cronjob dies when user password expires

I have noticed for some time now on Solaris 8 that whenever our root or oracle password expires after 12 weeks, the cronjob for the expired user totally stops working; it starts working again once the password has been changed.

I wonder if anybody has encountered this problem and knows of a fix other than extending the expiry period.

This is the /var/cron/log:

! bad user (oracle) Fri Feb 2 08:00:00 2007
< oracle 3769 c Fri Feb 2 08:00:00 2007 rc=1

This is the /etc/default/passwd:

#ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
MAXWEEKS=12
MINWEEKS=1
PASSLENGTH=8

The problem is you cannot switch to a user (like cron does) and run programs when the password is expired, because you are prompted to change it.

You can check the "ADMCHG" flag in /etc/security/passwd with a root cron job first, and remove it (this only works for the oracle user).

For root you can just turn the password policy off, AFAIK.

Actually I have wondered why Solaris does this for some time. Thanks to Open Solaris I can find the answer. It seems that Sun modified cron to use PAM and introduced this behavior in the process. So I suppose that you could probably write your own PAM module to allow expired users to run cronjobs.

I really like Open Solaris... no more mysteries. :)

Yeah,

it is not actually a problem; it was designed to run that way. The best way to get around it would be to turn off the password policy for root to reset every 12 weeks.

Why would you want expired accounts to have access to run things?

You wouldn't, so its design is correct.

It is for this reason I wrote the pwage script, which I posted here:
Check Password Age
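
An added example, not part of the thread and not the pwage script linked above: a shell check that reports accounts whose password has passed (or is close to) its maximum age, and counts the "! bad user" rejections that cron logs for them. It assumes the shadow(4) field layout with lastchg and max in days; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose password aging will make cron reject them.

# aging_report SHADOW TODAY WARN
#   SHADOW: file in shadow(4) layout name:pw:lastchg:min:max:warn:inactive:expire:flag
#   TODAY : current date in days since 1970-01-01;  WARN: warning window in days
aging_report() {
    awk -F: -v today="$2" -v warn="$3" '
        $3 == "" || $5 == "" || $5 < 0 { next }   # no aging configured
        $3 == 0 { print $1, "MUSTCHANGE"; next }  # change forced at next login
        {
            left = $3 + $5 - today                # days until maximum age is reached
            if (left < 0)          print $1, "EXPIRED", -left
            else if (left <= warn) print $1, "WARN", left
        }' "$1"
}

# cron_bad_users LOG: count "! bad user (NAME)" rejections per account.
cron_bad_users() {
    sed -n 's/^! bad user (\([^)]*\)).*/\1/p' "$1" | sort | uniq -c |
        awk '{ print $2, $1 }'
}

# write_samples DIR: constructed sample data (not taken from a real host).
write_samples() {
    cat > "$1/shadow" <<'EOF'
root:x:13500:7:84:7:::
oracle:x:13460:7:84:7:::
backup:x:13470:7:84:7:::
daemon:NP:6445::::::
EOF
    cat > "$1/cronlog" <<'EOF'
! bad user (oracle) Fri Feb 2 08:00:00 2007
< oracle 3769 c Fri Feb 2 08:00:00 2007 rc=1
! bad user (oracle) Fri Feb 2 09:00:00 2007
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
today=13546    # constructed: days since the epoch for 2 Feb 2007
aging_report "$tmp/shadow" "$today" 14
cron_bad_users "$tmp/cronlog"
```

Run from root's crontab against the real shadow file and cron log, a report like this gives warning before the MAXWEEKS=12 limit silently stops another account's jobs.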