Host errata advisory emails stopped being sent to admin in RedHat Satellite.

Solution Verified - Updated -

Environment

  • RedHat Satellite 6

Issue

  • No automatic Host errata advisory emails are sent to the the admin in RedHat Satellite.

Resolution

  • Add the entries for the foreman and foreman-proxy users to the /etc/security/access.conf to allow the cron jobs mention in /etc/cron.d/* files to run on the host.

    # cat /etc/security/access.conf
+ : foreman : LOCAL

Root Cause

  • foreman and foreman-proxy users failed to run the cron job due to PAM permission denied.

Diagnostic Steps

  1. Execute the following command on the Satellite server to check if mail delivers from hammer command

    # hammer user list              
Replace X with the actual User ID in the following command to generate the mail:

# foreman-rake console <<< 'Katello::ErrataMailer.host_errata(user: X).deliver_now'

  2. Verify the below error

  • In /var/log/cron

    May  1 15:00:01 satellite.example.com crond[475823]: (foreman-proxy) PAM ERROR (Permission denied)
May  1 15:00:01 satellite.example.com crond[475823]: (foreman-proxy) FAILED to authorize user with PAM (Permission denied)
May  1 15:00:01 satellite.example.com crond[475822]: (foreman) PAM ERROR (Permission denied)
May  1 15:00:01 satellite.example.com crond[475822]: (foreman) FAILED to authorize user with PAM (Permission denied)

  • In /var/log/audit/audit.log

    16041:type=USER_ACCT msg=audit(1682978401.513:503097): pid=475822 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=? acct="foreman" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=failed'UID="root" AUID="unset"

  1. Confirm foreman and foreman-proxy user are not excluded from the nss db.

    $ grep -A 2 "\[nss\]" etc/sssd/sssd.conf
[nss]
filter_groups = root, abcaccount, tomcat
filter_users = root, abcaccount, ldap, tomcat

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments