sudo-1.8.31p1-1 fails for Kerberos authonly user under fileset krb5.client.rte 1.16.1.2 after reinstall of krb5-libs and/or libiconv

Error message:

sudo: you do not exist in the passwd database

Other things to note:

sudo_64 always fails.

krb5.client.rte 1.6.0.5 is near end of support

NAS krb5 1.6.1.2 update_all leaves down-level message filesets (krb5.msg.*)

Here is what I did:

On the test server:

$ echo "--->$LIBPATH<---"

---><---

$ date -u

Fri Sep  4 17:08:38 UTC 2020

$ sudo ODMDIR=/etc/objrepos yum distro-sync

[…]

$ sudo ODMDIR=/etc/objrepos yum reinstall krb5-libs libiconv

[…]

$ lslpp -Lqc krb5.\* | awk -F: '{print $2"\t"$3}' | expand -t 32

krb5.client.rte                 1.6.0.5

krb5.client.samples             1.6.0.5

krb5.doc.en_US.html             1.6.0.5

krb5.doc.en_US.pdf              1.6.0.5

krb5.lic                        1.6.0.5

krb5.msg.en_US.client.rte       1.6.0.5

krb5.toolkit.adt                1.6.0.5

$ rpm -q sudo krb5-libs libiconv

sudo-1.8.31p1-1.ppc

krb5-libs-1.16.1-4.ppc

libiconv-1.16-1.ppc

$ /usr/bin/grep -p KRB5 /etc/methods.cfg

KRB5:

        program = /usr/lib/security/KRB5

        program64 = /usr/lib/security/KRB5_64

        options = authonly,kadmind=no,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

KRB5files:

        options = db=BUILTIN,auth=KRB5

$ sudo lsuser -f $(id -un) | grep KRB5

        registry=KRB5files

        SYSTEM=KRB5files

$ sudo -k id

[ … this works … ]

$ sudo_64 -k id

[ … this does not work … ]

exec(): 0509-036 Cannot load program sudo_64 because of the following errors:

        0509-150   Dependent module /opt/freeware/libexec/sudo/libsudo_util.so could not be loaded.

        0509-022 Cannot load module /opt/freeware/libexec/sudo/libsudo_util.so.

        0509-026 System error: Cannot run a file that does not have a valid format.

On the NIM server:

$ /usr/bin/grep -p discontinued Readme_NAS_AIX_1.16.1.2.txt

Please note that the support for current versions of NAS (1.5.0.xx and 1.6.0.x) will

be discontinued from end of year 2020, hence customers are advised to update to

1.16.1.2 version.

$ nim -o cust -a lpp_source=lpp_krb5_1_16_1_2 -a installp_flags=acNgXYb  -a fixes=update_all $server

[…]

$nim -o cust -a lpp_source=lpp_krb5_1_6_0_5 -a installp_flags=ugb -a filesets='krb5.msg' $server

[ … uninstall leftover msg files … ]

On the remote server:

$ sudo -k id

[ … this still works … ]

$ sudo ODMDIR=/etc/objrepos yum reinstall krb5-libs libiconv

[…]

$ sudo -k id

sudo: you do not exist in the passwd database

[ … this no longer works … ]

$

Now to fix it.

On the NIM server:

nim -o cust -a lpp_source=lpp7200-03-03-all-ibm -a installp_flags=aFXYb -a filesets='

krb5.client.rte 1.6.0.5

krb5.client.samples 1.6.0.5

krb5.doc.en_US.html 1.6.0.5

krb5.doc.en_US.pdf 1.6.0.5

krb5.lic 1.6.0.5

krb5.toolkit.adt 1.6.0.5

' \

 $server

On the test server:

$ sudo -k id

sudo: you do not exist in the passwd database

[ … this still does not work … ]

On the test server as root:

# yum reinstall krb5-libs libiconv

[…]

On the test server:

$ sudo -k id

[ … this works again … ]

sudo-1.8.31p1-1 fails for Kerberos authonly user under fileset krb5.client.rte 1.16.1.2 after reinstall of krb5-libs and/or libiconv

Error message:

sudo: you do not exist in the passwd database

Other things to note:

sudo_64 always fails.

krb5.client.rte 1.6.0.5 is near end of support

NAS krb5 1.6.1.2 update_all leaves down-level message filesets (krb5.msg.*)

Here is what I did:

On the test server:

$ echo "--->$LIBPATH<---"

