Crontab: User not allowed to access to (crontab) because of pam configuration

Cron is a Linux daemon that executes scheduled commands. Cron looks in the /var/spool/cron directory for crontab files, which are named after user accounts in the /etc/passwd file, and loads the crontabs it finds into memory. Cron also reads the /etc/crontab file and the files in the /etc/cron.d directory. On Red Hat systems, crond supports access control with PAM (Pluggable Authentication Modules). A PAM configuration file for crond is installed in /etc/pam.d/crond. Crond loads the PAM environment from the pam_env module, but these settings can be overridden by settings in the crontab file.

Today my system user account threw the error below while listing the crontab:

[root@server01 ~]# crontab -l -u sumitgoel

User account has expired
You (sumitgoel) are not allowed to access to (crontab) because of pam configuration.
[root@server01 ~]# su - sumitgoel
sumitgoel@server01 ~ $ crontab -l

User account has expired
You (sumitgoel) are not allowed to access to (crontab) because of pam configuration.
sumitgoel@server01 ~ $

So the first thing to check here is the user account's password expiry information, and chage is a nice command for showing the account aging information:

# chage -l <username>

Most likely the user account password has expired, and we just need to reset the password of the user account to fix the issue. If this is a service account whose password is used in countless places, so that you cannot change it on the fly, then simply disable password expiration for the account:

# chage -I -1 -m 0 -M 99999 -E -1 <username>

You should be all good now, but there are several other things to check if you still have this issue:

  • Make sure crond is running, using the command: /etc/init.d/crond status
  • Check the /var/log/cron and /var/log/messages files for any errors.
  • Make sure the user is not listed in the /etc/cron.deny file.
  • If the /etc/cron.allow file exists, then the username must be listed in it to allow the use of cron jobs.
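
The aging fields that chage -l reports, and that the chage -I -1 -m 0 -M 99999 -E -1 command resets, can be modelled directly from one /etc/shadow line. The script below is an added example, not part of the original post; the function names, sample entries and day numbers are constructed, and its boundary-day handling is a simplifying assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Models the shadow(5) aging
# fields that `chage -l` reports, for one /etc/shadow line:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved  (days since 1970-01-01)
# Assumption of this sketch: a limit counts as passed only after the boundary day.

# aging_state SHADOW_LINE TODAY_DAYS -> prints ok | password-change-required |
#   password-expired | password-inactive | account-expired
aging_state() {
    IFS=: read -r _name _hash lastchg _min max _warn inactive expire _rest <<EOF
$1
EOF
    today=$2
    # -E field: absolute account expiry date
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return
    fi
    # lastchg of 0 forces a password change at next login
    if [ "$lastchg" = 0 ]; then echo password-change-required; return; fi
    # no last-change date or no maximum age (-M): the password never ages
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -lt 0 ]; then echo ok; return; fi
    age=$((today - lastchg))
    if [ "$age" -le "$max" ]; then echo ok; return; fi
    # past the maximum age: the -I grace period decides how far gone it is
    if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ "$age" -gt $((max + inactive)) ]; then
        echo password-inactive; return
    fi
    echo password-expired
}

# no_expiry SHADOW_LINE -> the line as `chage -I -1 -m 0 -M 99999 -E -1` leaves it:
# min=0, max=99999, inactive and expire cleared; other fields untouched
no_expiry() {
    printf '%s\n' "$1" | awk -F: 'BEGIN { OFS = ":" } { $4 = 0; $5 = 99999; $7 = ""; $8 = ""; print }'
}

# Constructed sample entries (hash replaced by a placeholder); "today" is day 19000
TODAY=19000
SVC_STALE='svc_backup:HASH:18800:0:90:7:14::'     # changed 200 days ago, max 90 + 14 grace
SVC_ENDED='svc_report:HASH:18990:0:90:7::18950:'  # account expiry date already passed

for entry in "$SVC_STALE" "$SVC_ENDED"; do
    printf '%s: %s -> after chage: %s\n' "${entry%%:*}" \
        "$(aging_state "$entry" "$TODAY")" "$(aging_state "$(no_expiry "$entry")" "$TODAY")"
done
```

On a real host the same line comes from `getent shadow <username>` run as root, and today's day number is `$(( $(date +%s) / 86400 ))`.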

This post appeared on the softlexicon.com by Sumit Goel. Copyright © 2012–2013 – softlexicon.com and Sumit Goel. All rights reserved. Not to be reproduced for commercial purposes without written permission.

11 comments:

  1. Replies
    1. Thank you. Worked great. Very nice. Have a great day.

  2. On a CentOS 6.x system I was tweaking the /etc/security/access.conf file, and this required that I also load the pam_access.so module by declaring it in /etc/pam.sshd.

    Doing this caused crond to stop working... (the message of this post).

    The solution was to uncomment the following line (in /etc/security/access.conf):
    + : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6

    This will allow the root user to use its crontab file.

    See http://spectlog.com/content/Login_access_control_using_/etc/security/access.conf_and_PAM_access_module

    Replies
    1. Yes, this solution worked for me.... gr8 and thanks!!!!

  3. This comment has been removed by the author.

  4. I get the same error when trying to edit/view a user's cron entry.
    Error: You (xyz_user) are not allowed to access to (crontab) because of pam configuration.
    I then tried changing the file permissions of /etc/cron.allow /etc/cron.allow to 644 and also changed the owner of the crontab file for that user to xyz_user. Even that didn't fix the issue.

    Please help me on this....

    Is it something related to - https://access.redhat.com/site/solutions/267953 ?

    Replies
    1. Hi Waheedz,

      Please check the user password expiry information using the "chage" command as listed in the article. Also, the above Red Hat article can be valid if,

      1. All users are unable to run their private cron jobs (created by crontab -e).
      2. When a cronjob tries to run, it fails with the following errors in /var/log/messages:

      crond[xxxxx]: Permission denied
      crond[xxxxx]: CRON (username) ERROR: failed to open PAM security session: Bad file descriptor
      crond[xxxxx]: CRON (username) ERROR: cannot set security context
      crond[xxxxx]: pam_access(crond:account): access denied for user `username' from `cron'

      Please let me know if that helps.

    2. I did check for all the solutions after reading this post, but that didn't help me solve the issue.

      This issue is for every user trying to edit his/her crontab. Anyways, one of the senior members of my team fixed the issue. I'll check with him how he solved it...

      will share with you the info....insha allah

      thanks :)

    3. sure..will check the logs for any errors...

