RedHatCannotCron

How to solve a non-responsive cron under Red Hat

This happens frequently, especially if your users are (like mine) programmers:

"I need to start operations (compilations, testing, restarting services, etc...) at night, but I cannot use cron! What gives?"

The steps to correct this are simple enough:

1. Add the user to the file /etc/cron.allow

Yes, I know, cron is supposed to look only into /etc/cron.deny. But, trust me, it's better to be safe than sorry.

Therefore, as root, to add user joe to the file /etc/crond.allow:

# touch /etc/crond.allow
# echo joe >> /etc/crond.allow

That's done.

As an aside, an easy way to diagnose cron problems is to try to run crontab as a normal user. Here is what you will get if the user is not authorized:

andre@galactus$ crontab -l
You (andre) are not allowed to use this program (crontab)
See crontab(1) for more information

andre@galactus$ crontab -e
You (andre) are not allowed to use this program (crontab)
See crontab(1) for more information

2. If you are using LDAP

Now, that is an important point - if you are using LDAP, PAM is going to check your user ID every time cron is started.

And, of course, remember these two major points about Red Hat and PAM:

  1. PAM sucks.
  2. Red Hat's PAM configuration sucks even more.

Now that I got this off my chest, simply put the following into the file /etc/pam.d/crond:

#
# The PAM configuration file for the cron daemon
#
#
# --------------------------------------------------------------
# Modified by Gil ANDRE
# Put this into /etc/pam.d/crond is Red Hat cron is misbehaving
# --------------------------------------------------------------
auth       sufficient pam_rootok.so
auth       sufficient pam_ldap.so
auth       required   pam_stack.so service=system-auth
auth       required   pam_env.so
account    sufficient pam_ldap.so
account    required   pam_stack.so service=system-auth
account    required   pam_access.so
session    sufficient pam_ldap.so
session    required   pam_limits.so
session    required   pam_loginuid.so

Compare and contrast with the original /etc/pam.d/crond:

#
# The PAM configuration file for the cron daemon
#
#
auth       sufficient pam_rootok.so
auth       required   pam_stack.so service=system-auth
auth       required   pam_env.so
account    required   pam_stack.so service=system-auth
account    required   pam_access.so
session    required   pam_limits.so
session    required   pam_loginuid.so

3. Restart crond

That's always a good thing to, as root:

# /etc/init.d/crond restart
Stopping crond:                                            [  OK  ]
Starting crond:                                            [  OK  ]

And you should be done!

See Also:

PLEASE NOTE These are Suse Linux man pages, but they are the same cron version as under Red Hat (ISC cron v4.1).