KB-11752: sudo Command Generates Validation Failure With Message "Account cannot be accessed at this time"

Authentication Service

14 February,19 at 09:53 PM

After applying an operating system patch that updates the native sudo package to version 1.8.23 (see Note below), the following error appears when a user runs a sudo command:
Account cannot be accessed at this time.
Please contact your system administrator.
sudo: account validation failure, is your account locked?

This error occurs when the computer is joined to a Centrify Standard 2307 zone. 

The following messages can be seen in the debug log:
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > dz.interface SAM, is user cn=one test,ou=testusers,ou=staff,dc=centrifyimage,dc=vms allowed to use PAM sudo? N

adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > base.except Module=Base : User 'one' denied access to application 'sudo' by DirectAuthorize (rc: 0)

The newer version of sudo requires the user to authenticate through the PAM stack. Because previous versions did not require this, PAM access for sudo has not been configured through Access Manager.
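To see which users and applications are affected on a host, the two debug messages above can be paired by adclient process ID and file descriptor. The script below is an added example, not Centrify code; the function name, the sample lines beyond the two quoted above, and the assumption that any answer other than "N" means access was allowed are all illustrative.

```python
import re
from collections import defaultdict

# Both messages share this prefix; pid and fd tie a check to its denial.
PREFIX = r"adclient\[(?P<pid>\d+)\]: DEBUG <fd:(?P<fd>\d+) PAMIsUserAllowedAccess3 > "
CHECK = re.compile(PREFIX + r"dz\.interface SAM, is user (?P<dn>.+) allowed to use "
                   r"PAM (?P<app>[^\s?]+)\? (?P<answer>\S+)\s*$")
DENY = re.compile(PREFIX + r"base\.except Module=Base : User '(?P<user>[^']+)' denied "
                  r"access to application '(?P<app>[^']+)' by DirectAuthorize")

# Constructed sample: the first two lines are the ones quoted in this article,
# the rest are made up (unrelated noise, and a denial whose check line is missing).
SAMPLE_LOG = """\
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > dz.interface SAM, is user cn=one test,ou=testusers,ou=staff,dc=centrifyimage,dc=vms allowed to use PAM sudo? N
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > base.except Module=Base : User 'one' denied access to application 'sudo' by DirectAuthorize (rc: 0)
adclient[79354]: DEBUG <fd:16 constructed noise > unrelated message
adclient[79360]: DEBUG <fd:21 PAMIsUserAllowedAccess3 > base.except Module=Base : User 'two' denied access to application 'sudo' by DirectAuthorize (rc: 0)
"""

def missing_pam_rights(lines):
    """Map each denied PAM application to {short user name: DN or None}."""
    pending = {}                 # (pid, fd, app) -> DN from an "N" check line
    denied = defaultdict(dict)
    for line in lines:
        check = CHECK.search(line)   # search() tolerates syslog prefixes
        if check:
            key = (check["pid"], check["fd"], check["app"])
            if check["answer"] == "N":
                pending[key] = check["dn"]
            else:                # assumption: any other answer means allowed
                pending.pop(key, None)
            continue
        deny = DENY.search(line)
        if deny:
            dn = pending.pop((deny["pid"], deny["fd"], deny["app"]), None)
            users = denied[deny["app"]]
            if dn or deny["user"] not in users:   # keep a DN once we have one
                users[deny["user"]] = dn
    return {app: dict(users) for app, users in denied.items()}

if __name__ == "__main__":
    for app, users in missing_pam_rights(SAMPLE_LOG.splitlines()).items():
        for user, dn in sorted(users.items()):
            print(f"PAM right '{app}' missing for {user} ({dn or 'DN not logged'})")
```

Each application reported is one that needs a PAM Access right defined and added to the user's login role, as in the steps that follow.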

Reverting the sudo package to an older release will work around this issue.

In the Standard 2307 zone, PAM access to applications must be explicitly defined.  The following steps detail how to add the PAM access.

1) Define the PAM Access in Access Manager.
a) In Access Manager, open the zone -> Rights folder
b) Right click on PAM Access and select Add PAM Access Right

c) Define the right as seen in the image below
User-added image

2) Add the Access to the login role
a) In Access Manager, open the zone -> Roles folder
b) Find the Role that is assigned to the user that allows for login.  (In the image below, the Role is named "Login"). Right click on the Role and select Properties
User-added image

c) In the Properties dialog box, on the PAM Access tab, select Add
d) Pick the newly defined sudo right from the list of applications and then pick OK


3) On the Linux machine, flush the cache and check that the access is granted
User-added image
4) Test the access
User-added image

Note:  The version of sudo can be found by performing this rpm command:
User-added image