The Problem
The system's account is expired by policy, but cron jobs still need to run as that account.
Once the account expired, its cron jobs failed in PAM with the messages below:
Jul 10 00:31:01 geeklab crond[2860]: CRON (xxx) ERROR: failed to open PAM security session: Success
Jul 10 00:31:01 geeklab crond[2860]: CRON (xxx) ERROR: cannot set security context
The Solution
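Add the lines below at the top of the account section in /etc/pam.d/system-auth (on CentOS/RHEL 7, use the file password-auth). The pam_succeed_if.so line must sit directly above pam_unix.so: when the calling service is crond, success=1 skips the next account module, so pam_unix.so does not apply its expiry check to cron jobs, while every other service still goes through it.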
account required pam_access.so
account [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
For example:
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_access.so
account [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
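
Because success=1 jumps over exactly one rule, the exception is only as narrow as intended when pam_unix.so is the very next account line. The script below is an added example, not part of the original page: it lists which account modules the crond exception skips so the ordering can be checked after editing. The function names are hypothetical, and it assumes one rule per line with no include or substack lines inside the jump range.

```shell
#!/bin/sh
# Added example: list the account modules that the crond exception jumps over.
# Assumes one rule per line and no "include"/"substack" inside the jump range.

crond_skipped_modules() {
    awk '
        $1 != "account" { next }      # account stack only; drops comments too
        {
            # The control field is one word ("required") or a bracketed list
            # such as "[success=1 default=ignore]" spanning several fields.
            i = 2; ctrl = $2
            while (ctrl ~ /^\[/ && ctrl !~ /\]$/ && i < NF) { i++; ctrl = ctrl " " $i }
            module = $(i + 1)
            args = ""
            for (j = i + 2; j <= NF; j++) args = args " " $j

            if (skip > 0) { print module; skip--; next }   # this rule is jumped over
            if (module == "pam_succeed_if.so" && args ~ / service in crond( |$)/ &&
                match(ctrl, /success=[0-9]+/)) {
                skip = substr(ctrl, RSTART + 8, RLENGTH - 8) + 0
            }
        }
    ' "$1"
}

# Succeeds only when the exception skips pam_unix.so and nothing else.
crond_exception_ok() {
    [ "$(crond_skipped_modules "$1")" = "pam_unix.so" ]
}

# Constructed sample: the account stack from the example above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
account required pam_access.so
account [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
EOF
if crond_exception_ok "$sample"; then
    echo "crond exception skips only pam_unix.so"
else
    echo "crond exception skips: $(crond_skipped_modules "$sample")"
fi
rm -f "$sample"
```

If the output names any module other than pam_unix.so (for example pam_access.so), the exception line is in the wrong position and cron jobs are bypassing a different check than the one intended.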