Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8864: Not allowed to use crontab command after joining AD

28 April,17 at 04:19 PM

Applies to: All versions of Centrify DirectControl on all platforms
 
Question :
After joining a Solaris 10 server to the AD, users are no longer allowed to use crontab command:
[bgamblin@ledccdapp1 ~]$ crontab -l
You (bgamblin) are not allowed to use this program (crontab)
See crontab(1) for more information
[bgamblin@ledccdapp1 ~]$ crontab -e
You (bgamblin) are not allowed to use this program (crontab)
See crontab(1) for more information
 
The following errors were found in the debug log files :
 
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: DEBUG <fd:27 PAMIsUserAllowedAccess2 > base.osutil Module=Base : User 'webuser' denied
access to application 'crond' by DirectAuthorize (reference ipcclient2.cpp:1833 rc: 0)
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: INFO <fd:27 PAMIsUserAllowedAccess2 > audit User 'webuser' is not authorized: User
'webuser' denied access to application 'crond' by DirectAuthorize Aug 8 08:57:24 ledpegqapp2 adclient[39186]: DEBUG <fd:27
PAMIsUserAllowedAccess2 > daemon.ipcclient2 User 'webuser' is not allowed access
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: DEBUG <fd:27 PAMIsUserAllowedAccess2 > daemon.ipcclient2 request 'PAMIsUserAllowedAccess2' complete
Aug 8 08:57:24 ledpegqapp2 adclient[39186]: INFO <fd:20 crontab(51058)> client.crontab Cannot display error 'No access allowed.#012
Please contact your system administrator.': No conversation function
 
===
Aug 8 13:36:00 seiiso03uapp01 adclient[11846]: [ID 702911 auth.debug] DEBUG <fd:27 PAMIsUserAllowedAccess2 > dz.interface SAM, is user cn=barry gamblin,ou=users,ou=network services,dc=tsys,dc=tss,dc=net allowed to use PAM cron? N
Aug 8 13:36:00 seiiso03uapp01 adclient[11846]: [ID 702911 auth.debug] DEBUG <fd:27 PAMIsUserAllowedAccess2 > base.osutil Module=Base : User 'bgamblin' denied access to application 'cron' by DirectAuthorize (reference ipcclient2.cpp:1833 rc: 0)
Aug 8 13:36:00 seiiso03uapp01 adclient[11846]: [ID 702911 auth.info] INFO <fd:27 PAMIsUserAllowedAccess2 > audit User 'bgamblin' is not authorized: User 'bgamblin' denied access to application 'cron' by DirectAuthorize
====

Followed KB-0373: User's cron jobs fails to execute after installing Centrify agent crond was restarted and I even rebooted the server with no change in the result. 
 
Answer:
The current users only have the right to run "sshd" in the PAM application as below :
PAM Application Avail Source Roles
--------------- ----- --------------------
sshd Yes SSH Login/Global
 
From the log files, it shows that the user "webuser" and "bgamblin" have no access to applications “crond” and “cron”. Please add the "crond" and "cron" in the "PAM Application" list, then run adflush –f.    Please refer to page 150 to 152 Configuring rights for access to PAM applications of the "Centrify-unix-adminguide.pdf" manual.

 

Related Articles

 articleKB-3393: crontab works for local account but not AD users articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-3925: How to add Centrify parameter to a group policy articleKB-6041: How to show current license type in use by adclient articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-6056: How to report the group policy settings that are in effect for the local computer?