[20201120]pam_systemd(crondsession) Failed to create session Access denied.txt
[20201120]pam_systemd(crondsession) Failed to create session Access denied.txt
--//例行檢查,發現一臺linux 伺服器報錯。
# journalctl --unit=crond --since "2020-11-20 10:15:00"
-- Logs begin at Mon 2020-03-02 18:43:25 CST, end at Fri 2020-11-20 10:40:01 CST. --
Nov 20 10:20:01 localhost.localdomain crond[10658]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:20:01 localhost.localdomain CROND[10660]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 20 10:30:01 localhost.localdomain crond[11195]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:30:01 localhost.localdomain CROND[11198]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 20 10:40:01 localhost.localdomain crond[11790]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 20 10:40:01 localhost.localdomain CROND[11793]: (root) CMD (/usr/lib64/sa/sa1 1 1)
--//從現象看應該是執行/usr/lib64/sa/sa1 1 1時報錯,間隔10分鐘。我手工以root使用者執行沒有問題。
# cat /etc/cron.d/sysstat
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A
# journalctl --unit=crond
...
Nov 19 23:53:01 localhost.localdomain crond[9410]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 19 23:53:01 localhost.localdomain CROND[9413]: (root) CMD (/usr/lib64/sa/sa2 -A)
--//執行/usr/lib64/sa/sa2 -A也是一樣報錯。
# systemctl cat crond.service
# /usr/lib/systemd/system/crond.service
[Unit]
Description=Command Scheduler
After=syslog.target auditd.service systemd-user-sessions.service time-sync.target
[Service]
EnvironmentFile=/etc/sysconfig/crond
ExecStart=/usr/sbin/crond -n $CRONDARGS
KillMode=process
[Install]
WantedBy=multi-user.target
--//可以發現執行時使用-n 引數。
man crond
-n Tells the daemon to run in the foreground. This can be useful when starting it out of init. With this
option is needed to change pam setting. /etc/pam.d/crond must not enable pam_loginuid.so module.
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
--//按照介紹必須註解session required pam_loginuid.so,但是我嘗試註解它沒用。
--//先嚐試debug crond看看。
# cat /etc/sysconfig/crond
# Settings for the CRON daemon.
# CRONDARGS= : any extra command-line startup arguments for crond
CRONDARGS= -x ext,sch,proc,pars,load,misc,test,bit
--//加入-x引數。
--//繼續上個星期的探究:
# journalctl --unit=crond --since "2020-11-23 08:45:00" | grep -C3 pam_system
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/bin/date +"\%Y/\%m/\%d \%T" >> /dev/kmsg"
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/usr/lib64/sa/sa2 -A"
Nov 23 08:50:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/usr/lib64/sa/sa1 1 1"
Nov 23 08:50:01 localhost.localdomain crond[9407]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 08:50:01 localhost.localdomain crond[9406]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 08:50:01 localhost.localdomain crond[15590]: [15590] do_command(/bin/date +"\%Y/\%m/\%d \%T" >> /dev/kmlog_it: (root 9410) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 08:50:01 localhost.localdomain crond[15590]: log_it: (root 9411) CMD (/bin/date +"%Y/%m/%d %T" >> /dev/kmsg)
Nov 23 09:00:01 localhost.localdomain crond[10021]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:00:01 localhost.localdomain CROND[10023]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:00:01 localhost.localdomain crond[15590]: log_it: (root 10023) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:00:01 localhost.localdomain crond[15590]: sg, (*system*,0,0))
--
Nov 23 09:01:01 localhost.localdomain crond[15590]: [15590] sigchld...pid #10021 died, stat=0
Nov 23 09:01:01 localhost.localdomain crond[15590]: [15590] sigchld...no children
Nov 23 09:01:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="run-parts /etc/cron.hourly"
Nov 23 09:01:01 localhost.localdomain crond[10104]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:01:01 localhost.localdomain CROND[10106]: (root) CMD (run-parts /etc/cron.hourly)
Nov 23 09:01:01 localhost.localdomain crond[15590]: user [root:0:0:...] cmd="/home/oracle/log_it: (root 10106) CMD (run-parts /etc/cron.hourly)
