Hello all,
We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One problem we are encountering is with usage of cron (and specifically crontab to edit/list users cron entries). We have HBAC enabled, and have crond as allowed in the list of services users can access. If I perform a hbactest it shows users have access granted.
On the local system, we have the /etc/cron.allow file that just lists user root. I have also tested with no cron.allow and cron.deny file existing. Users in IPA cannot issue the crontab command; they get the following message:
You (user@ipa.domain.com) are not allowed to use this program (crontab) See crontab(1) for more information
If we add the user user@ipa.domain.com to the /etc/cron.allow file then the user can run the crontab command.
If you read the man page for crontab, this is the correct behavior as described, in conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in the crond pam file to make sure the access.conf file is not interacting with any of this. So I guess my questions are:
1. Is this the expected behavior for users in IPA that are granted access to the crond service?
2. If so, what is the purpose of the crond service in IPA?
3. Is there a way to allow IPA users to use the crontab command without adding them to local /etc/cron.[allow|deny] files?
Pertinent version details:
IPA servers on RHEL 7.7: IPA VERSION: 4.6.5, API_VERSION: 2.231; sssd version 1.16.4; 389 directory server version 1.3.9.1-10
Clients on CentOS/RHEL 7.7: IPA VERSION: 4.6.5, API_VERSION: 2.231; sssd version 1.16.4
Thanks, — Bob Jones Lead Linux Services Engineer ITS ECP - Linux Services
Hello all. Just checking to see if anyone has any insight into the issue I describe below. My searching hasn’t really brought me to a clear understanding of what is going on here.
Thanks, — Bob Jones Lead Linux Services Engineer ITS ECP - Linux Services
On Dec 9, 2019, at 4:20 PM, Jones, Bob (rwj5d) via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[...]
On to, 12 joulu 2019, Jones, Bob (rwj5d) via FreeIPA-users wrote:
Hello all. Just checking to see if anyone has any insight into the issue I describe below. My searching hasn’t really brought me to a clear understanding of what is going on here.
Hi Bob,
we have most of the developers right now attending a Red Hat-hosted hackfest in Washington, D.C., so people are busy and do not have much time to respond. I myself will be back by next week and will hopefully be able to process freeipa-users@ enquiries by then.
Not the answer you are probably expecting, but hopefully this clears up why there have been no responses so far.
[...]
On Mon, Dec 09, 2019 at 09:20:13PM +0000, Jones, Bob (rwj5d) via FreeIPA-users wrote:
Hello all,
We have been in the process of migrating our RHEL/CentOS 7 systems into using IPA. One problem we are encountering is with usage of cron (and specifically crontab to edit/list users cron entries). We have HBAC enabled, and have crond as allowed in the list of services users can access. If I perform a hbactest it shows users have access granted.
On the local system, we have the /etc/cron.allow file that just lists user root. I have also tested with no cron.allow and cron.deny file existing. Users in IPA cannot issue the crontab command; they get the following message:
You (user@ipa.domain.com) are not allowed to use this program (crontab) See crontab(1) for more information
If we add the user user@ipa.domain.com to the /etc/cron.allow file then the user can run the crontab command.
If you read the man page for crontab, this is the correct behavior as described, in conjunction with the cron.[allow|deny] files. I have also commented out pam_access.so in the crond pam file to make sure the access.conf file is not interacting with any of this. So I guess my questions are:
- Is this the expected behavior for users in IPA that are granted access to the crond service?
Yes, by default the HBAC rules allow access to all services.
- If so, what is the purpose of the crond service in IPA?
You can control it similarly to the way pam_access.so does, only the PAM module here is pam_sss.so. Instead of managing /etc/security/access.conf locally on every host, you can create HBAC rules in the IPA server to allow access to some users and groups and deny access to anyone else.
- Is there a way to allow IPA users to use the crontab command without adding them to local /etc/cron.[allow|deny] files?
As long as you use /etc/cron.allow you have to add them to /etc/cron.allow as well. If you only use /etc/cron.deny and /etc/cron.allow does not exist all IPA users can do cron (as long as they are not listed in /etc/cron.deny).
HTH
bye, Sumit
[...]
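The thread describes two independent gates that do not replace each other: the local /etc/cron.allow and /etc/cron.deny check that crontab(1) performs before it will edit or list a user's entries, and the HBAC decision that pam_sss.so returns for the crond PAM service. The POSIX shell script below is an added example, not code from the thread, from FreeIPA or from cronie. It models the crontab(1) file rules as a function, parses a constructed sample of `ipa hbactest` output for the "Access granted" line, and walks through the three states Bob reports (cron.allow listing only root, the user added to cron.allow, and only a cron.deny present). The temporary directory, the user name user@ipa.domain.com, the sample hbactest text and the "neither file exists" policy argument are all constructed or assumed for the demo; crontab(1) says that last case is site-dependent, so it is passed in as a parameter rather than hard-coded.

```shell
#!/bin/sh
# Added example: models the two gates an IPA user passes on a FreeIPA-enrolled
# CentOS/RHEL 7 host. Not code from the thread, FreeIPA or cronie.

WORK=$(mktemp -d)              # constructed stand-in for /etc
ALLOW="$WORK/cron.allow"
DENY="$WORK/cron.deny"

# cron_file_allows USER ALLOWFILE DENYFILE [NEITHER_POLICY]
# Mirrors the rules in crontab(1): if cron.allow exists only listed users pass;
# otherwise, if cron.deny exists, everyone not listed passes; if neither exists
# the result is site-dependent, so the caller supplies NEITHER_POLICY as
# "root-only" (assumed default here) or "everyone". Exit 0 = allowed, 1 = denied.
cron_file_allows() {
    user=$1; allow=$2; deny=$3; policy=${4:-root-only}
    if [ -f "$allow" ]; then
        grep -qxF "$user" "$allow"   # -F: user names such as a@b.c contain regex chars
        return $?
    fi
    if [ -f "$deny" ]; then
        if grep -qxF "$user" "$deny"; then return 1; fi
        return 0
    fi
    [ "$policy" = everyone ] && return 0
    [ "$user" = root ]
}

# hbac_granted HBACTEST_OUTPUT
# Reads the "Access granted: True|False" line that `ipa hbactest` prints.
hbac_granted() {
    printf '%s\n' "$1" | grep -q '^Access granted: True$'
}

# Constructed sample of the output of
#   ipa hbactest --user=user --host=client.ipa.domain.com --service=crond
# when the default allow_all rule matches. Sample text, not a captured session.
SAMPLE_HBACTEST='--------------------
Access granted: True
--------------------
  Matched rules: allow_all'

# crontab_permitted USER -> exit 0 only when both gates pass. HBAC alone never
# opens crontab(1); the local file check still runs afterwards.
crontab_permitted() {
    hbac_granted "$SAMPLE_HBACTEST" && cron_file_allows "$1" "$ALLOW" "$DENY"
}

report() {   # report LABEL USER
    if crontab_permitted "$2"; then echo "$1: $2 may run crontab"
    else echo "$1: $2 is not allowed to use this program (crontab)"; fi
}

demo() {
    printf 'root\n' > "$ALLOW"                    # state 1 from the thread
    report "cron.allow lists only root" user@ipa.domain.com
    printf 'user@ipa.domain.com\n' >> "$ALLOW"     # state 2: user added locally
    report "user appended to cron.allow" user@ipa.domain.com
    rm -f "$ALLOW"; : > "$DENY"                    # state 3: only an empty cron.deny
    report "only cron.deny present" user@ipa.domain.com
    rm -rf "$WORK"
}

demo
```

The outcome to take from the walk-through is Sumit's point: with cron.allow present, HBAC granting the crond service does not help, because crontab(1) consults the local file first; dropping cron.allow and relying on cron.deny is what lets every IPA user (minus those listed in cron.deny) use crontab, with the HBAC rule then deciding whether crond will run their jobs at all.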