CRON[83463]: 设置用户凭据失败

tag-icon tag-icon ldap cron pam
CRON[83463]: 设置用户凭据失败

我有多个 docker 容器,它们的设置基本相同,可以成功使用 cron 运行夜间备份作业。

我有另一个容器,设置基本相同,它尝试使用 cron 运行夜间备份作业,但失败了。

我安装了 rsyslog 来获取更多信息,当 cron 运行 root 的 crontab 时,我会在 syslog 文件中看到以下条目:

CRON[83463]: Failure setting user credentials

此容器与所有其他容器的一个区别是,它允许用户使用 LDAP 登录。它在 Dockerfile 中有以下额外行:

RUN echo '*;*;*;Al0000-2400;svn' >> /etc/security/group.conf
COPY pam_group /usr/share/pam-configs/groups
RUN echo "session required        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
RUN sed -i 's#\(.*pam_ldap.so.*\)#auth    required     pam_group.so\n\1#' /etc/pam.d/common-auth
RUN sed -i 's#^passwd:.*#passwd:  files ldap systemd#;s#^group:.*#group:   files ldap systemd#;s#^shadow:.*#shadow:  files ldap#' /etc/nsswitch.conf

pam_group文件如下所示:

Name: activate /etc/security/group.conf
Default: yes

Priority: 900
Auth-Type: Primary Auth:
        required                        pam_group.so

显然,设置 LDAP 并尝试确保所有用户都添加到svn组(这根本不起作用)时发生的一些事情破坏了 cron 的根用户会话。

我搜索了整个互联网,但没有找到这个特定的错误。我尝试了相关的解决方案,但没有任何效果。

更新:

pam.d/common-auth 看起来像:

auth    [success=2 default=ignore]  pam_unix.so nullok_secure
auth    required     pam_group.so
auth    [success=1 default=ignore]  pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional            pam_cap.so

pam.d/cron 看起来像:

@include common-auth

# Sets the loginuid process attribute
session    required     pam_loginuid.so

# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session       required   pam_env.so

# In addition, read system locale information
session       required   pam_env.so envfile=/etc/default/locale

@include common-account
@include common-session-noninteractive 

# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session    required   pam_limits.so

答案1

您的问题可能是 root 用户不在 LDAP 中;您需要以某种方式将其包括pam_unix.so在内/etc/pam.d/cron

例如:

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
@include common-auth

假设common-auth开始的事情是这样的:

auth    [success=1 default=ignore]      pam_ldap.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

相关内容