Your account are not allowed to access to crontab because of pam configuration.

In today guide a simple solution for above topic by extending the age of an account or by reset the password to resolve the error account are not allowed to access to crontab because of pam configuration.

In production environment the “service accounts” will be configured with no password expiry. For your understanding here service account means some account used for applications and database. In my case one of database server’s “oracle” user account password expired, but it suppose to be no expiry. Let’s go through few troubleshooting steps according to above titled error.

While someone tries to create a cron job for a password expired account this restricted error message will be thrown. Moreover, the system implemented with pam configuration we will get this error while password expired for any users.

CronJob

Troubleshooting CronJob

First let us print the secure log and go through it, you will find the below error why we are not allowed to create a cron job.

# tail -f /var/log/secure

Secure log output:

Mar 26 17:20:47 linuxsysadmins.local crontab: pam_unix(crond:account): expired password for user "account_name" (password aged)

Hence, we are creating cronjob it’s good to peak into cron logs as well.

# tail -f /var/log/cron

Cron log output:

Mar 26 17:21:14 linuxsysadmins.local crontab[5830]: (account_name) PAM ERROR (Authentication token is no longer valid; new one required

Check the account password ageing to confirm whether the password expired.

root:linuxsysadmins.local  ~ $ chage -l account_name
Last password change : Jan 29, 2019
Password expires : Mar 15, 2019
Password inactive : Apr 19, 2019
Account expires : never
Minimum number of days between password change : 3
Maximum number of days between password change : 45
Number of days of warning before password expires : 7
root:linuxsysadmins.local ~ $

Once we found password expired resetting password is not advisable for service accounts. Instead, try to set the password age to never expire for service accounts. Local accounts for normal user’s password can be reset using “passwd account_name”.

Solution:

Set the password to never expire for respective service account.

# chage -E -1 -I -1 -m 3 -M 99999 -W 7 account_name

Verify after setting the account ageing.

root:linuxsysadmins.local  ~ $ chage -l account_name
Last password change : Mar 26, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 3
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

This will resolve the titled error by allowing user to create cron job.

Additional Verification:

In some servers additional verification required where the hardening setup implemented in a standard way.

You need to enable the user to use cron in the login access control table file /etc/security/access.conf

Use the following entry which will allow the “account_name” user to run cron jobs

Allow the "account_name" user to run cron jobs

+: account_name : cron crond :0

Ensure it is above the last entry:
Deny all other users access by any means.

-: ALL : ALL

As this entry denies (-) access from all sources to all other users not previously mentioned in the file.

That’s it we have done with a simple guide.

Have a read on latest Red Hat Enterprise Linux 8 storage topics

Conclusion:

A simple password expiry will make lot of noise in any critical production environment. To be in a safe side without interrupted smooth ongoing production it’s good to set no password expiry for applications and DB accounts. Will back with more troubleshooting guides in future, subscribe to our newsletter and stay tuned.