centos 7 crond expired password

Question

I am a newbie in CentOS, whenever I am trying to restart puppet services - pe-puppetdb, pe-puppetserver etc I am getting the following errors:

Jun 23 04:03:01 abc.xyz.com crond[12117]: pam_unix(crond:account): expired     password for user root (root enforced)
Jun 23 04:03:01 abc.xyz.com crond[12117]: (root) PAM ERROR (Authentication token is no longer valid; new one required)
Jun 23 04:03:01 abc.xyz.com crond[12117]: (root) FAILED to authorize user with PAM (Authentication token is no longer valid; new one required)

Following are the entries in /etc/pam.d/crond:

account    required   pam_access.so
account    include    password-auth
session    required   pam_loginuid.so
session    include    password-auth
auth       include    password-auth

I assume there are two things that need to be done here:

1. Reset the password for crond user (by using passwd command)
2. Make sure that the password never expires

I found one solution here https://www.centos.org/forums/viewtopic.php?t=17634 but since the post is 6 years old so I am wondering whether there is any other way the issue can be resolved.

Please advise.

Edit - I even tried changing the password for crond user but got the following error:

[root@abc ~]# chage -l crond
chage: user 'crond' does not exist in /etc/passwd
[root@abc ~]# chage -M 99999 -m 99999 crond
chage: user 'crond' does not exist in /etc/passwd

Edit2 - Added the following line in /etc/pam.d/crond and started the puppetdb service:

account    sufficient pam_succeed_if.so uid = 0

Still the service did not start and got the following error (journalctl -xe):

-- Unit session-11.scope has begun starting up.
Jun 23 10:28:01 abc.xyz.com CROND[30598]: (root) CMD (/var/awslogs/bin/awslogs-nanny.sh > /dev/null 2>&1)
Jun 23 10:28:02 abc.xyz.com systemd[1]: Removed slice user-0.slice.
-- Subject: Unit user-0.slice has finished shutting down
-- Defined-By: systemd
--
-- Unit user-0.slice has finished shutting down.
Jun 23 10:28:02 abc.xyz.com systemd[1]: Stopping user-0.slice.
-- Subject: Unit user-0.slice has begun shutting down
-- Defined-By: systemd
--
-- Unit user-0.slice has begun shutting down.
Jun 23 10:28:05 abc.xyz.com amazon-ssm-agent[845]: 2017-06-23 10:28:05 ERROR      [instanceID=i-0a9865085e27f6862] [MessageProcessor] [Association] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::045981373300:assumed-role/ServerLabServer/i-0a9865085e27f6862 is not authorized to perform: ssm:ListInstanceAssociations on resource:     arn:aws:ec2:ap-southeast-1:045981373300:instance/i-0a9865085e27f6862

Answer 1

The problem is well described in the initial error. The password is expired for the user root, which crond uses.

Check the status of the password with sudo chage -l root. If the password is expired, use sudo passwd to change it. You can also change the expiration settings with sudo chage root.