[20201120]pam_systemd(crondsession) Failed to create session Access denied.txt
[20201120]pam_systemd(crondsession) Failed to create session Access denied.txt
--//例行檢查,發現一臺linux 伺服器報錯。
# journalctl --unit=crond --since "2020-11-20 10:15:00"
-- Logs begin at Mon 2020-03-02 18:43:25 CST, end at Fri 2020-11-20 10:40:01 CST. --
Nov 20 10:20:01 localhost.localdomain crond[10658]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:20:01 localhost.localdomain CROND[10660]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 20 10:30:01 localhost.localdomain crond[11195]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:30:01 localhost.localdomain CROND[11198]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 20 10:40:01 localhost.localdomain crond[11790]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:40:01 localhost.localdomain CROND[11793]: (root) CMD (/usr/lib64/sa/sa1 1 1)
--//從現象看應該是執行/usr/lib64/sa/sa1 1 1時報錯,間隔10分鐘。我手工以root使用者執行沒有問題。
# cat /etc/cron.d/sysstat
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A
# journalctl --unit=crond
...
Nov 19 23:53:01 localhost.localdomain crond[9410]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 19 23:53:01 localhost.localdomain CROND[9413]: (root) CMD (/usr/lib64/sa/sa2 -A)
--//執行/usr/lib64/sa/sa2 -A也是一樣報錯。
# systemctl cat crond.service
# /usr/lib/systemd/system/crond.service
[Unit]
Description=Command Scheduler
After=syslog.target auditd.service systemd-user-sessions.service time-sync.target
[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
KillMode=process
[Install]
WantedBy=multi-user.target
--//可以發現執行時使用-n 引數。
man crond
-n Tells the daemon to run in the foreground. This can be useful when starting it out of init. With this
option is needed to change pam setting. /etc/pam.d/crond must not enable pam_loginuid.so module.
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
--//按照介紹必須註解session required pam_loginuid.so,但是我嘗試註解它沒用。
--//先嚐試debug crond看看。
# cat /etc/sysconfig/crond
# Settings for the CRON daemon.
# CRONDARGS= : any extra command-line startup arguments for crond
CRONDARGS= -x ext,sch,proc,pars,load,misc,test,bit
--//加入-x引數。
--//繼續上個星期的探究:
# journalctl --unit=crond --since "2020-11-23 08:45:00" | grep -C3 pam_system
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/bin/date +"\%Y/\%m/\%d \%T" >> /dev/kmsg"
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/usr/lib64/sa/sa2 -A"
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/usr/lib64/sa/sa1 1 1"
Nov 23 08:50:01 localhost.localdomain crond[9407]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 08:50:01 localhost.localdomain crond[9406]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 08:50:01 localhost.localdomain crond[15590]: [15590] do_command(/bin/date +"\%Y/\%m/\%d \%T" >> /dev/kmlog_it: (root 9410) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 08:50:01 localhost.localdomain crond[15590]: log_it: (root 9411) CMD (/bin/date +"%Y/%m/%d %T" >> /dev/kmsg)
Nov 23 09:00:01 localhost.localdomain crond[10021]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:00:01 localhost.localdomain CROND[10023]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:00:01 localhost.localdomain crond[15590]: log_it: (root 10023) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:00:01 localhost.localdomain crond[15590]: sg, (*system*,0,0))
--
Nov 23 09:01:01 localhost.localdomain crond[15590]: [15590] sigchld...pid #10021 died, stat=0
Nov 23 09:01:01 localhost.localdomain crond[15590]: [15590] sigchld...no children
Nov 23 09:01:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="run-parts /etc/cron.hourly"
Nov 23 09:01:01 localhost.localdomain crond[10104]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:01:01 localhost.localdomain CROND[10106]: (root) CMD (run-parts /etc/cron.hourly)
