Hi Jon,
I updated my crond file content according to your reply, but the result does not change.
=========== /etc/pam.d/crond ================
#
# The PAM configuration file for the cron daemon
#
#
auth sufficient pam_env.so
auth required pam_rootok.so
auth include system-auth
account sufficient pam_rootok.so
#account required pam_access.so
#account include system-auth
account required pam_unix.so
account required pam_tally.so
session required pam_loginuid.so
session include system-auth
===================================
On Thu, Dec 29, 2011 at 2:39 PM, Jon Miller <jonebird@xxxxxxxxx> wrote:
What I do in these situations is manually do the "include" for
system-auth and then remove the unnecessary lines.
That is, keep your first two lines, then replace the third line with
the "account" entries of system-auth. At that point you have an
identical setup but you can now try commenting out the pam_access
account line without needing to affect any other pam files which may
also include system-auth.
-- Jon Miller
On Thu, Dec 29, 2011 at 3:18 AM, ANIL KARADAĞ <anil.karadag@xxxxxxxxx> wrote:
> Hi Ben,
>
> /etc/pam.d/crond includes the following lines;
>
> account sufficient pam_rootok.so
> account required pam_access.so
> account include system-auth
>
> crond with the above lines exits with an account expiration error if the root
> password is expired.
>
> If crond uses "account sufficient pam_access.so" instead of "account
> required pam_access.so", root's jobs can be run.
>
> Does the "sufficient" flag cause an access problem?
>
>
>
> On Wed, Dec 28, 2011 at 7:12 PM, ben <ben@xxxxxxxxxxxxxxxxxx> wrote:
>>
>> On 12/28/2011 5:39 AM, Jon Miller wrote:
>> > Sorry but I do not have a direct answer to your question, however it
>> > is my opinion that the use of pam_access doesn't make much sense for
>> > /etc/pam.d/crond. Cronjobs are for users which already have access
>> > whereas pam_access would be controlling who gained access in the first
>> > place. My suggestion is to completely remove that line from crond.
>> >
>> > -- Jon Miller
>>
>> I suspect that pam_access is used to deny expired users. You might look
>> at adding a root ok module first.
>>
>> --
>> Ben Hildred
>> Estimator
>> Applied Plastic Coatings, Inc.
>> 5000 Tabor St.
>> Wheat Ridge, CO 80033
>> 303 424 9200
>> F: 303 424 8800
>> ben@xxxxxxxxxxxxxxxxxx
>> http://appliedplastic.com
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/pam-list
>
>
>
>
> --
> Anıl KARADAĞ
> http://anilkaradag.info/blog
>
Anıl KARADAĞ
http://anilkaradag.info/blog
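
The control-flag behaviour discussed in this thread, as an added example that is not part of any poster's message: a simplified Python model of how Linux-PAM walks one stack, applied to the account lines quoted above. Assumptions: the system-auth include is flattened to a single "account required pam_unix.so" line, the module results are constructed, and only the four keyword control flags are modelled.

```python
# Added example: simplified model of how Linux-PAM walks one stack.
# Handles only the four keyword control flags; "include" is flattened by hand.

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> bool (True = PAM_SUCCESS).
    Returns (verdict, modules_called)."""
    called, required_failed, any_success = [], False, False
    for control, module in stack:
        ok = results[module]
        called.append(module)
        if control == "sufficient":
            # Success ends the stack at once unless a required module already failed.
            if ok and not required_failed:
                return "permit", called
            # Failure of a sufficient module is ignored.
        elif control == "requisite":
            if not ok:
                return "deny", called
            any_success = True
        elif control == "required":
            # Failure is remembered, but the remaining modules still run.
            if ok:
                any_success = True
            else:
                required_failed = True
        elif control == "optional":
            any_success = any_success or ok
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return ("permit" if any_success and not required_failed else "deny"), called

# Account stack quoted in the thread; the system-auth include is assumed to
# contribute a single "account required pam_unix.so" line.
ORIGINAL = [("sufficient", "pam_rootok.so"),
            ("required", "pam_access.so"),
            ("required", "pam_unix.so")]
# Variant from the thread: pam_access switched to "sufficient".
VARIANT = [("sufficient", "pam_rootok.so"),
           ("sufficient", "pam_access.so"),
           ("required", "pam_unix.so")]

# Constructed module results: pam_rootok does not report success,
# pam_access allows the user, pam_unix reports the expired password.
EXPIRED = {"pam_rootok.so": False, "pam_access.so": True, "pam_unix.so": False}

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("variant", VARIANT)):
        print(name, run_stack(stack, EXPIRED))
```

In the variant, pam_unix.so is never called, so under this model the expiry check is skipped for every user that pam_access.so permits, not only for root.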