Red Hat Bugzilla – Bug 217512
PAM connection refused with vanilla kernel, cron jobs not executed
Last modified: 2007-11-30 17:11:50 EST
Description of problem:
I use freshly installed FC6 with vanilla kernel (I will attach the kernel
config), and on the server crond cannot run the cron jobs, with the following
messages in /var/log/cron:
Nov 26 04:03:01 server crond: Authentication service cannot retrieve
Nov 26 04:03:01 server crond: CRON (www) ERROR: failed to open PAM
security session: Connection refused
Nov 26 04:03:01 server crond: CRON (www) ERROR: cannot set security context
Version-Release number of selected component (if applicable):
vixie-cron-4.1-64.x86_64, but tested also FC5 one:
Steps to Reproduce:
1. install FC6 system with the attached kernel config
2. add a cron job to the system crontab for non-root user (www in my case)
3. wait for the cron job to be scheduled
Actual results:
The above messages in the system log, the job is not executed.
Expected results:
The job should be executed; vixie-cron should work even on vanilla kernels.
I have straced crond, and before printing the above messages to the system log,
it unsuccessfully tries to send some data over AF_NETLINK socket, getting
ECONNREFUSED. I can attach the strace output on request.
Rebuilding the vixie-cron RPM without PAM support (--define 'WITH_PAM 0')
"fixes" the problem.
I have looked into the default PAM configuration - it seems that in
/etc/pam.d/system-auth there is the following exception for crond, just before
the pam_unix.so is called:
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
Adding a similar exception above the pam_unix.so call also to the "account"
section fixes the problem. Temporarily commenting out the pam_unix.so call in
the "account" section also "fixes" the problem.
I do not fully understand the problem, but I think adding the above exception to
the "account" section of /etc/pam.d/system-auth should be the appropriate solution.
I have tested this under 220.127.116.11 and 2.6.19-rc5 (for which the config is attached).
I am giving this low priority because of the unsupported kernel configuration.
Created attachment 142278
2.6.19-rc5 kernel config
Could you send me the whole strace? Thanks.
Created attachment 142379
Strace of crond
Do you have this user (www) in /etc/shadow?
I don't have it (good spotting!). After adding it (using pwconv) it works.
However, it seems that other utilities (except crond) work even when the user is
not in shadow (su, for example). I don't think having the user in shadow is
required for things like crond.
It doesn't have to be in shadow but then its password part of the entry in
/etc/passwd must not be x or begin with ##.
su does work because when su-ing from root the account check is skipped.
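Added example (not part of the bug report or of vixie-cron): a POSIX shell check for the condition identified in the last comment, listing users whose /etc/passwd password field is x or begins with ## but who have no /etc/shadow entry. The function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts that defer to /etc/shadow but are missing
# from it, the state that made the "account" check fail for user www.

# find_unshadowed PASSWD_FILE SHADOW_FILE -> one user name per line
find_unshadowed() {
    passwd_file=$1
    shadow_file=$2
    # Without read access to shadow every user would look missing; refuse.
    [ -r "$passwd_file" ] && [ -r "$shadow_file" ] || return 2
    awk -F: '
        # First file (shadow): remember every user that has an entry.
        FILENAME == ARGV[1] { if ($1 != "") shadowed[$1] = 1; next }
        # Second file (passwd): skip blank, comment-like and NIS +/- lines.
        $1 == "" || $1 ~ /^[#+-]/ { next }
        # Password field "x" or "##..." requires a shadow entry.
        ($2 == "x" || $2 ~ /^##/) && !($1 in shadowed) { print $1 }
    ' "$shadow_file" "$passwd_file"
}

# Constructed sample data (not real accounts): "www" has "x" in passwd
# but no shadow entry, as in the report; "legacy" needs no shadow entry.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www:x:48:48:Web user:/var/www:/bin/bash
legacy:*:500:500:No shadow needed:/home/legacy:/bin/bash
old:##old:501:501:Needs shadow too:/home/old:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:!!:13478:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
find_unshadowed "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On a live system, run it as root as `find_unshadowed /etc/passwd /etc/shadow`; pwconv, as used above, creates the missing shadow entries.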