Hello all,
We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One problem we are encountering is with usage of cron (and specifically crontab to edit/list users cron entries). We have HBAC enabled, and have crond as allowed in the list of services users can access. If I perform a hbactest it shows users have access granted.
On the local system, we have the /etc/cron.allow file that just lists user root. I have also tested with no cron.allow and cron.deny file existing. Users in IPA cannot issue the crontab command, they get the following message:
You (user@ipa.domain.com) are not allowed to use this program (crontab)
See crontab(1) for more information
If we add the user user@ipa.domain.com to the /etc/cron.allow file then the user can run the crontab command.
If you read the man page for crontab this is the correct described behavior in conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in the crond pam file to make sure the access.conf file is not interacting with any of this. So I guess my questions are:
1. Is this the expected behavior for users in IPA that are granted access to the crond service?
2. If so, what is the purpose of the crond service in IPA?
3. Is there a way to allow IPA users to use the crontab command without adding them to local /etc/cron.[allow|deny] files?
Pertinent version details:
IPA servers on RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
389 directory server version 1.3.9.1-10
Clients on CentOS/RHEL 7.7:
IPA VERSION: 4.6.5, API_VERSION: 2.231
sssd version 1.16.4
Thanks,
—
Bob Jones
Lead Linux Services Engineer
ITS ECP - Linux Services
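Added example, not part of the original post: a small POSIX shell function that reproduces the crontab(1) allow/deny decision described in the man page, so an administrator can audit which accounts a host will let run crontab before looking at IPA/HBAC. It assumes (as the post does not state) that root is always allowed, and because the man page calls the "neither file exists" case site-dependent, that case is passed in as a policy argument rather than hard-coded. The file contents below are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit the crontab(1)
# cron.allow / cron.deny decision for a given user.
#
# Assumptions (not stated in the post):
#   - root is always allowed;
#   - when neither file exists the result is site-dependent (crontab(1)),
#     so the caller supplies the policy: "root-only" or "all".

# cron_allowed USER ALLOW_FILE DENY_FILE DEFAULT_POLICY
# Prints "allowed" or "denied".
cron_allowed() {
    user=$1; allow=$2; deny=$3; policy=$4
    if [ "$user" = root ]; then echo allowed; return 0; fi
    if [ -f "$allow" ]; then
        # cron.allow exists: only users listed in it (one per line) may use crontab.
        # -F: fixed string (usernames such as user@ipa.domain.com contain '.'),
        # -x: whole-line match, -q: quiet.
        if grep -qxF "$user" "$allow"; then echo allowed; else echo denied; fi
    elif [ -f "$deny" ]; then
        # No cron.allow but cron.deny exists: everyone not listed may use crontab.
        if grep -qxF "$user" "$deny"; then echo denied; else echo allowed; fi
    else
        # Neither file exists: site-dependent, so apply the supplied policy.
        if [ "$policy" = all ]; then echo allowed; else echo denied; fi
    fi
    return 0
}

# Constructed demo: a temporary directory standing in for /etc, holding a
# cron.allow that lists only root, as in the post.
demo=$(mktemp -d)
printf 'root\n' > "$demo/cron.allow"
for u in root user@ipa.domain.com; do
    printf '%-22s %s\n' "$u" "$(cron_allowed "$u" "$demo/cron.allow" "$demo/cron.deny" root-only)"
done
# The workaround from the post: add the IPA user to cron.allow.
printf 'user@ipa.domain.com\n' >> "$demo/cron.allow"
printf '%-22s %s (after adding to cron.allow)\n' user@ipa.domain.com \
    "$(cron_allowed user@ipa.domain.com "$demo/cron.allow" "$demo/cron.deny" root-only)"
rm -rf "$demo"
```

Because the decision is made from local files on each client, an HBAC rule granting the crond service says nothing about whether crontab(1) itself will accept the user; running this check over the host's real /etc/cron.allow and /etc/cron.deny shows what the local half of the policy permits.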