One user unable to sudo on specific EC2 instances (g4/g5.*). PAM account management error is thrown while trying to sudo

0

We have multiple EC2 machines in our account, all AL2. One user is unable to sudo on specific instance types (g4/g5), while others can. The user is a part of sudoers and other users able to sudo on the same instance types. This becomes weirder when this user is able to sudo on other instance types (c5, m5, etc.).

Error thrown is PAM account management error: Authentication service cannot retrieve authentication info ; TTY=pts/2 ; PWD=/home/<userid>; USER=root ; COMMAND=/usr/bin/su

The users on these servers are authenticated using sssd hitting the enterprise LDAP server, so they are not created locally.

We upgraded/downgraded the sudo version but it did not help. Any advise would be appreciated.

[root@ip-100-x-x-x log]# cat /etc/os-release NAME="Amazon Linux" VERSION="2" ID="amzn" ID_LIKE="centos rhel fedora" VERSION_ID="2" PRETTY_NAME="Amazon Linux 2" ANSI_COLOR="0;33" CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2" HOME_URL="https://amazonlinux.com/"

질문됨 일 년 전272회 조회
1개 답변
0

Hello,

I understand that you are experiencing issue while performing sudo for specific user.

I would request you to check the sssd configuration and consider disabling implicit files domain for id_provider = files if not already done. Please modify the below parameter in the /etc/sssd/sssd.conf:

enable_files_domain=False

Once the above changes are done. Please restart sssd, make sure to clear the cache while performing the operation and verify sudo access.

However if you still experience issues after making the changes, you may consider checking the below commands/logs to troubleshoot further:

$ id username $ getent passwd username

logs: /var/log/messages /var/log/secure sssd logs

You may also consider enabling debug logs on the sssd to get more clues on the issue.

AWS
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