Have you gotten anywhere else on this? Still trying to do some digging but not getting anywhere.
Original Message:
Sent: Tue November 21, 2023 11:04 AM
From: MOHAMMED SIDDIQUI
Subject: sudo PAM account management error Permission denied, a password is required for root
Checked the sudo code a bit and found :
In plugins/sudoers/auth/sudo_auth.c :
static sudo_auth auth_switch[] = {
/* Standalone entries first */
#ifdef HAVE_AIXAUTH
    AUTH_ENTRY("aixauth", FLAG_STANDALONE, sudo_aix_init, NULL, sudo_aix_verify, NULL, sudo_aix_cleanup, NULL, NULL)
#endif
#ifdef HAVE_PAM
    AUTH_ENTRY("pam", FLAG_STANDALONE, sudo_pam_init, NULL, sudo_pam_verify, sudo_pam_approval, sudo_pam_cleanup, sudo_pam_begin_session, sudo_pam_end_session)
#endif
in plugins/sudoers/auth/sudo_auth.h :
typedef struct sudo_auth {
    unsigned int flags;  /* various flags, see below */
    int status;          /* status from verify routine */
    const char *name;    /* name of the method as a string */
    void *data;          /* method-specific data pointer */
    int (*init)(const struct sudoers_context *ctx, struct passwd *pw, struct sudo_auth *auth);
    int (*setup)(const struct sudoers_context *ctx, struct passwd *pw, char **prompt, struct sudo_auth *auth);
    int (*verify)(const struct sudoers_context *ctx, struct passwd *pw, const char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
    int (*approval)(const struct sudoers_context *ctx, struct passwd *pw, struct sudo_auth *auth, bool exempt);
    int (*cleanup)(const struct sudoers_context *ctx, struct passwd *pw, struct sudo_auth *auth, bool force);
    int (*begin_session)(const struct sudoers_context *ctx, struct passwd *pw, char **user_env[], struct sudo_auth *auth);
    int (*end_session)(struct sudo_auth *auth);
} sudo_auth;
So things trying to run the approval function with PAM will call sudo_pam_approval(), which calls AIX's pam_acct_mgmt().
The same things using standard AIX auth will not call anything, as it is set to NULL.
So, as stated previously, that needs to be checked with the open-source community.
------------------------------
MOHAMMED SIDDIQUI
------------------------------
Original Message:
Sent: Tue November 21, 2023 11:02 AM
From: MOHAMMED SIDDIQUI
Subject: sudo PAM account management error Permission denied, a password is required for root
Hi Joshua,
Was working with AIX support and it looks like it is the sudo process that is attempting to establish another root session of some sort, and since the attribute of maxulogs in /etc/security/user is 1 it cannot do this, so fails with permission denied. This was easy enough to test:
# chuser maxulogs=1 root
# lssec -f /etc/security/user -a maxulogs -s root
root maxulogs=1
# who
root pts/0 Nov 15 13:50 (10.99.0.131)
So, only one user logged in.
# sudo -l
sudo: PAM account management error: Permission denied
sudo: a password is required
Change maxulogs to 2:
# chuser maxulogs=2 root
# lssec -f /etc/security/user -a maxulogs -s root
root maxulogs=2
# sudo -l
User root may run the following commands on konglp3:
(ALL) ALL
Now if I login via a second terminal as root so there are no more available logins for root:
# who
root pts/0 Nov 15 13:50 (10.99.0.131)
root pts/1 Nov 15 14:28 (10.99.0.131)
And we get the permission denied again:
# sudo -l
sudo: PAM account management error: Permission denied
sudo: a password is required
And if I increase maxulogs to 3 and try again, it works fine.
# chuser maxulogs=3 root
# lssec -f /etc/security/user -a maxulogs -s root
root maxulogs=3
# sudo -l
User root may run the following commands on konglp3:
(ALL) ALL
Additionally, each time I enter 'sudo -l' with 'maxulogs=1', the console log gets the following (this is in the HMC terminal):
AIX Version 7
Copyright IBM Corporation, 1982, 2022.
Console login: Maximum number of login sessions exceeded for user root
Maximum number of login sessions exceeded for user root
Maximum number of login sessions exceeded for user root
Maximum number of login sessions exceeded for user root
Which also indicates sudo is doing something with a login session. So, setting STD_AUTH does not have the issue; however, it appears that with PAM_AUTH it causes sudo to behave differently.
This is something that the sudo executable is doing when PAM is enabled. I do see information in the sudoers man page regarding PAM:
"On systems that use PAM for authentication, sudo will create a new PAM session for the command to be run in."
https://www.sudo.ws/docs/man/1.8.27/sudoers.man/
It looks like 'sudo -l' is doing just this, and the new session cannot be created because the root user's max logins has been reached.
There are various PAM-related options mentioned in the man page. I tried a few of them, like '!pam_session', but this did nothing. This is a better question for the sudo folks, or someone with access to the sudo source code, to see what it is actually doing or trying to do.
------------------------------
MOHAMMED SIDDIQUI
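To make the two observations above concrete (the auth_switch table in which the aixauth entry has a NULL approval hook while the pam entry calls pam_acct_mgmt(), and the maxulogs experiment in which 'sudo -l' fails exactly when the existing root sessions already equal the limit), here is a small stand-alone C model. It is added example code, not sudo's or AIX's own source: the dispatch table and loop are a simplified shape of what the excerpt shows, and model_pam_acct_mgmt() is a hypothetical stand-in whose only rule is the one the experiment demonstrated (a new session is refused once active sessions >= maxulogs). The global counters standing in for /etc/security/user and the output of who are constructed test values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes in the spirit of sudo's AUTH_SUCCESS / AUTH_FAILURE (assumed values) */
#define MODEL_AUTH_SUCCESS 0
#define MODEL_AUTH_FAILURE 1

/* Cut-down version of the sudo_auth struct: only the approval hook matters here. */
typedef struct model_auth {
    const char *name;
    int (*approval)(const char *user, struct model_auth *auth);
} model_auth;

/* Constructed system state: what /etc/security/user (maxulogs) and who(1) would report. */
static int g_maxulogs = 1;
static int g_active_root_sessions = 1;

/* Hypothetical stand-in for AIX pam_acct_mgmt(): the only behaviour modelled is the
   one observed in the thread, i.e. the account check refuses a further root login
   session once the active count has already reached maxulogs. */
static int model_pam_acct_mgmt(const char *user) {
    if (strcmp(user, "root") == 0 && g_active_root_sessions >= g_maxulogs)
        return 1;  /* stands in for PAM_PERM_DENIED */
    return 0;      /* stands in for PAM_SUCCESS */
}

/* Plays the role of sudo_pam_approval(): runs account management and maps a
   non-success result to an authentication failure, as the observed error shows. */
static int model_pam_approval(const char *user, model_auth *auth) {
    (void)auth;
    if (model_pam_acct_mgmt(user) != 0) {
        fprintf(stderr, "sudo: PAM account management error: Permission denied\n");
        return MODEL_AUTH_FAILURE;
    }
    return MODEL_AUTH_SUCCESS;
}

/* Same shape as the auth_switch excerpt: aixauth has no approval hook, pam does. */
static model_auth model_auth_switch[] = {
    { "aixauth", NULL },               /* STD_AUTH: nothing to call, so nothing can fail here */
    { "pam",     model_pam_approval }, /* PAM_AUTH: approval -> pam_acct_mgmt() */
};

/* Dispatch: find the configured method and run its approval hook only if it is
   non-NULL. A NULL hook is treated as approved, which is why STD_AUTH never hits
   the maxulogs limit at this stage. Unknown methods are refused. */
static int model_run_approval(const char *method, const char *user) {
    size_t n = sizeof(model_auth_switch) / sizeof(model_auth_switch[0]);
    for (size_t i = 0; i < n; i++) {
        model_auth *auth = &model_auth_switch[i];
        if (strcmp(auth->name, method) != 0)
            continue;
        if (auth->approval == NULL)
            return MODEL_AUTH_SUCCESS;
        return auth->approval(user, auth);
    }
    return MODEL_AUTH_FAILURE;
}

/* Replays one step of the experiment: set maxulogs and the number of root
   sessions already open, then ask whether 'sudo -l' as root would pass approval. */
static int model_sudo_l(const char *method, int maxulogs, int active_sessions) {
    g_maxulogs = maxulogs;
    g_active_root_sessions = active_sessions;
    return model_run_approval(method, "root");
}

int main(void) {
    /* The four configurations from the thread, in order */
    printf("pam, maxulogs=1, 1 session -> %s\n", model_sudo_l("pam", 1, 1) ? "denied" : "ok");
    printf("pam, maxulogs=2, 1 session -> %s\n", model_sudo_l("pam", 2, 1) ? "denied" : "ok");
    printf("pam, maxulogs=2, 2 sessions -> %s\n", model_sudo_l("pam", 2, 2) ? "denied" : "ok");
    printf("pam, maxulogs=3, 2 sessions -> %s\n", model_sudo_l("pam", 3, 2) ? "denied" : "ok");
    printf("aixauth, maxulogs=1, 1 session -> %s\n", model_sudo_l("aixauth", 1, 1) ? "denied" : "ok");
    return 0;
}
```

The practical takeaway the model makes visible: the limit is not reached by the interactive session alone but by the extra session sudo's PAM path tries to account for, so on a PAM_AUTH host the usable headroom is maxulogs minus the sessions already open, and a root maxulogs of 1 leaves none.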
Original Message:
Sent: Tue November 21, 2023 10:48 AM
From: Joshua Krause
Subject: sudo PAM account management error Permission denied, a password is required for root
I am getting the same error. I get it when I run any sudo command:
(utaecegdi7301.hban.us(eceunix04uttap):/home/eceunix04uttap)$ sudo -l
eceunix04uttap's Password:
sudo: PAM account management error: Invalid argument
sudo: a password is required
This is what the output should be:
(utaecegdi7300.hban.us(eceunix04uttap):/home/eceunix04uttap)$ sudo -l
eceunix04uttap's Password:
User eceunix04uttap may run the following commands on utaecegdi7300:
(root) PASSWD: ALL
------------------------------
Joshua Krause