Nov 23 09:10:01 localhost.localdomain crond[10598]: pam_systemd(crond:session): Failed to create session: Access denied
Nov 23 09:10:01 localhost.localdomain CROND[10600]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:10:01 localhost.localdomain crond[15590]: log_it: (root 10600) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:12:01 localhost.localdomain crond[15590]: orcl_rman.scripts/orclbak.sh > /dev/null 2>&1"
--//換一個思路,看看錯誤資訊來自那個檔案。
# strings -f /usr/lib64/security/* | grep -i "Failed to create session"
/usr/lib64/security/pam_systemd.so: Failed to create session: %s
--//錯誤提示來源/usr/lib64/security/pam_systemd.so。 */
# grep pam_systemd.so /etc/pam.d/*
/etc/pam.d/fingerprint-auth:-session optional pam_systemd.so
/etc/pam.d/fingerprint-auth-ac:-session optional pam_systemd.so
/etc/pam.d/password-auth:-session optional pam_systemd.so
/etc/pam.d/password-auth-ac:-session optional pam_systemd.so
/etc/pam.d/runuser-l:-session optional pam_systemd.so
/etc/pam.d/smartcard-auth:-session optional pam_systemd.so
/etc/pam.d/smartcard-auth-ac:-session optional pam_systemd.so
/etc/pam.d/system-auth:-session optional pam_systemd.so
/etc/pam.d/system-auth-ac:-session optional pam_systemd.so
--//有點不理解前面有一個減號,是註解嗎?感覺不像。而且裡面有一行說明,改動該檔案要
--//# User changes will be destroyed the next time authconfig is run.
--//對比前面應該是下劃線內容 */
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
auth include password-auth
--//註解session include password-auth,繼續測試: */
--//修改/etc/sysconfig/crond檔案,取消crond的除錯。
--//修改/etc/cron.d/sysstat為每分鐘執行1次,主要節省調式時間。記住測試完成後要修改回來。
*/1 * * * * root /usr/lib64/sa/sa1 1 1
# systemctl stop crond.service
# systemctl start crond.service
--//等幾分鐘檢查發現:
# systemctl status crond.service
* crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-11-23 09:33:18 CST; 3min 1s ago
Main PID: 12110 (crond)
CGroup: /system.slice/crond.service
`-12110 /usr/sbin/crond -n
Nov 23 09:33:18 localhost.localdomain systemd[1]: Started Command Scheduler.
Nov 23 09:33:18 localhost.localdomain crond[12110]: (CRON) INFO (RANDOM_DELAY will be scaled with factor 99% if used.)
Nov 23 09:33:19 localhost.localdomain crond[12110]: (CRON) INFO (running with inotify support)
Nov 23 09:33:19 localhost.localdomain crond[12110]: (CRON) INFO (@reboot jobs will be run at computer's startup.)
Nov 23 09:34:01 localhost.localdomain CROND[12152]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:35:01 localhost.localdomain CROND[12222]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:36:01 localhost.localdomain CROND[12284]: (root) CMD (/usr/lib64/sa/sa1 1 1)
# journalctl --unit=crond --since "2020-11-23 09:33:20"
-- Logs begin at Mon 2020-03-02 18:43:25 CST, end at Mon 2020-11-23 09:39:01 CST. --
Nov 23 09:34:01 localhost.localdomain CROND[12152]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:35:01 localhost.localdomain CROND[12222]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:36:01 localhost.localdomain CROND[12284]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:37:01 localhost.localdomain CROND[12346]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:38:01 localhost.localdomain CROND[12435]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 09:39:01 localhost.localdomain CROND[12511]: (root) CMD (/usr/lib64/sa/sa1 1 1)
--//OK現在沒有錯誤資訊了。嘗試修改在前面加入減號看看。
# cat /etc/pam.d/crond
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
-session include password-auth
auth include password-auth
# systemctl status crond.service
* crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-11-23 09:33:18 CST; 35min ago
Main PID: 12110 (crond)
CGroup: /system.slice/crond.service
|-12110 /usr/sbin/crond -n
`-14221 /usr/sbin/anacron -s
Nov 23 10:01:01 localhost.localdomain anacron[14221]: Will run job `cron.daily' in 11 min.
Nov 23 10:01:01 localhost.localdomain anacron[14221]: Will run job `cron.monthly' in 51 min.
