Tuesday, November 17, 2009

How to enable cron for a locked account in Linux?

In my environment, there are times when locked application/databases accounts need to run some cron jobs. In linux, by default, a locked account can not run the cron job until a specific setting is disabled in /etc/pam.d/crond file. Here is the detail:

# cat /etc/pam.d/crond
# The PAM configuration file for the cron daemon
auth sufficient pam_rootok.so
auth required pam_stack.so service=system-auth
auth required pam_env.so
account required pam_stack.so service=system-auth
# account required pam_access.so
session required pam_limits.so
session required pam_loginuid.so

This example is good for at least Redhat Linux 4U7. In the /etc/pam.d/crond file, I had to disable "account required pam_access.so" line and boom! The cron started working for the locked account as well.

No comments: