[CentOS] FYI: C 7, broken cron, sort of SOLVED
mark
m.roth at 5-cent.usWed Apr 17 17:55:24 UTC 2019
- Previous message: [CentOS] A strange situation with MegaCli64 and smartctl
- Next message: [CentOS] CentOS-announce Digest, Vol 170, Issue 4
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I was fighting this a few weeks ago, and asking here. I *finally* solved it yesterday... and the answer isn't pleasant. Running the command authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --updateall breaks crond, as per bugzilla # Bug 1650314. The way that it breaks it is to insert into /etc/pam.d/password-auth-ac two lines reading auth required pam_deny.so one as the third line in the auth stanza, so: auth required pam_env.so auth required pam_faildelay.so delay=2000000 auth required pam_deny.so auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet auth [default=1 ignore=ignore success=ok] pam_localuser.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success <...> and the other where it belongs, as the last auth line. This is clearly a bug in the code, as pam_deny.so should ONLY be the *last* line in the auth stanza. We've replicated this on an RHEL workstation, and then put a ticket in. The... odd reply (so far) was that they weren't going to fix it in the 7.7 errata, and to use authselect in 8.0 (which is only a beta release). We're going to escalate this. In the meantime, if anyone has run into this, delete that auth required pam_deny.so that's in the middle of the auth stanza in /etc/pam.d/password-auth-ac, it should *only* be at the end of the auth stanza, and everything will work correctly. mark
- Previous message: [CentOS] A strange situation with MegaCli64 and smartctl
- Next message: [CentOS] CentOS-announce Digest, Vol 170, Issue 4
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the CentOS mailing list