[pam_access.so] How to ignore account expiration error(s)

ANIL KARADAĞ anil.karadag at gmail.com
Thu Dec 29 14:29:20 UTC 2011


Hi Jon,


I updated my crond file content according to your reply, but the result does
not change.

===========  /etc/pam.d/crond  ================
#
# The PAM configuration file for the cron daemon
#
#
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth

account    sufficient pam_rootok.so
#account    required   pam_access.so
#account    include   system-auth
account    required   pam_unix.so
account    required   pam_tally.so

session    required   pam_loginuid.so
session    include    system-auth

===================================



On Thu, Dec 29, 2011 at 2:39 PM, Jon Miller <jonebird at gmail.com> wrote:

> What I do in these situations is manually do the "include" for
> system-auth and then remove the unnecessary lines.
> That is, keep your first two lines, then replace the third line with
> the "account" entries of system-auth. At that point you have an
> identical setup but you can now try commenting out the pam_access
> account line without needing to affect any other pam files which may
> also include system-auth.
>
> -- Jon Miller
>
> On Thu, Dec 29, 2011 at 3:18 AM, ANIL KARADAĞ <anil.karadag at gmail.com>
> wrote:
> > Hi Ben,
> >
> > /etc/pam.d/crond includes the following lines;
> >
> > account    sufficient  pam_rootok.so
> > account    required   pam_access.so
> > account    include    system-auth
> >
> > crond with the above lines exits with an account expiration error if the
> > root password is expired.
> >
> > If crond uses "account    sufficient   pam_access.so" instead of "account
> >  required   pam_access.so", root's jobs can be run.
> >
> > Does the "sufficient" flag cause an access problem?
> >
> >
> >
> > On Wed, Dec 28, 2011 at 7:12 PM, ben <ben at appliedplastic.com> wrote:
> >>
> >> On 12/28/2011 5:39 AM, Jon Miller wrote:
> >> > Sorry but I do not have a direct answer to your question, however it
> >> > is my opinion that the use of pam_access doesn't make much sense for
> >> > /etc/pam.d/crond. Cronjobs are for users which already have access
> >> > whereas pam_access would be controlling who gained access in the first
> >> > place. My suggestion is to completely remove that line from crond.
> >> >
> >> > -- Jon Miller
> >>
> >> I suspect that pam_access is used to deny expired users. You might look
> >> at adding a root ok module first.
> >>
> >> --
> >> Ben Hildred
> >> Estimator
> >> Applied Plastic Coatings, Inc.
> >> 5000 Tabor St.
> >> Wheat Ridge, CO 80033
> >> 303 424 9200
> >> F: 303 424 8800
> >> ben at appliedplastic.com
> >> http://appliedplastic.com
> >>
> >> _______________________________________________
> >> Pam-list mailing list
> >> Pam-list at redhat.com
> >> https://www.redhat.com/mailman/listinfo/pam-list
> >
> >
> >
> >
> > --
> > Anıl KARADAĞ
> > http://anilkaradag.info/blog
> >
>
>



-- 
Anıl KARADAĞ
http://anilkaradag.info/blog
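
The account-stack behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified Python model of the PAM control flags, run over the three crond stacks quoted above. The module outcomes are constructed assumptions, and pam_unix.so stands in for the account lines of system-auth.

```python
# Added example: simplified model of how Linux-PAM evaluates one stack.
# Return codes are collapsed to "ok" / "fail" / "ignore"; "include" lines
# are assumed to be expanded inline, as suggested in the thread.

def run_stack(stack, results):
    """stack: [(control, module)], results: {module: outcome}.
    Returns (verdict, modules_called)."""
    called, required_failed, any_ok = [], False, False
    for control, module in stack:
        called.append(module)
        outcome = results[module]
        if outcome == "ignore":
            continue
        if outcome == "ok":
            any_ok = True
            # A successful "sufficient" ends the stack at once unless an
            # earlier "required" module has already failed.
            if control == "sufficient" and not required_failed:
                return "permit", called
        elif control == "requisite":
            return "deny", called          # fail immediately
        elif control == "required":
            required_failed = True         # fail, but keep calling modules
        # failures of "sufficient" and "optional" modules are ignored
    return ("permit" if any_ok and not required_failed else "deny"), called

# Constructed outcomes (assumptions, not taken from logs): pam_rootok does not
# succeed in the account phase, pam_access admits root, pam_unix reports the
# expired root password as an error, pam_tally succeeds.
RESULTS = {"pam_rootok.so": "fail", "pam_access.so": "ok",
           "pam_unix.so": "fail", "pam_tally.so": "ok"}

# pam_unix.so stands in for the account lines of system-auth (assumption).
ORIGINAL = [("sufficient", "pam_rootok.so"), ("required", "pam_access.so"),
            ("required", "pam_unix.so")]
ACCESS_SUFFICIENT = [("sufficient", "pam_rootok.so"),
                     ("sufficient", "pam_access.so"),
                     ("required", "pam_unix.so")]
UPDATED = [("sufficient", "pam_rootok.so"), ("required", "pam_unix.so"),
           ("required", "pam_tally.so")]

if __name__ == "__main__":
    for name, stack in [("original", ORIGINAL),
                        ("pam_access sufficient", ACCESS_SUFFICIENT),
                        ("updated", UPDATED)]:
        print(name, run_stack(stack, RESULTS))
```

In this model the "sufficient pam_access.so" variant permits the job only because pam_unix.so is never called, so the expiry check is skipped for every account pam_access admits, not only root.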