[CentOS] cron breaking when enabling ldap

Tue Sep 14 15:42:35 UTC 2010
Gerrard Geldenhuis <Gerrard.Geldenhuis at betfair.com>

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Gerrard Geldenhuis
> Sent: 14 September 2010 16:28
> To: centos at centos.org
> Subject: [CentOS] cron breaking when enabling ldap
> 
> Hi
> When I enable a box to do authentication using LDAP it breaks cron for
> users like jboss.
> 
> I get the following in /var/log/secure
> Sep 14 15:25:01 exoipatest01 crond[7214]: pam_access(crond:account):
> access denied for user `jboss' from `cron'
> 
> I have the following in /etc/ldap.conf
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd,j
> boss
> 
> /etc/pam.d/crond
> auth       sufficient pam_env.so
> auth       required   pam_rootok.so
> auth       include    system-auth
> account    required   pam_access.so
> account    include    system-auth
> session    required   pam_loginuid.so
> session    include    system-auth
> 
> /etc/pam.d/system-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_access.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so type= retry=3 difok=3
> minlen=8 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=0
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so debug service
> in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> 
> I have added
> + : jboss : cron
> 
> to /etc/security/access.conf which fixes the problem. However I am not
> sure that it is the "correct" fix.
> 
> I would have thought that the string in /etc/ldap.conf
> nss_initgroups_ignoreusers would prevent this error unless I am
> confused about the pam ordering and sequence of how authentication
> happens.
> 
> The cron job executes fine without LDAP enabled.
> 
> Can anyone shed any more light on this error and a possible fix? I am
> using CentOS 5.5 fully updated.
> 
> Best Regards
> 

I have been stupid about this, I realized that I add a - : ALL : ALL when I enable ldap which is not on a box without ldap. Adding this on a box without ldap creates the same error. My fix is thus the correct fix.

Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________