# periodic daily (pam_acct_mgmt: authentication error)



## le4o360 (Jan 17, 2011)

Hi!
I have the default config for periodic tasks (/etc/periodic.conf was copied from /etc/defaults/periodic.conf). Every time my crontab runs periodic daily, I get these errors in my /var/log/messages and auth.log:


```
Jan 12 03:01:10 mybsd su: pam_acct_mgmt: authentication error
Jan 13 03:01:12 mybsd su: pam_acct_mgmt: authentication error
Jan 14 03:01:10 mybsd su: pam_acct_mgmt: authentication error
Jan 15 03:02:23 mybsd su: pam_acct_mgmt: authentication error
```

I've tried to turn on logging for periodic daily:

```
daily_output="/var/log/daily.log"
```
But there are no errors there.
At the same time, when I manually run periodic daily at the command prompt, I receive those errors immediately.
Looks like some script in /etc/periodic/daily/ causes those errors.
Any solutions for my issue?
Thanks.


----------



## SirDice (Jan 17, 2011)

le4o360 said:

> Hi!
> I have the default config for periodic tasks (/etc/periodic.conf was copied from /etc/defaults/periodic.conf).


You don't need to copy the file. Only add the things you want changed to /etc/periodic.conf, all other settings will come from /etc/defaults/periodic.conf.


----------



## le4o360 (Jan 17, 2011)

Thanks for the advice!
Now I have only one line in my /etc/periodic.conf.


----------



## le4o360 (Jan 17, 2011)

But what about those errors?


----------



## SirDice (Jan 17, 2011)

Did you add a script in /etc/periodic/daily/?

None of the standard scripts seem to do a su(1) (which is the cause of the error).


----------



## le4o360 (Jan 17, 2011)

I haven't added anything in /etc/periodic/daily.
What can I do to properly run su in daily scripts?


----------



## SirDice (Jan 17, 2011)

le4o360 said:

> What can I do to properly run su in daily scripts?



You shouldn't need to do anything.

Try running the scripts in /etc/periodic/daily/ by hand. See if you can find which of them is generating the error.


----------



## le4o360 (Jan 17, 2011)

I searched manually and found that

```
[root@mybsd /etc/periodic/daily]# sh 450.status-security

Security check:
    (output mailed separately)
```
causes this error:

```
Jan 17 20:41:27 mybsd su: pam_acct_mgmt: authentication error
```


----------



## le4o360 (Jan 17, 2011)

Here is 450.status-security:

```
#!/bin/sh
#
# $FreeBSD: src/etc/periodic/daily/450.status-security,v 1.10.36.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

case "$daily_status_security_enable" in
    [Yy][Ee][Ss])
        echo ""
        echo "Security check:"

        case "$daily_status_security_inline" in
            [Yy][Ee][Ss])
                export security_output="";;
            *)
                export security_output="${daily_status_security_output}"
                case "${daily_status_security_output}" in
                    "")
                        ;;
                    /*)
                        echo "    (output logged separately)";;
                    *)
                        echo "    (output mailed separately)";;
                esac;;
        esac

        periodic security
        rc=3;;

    *)  rc=0;;
esac

exit $rc
```


----------



## le4o360 (Jan 18, 2011)

Can anybody explain to me how "450.status-security" works? And why does it cause my errors?


----------



## le4o360 (Jan 18, 2011)

I just added the following line to my /etc/periodic.conf:

```
daily_status_security_inline="YES"
```
Now I get this output for sh /etc/periodic/daily/450.status-security:

```
Security check:

Checking setuid files and devices:

Checking for uids of 0:
root 0
toor 0

Checking for passwordless accounts:

Checking login.conf permissions:

mybsd.local ipfw denied packets:
+++ /tmp/security.F7UAQOvX      2011-01-18 12:11:05.000000000 +0300
+01999    63359     7426477 deny log logamount 1000 ip from any to any

ipfw log limit reached:
01999    63359     7426477 deny log logamount 1000 ip from any to any

mybsd.local login failures:

mybsd.local refused connections:

Checking for a current audit database:

Database created: вторник, 18 января 2011 г. 07:55:01 (MSK)

Checking for packages with security vulnerabilities:

pam_login_access: pam_sm_acct_mgmt: nobody is not allowed to log in on tty
su: Sorry

-- End of security output --
```
It looks like I need to do something with:

```
pam_login_access: pam_sm_acct_mgmt: nobody is not allowed to log in on tty
```
Is this trouble linked with my /etc/ttys?


----------



## le4o360 (Jan 18, 2011)

Or maybe it is linked with my /etc/login.access and the following root restriction:

```
+:root:console
```


----------



## le4o360 (Jan 18, 2011)

I have just tried using the following in /etc/login.access:

```
+:ALL:ALL
```
And all is working fine for me. No more errors in auth.log and messages.
Now can you help me to tune up my /etc/login.access? I want to restrict root access to the console only, and grant my user (wheel group) permission to access from several IP addresses; I also want no more trouble with the nobody user.
Here is my actual /etc/login.access:

```
-:ALL EXCEPT root:console
-:ALL EXCEPT wheel:ALL EXCEPT 192.168.125.20 192.168.125.15
```


----------
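A simplified first-match model of login.access(5), run over the two rules from the last post. This is an added example, not part of any post in the thread and not FreeBSD's own code. Assumptions: the group map is constructed ("admin" is a hypothetical wheel member), the origin "tty" is the string shown in the pam_login_access log line above, 10.0.0.5 is a constructed address, and netgroup and hostname forms are left out.

```python
# Simplified model of login.access(5): first matching line decides, no match = allow.
# Assumptions: netgroups and hostname/netmask forms are omitted; GROUPS is constructed.
GROUPS = {"wheel": {"root", "admin"}}   # "admin" is a hypothetical wheel member

RULES = """\
-:ALL EXCEPT root:console
-:ALL EXCEPT wheel:ALL EXCEPT 192.168.125.20 192.168.125.15
"""

def list_match(tokens, item, match_fn):
    """True if item matches the list; 'A EXCEPT B' means in A and not in B."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, None
    if not any(match_fn(t, item) for t in head):
        return False
    return tail is None or not list_match(tail, item, match_fn)

def user_match(tok, user):
    return tok.upper() == "ALL" or tok == user or user in GROUPS.get(tok, ())

def origin_match(tok, origin):
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "LOCAL":          # LOCAL: any origin without a dot
        return "." not in origin
    if tok.endswith("."):               # network prefix such as "192.168.125."
        return origin.startswith(tok)
    return tok.lower() == origin.lower()

def check(rules, user, origin):
    """Return (allowed, deciding_line); deciding_line is None on default allow."""
    for line in rules.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        if (list_match(users.split(), user, user_match)
                and list_match(origins.split(), origin, origin_match)):
            return perm == "+", line
    return True, None

if __name__ == "__main__":
    for who, where in [("nobody", "tty"), ("root", "10.0.0.5"),
                       ("admin", "console"), ("admin", "10.0.0.5")]:
        print(who, where, check(RULES, who, where))
```

Under this model the second line still denies nobody on a tty, while root and wheel members fall through to the default allow from any address, because `EXCEPT wheel` removes them from the only rule that mentions addresses.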