---><---

$ date -u

Fri Sep  4 17:08:38 UTC 2020

$ sudo ODMDIR=/etc/objrepos yum distro-sync

[…]

$ sudo ODMDIR=/etc/objrepos yum reinstall krb5-libs libiconv

[…]

$ lslpp -Lqc krb5.\* | awk -F: '{print $2"\t"$3}' | expand -t 32

krb5.client.rte                 1.6.0.5

krb5.client.samples             1.6.0.5

krb5.doc.en_US.html             1.6.0.5

krb5.doc.en_US.pdf              1.6.0.5

krb5.lic                        1.6.0.5

krb5.msg.en_US.client.rte       1.6.0.5

krb5.toolkit.adt                1.6.0.5

$ rpm -q sudo krb5-libs libiconv

sudo-1.8.31p1-1.ppc

krb5-libs-1.16.1-4.ppc

libiconv-1.16-1.ppc

$ /usr/bin/grep -p KRB5 /etc/methods.cfg

KRB5:

        program = /usr/lib/security/KRB5

        program64 = /usr/lib/security/KRB5_64

        options = authonly,kadmind=no,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

KRB5files:

        options = db=BUILTIN,auth=KRB5

$ sudo lsuser -f $(id -un) | grep KRB5

        registry=KRB5files

        SYSTEM=KRB5files

$ sudo -k id

[ … this works … ]

$ sudo_64 -k id

[ … this does not work … ]

exec(): 0509-036 Cannot load program sudo_64 because of the following errors:

        0509-150   Dependent module /opt/freeware/libexec/sudo/libsudo_util.so could not be loaded.

        0509-022 Cannot load module /opt/freeware/libexec/sudo/libsudo_util.so.

        0509-026 System error: Cannot run a file that does not have a valid format.

On the NIM server:

$ /usr/bin/grep -p discontinued Readme_NAS_AIX_1.16.1.2.txt

Please note that the support for current versions of NAS (1.5.0.xx and 1.6.0.x) will

be discontinued from end of year 2020, hence customers are advised to update to

1.16.1.2 version.

$ nim -o cust -a lpp_source=lpp_krb5_1_16_1_2 -a installp_flags=acNgXYb  -a fixes=update_all $server

[…]

$nim -o cust -a lpp_source=lpp_krb5_1_6_0_5 -a installp_flags=ugb -a filesets='krb5.msg' $server

[ … uninstall leftover msg files … ]

On the remote server:

$ sudo -k id

[ … this still works … ]

$ sudo ODMDIR=/etc/objrepos yum reinstall krb5-libs libiconv

[…]

$ sudo -k id

sudo: you do not exist in the passwd database

[ … this no longer works … ]

$

Now to fix it.

On the NIM server:

nim -o cust -a lpp_source=lpp7200-03-03-all-ibm -a installp_flags=aFXYb -a filesets='

krb5.client.rte 1.6.0.5

krb5.client.samples 1.6.0.5

krb5.doc.en_US.html 1.6.0.5

krb5.doc.en_US.pdf 1.6.0.5

krb5.lic 1.6.0.5

krb5.toolkit.adt 1.6.0.5

' \

 $server

On the test server:

$ sudo -k id

sudo: you do not exist in the passwd database

[ … this still does not work … ]

On the test server as root:

# yum reinstall krb5-libs libiconv

[…]

On the test server:

$ sudo -k id

[ … this works again … ]

Ayappan,
It looks like I will need to track down the dependencies for "libibmldap.a".  It looks like it is in "idsldap.clt_max_crypto32bit64" and "idsldap.clt_max_crypto64bit64".

I try to limit the number of surprises (especially when dealing with security) so I currently have no integration with LDAP and AIX.  I only use Kerberos for passwords for some accounts.


Here is what I have tried so far:

# cp -pf /etc/sudoers /etc/sudoers.sav
# yum erase sudo
[...]
warning: /etc/sudoers saved as /etc/sudoers.rpmsave
[...]
# yum install sudo_ids
[...]
--> Processing Dependency: libibmldap.a for package: sudo_ids-1.8.31p1-2.ppc
--> Finished Dependency Resolution
Error: Package: sudo_ids-1.8.31p1-2.ppc (AIX_Toolbox)
Requires: libibmldap.a
[...]
# yum install sudo
[...]
# cp -pf /etc/sudoers.rpmsave /etc/sudoers
#

sudo-1.8.31p1-1 fails for Kerberos authonly user under fileset krb5.client.rte 1.16.1.2 after reinstall of krb5-libs and/or libiconv

