[OpenAFS] Cron jobs without service keytab
Jeffrey Hutzelman
jhutz@cmu.edu
Mon, 12 Apr 2004 14:22:31 -0400

On Saturday, April 10, 2004 16:35:58 -0700 Matthew Andrews
<matt@slackers.net> wrote:
> Hmmm, what system type is this on?
>
> crond on my system (fedora) doesn't seem to be linked against any pam libs:

IIRC, older redhat did that, but current ones certainly don't.
In any event, if the problem is that cron is invoking some pam session
module that you don't want it to, you can change the pam configuration for
cron. The model is that applications don't get to control what modules get
invoked and in what order; that's controlled by config files (/etc/pam.d/*,
or perhaps a single file on older systems).

> If the pag is really being lost likely either cron does a setgroups
> somewhere, and explicitly obliterates the pag group memberships (I've seen
> this before, but I can't remember what program did it)

This shouldn't be able to happen; the kernel module traps setgroups and
ensures that pag information is preserved. There's no problem unless you
set a really large set of groups, and even then I think it's the groups
that lose, and not the pag.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
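
An added example, not part of the original message: one way to see which session modules a service such as cron will invoke, and in what order, is to resolve its /etc/pam.d file including any `include`, `substack` and `@include` lines. It assumes Linux-PAM's /etc/pam.d syntax; the sample files are constructed and `pam_example_token.so` is a placeholder module name.

```python
import os
import re

# Constructed sample files (not from the thread). pam_example_token.so is a
# placeholder module name standing in for a session module cron should skip.
SAMPLE = {
    "crond": (
        "#%PAM-1.0\n"
        "auth       required   pam_env.so\n"
        "session    required   pam_loginuid.so\n"
        "session    include    system-auth\n"
    ),
    "system-auth": (
        "auth       required   pam_unix.so\n"
        "-session   optional   pam_example_token.so\n"
        "session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet\n"
        "session    required   pam_unix.so\n"
    ),
}

def read_pamd(service):  # default reader: /etc/pam.d/<service>
    with open(os.path.join("/etc/pam.d", service)) as fh:
        return fh.read()

def session_stack(service, read=read_pamd, _seen=()):
    """Return [(control, module, source_file)] for 'session' in invocation order."""
    if service in _seen:                      # guard against include loops
        return []
    out = []
    for line in read(service).replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):       # Debian-style whole-file include
            out += session_stack(line.split()[1], read, _seen + (service,))
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m or m.group(1).lower() != "session":
            continue
        control, module = m.group(2), m.group(3)
        if control in ("include", "substack"):
            out += session_stack(module, read, _seen + (service,))
        else:
            out.append((control, module, service))
    return out

if __name__ == "__main__":
    for control, module, src in session_stack("crond", SAMPLE.__getitem__):
        print(f"{src:12} {control:28} {module}")
```

Calling `session_stack("crond")` with no reader resolves the files on the local system, which shows whether an unwanted session module reaches cron directly or through a shared include.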