Problem: Commands that call the Centrify DirectControl PAM module fail with 'Permission denied' when adclient is joined to a domain but stopped, on Red Hat Enterprise Linux / CentOS 7.6.

For example:

[super@centos76v1 ~]$ sudo /usr/share/centrifydc/bin/centrifydc stop
Centrify DirectControl stopped.
[super@centos76v1 ~]$ sudo /usr/sbin/adflush -f
sudo: PAM account management error: Permission denied
[super@centos76v1 ~]$ sudo /usr/share/centrifydc/bin/centrifydc start
sudo: PAM account management error: Permission denied

Note that once adclient has been stopped, even the sudo command that would start it again fails, because sudo itself goes through the PAM account-management stage.
Cause: No rescue right has been assigned to any local user, so apu.lst is empty; this is expected when DirectAudit (DA) supports AuditRequired. The local user was also never added to user.ignore, so the user is not in the user.ignore list, again as expected. Because the local user is neither rescue-entitled nor ignored, the Centrify PAM module still handles the account-management stage for that user, and with adclient stopped that stage fails. This issue is related to the recent rh7-sudo-1.8.23 enhancement described here: https://access.redhat.com/solutions/3679241
Resolution: While adclient is not running, local users that need to authenticate through PAM (including via sudo) must be listed in user.ignore.
Adding the user to the user.ignore file works as long as the user's audit level is not intended to be "AUDIT_REQUIRED" or "DO_NOT_AUDIT", because the default audit level for users in the user.ignore list is "AUDIT_IF_POSSIBLE". Check which local interactive accounts are still missing from user.ignore before stopping adclient, so that at least one of them can run sudo to start it again.
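The following is an added example, not part of the original article and not a Centrify-supplied tool. It adds a local account to user.ignore only if it is not already listed (guarding against a missing trailing newline in the existing file), and lists the local interactive accounts (UID 1000 and above) that are not yet ignored and would therefore hit the PAM account-management error while adclient is stopped. It assumes the default file location /etc/centrifydc/user.ignore and the default /etc/passwd; both paths can be overridden, which is also how the example is exercised against scratch copies.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling). Manage entries in the
# Centrify user.ignore file so local accounts keep working through PAM
# while adclient is stopped. Assumption: the file lives at the default
# path /etc/centrifydc/user.ignore and holds one username per line.

IGNORE_FILE="${IGNORE_FILE:-/etc/centrifydc/user.ignore}"

# is_ignored USER [FILE]: succeed only if USER appears as a whole line.
is_ignored() {
    user="$1"
    file="${2:-$IGNORE_FILE}"
    [ -f "$file" ] && grep -qx -- "$user" "$file"
}

# ensure_ignored USER [FILE]: append USER unless already present.
# If the existing file lacks a trailing newline, add one first so the new
# entry does not get glued onto the last line (which grep -x would miss).
ensure_ignored() {
    user="$1"
    file="${2:-$IGNORE_FILE}"
    is_ignored "$user" "$file" && return 0
    if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$user" >> "$file"
}

# missing_local_users [PASSWD] [FILE]: print the local interactive accounts
# (UID >= 1000, the RHEL default for ordinary users; nfsnobody excluded)
# that are not yet in user.ignore. These are the accounts that would get
# 'PAM account management error: Permission denied' once adclient stops.
missing_local_users() {
    passwd="${1:-/etc/passwd}"
    file="${2:-$IGNORE_FILE}"
    awk -F: '$3 >= 1000 && $1 != "nfsnobody" { print $1 }' "$passwd" |
    while IFS= read -r u; do
        is_ignored "$u" "$file" || printf '%s\n' "$u"
    done
}
```

Run it as root before stopping adclient, for example `. ./user_ignore.sh; missing_local_users; ensure_ignored super`. The same functions work against scratch copies of passwd and user.ignore when both path arguments are given.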