Nov 23 09:01:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/home/oracle/log_it: (root 10106) CMD (run-parts /etc/cron.hourly)
Nov 23 09:10:01 localhost.localdomain crond[10598]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:10:01 localhost.localdomain CROND[10600]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:10:01 localhost.localdomain crond[15590]: log_it: (root 10600) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:12:01 localhost.localdomain crond[15590]: orcl_rman.scripts/orclbak.sh > /dev/null 2>&1"
--//換一個思路,看看錯誤資訊來自那個檔案。
# strings -f /usr/lib64/security/* | grep -i "Failed to create session"
/usr/lib64/security/pam_systemd.so: Failed to create session: %s
--//錯誤提示來源/usr/lib64/security/pam_systemd.so。 */
# grep pam_systemd.so /etc/pam.d/*
/etc/pam.d/fingerprint-auth:-session optional pam_systemd.so
/etc/pam.d/fingerprint-auth-ac:-session optional pam_systemd.so
/etc/pam.d/password-auth:-session optional pam_systemd.so
/etc/pam.d/password-auth-ac:-session optional pam_systemd.so
/etc/pam.d/runuser-l:-session optional pam_systemd.so
/etc/pam.d/smartcard-auth:-session optional pam_systemd.so
/etc/pam.d/smartcard-auth-ac:-session optional pam_systemd.so
/etc/pam.d/system-auth:-session optional pam_systemd.so
/etc/pam.d/system-auth-ac:-session optional pam_systemd.so
--//有點不理解前面有一個減號,是註解嗎?感覺不像。而且裡面有一行說明,改動該檔案要
--//# User changes will be destroyed the next time authconfig is run.
--//對比前面應該是下劃線內容 */
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth include password-auth
--//註解session include password-auth,繼續測試: */
--//修改/etc/sysconfig/crond檔案,取消crond的除錯。
--//修改/etc/cron.d/sysstat為每分鐘執行1次,主要節省調式時間。記住測試完成後要修改回來。
*/1 * * * * root /usr/lib64/sa/sa1 1 1
# systemctl stop crond.service
# systemctl start crond.service
--//等幾分鐘檢查發現:
# systemctl status crond.service
* crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-11-23 09:33:18 CST; 3min 1s ago
Main PID: 12110 (crond)
CGroup: /system.slice/crond.service
`-12110 /usr/sbin/crond -n
Nov 23 09:33:18 localhost.localdomain systemd[1]: Started Command Scheduler.
Nov 23 09:33:18 localhost.localdomain crond[12110]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 99% if used.)
Nov 23 09:33:19 localhost.localdomain crond[12110]: (CRON) INFO (running with inotify support)
Nov 23 09:33:19 localhost.localdomain crond[12110]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Nov 23 09:34:01 localhost.localdomain CROND[12152]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:35:01 localhost.localdomain CROND[12222]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:36:01 localhost.localdomain CROND[12284]: (root) CMD (/usr/lib64/sa/sa1 1 1)
# journalctl --unit=crond --since "2020-11-23 09:33:20"
-- Logs begin at Mon 2020-03-02 18:43:25 CST, end at Mon 2020-11-23 09:39:01 CST. --
Nov 23 09:34:01 localhost.localdomain CROND[12152]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:35:01 localhost.localdomain CROND[12222]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:36:01 localhost.localdomain CROND[12284]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:37:01 localhost.localdomain CROND[12346]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:38:01 localhost.localdomain CROND[12435]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:39:01 localhost.localdomain CROND[12511]: (root) CMD (/usr/lib64/sa/sa1 1 1)
--//OK現在沒有錯誤資訊了。嘗試修改在前面加入減號看看。
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
-session include password-auth
auth include password-auth
# systemctl status crond.service
* crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-11-23 09:33:18 CST; 35min ago
Main PID: 12110 (crond)
CGroup: /system.slice/crond.service
|-12110 /usr/sbin/crond -n
`-14221 /usr/sbin/anacron -s
Nov 23 10:01:01 localhost.localdomain anacron[14221]: Will run job `cron.daily' in 11 min.
Nov 23 10:01:01 localhost.localdomain anacron[14221]: Will run job `cron.monthly' in 51 min.
