Sorry, I thought when you said it worked with "account sufficient pam_access.so", you had already figured out a working combination of pam modules.

I can not claim to be a PAM expert but rather I merely use a handful of techniques to solve my PAM issues:

1. Identify the culprit pam module.
   a. Sometimes this means increasing my syslog verbosity. Other times involves adding a "debug" option at the end of particular pam lines.
   b. In other cases, I use the crude method of trial and error where I systematically comment out each line one at a time until I find the module causing me the trouble.
2. Modify / Replace / Remove the pam module line.

This is where the answer gets tricky depending on what you need to do without compromising the overall security of your system. In your case, I thought you'd be okay with removing a line for crond but I could now be missing something.

Having said all of that, I suspect the account expiration catch is being performed by pam_unix. My machine's README.pam_unix (/usr/share/doc/pam-*/txts/README.pam_unix) mentions that it consults user account information including expiration. At this point, I'd suggest changing the root user to non-expiring or changing the pam_unix line to "sufficient".

-- Jon Miller

On Thu, Dec 29, 2011 at 9:29 AM, ANIL KARADAĞ <anil.karadag@xxxxxxxxx> wrote:
>
> hi Jon,
>
>
> I updated my crond file content according to your reply but result does not
> change.
>
> =========== /etc/pam.d/crond ================
> #
> # The PAM configuration file for the cron daemon
> #
> #
> auth sufficient pam_env.so
> auth required pam_rootok.so
> auth include system-auth
>
> account sufficient pam_rootok.so
> #account required pam_access.so
> #account include system-auth
> account required pam_unix.so
> account required pam_tally.so
>
> session required pam_loginuid.so
> session include system-auth
>
> ===================================
>
>
>
> On Thu, Dec 29, 2011 at 2:39 PM, Jon Miller <jonebird@xxxxxxxxx> wrote:
>>
>> What I do in these situations is manually do the "include" for
>> system-auth and then remove the unnecessary lines.
>> That is, keep your first two lines, then replace the third line with
>> the "account" entries of system-auth. At that point you have an
>> identical setup but you can now try commenting out the pam_access
>> account line without needing to affect any other pam files which may
>> also include system-auth.
>>
>> -- Jon Miller
>>
>> On Thu, Dec 29, 2011 at 3:18 AM, ANIL KARADAĞ <anil.karadag@xxxxxxxxx>
>> wrote:
>> > Hi Ben,
>> >
>> > /etc/pam.d/crond includes the following lines;
>> >
>> > account sufficient pam_rootok.so
>> > account required pam_access.so
>> > account include system-auth
>> >
>> > crond with the above lines exits with an account expiration error if
>> > root
>> > password is expired.
>> >
>> > If crond uses "account sufficient pam_access.so" instead of
>> > "account
>> > required pam_access.so", root's jobs can be run.
>> >
>> > Does "sufficient" flag cause to access problem?
>> >
>> >
>> >
>> > On Wed, Dec 28, 2011 at 7:12 PM, ben <ben@xxxxxxxxxxxxxxxxxx> wrote:
>> >>
>> >> On 12/28/2011 5:39 AM, Jon Miller wrote:
>> >> > Sorry but I do not have a direct answer to your question, however it
>> >> > is my opinion that the use of pam_access doesn't make much sense for
>> >> > /etc/pam.d/crond.
>> >> > Cronjobs are for users which already have access
>> >> > whereas pam_access would be controlling who gained access in the
>> >> > first
>> >> > place. My suggestion is to completely remove that line from crond.
>> >> >
>> >> > -- Jon Miller
>> >>
>> >> I suspect that pam_access is used to deny expired users. you might look
>> >> at adding a root ok module first.
>> >>
>> >> --
>> >> Ben Hildred
>> >> Estimator
>> >> Applied Plastic Coatings, Inc.
>> >> 5000 Tabor St.
>> >> Wheat Ridge, CO 80033
>> >> 303 424 9200
>> >> F: 303 424 8800
>> >> ben@xxxxxxxxxxxxxxxxxx
>> >> http://appliedplastic.com
>> >>
>> >> _______________________________________________
>> >> Pam-list mailing list
>> >> Pam-list@xxxxxxxxxx
>> >> https://www.redhat.com/mailman/listinfo/pam-list
>> >
>> >
>> >
>> >
>> > --
>> > Anıl KARADAĞ
>> > http://anilkaradag.info/blog
>
>
>
>
> --
> Anıl KARADAĞ
> http://anilkaradag.info/blog
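
The control-flag behaviour discussed in this thread, as an added example that is not part of any message above: a simplified Python model of how "required" and "sufficient" decide the result of an account stack. The module verdicts are constructed assumptions (in particular that pam_rootok.so does not short-circuit the account phase, and that pam_unix.so stands in for "include system-auth"), and no real PAM module is called.

```python
# Simplified model of the four classic Linux-PAM control flags.
# Module verdicts are constructed inputs; no real PAM module is called.
OK, EXPIRED, IGNORE = "PAM_SUCCESS", "PAM_ACCT_EXPIRED", "PAM_IGNORE"

def parse_stack(text, group="account"):
    """Return [(control, module)] for the active lines of one group."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and fields[0] == group:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(text, verdicts):
    """Walk the stack top to bottom and return the overall result."""
    failure, succeeded = None, False
    for control, module in parse_stack(text):
        result = verdicts[module]
        if result == IGNORE or control == "optional":
            continue                      # contributes nothing in this model
        if result == OK:
            succeeded = True
            if control == "sufficient" and failure is None:
                return OK                 # stop: later modules never run
        elif control == "requisite":
            return failure or result      # stop at once with the failure
        elif control == "required":
            failure = failure or result   # remember it, keep going
        # a failed "sufficient" module is ignored
    if failure:
        return failure
    return OK if succeeded else "PAM_PERM_DENIED"

# Constructed verdicts for root with an expired password (assumptions).
VERDICTS = {"pam_rootok.so": IGNORE,   # assumed: it did not short-circuit
            "pam_access.so": OK, "pam_unix.so": EXPIRED, "pam_tally.so": OK}

# 'include system-auth' expanded by hand; pam_unix.so is an assumed stand-in.
ORIGINAL = """
account sufficient pam_rootok.so
account required   pam_access.so
account required   pam_unix.so
"""
WORKAROUND = ORIGINAL.replace("required   pam_access", "sufficient pam_access")
UPDATED = """
account sufficient pam_rootok.so
#account required pam_access.so
account required pam_unix.so
account required pam_tally.so
"""
SUGGESTED = UPDATED.replace("required pam_unix", "sufficient pam_unix")
```

In this model both WORKAROUND and SUGGESTED return success because the pam_unix.so verdict no longer decides the outcome, and that holds for every account evaluated by the stack, not only root.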