I was fighting this a few weeks ago, and asking here. I *finally* solved
it yesterday... and the answer isn't pleasant.
Running the command
authconfig --enablesssd --enablesssdauth --enablesmartcard
--smartcardmodule=sssd --smartcardaction=0 --updateall
breaks crond, as per bugzilla # Bug 1650314. The way that it breaks it is
to insert into /etc/pam.d/password-auth-ac two lines reading
auth required pam_deny.so
one as the third line in the auth stanza, so:
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_deny.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >1000
quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
<...>
and the other where it belongs, as the last auth line.
This is clearly a bug in the code, as pam_deny.so should ONLY be the
*last* line in the auth stanza.
We've replicated this on an RHEL workstation, and then put a ticket in.
The... odd reply (so far) was that they weren't going to fix it in the 7.7
errata, and to use authselect in 8.0 (which is only a beta release). We're
going to escalate this.
In the meantime, if anyone has run into this, delete that
auth required pam_deny.so that's in the middle of the auth stanza in
/etc/pam.d/password-auth-ac, it should *only* be at the end of the auth
stanza, and everything will work correctly.
mark
