Active-Directory
/var/log/cron.log returns CRON[PID]: Permission denied for domain-joined account
I am trying to run a cron job, but not as root.
In the context of the user (domainuser@contoso.com), here is the output of the crontab and cron.log:
Output of crontab -l

    # Edit this file to introduce tasks to be run by cron.
    #
    # Each task to run has to be defined through a single line
    # indicating with different fields when the task will be run
    # and what command to run for the task
    #
    # To define the time you can provide concrete values for
    # minute (m), hour (h), day of month (dom), month (mon),
    # and day of week (dow) or use '*' in these fields (for 'any').#
    # Notice that tasks will be started based on the cron's system
    # daemon's notion of time and timezones.
    #
    # Output of the crontab jobs (including errors) is sent through
    # email to the user the crontab file belongs to (unless redirected).
    #
    # For example, you can run a backup of all your user accounts
    # at 5 a.m every week with:
    # 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
    #
    # For more information see the manual pages of crontab(5) and cron(8)
    #
    # m h dom mon dow command
    */1 * * * * whoami

Output of /var/log/cron.log (last 10 lines)

    Nov 27 04:24:28 tor-car-rclone CRON[1865]: Permission denied
    Nov 27 04:25:01 tor-car-rclone CRON[1870]: Permission denied
    Nov 27 04:25:25 tor-car-rclone crontab[1871]: (domainuser@contoso.com) LIST (domainuser@contoso.com)
    Nov 27 04:26:01 tor-car-rclone CRON[1875]: Permission denied
    Nov 27 04:27:01 tor-car-rclone CRON[1877]: Permission denied
    Nov 27 04:28:01 tor-car-rclone CRON[1879]: Permission denied
    Nov 27 04:29:01 tor-car-rclone CRON[1884]: Permission denied
    Nov 27 04:30:01 tor-car-rclone CRON[1887]: Permission denied
    Nov 27 04:31:01 tor-car-rclone CRON[1889]: Permission denied
    Nov 27 04:32:01 tor-car-rclone CRON[1894]: Permission denied

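This is obviously a permissions issue, but I'm not sure where I need to assign permissions.
So the issue is GPO-related, because the box is joined to an AD domain.
According to https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908, the following fixed it: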
Edit /etc/sssd/sssd.conf and add

    ad_gpo_access_control = permissive

to the [domain/corp.contoso.com] section. Full example of /etc/sssd/sssd.conf:

    [sssd]
    domains = corp.contoso.com
    config_file_version = 2
    services = nss, pam

    [domain/corp.contoso.com]
    ad_domain = corp.contoso.com
    krb5_realm = CORP.CONTOSO.com
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%d/%u
    access_provider = ad
    ad_gpo_access_control = permissive
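
An added example, not part of the original answer: `permissive` makes sssd evaluate GPO logon rights without enforcing them, so this Python check flags domains left in that mode and reports whether a PAM service is explicitly mapped to a GPO right. The hardened variant (`enforcing` plus `ad_gpo_map_batch = +cron`) and the PAM service name `cron` are assumptions about this host, not from the page; `audit_gpo` and both sample configs are constructed.

```python
import configparser

# Constructed sample: the answer's domain section reduced to the relevant keys.
WEAK_CONF = """
[sssd]
domains = corp.contoso.com
services = nss, pam

[domain/corp.contoso.com]
id_provider = ad
access_provider = ad
ad_gpo_access_control = permissive
"""

# Assumed tighter variant: keep enforcement, map the cron PAM service instead.
HARDENED_CONF = WEAK_CONF.replace(
    "ad_gpo_access_control = permissive",
    "ad_gpo_access_control = enforcing\nad_gpo_map_batch = +cron")

# sssd-ad options that map PAM service names to GPO logon rights.
MAP_KEYS = ("ad_gpo_map_interactive", "ad_gpo_map_remote_interactive",
            "ad_gpo_map_network", "ad_gpo_map_batch", "ad_gpo_map_service",
            "ad_gpo_map_permit", "ad_gpo_map_deny")


def audit_gpo(conf_text, pam_service="cron"):
    """Return {domain: [findings]} for each domain with access_provider = ad."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        opts = cp[section]
        if not section.startswith("domain/") or opts.get("access_provider") != "ad":
            continue  # GPO checks are part of the AD access provider
        findings = []
        mode = opts.get("ad_gpo_access_control", "").lower()
        if mode in ("permissive", "disabled"):
            findings.append(f"ad_gpo_access_control = {mode}: GPO logon rights not enforced")
        mapped = any(pam_service in [s.strip().lstrip("+") for s in opts.get(k, "").split(",")]
                     for k in MAP_KEYS)
        if not mapped:
            findings.append(f"PAM service '{pam_service}' has no explicit ad_gpo_map_* entry")
        report[section[len("domain/"):]] = findings
    return report


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_gpo(text))
```

To audit a real host, pass the contents of /etc/sssd/sssd.conf to `audit_gpo`; sssd must be restarted before any change to that file takes effect.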