Open Source Development

Power Open Source Development

Explore the open source tools and capabilities for building and deploying modern applications on IBM Power platforms including AIX, IBM i, and Linux.


  • 1.  AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

    Posted Mon February 20, 2023 05:18 PM

    Seeing the below error when I run it for a specific local user on my AIX server. Don't see the same for other users though. Can someone tell me how to get this fixed?

    sudo -l
    sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
    sudo: a password is required

    $ rpm -qa|grep -i sudo
    sudo_ids-1.9.5p2-1.ppc

    oslevel -s
    7200-05-03-2148



    ------------------------------
    Anand Sivasubramanian
    ------------------------------

    #AIXOpenSource


  • 2.  RE: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

    Posted Tue February 21, 2023 04:38 AM

    Hi Anand Sivasubramanian,

    Can you please look into the below link.
     https://community.ibm.com/community/user/power/communities/community-home/digestviewe[…]0d4758d475&CommunityKey=10c1d831-47ee-4d92-a138-b03f7896f7c9



    ------------------------------
    Sangeetha Bandi
    ------------------------------



  • 3.  RE: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

    Posted Tue February 21, 2023 11:21 AM

    Hi Anand,

    lacking some more information from you, but okay.

    a) if it is the only local user having this problem:

    a1) check if the user has a valid password by displaying the last password-change (display it for all local users)

    for i in $(lsuser -R files ALL | awk '{print $1}'); do
        # lastupdate is the epoch time of the user's last password change
        seclif=$(sudo /usr/bin/lssec -f /etc/security/passwd -a lastupdate -s "$i" | sed 's/.*=\(.*\)$/\1/')
        # convert the epoch value to YYYY-MM-DD  HH:MM in local time
        TIMESTAMP=$(perl -e '($ss, $mm, $hh, $DD, $MM, $YY) = localtime('"$seclif"'); printf "%04d-%02d-%02d  %02d:%02d", $YY + 1900, $MM + 1, $DD, $hh, $mm')
        echo "$i $TIMESTAMP"
    done

    If the password is expired or if there is none - well that's why this user can't sudo. 
    He might access the system using a key depending on your sshd configuration, which overrides the normal password-aging mechanism.
    But sudo looks explicitly, if there is a valid password.
     
    a2) check entries in pam.conf
    grep -n sudo /etc/pam.conf
    65:sudo    auth    required        /usr/lib/security/pam_aix
    89:sudo    account required        /usr/lib/security/pam_aix
    107:sudo    password  required      /usr/lib/security/pam_aix 
    128:sudo    session required        /usr/lib/security/pam_aix

    Hint: Pay attention if editing the file, as tabulators are not everywhere accepted, or at least an additional blank after the tabulator is needed

    a3) check if same uid exists in ldap - possibly the uid is taken from ldap with different username leading to mismatch



    ------------------------------
    Juergen Maehlmann
    ------------------------------



  • 4.  RE: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

    Posted Tue February 28, 2023 11:54 AM

    Hi,

    Thank you for the responses. I made changes to the /etc/pam.conf as recommended and still the same error. The password is set and not expired. I also deleted the account and recreated it just to be sure and that has not helped as well.

    Is there any other file that we are missing? I cross checked with the other servers in the environment with this server and cannot see a difference with the account



    ------------------------------
    Anand Sivasubramanian
    ------------------------------



  • 5.  RE: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

    Posted Mon March 06, 2023 12:46 AM
    Edited by SANGAMESH MALLAYYA Mon March 06, 2023 12:45 AM

    Hi Anand,

    Can you enable the logging and compare with working logs.

    You can add below entries to /etc/sudo.conf file.

    Debug sudo /var/log/sudo_debug.log all@debug
    Debug sudoers.so /var/log/sudo_debug.log all@debug



    ------------------------------
    SANGAMESH
    ------------------------------



  • 6.  RE: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

    Posted Wed January 24, 2024 05:07 AM

    Hello, 
    I got the same problem and enabled pam debug.

    Found the service name used by sudo is "sudo-i" and not "sudo".

    So replacing sudo by sudo-i in /etc/pam.conf fixed the problem.
    Regards.
    Alexandre.



    ------------------------------
    ALEXANDRE BLANCKE
    ------------------------------



  • 7.  RE: AIX; sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

    Posted Wed January 24, 2024 12:57 PM

    Hello,

    I encountered the same problem.

    After putting pam in debug mode, I've found the pam service name used by sudo is "sudo-i" instead of "sudo".

    After replacing sudo by sudo-i in pam.conf, sudo works fine.

    Regards.
    Alexandre.



    ------------------------------
    ALEXANDRE BLANCKE
    ------------------------------
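
The check discussed in replies 3, 6 and 7 (does /etc/pam.conf carry all four module types for the service name sudo actually uses?) can be scripted. This is an added example, not code from any poster: the function names `pam_missing_types` and `pam_report` are hypothetical, and the sample file is constructed from the four `sudo` lines quoted in reply 3.

```shell
#!/bin/sh
# pam_missing_types FILE SERVICE
# Prints the module types (auth account password session) that have no
# explicit entry for SERVICE in a pam.conf-style FILE; prints nothing if
# all four are present. Fields may be separated by tabs or blanks.
pam_missing_types() {
    awk -v svc="$2" '
        $1 ~ /^#/ || NF < 4 { next }   # skip comments and incomplete lines
        $1 == svc { seen[$2] = 1 }     # field 1 = service, field 2 = type
        END {
            n = split("auth account password session", types, " ")
            out = ""
            for (k = 1; k <= n; k++)
                if (!(types[k] in seen))
                    out = out (out == "" ? "" : " ") types[k]
            if (out != "") print out
        }' "$1"
}

# pam_report FILE SERVICE...  one status line per service name
pam_report() {
    f=$1; shift
    for s in "$@"; do
        m=$(pam_missing_types "$f" "$s")
        echo "$s: ${m:+missing }${m:-complete}"
    done
}

# Constructed sample: entries exist for "sudo" only (mixed tabs and blanks)
SAMPLE=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$SAMPLE" "$FIXED"' EXIT
{
    printf 'sudo\tauth\trequired\t/usr/lib/security/pam_aix\n'
    printf 'sudo    account required        /usr/lib/security/pam_aix\n'
    printf 'sudo\tpassword  required\t/usr/lib/security/pam_aix\n'
    printf 'sudo    session required        /usr/lib/security/pam_aix\n'
} > "$SAMPLE"

# The change from replies 6 and 7: the service name becomes sudo-i
awk '$1 == "sudo" { sub(/^sudo/, "sudo-i") } { print }' "$SAMPLE" > "$FIXED"

pam_report "$SAMPLE" sudo sudo-i
pam_report "$FIXED" sudo sudo-i
```

On a real system, point it at /etc/pam.conf and pass the service name that the PAM debug output shows sudo requesting.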