If at is compiled with USE=pam then users that are listed only in /etc/passwd don't work. LDAP users do work. Explanation of the reasons in https://bugzilla.redhat.com/show_bug.cgi?id=150131

For local users the following line is printed into syslog:

    [atd] Authentication service cannot retrieve authentication info

Workaround is to replace the "account" line in /etc/pam.d/atd with the following:

    account required pam_permit.so

pam_deny_uc.so - deny UPPERCASE characters in username (required because of ldap...)

My /etc/pam.d/system-auth:

    auth     requisite  pam_deny_uc.so
    auth     sufficient pam_unix.so try_first_pass nodelay
    auth     sufficient pam_ldap.so use_first_pass
    auth     required   pam_deny.so
    account  required   pam_unix.so
    account  sufficient pam_localuser.so
    account  sufficient pam_ldap.so ignore_unknown_user
    password required   pam_passwdqc.so min=disabled,8,8,8,7 passphrase=0 random=0
    password sufficient pam_ldap.so use_authtok
    password sufficient pam_unix.so md5 shadow use_authtok
    password required   pam_deny.so
    session  required   pam_unix.so
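The following is an added illustration, not code from this bug, from at, or from Linux-PAM: a small Python model of how libpam walks an account stack, run over the reporter's system-auth and over the pam_permit workaround. It shows why the `account sufficient pam_localuser.so` line cannot rescue a local user once `account required pam_unix.so` has already failed, and why replacing the whole account line with pam_permit "works". It assumes (none of this is stated on the page) that atd's account line dispatches to the account stack of system-auth, that pam_unix's account check reports PAM_AUTHINFO_UNAVAIL when the process can no longer read /etc/shadow, and that pam_ldap with ignore_unknown_user answers PAM_IGNORE for a user that is not in LDAP; only the four classic control flags are modelled, not the [value=action] syntax.

```python
"""Minimal model of how Linux-PAM walks an `account` stack.

Added illustration for this bug: it is not Linux-PAM code and not part of at.
It implements only the four classic control flags (required, requisite,
sufficient, optional) and ignores the [value=action] syntax, so it is a
simplification of the real dispatcher.
"""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"

# Text libpam's pam_strerror() gives for the code in question; it is the
# line the reporter saw in syslog.
PAM_STRERROR = {
    PAM_AUTHINFO_UNAVAIL: "Authentication service cannot retrieve authentication info",
}

# The reporter's /etc/pam.d/system-auth, copied from the bug. The other
# phases are kept so parse_stack() has to filter on the phase column.
SYSTEM_AUTH = """\
auth     requisite  pam_deny_uc.so
auth     sufficient pam_unix.so try_first_pass nodelay
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  sufficient pam_localuser.so
account  sufficient pam_ldap.so ignore_unknown_user
password required   pam_passwdqc.so min=disabled,8,8,8,7 passphrase=0 random=0
password sufficient pam_ldap.so use_authtok
password sufficient pam_unix.so md5 shadow use_authtok
password required   pam_deny.so
session  required   pam_unix.so
"""

# The reporter's workaround line for /etc/pam.d/atd.
ATD_WORKAROUND = "account required pam_permit.so\n"


@dataclass
class Entry:
    control: str
    module: str
    args: tuple


def parse_stack(text, phase):
    """Return the entries of one phase ("auth", "account", ...) in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != phase:
            continue
        entries.append(Entry(fields[1], fields[2], tuple(fields[3:])))
    return entries


def evaluate(entries, module_result):
    """Walk a stack the way libpam does for the classic control flags.

    required:   failure is remembered, the rest of the stack still runs
    requisite:  failure ends the stack at once (with the first failure)
    sufficient: success ends the stack: PAM_SUCCESS, or the earlier
                required failure if there was one; its own failure is ignored
    optional:   ignored (libpam counts it only when it is the sole module,
                which this model does not bother with)
    """
    first_failure = None
    for entry in entries:
        rc = module_result(entry)
        ok = rc in (PAM_SUCCESS, PAM_IGNORE)
        if entry.control == "required":
            if not ok and first_failure is None:
                first_failure = rc
        elif entry.control == "requisite":
            if not ok:
                return first_failure or rc
        elif entry.control == "sufficient":
            if rc == PAM_SUCCESS:
                return first_failure or PAM_SUCCESS
        elif entry.control == "optional":
            pass
        else:
            raise ValueError(f"unsupported control flag {entry.control!r}")
    return first_failure or PAM_SUCCESS


def account_results_for_local_user(can_read_shadow):
    """Model each module's account verdict for a user from /etc/passwd.

    Assumptions (not stated on the bug page): pam_unix's account check needs
    /etc/shadow, so it reports PAM_AUTHINFO_UNAVAIL once atd has dropped
    root; pam_ldap with ignore_unknown_user returns PAM_IGNORE for a user
    that is not in LDAP.
    """
    def result(entry):
        if entry.module == "pam_unix.so":
            return PAM_SUCCESS if can_read_shadow else PAM_AUTHINFO_UNAVAIL
        if entry.module == "pam_localuser.so":
            return PAM_SUCCESS
        if entry.module == "pam_ldap.so":
            return PAM_IGNORE if "ignore_unknown_user" in entry.args else PAM_PERM_DENIED
        if entry.module == "pam_permit.so":
            return PAM_SUCCESS
        if entry.module == "pam_deny.so":
            return PAM_PERM_DENIED
        raise ValueError(f"no model for {entry.module}")
    return result


def check_local_user(stack_text, can_read_shadow):
    """Run the account phase of `stack_text` for a local user."""
    return evaluate(parse_stack(stack_text, "account"),
                    account_results_for_local_user(can_read_shadow))


def syslog_line(service, rc):
    """Render a failure the way it showed up in the reporter's syslog."""
    return f"[{service}] {PAM_STRERROR.get(rc, rc)}"


if __name__ == "__main__":
    for label, text, shadow in [
        ("system-auth, atd still root", SYSTEM_AUTH, True),
        ("system-auth, atd dropped root", SYSTEM_AUTH, False),
        ("pam_permit workaround, atd dropped root", ATD_WORKAROUND, False),
    ]:
        rc = check_local_user(text, shadow)
        print(f"{label}: {rc}")
        if rc != PAM_SUCCESS:
            print("  " + syslog_line("atd", rc))
```

The model makes the caveat of the workaround visible too: `account required pam_permit.so` does not fix the ordering problem, it removes the account phase for atd altogether, so pam_unix's expiry and lock checks no longer apply to jobs queued through at by local users. Whether that is acceptable depends on the site; the comment further down, that at should not drop root before pam_start, is the fix that keeps the checks.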
Please don't CC maintainers/herds yourself. Leave that to the bug-wranglers.

*** This bug has been marked as a duplicate of bug 267438 ***
Lars, okay for the CC (somewhat) but if you read the bug you duped this against, I explicitly asked for this one!
pam team can modify the pam.d file however it sees fit
(In reply to comment #2)
> Lars, okay for the CC (somewhat) but if you read the bug you duped this
> against, I explicitly asked for this one!

Sorry for that. I was in a rush when I wrangled this bug.
This is a bug in at, not in PAM, it shouldn't drop root before calling pam_start… at a minimum it should save the DAC_OVERRIDE cap before doing that.