Nov 23 10:01:01 localhost.localdomain anacron[14221]: Jobs will be executed sequentially
Nov 23 10:02:01 localhost.localdomain CROND[14294]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:03:01 localhost.localdomain CROND[14353]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:04:01 localhost.localdomain CROND[14415]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:05:02 localhost.localdomain CROND[14478]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:06:01 localhost.localdomain CROND[14542]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:07:01 localhost.localdomain CROND[14604]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:08:01 localhost.localdomain CROND[14662]: (root) CMD (/usr/lib64/sa/sa1 1 1)
--//看來減號也是註解。是否兩者存在衝突???不好解析。
# grep "^-" /etc/pam.d/password-auth
-session optional pam_systemd.so
--//是否要執行authconfig重新配置呢?我直接修改還是生效的啊,不熟悉放棄。
--//工作非常不熟悉systemctl journalctl命令使用,感覺systemd很麻煩。
--//最終我放棄裡面的全部改動修改回來。對pam之類的東西也不熟悉,還是不亂動了,反正真實的情況也是正確執行的。僅僅做一個記錄。
-
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/267265/viewspace-2735973/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- su - xxx Could not create sessionSession
- hive on spark:return code 30041 Failed to create Spark client for Spark session原因分析及解決方案探尋HiveSparkAIclientSession
- ascp: Failed to open TCP connection for SSH, exiting. Session Stop (Error: Failed to open TCP connection for SSH)AITCPSessionError
- VirtualBox Host-only Adapter,Failed to create the host-only adapter 轉APTAI
- Failed to run 'create login' or 'sp_addsrvrolemeber' in sql Linux using windows authentcationAIVRSQLLinuxWindows
- [20201120]使用event 10049.txt
- [20201120]cygwin與ssh.txt
- IDEA啟動時報Failed to create JVM錯誤的解決IdeaAIJVM
- npm ERR! network request to https://registry.npmmirror.com/create-vite failed,NPMHTTPViteAI
- unable to access ‘https://gitee.com/XXX/XXX.git/‘: Failed to connect to 127.0.0.1 portHTTPGiteeAI127.0.0.1
- 包拯斷案 | create connections failed的深度剖析 還故障一個真相AI
- Rancher 系列文章-K3s Traefik MiddleWare 報錯-Failed to create middleware keysAI
- PyCharm啟動報錯:Failed to create JVM.解決辦法之一PyCharmAIJVM
- 【故障處理】Linux下匯入匯出“IMP-00030: failed to create file ... for write”LinuxAI
- ubuntu下pig報錯ERROR 2999: Unexpected internal error. Failed to create DataStorage的解決UbuntuErrorAIAST
- MySQL建立使用者報錯 ERROR 1396 (HY000): Operation CREATE USER failed for 'afei'@'%'MySqlErrorAI
- Windows 啟動 Idea 報錯 if you already hava a 64-bit JDK ... 以及 failed to create jvm...WindowsIdeaJDKAIJVM
- Linux 以執行使用者執行定時任務後,報錯 Failed to cache access tokenLinuxAI
- gitlab密碼更新後,使用git命令報錯remote: HTTP Basic: Access denied fatal: Authentication failed for ‘https:xxx‘Gitlab密碼REMHTTPAI
- create_singlethread_workqueue, create_workqueuethread
- Android 棧記憶體溢位bug fix小記(pthread_create (1040KB stack) failed: Out of memory)Android記憶體溢位threadAI
- 01.svn commit 時提示 Commit failed (details follow) Unable to create pristine install stream 系統找不到指定的路徑MITAI
- svn access to forBiddenORB
- JAVA使用accessJava
- AP(Access Pointer)
- SQL__CREATESQL
- Object.create()Object
- create-a-page
- create-a-document
- Docker create命令Docker
- create index .. onlineIndex
- session和v$session說明Session
- laravel session 與 php session配置LaravelSessionPHP
- SessionSession
- SQL Access Advisor(zt)SQL
- Java連線AccessJava
- Configuring Harbor with HTTPS AccessHTTP
- Django Error: [WinError 10013] An attempt was made to access a socket in a way forbidden by its access permissionsDjangoErrorORB