Seeing the below error when I run it for a specific local user on my AIX server. Dont see the same for other users though. Can some one tell me how to get his fixed

sudo -l
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required

$ rpm -qa|grep -i sudo
sudo_ids-1.9.5p2-1.ppc

oslevel -s
7200-05-03-2148

Seeing the below error when I run it for a specific local user on my AIX server. Dont see the same for other users though. Can some one tell me how to get his fixed

sudo -l
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required

$ rpm -qa|grep -i sudo
sudo_ids-1.9.5p2-1.ppc

oslevel -s
7200-05-03-2148

Hi Anand,

lacking some more information from you, but okay.

a) if it is the only local user having this problem:

a1) check if the user has a valid password by displaying the last password-change (display it for all local users)

for i in $( lsuser -R files ALL | awk '{print $1}');do seclif=$((sudo /usr/bin/lssec -f /etc/security/passwd -a lastupdate -s $i)| sed 's/.*=\(.*\)$/\1/');TIMESTAMP=$(perl -e '($ss, $mm, $hh, $DD, $MM, $YY) = localtime('$seclif');printf "%04d-%02d-%02d  %02d:%02d", $YY + 1900 , $MM +1 ,$DD  , $hh, $mm');echo $i $TIMESTAMP;done

If the password is expired or if there is none - well that's why this user can't sudo. 
He might access the system using a key depending on your sshd configuration, which overides the normal password-aging mechanism.
But sudo looks explicitly, if there is a valid password.
 
a2) check entries in pam.conf
grep -n sudo /etc/pam.conf
65:sudo    auth    required        /usr/lib/security/pam_aix
89:sudo    account required        /usr/lib/security/pam_aix
107:sudo    password  required      /usr/lib/security/pam_aix 
128:sudo    session required        /usr/lib/security/pam_aix

Hint: Pay attention if editing the file, as tabulators are not everywhere accepted, or a least an additonal blank after the tabulator is needed

a3) check if same uid exists in ldap - possibly the uid is taken from ldap with different username leading to mismatch

Seeing the below error when I run it for a specific local user on my AIX server. Dont see the same for other users though. Can some one tell me how to get his fixed

sudo -l
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required

$ rpm -qa|grep -i sudo
sudo_ids-1.9.5p2-1.ppc

oslevel -s
7200-05-03-2148

Hi,

Thank you for the responses. I made changes to the /etc/pam.conf as recommended and still the same error. The password is set and not expired. I also deleted the account and recreated it just to be sure and that has not helped as well.

Is there any other file that we are mising. I cross checked with the other servers in the environment with this server and cannot see a difference with the account

------------------------------
Anand Sivasubramanian

Original Message:
Sent: Tue February 21, 2023 11:20 AM
From: Juergen Maehlmann
Subject: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

Hi Anand,

lacking some more information from you, but okay.

a) if it is the only local user having this problem:

a1) check if the user has a valid password by displaying the last password-change (display it for all local users)

for i in $( lsuser -R files ALL | awk '{print $1}');do seclif=$((sudo /usr/bin/lssec -f /etc/security/passwd -a lastupdate -s $i)| sed 's/.*=\(.*\)$/\1/');TIMESTAMP=$(perl -e '($ss, $mm, $hh, $DD, $MM, $YY) = localtime('$seclif');printf "%04d-%02d-%02d  %02d:%02d", $YY + 1900 , $MM +1 ,$DD  , $hh, $mm');echo $i $TIMESTAMP;done

If the password is expired or if there is none - well that's why this user can't sudo. 
He might access the system using a key depending on your sshd configuration, which overides the normal password-aging mechanism.
But sudo looks explicitly, if there is a valid password.
 
a2) check entries in pam.conf
grep -n sudo /etc/pam.conf
65:sudo    auth    required        /usr/lib/security/pam_aix
89:sudo    account required        /usr/lib/security/pam_aix
107:sudo    password  required      /usr/lib/security/pam_aix 
128:sudo    session required        /usr/lib/security/pam_aix

Hint: Pay attention if editing the file, as tabulators are not everywhere accepted, or a least an additonal blank after the tabulator is needed

a3) check if same uid exists in ldap - possibly the uid is taken from ldap with different username leading to mismatch

------------------------------
Juergen Maehlmann

Original Message:
Sent: Mon February 20, 2023 05:18 PM
From: Anand Sivasubramanian
Subject: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

Seeing the below error when I run it for a specific local user on my AIX server. Dont see the same for other users though. Can some one tell me how to get his fixed

sudo -l
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required

$ rpm -qa|grep -i sudo
sudo_ids-1.9.5p2-1.ppc

oslevel -s
7200-05-03-2148

------------------------------
Anand Sivasubramanian
------------------------------

Hi Anand,

Can you enable the logging and compare with working logs.

You can add below entries to /etc/sudo.conf file.

Debug sudo /var/log/sudo_debug.log all@debug
Debug sudoers.so /var/log/sudo_debug.log all@debug

------------------------------
SANGAMESH

Original Message:
Sent: Tue February 28, 2023 11:53 AM
From: Anand Sivasubramanian
Subject: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

Hi,

Thank you for the responses. I made changes to the /etc/pam.conf as recommended and still the same error. The password is set and not expired. I also deleted the account and recreated it just to be sure and that has not helped as well.

