Rocky Linux 9.5 - Cron Job is not getting triggered showing PAM error"

Rocky Linux Help & Support
1

Hi,

We observed new issue related to “Cron Job” on Rocky Linux 9.5 system.
This issue is an blocker for an our release. So, request for an solution as soon as possible. Can someone provide a solution.

Please find details below,

Issue Description : In Our setup we have automatic function in there we have cron job entries. There we have scheduled it, need to load every day “01:00AM”. But its not loading as scheduled time. The cron job is not getting triggered, facing issue on here.

Please find the details of crontab below,

In Cron Log showing error message as,

Jun 25 01:00:01 test crond[6337]: (root) PAM ERROR (Authentication token is no longer valid; new one required)
Jun 25 01:00:01 test crond[6336]: (root) PAM ERROR (Authentication token is no longer valid; new one required)
Jun 25 01:00:01 test crond[6336]: (root) FAILED to authorize user with PAM (Authentication token is no longer valid; new one required)
Jun 25 01:00:01 test crond[6337]: (root) FAILED to authorize user with PAM (Authentication token is no longer valid; new one required)

Cron job Details below,

[ju@linux /etc 16]$ sudo cat crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed

05 4 * * * root /usr/sbin/aide --check
0 5 * * * root /usr/sbin/aide  --check | /bin/mail -s "$(hostname) - AIDE Integrity Check" root@localhost
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

[ju@linux /etc 17]$ sudo crontab -l

0 1 * * * sudo -u apache /var/www/html/acorn/admin/old_file_util.php -a 365 -p /var/www/html/acorn/data -r 1 >> /dev/null 2>&1
0 0 * * * sudo -u apache /var/www/html/acorn/admin/email_util.php 0 >> /dev/null 2>&1
0 1 * * * sudo -u apache /var/www/html/acorn/admin/GetLongBuff.pl >> /dev/null 2>&1
2

Hi,

Does the same issue occur if you update to 9.6? This is the supported release of Rocky.

Regards Tom.

3

This tells me that your root password is expired. Run chage as root. Does it say password must be changed? If so, then you must set a password. Otherwise, chage --maxdays 99999 root will remove the restriction. Below are the defaults.

[root@sani ~]# chage -l root
Last password change                                    : Nov 08, 2024
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
4

Hi all, I am also experiencing this issue today.
I have cronjobs that run as the admin user and would like them to continue to run regardless of the password being expired.
I need the password to expire every 90days.
The password being re-set will only happend when someone tries to next login to the server, so it can remain expired for weeks.
Looking at this article(Sadly I can’t find one for RHEL9) I’ve tried the fix but it does nto seem to work in Rocky9.

For those who can’t read the article, it’s suggesting:

  • Modify the /etc/pam.d/system-auth account section like following:

Raw

account     required      pam_access.so
account  [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

Note: In RHEL6, RHEL 7, and RHEL 8, modify the /etc/pam.d/password-auth as well.

Any thoughts would be greatly appreciated.

6

Do you mean root by ‘the admin user’? If the cronjob is run for a user different than root seems like you have to remove the option use_uid, because it makes the module evaluate the validity of root’s passwd:

use_uid
Evaluate conditions using the account of the user whose UID the application is running under instead of the user being authenticated.

7

Hi,
Yes, After resetting the root password in our setup. The automatic function cron job entries are loading as scheduled time ( 01:00AM ). The cron job is getting triggered.
But facing one more issue on here., As mentioned above log,

0 1 * * * sudo -u apache /var/www/html/acorn/admin/GetLongBuff.pl >> /dev/null 2>&1

During Cron job triggered GetLongBuff.pl will load the getlongbuff.log file in /var/log folder like "/var/log/getlongbuff.log ". But here its showing as “/dev/null”. In code the condition is, if any error occurred during the cron job automatic function then in log need to show as “/dev/null” . So, its showing as /dev/null. But in same code build in different server its working as expected.
After comparing both the servers found that the crontabs rpm is having difference ( Working server shows : crontabs-1.11-27.20190603git.el9_0.noarch and Issue server shows : crontabs-1.11-27.20190603git.el9.noarch ). So, It may causing an issue or anything need to verify.
Request for an solution, Can someone provide a solution for this as soon as possible.
Thanks.