User are not allowed to access to (crontab) because of pam configuration – Solved

Issue
The crontab -l command fails with the following error:

# crontab -l
You (user) are not allowed to access to (crontab) because of pam configuration.

The cron log file /var/log/cron shows entries like these:

Apr 19 12:00:00 plusdigit crond[125479]: (user) PAM ERROR (Permission denied)
Apr 19 12:00:00 plusdigit crond[125479]: (user) FAILED to authorize user with PAM (Permission denied)
Apr 19 12:01:12 plusdigit crontab[125631]: (user) PAM ERROR (Permission denied)

The log file /var/log/secure shows errors like these:

Apr 19 12:01:00 plusdigit crontab: pam_access(crond:account): access denied for user `root' from `cron'
Apr 19 12:01:26 plusdigit crontab: pam_unix(crond:account): expired password for user root (password aged)

Solution

There are two possible reasons for this error:

  1. Expired password for the user
  2. The user is not allowed access to cron in the /etc/security/access.conf file.

Check for expired user password

  1. First of all, check the password expiry for the user with the chage command.
# chage -l user
Last password change                                    : Jan 01, 2020
Password expires                                        : Apr 01, 2020        ### password has expired
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7

From the output above we can see that the password expired on Apr 1st 2020. The crontab command fails if it is run as a user whose password has expired, because PAM will not allow cron jobs to run as a user with an expired password.

  2. If the password has expired, a new password must be set for the user before the user can run cron jobs. To set the password, run the following command as root:
# passwd user
  3. You can also set the password to never expire for that particular user, if that is allowed in your environment.

Allow user to access cron resource in /etc/security/access.conf file

  1. Another possible cause is that the user is not allowed to use cron in the /etc/security/access.conf file. In that case you can allow the user cron access by adding the line below to /etc/security/access.conf. Usually this line is commented out by default.
# vi /etc/security/access.conf
# User "root" should be allowed to get access via cron .. tty5 tty6.
+ : user : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6

  2. Also check for any entry that denies the user access to cron. If there is one, you must remove it from /etc/security/access.conf. Example entries that deny cron access to the user are shown below:

# vi /etc/security/access.conf
# Deny all other users access by any means.
-: ALL : ALL

or

# vi /etc/security/access.conf
# deny user "user" access to cron
- : user : cron crond :0
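
pam_access reads access.conf from the top and stops at the first rule that matches the user and origin, so the position of the allow line relative to a deny entry decides the result. The script below is an added example, not part of the original article, that reports which line decides for a given user. The function name cron_access_verdict and the sample rules are constructed for illustration, and only literal user names and ALL are evaluated.

```shell
#!/bin/sh
# Added example, not from the original article.
# cron_access_verdict USER FILE [ORIGIN]
# Walks an access.conf-style file top to bottom and prints the first rule
# matching USER for ORIGIN (default "cron", the origin in the pam_access log
# line) as "<allow|deny|review> <line-no> <rule>". Returns 0 only for allow.
# Simplification: only literal user names and ALL are evaluated; a rule using
# EXCEPT, group/netgroup syntax or LOCAL stops the walk with "review".
cron_access_verdict() {
    local user="$1" file="$2" origin="${3:-cron}"
    local n=0 perm users origins sign
    while IFS=: read -r perm users origins; do
        n=$((n + 1))
        sign=$(printf '%s' "$perm" | tr -d ' ')
        case "$sign" in
            +|-) ;;
            *) continue ;;              # comment, blank or malformed line
        esac
        case " $users $origins " in
            *" EXCEPT "*|*@*|*"("*|*" LOCAL "*)
                echo "review $n $perm:$users:$origins"; return 2 ;;
        esac
        case " $users " in
            *" ALL "*|*" $user "*) ;;
            *) continue ;;              # rule names other users
        esac
        case " $origins " in
            *" ALL "*|*" $origin "*) ;;
            *) continue ;;              # rule names other origins
        esac
        if [ "$sign" = + ]; then
            echo "allow $n $perm:$users:$origins"; return 0
        fi
        echo "deny $n $perm:$users:$origins"; return 1
    done <<EOF
$(tr '\t' ' ' < "$file")
EOF
    echo "allow 0 no matching rule, pam_access grants access by default"
}

# Constructed sample: a catch-all deny placed above the allow line wins.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '-: ALL : ALL' \
    '+ : user : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6' > "$sample"
cron_access_verdict user "$sample" || true   # prints: deny 2 -: ALL : ALL
rm -f "$sample"
```

To check a live system, call cron_access_verdict user /etc/security/access.conf as root and compare the reported line with the pam_access entry in /var/log/secure.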

Verify
After applying either of the solutions above, run crontab -l or crontab -e as the user to verify cron access.
