Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-11752: sudo Command Generates Validation Failure With Message "Account cannot be accessed at this time"

Authentication Service ,  

14 February,19 at 09:53 PM

Problem:
  
After applying a patch to the operating system that updates the version of the native sudo package to 1.8.23 (see Note below), the following error appears when a user does a sudo command:
 
Account cannot be accessed at this time.
Please contact your system administrator.
sudo: account validation failure, is your account locked?
 
User-added image

This error occurs when the computer is joined to a Centrify Standard 2307 zone. 

The following messages can be seen in the debug log:
  
adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > dz.interface SAM, is user cn=one test,ou=testusers,ou=staff,dc=centrifyimage,dc=vms allowed to use PAM sudo? N

adclient[79354]: DEBUG <fd:16 PAMIsUserAllowedAccess3 > base.except Module=Base : User 'one' denied access to application 'sudo' by DirectAuthorize (rc: 0)
 

Cause:  
  
The newer version of sudo requires the user to authenticate through the PAM stack. Since previous versions do not require this, the PAM access has not been configured through Access Manager.

Workaround:
  
 Reverting the sudo package to an older release will workaround this issue.


Resolution:
  
In the Standard 2307 zone, PAM access to applications must be explicitly defined.  The following steps detail how to add the PAM access.

1) Define the PAM Access in Access Manager.
  
a) In Access Manager, open the zone -> Rights folder
  
b) Right click on PAM Access and select Add PAM Access Right
  
User-added image

    
c) Define the right as seen in the image below
  
User-added image

  
2) Add the Access to the login role
  
a) In Access manager, open the zone -> Roles folder
  
b) Find the Role that is assigned to the user that allows for login.  (In the image below, the Role is named "Login"). Right click on the Role and select Properties
  
User-added image
  

c) In the Properties dialog box, on the PAM Access tab, select Add
  
d) Pick the newly defined sudo right from the list of applications and then pick OK
  
User-added image
  

3) On the Linux machine, flush the cache and check that the access is granted
    
User-added image
  
 
4) Test the access
  
User-added image
  

Note:  The version of sudo can be found by performing this rpm command:
  
User-added image

Related Articles

 articleKB-2370: "Account cannot be accessed at this time" articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I