Nov 23 10:01:01 localhost.localdomain anacron[14221]: Jobs will be executed sequentially
Nov 23 10:02:01 localhost.localdomain CROND[14294]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:03:01 localhost.localdomain CROND[14353]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:04:01 localhost.localdomain CROND[14415]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:05:02 localhost.localdomain CROND[14478]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:06:01 localhost.localdomain CROND[14542]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:07:01 localhost.localdomain CROND[14604]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Nov 23 10:08:01 localhost.localdomain CROND[14662]: (root) CMD (/usr/lib64/sa/sa1 1 1)
--//看來減號也是註解。是否兩者存在衝突???不好解析。
# grep "^-" /etc/pam.d/password-auth
-session optional pam_systemd.so
--//是否要執行authconfig重新配置呢?我直接修改還是生效的啊,不熟悉放棄。
--//工作非常不熟悉systemctl journalctl命令使用,感覺systemd很麻煩。
--//最終我放棄裡面的全部改動修改回來。對pam之類的東西也不熟悉,還是不亂動了,反正真實的情況也是正確執行的。僅僅做一個記錄。
-
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/267265/viewspace-2735973/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- Failed to create or upgrade OLRAI
- BUG:Failed to create or upgrade OLRAI
- Create a SharePoint Application Page for Anonymous AccessAPP
- su - xxx Could not create sessionSession
- hive on spark:return code 30041 Failed to create Spark client for Spark session原因分析及解決方案探尋HiveSparkAIclientSession
- device-mapper create ioctl failed: Device or resource busydevAPPAI
- ORA-19504: failed to create file "" 一則案例AI
- create CompassSession session fail, compass init is null!!!SessionAINull
- ERROR [main] zookeeper.RecoverableZooKeeper: ZooKeeper create failed after 4 attemptsErrorAI
- 解決錯誤:ASP.NET Error: Failed to access IIS metabaseASP.NETErrorAI
- audit時的by session和by access選項的區別!Session
- IDEA啟動時報Failed to create JVM錯誤的解決IdeaAIJVM
- [筆記].痛哉!!!Error: Can't access JTAG chain, Error: Operation failed筆記ErrorAI
- ubuntu gedit出錯:Failed to connect to the session manager的問題UbuntuAISession
- PyCharm啟動報錯:Failed to create JVM.解決辦法之一PyCharmAIJVM
- 包拯斷案 | create connections failed的深度剖析 還故障一個真相AI
- 開啟Eclipse時出現"Failed to create the Java Virtual Machine"怎麼辦EclipseAIJavaMac
- VirtualBox Host-only Adapter,Failed to create the host-only adapter 轉APTAI
- Failed to run 'create login' or 'sp_addsrvrolemeber' in sql Linux using windows authentcationAIVRSQLLinuxWindows
- "Failed to create empty document" error message appears when opening the BrightStor ARCserve BackupAIErrorAPP
- MySQL建立使用者報錯 ERROR 1396 (HY000): Operation CREATE USER failed for 'afei'@'%'MySqlErrorAI
- ORA-01045: user HR lacks CREATE SESSION privilege; logon deniedSessionGo
- 小米系列真機除錯程式碼時遇到小米系列手機除錯Installation failed with message Failed to establish session除錯AISession
- 菜鳥調錯(一)——Maven專案部署到Jboss出現:Failed to create a new SAX parserMavenAI
- 【故障處理】Linux下匯入匯出“IMP-00030: failed to create file ... for write”LinuxAI
- Rancher 系列文章-K3s Traefik MiddleWare 報錯-Failed to create middleware keysAI
- oracle之 Got minus one from a read call 與 ORA-27154: post/wait create failedOracleGoAI
- Windows 啟動 Idea 報錯 if you already hava a 64-bit JDK ... 以及 failed to create jvm...WindowsIdeaJDKAIJVM
- Oracle Rac root.sh報錯 Failed to create keys in the OLR, rc = 127 libcap.so.1OracleAI
- Linux 以執行使用者執行定時任務後,報錯 Failed to cache access tokenLinuxAI
- ubuntu下pig報錯ERROR 2999: Unexpected internal error. Failed to create DataStorage的解決UbuntuErrorAIAST
- Create DatabaseDatabase
- JAVA使用accessJava
- access()函式函式
- Httplistener Access DeniedHTTP
- create index/create index online區別Index
- ORA-07274: spdcr: access error, access to oracle denied.ErrorOracle
- Cannot Access Pls Pages: 'mod_security: Access denied with code 400'