Hi Nag,
pure theory - not enough information....
I assume you log in through ssh, possibly without a password, using a pubkey.
a) have a look at the user:
===SNIP===
lsuser -a login rlogin root
root login=true rlogin=false
===SNAP===
Log in using ssh with a "normal" user which is allowed to log in remotely, and sudo su - root works. But root will get the same error, as root is not allowed to login remotely.
btw: the error message is wrong - it should say that rlogin is not allowed.
On top of that, sshd may bypass the rlogin flag via PAM, but sudo ignores sshd params and looks into those PAM-related params.
b) have a look at the user password - is there a valid entry in /etc/security/passwd for this user? If there is an entry, is the password possibly expired?
===SNIP===
# for every local user: read lastupdate (epoch seconds of the last password change) from /etc/security/passwd and print it as a date
for i in $( lsuser -R files ALL | awk '{print $1}' ); do seclif=$( /usr/bin/lssec -f /etc/security/passwd -a lastupdate -s "$i" | sed 's/.*=\(.*\)$/\1/' ); TIMESTAMP=$( perl -e '($ss, $mm, $hh, $DD, $MM, $YY) = localtime('"$seclif"'); printf "%04d-%02d-%02d %02d:%02d", $YY + 1900, $MM + 1, $DD, $hh, $mm' ); echo "$i $TIMESTAMP"; done
root 2021-02-04 15:13
.......
===SNAP===
This is a common failure if users are allowed to log in by key or certificate (with its own expiry), ssh ignores PAM and sudo is used with the NOPASSWD option.
c) is the user expired (as you mentioned account expired error)?
===SNIP===
lsuser -a expires [user]
[user] expires=0
===SNAP===
d) entries needed for sudo - are they all there?
===SNIP===
grep sudo /etc/pam.conf
sudo auth required /usr/lib/security/pam_aix
sudo account required /usr/lib/security/pam_aix
sudo password required /usr/lib/security/pam_aix
sudo session required /usr/lib/security/pam_aix
===SNAP===
e) on the working or non-working hosts: is there something additional in the directory /etc/pam.d?
f) possible help may be to extend pam by:
===SNIP===
/opt/freeware/bin/grep -A1 -B1 file /etc/pam.conf | grep -v ^#
sshd auth required /usr/lib/security/pam_aix
sshd auth required /usr/lib/security/pam_ckfile
sshd auth requisite /usr/lib/security/pam_permission file=/etc/security/access.conf found=allow
sshd auth optional /usr/lib/security/pam_mkuserhome
===SNAP===
and in /etc/security/access.conf:
===SNIP===
cat /etc/security/access.conf
+root
+@[here enter the first group, which is allowed to login]
+@[here enter the second group, which is allowed to login]
-:ALL
===SNAP===
Originally this covered login, but it overrides the pam.conf entries regarding sudo, too.
Hint, if using sudo with openldap or idsldap: the groups are taken from ldap; additional local groups are ignored.
regards,
c)
------------------------------
Juergen Maehlmann
------------------------------
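Point d) above can be checked mechanically. The following is an added example, not code from the thread: a POSIX sh function that reports which PAM management groups (auth, account, password, session) are missing for a service in an AIX-style pam.conf, run here over a constructed sample in which the sudo "account" line is commented out (the function name pam_missing_types and the sample file are my own assumptions).

```shell
#!/bin/sh
# Added example: verify that a pam.conf has all four management groups for a
# service. Assumes the AIX pam.conf layout "service type control module [args]".

# pam_missing_types SERVICE FILE
# Prints the management groups missing for SERVICE; returns 1 if any are missing.
pam_missing_types() {
    service="$1"
    file="$2"
    missing=""
    for t in auth account password session; do
        # Lines whose first field starts with '#' are comments and do not count.
        if ! awk -v s="$service" -v t="$t" \
            '$1 !~ /^#/ && $1 == s && $2 == t { found = 1 } END { exit !found }' "$file"; then
            missing="$missing $t"
        fi
    done
    echo $missing          # unquoted on purpose: drops the leading space
    [ -z "$missing" ]
}

# Constructed sample resembling a broken host: the sudo "account" line is
# commented out, which is what the sudo 1.9.x error message complains about.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PAM configuration (constructed sample, not a real host)
sshd    auth     required   /usr/lib/security/pam_aix
sudo    auth     required   /usr/lib/security/pam_aix
#sudo   account  required   /usr/lib/security/pam_aix
sudo    password required   /usr/lib/security/pam_aix
sudo    session  required   /usr/lib/security/pam_aix
EOF

if missing=$(pam_missing_types sudo "$sample"); then
    echo "sudo: all PAM management groups present"
else
    echo "sudo: missing PAM management group(s): $missing"
fi
rm -f "$sample"
```

Run it against the real /etc/pam.conf on a working and a non-working host and diff the output; an empty result for sudo means the four entries from point d) are present.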
Original Message:
Sent: Tue February 23, 2021 10:52 PM
From: Nag N
Subject: After upgrade to " sudo_noldap-1.9.5p2-1.ppc" , Account expired or PAM config lacks an "account" error
After upgrading to sudo_noldap-1.9.5p2-1.ppc, sudo commands fail with a PAM error. Anyone know how to fix this? Most of the servers are working fine after the upgrade, except a few.
$ sudo -l
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required
I copied the /etc/sudoers and /etc/pam.conf files from a working server, still the same problem; the working server had sudo_noldap-1.9.5p2-1.ppc
Thank you very much
------------------------------
Nag N
------------------------------