Last modified: 2012-06-12 09:13:25 UTC
In labs, if you create a new system user via puppet, in a class applied to your instance, and then add cron jobs into this user's crontab, this does not mean they are executed yet.

You will see the jobs with "crontab -u <user> -l", and you will be able to execute the exact commands, also as that user with sudo, like "sudo -u <user> -s "/full/path/command/from/crontab foo", and that will work, but they will not be executed due to access.conf.

If you check auth.log you will see:

    CRON[22045]: pam_access(cron:account): access denied for user `foo' from `cron'

This is for security, and the config is in /etc/security/access.conf. It looks like this:

    # Disallow access to all forms of login to all
    # users except for members of the nova project
    # that this instance is a member of:
    -:ALL EXCEPT (project-foo) root:ALL

And since "crond" is a form of login in this context, it disallows users who are not in the "project-foo" group.

This file should not be changed manually though, it is defined in puppet ldap.pp /puppet/templates/ldap/access.conf.erb

So either make (system) users members of the project- group (but we can't add them to this group via puppet) or make changes to access.conf.erb; "crond" can be allowed separately from other forms of login.
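To find accounts whose crontab entries are being dropped this way, the auth.log denial quoted above can be matched and counted per user. This is an added example, not part of the original report; the sample log lines (timestamps, host name, the sshd entry and the user bar) are constructed.

```python
import re
from collections import Counter

# Matches the pam_access denial format quoted in the report, e.g.
#   CRON[22045]: pam_access(cron:account): access denied for user `foo' from `cron'
# pam_access opens quoted names with a backtick and closes them with an apostrophe.
DENIAL_RE = re.compile(
    r"(?P<proc>\S+)\[(?P<pid>\d+)\]: "
    r"pam_access\((?P<service>[^:)]+):(?P<phase>[^)]+)\): "
    r"access denied for user `(?P<user>[^']+)' from `(?P<origin>[^']+)'"
)

# Constructed sample lines: timestamps, host name and the sshd/bar entry are made up.
SAMPLE_LOG = """\
Jun 11 06:25:01 instance1 CRON[22045]: pam_access(cron:account): access denied for user `foo' from `cron'
Jun 11 06:25:01 instance1 CRON[22046]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 11 06:30:01 instance1 CRON[22101]: pam_access(cron:account): access denied for user `foo' from `cron'
Jun 11 06:31:17 instance1 sshd[22150]: pam_access(sshd:account): access denied for user `bar' from `10.0.0.5'
""".splitlines()


def parse_denials(lines):
    """Return one dict per pam_access denial found in the given log lines."""
    return [m.groupdict() for m in map(DENIAL_RE.search, lines) if m]


def denied_cron_users(lines):
    """Count denials per user where the PAM service is cron.

    Each hit is a scheduled job that cron refused to start, even though
    the entry is visible in the user's crontab.
    """
    return dict(
        Counter(d["user"] for d in parse_denials(lines) if d["service"] == "cron")
    )


if __name__ == "__main__":
    for user, count in sorted(denied_cron_users(SAMPLE_LOG).items()):
        print(f"{user}: {count} cron run(s) blocked by pam_access")
```
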
This was a pam issue. I had pam_security used for everything. I changed it to only enforce for ssh.
should be resolved meanwhile by Ryan by not using access.conf any longer. changed a cron on a labs project and checking tomorrow to confirm and close -- ..was i about to say when getting a mid-air collision:) thx Ryan