Is there any other file that we are mising. I cross checked with the other servers in the environment with this server and cannot see a difference with the account

------------------------------
Anand Sivasubramanian

Original Message:
Sent: Tue February 21, 2023 11:20 AM
From: Juergen Maehlmann
Subject: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

Hi Anand,

lacking some more information from you, but okay.

a) if it is the only local user having this problem:

a1) check if the user has a valid password by displaying the last password-change (display it for all local users)

for i in $( lsuser -R files ALL | awk '{print $1}');do seclif=$((sudo /usr/bin/lssec -f /etc/security/passwd -a lastupdate -s $i)| sed 's/.*=\(.*\)$/\1/');TIMESTAMP=$(perl -e '($ss, $mm, $hh, $DD, $MM, $YY) = localtime('$seclif');printf "%04d-%02d-%02d  %02d:%02d", $YY + 1900 , $MM +1 ,$DD  , $hh, $mm');echo $i $TIMESTAMP;done

If the password is expired or if there is none - well that's why this user can't sudo. 
He might access the system using a key depending on your sshd configuration, which overides the normal password-aging mechanism.
But sudo looks explicitly, if there is a valid password.
 
a2) check entries in pam.conf
grep -n sudo /etc/pam.conf
65:sudo    auth    required        /usr/lib/security/pam_aix
89:sudo    account required        /usr/lib/security/pam_aix
107:sudo    password  required      /usr/lib/security/pam_aix 
128:sudo    session required        /usr/lib/security/pam_aix

Hint: Pay attention if editing the file, as tabulators are not everywhere accepted, or a least an additonal blank after the tabulator is needed

a3) check if same uid exists in ldap - possibly the uid is taken from ldap with different username leading to mismatch

------------------------------
Juergen Maehlmann

Original Message:
Sent: Mon February 20, 2023 05:18 PM
From: Anand Sivasubramanian
Subject: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

Seeing the below error when I run it for a specific local user on my AIX server. Dont see the same for other users though. Can some one tell me how to get his fixed

sudo -l
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required

$ rpm -qa|grep -i sudo
sudo_ids-1.9.5p2-1.ppc

oslevel -s
7200-05-03-2148

------------------------------
Anand Sivasubramanian
------------------------------

Hi Anand,

Can you enable the logging and compare with working logs.

You can add below entries to /etc/sudo.conf file.

Debug sudo /var/log/sudo_debug.log all@debug
Debug sudoers.so /var/log/sudo_debug.log all@debug

------------------------------
SANGAMESH

Original Message:
Sent: Tue February 28, 2023 11:53 AM
From: Anand Sivasubramanian
Subject: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

Hi,

Thank you for the responses. I made changes to the /etc/pam.conf as recommended and still the same error. The password is set and not expired. I also deleted the account and recreated it just to be sure and that has not helped as well.

Is there any other file that we are mising. I cross checked with the other servers in the environment with this server and cannot see a difference with the account

------------------------------
Anand Sivasubramanian

Original Message:
Sent: Tue February 21, 2023 11:20 AM
From: Juergen Maehlmann
Subject: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

Hi Anand,

lacking some more information from you, but okay.

a) if it is the only local user having this problem:

a1) check if the user has a valid password by displaying the last password-change (display it for all local users)

for i in $( lsuser -R files ALL | awk '{print $1}');do seclif=$((sudo /usr/bin/lssec -f /etc/security/passwd -a lastupdate -s $i)| sed 's/.*=\(.*\)$/\1/');TIMESTAMP=$(perl -e '($ss, $mm, $hh, $DD, $MM, $YY) = localtime('$seclif');printf "%04d-%02d-%02d  %02d:%02d", $YY + 1900 , $MM +1 ,$DD  , $hh, $mm');echo $i $TIMESTAMP;done

If the password is expired or if there is none - well that's why this user can't sudo. 
He might access the system using a key depending on your sshd configuration, which overides the normal password-aging mechanism.
But sudo looks explicitly, if there is a valid password.
 
a2) check entries in pam.conf
grep -n sudo /etc/pam.conf
65:sudo    auth    required        /usr/lib/security/pam_aix
89:sudo    account required        /usr/lib/security/pam_aix
107:sudo    password  required      /usr/lib/security/pam_aix 
128:sudo    session required        /usr/lib/security/pam_aix

Hint: Pay attention if editing the file, as tabulators are not everywhere accepted, or a least an additonal blank after the tabulator is needed

a3) check if same uid exists in ldap - possibly the uid is taken from ldap with different username leading to mismatch

------------------------------
Juergen Maehlmann

Original Message:
Sent: Mon February 20, 2023 05:18 PM
From: Anand Sivasubramanian
Subject: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

Seeing the below error when I run it for a specific local user on my AIX server. Dont see the same for other users though. Can some one tell me how to get his fixed

sudo -l
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required

$ rpm -qa|grep -i sudo
sudo_ids-1.9.5p2-1.ppc

oslevel -s
7200-05-03-2148

------------------------------
Anand Sivasubramanian
------------------------------