Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-23830: Error on AIX 7.2 "sudo: account expired or PAM config lacks an 'account' section for sudo, contact your system administrator"

Authentication Service ,  

14 November,19 at 05:08 PM

Problem:
Even before the Centrify agent is installed, when attempting to use sudo on an AIX 7.2 system the following error is seen:
 "sudo: account expired or PAM config lacks an 'account' section for sudo, contact your system administrator"

Resolution: 
As sudo is now looking for its own PAM stack the following lines must be entered in to the /etc/pam.conf  file:

sudo auth required pam_aix
sudo account required pam_aix
sudo password required pam_aix
sudo session required pam_aix

sudo-i auth required pam_aix
sudo-i account required pam_aix
sudo-i password required pam_aix
sudo-i session required pam_aix

**NOTE** If this error is seen after upgrading the OS on a system is already running the Centrify Agent it is recommended that you perform an "adleave" then add the entries and verify Sudo is working without error. Onvce verified run an "adjoin" again to allow Centrify to update the new entries in the PAM stack to point to the Centrify PAM modules as this is done at join time. 

If the system cannot have the "adleave" and "adjoin" process done on it  the following should be added to the /etc/pam.conf file BEFORE the lines above:
sudo    auth    sufficient    pam_centrifydc
sudo    auth    requisite    pam_centrifydc deny
sudo    account    sufficient    pam_centrifydc
sudo    account    requisite    pam_centrifydc deny
sudo    password    sufficient    pam_centrifydc try_first_pass
sudo    password    requisite    pam_centrifydc deny
sudo    session    required    pam_centrifydc homedir
sudo-i    auth    sufficient    pam_centrifydc
sudo-i    auth    requisite    pam_centrifydc deny
sudo-i    account    sufficient    pam_centrifydc
sudo-i    account    requisite    pam_centrifydc deny
sudo-i    password    sufficient    pam_centrifydc try_first_pass
sudo-i    password    requisite    pam_centrifydc deny
sudo-i    session    required    pam_centrifydc homedir

Related Articles

 articleKB-9105: Authentication fails on AIX 7.2 when unixname is longer than 8 characters articleKB-9656: AIX v7.1, 7.2 is not working properly after update with latest patch articleKB-18829: adcdiag failed with certificate error on solaris/AIX/HP-UX machines articleKB-11817: Samba invalid SID error when samaccountname not equal to unixname articleKB-8974: Centrify TL support details for AIX platform articleKB-45176: Active Directory users are unable to log on to AIX 7.x systems after applying OS Patches articleCentrify Server Suite 2017 - What's New and What to Plan For articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I