are granted access to the crond
service?
2. If so, what is the purpose of the crond service in IPA?
3. Is there a way to allow IPA users to use the crontab command without adding them to
local /etc/cron.[allow|deny] files?
Pertinent version details:
IPA servers on RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
389 directory server version 1.3.9.1-10
Clients on CentOS/RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
7:24 a.m.
New subject: Crontab not being allowed when using FreeIPA, so what is purpose of crond HBAC service?
Hello all. Just checking to see if anyone has any insight into the issue I describe
below. My searching hasn’t really brought me to a clear understanding of what is going on
here.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
On Dec 9, 2019, at 4:20 PM, Jones, Bob (rwj5d) via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hello all,
We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One
problem we are encountering is with usage of cron (and specifically crontab to edit/list
users cron entries). We have HBAC enabled, and have crond as allowed in the list of
services users can access. If I perform a hbactest it shows users have access granted.
On the local system, we have the /etc/cron.allow file that just lists user root. I have
also test with no cron.allow and cron.deny file existing. Users in IPA cannot issue the
crontab command, they get the following message:
You (user(a)ipa.domain.com) are not allowed to use this program (crontab)
See crontab(1) for more information
If we add the user user(a)ipa.domain.com to the /etc/cron.allow file then the user can run
the crontab command.
If you read the man page for crontab this is the correct described behavior in
conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in
the crond pam file to make sure the access.conf file is not interacting with any of this.
So I guess my questions are:
1. Is this the expected behavior for users in IPA that are granted access to the crond
service?
2. If so, what is the purpose of the crond service in IPA?
3. Is there a way to allow IPA users to use the crontab command without adding them to
local /etc/cron.[allow|deny] files?
Pertinent version details:
IPA servers on RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
389 directory server version 1.3.9.1-10
Clients on CentOS/RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
8:38 a.m.
New subject: Crontab not being allowed when using FreeIPA, so what is purpose of crond HBAC service?
On to, 12 joulu 2019, Jones, Bob (rwj5d) via FreeIPA-users wrote:
Hello all. Just checking to see if anyone has any insight into the
issue I describe below. My searching hasn’t really brought me to a
clear understanding of what is going on here.
Hi Bob,
we have most of developers right now attending a Red Hat-hosted hackfest
in Washington, D.C., so people are busy and have not much time to
respond. I myself will be back by next week and hopefully be able to
process freeipa-users@ enquiries by next week.
Not an answer that you are probably expecting but hopefully this would
clean up why no responses so far.
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
> On Dec 9, 2019, at 4:20 PM, Jones, Bob (rwj5d) via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
> Hello all,
>
> We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA.
One problem we are encountering is with usage of cron (and specifically crontab to
edit/list users cron entries). We have HBAC enabled, and have crond as allowed in the
list of services users can access. If I perform a hbactest it shows users have access
granted.
>
> On the local system, we have the /etc/cron.allow file that just lists user root. I
have also test with no cron.allow and cron.deny file existing. Users in IPA cannot issue
the crontab command, they get the following message:
>
> You (user(a)ipa.domain.com) are not allowed to use this program (crontab)
> See crontab(1) for more information
>
> If we add the user user(a)ipa.domain.com to the /etc/cron.allow file then the user can
run the crontab command.
>
> If you read the man page for crontab this is the correct described behavior in
conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in
the crond pam file to make sure the access.conf file is not interacting with any of this.
So I guess my questions are:
>
> 1. Is this the expected behavior for users in IPA that are granted access to the
crond service?
>
> 2. If so, what is the purpose of the crond service in IPA?
>
> 3. Is there a way to allow IPA users to use the crontab command without adding them
to local /etc/cron.[allow|deny] files?
>
> Pertinent version details:
>
> IPA servers on RHEL 7.7:
> IPA VERSION: 4.6.5, API_VERSION: 2.231
> sssd version 1.16.4
> 389 directory server version 1.3.9.1-10
>
> Clients on CentOS/RHEL 7.7:
> IPA VERSION: 4.6.5, API_VERSION: 2.231
> sssd version 1.16.4
>
> Thanks,
> —
> Bob Jones
> Lead Linux Services Engineer
> ITS ECP - Linux Services
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
9:09 a.m.
New subject: Crontab not being allowed when using FreeIPA, so what is purpose of crond HBAC service?
On Mon, Dec 09, 2019 at 09:20:13PM +0000, Jones, Bob (rwj5d) via FreeIPA-users wrote:
Hello all,
We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One
problem we are encountering is with usage of cron (and specifically crontab to edit/list
users cron entries). We have HBAC enabled, and have crond as allowed in the list of
services users can access. If I perform a hbactest it shows users have access granted.
On the local system, we have the /etc/cron.allow file that just lists user root. I have
also test with no cron.allow and cron.deny file existing. Users in IPA cannot issue the
crontab command, they get the following message:
You (user(a)ipa.domain.com) are not allowed to use this program (crontab)
See crontab(1) for more information
If we add the user user(a)ipa.domain.com to the /etc/cron.allow file then the user can run
the crontab command.
If you read the man page for crontab this is the correct described behavior in
conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in
the crond pam file to make sure the access.conf file is not interacting with any of this.
So I guess my questions are:
1. Is this the expected behavior for users in IPA that are granted access to the crond
service?
Yes, by default the HABC rules allow access to all services.
2. If so, what is the purpose of the crond service in IPA?
You can control similar to the way pam_access.so does it only that the
PAM module here is pam_sss.so. Instead of managing
/etc/security/access.conf locally on every host you can create HABC
rules in the IPA server to allow access to some users and groups dan
deny access to anyone else.
3. Is there a way to allow IPA users to use the crontab command without adding them to
local /etc/cron.[allow|deny] files?
As long as you use /etc/cron.allow you have to add them to
/etc/cron.allow as well. If you only use /etc/cron.deny and
/etc/cron.allow does not exist all IPA users can do cron (as long as
they are not listed in /etc/cron.deny).
HTH
bye,
Sumit
Pertinent version details:
IPA servers on RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
389 directory server version 1.3.9.1-10
Clients on CentOS/RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1597
days inactive
1600
days old
freeipa-users@lists.fedorahosted.org
3 comments
3 participants
participants (3)
-
Alexander Bokovoy -
Jones, Bob (rwj5d) -
Sumit Bose