sudo_ids broken at 1.8.27-2 level

  • 1.  sudo_ids broken at 1.8.27-2 level

    Posted Fri June 21, 2019 10:52 AM

    Originally posted by: jgruizny


    I just updated to the latest sudo_ids (sudo_ids-1.8.27-2.ppc) package available, and now I am getting the following errors:

     

    # sudo su - someuserid
    sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
    

     

    Reverting back to version sudo_ids-1.8.27-1.ppc solved the issue.




  • 2.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Mon June 24, 2019 02:10 AM

    Originally posted by: sangameshm


    Since sudo_ids has now been enabled to work with PAM, if we have auth_type as PAM_AUTH in the /etc/security/login.cfg file, then PAM authentication is used.

    If we want to continue using PAM, some additional entries need to be added to the /etc/pam.conf file for sudo to work with PAM authentication.

    sudo   auth      required      /usr/lib/security/pam_aix
    sudo   account   required      /usr/lib/security/pam_aix
    sudo   password  required      /usr/lib/security/pam_aix
    sudo   session   required      /usr/lib/security/pam_aix

     

    If we want to use standard authentication, then the auth_type entry should be STD_AUTH.




  • 3.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Thu June 27, 2019 02:11 PM

    Originally posted by: james.franznick


    Thanks, that worked. I also had to add the following to pam.conf to fix ssh logins:

    sshd   auth      required      /usr/lib/security/pam_aix
    sshd   account   required      /usr/lib/security/pam_aix
    sshd   password  required      /usr/lib/security/pam_aix
    sshd   session   required      /usr/lib/security/pam_aix

     

     




  • 4.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Mon July 01, 2019 08:19 PM

    Originally posted by: james.franznick


    So that worked for "sudo su - root" but does not work for "sudo -u oracle -i". I get the error below. I can't find any actual answers on Google related to this error, but everything points to a PAM config issue.

    # sudo -l
    x386428's Password:
    User x386428 may run the following commands on dugpcdvopsora03:
        (oracle) PASSWD: ALL

     

    # sudo -u oracle  -i
    Sorry, try again.
    Sorry, try again.
    sudo: 3 incorrect password attempts



     

    My pam.conf looks like this, and ssh login and auth work fine:

    ...

    sudo   auth      required      pam_aix
    sudo   account   required      pam_aix
    sudo   password  required      pam_aix
    sudo   session   required      pam_aix

    sshd   auth      required      pam_aix
    sshd   account   required      pam_aix
    sshd   password  required      pam_aix
    sshd   session   required      pam_aix

     

     




  • 5.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Tue July 02, 2019 09:47 AM

    Originally posted by: jgruizny


    I have the same issue: 'sudo su - userid' works OK, but "sudo -u userid -i" doesn't work.




  • 6.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Tue July 02, 2019 11:04 AM

    Originally posted by: sangameshm


    Please see the attached file.




  • 7.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Tue July 02, 2019 01:03 PM

    Originally posted by: james.franznick


    debug log attached



    Attachment(s)

    txt
    sudo_debug.txt   220 KB 1 version


  • 8.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Tue July 02, 2019 02:25 PM

    Originally posted by: jgruizny


    Here is another log file attached



    Attachment(s)

    log
    sudo_debug.log   358 KB 1 version


  • 9.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Tue July 02, 2019 05:20 PM

    Originally posted by: james.franznick


    I rolled back to sudo-1.8.27-1.aix6.1.ppc.rpm and "sudo -u user -i" is working fine with both STD_AUTH and PAM_AUTH.




  • 10.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Wed July 03, 2019 02:39 AM

    Originally posted by: sangameshm


    With the sudo -V command, some interesting output we can see related to PAM authentication is:

     

    PAM service name to use: sudo
    PAM service name to use for login shells: sudo-i

     

    So, try adding this entry in /etc/pam.conf and sudo should work fine.

    sudo-i  account required        pam_aix

     

     

     




  • 11.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Wed July 03, 2019 08:28 AM

    Originally posted by: jgruizny


    Just adding

    sudo-i  account required        pam_aix
    

    to /etc/pam.conf didn't work for me.

    But adding all the same entries as sudo did:

    sudo   auth      required      pam_aix
    sudo   account   required      pam_aix
    sudo   password  required      pam_aix
    sudo   session   required      pam_aix
    
    sudo-i   auth      required      pam_aix
    sudo-i   account   required      pam_aix
    sudo-i   password  required      pam_aix
    sudo-i   session   required      pam_aix
    

     




  • 12.  Re: sudo_ids broken at 1.8.27-2 level

    Posted Wed July 03, 2019 12:58 PM

    Originally posted by: james.franznick


    Works for me also, the "sudo" entries are needed to do "sudo su -", the sudo-i entries are needed to do "sudo -u user -i"
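Added example, not part of the thread or of the sudo_ids package: a POSIX shell/awk check that lists which PAM service names (here `sudo`, `sudo-i` and `sshd`, the ones the thread ends up needing) lack an entry for any of the four module types in a pam.conf-style file. The function names and the sample configuration are constructed for illustration, and the check looks at explicit entries only.

```shell
# Added example; pam_missing and sample_conf are hypothetical helper names.
# Usage: pam_missing FILE SERVICE...   (FILE may be "-" for stdin)
# Prints "service type" for each module type with no explicit entry.
pam_missing() {
    conf=$1; shift
    awk -v want="$*" '
        BEGIN {
            ns = split(want, svc, " ")
            nt = split("auth account password session", typ, " ")
        }
        /^[ \t]*#/ || NF < 4 { next }   # skip comments, blanks, short lines
        { have[$1 SUBSEP $2] = 1 }      # fields: service type control module
        END {
            for (i = 1; i <= ns; i++)
                for (j = 1; j <= nt; j++)
                    if (!((svc[i] SUBSEP typ[j]) in have))
                        print svc[i], typ[j]
        }
    ' "$conf"
}

# Constructed sample: sudo and sshd complete, sudo-i with only "account"
# (the state after post 10's suggestion, which post 11 reports as failing).
sample_conf() {
    cat <<'EOF'
# constructed test data, not taken from a real system
sudo    auth      required  pam_aix
sudo    account   required  pam_aix
sudo    password  required  pam_aix
sudo    session   required  pam_aix
sshd    auth      required  pam_aix
sshd    account   required  pam_aix
sshd    password  required  pam_aix
sshd    session   required  pam_aix
sudo-i  account   required  pam_aix
EOF
}

sample_conf | pam_missing - sudo sudo-i sshd
```

Against a real system, `pam_missing /etc/pam.conf sudo sudo-i sshd` does the same check; empty output means every listed service has all four module types.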

