[RHEL] How to allow cron to run if user password is expired

환경

• Red Hat Enterprise Linux 5
• Red Hat Enterprise Linux 6

문제

• The cron job wasn't executed successfully, and got these messages:

Raw

Jul 10 00:31:01 hostname1 crond[2860]: CRON (xxx) ERROR: failed to open PAM security session: Success
Jul 10 00:31:01 hostname1 crond[2860]: CRON (xxx) ERROR: cannot set security context

• How to let the cron job continue to run?

• Cron stop after user password expired.

해결

• By default, the crond service will be failed to run if the user's password has expired.

• There are error message in the /var/log/cron file.

For example:

Raw

# tailf /var/log/cron
...
Jul 10 00:31:01 hostname1 crond[2860]: Authentication token is no longer valid; new one required
Jul 10 00:31:01 hostname1 crond[2860]: CRON (xxx) ERROR: failed to open PAM security session: Success
Jul 10 00:31:01 hostname1 crond[2860]: CRON (xxx) ERROR: cannot set security context

• Actually, the pam_unix.so refuses the crond service to continue to run when the user's password has expired.

• To run cron job all time, modify the /etc/pam.d/system-auth file in order to skip the pam_unix.so authentication.

• Modify the /etc/pam.d/system-auth account section like following:

Raw

account     required      pam_access.so
account  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

Note: In RHEL6, modify the /etc/pam.d/password-auth instead.

• Then the pam authentication for crond service will pass.