Re: [pam_access.so] How to ignore account expiration error(s)


 




Hi Jon,


I updated my crond file content according to your reply, but the result does not change.

===========  /etc/pam.d/crond  ================
#
# The PAM configuration file for the cron daemon
#
#
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth

account    sufficient pam_rootok.so
#account    required   pam_access.so
#account    include   system-auth
account    required   pam_unix.so
account    required   pam_tally.so

session    required   pam_loginuid.so
session    include    system-auth

===================================



On Thu, Dec 29, 2011 at 2:39 PM, Jon Miller <jonebird@xxxxxxxxx> wrote:
What I do in these situations is manually do the "include" for
system-auth and then remove the unnecessary lines.
That is, keep your first two lines, then replace the third line with
the "account" entries of system-auth. At that point you have an
identical setup but you can now try commenting out the pam_access
account line without needing to affect any other pam files which may
also include system-auth.

-- Jon Miller

On Thu, Dec 29, 2011 at 3:18 AM, ANIL KARADAĞ <anil.karadag@xxxxxxxxx> wrote:
> Hi Ben,
>
> /etc/pam.d/crond includes the following lines;
>
> account    sufficient  pam_rootok.so
> account    required   pam_access.so
> account    include    system-auth
>
> crond with the above lines exits with an account expiration error if the root
> password is expired.
>
> If crond uses "account    sufficient   pam_access.so" instead of "account
>  required   pam_access.so", root's jobs can be run.
>
> Does the "sufficient" flag cause an access problem?
>
>
>
> On Wed, Dec 28, 2011 at 7:12 PM, ben <ben@xxxxxxxxxxxxxxxxxx> wrote:
>>
>> On 12/28/2011 5:39 AM, Jon Miller wrote:
>> > Sorry but I do not have a direct answer to your question, however it
>> > is my opinion that the use of pam_access doesn't make much sense for
>> > /etc/pam.d/crond. Cronjobs are for users which already have access
>> > whereas pam_access would be controlling who gained access in the first
>> > place. My suggestion is to completely remove that line from crond.
>> >
>> > -- Jon Miller
>>
>> I suspect that pam_access is used to deny expired users. You might look
>> at adding a root ok module first.
>>
>> --
>> Ben Hildred
>> Estimator
>> Applied Plastic Coatings, Inc.
>> 5000 Tabor St.
>> Wheat Ridge, CO 80033
>> 303 424 9200
>> F: 303 424 8800
>> ben@xxxxxxxxxxxxxxxxxx
>> http://appliedplastic.com
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/pam-list
>
>
>
>
> --
> Anıl KARADAĞ
> http://anilkaradag.info/blog
>




--
Anıl KARADAĞ
http://anilkaradag.info/blog
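
Jon's suggestion of doing the "include" by hand, sketched as an added example that is not part of the original thread: it inlines the "account" lines of an included file into the service file and comments out a chosen module so the rest of the stack stays identical. The file contents are constructed samples (the thread does not show system-auth), and expand_includes is a hypothetical helper name.

```python
import re

# Constructed sample files (not from the thread's hosts); the system-auth
# content is an assumed stand-in for /etc/pam.d/system-auth.
SAMPLE_FILES = {
    "crond": """\
account    sufficient pam_rootok.so
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth
""",
    "system-auth": """\
account    required   pam_unix.so
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required   pam_permit.so
session    required   pam_limits.so
""",
}

# type, control (word or [bracketed list]), module path, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def expand_includes(files, name, group, drop=(), _seen=()):
    """Effective rules of `group` in files[name], with includes inlined.

    Modules listed in `drop` are kept but commented out, so the edit
    stays visible when the result is pasted back into the service file.
    """
    if name in _seen:
        raise ValueError("include loop via " + name)
    out = []
    for raw in files[name].splitlines():
        line = raw.strip()
        m = RULE.match(line)
        if line.startswith("#") or not m or m.group(1).lstrip("-") != group:
            continue
        control, module = m.group(2), m.group(3)
        if control == "include":
            out += expand_includes(files, module, group, drop, _seen + (name,))
        elif module in drop:
            out.append("#" + line)
        else:
            out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(expand_includes(SAMPLE_FILES, "crond", "account",
                                    drop={"pam_access.so"})))
```

Diffing the output with and without the drop argument shows exactly which line changes, without editing any file that other services also include.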
