[systemd-devel] Crond session, pam_access and pam_systemd

[Thomas HUMMEL]

Hello,

Using systemd-239 on CentOS 8.2 I'm trying to figure out what exactly 
happens when a cron "session" is created. In particular, what 
corresponds to the following error messages I get while running a user 
crontab :

2020-10-12T14:27:01.031334+02:00 maestro-orbit systemd: 
pam_access(systemd-user:account): access denied for user `toto' from 
`systemd-user'

2020-10-12T14:27:01.036959+02:00 maestro-orbit crond[135956]: 
pam_systemd(crond:session): Failed to create session: Start job for unit 
user at 1000.service failed with 'failed'

- What I'm doing :

ssh to the host, sudo -u toto, crontab -e, exit

so when toto's crontab gets executed toto has no running sessions

- access.conf, for cron, has the line

+:ALL:cron crond

- If, I add

+:toto:systemd-user

the error messages do not occur anymore.

My understanding is that for an standard logged-in user, pam_systemd 
registers the user sessions to systemd-logind and each logged-in user 
has a user slice holding all his session's scopes plus an init scope 
holding a user@<uid>.service which in turns holds at least a user 
instance of systemd (systemd --user) and "sd-pam".

So my questions are:

- what is sd-pam ?
- is a crond session different from a user session ?
- what pam service name does crond use ?
- what does the first error message refers to and why does the 
systemd-user pam service name get passed ? and by which systemd (system 
or user) ?
- what is the failing systemd job the second message refers to ? Does 
this mean that the crond "session" gets created by the systemd --user 
instance (as some gnome apps in other contexts for instance) ?
- does the line I added to access.conf makes sense at all ?

I also noticed that if the user gets lingered there is no such error 
message (which makes me think about the creation of the crond session 
through the systemd --user instance running a job)

Thanks for your help and sorry for the confusion

--
Thomas HUMMEL