Error message:

sudo: you do not exist in the passwd database

Other things to note:

sudo_64 always fails.

krb5.client.rte 1.6.0.5 is near end of support

NAS krb5 1.6.1.2 update_all leaves down-level message filesets (krb5.msg.*)

Here is what I did:

On the test server:

$ echo "--->$LIBPATH<---"

---><---

$ date -u

Fri Sep  4 17:08:38 UTC 2020

$ sudo ODMDIR=/etc/objrepos yum distro-sync

[…]

$ sudo ODMDIR=/etc/objrepos yum reinstall krb5-libs libiconv

[…]

$ lslpp -Lqc krb5.\* | awk -F: '{print $2"\t"$3}' | expand -t 32

krb5.client.rte                 1.6.0.5

krb5.client.samples             1.6.0.5

krb5.doc.en_US.html             1.6.0.5

krb5.doc.en_US.pdf              1.6.0.5

krb5.lic                        1.6.0.5

krb5.msg.en_US.client.rte       1.6.0.5

krb5.toolkit.adt                1.6.0.5

$ rpm -q sudo krb5-libs libiconv

sudo-1.8.31p1-1.ppc

krb5-libs-1.16.1-4.ppc

libiconv-1.16-1.ppc

$ /usr/bin/grep -p KRB5 /etc/methods.cfg

KRB5:

        program = /usr/lib/security/KRB5

        program64 = /usr/lib/security/KRB5_64

        options = authonly,kadmind=no,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

KRB5files:

        options = db=BUILTIN,auth=KRB5

$ sudo lsuser -f $(id -un) | grep KRB5

        registry=KRB5files

        SYSTEM=KRB5files

$ sudo -k id

[ … this works … ]

$ sudo_64 -k id

[ … this does not work … ]

exec(): 0509-036 Cannot load program sudo_64 because of the following errors:

        0509-150   Dependent module /opt/freeware/libexec/sudo/libsudo_util.so could not be loaded.

        0509-022 Cannot load module /opt/freeware/libexec/sudo/libsudo_util.so.

        0509-026 System error: Cannot run a file that does not have a valid format.

On the NIM server:

$ /usr/bin/grep -p discontinued Readme_NAS_AIX_1.16.1.2.txt

Please note that the support for current versions of NAS (1.5.0.xx and 1.6.0.x) will

be discontinued from end of year 2020, hence customers are advised to update to

1.16.1.2 version.

$ nim -o cust -a lpp_source=lpp_krb5_1_16_1_2 -a installp_flags=acNgXYb  -a fixes=update_all $server

[…]

$nim -o cust -a lpp_source=lpp_krb5_1_6_0_5 -a installp_flags=ugb -a filesets='krb5.msg' $server

[ … uninstall leftover msg files … ]

On the remote server:

$ sudo -k id

[ … this still works … ]

$ sudo ODMDIR=/etc/objrepos yum reinstall krb5-libs libiconv

[…]

$ sudo -k id

sudo: you do not exist in the passwd database

[ … this no longer works … ]

$

Now to fix it.

On the NIM server:

nim -o cust -a lpp_source=lpp7200-03-03-all-ibm -a installp_flags=aFXYb -a filesets='

krb5.client.rte 1.6.0.5

krb5.client.samples 1.6.0.5

krb5.doc.en_US.html 1.6.0.5

krb5.doc.en_US.pdf 1.6.0.5

krb5.lic 1.6.0.5

krb5.toolkit.adt 1.6.0.5

' \

 $server

On the test server:

$ sudo -k id

sudo: you do not exist in the passwd database

[ … this still does not work … ]

On the test server as root:

# yum reinstall krb5-libs libiconv

[…]

On the test server:

$ sudo -k id

[ … this works again … ]

Ayappan,
It looks like I will need to track down the dependencies for "libibmldap.a".  It looks like it is in "idsldap.clt_max_crypto32bit64" and "idsldap.clt_max_crypto64bit64".

I try to limit the number of surprises (especially when dealing with security) so I currently have no integration with LDAP and AIX.  I only use Kerberos for passwords for some accounts.


