AIX Open Source


sudo PAM account management error: Invalid argument/sudo: a password is required

  • 1.  sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Thu June 13, 2024 02:00 PM

    I am getting an issue with what looks like our LDAP accounts, not all of them, where there is a sudoers file in place set to NOPASS and it is asking for one as well.  Seeing this on AIX 7.3 or 7.2:

    sudo_ids-1.9.15p5-1.ppc

    ###

     - pam.conf 

    #
    # PAM Configuration File
    #
    #########################################################################
    # change log:
    # 01/19/12 michael - add in stanzas to make this a proper subset of all needed
    # ??/??/11 cwa - added IBM Systems Director lwilogin
    #########################################################################
    #
    # This file controls the PAM stacks for PAM enabled services.
    # The format of each entry is as follows:
    #
    # <service_name> <module_type> <control_flag> <module_path> [module_options]
    #
    # Where:
    #       <service_name> is:
    #               The name of the PAM enabled service.
    #
    #       <module_type> is one of: 
    #               auth, account, password, session
    #
    #       <control_flag> is one of: 
    #               required, requisite, sufficient, optional
    #
    #       <module_path> is:
    #               The path to the module. If the field does not begin with '/' 
    #               then /usr/lib/security is prefixed for 32-bit services,
    #               /usr/lib/security/64/ is prefixed for 64-bit services.
    #               If the module path is specified as full path,then it
    #               directly uses for 32-bit services, for 64-bit services
    #               module path derived as <module_path>/64/<module_name>.
    #
    #       [module_options] is:
    #               An optional field. Consult the specified modules documentation
    #               for valid options.
    #       
    # The service name OTHER controls the behavior of services that are PAM 
    # enabled but do not have an explicit entry in this file.
    #

    #
    # Authentication
    #
    ftp     auth    requisite       /usr/lib/security/pam_permission 
    ftp     auth    required        /usr/lib/security/pam_aix 
    imap    auth    required        /usr/lib/security/pam_aix 
    login   auth    requisite       /usr/lib/security/pam_permission 
    login   auth    required        /usr/lib/security/pam_aix 
    rexec   auth    required        /usr/lib/security/pam_aix 
    rlogin  auth    sufficient      /usr/lib/security/pam_rhosts_auth
    rlogin  auth    requisite       /usr/lib/security/pam_permission 
    rlogin  auth    required        /usr/lib/security/pam_aix 
    rsh     auth    required        /usr/lib/security/pam_rhosts_auth
    sshd    auth    requisite       /usr/lib/security/pam_permission
    sshd    auth    required        /usr/lib/security/pam_aix 
    snapp   auth    required        /usr/lib/security/pam_aix 
    su      auth    sufficient      /usr/lib/security/pam_allowroot 
    su      auth    required        /usr/lib/security/pam_aix 
    telnet  auth    requisite       /usr/lib/security/pam_permission 
    telnet  auth    required        /usr/lib/security/pam_aix 
    OTHER   auth    required        /usr/lib/security/pam_prohibit

    #
    # Account Management
    #
    ftp     account required        /usr/lib/security/pam_aix 
    login   account required        /usr/lib/security/pam_aix 
    rexec   account required        /usr/lib/security/pam_aix 
    rlogin  account required        /usr/lib/security/pam_aix 
    rsh     account required        /usr/lib/security/pam_aix 
    sshd    account required        /usr/lib/security/pam_aix 
    su      account sufficient      /usr/lib/security/pam_allowroot 
    su      account required        /usr/lib/security/pam_aix 
    telnet  account required        /usr/lib/security/pam_aix 
    OTHER   account required        /usr/lib/security/pam_prohibit

    #
    # Password Management
    #
    login   password  required      /usr/lib/security/pam_aix 
    passwd  password  required      /usr/lib/security/pam_aix 
    rlogin  password  required      /usr/lib/security/pam_aix 
    su      password  required      /usr/lib/security/pam_aix 
    sshd    password  required      /usr/lib/security/pam_aix 
    telnet  password  required      /usr/lib/security/pam_aix 
    OTHER   password  required      /usr/lib/security/pam_prohibit

    #
    # Session Management
    #
    ftp     session required        /usr/lib/security/pam_aix 
    imap    session required        /usr/lib/security/pam_aix 
    login   session required        /usr/lib/security/pam_aix 
    rexec   session required        /usr/lib/security/pam_aix 
    rlogin  session required        /usr/lib/security/pam_aix 
    rsh     session required        /usr/lib/security/pam_aix 
    snapp   session required        /usr/lib/security/pam_aix 
    sshd    session required        /usr/lib/security/pam_aix 
    su      session required        /usr/lib/security/pam_aix 
    telnet  session required        /usr/lib/security/pam_aix 
    # auto-make home directory
    login   session optional        /usr/lib/security/pam_mkuserhome
    rlogin  session optional        /usr/lib/security/pam_mkuserhome
    telnet  session optional        /usr/lib/security/pam_mkuserhome 
    OTHER   session required        /usr/lib/security/pam_prohibit

    #
    #Entries for authexec
    #
    authexec        auth    required        pam_aix
    authexec        account required        pam_aix
    authexec        password required       pam_aix

    #
    #

    #
    # websm
    #
    websm_rlogin    auth    sufficient      /usr/lib/security/pam_rhosts_auth
    websm_rlogin    auth    required        /usr/lib/security/pam_aix use_new_state 
    websm_su        auth    sufficient      /usr/lib/security/pam_aix 
    websm_su        auth    required        /usr/lib/security/pam_aix 

    websm_rlogin    account    required     /usr/lib/security/pam_aix mode=S_RLOGIN 
    websm_su        account    sufficient   /usr/lib/security/pam_aix mode=S_SU 
    websm_su        account    required     /usr/lib/security/pam_aix mode=S_SU 

    websm_rlogin    password   required     /usr/lib/security/pam_aix use_new_state try_first_pass 
    websm_su        password   required     /usr/lib/security/pam_aix try_first_pass 

    websm_rlogin    session    required     /usr/lib/security/pam_aix 
    websm_su        session    required     /usr/lib/security/pam_aix 

    #
    #Entries for Systems Director
    #
    lwilogin        auth     required        pam_aix
    lwilogin        account  required        pam_aix
    lwilogin        password required        pam_aix
    lwilogin        session  required        pam_aix

    #
    # BuildForge agent
    #
    bfagent         auth    requisite       /usr/lib/security/pam_permission
    bfagent         auth    required        pam_aix
    bfagent         account required        pam_aix
    wbem auth required /usr/lib/security/pam_aix
    wbem account required /usr/lib/security/pam_aix
    wbem password required /usr/lib/security/pam_aix
    wbem session required /usr/lib/security/pam_aix

    # Needed for new sudo (added 01/28/2022 JK)
    #
    sudo    auth    required        /usr/lib/security/pam_aix
    sudo    account required        /usr/lib/security/pam_aix
    sudo    password        required        /usr/lib/security/pam_aix
    sudo    session required        /usr/lib/security/pam_aix

    ###

    ###

     - methods.cfg


    NIS:
            program = /usr/lib/security/NIS
            program_64 = /usr/lib/security/NIS_64
            
    DCE:
            program = /usr/lib/security/DCE

    PAM:
            program = /usr/lib/security/PAM

    PAMfiles:
            options = auth=PAM,db=BUILTIN

    LDAP:
            program = /usr/lib/security/LDAP
            program_64 = /usr/lib/security/LDAP64

    ###

    ###

     - login.cfg

            sak_enabled = false
            logintimes =
            logindisable = 0
            logininterval = 0
            loginreenable = 0
            logindelay = 10

    */dev/console:
    *       synonym = /dev/tty0

    usw:
            auth_type = PAM_AUTH
            logintimeout = 30
            maxlogins = 32767
            mkhomeatlogin = true
            shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd,/usr/bin/bash,/bin/hnbdefaultshell,/usr/bin/hnbdefaultshell,/uv/bin/uv
            pwd_algorithm = ssha256
            unix_passwd_compat = true
            logindelay = 10

    ###

    ###

     - /etc/security/user (defaults section)

    default:
            account_locked = false
            admgroups =
            admin = false
            auth1 = SYSTEM
            auth2 = NONE
            daemon = true
            default_roles =
            dictionlist = /usr/local/etc/pwddictionary.dat
            expires = 0
            login = false
            loginretries = 5
            logintimes =
            histexpire = 26
            histsize = 50
            maxage = 0
            maxexpired = -1
            maxrepeats = 4
            minage = 0
            minalpha = 3
            mindiff = 4
            mindigit = 1
            minlen = 14
            minloweralpha = 1
            minother = 3
            minupperalpha = 1
            pwdchecks =
            pwdwarntime = 5
            rlogin = true
            SYSTEM = "LDAP or compat"
            su = true
            sugroups = ALL
            tpath = nosak
            ttys = ALL
            umask = 027
            minrepeats = 4
            minspecialchar = 1

    ###

    I have setup debugging as well for the sudo and sudoers if that is needed.  I also setup for pam_debug but not seeing any output in there as of yet.



    ------------------------------
    Joshua Krause
    ------------------------------
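The header comment in the pam.conf above spells out the stanza format and the 32/64-bit module path rules, and the error later in this thread turns on whether a service has an "account" stack at all. As an added example (not from this thread, and not IBM's or sudo's code), here is a small Python checker for that format: it parses the stanzas, resolves module paths the way the header describes, and reports which of the four stacks a service lacks and therefore inherits from OTHER. The fallback to OTHER is assumed here to apply per module type, and the sample config is constructed for the example with the sudo "account" line deliberately left out.

```python
"""Added example (not from the thread, not IBM's or sudo's code): a checker
for the AIX-style pam.conf format described in the file's header comment.

It parses "<service> <module_type> <control_flag> <module_path> [options]"
lines, resolves module paths with the 32/64-bit prefix rules from that
header, and reports which of the four stacks a service lacks. The fallback
to OTHER is assumed here to apply per module type; the sample config is
constructed for the example and deliberately omits the sudo "account" line.
"""
from collections import defaultdict

MODULE_TYPES = ("auth", "account", "password", "session")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional")
LIB32 = "/usr/lib/security"
LIB64 = "/usr/lib/security/64"

# Constructed sample, modelled on the posted config but with the
# "sudo account" stanza left out on purpose.
SAMPLE_PAM_CONF = """\
# Authentication
su      auth    sufficient      /usr/lib/security/pam_allowroot
su      auth    required        /usr/lib/security/pam_aix
OTHER   auth    required        /usr/lib/security/pam_prohibit
# Account Management
su      account required        /usr/lib/security/pam_aix
OTHER   account required        /usr/lib/security/pam_prohibit
OTHER   password required       /usr/lib/security/pam_prohibit
OTHER   session required        /usr/lib/security/pam_prohibit
# sudo: note that no "account" line is present
sudo    auth    required        pam_aix
sudo    password        required        /usr/lib/security/pam_aix
sudo    session required        /usr/lib/security/pam_aix
"""


def parse_pam_conf(text):
    """Return {service: {module_type: [(control_flag, module_path, options)]}}."""
    stacks = defaultdict(lambda: defaultdict(list))
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected 4+ fields, got {raw!r}")
        service, mtype, flag, path, *options = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"line {lineno}: unknown module_type {mtype!r}")
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"line {lineno}: unknown control_flag {flag!r}")
        stacks[service][mtype].append((flag, path, options))
    return stacks


def resolve_module_path(path, bits=32):
    """Apply the path rules from the pam.conf header: a relative name gets the
    32- or 64-bit library directory prefixed; a full path is used as-is for
    32-bit services and rewritten to <dir>/64/<name> for 64-bit ones."""
    if not path.startswith("/"):
        return f"{LIB32 if bits == 32 else LIB64}/{path}"
    if bits == 64:
        head, _, name = path.rpartition("/")
        return f"{head}/64/{name}"
    return path


def missing_stacks(stacks, service):
    """Module types for which `service` has no explicit entry at all."""
    return [t for t in MODULE_TYPES if not stacks.get(service, {}).get(t)]


def effective_stack(stacks, service, mtype):
    """(service_used, entries): the service's own stack, or OTHER's when it
    has none (per-module-type fallback is an assumption of this example)."""
    entries = stacks.get(service, {}).get(mtype)
    if entries:
        return service, list(entries)
    return "OTHER", list(stacks.get("OTHER", {}).get(mtype, []))


def report(text, service="sudo"):
    """Summarise the four stacks of `service`; returns the lines to print."""
    stacks = parse_pam_conf(text)
    lines = []
    for t in MODULE_TYPES:
        used, entries = effective_stack(stacks, service, t)
        mods = ", ".join(f"{flag} {resolve_module_path(path, 64)}"
                         for flag, path, _ in entries)
        marker = "" if used == service else "  <-- falls back to OTHER"
        lines.append(f"{service} {t:<8}: {mods or '(none)'}{marker}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PAM_CONF)))
```

Run against the real file with `report(open("/etc/pam.conf").read(), "sudo")`; a stack that reports "falls back to OTHER" is one where, on a config like the one posted, pam_prohibit would be consulted instead of pam_aix.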


  • 2.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Thu June 20, 2024 02:47 AM

    Hi Joshua,

    Please send the sudo logging outputs.



    ------------------------------
    SANGAMESH
    ------------------------------



  • 3.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Tue July 09, 2024 10:23 AM

    I have attached the sudo_debug.log, let me know if you need any other logs.



    ------------------------------
    Joshua Krause
    ------------------------------

    Attachment(s)

    log
    sudo_debug.log   275.82 MB 1 version


  • 4.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Fri July 19, 2024 09:10 AM

    I am still seeing the error, any ideas?



    ------------------------------
    Joshua Krause
    ------------------------------



  • 5.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Mon July 22, 2024 11:37 AM

    Hi Joshua

    Sorry for the delay.

    I will review the logs you sent and get back to you if I need any more info in 2-3 days.



    ------------------------------
    SANGAMESH
    ------------------------------



  • 6.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Tue July 23, 2024 09:42 AM

    I am uploading a more recent sudo_debug.log file.



    ------------------------------
    Joshua Krause
    ------------------------------

    Attachment(s)

    log
    sudo_debug.log   83.89 MB 1 version


  • 7.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Mon July 29, 2024 09:07 AM

    Hi Joshua,

    It seems the PAM authentication check is successful, but I am seeing this in the log.

    Account expired or PAM config lacks an "account" section for sudo, contact your system administrator

    Jul 19 09:29:15.101 sudo[41288130] -> sudo_auth_init @ ./auth/sudo_auth.c:106
    Jul 19 09:29:15.101 sudo[41288130] -> sudo_aix_init @ ./auth/aix_auth.c:135
    Jul 19 09:29:15.101 sudo[41288130] -> sudo_aix_authtype @ ./auth/aix_auth.c:66
    Jul 19 09:29:15.101 sudo[41288130] <- sudo_aix_authtype @ ./auth/aix_auth.c:127 := 2
    Jul 19 09:29:15.101 sudo[41288130] -> sudo_pam_init2 @ ./auth/pam.c:203
    Jul 19 09:29:15.101 sudo[41288130] -> conv_filter_init @ ./auth/pam.c:107
    Jul 19 09:29:15.101 sudo[41288130] <- conv_filter_init @ ./auth/pam.c:175
    Jul 19 09:29:15.101 sudo[41288130] <- sudo_pam_init2 @ ./auth/pam.c:277 := 86649125
    Jul 19 09:29:15.101 sudo[41288130] <- sudo_aix_init @ ./auth/aix_auth.c:142 := 181786330
    Jul 19 09:29:15.101 sudo[41288130] -> sudo_pam_init2 @ ./auth/pam.c:203
    Jul 19 09:29:15.101 sudo[41288130] <- sudo_pam_init2 @ ./auth/pam.c:210 := 86649125
    Jul 19 09:29:15.101 sudo[41288130] <- sudo_auth_init @ ./auth/sudo_auth.c:173 := 86649125
    Jul 19 09:29:15.101 sudo[41288130] -> user_is_exempt @ ./check.c:318
    Jul 19 09:29:15.101 sudo[41288130] <- user_is_exempt @ ./check.c:324 := false
    Jul 19 09:29:15.101 sudo[41288130] check_user: user running command as self
    Jul 19 09:29:15.101 sudo[41288130] -> sudo_auth_approval @ ./auth/sudo_auth.c:186
    Jul 19 09:29:15.101 sudo[41288130] -> sudo_pam_approval @ ./auth/pam.c:361
    Jul 19 09:29:15.102 sudo[41288130] -> log_warningx @ ./logging.c:818
    Jul 19 09:29:15.102 sudo[41288130] -> vlog_warning @ ./logging.c:698
    Jul 19 09:29:15.102 sudo[41288130] -> sudoers_setlocale @ ./locale.c:87
    Jul 19 09:29:15.102 sudo[41288130] sudoers_setlocale: setting locale to C (sudoers)
    Jul 19 09:29:15.102 sudo[41288130] <- sudoers_setlocale @ ./locale.c:128 := true
    Jul 19 09:29:15.102 sudo[41288130] Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
    Jul 19 09:29:15.102 sudo[41288130] -> sudo_gettime_real_v1 @ ./gettime.c:66
    Jul 19 09:29:15.102 sudo[41288130] <- sudo_gettime_real_v1 @ ./gettime.c:77 := 0
    Jul 19 09:29:15.102 sudo[41288130] -> sudoers_to_eventlog @ ./logging.c:981
    Jul 19 09:29:15.102 sudo[41288130] -> sudo_getgrgid @ ./pwutil.c:537
    Jul 19 09:29:15.102 sudo[41288130] -> aix_getauthregistry_v1 @ ./aix.c:162
    Jul 19 09:29:15.102 sudo[41288130] <- aix_getauthregistry_v1 @ ./aix.c:190 := -1
    Jul 19 09:29:15.102 sudo[41288130] -> rbfind @ ./redblack.c:282

    Can you please check if the user account is really expired?



    ------------------------------
    SANGAMESH
    ------------------------------



  • 8.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Mon July 29, 2024 09:19 AM

    Here is the account that is always failing:

    (hostname:/)#  lsuser -f user_account | fgrep expires
            expires=0

    There are other LDAP accounts on this box, however, they don't seem to have the same issue.  The only real diff is that the account above the SUDO is set to NOPASS.



    ------------------------------
    Joshua Krause
    ------------------------------



  • 9.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Mon July 29, 2024 09:50 AM

    I had a tail running grepping for "expire" while attempting sudo -l with that nuid and it didn't output anything.  I then attempted grepping for "fail" and when I ran the command I got this output:

    /var/log)#  tail -f sudo_debug.log | grep -i fail
    Jul 29 09:40:44.961 sudo[17695126] /etc/sudoers:17: ## Failure to use 'visudo' may result in syntax or file permission errors
    Jul 29 09:40:45.387 sudo[17695126] -> log_auth_failure @ ./logging.c:502
    Jul 29 09:40:45.387 sudo[17695126] -> audit_failure @ ./audit.c:139
    Jul 29 09:40:45.387 sudo[17695126] -> vaudit_failure @ ./audit.c:112
    Jul 29 09:40:45.387 sudo[17695126] -> audit_failure_int @ ./audit.c:84
    Jul 29 09:40:45.387 sudo[17695126] <- audit_failure_int @ ./audit.c:103 := 0
    Jul 29 09:40:45.387 sudo[17695126] <- vaudit_failure @ ./audit.c:130 := 0
    Jul 29 09:40:45.387 sudo[17695126] <- audit_failure @ ./audit.c:145 := 0
    Jul 29 09:40:45.387 sudo[17695126] a password is required @ log_auth_failure() ./logging.c:563
    Jul 29 09:40:45.390 sudo[17695126] <- log_auth_failure @ ./logging.c:568 := true

    I went ahead and cleared the sudo_debug file out, recreated it, ran the command from the nuid and saved off the file.  This should maybe help narrow it down.



    ------------------------------
    Joshua Krause
    ------------------------------



  • 10.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Mon July 29, 2024 10:11 AM

    Okay. 

    In the log I am also seeing the failure below, where getuserattr seems to be failing at some point.

    Jul 19 10:25:08.853 sudo[41157056] -> aix_getauthregistry_v1 @ ./aix.c:162
    Jul 19 10:25:08.853 sudo[41157056] <- aix_getauthregistry_v1 @ ./aix.c:190 := -1



    ------------------------------
    SANGAMESH
    ------------------------------



  • 11.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Mon July 29, 2024 10:12 AM
    Edited by Joshua Krause Mon July 29, 2024 10:13 AM

    Is there anything pointing to why it is failing?  Is there a configuration file that can cause that issue or is it possibly an issue with a newer version of sudo?

    I mean, a handful of lines above, it looks to be fine with the call:

    ##

    Jul 29 09:44:34.279 sudo[17695194] sudo_get_gidlist: looking up group-IDs for srvcpmunixrec
    Jul 29 09:44:34.279 sudo[17695194] -> aix_getauthregistry_v1 @ ./aix.c:162
    Jul 29 09:44:34.281 sudo[17695194] aix_getauthregistry_v1: saved authentication registry for user srvcpmunixrec is LDAP
    Jul 29 09:44:34.281 sudo[17695194] <- aix_getauthregistry_v1 @ ./aix.c:190 := 0
    Jul 29 09:44:34.281 sudo[17695194] -> rbfind @ ./redblack.c:282
    Jul 29 09:44:34.281 sudo[17695194] <- rbfind @ ./redblack.c:286 := 30013d58
    Jul 29 09:44:34.281 sudo[17695194] <- sudo_get_gidlist @ ./pwutil.c:1063 := 30015078
    Jul 29 09:44:34.281 sudo[17695194] -> sudo_gidlist_delref @ ./pwutil.c:806
    Jul 29 09:44:34.281 sudo[17695194] -> sudo_gidlist_delref_item @ ./pwutil.c:795
    Jul 29 09:44:34.281 sudo[17695194] <- sudo_gidlist_delref_item @ ./pwutil.c:800
    Jul 29 09:44:34.281 sudo[17695194] <- sudo_gidlist_delref @ ./pwutil.c:808
    Jul 29 09:44:34.281 sudo[17695194] -> sudo_grlist_delref @ ./pwutil.c:834
    Jul 29 09:44:34.281 sudo[17695194] -> sudo_grlist_delref_item @ ./pwutil.c:823
    Jul 29 09:44:34.281 sudo[17695194] <- sudo_grlist_delref_item @ ./pwutil.c:828
    Jul 29 09:44:34.281 sudo[17695194] <- sudo_grlist_delref @ ./pwutil.c:836
    Jul 29 09:44:34.281 sudo[17695194] -> sudo_gr_delref @ ./pwutil.c:524
    Jul 29 09:44:34.281 sudo[17695194] -> sudo_gr_delref_item @ ./pwutil.c:513
    Jul 29 09:44:34.281 sudo[17695194] <- sudo_gr_delref_item @ ./pwutil.c:518
    Jul 29 09:44:34.281 sudo[17695194] <- sudo_gr_delref @ ./pwutil.c:526
    Jul 29 09:44:34.281 sudo[17695194] <- sudo_ldap_build_pass1 @ ./ldap.c:1001 := (&(sudoHost=utaecegdi7301)(|(sudoUser=srvcpmunixrec)(sudoUser=#12937)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%su-root)(sudoUser=%#300)(sudoUser=ALL))(!(|(sudoUser=!srvcpmunixrec)(sudoUser=!#12937)(sudoUser=!%users)(sudoUser=!%#100)(sudoUser=!%su-root)(sudoUser=!%#300))))
    Jul 29 09:44:34.281 sudo[17695194] ldap search '(&(sudoHost=utaecegdi7301)(|(sudoUser=srvcpmunixrec)(sudoUser=#12937)(sudoUser=%users)(sudoUser=%#100)(sudoUser=%su-root)(sudoUser=%#300)(sudoUser=ALL))(!(|(sudoUser=!srvcpmunixrec)(sudoUser=!#12937)(sudoUser=!%users)(sudoUser=!%#100)(sudoUser=!%su-root)(sudoUser=!%#300))))'
    Jul 29 09:44:34.281 sudo[17695194] searching from base 'ou=sudoers,ou=UNIX,ou=DATACENTER,o=HNBAUTH'
    Jul 29 09:44:34.289 sudo[17695194] adding search result

    ##



    ------------------------------
    Joshua Krause
    ------------------------------
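Posts 7, 9, 10 and 11 all work from the same kind of evidence: sudo debug-log lines that record function entry ("-> func @ file:line"), function exit with a return value ("<- func @ file:line := ret") or a free-form message, and the question is which call returned -1 and which warning was logged in the same sudo process. As an added example (not from this thread and not sudo's code), here is a Python parser for those trace lines that tracks a per-pid call stack, lists exits with a failing return value together with the messages logged while that call was open, finds a given warning, and pulls the "saved authentication registry" lines out. The sample log is constructed from the kinds of lines quoted above; treating "-1" as the failure value is an assumption of the example.

```python
"""Added example (not from the thread, not sudo's code): a parser for the
function-trace lines sudo writes to its debug log, as quoted in the thread.
Each line is "<timestamp> sudo[<pid>] <body>", where the body is a call
entry ("-> func @ file:line"), a call exit ("<- func @ file:line := ret")
or a free-form message. The sample log is constructed from the kinds of
lines shown in the thread; which return values count as failures (here
"-1", as seen for aix_getauthregistry_v1) is an assumption of this example.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) "
                     r"sudo\[(?P<pid>\d+)\] (?P<body>.*)$")
ENTER_RE = re.compile(r"^-> (?P<func>\S+) @ (?P<loc>\S+)$")
EXIT_RE = re.compile(r"^<- (?P<func>\S+) @ (?P<loc>\S+)(?: := (?P<ret>.*))?$")
REGISTRY_RE = re.compile(r"saved authentication registry for user (\S+) is (\S+)")

# Constructed sample: one process that logs the PAM "account" warning and a
# failing aix_getauthregistry_v1, one where the registry lookup succeeds,
# and one unrelated "false" return that must not be flagged.
SAMPLE_LOG = """\
Jul 19 09:29:15.101 sudo[41288130] -> sudo_auth_approval @ ./auth/sudo_auth.c:186
Jul 19 09:29:15.101 sudo[41288130] -> sudo_pam_approval @ ./auth/pam.c:361
Jul 19 09:29:15.102 sudo[41288130] Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
Jul 19 09:29:15.102 sudo[41288130] -> aix_getauthregistry_v1 @ ./aix.c:162
Jul 19 09:29:15.102 sudo[41288130] <- aix_getauthregistry_v1 @ ./aix.c:190 := -1
Jul 29 09:44:34.279 sudo[17695194] -> aix_getauthregistry_v1 @ ./aix.c:162
Jul 29 09:44:34.281 sudo[17695194] aix_getauthregistry_v1: saved authentication registry for user srvcpmunixrec is LDAP
Jul 29 09:44:34.281 sudo[17695194] <- aix_getauthregistry_v1 @ ./aix.c:190 := 0
Aug 12 08:48:42.721 sudo[15204810] -> user_is_exempt @ ./check.c:318
Aug 12 08:48:42.721 sudo[15204810] <- user_is_exempt @ ./check.c:324 := false
"""


def parse_trace(lines):
    """Turn log lines into records; lines that do not match (for example the
    wrapped continuation of a long LDAP filter) are skipped, not guessed."""
    records = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        rec = {"line": n, "ts": m["ts"], "pid": int(m["pid"])}
        body = m["body"]
        if (e := ENTER_RE.match(body)):
            rec.update(kind="enter", func=e["func"], loc=e["loc"])
        elif (x := EXIT_RE.match(body)):
            rec.update(kind="exit", func=x["func"], loc=x["loc"], ret=x["ret"])
        else:
            rec.update(kind="msg", text=body)
        records.append(rec)
    return records


def failed_returns(records, bad_values=("-1",)):
    """Call exits whose return value is in bad_values, each with the messages
    logged while that call was open (tracked on a per-pid call stack)."""
    stacks = defaultdict(list)           # pid -> [(enter_record, [messages])]
    failures = []
    for r in records:
        st = stacks[r["pid"]]
        if r["kind"] == "enter":
            st.append((r, []))
        elif r["kind"] == "msg":
            if st:
                st[-1][1].append(r["text"])
        else:
            msgs = []
            while st:                    # unwind to the matching entry
                enter, frame_msgs = st.pop()
                msgs = frame_msgs + msgs
                if enter["func"] == r["func"]:
                    break
            if r["ret"] in bad_values:
                failures.append({"pid": r["pid"], "ts": r["ts"], "func": r["func"],
                                 "loc": r["loc"], "ret": r["ret"], "messages": msgs})
    return failures


def find_messages(records, pattern):
    """Free-form messages matching a regex, e.g. the PAM 'account' warning."""
    rx = re.compile(pattern)
    return [r for r in records if r["kind"] == "msg" and rx.search(r["text"])]


def registries(records):
    """{user: registry} from the 'saved authentication registry' messages."""
    out = {}
    for r in records:
        if r["kind"] == "msg" and (m := REGISTRY_RE.search(r["text"])):
            out[m.group(1)] = m.group(2)
    return out


if __name__ == "__main__":
    recs = parse_trace(SAMPLE_LOG.splitlines())
    for f in failed_returns(recs):
        print(f"{f['ts']} pid {f['pid']}: {f['func']} returned {f['ret']} at {f['loc']}")
    for m in find_messages(recs, r'lacks an "account" section'):
        print(f"{m['ts']} pid {m['pid']}: {m['text']}")
    print(registries(recs))
```

On a real capture, `parse_trace(open("/var/log/sudo_debug.log"))` feeds the same functions; comparing `registries()` for the account that fails against one that works, and checking whether the failing process ever logs a "saved authentication registry" line, is a quicker way to see the getuserattr difference than grepping a multi-hundred-megabyte file by hand.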



  • 12.  RE: sudo PAM account management error: Invalid argument/sudo: a password is required

    Posted Mon August 12, 2024 02:00 PM

    Hi Joshua,

    I am not able to see a similar error to the one you are having.

    I will compare your logs and my logs to understand more.

    Aug 12 08:48:42.721 sudo[15204810] -> sudo_auth_init @ ./auth/sudo_auth.c:106
    Aug 12 08:48:42.721 sudo[15204810] -> sudo_aix_init @ ./auth/aix_auth.c:135
    Aug 12 08:48:42.721 sudo[15204810] -> sudo_aix_authtype @ ./auth/aix_auth.c:66
    Aug 12 08:48:42.721 sudo[15204810] <- sudo_aix_authtype @ ./auth/aix_auth.c:127 := 2
    Aug 12 08:48:42.721 sudo[15204810] -> sudo_pam_init2 @ ./auth/pam.c:203
    Aug 12 08:48:42.721 sudo[15204810] -> conv_filter_init @ ./auth/pam.c:107
    Aug 12 08:48:42.721 sudo[15204810] <- conv_filter_init @ ./auth/pam.c:175
    Aug 12 08:48:42.721 sudo[15204810] <- sudo_pam_init2 @ ./auth/pam.c:277 := 86649125
    Aug 12 08:48:42.721 sudo[15204810] <- sudo_aix_init @ ./auth/aix_auth.c:142 := 181786330
    Aug 12 08:48:42.721 sudo[15204810] -> sudo_pam_init2 @ ./auth/pam.c:203
    Aug 12 08:48:42.721 sudo[15204810] <- sudo_pam_init2 @ ./auth/pam.c:210 := 86649125
    Aug 12 08:48:42.721 sudo[15204810] <- sudo_auth_init @ ./auth/sudo_auth.c:173 := 86649125
    Aug 12 08:48:42.721 sudo[15204810] check_user: authentication disabled
    Aug 12 08:48:42.721 sudo[15204810] -> sudo_auth_approval @ ./auth/sudo_auth.c:186
    Aug 12 08:48:42.721 sudo[15204810] -> sudo_pam_approval @ ./auth/pam.c:361
    Aug 12 08:48:42.732 sudo[15204810] <- sudo_pam_approval @ ./auth/pam.c:422 := 86649125
    Aug 12 08:48:42.732 sudo[15204810] <- sudo_auth_approval @ ./auth/sudo_auth.c:199 := 86649125
    Aug 12 08:48:42.732 sudo[15204810] -> timestamp_close @ ./timestamp.c:796
    Aug 12 08:48:42.732 sudo[15204810] <- timestamp_close @ ./timestamp.c:804
    Aug 12 08:48:42.732 sudo[15204810] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:211
    Aug 12 08:48:42.732 sudo[15204810] -> sudo_pam_cleanup @ ./auth/pam.c:430
    Aug 12 08:48:42.732 sudo[15204810] <- sudo_pam_cleanup @ ./auth/pam.c:437 := 86649125



    ------------------------------
    SANGAMESH
    ------------------------------