Crontab + PAM + User with no password

15.53pm. Today I discovered an issue whereby a local users crontab was not running. The user was originally created to only run a script and was not required to own credentials as we could always su to the user when required. However as time passes the requirement to run the script became more and more frequent so I decided to create a crontab entry for the user. This is the error I then received:

tail -f /var/log/cron
Oct 30 11:21:01 SERVERNAME crond[22739]: Authentication service cannot retrieve authentication info
Oct 30 11:21:01 SERVERNAME crond[22739]: CRON (USERNAME) ERROR: failed to open PAM security session: Success
Oct 30 11:21:01 SERVERNAME crond[22739]: CRON (USERNAME) ERROR: cannot set security context

This server uses the Pluggable Authentication Module (PAM), so I thought I would take a look at the following log file too:

tail -f /var/log/secure
Oct 30 11:19:01 SERVERNAME unix_chkpwd[22423]: could not get username from shadow (USERNAME))
Oct 30 11:19:01 SERVERNAME crond[22422]: pam_unix(crond:account): unix_update returned error 9

So this log points me to the to the /etc/shadow file, as the local user does not own a set of credentials there is no entry.

I then tried to give the user a password (and populate the shadow file) but I then hit this problem:

[root@SERVERNAME home]# passwd USERNAME
Changing password for user USERNAME.
passwd: Authentication token manipulation error

Thankfully  I was able to get around this stumbling block by using the 'vipw' tool. However I had to make a fake change to /usr/passwd file for the tool to move on to /etc/shadow, I then re-ran the tool to revert the change. Once complete the crontab worked as expected.

Hurrah!