Troy Dawson wrote:
> Anyway, because of that, I believe you have to look at your
> /etc/pam.d/system-auth
Thanks Troy for pointing this out and suggested a way out
by removing this line in /etc/pam.d/system-auth:
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5afs.so
since the new crond is now passing through the pam stack.
Indeed, that does fix the crond's permission problem.
The line is inserted by authconfig when kerberos is enabled, and Troy
also pointed
out that Fermi lab use an onsite version of authconfig which does not do
that.
They are in:
ftp://linux.fnal.gov/linux/scientific/305/i386/sites/Fermi/Updates/authconfig-4.3.7-1f2.i386.rpmftp://linux.fnal.gov/linux/scientific/305/i386/sites/Fermi/Updates/authconfig-gtk-4.3.7-1f2.i386.rpm
I was puzzled by the same pam_krb5_afs.so line in SL4 which doesn't seem
to hurt,
but now under a more careful look, it was preceded with
"pam_succeed_if.so, like:
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_krb5afs.so
Too bad that pam module wasn't in pam-0.75 on SL3.
-ray