[CentOS] FYI: C 7, broken cron, sort of SOLVED

Wed Apr 17 17:55:24 UTC 2019
mark <m.roth at 5-cent.us>

I was fighting this a few weeks ago, and asking here. I *finally* solved
it yesterday... and the answer isn't pleasant.

Running the command

authconfig --enablesssd --enablesssdauth --enablesmartcard \
    --smartcardmodule=sssd --smartcardaction=0 --updateall

breaks crond, as per Bugzilla bug 1650314. The way that it breaks it is
to insert into /etc/pam.d/password-auth-ac two lines reading

auth required pam_deny.so

one as the third line in the auth stanza, so:
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_deny.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
<...>
and the other where it belongs, as the last auth line.

This is clearly a bug in the code, as pam_deny.so should ONLY be the
*last* line in the auth stanza.

We've replicated this on an RHEL workstation, and then put a ticket in.
The... odd reply (so far) was that they weren't going to fix it in the 7.7
errata, and to use authselect in 8.0 (which is only a beta release). We're
going to escalate this.

In the meantime, if anyone has run into this, delete that
auth required pam_deny.so that's in the middle of the auth stanza in
/etc/pam.d/password-auth-ac; it should *only* be at the end of the auth
stanza, and everything will work correctly.

      mark
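
Added example, not part of mark's post and not authconfig's own code: a shell check for the condition described above, a required or requisite pam_deny.so auth line that is followed by further auth lines. The function names and the sample stack (built from the lines quoted in the post, with the elided lines left out and one account line added) are constructed for illustration.

```shell
#!/bin/sh
# Print the line number of every unconditional pam_deny.so entry in the
# auth stack that is NOT the last auth line. Reads the files given as
# arguments, or stdin when called without arguments.
find_early_pam_deny() {
    awk '
        # Skip blank lines and comments.
        NF == 0 || $1 ~ /^#/ { next }
        # pam.d lines may prefix the type with "-" (optional module).
        { type = $1; sub(/^-/, "", type) }
        type != "auth" { next }
        {
            # A remembered pam_deny line followed by another auth line
            # sits in the middle of the stack: report it.
            if (pending) print pending
            pending = 0
            # Only plain required/requisite entries are unconditional;
            # bracketed controls such as [default=1 ...] are not flagged.
            if (($2 == "required" || $2 == "requisite") &&
                $3 ~ /pam_deny\.so$/)
                pending = NR
        }
    ' "$@"
}

# Constructed sample: the auth lines quoted in the post, plus one
# account line so the stack has a non-auth entry after it.
sample_broken_stack() {
    cat <<'EOF'
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_deny.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

# Demo on the constructed sample: reports the stray entry on line 3,
# not the final pam_deny.so on line 8.
sample_broken_stack | find_early_pam_deny
```

On a host, run find_early_pam_deny /etc/pam.d/password-auth-ac; any line number printed is a pam_deny.so entry to review against the post's description.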