Problem:
After applying a patch to the operating system that updates the version of the native sudo package to 1.8.23 (see Note below), the following error appears when a user does a sudo command:
Account cannot be accessed at this time.
Please contact your system administrator.
sudo: account validation failure, is your account locked?
This error occurs when the computer is joined to a Centrify Standard 2307 zone.
The following messages can be seen in the debug log:
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > dz.interface SAM, is user cn=one test,ou=testusers,ou=staff,dc=centrifyimage,dc=vms allowed to use PAM sudo? N
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > base.except Module=Base : User 'one' denied access to application 'sudo' by DirectAuthorize (rc: 0)
Cause:
The newer version of sudo requires the user to pass the PAM account stage. Because previous versions did not require this, PAM access for sudo was never configured through Access Manager, so DirectAuthorize denies the request.
Workaround:
Reverting the sudo package to an older release will work around this issue.
Resolution:
In the Standard 2307 zone, PAM access to applications must be explicitly defined. The following steps detail how to add the PAM access.
1) Define the PAM Access in Access Manager.
a) In Access Manager, open the zone -> Rights folder
b) Right-click on PAM Access and select Add PAM Access Right
c) Define the right as seen in the image below
2) Add the Access to the login role
a) In Access Manager, open the zone -> Roles folder
b) Find the Role assigned to the user that grants login. (In the image below, the Role is named "Login".) Right-click on the Role and select Properties
c) In the Properties dialog box, on the PAM Access tab, select Add
d) Pick the newly defined sudo right from the list of applications and then pick OK
3) On the Linux machine, flush the adclient cache and confirm that the access is granted
4) Test the access
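The following script is an added example, not code from the Centrify article or product. It parses adclient debug output of the form shown in the "Problem" section, extracting each PAMIsUserAllowedAccess decision and each DirectAuthorize denial, so that the sudo denial can be confirmed from the log before the PAM Access Right is added (step 1) and its absence confirmed after the cache flush and test (steps 3 and 4). The sample log lines are constructed from the two messages quoted above plus one allowed check for another PAM application.

```shell
#!/bin/sh
# Added example, not code from the Centrify article: scan adclient debug
# output for DirectAuthorize PAM decisions, so the "denied access to
# application 'sudo'" symptom can be confirmed from logs before the PAM
# Access Right is added, and its absence confirmed afterwards.

# Constructed sample lines, modelled on the two debug messages in the article
# plus one allowed check for another PAM application.
sample_log() {
  cat <<'EOF'
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > dz.interface SAM, is user cn=one test,ou=testusers,ou=staff,dc=centrifyimage,dc=vms allowed to use PAM sudo? N
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > base.except Module=Base : User 'one' denied access to application 'sudo' by DirectAuthorize (rc: 0)
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > dz.interface SAM, is user cn=two test,ou=testusers,ou=staff,dc=centrifyimage,dc=vms allowed to use PAM sshd? Y
EOF
}

# Print "<decision> <application> <user DN>" for every PAMIsUserAllowedAccess
# check read from stdin (decision is Y or N).
pam_checks() {
  sed -n 's/.*is user \(.*\) allowed to use PAM \([^?]*\)? \([YN]\).*/\3 \2 \1/p'
}

# Print "<user> <application>" for every DirectAuthorize denial read from stdin.
pam_denials() {
  sed -n "s/.*User '\([^']*\)' denied access to application '\([^']*\)' by DirectAuthorize.*/\1 \2/p"
}

# Exit 0 if stdin contains a DirectAuthorize denial for the named PAM
# application (e.g. sudo), 1 otherwise. Usable as a post-fix check: after
# the right is added and the cache flushed, a fresh log should give exit 1.
denied_for_app() {
  pam_denials | awk -v app="$1" '$2 == app { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Stand-alone demonstration on the constructed sample.
sample_log | pam_checks
sample_log | pam_denials
if sample_log | denied_for_app sudo; then
  echo "sudo is denied by DirectAuthorize: add a PAM Access Right for sudo to the login role"
fi
```

To use it on a real host, pipe the adclient debug log into `pam_denials` or `denied_for_app sudo` instead of `sample_log`. The cache flush and rights query in step 3 are done with the agent's own tools (Centrify's `adflush` and `dzinfo` utilities, named here as an assumption since the article does not list them); the script only covers the log-side confirmation.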
Note: The version of sudo can be found by performing this rpm command: