One user unable to sudo on specific EC2 instances (g4/g5.*). PAM account management error is thrown while trying to sudo

0

We have multiple EC2 machines in our account, all AL2. One user is unable to sudo on specific instance types (g4/g5), while others can. The user is a part of sudoers and other users are able to sudo on the same instance types. This becomes weirder when this user is able to sudo on other instance types (c5, m5, etc.).

Error thrown is PAM account management error: Authentication service cannot retrieve authentication info ; TTY=pts/2 ; PWD=/home/<userid>; USER=root ; COMMAND=/usr/bin/su

The users on these servers are authenticated using sssd hitting the enterprise LDAP server, so they are not created locally.

We upgraded/downgraded the sudo version but it did not help. Any advice would be appreciated.

[root@ip-100-x-x-x log]# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

asked a year ago, 285 views
1 Answer
0

Hello,

I understand that you are experiencing an issue while performing sudo for a specific user.

I would request you to check the sssd configuration and consider disabling the implicit files domain for id_provider = files if not already done. Please modify the parameter below in /etc/sssd/sssd.conf:

enable_files_domain=False

Once the above changes are done, please restart sssd, making sure to clear the cache while performing the operation, and verify sudo access.

However if you still experience issues after making the changes, you may consider checking the below commands/logs to troubleshoot further:

$ id username
$ getent passwd username

Logs: /var/log/messages, /var/log/secure, sssd logs

You may also consider enabling debug logs on the sssd to get more clues on the issue.

AWS
answered a year ago
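
The checks suggested in the answer above can be scripted when several instances need comparing. The following is an added example, not part of the original answer and not AWS code: one helper reports the enable_files_domain value set in the [sssd] section of an sssd.conf, the other counts, per user, the sudo entries in a secure log that failed with the PAM account management error from the question. The function names, the users "jdoe" and "asmith", the domain "corp" and the sample log lines are constructed for illustration.

```shell
# Added example: triage helpers for the sssd/sudo checks above.
# All sample data below is constructed for illustration.

# Print the enable_files_domain value from the [sssd] section, or "unset".
files_domain_setting() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && $1 ~ /^[ \t]*enable_files_domain[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); val = tolower(v)
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# List "user count" for sudo entries that failed in the PAM account phase.
pam_acct_failures() {
    awk '
        / sudo(\[[0-9]+\])?: / && /PAM account management error/ {
            # sudo logs "<user> : <message> ; TTY=... ; ..."
            sub(/^.* sudo(\[[0-9]+\])?: +/, "")
            split($0, f, " : ")
            gsub(/[ \t]/, "", f[1])
            n[f[1]]++
        }
        END { for (u in n) print u, n[u] }
    ' "$1" | sort
}

# Write constructed sample inputs (hypothetical users) into a directory.
make_samples() {
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
domains = corp
# enable_files_domain = True
enable_files_domain = False

[domain/corp]
id_provider = ldap
EOF
    cat > "$1/secure" <<'EOF'
Mar  3 10:15:02 ip-100-0-0-1 sudo: jdoe : PAM account management error: Authentication service cannot retrieve authentication info ; TTY=pts/2 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/su
Mar  3 10:16:40 ip-100-0-0-1 sudo: asmith : TTY=pts/3 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/su
Mar  3 10:17:11 ip-100-0-0-1 sudo: jdoe : PAM account management error: Authentication service cannot retrieve authentication info ; TTY=pts/2 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/id
EOF
}

d=$(mktemp -d)
make_samples "$d"
echo "enable_files_domain: $(files_domain_setting "$d/sssd.conf")"
pam_acct_failures "$d/secure"
```

On a real host, point the two functions at /etc/sssd/sssd.conf and /var/log/secure (both normally need root to read) and compare the output between a g4/g5 instance and one where sudo works.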
