Pam account management error permission denied

Running SUDO as a user with the root role fails with: "PAM account management error: Permission denied" or "account validation failure, is your account locked?" (Doc ID 2618680.1)

Last updated on OCTOBER 12, 2022

Applies to:

Symptoms

On systems where root is a role, running sudo as a user with the root role fails.

Changes

System was updated from 11.4.14.5.0 (or lower) to 11.4.15.5.0 or 11.4.16.4.0.

System was updated from 11.3.36.17.0 (or lower) to 11.3.36.18.0 (or higher).

Cause


Source

CentOS

PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 15:29:52

After upgrading CentOS to 7.6 I can no longer elevate via sudo from an ssh connection.
It is fine on the console but not via ssh.

the error is : PAM account management error: Permission denied

Re: PAM account management error: Permission denied

Post by TrevorH » 2018/12/05 15:51:07

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 16:07:35

/var/log/secure and messages are the first places I went.

messages gives me nothing,
secure gives me access denied, which again is nothing.

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 16:08:33

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 16:09:42

Re: PAM account management error: Permission denied

Post by TrevorH » 2018/12/05 16:16:10

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 16:42:51

I have two servers that are very similar.
I have compared pam.d of the problem server against the not-updated server.
The sums on each file are exactly the same.

The sudo and sudo-i are the same.
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
[root@devsso04 pam.d]# cat sudo-i
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so

Re: PAM account management error: Permission denied

Post by TrevorH » 2018/12/05 17:14:59

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 17:43:31

Trevor-
Those files now look like this —
However no cigar.
I'm sorry.

]$ cat /etc/pam.d/sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
[ccheltenham-ext@devsso03 ]$ cat /etc/pam.d/sudo-i
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so
session include sudo

Running Rpm —
[ccheltenham-ext@devsso03 ]$ rpm -Vr /etc/pam.d/sudo
rpm: no arguments given for verify
[ccheltenham-ext@devsso03 ]$ rpm -Vr /etc/pam.d/sudo-i
rpm: no arguments given for verify

Again, I really appreciate your input.
If nothing else, I feel better that I am at least pretty much thinking the same way you are.

The error in /var/log/secure says PAM account manager error:Permission denied
I even set everything in /etc/pam.d to 777 recursively.

This is really odd.

Thanks again but still get the same error.

Source

glossopgeek

Following the RHEL7.6 / CentOS7.6 upgrade, we started having issues sudo-ing up on a box.

FreeIPA is in place as the central authentication mechanism which handles logins and privilege management.

So, upon SSH’ing to a server

In /var/log/secure, you’ll see something like

The Red Hat support portal offers the advice that you need to add sudo to the list of services in the HBAC rule definition. In our case, we only had sshd listed as an allowed service.

  1. Open IPA web interface
  2. Policies tab
  3. HBAC rules
  4. Select a rule
  5. Under the section Via Service, add sudo to the list


Awesome, this really helped us out today. I would have never thought to add that there as I don't think of sudo being a service, but as soon as I did, everything worked as expected.

Glad to hear it helped, IPA can be a strange one when you least expect it!

I spent an hour trying to find out what's going on until I read this. Thank you very much!!

saved my ass 😀 THANK YOU!

Don’t forget, also that port 88/UDP (Kerberos) must be open between the AD controllers and the IPA Clients that want to get sudo availabilities…

From the IPA Client TO the AD Controllers to be more precise, in case they are not on the same subnet !

Source

PAM configuration for ValidateUser and Permission Denied

Troubleshooting

Problem

Debugging is often required to isolate the root cause of PAM authentication failures and to identify the configuration directive that is causing the authentication failure.

Symptom

The ValidateUser command generates entries in the InfoSphere Information Server installation log indicating that the user name and password were successfully authenticated. However, you receive a "Permission denied" error.

Note: You must log in as the root user to run the ValidateUser command.

Cause

The following problems can cause the “Permission denied” error to display:

  1. You are using an unsupported third party security system like Vintela
  2. An operating system login restriction exists in the PAM configuration file
  3. A login restriction exists in the /etc/security/user file

The “Permission denied” error often occurs because of an operating system login restriction for the user that is being authenticated. Corporate security policy often prohibits application users from logging into Linux and UNIX servers by using a command line shell. These application users are permitted to establish connections to application listeners through TCP/IP ports, but are not permitted to issue commands directly through a command line shell. This restriction might be scripted into the PAM stack with the use of explicit directives, or in the case of AIX, PAM automatically queries the /etc/security/user file for possible login restrictions. Unsupported third party security systems might also restrict login access and must be disabled while the InfoSphere Suite Installer is running.

Environment

All Linux and UNIX operating systems.

Diagnosing The Problem

Use the operating system logging daemon (syslogd) to obtain more detailed diagnostic information in the system log file to determine what files must be changed for the ValidateUser utility to run successfully. Ensure that syslogd is running in debug mode.

The following files are important when debugging your PAM configuration:

  • Syslog configuration file: change this configuration file to modify the logging daemon’s behavior
  • Target log file: captures output from the logging daemon
  • Syslog-ng pid file: contains the logging daemon’s process ID (pid), which simplifies the daemon termination activity

Note: You can debug PAM at multiple levels. This document is primarily concerned with high level debugging techniques.

The following sections give the debugging configuration steps for each operating system. The files, locations, and steps that you complete vary from one operating system to another.

AIX debugging

  • PAM debugging file: /etc/pam_debug
  • Syslog configuration file location: /etc/syslog.conf
  • Target log file: /tmp/debuglog
  • syslogd pid file: /etc/syslogd.pid

Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslogd):

  1. Log in as root.
  2. Create an empty file /etc/pam_debug, for example with the "touch /etc/pam_debug" command. The PAM library checks that this file exists to enable syslog output.
  3. Open the /etc/syslog.conf file and add the following line:
    *.debug /tmp/debuglog
  4. Run the following command to create the /tmp/debuglog file if it does not already exist. The logging daemon checks that this file exists to enable debugging.
    touch /tmp/debuglog
  5. Run the following command to start another syslogd for debugging. Allow the system syslogd to continue running in parallel with the debugging syslogd, which will run in the foreground.
    /usr/sbin/syslogd -d
  6. Open another terminal session and log in as root.
  7. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your user name
password is your password

  • View your original terminal session where the daemon is running and examine the debugging results in the /tmp/debuglog file.
  • If you are finished debugging, press Ctrl + c to stop the debugging syslogd that is running in the foreground.
  • The "Permission Denied" error typically indicates that a login restriction has been set in the /etc/security/user file. On AIX, PAM checks the /etc/security/user file for possible login restrictions, even when running the minimum stack. PAM checks this file independent of any special directives in the stack.

The following error might occur when you run the ./ValidateUser command:

Username is valid.
Password is valid.
[rc 7] PAM error description = Permission denied

To resolve this error, check the login settings in the /etc/security/user file. If the user does not have a login setting, or has login=false, complete the following steps to change the login value to true.

  1. Log in as root.
  2. Back up the /etc/security/user file.
  3. Run the following command to modify the /etc/security/user file:
    vi /etc/security/user
  4. Modify the file to set login to true:
    login=true
  5. Save and close the /etc/security/user file.
  6. Run the InfoSphere Information Server installation program.
  7. Change the values in the /etc/security/user file back to the original values.
  8. Save and close the /etc/security/user file.

HP-UX debugging

  • Syslog configuration file location: /etc/syslog.conf
  • Target log file: /var/adm/syslog/syslog.log
  • syslogd pid file: /var/run/syslog.pid

Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslogd):

  1. Log in as root.
  2. From the command line, run the following command to create a dynamic display of the syslogd messages file, which might contain PAM runtime processing information:
    tail -f /var/adm/syslog/syslog.log
  3. Open another terminal session and log in as root.
  4. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your user name
password is your password

  • View your original terminal session where the daemon is running to examine the debugging results.
  • As an optional step, run syslogd in debug mode to obtain PAM runtime information. You can use this information to help determine what files you need to change for the ValidateUser utility to run successfully:

  1. Log in as root.
  2. From the command line, run the following command to determine if syslogd is running:
    ps -ef | grep syslogd
  3. Run the following command to edit the syslog.conf file:
    vi /etc/syslog.conf
  4. Optional: Run the following command to force syslogd to read the contents of the /etc/syslog.conf file:
    kill -HUP `cat /var/run/syslog.pid`
  5. Add the following line in the syslog.conf file:
    *.debug /var/adm/syslog/syslog.log
  6. Run the following command to stop syslogd:
    kill `cat /var/run/syslogd.pid`
  7. Restart syslogd:
    /usr/sbin/syslogd -d
  8. Run the following command to create a dynamic display of the syslogd messages file, which might contain PAM runtime processing information:
    tail -f /var/adm/syslog/syslog.log
  9. Open another terminal session and log in as root.
  10. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your user name
password is your password

  • View your original terminal session where the daemon is running and examine the contents of /var/adm/syslog/syslog.log.
  • Run the following command to stop syslogd:
    kill `cat /var/run/syslogd.pid`
  • Restart syslogd:
    /usr/sbin/syslogd -d

RedHat debugging

  • Syslog configuration file location: /etc/rsyslog.conf
  • Target log file: /var/log/messages
  • syslogd pid file: /var/run/syslogd.pid

Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslogd):

  1. Log in as root.
  2. Open the /etc/rsyslog.conf file and add the following line at the end of the file to force the daemon to generate debugging output. This information is captured in the /var/log/messages file.
    *.debug /var/log/messages
  3. Save and close the rsyslog.conf file.
  4. From the command line, run the following command to create a dynamic display of the syslogd messages file, which might contain PAM runtime processing information:
    tail -f /var/log/messages
  5. Run the following command to start another syslogd for debugging. Allow the system syslogd to continue running in parallel with the debugging syslogd, which will run in the foreground.
    /sbin/rsyslogd -d -i /tmp/rsyslogd.pid
  6. Open another terminal session and log in as root.
  7. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your Engine tier OS user name
password is the Engine tier OS user's password

  • View your original terminal session where the daemon is running to examine the debugging results.
  • If you are finished debugging, press Ctrl + c to stop the debugging rsyslogd that is running in the foreground. Check whether the PID in the /tmp/rsyslogd.pid file is still alive using "ps -ef | grep syslogd"; if so, kill that process using "kill `cat /tmp/rsyslogd.pid`". Restore /etc/rsyslog.conf by deleting the line added in step 2.

Solaris debugging

  • Syslog configuration file location: /etc/syslog.conf
  • Target log file: /var/log/authlog
  • syslogd pid file: /etc/syslogd.pid

Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslogd):

  1. Log in as root.
  2. From the command line, run the following command to create a dynamic display of the syslogd messages file, which might contain PAM runtime processing information:
    tail -f /var/log/authlog
  3. Open another terminal session and log in as root.
  4. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your user name
password is your password

  • View your original terminal session where the daemon is running to examine the debugging results.
  • As an optional step, run syslogd in debugging mode to obtain PAM runtime information, which is saved to the /var/log/pamlog file:

  1. Log in as root.
  2. Run the following command to back up the syslog.conf file:
    cp /etc/syslog.conf /etc/syslog.conf.bak
  3. From the command line, run the following command to edit the syslog.conf file:
    vi /etc/syslog.conf
  4. Add the following lines to the syslog.conf file to enable debugging:
    auth.alert /dev/console
    auth.info;auth.debug /var/log/pamlog
  5. Run the following command to ensure that the PAM log file exists:
    touch /var/log/pamlog
  6. Run the following command to back up the pam.conf file:
    cp /etc/pam.conf /etc/pam.conf.bak
  7. Run the following command to edit the pam.conf file:
    vi /etc/pam.conf
  8. Optional: Add the debug option to the following lines in the pam.conf file:
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_unix_auth.so.1 debug
    other account required pam_unix_account.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 debug
  9. Run the following command to stop syslogd:
    kill `cat /var/run/syslogd.pid`
  10. Restart syslogd in debugging mode:
    /usr/sbin/syslogd
  11. Open another terminal session and log in as root.
  12. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your user name
password is your password

  • View your original terminal session where the daemon is running and examine the debugging results in the /var/log/authlog file.
  • If you are finished debugging, run the following commands to restore the configuration files to their original state:
    cp /etc/syslog.conf.bak /etc/syslog.conf
    cp /etc/pam.conf.bak /etc/pam.conf
  • Run the following command to stop syslogd:
    kill `cat /var/run/syslogd.pid`
  • Restart syslogd:
    /usr/sbin/syslogd -d

SuSE debugging

syslog-ng is the equivalent of the syslogd logging daemon on other Linux and UNIX systems.

  • Syslog configuration file location: /etc/syslog-ng/syslog-ng.conf
  • Target log file: /var/log/messages
  • syslog-ng pid file: /var/run/syslog-ng.pid

Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslog-ng):

  1. Log in as root.
  2. From the command line, run the following command to create a dynamic display of the syslog-ng messages file, which might contain PAM runtime processing information:
    tail -f /var/log/messages
  3. Open another terminal session and log in as root.
  4. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your user name
password is your password

  • View your original terminal session where the daemon is running to examine the debugging results.
  • As an optional step, run syslog-ng in debugging mode to obtain PAM runtime information. You can use this information to help determine what files you must change for the ValidateUser utility to run successfully:

  1. Log in as root.
  2. From the command line, run the following command to stop the syslog-ng daemon:
    kill `cat /var/run/syslog-ng.pid`
  3. Start syslog-ng in debugging mode:
    /sbin/syslog-ng -d
  4. Open another terminal session and log in as root.
  5. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your user name
password is your password

  • View your original terminal session where the daemon is running to examine the debugging results.
  • If you are finished debugging, you must stop the daemon and then restart it in non-debug mode:
    1. Stop the syslog-ng daemon:
      kill `cat /var/run/syslog-ng.pid`
    2. Restart syslog-ng in non-debug mode:
      /sbin/syslog-ng

Resolving The Problem

The following techniques provide a means to circumvent PAM restrictions and should be viewed as workarounds.

When the "Permission denied" error is caused by a user login restriction, you must disable the restriction while the InfoSphere Suite Installer is running. Also, you might need to comment out directives in your PAM configuration file to reduce the PAM stack to the minimum configuration, in order to:

  • Proceed with the installation of InfoSphere Information Server
  • Identify the PAM directives that are inhibiting user authentication

Reducing the PAM stack (Linux, UNIX)

For your operating system, complete the following steps to reduce the PAM stack:

  1. Log in as root.
  2. Back up all files that you intend to modify.
  3. Open the PAM configuration files and comment out all of the directives that are not listed as minimum requirements for the ValidateUser utility to run. See Minimum PAM configuration file directives for a list of the files that are required based on your operating system.
  4. Save and close the configuration files.
  5. Invoke the ValidateUser utility with arguments:
    install_directory/_uninstall/tools/ValidateUser -validate user password

install_directory is the directory where you installed InfoSphere Information Server
user is your user name
password is your password

  • If the ValidateUser utility runs successfully, proceed with the installation of InfoSphere Information Server. If the ValidateUser utility ran with errors, fix the errors and run the utility again.
  • After the installation program completes successfully, open each configuration file and uncomment all directives that you commented out in step 2.

Minimum PAM configuration file directives

The following configuration file directives represent the minimum requirements for the ValidateUser utility to run correctly. The directives that are required vary based on your operating system.

AIX

All required directives are in the /etc/pam.conf file.

Minimum PAM directives for AIX

File      Required directives
login     account required /usr/lib/security/pam_aix
passwd    password required /usr/lib/security/pam_aix

HP-UX

All required directives are in the /etc/pam.conf file.

Minimum PAM directives for HP-UX

File      Required directives
OTHER     auth required libpam_unix.so.1
          account required libpam_unix.so.1
          password required libpam_unix.so.1 try_first_pass

RedHat

All required files are located in the /etc/pam.d directory. The /etc/security directory is not required to run the ValidateUser utility.

Minimum PAM directives for RedHat

File          Required directives
system-auth   auth sufficient pam_unix.so
              account required pam_unix.so
              password requisite pam_cracklib.so
passwd        auth include system-auth
              account include system-auth
              password include system-auth

Solaris

All required directives are in the /etc/pam.conf file.

Minimum PAM directives for Solaris

File      Required directives
other     auth requisite pam_authtok_get.so.1
          auth required pam_unix_auth.so.1
          account required pam_unix_account.so.1
          password requisite pam_authtok_get.so.1
          password requisite pam_authtok_check.so.1
          password required pam_authtok_store.so.1

Source

I'm trying to connect a Linux machine to AD and I made some changes in the files below:

/etc/krb5.conf

/etc/pam.d/system-auth

/etc/samba/smb.conf

After these changes I connected the server to AD with the net ads join command. But then users in the sudoers file cannot do sudo. The error is:

sudo -i
sudo: PAM account management error: Permission denied

In the /etc/ssh/sshd file, UsePAM is no.
and I appended the line +:ALL:ALL to /etc/security/access.conf

/var/log/secure output:

sudo: PAM (sudo-i) illegal module type: %PAM-1.0
sudo: PAM (sudo-i) no control flag supplied
sudo: PAM (sudo-i) no module name supplied
sudo: PAM (sudo-i) illegal module type: %PAM-1.0
sudo: PAM (sudo-i) no control flag supplied
sudo: PAM (sudo-i) no module name supplied
sudo: PAM (sudo-i) illegal module type: %PAM-1.0
sudo: PAM (sudo-i) no control flag supplied
sudo: PAM (sudo-i) no module name supplied
sudo: PAM (sudo-i) illegal module type: %PAM-1.0
sudo: PAM (sudo-i) no control flag supplied
sudo: PAM (sudo-i) no module name supplied
sudo: myuser : PAM account management error: Permission denied ; TTY=pts/1 ; PWD=/home/myuser ; USER=root ; COMMAND=/bin/bash

How can I give sudo permission again to my user?

asked Dec 25, 2019 at 10:24 by Jo Shepherd

You mentioned making changes to /etc/pam.d/system-auth (which should be a link to /etc/pam.d/system-auth-ac)… have you tried adding no_access_check after the first occurrence of account sufficient pam_vas3.so?

# cat system-auth-ac
...
account sufficient  pam_vas3.so no_access_check
...

answered Jan 20, 2022 at 23:24 by JayRugMan

We have a CentOS 7.7 system which is joined to a Microsoft AD domain using realmd/sssd. Sudo does work perfectly fine for local system users, however when we attempt to use sudo as an Active Directory user (ocftest) we get the following error:

sudo: PAM account management error: Permission denied

We are using the following version of sudo: sudo-1.8.23-9.el7.x86_64.rpm

The user can "ssh" perfectly fine to the system using their password. This issue comes up a few times after a bit of Googling, and commonly refers to adding the following to the "/etc/security/access.conf" file:

+ : ocftest : ALL
- : ALL : ALL

The users group with the same name (although I have tried the user) is present in the "/etc/sudoers.d/salt" file:

%ocftest@ad.domain.org ALL=(ALL) ALL

And just for completeness:

cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    include      system-auth

cat /etc/pam.d/sudo-i
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    include      sudo

cat /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_krb5.so

cat /etc/sssd/sssd.conf
[sssd]
domains = ad.domain.org
config_file_version = 2
services = nss, pam

[domain/ad.domain.org]
ad_domain = ad.domain.org
krb5_realm = AD.DOMAIN.ORG
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
ignore_group_members = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
enumerate = True
dyndns_update = False
auto_private_groups = true
ad_access_filter = (&(memberOf=OU=Users,OU=REDACTED,DC=redacted,DC=org))

[pam]


    The following sections give the debugging configuration steps for each operating system. The files, locations, and steps that you complete vary from one operating system to another.

    • AIX debugging
    • HP-UX debugging
    • RedHat debugging
    • Solaris debugging
    • SuSE debugging
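    Reading the captured log by hand is the slow part of the per-platform procedures that follow. The script below is an added example (not part of the IBM document or of any IBM tool) that does the triage over constructed syslog lines: it keys on the pam_<module>(<service>:<phase>): prefix that Linux-PAM modules put on their messages and reports which module, in which management phase, logged the refusal, so the document's symptom (credentials accepted, then "Permission denied") shows up as an account-phase denial.

```shell
#!/bin/sh
# Added example; not part of the IBM document or of any IBM tool. Triage the
# syslog text captured while ValidateUser runs: Linux-PAM modules prefix their
# messages with "pam_<module>(<service>:<phase>):", so the parser below can
# say which module, in which management phase (auth, account, password,
# session), logged the refusal. The log lines are constructed for this example.

sample_log() {
cat <<'EOF'
Mar  3 10:02:40 host ValidateUser[2390]: pam_sss(other:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=svc_ds
Mar  3 10:02:40 host ValidateUser[2390]: pam_sss(other:account): Access denied for user svc_ds: 6 (Permission denied)
Mar  3 10:02:40 host ValidateUser[2390]: pam_access(other:account): access denied for user svc_ds from localhost
Mar  3 10:03:01 host crond[2402]: pam_unix(crond:session): session opened for user root by (uid=0)
EOF
}

# stdin: syslog text. stdout: "module service phase" for each PAM message
# whose wording indicates a refusal.
pam_denials() {
    awk '
        tolower($0) ~ /denied|failure|locked|expired|not permitted/ {
            if (match($0, /pam_[A-Za-z0-9_]+\([^:)]+:[^)]+\)/)) {
                tag = substr($0, RSTART, RLENGTH)   # e.g. pam_sss(other:account)
                n = split(tag, p, /[():]/)          # p[1]=module p[2]=service p[3]=phase
                if (n >= 3) print p[1], p[2], p[3]
            }
        }'
}

# stdin: syslog text. stdout: the distinct modules that denied in phase $1,
# sorted and space separated; an empty line when there were none.
denying_modules() {
    pam_denials | awk -v phase="$1" '$3 == phase { print $1 }' | sort -u |
        awk 'NR > 1 { printf " " } { printf "%s", $0 } END { print "" }'
}

# stdin: syslog text. stdout: one-line verdict. The document's symptom,
# credentials accepted but "Permission denied", appears as: no auth-phase
# denial, one or more account-phase denials.
triage() {
    log=$(cat)
    auth_denied=$(printf '%s\n' "$log" | denying_modules auth)
    acct_denied=$(printf '%s\n' "$log" | denying_modules account)
    if [ -z "$auth_denied" ] && [ -n "$acct_denied" ]; then
        echo "auth phase passed; account phase denied by: $acct_denied"
    elif [ -n "$auth_denied" ]; then
        echo "auth phase denied by: $auth_denied"
    else
        echo "no PAM denial found"
    fi
}

sample_log | pam_denials
sample_log | triage
```

    On a real system, pipe the lines written to the target log file while ValidateUser ran into triage instead of sample_log; the account-phase module it names is the directive to examine first when reducing the stack.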

    AIX debugging

    • PAM debugging file: /etc/pam_debug
    • Syslog configuration file location: /etc/syslog.conf
    • Target log file: /tmp/debuglog
    • syslogd pid file: /etc/syslogd.pid

    Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslogd):

    1. Log in as root.
    2. Create the empty file /etc/pam_debug, for example by using the «touch /etc/pam_debug» command. The PAM library checks that this file exists to enable syslog output.
    3. Open the /etc/syslog.conf file and add the following line:
      *.debug /tmp/debuglog
    4. Run the following command to make sure that the /tmp/debuglog log file exists; if it does not, touch creates it as an empty plain text file. The logging daemon checks that this file exists to enable debugging.
      touch /tmp/debuglog
    5. Run the following command to open another syslogd for debugging. Allow the system syslogd to continue running in parallel with the debugging syslogd, which will run in the foreground.
      /usr/sbin/syslogd -d
    6. Open another terminal session and log in as root.
    7. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your user name
      password is your password

    8. View your original terminal session where the daemon is running and examine the debugging results in the /tmp/debuglog file.
    9. If you are finished debugging, press Ctrl + c to stop the debugging syslogd that is running in the foreground.

     

    The «Permission Denied» error typically indicates that a login restriction has been set in the /etc/security/user file. On AIX, PAM checks the /etc/security/user file for possible login errors, even when running the minimum stack. PAM checks this file independent of any special directives in the stack.

    The following error might occur when you run the ./ValidateUser command:

    Username is valid.
    Password is valid.
    [rc 7] PAM error description = Permission denied

    To resolve this error, check the login settings in the /etc/security/user file. If the user does not have a login setting or login=false, complete the following steps to change the login value to true.

    1. Log in as root.
    2. Back up the /etc/security/user file.
    3. Run the following command to modify the /etc/security/user file:
      vi /etc/security/user
    4. Modify the file to set login to true:
      login=true
    5. Save and close the /etc/security/user file.
    6. Run the InfoSphere Information Server installation program.
    7. Change the values in the /etc/security/user to the original values.
    8. Save and close the /etc/security/user file.

     

    See the following links for more information on debugging for PAM in an AIX environment:

    Enabling debugging for PAM

    syslogd daemon syntax

     


    HP-UX debugging

    • Syslog configuration file location: /etc/syslog.conf
    • Target log file: /var/adm/syslog/syslog.log
    • syslogd pid file: /var/run/syslog.pid

    Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslogd):

    1. Log in as root.
    2. From the command line, run the following command to create a dynamic display of the syslogd messages file, which might contain PAM runtime processing information:
      tail -f /var/adm/syslog/syslog.log
    3. Open another terminal session and log in as root.
    4. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your user name
      password is your password

    5. View your original terminal session where the daemon is running to examine the debugging results.

    As an optional step, run syslogd in debug mode to obtain PAM runtime information. You can use this information to help determine what files you need to change for the ValidateUser utility to run successfully:

    1. Log in as root.
    2. From the command line, run the following command to determine if syslogd is running:
      ps -ef | grep syslogd
    3. Run the following command to edit the syslog.conf file:
      vi /etc/syslog.conf
    4. Optional: Run the following command to force syslogd to read the contents of the /etc/syslog.conf file:
      kill -HUP `cat /var/run/syslog.pid`
    5. Add the following line in the syslog.conf file:
      *.debug /var/adm/syslog/syslog.log
    6. Run the following command to stop syslogd:
      kill `cat /var/run/syslogd.pid`
    7. Restart syslogd:
      /usr/sbin/syslogd -d
    8. Run the following command to create a dynamic display of the syslogd messages file, which might contain PAM runtime processing information:
      tail -f /var/adm/syslog/syslog.log
    9. Open another terminal session and log in as root.
    10. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your user name
      password is your password

    11. View your original terminal session where the daemon is running and examine the contents of
      /var/adm/syslog/syslog.log.
    12. Run the following command to stop syslogd:
      kill `cat /var/run/syslogd.pid`
    13. Restart syslogd:
      /usr/sbin/syslogd -d


    RedHat debugging

    • Syslog configuration file location: /etc/rsyslog.conf
    • Target log file: /var/log/messages
    • syslogd pid file: /var/run/syslogd.pid

    Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslogd):

    1. Log in as root.
    2. Open the /etc/rsyslog.conf file and add the following line at the end of the file to force the daemon to generate debugging output. This information is captured in the /var/log/messages file.
      *.debug /var/log/messages
    3. Save and close the rsyslog.conf file.
    4. From the command line, run the following command to create a dynamic display of the syslogd messages file, which might contain PAM runtime processing information:
      tail -f /var/log/messages
    5. Run the following command to invoke another syslogd for debugging. Allow the system syslogd to continue running in parallel with the debugging syslogd, which will run in the foreground.
      /sbin/rsyslogd -d -i /tmp/rsyslogd.pid
    6. Open another terminal session and log in as root.
    7. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your Engine tier OS user name
      password is the Engine tier OS user's password

    8. View your original terminal session where the daemon is running to examine the debugging results.
    9. If you are finished debugging, press Ctrl + c to stop the debugging rsyslogd that is running in the foreground. Check whether the PID in the /tmp/rsyslogd.pid file is still alive by using "ps -ef | grep syslogd"; if it is, kill that process with the "kill `cat /tmp/rsyslogd.pid`" command. Restore /etc/rsyslog.conf by deleting the line that you added in step 2.


    Solaris debugging

    • Syslog configuration file location: /etc/syslog.conf
    • Target log file: /var/log/authlog
    • syslogd pid file: /etc/syslogd.pid

    Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslogd):

    1. Log in as root.
    2. From the command line, run the following command to create a dynamic display of the syslogd messages file, which might contain PAM runtime processing information:
      tail -f /var/log/authlog
    3. Open another terminal session and log in as root.
    4. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your user name
      password is your password

    5. View your original terminal session where the daemon is running to examine the debugging results.

    As an optional step, run syslogd in debugging mode to obtain PAM runtime information, which is saved to the /var/log/pamlog file:

    1. Log in as root.
    2. Run the following command to back up the syslog.conf file:
      cp /etc/syslog.conf /etc/syslog.conf.bak
    3. From the command line, run the following command to edit the syslog.conf file:
      vi /etc/syslog.conf
    4. Add the following lines to the syslog.conf file to enable debugging:
      auth.alert /dev/console
      auth.info;auth.debug /var/log/pamlog
    5. Run the following command to ensure that the PAM log file exists.
      touch /var/log/pamlog
    6. Run the following command to back up the pam.conf file:
      cp /etc/pam.conf /etc/pam.conf.bak
    7. Run the following command to edit the pam.conf file:
      vi /etc/pam.conf
    8. Optional: Add a debugging statement, debug, to the following lines in the pam.conf file:
      other auth requisite pam_authtok_get.so.1 debug
      other auth required pam_unix_auth.so.1 debug
      other account required pam_unix_account.so.1 debug
      other password requisite pam_authtok_get.so.1 debug
      other password requisite pam_authtok_check.so.1 debug
      other password required pam_authtok_store.so.1 debug
    9. Run the following command to stop syslogd:
      kill `cat /var/run/syslogd.pid`
    10. Restart syslogd in debugging mode:
      /usr/sbin/syslogd
    11. Open another terminal session and log in as root.
    12. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your user name
      password is your password

    13. View your original terminal session where the daemon is running and examine the debugging results in the /var/log/authlog file.
    14. If you are finished debugging, run the following commands to restore the configuration files to their original state:
      cp /etc/syslog.conf.bak /etc/syslog.conf
      cp /etc/pam.conf.bak /etc/pam.conf
    15. Run the following command to stop syslogd:
      kill `cat /var/run/syslogd.pid`
    16. Restart syslogd:
      /usr/sbin/syslogd -d


    SuSE debugging

    syslog-ng is the equivalent of the syslogd logging daemon on other Linux and UNIX systems.

    • Syslog configuration file location: /etc/syslog-ng/syslog-ng.conf
    • Target log file: /var/log/messages
    • syslog-ng pid file: /var/run/syslog-ng.pid

    Complete the following steps to check for PAM runtime debugging information (you do not need to bounce syslog-ng):

    1. Log in as root.
    2. From the command line, run the following command to create a dynamic display of the syslog-ng messages file, which might contain PAM runtime processing information:
      tail -f /var/log/messages
    3. Open another terminal session and log in as root.
    4. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your user name
      password is your password

    5. View your original terminal session where the daemon is running to examine the debugging results.

    As an optional step, run syslog-ng in debugging mode to obtain PAM runtime information. You can use this information to help determine what files you must change for the ValidateUser utility to run successfully:

    1. Log in as root.
    2. From the command line, run the following command to stop the syslog-ng daemon:
      kill `cat /var/run/syslog-ng.pid`
    3. Start syslog-ng in debugging mode:
      /sbin/syslog-ng -d
    4. Open another terminal session and log in as root.
    5. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your user name
      password is your password

    6. View your original terminal session where the daemon is running to examine the debugging results.
    7. If you are finished debugging, you must stop the daemon and then restart it in non-debug mode:
      1. Stop the syslog-ng daemon:
        kill `cat /var/run/syslog-ng.pid`
      2. Restart syslog-ng in non-debug mode:
        /sbin/syslog-ng


    Resolving The Problem

    The following techniques provide a means to circumvent PAM restrictions and should be viewed as workarounds.

    When the “Permission denied” error is caused by a user login restriction, you must disable the restriction while the InfoSphere Suite Installer is running. Also, you might need to comment out directives in your PAM configuration file to reduce the PAM stack to the minimum configuration to achieve the following results:

    • Proceed with the installation of InfoSphere Information Server
    • Identify the PAM directives that are inhibiting user authentication

    Reducing the PAM stack (Linux, UNIX)

    For your operating system, complete the following steps to reduce the PAM stack:

    1. Log in as root.
    2. Back up all files that you intend to modify.
    3. Open the PAM configuration files and comment out all of the directives that are not listed as minimum requirements for the ValidateUser utility to run. See Minimum PAM configuration file directives for a list of the files that are required based on your operating system.
    4. Save and close the configuration files.
    5. Invoke the ValidateUser utility with arguments:
      install_directory/_uninstall/tools/ValidateUser -validate user password

      install_directory is the directory where you installed InfoSphere Information Server
      user is your user name
      password is your password

    6. If the ValidateUser utility runs successfully, proceed with the installation of InfoSphere Information Server. If the ValidateUser utility ran with errors, fix the errors and run the utility again.
    7. After the installation program completes successfully, open each configuration file and uncomment all directives that you commented out in step 3.


    Minimum PAM configuration file directives

    The following configuration file directives represent the minimum requirements for the ValidateUser utility to run correctly. The directives that are required vary based on your operating system.

    AIX

    All required directives are in the /etc/pam.conf file.

    Minimum PAM directives for AIX

    File      Required directives
    login     account   required  /usr/lib/security/pam_aix
    passwd    password  required  /usr/lib/security/pam_aix

    HP-UX

    All required directives are in the /etc/pam.conf file.

    Minimum PAM directives for HP-UX

    File      Required directives
    OTHER     auth      required  libpam_unix.so.1
              account   required  libpam_unix.so.1
              password  required  libpam_unix.so.1 try_first_pass

    RedHat

    All required files are located in the /etc/pam.d directory. The /etc/security directory is not required to run the ValidateUser utility.

    Minimum PAM directives for RedHat

    File          Required directives
    system-auth   auth      sufficient  pam_unix.so
                  account   required    pam_unix.so
                  password  requisite   pam_cracklib.so
    passwd        auth      include     system-auth
                  account   include     system-auth
                  password  include     system-auth

    Solaris

    All required directives are in the /etc/pam.conf file.

    Minimum PAM directives for Solaris

    File      Required directives
    other     auth      requisite  pam_authtok_get.so.1
              auth      required   pam_unix_auth.so.1
              account   required   pam_unix_account.so.1
              password  requisite  pam_authtok_get.so.1
              password  requisite  pam_authtok_check.so.1
              password  required   pam_authtok_store.so.1

    SuSE

    All required files are located in the /etc/pam.d directory. The /etc/security directory is not required to run the ValidateUser utility.

    Minimum PAM directives for SuSE

    File              Required directives
    common-account    account   required   pam_unix2.so
    common-auth       auth      required   pam_unix2.so
    common-password   password  requisite  pam_pwcheck.so nullok cracklib
    common-auth       auth      include    system-auth
                      account   include    common-account
                      password  include    common-password


