Failed to open PAM security session

If one day you notice that your super-duper script doesn’t work when executed from cron and crond itself is whining about:

CRON (username) ERROR: failed to open PAM security session: Success
CRON (username) ERROR: cannot set security context

Then the most obvious next step is to take a look at /etc/pam.d/crond and /var/log/secure (if you’re running a Red Hat-based Linux distro):

# The PAM configuration file for the cron daemon
auth       sufficient
auth       required
auth       include    system-auth
account    required
account    include    system-auth
session    required
session    include    system-auth

If /var/log/secure has lines similar to the one below, check your /etc/security/access.conf and make sure that cron is allowed for everyone, or at least for the user experiencing the problem:

pam_access(crond:account): access denied for user `username' from `cron'

Otherwise, the word “session” should give you a hint about a possible issue in the session section of system-auth. Let’s check it:

cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        required

account     required
account     sufficient uid < 500 quiet
account     required

password    requisite try_first_pass retry=3
password    sufficient md5 shadow nullok try_first_pass use_authtok
password    required

session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required

The most critical module here is which retrieves account information from /etc/passwd and /etc/shadow. Check them for consistency, because in my case /etc/shadow was the culprit, missing a record for the username. Once it was fixed, the errors stopped popping up.
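The consistency check described above can be scripted. The following is an added example, not code from the original post; the function names `only_in` and `check_accounts` and the sample passwd/shadow records are constructed for illustration.

```shell
#!/bin/sh
# Added example: cross-check a passwd file against a shadow file.
# Function names and sample data are constructed, not from the post.

# only_in A B: print account names that have a record in A but none in B.
only_in() {
    awk -F: '
        # Records of the reference file (B, passed first): remember the name.
        FILENAME == ARGV[1] { if ($1 != "") known[$1] = 1; next }
        # Records of the file under test (A): report names B does not have.
        $1 != "" && !($1 in known) { print $1 }
    ' "$2" "$1"
}

# check_accounts PASSWD SHADOW: report both kinds of mismatch.
# Returns 1 if any mismatch was found, 0 if the files agree.
check_accounts() {
    passwd_file=$1
    shadow_file=$2
    rc=0
    for user in $(only_in "$passwd_file" "$shadow_file"); do
        echo "no shadow record: $user"
        rc=1
    done
    for user in $(only_in "$shadow_file" "$passwd_file"); do
        echo "shadow record without passwd entry: $user"
        rc=1
    done
    return $rc
}

# Constructed sample: "backup" exists in passwd but has no shadow record,
# the situation that produced the cron error in this post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:501:501::/home/backup:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:!!:15000:0:99999:7:::
EOF
check_accounts "$demo_dir/passwd" "$demo_dir/shadow" \
    || echo "fix the records above, then re-test the cron job"
rm -rf "$demo_dir"
```

On a live system, run `check_accounts /etc/passwd /etc/shadow` as root, since /etc/shadow is not world-readable. `pwck -r` from shadow-utils performs a broader read-only check of the same files.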

7 thoughts on “Failed to open PAM security session”

  2. Thanks for the article, it helped save me a little headache :)
    After a massive implementation of LDAP authentication in my company, some machines began to exhibit this error message for every local account. In the end the problem was in access.conf.

    Thanks again my friend.

    • Hi Leonardo,

      Thank you very much for your kind response.
      I’m endlessly happy to hear that my humble post has helped in your troubleshooting and saved you some time that now you could spend on something more fascinating than fixing LDAP authentication issues. Frankly speaking, it could be boring and pesky at times. ;-)
      Have fun!


  4. You might find this problem inside a Linux container (lxc). I’m not sure what the root cause is, but it starts with the `` module. Discussions on the Linux-container mailing list in 2013 suggest one remedy: replace with a (soft)link to ``. See `/lib64/security`. This solution is fine if your filesystem is not shared with other Linux containers. Otherwise, comment out all instances of `` from pam.d modules.
