Bug 1650314 - authconfig --enablerequiresmartcard breaks cron
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: cronie
Version: 7.6
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Marcel Plch
QA Contact: Jan Houska
Reported: 2018-11-15 20:23 UTC by Orion Poplawski
Modified: 2019-08-06 12:35 UTC (History)

Fixed In Version: 1.4.11-22
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1656825 (view as bug list)
Last Closed: 2019-08-06 12:35:18 UTC
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2041 0 None None None 2019-08-06 12:35:25 UTC

Description Orion Poplawski 2018-11-15 20:23:28 UTC
Description of problem:

After running:

authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall

cron no longer works for any user (including root):

crond[3783]: (root) PAM ERROR (Failure setting user credentials)
crond[3783]: (root) FAILED to authorize user with PAM (Failure setting user credentials)

This appears to be the same situation described in https://access.redhat.com/solutions/550293

Version-Release number of selected component (if applicable):
authconfig-6.2.8-30.el7.x86_64
cronie-1.4.11-19.el7.x86_64

Comment 2 Orion Poplawski 2018-11-15 20:41:09 UTC
Perhaps cronie should be using system-auth instead of password-auth?  That seems to fix it.

Comment 3 Sumit Bose 2018-11-26 13:27:28 UTC
The reason for the failure is that although cronie does not call pam_authenticate(), it calls pam_setcred(), which uses the 'auth' type configuration as well.

I agree that system-auth might be better suited for cronie because in general it is expected that if Smartcard authentication is required there will be a pam_deny in the password-auth configuration.

However in the given case where

    authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall

is called there should be a message like:

    authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.

But pam_deny is still added in password-auth.

I think this might be because some patch might not be applied correctly. While the git repository https://pagure.io/authconfig/blob/master/f/authinfo.py#_3832 only has:

                                        (enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
                                        (enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
                                        (enableFprintd and module[NAME] == "fprintd") or


there is an extra line in the installed version in RHEL-7.6:

                                        (enableSmartcard and not use_sssd_smartcard_support and module[NAME] == "pkcs11") or
                                        (enableSmartcard and not use_sssd_smartcard_support and forceSmartcard and module[NAME] == "deny") or
                                        (enableSmartcard and forceSmartcard and module[NAME] == "deny") or
                                        (enableFprintd and module[NAME] == "fprintd") or


which is responsible for the unexpected pam_deny in password-auth.

Comment 7 Pavel Březina 2018-12-06 12:08:05 UTC
It looks like there are two issues:

1) Authconfig does not really ignore --enablerequiresmartcard when sssd module is used even though the message is presented:

# authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall
authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
[root@kvm-guest-01 ~]# cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_deny.so
...

2) However the same problem with cron applies to pkcs11 module which supports requiresmartcard:
# authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=pkcs11 --smartcardaction=0 --enablerequiresmartcard --updateall

We should split this in two bugs, one for authconfig to actually ignore the requiresmartcard option for sssd module and one for cronie to use system-auth instead of password auth.
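
Added example, not part of the bug thread or of authconfig/cronie: a small lint that flattens a service's `auth` stack and reports whether pam_setcred() would run into an unconditional pam_deny.so, which is the failure discussed in Comments 3 and 7. The file contents, the `crond-old`/`crond-new` names and the `system-auth` lines are constructed for illustration; the `password-auth` lines mirror the excerpt in Comment 7.

```python
import re

# Constructed sample of /etc/pam.d (illustrative, not copied from a real host).
# Assumption: crond's service file pulls in its auth stack with "include".
PAM_D = {
    "crond-old": "account include password-auth\nauth include password-auth\n",
    "crond-new": "account include system-auth\nauth include system-auth\n",
    "password-auth": (
        "#%PAM-1.0\n"
        "auth        required      pam_env.so\n"
        "auth        required      pam_faildelay.so delay=2000000\n"
        "auth        required      pam_deny.so\n"
    ),
    "system-auth": (
        "#%PAM-1.0\n"
        "auth        required      pam_env.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        required      pam_deny.so\n"
    ),
}

# type, control (keyword or [bracketed list]), module path or include target
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def auth_stack(service, files, seen=()):
    """Flatten the 'auth' entries of a service, following include/substack.

    substack is treated like include here, which is a simplification.
    """
    if service in seen:
        raise ValueError("include loop at %s" % service)
    entries = []
    for raw in files[service].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).lstrip("-") != "auth":
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            entries += auth_stack(target, files, seen + (service,))
        else:
            entries.append((control, target.rsplit("/", 1)[-1]))
    return entries


def setcred_blocked_by(service, files):
    """Return the pam_deny entry pam_setcred() would hit, or None.

    Simplified model (assumption): a 'sufficient' or [success=done] module
    placed before pam_deny succeeds at setcred time and ends the stack.
    """
    for control, module in auth_stack(service, files):
        if module == "pam_deny.so" and control in ("required", "requisite"):
            return (control, module)
        if control == "sufficient" or "success=done" in control:
            return None
    return None


if __name__ == "__main__":
    for svc in ("crond-old", "crond-new"):
        print(svc, "->", setcred_blocked_by(svc, PAM_D))
```

On a real host, build the `files` mapping from the contents of /etc/pam.d and run the check for every service that calls pam_setcred() without authenticating, before and after an authconfig change.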

Comment 9 Pavel Březina 2018-12-06 12:11:44 UTC
Authconfig bug: https://bugzilla.redhat.com/show_bug.cgi?id=1656825

Comment 13 Jan Houska 2019-06-24 10:47:13 UTC
VERIFIED


OLD FAIL:
cronie-1.4.11-20.el7_6


:: [ 13:59:42 ] :: [   PASS   ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 13:58:51 EDT; 50s ago
 Main PID: 29444 (crond)
   CGroup: /system.slice/crond.service
           └─29444 /usr/sbin/crond -n

Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 28% if used.)
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (running with inotify support)
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Redirecting to /bin/systemctl stop crond.service
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-06-20 13:59:42 EDT; 2s ago
  Process: 29444 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=0/SUCCESS)
 Main PID: 29444 (code=exited, status=0/SUCCESS)

Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 28% if used.)
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (running with inotify support)
Jun 20 13:58:51 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29444]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jun 20 13:59:42 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopping Command Scheduler...
Jun 20 13:59:42 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopped Command Scheduler.
Redirecting to /bin/systemctl start crond.service
:: [ 13:59:44 ] :: [   LOG    ] :: rlServiceStart: Service crond started successfully
:: [ 14:00:25 ] :: [  BEGIN   ] :: Running 'tail /var/log/cron > cron.log.30'
:: [ 14:00:25 ] :: [   PASS   ] :: Command 'tail /var/log/cron > cron.log.30' (Expected 0, got 0)
:: [ 14:00:25 ] :: [   PASS   ] :: File 'cron.log.30' should not contain '(root) PAM ERROR (Failure setting user credentials)' 
:: [ 14:00:25 ] :: [   PASS   ] :: File 'cron.log.30' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)' 
:: [ 14:00:25 ] :: [  BEGIN   ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: Authentication module /usr/lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 14:00:33 ] :: [   PASS   ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 13:59:44 EDT; 49s ago
 Main PID: 29639 (crond)
   CGroup: /system.slice/crond.service
           └─29639 /usr/sbin/crond -n

Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 12% if used.)
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (running with inotify support)
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Redirecting to /bin/systemctl stop crond.service
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-06-20 14:00:33 EDT; 2s ago
  Process: 29639 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=0/SUCCESS)
 Main PID: 29639 (code=exited, status=0/SUCCESS)

Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 12% if used.)
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (running with inotify support)
Jun 20 13:59:44 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[29639]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jun 20 14:00:33 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopping Command Scheduler...
Jun 20 14:00:33 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopped Command Scheduler.
Redirecting to /bin/systemctl start crond.service
:: [ 14:00:35 ] :: [   LOG    ] :: rlServiceStart: Service crond started successfully
:: [ 14:01:16 ] :: [  BEGIN   ] :: Running 'tail /var/log/cron > cron2.log.30'
:: [ 14:01:16 ] :: [   PASS   ] :: Command 'tail /var/log/cron > cron2.log.30' (Expected 0, got 0)
:: [ 14:01:16 ] :: [   FAIL   ] :: File 'cron2.log.30' should not contain '(root) PAM ERROR (Failure setting user credentials)' 
:: [ 14:01:17 ] :: [   FAIL   ] :: File 'cron2.log.30' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)' 
:: [ 14:01:17 ] :: [   LOG    ] :: Closing loop - FAIL detected!!! 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 3184s
::   Assertions: 246 good, 2 bad
::   RESULT: FAIL


NEW PASS:
cronie-1.4.11-23.el7

:: [ 16:59:04 ] :: [  BEGIN   ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: --enablerequiresmartcard is not supported for module 'sssd', option is ignored.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 16:59:13 ] :: [   PASS   ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 16:58:23 EDT; 50s ago
 Main PID: 7265 (crond)
   CGroup: /system.slice/crond.service
           └─7265 /usr/sbin/crond -n

Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 58% if used.)
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (running with inotify support)
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Redirecting to /bin/systemctl stop crond.service
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-06-20 16:59:13 EDT; 2s ago
  Process: 7265 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=0/SUCCESS)
 Main PID: 7265 (code=exited, status=0/SUCCESS)

Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 58% if used.)
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (running with inotify support)
Jun 20 16:58:23 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7265]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jun 20 16:59:13 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopping Command Scheduler...
Jun 20 16:59:13 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopped Command Scheduler.
Redirecting to /bin/systemctl start crond.service
:: [ 16:59:15 ] :: [   LOG    ] :: rlServiceStart: Service crond started successfully
:: [ 16:59:56 ] :: [  BEGIN   ] :: Running 'tail /var/log/cron > cron.log.100'
:: [ 16:59:56 ] :: [   PASS   ] :: Command 'tail /var/log/cron > cron.log.100' (Expected 0, got 0)
:: [ 16:59:56 ] :: [   PASS   ] :: File 'cron.log.100' should not contain '(root) PAM ERROR (Failure setting user credentials)' 
:: [ 16:59:56 ] :: [   PASS   ] :: File 'cron.log.100' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)' 
:: [ 16:59:56 ] :: [  BEGIN   ] :: Running 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall'
authconfig: Authentication module /usr/lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
authconfig: Authentication module /usr/lib64/security/pam_sss.so is missing. Authentication process might not work correctly.
:: [ 17:00:06 ] :: [   PASS   ] :: Command 'authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=coolkey --smartcardaction=0 --enablerequiresmartcard --updateall' (Expected 0, got 0)
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 16:59:15 EDT; 51s ago
 Main PID: 7471 (crond)
   CGroup: /system.slice/crond.service
           └─7471 /usr/sbin/crond -n

Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 68% if used.)
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (running with inotify support)
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Redirecting to /bin/systemctl stop crond.service
Redirecting to /bin/systemctl status crond.service
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2019-06-20 17:00:06 EDT; 2s ago
  Process: 7471 ExecStart=/usr/sbin/crond -n $CRONDARGS (code=exited, status=0/SUCCESS)
 Main PID: 7471 (code=exited, status=0/SUCCESS)

Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Started Command Scheduler.
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 68% if used.)
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (running with inotify support)
Jun 20 16:59:15 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com crond[7471]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Jun 20 17:00:06 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopping Command Scheduler...
Jun 20 17:00:06 ibm-p8-kvm-02-guest-07.virt.pnr.lab.eng.rdu2.redhat.com systemd[1]: Stopped Command Scheduler.
Redirecting to /bin/systemctl start crond.service
:: [ 17:00:08 ] :: [   LOG    ] :: rlServiceStart: Service crond started successfully
:: [ 17:00:49 ] :: [  BEGIN   ] :: Running 'tail /var/log/cron > cron2.log.100'
:: [ 17:00:49 ] :: [   PASS   ] :: Command 'tail /var/log/cron > cron2.log.100' (Expected 0, got 0)
:: [ 17:00:49 ] :: [   PASS   ] :: File 'cron2.log.100' should not contain '(root) PAM ERROR (Failure setting user credentials)' 
:: [ 17:00:49 ] :: [   PASS   ] :: File 'cron2.log.100' should not contain '(root) FAILED to authorize user with PAM (Failure setting user credentials)' 
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 10248s
::   Assertions: 808 good, 0 bad
::   RESULT: PASS

Comment 15 errata-xmlrpc 2019-08-06 12:35:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2041

