CentOS - Sep 2010 - cron breaking when enabling ldap

Hi
When I enable a box to do authentication using LDAP it breaks cron for users
like jboss.

I get the following in /var/log/secure
Sep 14 15:25:01 exoipatest01 crond[7214]: pam_access(crond:account): access
denied for user `jboss' from `cron'

I have the following in /etc/ldap.conf
nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd,jboss

/etc/pam.d/crond 
auth       sufficient pam_env.so
auth       required   pam_rootok.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth

/etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so type= retry=3 difok=3 minlen=8
dcredit=-1 ocredit=-1 ucredit=-1 lcredit=0
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so debug service in crond
quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

I have added 
+ : jboss : cron

to /etc/security/access.conf which fixes the problem. However I am not sure that
it is the "correct" fix.

I would have thought that the string in /etc/ldap.conf 
nss_initgroups_ignoreusers would prevent this error unless I am confused about
the pam ordering and sequence of how authentication happens.

The cron job executes fine without LDAP enabled.

Can anyone shed any more light on this error and a possible fix? I am using
CentOS 5.5 fully updated.

Best Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Gerrard Geldenhuis
> Sent: 14 September 2010 16:28
> To: centos at centos.org
> Subject: [CentOS] cron breaking when enabling ldap
> 
> Hi
> When I enable a box to do authentication using LDAP it breaks cron for
> users like jboss.
> 
> I get the following in /var/log/secure
> Sep 14 15:25:01 exoipatest01 crond[7214]: pam_access(crond:account):
> access denied for user `jboss' from `cron'
> 
> I have the following in /etc/ldap.conf
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,tomcat,radiusd,news,mailman,nscd,j
> boss
> 
> /etc/pam.d/crond
> auth       sufficient pam_env.so
> auth       required   pam_rootok.so
> auth       include    system-auth
> account    required   pam_access.so
> account    include    system-auth
> session    required   pam_loginuid.so
> session    include    system-auth
> 
> /etc/pam.d/system-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_ldap.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_access.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so type= retry=3 difok=3
> minlen=8 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=0
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so debug service
> in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> 
> I have added
> + : jboss : cron
> 
> to /etc/security/access.conf which fixes the problem. However I am not
> sure that it is the "correct" fix.
> 
> I would have thought that the string in /etc/ldap.conf
> nss_initgroups_ignoreusers would prevent this error unless I am
> confused about the pam ordering and sequence of how authentication
> happens.
> 
> The cron job executes fine without LDAP enabled.
> 
> Can anyone shed any more light on this error and a possible fix? I am
> using CentOS 5.5 fully updated.
> 
> Best Regards
> 
I have been stupid about this, I realized that I add a - : ALL : ALL when I
enable ldap which is not on a box without ldap. Adding this on a box without
ldap creates the same error. My fix is thus the correct fix.

Regards

________________________________________________________________________
In order to protect our email recipients, Betfair Group use SkyScan from 
MessageLabs to scan all Incoming and Outgoing mail for viruses.

________________________________________________________________________