[CentOS] cron breaking when enabling ldap

Tue Sep 14 15:27:45 UTC 2010
Gerrard Geldenhuis <Gerrard.Geldenhuis at betfair.com>

Hi
When I enable a box to do authentication using LDAP it breaks cron for users like jboss. 

I get the following in /var/log/secure
Sep 14 15:25:01 exoipatest01 crond[7214]: pam_access(crond:account): access denied for user `jboss' from `cron'

I have the following in /etc/ldap.conf
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd,jboss

/etc/pam.d/crond 
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so type= retry=3 difok=3 minlen=8 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=0
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so debug service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

I have added 
+ : jboss : cron

to /etc/security/access.conf which fixes the problem. However I am not sure that it is the "correct" fix. 

I would have thought that the string in /etc/ldap.conf 
nss_initgroups_ignoreusers would prevent this error unless I am confused about the pam ordering and sequence of how authentication happens. 

The cron job executes fine without LDAP enabled.

Can anyone shed any more light on this error and a possible fix? I am using CentOS 5.5 fully updated.

Best Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________