[OpenAFS] pam and cron
Shouri Chatterjee
shouri@ee.iitd.ac.in
Mon, 19 Aug 2013 11:29:04 +0530 (IST)
Hi,
I have observed a strange problem:
When trying to run a cron job for root (not an AFS login), it just does
not run. Through /etc/cron.hourly (the system crontab) things used to run,
till I made a private crontab for root - and now even the system crontab
jobs fail to run.
Here is what I see in /var/log/auth.log:
Aug 19 11:17:01 bessel CRON[3728]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
Aug 19 11:17:01 bessel CRON[3728]: pam_krb5(cron:account): skipping non-Kerberos login
Aug 19 11:17:01 bessel CRON[3728]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
This is what /var/log/auth.log used to look like before I setup the
private crontab for root for the first time:
Aug 19 08:17:01 bessel CRON[32410]: pam_krb5(cron:account): pam_sm_acct_mgmt: entry (silent)
Aug 19 08:17:01 bessel CRON[32410]: pam_krb5(cron:account): skipping non-Kerberos login
Aug 19 08:17:01 bessel CRON[32410]: pam_krb5(cron:account): pam_sm_acct_mgmt: exit (ignore)
Aug 19 08:17:01 bessel CRON[32410]: pam_unix(cron:session): session opened for user root by (uid=0)
Aug 19 08:17:01 bessel CRON[32410]: pam_unix(cron:session): session closed for user root
The /etc/cron.hourly/* files where supposed to run at the 17th minute by
the hour.
In fact, this is the only log - nothing at all gets logged in any of the
others (syslog etc).
Our openafs is configured with pam; these are the contents of all the
(relevant?) pam files:
#
# /etc/pam.d/common-account - authorization settings common to all
services
account sufficient pam_krb5.so debug minimum_uid=10000
account sufficient pam_unix.so debug
account required pam_permit.so
#
# /etc/pam.d/common-auth - authentication settings common to all services
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_krb5.so use_first_pass minimum_uid=10000
auth optional pam_afs_session.so program=/usr/bin/aklog
auth required pam_deny.so
#
# /etc/pam.d/common-password - password-related modules common to all
services
password sufficient pam_unix.so nullok obscure min=4 max=8 md5
debug
password sufficient pam_krb5.so debug try_first_pass
minimum_uid=10000
password required pam_deny.so
#
# /etc/pam.d/common-session - session-related modules common to all
services
session required pam_limits.so
session optional pam_krb5.so minimum_uid=10000
session optional pam_unix.so
session optional pam_afs_session.so program=/usr/bin/aklog
#
# /etc/pam.d/common-session-noninteractive - session-related modules
# common to all non-interactive services
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_afs_session.so
@include common-auth
session required pam_env.so
session required pam_env.so envfile=/etc/default/locale
@include common-account
@include common-session-noninteractive
session required pam_limits.so
@include common-auth
@include common-account
@include common-session
# /etc/pam.d/cron
# The PAM configuration file for the cron daemon
@include common-auth
session required pam_env.so
session required pam_env.so envfile=/etc/default/locale
@include common-account
@include common-session-noninteractive
session required pam_limits.so
Is there something I am overlooking?
Thanks,
Shouri
____________
Shouri Chatterjee
Associate Professor
Department of Electrical Engineering
IIT Delhi, Hauz Khas
New Delhi 110016
India
Phone: +91 11 2659 1099 (O)
+91 11 2659 1619 (R)