[OpenAFS] Cron jobs without service keytab

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 12 Apr 2004 14:22:31 -0400


On Saturday, April 10, 2004 16:35:58 -0700 Matthew Andrews 
<matt@slackers.net> wrote:

> Hmmm, what system type is this on?
>
> crond on my system (Fedora) doesn't seem to be linked against any pam libs:

IIRC, older Red Hat did that, but current ones certainly don't.
In any event, if the problem is that cron is invoking some pam session 
module that you don't want it to, you can change the pam configuration for 
cron.  The model is that applications don't get to control what modules get 
invoked and in what order; that's controlled by config files (/etc/pam.d/*, 
or perhaps a single file on older systems).



> If the pag is really being lost, likely either cron does a setgroups
> somewhere, and explicitly obliterates the pag group memberships (I've seen
> this before, but I can't remember what program did it)

This shouldn't be able to happen; the kernel module traps setgroups and 
ensures that pag information is preserved.  There's no problem unless you 
set a really large set of groups, and even then I think it's the groups 
that lose, and not the pag.


-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
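
Added example, not part of the original message: a small Python helper that lists, in order, the session modules a PAM service file causes to run, following `include`/`substack` and Debian-style `@include` lines, which is the check to make before editing the PAM configuration for cron. The service name `crond`, the sample file contents and the module `pam_example_token.so` are constructed placeholders.

```python
import os
import tempfile

def session_modules(service, pam_dir="/etc/pam.d", _stack=()):
    """Ordered (module, args) pairs PAM runs in the session phase of `service`."""
    if service in _stack:                      # guard against include loops
        return []
    try:
        with open(os.path.join(pam_dir, service)) as fh:
            text = fh.read().replace("\\\n", " ")   # join continued lines
    except OSError:
        return []
    found = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()       # drop comments
        if len(fields) >= 2 and fields[0] == "@include":
            found += session_modules(fields[1], pam_dir, _stack + (service,))
            continue
        # A leading '-' on the type only silences "module missing" logging.
        if len(fields) < 3 or fields[0].lstrip("-") != "session":
            continue
        idx = 1
        if fields[1].startswith("["):               # [success=1 default=ignore]
            while idx < len(fields) - 1 and not fields[idx].endswith("]"):
                idx += 1
        target = fields[idx + 1:]
        if not target:
            continue
        if fields[1] in ("include", "substack"):
            found += session_modules(target[0], pam_dir, _stack + (service,))
        else:
            found.append((os.path.basename(target[0]), target[1:]))
    return found

def demo():
    # Constructed sample configs, not taken from any real system.
    files = {
        "crond": "auth required pam_unix.so\n"
                 "session required pam_loginuid.so\n"
                 "session include system-auth\n",
        "system-auth": "session optional pam_example_token.so debug  # hypothetical\n"
                       "session [success=1 default=ignore] pam_succeed_if.so service in crond quiet\n"
                       "session required pam_unix.so\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        return session_modules("crond", d)
```

On a real host, call `session_modules("crond")` (or whatever name the cron service file has there) to see which session modules would be invoked before changing anything.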