-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Gerrard Geldenhuis Sent: 14 September 2010 16:28 To: centos@centos.org Subject: [CentOS] cron breaking when enabling ldap
Hi When I enable a box to do authentication using LDAP it breaks cron for users like jboss.
I get the following in /var/log/secure Sep 14 15:25:01 exoipatest01 crond[7214]: pam_access(crond:account): access denied for user `jboss' from `cron'
I have the following in /etc/ldap.conf nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd,j boss
/etc/pam.d/crond auth sufficient pam_env.so auth required pam_rootok.so auth include system-auth account required pam_access.so account include system-auth session required pam_loginuid.so session include system-auth
/etc/pam.d/system-auth-ac #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so
account required pam_access.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so
password requisite pam_cracklib.so type= retry=3 difok=3 minlen=8 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=0 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so debug service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so
I have added
- : jboss : cron
to /etc/security/access.conf which fixes the problem. However I am not sure that it is the "correct" fix.
I would have thought that the string in /etc/ldap.conf nss_initgroups_ignoreusers would prevent this error unless I am confused about the pam ordering and sequence of how authentication happens.
The cron job executes fine without LDAP enabled.
Can anyone shed any more light on this error and a possible fix? I am using CentOS 5.5 fully updated.
Best Regards
I have been stupid about this, I realized that I add a - : ALL : ALL when I enable ldap which is not on a box without ldap. Adding this on a box without ldap creates the same error. My fix is thus the correct fix.
Regards
________________________________________________________________________ In order to protect our email recipients, Betfair Group use SkyScan from MessageLabs to scan all Incoming and Outgoing mail for viruses.
________________________________________________________________________