After updating from an older sudo version (e.g., 1.8.6p2) to a newer version (e.g., 1.9.15p5), the following error often occurs when using sudo:
aix01 $ sudo -l
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required
aix01 $
The message itself points to the cause: the PAM entries for the sudo service are missing. Older sudo versions did not require them. To avoid this problem, the following four entries should be added to /etc/pam.conf, for example:
aix01 # vi /etc/pam.conf
...
sudo    auth      required  pam_aix
sudo    account   required  pam_aix
sudo    password  required  pam_aix
sudo    session   required  pam_aix
aix01 #
Note: The entries cannot be added using sudo, because sudo itself is not working at this point!
After adding the entries, sudo seems to be working again. Listing allowed commands produces the expected output:
aix01 $ sudo -l
Matching Defaults entries for user01 on aix01:
    ...

User user01 may run the following commands on aix01:
    (ALL) NOPASSWD: /usr/sbin/*fs, /usr/sbin/*dev, /usr/sbin/ls*, /usr/sbin/*lv, /usr/sbin/*lvcopy, /usr/sbin/*pv, /usr/sbin/*vg, /usr/sbin/ifconfig, /usr/bin/startsrc, /usr/bin/stopsrc
    …
$
Executing commands using sudo also seems to be working again:
aix01 $ sudo errpt
IDENTIFIER TIMESTAMP  T C RESOURCE_NAME  DESCRIPTION
AA8AB241   1117100725 T O OPERATOR       OPERATOR NOTIFICATION
AA8AB241   1117100125 T O OPERATOR       OPERATOR NOTIFICATION
…
aix01 $
However, if the “-i” or “--login” option of sudo is used, only an error message is displayed again:
aix01 $ sudo -i id
sudo: Account expired or PAM config lacks an "account" section for sudo, contact your system administrator
sudo: a password is required
aix01 $
When invoked with the option “-i” (or “--login”), the service name is no longer “sudo” but “sudo-i”. If no “sudo-i” service is configured in /etc/pam.conf, sudo terminates with the error message shown above. Unfortunately, sudo prints the same error message in both cases without naming the service. Had the message included the service name “sudo-i”, it would have been obvious right away that entries for “sudo-i” were missing in /etc/pam.conf. We will add the necessary entries. Together, this results in the following required entries for sudo:
aix01 $ sudo vi /etc/pam.conf
...
sudo      auth      required  pam_aix
sudo      account   required  pam_aix
sudo      password  required  pam_aix
sudo      session   required  pam_aix
sudo-i    auth      required  pam_aix
sudo-i    account   required  pam_aix
sudo-i    password  required  pam_aix
sudo-i    session   required  pam_aix
aix01 $
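Because the failure only shows up after the upgrade, it is worth checking a pam.conf for all eight entries beforehand. The following POSIX sh function is an added example, not from the original post: it reports every missing service/module-type combination for “sudo” and “sudo-i”. The function name pam_missing_entries and the “required pam_aix” it suggests in its output are assumptions.

```shell
# Added example, not from the original post: check that a pam.conf carries all
# four module-type entries for the PAM service names "sudo" and "sudo-i".
# The function name and the "required pam_aix" suggested in its output are
# assumptions; adjust the module to whatever your /etc/pam.conf uses.
pam_missing_entries() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    missing=0
    for svc in sudo sudo-i; do
        for type in auth account password session; do
            # pam.conf fields: service module_type control module_path [options]
            # Comment lines (first field starting with '#') are skipped.
            if ! awk -v s="$svc" -v t="$type" \
                '$1 !~ /^#/ && $1 == s && $2 == t { found = 1 }
                 END { exit !found }' "$conf"; then
                echo "missing in $conf: $svc $type required pam_aix"
                missing=1
            fi
        done
    done
    return $missing   # 0 when nothing is missing, 1 otherwise
}

# Run directly with a file argument, e.g.: sh check_pam.sh /etc/pam.conf
if [ $# -eq 1 ]; then
    pam_missing_entries "$1"
fi
```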
A quick test shows that calls with the option “-i” (or “--login”) now work:
aix01 $ sudo -i id
[YOU HAVE NEW MAIL]
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
aix01 $
Which PAM service name sudo uses for a given invocation can be determined relatively easily by enabling PAM debugging. To do this, debugging messages of the auth facility must be logged via syslogd. We use the file /var/log/auth.log for this purpose:
aix01 $ sudo touch /var/log/auth.log
aix01 $ sudo vi /etc/syslog.conf
…
auth.debug    /var/log/auth.log
aix01 $ sudo refresh -s syslogd
0513-095 The request for subsystem refresh was completed successfully.
aix01 $
Creating the file /etc/pam_debug makes PAM send its debug messages to syslogd:
aix01 $ sudo touch /etc/pam_debug
aix01 $
Here are the lines from the log for a “sudo -l” call while /etc/pam.conf has no sudo entries:
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_start(sudo user01)
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_set_item(1)
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_set_item(2)
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_set_item(5)
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_set_item(8)
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_set_item(3)
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_acct_mgmt()
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: load_modules: /usr/lib/security/pam_prohibit
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: load_function: successful load of pam_sm_acct_mgmt
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_acct_mgmt: error Permission denied
Nov 17 15:01:11 aix01 auth|security:alert sudo: user01 : Account expired or PAM config lacks an "account" section for sudo, contact your system administrator ; TTY=pts/0 ; PWD=/home/user01 ; USER=root ; COMMAND=list
Nov 17 15:01:11 aix01 auth|security:debug sudo PAM: pam_end(): status = User account has expired
The first line shows the service name as the first argument of pam_start. A few lines later the module pam_prohibit is loaded, i.e. the OTHER entry of /etc/pam.conf was matched because no entry exists for this service. After that, the error message displayed by sudo appears.
The situation is very similar for “sudo -i”:
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_start(sudo-i user01)
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_set_item(1)
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_set_item(2)
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_set_item(5)
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_set_item(8)
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_set_item(3)
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_acct_mgmt()
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: load_modules: /usr/lib/security/pam_prohibit
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: load_function: successful load of pam_sm_acct_mgmt
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_acct_mgmt: error Permission denied
Nov 17 15:11:12 aix01 auth|security:alert sudo: user01 : Account expired or PAM config lacks an "account" section for sudo, contact your system administrator ; TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/ksh -c id
Nov 17 15:11:12 aix01 auth|security:debug sudo PAM: pam_end(): status = User account has expired
Here too, the service name is found in the call to pam_start, this time “sudo-i”. The pam_prohibit module is loaded here as well, and the error is logged.
The debugging messages from PAM clearly show that the entries for “sudo” and “sudo-i” are missing in /etc/pam.conf.
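On a busy system the auth.log quickly fills with such transactions, so it helps to condense them. The following POSIX sh/awk function is an added example, not from the original post: for every pam_start() in the log it prints the service name sudo used, the module that served pam_acct_mgmt and whether that call failed, so a service that fell through to the OTHER entry (pam_prohibit) stands out. The function name pam_start_summary is an assumption.

```shell
# Added example, not from the original post: summarise the PAM debug records
# that /etc/pam_debug makes syslogd write via auth.debug. For every pam_start()
# it prints the service name sudo used, the module that served pam_acct_mgmt
# and whether that call failed. The function name is an assumption.
pam_start_summary() {
    awk '
        # pam_start(<service> <user>) opens a new PAM transaction: report the
        # previous one and remember the new service name.
        /PAM: pam_start\(/ {
            if (svc != "") flush()
            line = $0
            sub(/.*pam_start\(/, "", line); sub(/ .*/, "", line)
            svc = line; mod = "-"; rc = "ok"
        }
        # load_modules: /usr/lib/security/<module>  ->  keep only the basename
        /PAM: load_modules:/ { n = split($NF, p, "/"); mod = p[n] }
        /PAM: pam_acct_mgmt: error/ { rc = "error" }
        END { if (svc != "") flush() }
        function flush() {
            printf "service=%s module=%s acct_mgmt=%s%s\n", svc, mod, rc,
                (mod == "pam_prohibit" ? " (OTHER entry hit: no pam.conf entries for this service)" : "")
        }
    ' "$@"
}

# Usage: pam_start_summary /var/log/auth.log
```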
Note: Once PAM debugging is finished, it should be disabled again (remove /etc/pam_debug and the auth.debug entry in /etc/syslog.conf), since the log records every authentication attempt on the system!
