crontab error: “You (user) are not allowed to access to (crontab) because of pam configuration.”

Issue

The crontab -l command fails with the following error:

# crontab -l
You (user) are not allowed to access to (crontab) because of pam configuration.

The cron log file /var/log/cron shows entries like these:

Sep 19 11:01:01 geeklab crond[125479]: (user) PAM ERROR (Permission denied)
Sep 19 11:01:01 geeklab crond[125479]: (user) FAILED to authorize user with PAM (Permission denied)
Sep 19 11:01:26 geeklab crontab[125631]: (user) PAM ERROR (Permission denied)

The log file /var/log/secure shows errors like these:

Sep 19 11:01:26 geeklab crontab: pam_access(crond:account): access denied for user `root' from `cron'
Sep 19 11:01:26 geeklab crontab: pam_unix(crond:account): expired password for user root (password aged)

Solution

There could be 2 reasons for this error:
1. The user's password has expired.
2. The user is not allowed access to cron in the /etc/security/access.conf file.

Check for expired user password

1. First of all, check the password expiry for the user using the chage command.

# chage -l user
Last password change                                    : Jul 19, 2017
Password expires                                        : Sep 02, 2017        ### password has expired
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 45
Number of days of warning before password expires       : 7

The output above shows that the password expired on September 2nd, 2017. The crontab command fails when it is run as a user whose password has expired, because PAM does not allow cron jobs to run as a user with an expired password.

2. If the password has expired, a new password must be set for the user before the user can run cron jobs. To set a password for the user, run the following command as root:

# passwd user

3. You can also set the password to never expire for that particular user if it is allowed in your environment.

Allow user to access cron resource in /etc/security/access.conf file

1. Another cause could be that the user is not allowed to use the cron resources in the /etc/security/access.conf file. In that case, allow the user cron access by adding the line below to /etc/security/access.conf. Usually this line is commented out with a # by default.

# vi /etc/security/access.conf
# User "root" should be allowed to get access via cron .. tty5 tty6.
+ : user : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6

2. Also check for any entry that denies the user access to cron. In that case, you must remove that entry from /etc/security/access.conf. An example entry that denies cron access to the user is shown below:

# vi /etc/security/access.conf
# Deny all other users access by any means.
-: ALL : ALL

or

# vi /etc/security/access.conf
# deny user "user" access to cron
- : user : cron crond :0
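
To find which access.conf entry is actually deciding cron access for a user, the following added example (not part of the original article) applies the file's first-match rule to constructed sample content. The function names are hypothetical, and it assumes only plain user names, origin tokens, ALL and EXCEPT; groups, netgroups, LOCAL and network addresses are not modelled.

```python
# Added example: simplified first-match evaluation of access.conf rules.
# Assumption: only user names, origin tokens, ALL and EXCEPT are handled.

def _matches(field, value):
    """True if value is in the token list, honouring ALL and one EXCEPT clause."""
    tokens = field.split()
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        include, exclude = tokens[:cut], tokens[cut + 1:]
    else:
        include, exclude = tokens, []

    def hit(toks):
        return any(t in ("ALL", value) for t in toks)

    return hit(include) and not hit(exclude)


def cron_verdict(conf_text, user, origin="cron"):
    """Return (verdict, line_number, rule) for the first rule that matches."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out rules are ignored
        # Split on the first two colons only, so ":0" stays in the origins field.
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            continue
        perm, users, origins = parts
        if _matches(users, user) and _matches(origins, origin):
            return ("allow" if perm == "+" else "deny", lineno, line)
    return ("allow", None, None)  # no rule matched: access is granted


# Constructed sample files (not taken from a real system).
DENY_FIRST = """\
# Deny all other users access by any means.
-: ALL : ALL
+ : user : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
"""
ALLOW_FIRST = """\
+ : user : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
-: ALL : ALL
"""

if __name__ == "__main__":
    for name, conf in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name, cron_verdict(conf, "user"))
```

The returned line number points at the entry to review. With the same two rules, the order alone changes the result for the user.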

Verify

After applying any one of the solutions explained above, run crontab -l or crontab -e as the user to verify cron access.
