I have a number of docker containers, all set up mostly identically, which successfully use cron to run nightly backup jobs.
I have another container, set up mostly identically, which tries, and fails, to use cron to run a nightly backup job.
I installed rsyslog to get more information, and when cron runs root's crontab I see the following entry in the syslog file:
CRON: Failure setting user credentials
The one difference between this container and all the others is that this one allows users to log in using LDAP. It has the following extra lines in the Dockerfile:
RUN echo '*;*;*;Al0000-2400;svn' >> /etc/security/group.conf
COPY pam_group /usr/share/pam-configs/groups
RUN echo "session required pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
RUN sed -i 's#\(.*pam_ldap.so.*\)#auth required pam_group.so\n\1#' /etc/pam.d/common-auth
RUN sed -i 's#^passwd:.*#passwd: files ldap systemd#;s#^group:.*#group: files ldap systemd#;s#^shadow:.*#shadow: files ldap#' /etc/nsswitch.conf
pam_group file looks like:
Name: activate /etc/security/group.conf
Auth-Type: Primary Auth:
Clearly, something about setting up the LDAP, and trying to ensure that all users get added to the
svn group (which doesn't work at all) broke the root user session for cron.
I have looked all over the internet, but not found this specific error. I have tried related solutions, but nothing works.
pam.d/common-auth looks like:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth required pam_group.so
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
pam.d/cron looks like:
# Sets the loginuid process attribute
session required pam_loginuid.so
# Read environment variables from pam_env's default files, /etc/environment
# and /etc/security/pam_env.conf.
session required pam_env.so
# In addition, read system locale information
session required pam_env.so envfile=/etc/default/locale
# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
session required pam_limits.so