AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system


Sudo problem after implementing freeipa

  • 1.  Sudo problem after implementing freeipa

    Posted Thu August 29, 2019 06:02 AM

    Originally posted by: Tin_Cup


    After implementing freeipa on two systems, sudo refuses to look at the freeipa ldap for rights. It immediately fails with:

    $ sudo -l
    sudo: you do not exist in the passwd database

    Which is obvious, because I am logged in through an ldap account. I am logged in and other tools know my name, so I can conclude the ldap itself is working. Also, several other similar servers work fine. So the problem is (for now) limited to two systems.

    Sudo is showing different behavior for different users:

    As root:

    XXXXXXXX:/home/root# sudo -l
    sudo: LDAP Config Summary
    sudo: ===================

    *****Snipped a lot of log output showing working connection to ldap

    sudo: result now has 0 entries
    Matching Defaults entries for root on SUCENA61:
        logfile=/var/log/sudo.log

    User root may run the following commands on SUCENA61:
        (ALL) ALL
    SUCENA61:/home/root#

    As our local user fallback:

    XXXXXXXX.DOMAIN.DOMAIN.TOPLEVEL:/home/fallback$ sudo -l
    sudo: LDAP Config Summary
    sudo: ===================

    *****Snipped a lot of log output showing working connection to ldap

    sudo: result now has 0 entries
    sudo: PAM account management error: System error
    XXXXXXXX.DOMAIN.DOMAIN.TOPLEVEL:/home/fallback$

    As logged in ldap user:

    login as: me
    Using keyboard-interactive authentication.
    me's Password:
    1 unsuccessful login attempt since last login.
    Last unsuccessful login: Tue Aug 20 11:13:11 CEST 2019 on ssh from ww.xx.yy.zz
    Last login: Tue Aug 27 16:16:57 CEST 2019 on ssh from ww.xx.yy.zz
    *******************************************************************************
    * WARNING: You are about to gain access to a [...] by us [...]             *
    ...
    Blah blah blah
    ...
    *******************************************************************************
    $ sudo -l
    sudo: you do not exist in the passwd database
    $

    And last but not least, logged in as root and su-ed to me:

    :/home/root#

    # su - me

    $ sudo -l
    sudo: LDAP Config Summary
    sudo: ===================
    sudo: adding search result
    sudo: result now has 3 entries
    sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
    sudo: searching from base 'ou=sudoers,dc=dcdomain,dc=dcdomain,dc=org'
    sudo: adding search result
    sudo: result now has 3 entries
    sudo: sorting remaining 3 entries

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    Sorry, try again.
    Sorry, try again.
    sudo: 3 incorrect password attempts

    fileset versions:

      GSKit8.gskcrypt32.ppc.rte
                               8.0.50.71    C     F    IBM GSKit Cryptography Runtime
      GSKit8.gskcrypt64.ppc.rte
                               8.0.50.71    C     F    IBM GSKit Cryptography Runtime
      GSKit8.gskssl32.ppc.rte  8.0.50.71    C     F    IBM GSKit SSL Runtime With
      GSKit8.gskssl64.ppc.rte  8.0.50.71    C     F    IBM GSKit SSL Runtime With
      idsldap.clt32bit64.rte    6.4.0.11    C     F    Directory Server - 32 bit
      idsldap.clt64bit64.rte    6.4.0.11    C     F    Directory Server - 64 bit
      idsldap.clt_max_crypto32bit64.rte
      idsldap.clt_max_crypto64bit64.rte
      idsldap.cltbase64.adt     6.4.0.11    C     F    Directory Server - Base Client
      idsldap.cltbase64.rte     6.4.0.11    C     F    Directory Server - Base Client
      idsldap.cltjava64.rte     6.4.0.11    C     F    Directory Server - Java Client
      idsldap.license64.rte     6.4.0.11    C     F    Directory Server - License
      idsldap.msg64.en_US       6.4.0.11    C     F    Directory Server - Messages -
      krb5.client.rte            1.6.0.3    C     F    Network Authentication Service
      krb5.client.samples        1.6.0.3    C     F    Network Authentication Service
      krb5.doc.en_US.html        1.6.0.3    C     F    Network Auth Service HTML
      krb5.doc.en_US.pdf         1.6.0.3    C     F    Network Auth Service PDF
      krb5.lic                   1.6.0.3    C     F    Network Authentication Service
      krb5.msg.en_US.client.rte  1.6.0.3    C     F    Network Auth Service Client
      krb5-libs                 1.16.1-2    C     R    The shared libraries used by


    relevant RPM versions:

    sudo-1.8.27-2.ppc
    gettext-0.19.8.1-3.ppc
    openldap-2.4.46-1.ppc

    any idea what/where is wrong?



  • 2.  Re: Sudo problem after implementing freeipa

    Posted Fri August 30, 2019 08:36 AM

    Originally posted by: JayZach


    I don't have an idea... but I have a very similar issue this morning after doing a 'yum update' on my server.. 

    After the below packages updated, I can no longer sudo with users authenticating with Kerberos, as I get the "sudo: you do not exist in the passwd database" error.  I tried to downgrade sudo, but no dice.  So, something else needs to be downgraded or some sqlite database has been wiped or something... I'm not sure.   We're not doing ldap lookup, but we've created local users matching UIDs in our AD and do Kerberos authentication.  "Kerberos users" can login via ssh, but can't sudo.  Local users can login via ssh and sudo fine..


    Aug 30 07:42:49 Updated: ncurses-6.1-2.ppc
    Aug 30 07:42:49 Updated: readline-8.0-1.ppc
    Aug 30 07:42:50 Updated: libffi-3.2.1-3.ppc
    Aug 30 07:42:50 Updated: libiconv-1.14-2.ppc
    Aug 30 07:42:51 Updated: openldap-2.4.46-2.ppc
    Aug 30 07:42:51 Updated: bzip2-1.0.6-3.ppc
    Aug 30 07:42:51 Installed: pcre-8.42-1.ppc
    Aug 30 07:42:51 Installed: p11-kit-0.23.16-1.ppc
    Aug 30 07:42:53 Updated: ca-certificates-2019.01.10-1.ppc
    Aug 30 07:42:54 Updated: sqlite-3.28.0-1.ppc
    Aug 30 07:42:54 Updated: expat-2.2.6-1.ppc
    Aug 30 07:42:54 Updated: gdbm-1.18.1-1.ppc
    Aug 30 07:43:00 Updated: python-2.7.16-1.ppc
    Aug 30 07:43:02 Updated: vim-common-8.0-4.ppc
    Aug 30 07:43:02 Updated: libssh2-1.8.2-1.ppc
    Aug 30 07:43:05 Installed: krb5-libs-1.16.1-2.ppc
    Aug 30 07:43:05 Updated: curl-7.65.1-1.ppc
    Aug 30 07:43:05 Updated: vim-enhanced-8.0-4.ppc
    Aug 30 07:43:06 Updated: yum-3.4.3-7.noarch
    Aug 30 07:43:06 Updated: python-devel-2.7.16-1.ppc
    Aug 30 07:43:06 Updated: python-tools-2.7.16-1.ppc
    Aug 30 07:43:06 Updated: grep-3.3-1.ppc
    Aug 30 07:43:07 Updated: sudo-1.8.27-2.ppc
    Aug 30 07:43:07 Updated: wget-1.20.3-1.ppc
    Aug 30 07:43:07 Updated: sed-4.5-2.ppc
    Aug 30 08:00:04 Installed: bash-completion-2.9-1.noarch
    Aug 30 08:12:41 Installed: sudo-1.8.27-1.ppc




  • 3.  Re: Sudo problem after implementing freeipa

    Posted Fri August 30, 2019 09:07 AM

    Originally posted by: JayZach


    I've downgraded several packages that I saw we have in common and I thought might have some effect, but no luck so far..  I'm thinking some config file got changed somewhere, but I can't find it if so..

    Here is what I've downgraded (and also curl as a dependency, but I don't think that has any relevance):

    sudo-1.8.27-1.ppc
    gettext-0.19.8.1-3.ppc
    krb5-libs-1.16.1-1.ppc
    openldap-2.4.46-1.ppc





  • 4.  Re: Sudo problem after implementing freeipa

    Posted Fri August 30, 2019 09:35 AM

    Originally posted by: Tin_Cup


    I tried to debug PAM, by doing a /etc/pam_debug (see: https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/security/pam_enabling_debug.html)

    tested again and following info from logging after login as me and doing a sudo -l:

    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_start(sudo xxxxxx)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(1)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(2)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(5)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(8)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(3)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_authenticate()
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: load_modules: /usr/lib/security/pam_aix
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: load_function: successful load of pam_sm_authenticate
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_authenticate: error Authentication failed
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(7)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(6)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_authenticate()
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: load_modules: /usr/lib/security/pam_aix
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_authenticate: error Authentication failed
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(7)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(6)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_authenticate()
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: load_modules: /usr/lib/security/pam_aix
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_authenticate: error Authentication failed
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(7)
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_set_item(6)
    Aug 30 15:17:58 SUCENA61 auth|security:alert sudo:  xxxxxxx : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/xxxxxxx ; USER=root ; COMMAND=list
    Aug 30 15:17:58 SUCENA61 auth|security:debug sudo PAM: pam_end(): status = Authentication failed

    doing it as user fallback:

    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_start(sudo fallback)
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_set_item(1)
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_set_item(2)
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_set_item(5)
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_set_item(8)
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_set_item(3)
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_acct_mgmt()
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: load_modules: /usr/lib/security/pam_aix
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: load_function: successful load of pam_sm_acct_mgmt
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_acct_mgmt: error System error
    Aug 30 15:30:46 SUCENA61 auth|security:alert sudo: fallback : PAM account management error: System error ; TTY=pts/2 ; PWD=/home/fallback ; USER=root ; COMMAND=list
    Aug 30 15:30:46 SUCENA61 auth|security:debug sudo PAM: pam_end(): status = System error


    not getting more helpful info for me... 




  • 5.  Re: Sudo problem after implementing freeipa

    Posted Fri August 30, 2019 09:09 AM

    Originally posted by: JayZach


    I see there is a prior thread on this also..

    https://www.ibm.com/developerworks/community/forums/html/topic?id=f8f0d9e4-1bde-4405-a6ba-1a058e350a1d&ps=25



  • 6.  Re: Sudo problem after implementing freeipa

    Posted Fri August 30, 2019 10:38 AM

    Originally posted by: Edward Davignon


    Here is an example of some of the things I would look at:

    Run updtvpkg as root to make sure the lslpp/installp inventory match rpm.

    Check lslpp for versions of sudo.  (Try it without the -w to show words that contain the expression.)

    See where sudo is in your shell's search path (it could be aliased or a shell function).

    See if it is in rpm's inventory.

    See if it is in lslpp's inventory.

    If it is in lslpp, see what fileset(s) it is part of. (With an example for the ls command.)  Note: I have seen sudo distributed as an installp package.  I have also seen it manually copied from another system or a custom compiled version.

    You may also want to see where or if /etc/sudoers is installed from.  Also, check "# ls -lRrt /etc/sudoers* " for saved versions and/or other surprises.

    Obviously, you would need to check the Kerberos configuration, and if LDAP or openldap were configured and when.  The istat command in AIX is useful for checking time stamps on files and subdirectories.


    # /usr/sbin/updtvpkg

    $ lslpp -Lc | grep -i -w -e sudo -e curl -e gettext -e krb5-libs -e openldap | awk -F: '{print $2"\t"$3}' | sort | expand -30
    curl-7.64.0-1                 7.64.0-1
    gettext-0.19.8.1-3            0.19.8.1-3
    openldap-2.4.46-2             2.4.46-2
    sudo-1.8.27-2                 1.8.27-2
    $ type -a sudo
    sudo is aliased to `/usr/bin/sudo ODMDIR=/etc/objrepos'
    sudo is /usr/bin/sudo
    sudo is /opt/freeware/bin/sudo
    $ rpm -qf /usr/bin/sudo
    sudo-1.8.27-2.ppc
    $ lslpp -w /usr/bin/sudo
    $ lslpp -w /usr/bin/ls
      File                                        Fileset               Type
      ----------------------------------------------------------------------------
      /usr/bin/ls                                 bos.rte.commands      File
    $ lslpp -Lc bos.rte.commands
    #Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description:Destination Dir.:Uninstaller:Message Catalog:Message Set:Message Number:Parent:Automatic:EFIX Locked:Install Path:Build Date
    bos:bos.rte.commands:7.2.2.16: : :C:F:Commands: : : : : : :0:0:/:1845
    $ lslpp -l $(lslpp -wc /usr/bin/ls | awk -F: '/^[^#]/{print $2}' | sort -u)
      Fileset                      Level  State      Description
      ----------------------------------------------------------------------------
    Path: /usr/lib/objrepos
      bos.rte.commands          7.2.2.16  COMMITTED  Commands

    Path: /etc/objrepos
      bos.rte.commands          7.2.2.16  COMMITTED  Commands
    $


    $ su - -c 'ls -lRrt /etc/sudo*'
    […]
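The inventory cross-check Edward describes (run updtvpkg, then make sure what lslpp and rpm report agree), as an added example that is not code from any post in this thread. It works offline on two captured listings in the formats shown above: `lslpp -Lc` (colon separated, with the column layout taken from the header line in the post) and `rpm -qa` (one name-version-release.arch per line). The two listings embedded below are constructed to resemble the versions discussed in the thread, not copied from a real host, and the assumption that RPM rows carry Type `R` in the lslpp output is this example's, not something the post states.

```shell
#!/bin/sh
# Added example (not from the thread): report packages whose version in the
# installp/ODM inventory (lslpp -Lc output) disagrees with rpm's database
# (rpm -qa output), or that are present on one side only.  A package that rpm
# knows but lslpp does not is exactly the case updtvpkg exists to repair.
#
# Assumed lslpp -Lc layout (from the header line shown in the thread):
#   Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description:...
# with Type "R" assumed for RPM packages and "F" for installp filesets.

inventory_mismatch() {            # $1 = lslpp -Lc capture, $2 = rpm -qa capture
    awk -F: '
        # first file: lslpp -Lc; skip the header, keep only RPM (Type R) rows
        FNR == NR { if ($0 !~ /^#/ && $7 == "R") lvl[$1] = $3; next }
        # second file: rpm -qa, e.g. "krb5-libs-1.16.1-2.ppc"
        {
            pkg = $0
            sub(/\.(ppc|ppc64|noarch)$/, "", pkg)     # drop the architecture suffix
            n = split(pkg, p, "-")                     # version and release are the last two fields
            ver = p[n-1] "-" p[n]
            name = substr(pkg, 1, length(pkg) - length(ver) - 1)
            seen[name] = 1
            if (!(name in lvl))
                printf "%s: in rpm (%s) but not in lslpp inventory; run updtvpkg\n", name, ver
            else if (lvl[name] != ver)
                printf "%s: lslpp=%s rpm=%s\n", name, lvl[name], ver
        }
        END { for (k in lvl) if (!(k in seen))
                  printf "%s: in lslpp (%s) but not in rpm database\n", k, lvl[k] }
    ' "$1" "$2"
}

# Constructed sample captures (not from a real host).  On the system under test
# replace them with:  lslpp -Lc > lslpp.txt ; rpm -qa > rpm.txt
write_samples() {                 # $1 = directory to write into
    cat > "$1/lslpp.txt" <<'EOF'
#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description:Destination Dir.:Uninstaller:Message Catalog:Message Set:Message Number:Parent:Automatic:EFIX Locked:Install Path:Build Date
bos:bos.rte.commands:7.2.2.16: : :C:F:Commands: : : : : : :0:0:/:1845
curl:curl-7.64.0-1:7.64.0-1: : :C:R:get a file from a FTP or HTTP server: : : : : : :0:0:/:
gettext:gettext-0.19.8.1-3:0.19.8.1-3: : :C:R:GNU libraries and utilities for producing multi-lingual messages: : : : : : :0:0:/:
krb5-libs:krb5-libs-1.16.1-1:1.16.1-1: : :C:R:The shared libraries used by Kerberos 5: : : : : : :0:0:/:
openldap:openldap-2.4.46-1:2.4.46-1: : :C:R:LDAP Suite of protocols: : : : : : :0:0:/:
sudo:sudo-1.8.27-2:1.8.27-2: : :C:R:Allows restricted root access for specified users: : : : : : :0:0:/:
EOF
    cat > "$1/rpm.txt" <<'EOF'
curl-7.65.1-1.ppc
gettext-0.19.8.1-3.ppc
krb5-libs-1.16.1-2.ppc
openldap-2.4.46-1.ppc
sudo-1.8.27-2.ppc
bash-completion-2.9-1.noarch
EOF
}

# Runs the check on the constructed captures and prints the report.
sample_report() {
    d=${TMPDIR:-/tmp}/invchk.$$
    mkdir -p "$d" && write_samples "$d"
    inventory_mismatch "$d/lslpp.txt" "$d/rpm.txt"
    rm -rf "$d"
}

sample_report
```

On the constructed input the report flags curl and krb5-libs as newer in rpm than in the installp inventory and bash-completion as known only to rpm; a clean host after updtvpkg prints nothing. The awk program deliberately splits the package name from the version at the last two dashes so names that themselves contain a dash (krb5-libs, bash-completion) are handled.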



  • 7.  Re: Sudo problem after implementing freeipa

    Posted Fri August 30, 2019 11:50 AM

    Originally posted by: JayZach


    Thanks for the ideas.. I'm not sure my initial post was clear that users can login via ssh to their accounts via Kerberos, but when they try to sudo, they get the "sudo: you do not exist in the passwd database" (or "unknown uid: - 301" now on the original version of sudo package).  So, I don't think it's a 'bug' in sudo, but more likely a bug in one of the other packages that let sudo talk to kerberos (above user mentioned PAM.. we're using STD_AUTH, not PAM, so I don't "think" PAM is in play..


    Run updtvpkg as root to make sure the lslpp/installp inventory match rpm. - ran updtvpkg

    Check lslpp for versions of sudo.  (Try it without the -w to show words that contain the expression.) - all versions match between lslpp and rpm output

    See where sudo is in your shell's search path (it could be aliased or a shell function). - not aliased - at /usr/bin/sudo which is linked to /opt/freeware/bin/sudo..

    See if it is in rpm's inventory. - YES

    See if it is in lslpp's inventory.  -YES

    If it is in lslpp, see what fileset(s) it is part of. (With an example for the ls command.)  Note: I have seen sudo distributed as an installp package.  I have also seen it manually copied from another system or a custom compiled version.

    lslpp -Lc | grep -i -w -e sudo -e curl -e gettext -e krb5-libs -e openldap | awk -F: '{print $2"\t"$3}' | sort | expand -30
    curl-7.64.0-1                 7.64.0-1
    gettext-0.19.8.1-3            0.19.8.1-3
    krb5-libs-1.16.1-1            1.16.1-1
    openldap-2.4.46-1             2.4.46-1
    sudo-1.8.27-2                 1.8.27-2


    You may also want to see where or if /etc/sudoers is installed from.  Also, check "# ls -lRrt /etc/sudoers* " for saved versions and/or other surprises.  - no surprises

    Obviously, you would need to check the Kerberos configuration, and if LDAP or openldap were configured and when.  The istat command in AIX is useful for checking time stamps on files and subdirectories.  - kerberos config seems fine (it lets users login via kerberos, just not sudo - and I don't see changes).  We have not configured LDAP.



  • 8.  Re: Sudo problem after implementing freeipa

    Posted Fri August 30, 2019 09:27 AM

    Originally posted by: JayZach


    I downgraded sudo more to the version on my production server (sudo-1.8.21p2-1.ppc), and now I get a different although somewhat similar error..


    sudo: unknown uid: 303
    sudo: unable to initialize policy plugin



  • 9.  Re: Sudo problem after implementing freeipa

    Posted Fri August 30, 2019 12:04 PM

    Originally posted by: JayZach


    Figured it out in the other thread..


    https://www.ibm.com/developerworks/community/forums/html/topic?id=f8f0d9e4-1bde-4405-a6ba-1a058e350a1d&ps=25#repliesPg=0


    krb5-libs was the culprit (well, curl was the actual culprit that pulled in the dependency of krb5-libs)


    I downgraded curl, then could "yum remove krb5-libs" after that - then my kerberos users could use sudo again...
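A way to see what a yum run actually changed, added here as an example that is not code from any of the posters. It walks a copy of /var/log/yum.log, groups lines written within a few minutes of each other into one transaction, and for each prints the number of updated packages and every package that was newly installed rather than updated. The newly installed entries are the ones that arrived as dependencies (krb5-libs here, pulled in by curl) or by hand, and they are the first place to look when a previously working tool breaks after an update. The log lines embedded below are the ones JayZach posted above; the 300-second transaction gap is an assumption of this example, since yum.log carries no transaction id.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a yum.log by transaction.
# Lines written within `gap` seconds of each other (assumed 300 s here; yum.log
# itself records no transaction id) are treated as one yum run.  For each run we
# print how many packages were updated and the full name of every package that
# was newly installed, since a new package is usually a dependency pulled in by
# something else (krb5-libs by curl in this thread) rather than a deliberate choice.
# Assumed line format: "Mon DD HH:MM:SS Action: name-version-release.arch";
# only "Installed:" and "Updated:" actions are considered, "Erased:" is ignored.

yum_transactions() {              # $1 = path to a yum.log copy (reads stdin if omitted)
    awk -v gap=300 '
        function secs(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
        function flush() {
            printf "transaction %d at %s: %d updated, new packages: %s\n", tx, start, nupd, (ninst == "" ? "none" : ninst)
        }
        $4 == "Installed:" || $4 == "Updated:" {
            now = secs($3)
            # start a new transaction on the first line, on a day change, or after a long pause
            if (tx == 0 || ($1 $2) != day || now - last > gap) {
                if (tx > 0) flush()
                tx++; day = $1 $2; start = $1 " " $2 " " $3; nupd = 0; ninst = ""
            }
            last = now
            if ($4 == "Updated:") nupd++
            else ninst = ninst (ninst == "" ? "" : " ") $5
        }
        END { if (tx > 0) flush() }
    ' "$@"
}

# The yum.log excerpt JayZach posted, used here as sample input.
sample_log() {
    cat <<'EOF'
Aug 30 07:42:49 Updated: ncurses-6.1-2.ppc
Aug 30 07:42:49 Updated: readline-8.0-1.ppc
Aug 30 07:42:50 Updated: libffi-3.2.1-3.ppc
Aug 30 07:42:50 Updated: libiconv-1.14-2.ppc
Aug 30 07:42:51 Updated: openldap-2.4.46-2.ppc
Aug 30 07:42:51 Updated: bzip2-1.0.6-3.ppc
Aug 30 07:42:51 Installed: pcre-8.42-1.ppc
Aug 30 07:42:51 Installed: p11-kit-0.23.16-1.ppc
Aug 30 07:42:53 Updated: ca-certificates-2019.01.10-1.ppc
Aug 30 07:42:54 Updated: sqlite-3.28.0-1.ppc
Aug 30 07:42:54 Updated: expat-2.2.6-1.ppc
Aug 30 07:42:54 Updated: gdbm-1.18.1-1.ppc
Aug 30 07:43:00 Updated: python-2.7.16-1.ppc
Aug 30 07:43:02 Updated: vim-common-8.0-4.ppc
Aug 30 07:43:02 Updated: libssh2-1.8.2-1.ppc
Aug 30 07:43:05 Installed: krb5-libs-1.16.1-2.ppc
Aug 30 07:43:05 Updated: curl-7.65.1-1.ppc
Aug 30 07:43:05 Updated: vim-enhanced-8.0-4.ppc
Aug 30 07:43:06 Updated: yum-3.4.3-7.noarch
Aug 30 07:43:06 Updated: python-devel-2.7.16-1.ppc
Aug 30 07:43:06 Updated: python-tools-2.7.16-1.ppc
Aug 30 07:43:06 Updated: grep-3.3-1.ppc
Aug 30 07:43:07 Updated: sudo-1.8.27-2.ppc
Aug 30 07:43:07 Updated: wget-1.20.3-1.ppc
Aug 30 07:43:07 Updated: sed-4.5-2.ppc
Aug 30 08:00:04 Installed: bash-completion-2.9-1.noarch
Aug 30 08:12:41 Installed: sudo-1.8.27-1.ppc
EOF
}

# Runs the summary over the posted excerpt and prints one line per transaction.
sample_report() { sample_log | yum_transactions; }

sample_report
```

On the posted excerpt the first transaction (the `yum update`) shows 22 updated packages and three new ones, pcre, p11-kit and krb5-libs; the later two single-package transactions are the manual bash-completion install and the sudo downgrade. To find which updated package dragged a new one in, `rpm -q --whatrequires` on the new package's name (or, for library-level dependencies, on the shared-library name it provides) lists the installed packages that declare the dependency.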



  • 10.  Re: Sudo problem after implementing freeipa

    Posted Wed September 04, 2019 07:29 AM

    Originally posted by: Tin_Cup


    Thanks JayZach, that worked for me, also ;-)



  • 11.  Re: Sudo problem after implementing freeipa

    Posted Wed September 04, 2019 07:36 AM

    Originally posted by: JayZach


    Yay! YW..   The posts of Edward Davignon led me to it, so I thank him... :D




  • 12.  Re: Sudo problem after implementing freeipa

    Posted Thu September 05, 2019 02:30 PM

    Originally posted by: Edward Davignon


    I'm glad to be of service.