Issue
crontab -l command fails with the following error.
# crontab -l You (user) are not allowed to access to (crontab) because of pam configuration.
You would see below logs in the cron log file /var/log/cron:
Sep 19 11:01:01 geeklab crond[125479]: (user) PAM ERROR (Permission denied) Sep 19 11:01:01 geeklab crond[125479]: (user) FAILED to authorize user with PAM (Permission denied) Sep 19 11:01:26 geeklab crontab[125631]: (user) PAM ERROR (Permission denied)
The log file /var/log/secure would have below errors :
Sep 19 11:01:26 geeklab crontab: pam_access(crond:account): access denied for user `root' from `cron' Sep 19 11:01:26 geeklab crontab: pam_unix(crond:account): expired password for user root (password aged)
Solution
There could be 2 reasons for this error :
1. Expired password for the user
2. user not allowed access to cron in /etc/security/access.conf file.
Check for expired user password
1. First of all, check the password expiry for the user using chage command.
# chage -l user Last password change : Jul 19, 2017 Password expires : Sep 02, 2017 ### password has expired Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 45 Number of days of warning before password expires : 7
From the output above we can say that the password has expired on September 2nd 2017. Crontab command will fail if it is run as user whose password is expired. PAM will not allow to run cronjob as user if the password of that user is expired.
2. If password is expired, new password will need to be set for the user in order to allow user to run cronjobs. To set password for user, run following command as root:
# passwd user
3. You can also set the password to never expire for that particular user if its allowed in your environment.
Allow user to access cron resource in /etc/security/access.conf file
1. Another issue could be that the user is not allowed to use the cron resources in /etc/security/access.conf file. In that case you can allow the user cron access by adding below line in the file /etc/security/access.conf. Usually this line is hashed by default.
# vi /etc/security/access.conf # User "root" should be allowed to get access via cron .. tty5 tty6. + : user : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
2. Also check for any entry where the user is denied access to use cron. You must remove the entry in that case from the file /etc/security/access.conf. An example entry to deny cron access to user can be as shown below :
# vi /etc/security/access.conf # Deny all other users access by any means. -: ALL : ALL
or
# vi /etc/security/access.conf # deny user "user" access to cron - : user : cron crond :0
Verify
If you have applied any one of the solutions explained above, you can run command crontab -l or crontab -e as user to verify the cron access.