Applies to: All versions of Centrify DirectControl on all platforms
Question:
After a Solaris 10 server is joined to AD, users are no longer allowed to use the crontab command:
[bgamblin@ledccdapp1 ~]$ crontab -l
You (bgamblin) are not allowed to use this program (crontab)
See crontab(1) for more information
[bgamblin@ledccdapp1 ~]$ crontab -e
You (bgamblin) are not allowed to use this program (crontab)
See crontab(1) for more information
The following errors were found in the debug log files:
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: DEBUG <fd:27 PAMIsUserAllowedAccess2 > base.osutil Module=Base : User 'webuser' denied access to application 'crond' by DirectAuthorize (reference ipcclient2.cpp:1833 rc: 0)
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: INFO <fd:27 PAMIsUserAllowedAccess2 > audit User 'webuser' is not authorized: User 'webuser' denied access to application 'crond' by DirectAuthorize
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: DEBUG <fd:27 PAMIsUserAllowedAccess2 > daemon.ipcclient2 User 'webuser' is not allowed access
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: DEBUG <fd:27 PAMIsUserAllowedAccess2 > daemon.ipcclient2 request 'PAMIsUserAllowedAccess2' complete
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: INFO <fd:20 crontab(51058)> client.crontab Cannot display error 'No access allowed.#012
Please contact your system administrator.': No conversation function
===
Aug 8 13:36:00 seiiso03uapp01 adclient[11846]: [ID 702911 auth.debug] DEBUG <fd:27 PAMIsUserAllowedAccess2 > dz.interface SAM, is user cn=barry gamblin,ou=users,ou=network services,dc=tsys,dc=tss,dc=net allowed to use PAM cron? N
Aug 8 13:36:00 seiiso03uapp01 adclient[11846]: [ID 702911 auth.debug] DEBUG <fd:27 PAMIsUserAllowedAccess2 > base.osutil Module=Base : User 'bgamblin' denied access to application 'cron' by DirectAuthorize (reference ipcclient2.cpp:1833 rc: 0)
Aug 8 13:36:00 seiiso03uapp01 adclient[11846]: [ID 702911 auth.info] INFO <fd:27 PAMIsUserAllowedAccess2 > audit User 'bgamblin' is not authorized: User 'bgamblin' denied access to application 'cron' by DirectAuthorize
====
Answer:
The users currently have rights only to the "sshd" PAM application, as shown below:
PAM Application  Avail  Source Roles
---------------  -----  --------------------
sshd             Yes    SSH Login/Global
The log files show that the users "webuser" and "bgamblin" have no access to the applications "crond" and "cron". Add "crond" and "cron" to the "PAM Application" list, then run adflush -f. See pages 150 to 152, "Configuring rights for access to PAM applications", of the "Centrify-unix-adminguide.pdf" manual.
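The two hosts in the log excerpt report different PAM application names ('crond' and 'cron'), so it helps to read the exact name from the log before editing the role. The following is an added example, not Centrify tooling or code from the original article: it scans adclient debug output for DirectAuthorize denials and lists, per host, which PAM application each user was refused. The function name denied_pam_apps is hypothetical, and the sample lines are taken from the excerpt above.

```python
import re
from collections import defaultdict

# Sample lines copied from the log excerpt in this article. They cover both
# syslog layouts seen there (with and without the "[ID ... auth.*]" tag).
SAMPLE_LOG = """\
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: DEBUG <fd:27 PAMIsUserAllowedAccess2 > base.osutil Module=Base : User 'webuser' denied access to application 'crond' by DirectAuthorize (reference ipcclient2.cpp:1833 rc: 0)
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: INFO <fd:27 PAMIsUserAllowedAccess2 > audit User 'webuser' is not authorized: User 'webuser' denied access to application 'crond' by DirectAuthorize
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: DEBUG <fd:27 PAMIsUserAllowedAccess2 > daemon.ipcclient2 User 'webuser' is not allowed access
Aug 8 13:36:00 seiiso03uapp01 adclient[11846]: [ID 702911 auth.debug] DEBUG <fd:27 PAMIsUserAllowedAccess2 > base.osutil Module=Base : User 'bgamblin' denied access to application 'cron' by DirectAuthorize (reference ipcclient2.cpp:1833 rc: 0)
Aug 8 13:36:00 seiiso03uapp01 adclient[11846]: [ID 702911 auth.info] INFO <fd:27 PAMIsUserAllowedAccess2 > audit User 'bgamblin' is not authorized: User 'bgamblin' denied access to application 'cron' by DirectAuthorize
"""

# Syslog prefix: timestamp, host name, then the adclient process tag.
HEADER = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+adclient\[\d+\]:")
# The denial text is identical in the DEBUG (base.osutil) and INFO (audit) lines.
DENIED = re.compile(
    r"User '(?P<user>[^']+)' denied access to application '(?P<app>[^']+)' "
    r"by DirectAuthorize"
)


def denied_pam_apps(log_text):
    """Return {host: {pam_application: [users]}} for DirectAuthorize denials."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        head = HEADER.match(line)
        hit = DENIED.search(line)
        if head and hit:
            # Sets collapse the DEBUG/INFO duplicates of the same denial.
            seen[head["host"]][hit["app"]].add(hit["user"])
    return {
        host: {app: sorted(users) for app, users in apps.items()}
        for host, apps in seen.items()
    }


if __name__ == "__main__":
    for host, apps in denied_pam_apps(SAMPLE_LOG).items():
        for app, users in apps.items():
            print(f"{host}: PAM application '{app}' denied for {', '.join(users)}")
```

Each application name it reports is the string to add to the role's "PAM Application" list for that host.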