Here is what I have tried so far:

# cp -pf /etc/sudoers /etc/sudoers.sav
# yum erase sudo
[...]
warning: /etc/sudoers saved as /etc/sudoers.rpmsave
[...]
# yum install sudo_ids
[...]
--> Processing Dependency: libibmldap.a for package: sudo_ids-1.8.31p1-2.ppc
--> Finished Dependency Resolution
Error: Package: sudo_ids-1.8.31p1-2.ppc (AIX_Toolbox)
Requires: libibmldap.a
[...]
# yum install sudo
[...]
# cp -pf /etc/sudoers.rpmsave /etc/sudoers
#

sudo-1.8.31p1-1 fails for Kerberos authonly user under fileset krb5.client.rte 1.16.1.2 after reinstall of krb5-libs and/or libiconv

Error message:

sudo: you do not exist in the passwd database

Other things to note:

sudo_64 always fails.

krb5.client.rte 1.6.0.5 is near end of support

NAS krb5 1.6.1.2 update_all leaves down-level message filesets (krb5.msg.*)

Here is what I did:

On the test server:

$ echo "--->$LIBPATH<---"

---><---

$ date -u

Fri Sep  4 17:08:38 UTC 2020

$ sudo ODMDIR=/etc/objrepos yum distro-sync

[…]

$ sudo ODMDIR=/etc/objrepos yum reinstall krb5-libs libiconv

[…]

$ lslpp -Lqc krb5.\* | awk -F: '{print $2"\t"$3}' | expand -t 32

krb5.client.rte                 1.6.0.5

krb5.client.samples             1.6.0.5

krb5.doc.en_US.html             1.6.0.5

krb5.doc.en_US.pdf              1.6.0.5

krb5.lic                        1.6.0.5

krb5.msg.en_US.client.rte       1.6.0.5

krb5.toolkit.adt                1.6.0.5

$ rpm -q sudo krb5-libs libiconv

sudo-1.8.31p1-1.ppc

krb5-libs-1.16.1-4.ppc

libiconv-1.16-1.ppc

$ /usr/bin/grep -p KRB5 /etc/methods.cfg

KRB5:

        program = /usr/lib/security/KRB5

        program64 = /usr/lib/security/KRB5_64

        options = authonly,kadmind=no,is_kadmind_compat=no,tgt_verify=no,allow_expired_pwd=yes

KRB5files:

        options = db=BUILTIN,auth=KRB5

$ sudo lsuser -f $(id -un) | grep KRB5

        registry=KRB5files

        SYSTEM=KRB5files

$ sudo -k id

[ … this works … ]

$ sudo_64 -k id

[ … this does not work … ]

exec(): 0509-036 Cannot load program sudo_64 because of the following errors:

        0509-150   Dependent module /opt/freeware/libexec/sudo/libsudo_util.so could not be loaded.

        0509-022 Cannot load module /opt/freeware/libexec/sudo/libsudo_util.so.

        0509-026 System error: Cannot run a file that does not have a valid format.

On the NIM server:

$ /usr/bin/grep -p discontinued Readme_NAS_AIX_1.16.1.2.txt

Please note that the support for current versions of NAS (1.5.0.xx and 1.6.0.x) will

be discontinued from end of year 2020, hence customers are advised to update to

1.16.1.2 version.

$ nim -o cust -a lpp_source=lpp_krb5_1_16_1_2 -a installp_flags=acNgXYb  -a fixes=update_all $server

[…]

$nim -o cust -a lpp_source=lpp_krb5_1_6_0_5 -a installp_flags=ugb -a filesets='krb5.msg' $server

[ … uninstall leftover msg files … ]

On the remote server:

$ sudo -k id

[ … this still works … ]

$ sudo ODMDIR=/etc/objrepos yum reinstall krb5-libs libiconv

[…]

$ sudo -k id

sudo: you do not exist in the passwd database

[ … this no longer works … ]

$

Now to fix it.

On the NIM server:

nim -o cust -a lpp_source=lpp7200-03-03-all-ibm -a installp_flags=aFXYb -a filesets='

krb5.client.rte 1.6.0.5

krb5.client.samples 1.6.0.5

krb5.doc.en_US.html 1.6.0.5

krb5.doc.en_US.pdf 1.6.0.5

krb5.lic 1.6.0.5

krb5.toolkit.adt 1.6.0.5

' \

 $server

On the test server:

$ sudo -k id

sudo: you do not exist in the passwd database

[ … this still does not work … ]

On the test server as root:

# yum reinstall krb5-libs libiconv

[…]

On the test server:

$ sudo -k id

[ … this works again … ]