[20201120]pam_systemd(crondsession) Failed to create session Access denied.txt

lfree發表於2020-11-23

[20201120]pam_systemd(crondsession) Failed to create session Access denied.txt

--//例行檢查,發現一臺linux 伺服器報錯。

# journalctl --unit=crond --since "2020-11-20 10:15:00"
-- Logs begin at Mon 2020-03-02 18:43:25 CST, end at Fri 2020-11-20 10:40:01 CST. --
Nov 20 10:20:01 localhost.localdomain crond[10658]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:20:01 localhost.localdomain CROND[10660]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 20 10:30:01 localhost.localdomain crond[11195]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:30:01 localhost.localdomain CROND[11198]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 20 10:40:01 localhost.localdomain crond[11790]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:40:01 localhost.localdomain CROND[11793]: (root) CMD (/usr/lib64/sa/sa1 1 1)

--//從現象看應該是執行/usr/lib64/sa/sa1 1 1時報錯,間隔10分鐘。我手工以root使用者執行沒有問題。

# cat /etc/cron.d/sysstat
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A

# journalctl --unit=crond
...
Nov 19 23:53:01 localhost.localdomain crond[9410]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 19 23:53:01 localhost.localdomain CROND[9413]: (root) CMD (/usr/lib64/sa/sa2 -A)
--//執行/usr/lib64/sa/sa2 -A也是一樣報錯。

# systemctl cat crond.service
# /usr/lib/systemd/system/crond.service
[Unit]
Description=Command Scheduler
After=syslog.target auditd.service systemd-user-sessions.service time-sync.target

[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
KillMode=process

[Install]
WantedBy=multi-user.target

--//可以發現執行時使用-n 引數。

man crond
   -n  Tells the daemon to run in the foreground.  This can be useful when starting it out of init. With this
       option is needed to change pam setting.  /etc/pam.d/crond must not enable pam_loginuid.so module.

# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account    required   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
session    include    password-auth
auth       include    password-auth

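--//按照man的說明,使用-n時/etc/pam.d/crond不能啟用pam_loginuid.so,也就是必須註解session    required   pam_loginuid.so,但是我嘗試註解它沒用。
--//注意:pam_loginuid.so負責給cron任務設定稽核(audit)用的loginuid,註解後稽核記錄裡任務的歸屬會受影響,測試完應該恢復。
--//先嘗試debug crond看看。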

# cat /etc/sysconfig/crond
# Settings for the CRON daemon.
# CRONDARGS= :  any extra command-line startup arguments for crond
CRONDARGS= -x ext,sch,proc,pars,load,misc,test,bit
--//加入-x引數。除錯輸出會把每個任務的完整命令列寫進日誌(見下面的cmd="..."),排查完要取消。

--//繼續上個星期的探究:
# journalctl --unit=crond --since "2020-11-23 08:45:00" | grep -C3  pam_system
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/bin/date +"\%Y/\%m/\%d \%T"  >> /dev/kmsg"
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/usr/lib64/sa/sa2 -A"
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/usr/lib64/sa/sa1 1 1"
Nov 23 08:50:01 localhost.localdomain crond[9407]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 08:50:01 localhost.localdomain crond[9406]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 08:50:01 localhost.localdomain crond[15590]: [15590] do_command(/bin/date +"\%Y/\%m/\%d \%T"  >> /dev/kmlog_it: (root 9410) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 08:50:01 localhost.localdomain crond[15590]: log_it: (root 9411) CMD (/bin/date +"%Y/%m/%d %T"  >> /dev/kmsg)
Nov 23 09:00:01 localhost.localdomain crond[10021]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:00:01 localhost.localdomain CROND[10023]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:00:01 localhost.localdomain crond[15590]: log_it: (root 10023) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:00:01 localhost.localdomain crond[15590]: sg, (*system*,0,0))
--
Nov 23 09:01:01 localhost.localdomain crond[15590]: [15590] sigchld...pid #10021 died, stat=0
Nov 23 09:01:01 localhost.localdomain crond[15590]: [15590] sigchld...no children
Nov 23 09:01:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="run-parts /etc/cron.hourly"
Nov 23 09:01:01 localhost.localdomain crond[10104]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:01:01 localhost.localdomain CROND[10106]: (root) CMD (run-parts /etc/cron.hourly)
Nov 23 09:01:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/home/oracle/log_it: (root 10106) CMD (run-parts /etc/cron.hourly)
Nov 23 09:10:01 localhost.localdomain crond[10598]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:10:01 localhost.localdomain CROND[10600]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:10:01 localhost.localdomain crond[15590]: log_it: (root 10600) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:12:01 localhost.localdomain crond[15590]: orcl_rman.scripts/orclbak.sh > /dev/null 2>&1"

--//換一個思路,看看錯誤資訊來自哪個檔案。

# strings -f /usr/lib64/security/* | grep -i "Failed to create session"
/usr/lib64/security/pam_systemd.so: Failed to create session: %s

--//錯誤提示來自/usr/lib64/security/pam_systemd.so。

# grep pam_systemd.so /etc/pam.d/*
/etc/pam.d/fingerprint-auth:-session     optional      pam_systemd.so
/etc/pam.d/fingerprint-auth-ac:-session     optional      pam_systemd.so
/etc/pam.d/password-auth:-session     optional      pam_systemd.so
/etc/pam.d/password-auth-ac:-session     optional      pam_systemd.so
/etc/pam.d/runuser-l:-session   optional        pam_systemd.so
/etc/pam.d/smartcard-auth:-session     optional      pam_systemd.so
/etc/pam.d/smartcard-auth-ac:-session     optional      pam_systemd.so
/etc/pam.d/system-auth:-session     optional      pam_systemd.so
/etc/pam.d/system-auth-ac:-session     optional      pam_systemd.so
--//有點不理解前面有一個減號,是註解嗎?感覺不像。
--//補充:按pam.conf(5)的說明,型別欄位前的減號不是註解,只表示該模組檔案不存在、無法載入時不往系統日誌寫錯誤;模組存在時照常執行。
--//而且檔案裡面有一行說明,直接改動該檔案會被覆蓋:
--//# User changes will be destroyed the next time authconfig is run.

--//對比前面,應該是下面用波浪線標出的那一行把pam_systemd.so引入了crond的session階段。
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account    required   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
session    include    password-auth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth       include    password-auth

--//註解session    include    password-auth,繼續測試:
--//注意:這樣會把password-auth裡所有session模組一起從crond的會話階段去掉,不只是pam_systemd.so,只適合臨時測試。
--//修改/etc/sysconfig/crond檔案,取消crond的除錯。
--//修改/etc/cron.d/sysstat為每分鐘執行1次,主要節省調試時間。記住測試完成後要修改回來。
*/1 * * * * root /usr/lib64/sa/sa1 1 1

# systemctl stop crond.service
# systemctl start crond.service

--//等幾分鐘檢查發現:

# systemctl status crond.service
* crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-11-23 09:33:18 CST; 3min 1s ago
 Main PID: 12110 (crond)
   CGroup: /system.slice/crond.service
           `-12110 /usr/sbin/crond -n

Nov 23 09:33:18 localhost.localdomain systemd[1]: Started Command Scheduler.
Nov 23 09:33:18 localhost.localdomain crond[12110]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 99% if used.)
Nov 23 09:33:19 localhost.localdomain crond[12110]: (CRON) INFO (running with inotify support)
Nov 23 09:33:19 localhost.localdomain crond[12110]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Nov 23 09:34:01 localhost.localdomain CROND[12152]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:35:01 localhost.localdomain CROND[12222]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:36:01 localhost.localdomain CROND[12284]: (root) CMD (/usr/lib64/sa/sa1 1 1)

# journalctl --unit=crond --since "2020-11-23 09:33:20"
-- Logs begin at Mon 2020-03-02 18:43:25 CST, end at Mon 2020-11-23 09:39:01 CST. --
Nov 23 09:34:01 localhost.localdomain CROND[12152]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:35:01 localhost.localdomain CROND[12222]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:36:01 localhost.localdomain CROND[12284]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:37:01 localhost.localdomain CROND[12346]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:38:01 localhost.localdomain CROND[12435]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:39:01 localhost.localdomain CROND[12511]: (root) CMD (/usr/lib64/sa/sa1 1 1)

--//OK現在沒有錯誤資訊了。嘗試修改在前面加入減號看看。
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account    required   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
-session    include    password-auth
auth       include    password-auth

# systemctl status crond.service
* crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-11-23 09:33:18 CST; 35min ago
 Main PID: 12110 (crond)
   CGroup: /system.slice/crond.service
           |-12110 /usr/sbin/crond -n
           `-14221 /usr/sbin/anacron -s

Nov 23 10:01:01 localhost.localdomain anacron[14221]: Will run job `cron.daily' in 11 min.
Nov 23 10:01:01 localhost.localdomain anacron[14221]: Will run job `cron.monthly' in 51 min.
Nov 23 10:01:01 localhost.localdomain anacron[14221]: Jobs will be executed sequentially
Nov 23 10:02:01 localhost.localdomain CROND[14294]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:03:01 localhost.localdomain CROND[14353]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:04:01 localhost.localdomain CROND[14415]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:05:02 localhost.localdomain CROND[14478]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:06:01 localhost.localdomain CROND[14542]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:07:01 localhost.localdomain CROND[14604]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:08:01 localhost.localdomain CROND[14662]: (root) CMD (/usr/lib64/sa/sa1 1 1)

--//看來減號也是註解。是否兩者存在衝突???不好解析。
--//補充:這個結論和pam.conf(5)的說明不一致——減號只是讓模組無法載入時不記錄日誌,並不會讓這一行失效。這裡錯誤訊息消失的真正原因沒有驗證,不能據此把減號當成註解來用。
# grep "^-" /etc/pam.d/password-auth
-session     optional      pam_systemd.so

--//是否要執行authconfig重新配置呢?我直接修改還是生效的啊,不熟悉放棄。

--//工作非常不熟悉systemctl journalctl命令使用,感覺systemd很麻煩。
--//最終我放棄裡面的全部改動修改回來。對pam之類的東西也不熟悉,還是不亂動了,反正真實的情況也是正確執行的。僅僅做一個記錄。


來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/267265/viewspace-2735973/,如需轉載,請註明出處,否則將追究法律責任。
