SCIENTIFIC-LINUX-USERS Archives

March 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: "C. Ray Ng" <[log in to unmask]>
Reply To: C. Ray Ng
Date: Mon, 27 Mar 2006 11:36:06 -0500

Troy Dawson wrote:

> Anyway, because of that, I believe you have to look at your
>   /etc/pam.d/system-auth

Thanks Troy for pointing this out and suggesting a way out
by removing this line in /etc/pam.d/system-auth:

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5afs.so

since the new crond is now passing through the pam stack.
Indeed, that does fix the crond's permission problem.

The line is inserted by authconfig when kerberos is enabled, and Troy
also pointed out that Fermilab uses an onsite version of authconfig
which does not do that.
They are in:
ftp://linux.fnal.gov/linux/scientific/305/i386/sites/Fermi/Updates/authconfig-4.3.7-1f2.i386.rpm
ftp://linux.fnal.gov/linux/scientific/305/i386/sites/Fermi/Updates/authconfig-gtk-4.3.7-1f2.i386.rpm

I was puzzled by the same pam_krb5afs.so line in SL4, which doesn't seem
to hurt, but now under a more careful look, it was preceded with
"pam_succeed_if.so", like:

account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so

Too bad that pam module wasn't in pam-0.75 on SL3.

-ray
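
An added example, not part of the original message and not code from authconfig or PAM: a Python check that reads a pam.d file and reports any pam_krb5* account rule whose default action is "bad" and which has no earlier "sufficient pam_succeed_if.so" account rule ahead of it, which is the difference between the two stacks quoted above. The function names and the pam_unix.so lines in the sample stacks are assumptions made for the illustration.

```python
import re

# Constructed samples modelled on the two account stacks quoted in the message.
# The pam_unix.so lines are filler added for the example.
SL3_STYLE = """\
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5afs.so
"""
SL4_STYLE = """\
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
"""

# pam.d rule: type, control (keyword or [value=action ...]), module path, args
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Yield (type, control, module basename, args) for each rule."""
    text = text.replace("\\\n", " ")          # join continuation lines
    for raw in text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:
            typ, control, path, args = m.groups()
            yield typ.lower(), control, path.rsplit("/", 1)[-1], args.strip()

def actions(control):
    """Map a bracketed control to {return_value: action}; keywords give {}."""
    if not control.startswith("["):
        return {}
    return dict(pair.split("=", 1) for pair in control[1:-1].split())

def unguarded_krb5_account_rules(text):
    """Return (module, control) for pam_krb5* account rules with default=bad
    that no earlier 'sufficient pam_succeed_if.so' rule can short-circuit."""
    guarded, findings = False, []
    for typ, control, module, _args in parse(text):
        if typ != "account":
            continue
        if module == "pam_succeed_if.so" and control == "sufficient":
            guarded = True
        elif module.startswith("pam_krb5") and actions(control).get("default") == "bad":
            if not guarded:
                findings.append((module, control))
    return findings

if __name__ == "__main__":
    for name, stack in (("SL3-style", SL3_STYLE), ("SL4-style", SL4_STYLE)):
        print(name, unguarded_krb5_account_rules(stack))
```

To check a live host, pass the contents of /etc/pam.d/system-auth to unguarded_krb5_account_rules(); an empty list means no unguarded rule was found.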
