How to enable cron access for any user in Solaris 11
Some users, for example „webservd“, are not allowed to use cron in Solaris.
When studying the man pages, it is easy to be misleaded to look into the /etc/cron.d cron.allow and cron.deny files for resolution.
Warning - Invalid account: 'webservd' not allowed to execute cronjobs
But this is caused by a flag in /etc/shadow:
webservd:LK:15759::::::12351
The LK flag disallows cron usage.
See „passwd -n“ vs. „passwd -l“.
See „man passwd“:
Security
passwd uses pam(3PAM) for password change. It calls PAM with
a service name passwd and uses service module type auth for
authentication and password for password change.
Locking an account (-l option) does not allow its use for
password based login or delayed execution (such as at(1),
batch(1), or cron(1M)). The N option can be used to disal
low password based login, while continuing to allow delayed
execution.
locked accounts that have never had a password and no login
accounts cannot have their status changed directly to an
active password. See -d. Changing a password on a locked
account that had a password prior to being locked, changes
the password without unlocking the account. See -u to unlock
the account. An authorized administrator can activate an
account in the not yet activated state by giving it a pass-
word.
An account can become locked following inactivity. To unlock
such an account use the u or -f options. With -u, the pass
word is not changed; the use of -f forces a password change.
To resolve:
root@amp1:~# passwd -s webservd WARNING: changing account in reserved uid range: webservd. webservd LK root@amp1:~# passwd -d webservd WARNING: changing account in reserved uid range: webservd. passwd: password information changed for webservd root@amp1:~# passwd -N webservd WARNING: changing account in reserved uid range: webservd. passwd: password information changed for webservd root@amp1:~# passwd -s webservd WARNING: changing account in reserved uid range: webservd. webservd NL