
#1 2019-03-16 18:02:20

c.monty
Member
Registered: 2017-10-27
Posts: 18

Error: sudo: account validation failure, is your account locked

Hi,

I have created local user account locadmin and added this user to group wheel:

useradd -m -G wheel -s /bin/bash locadmin

The intention is to deactivate root and use this account for local system administration.

In sudoers file the configuration is modified accordingly:

[root@pc7-cubi3 ~]# more /etc/sudoers | grep wheel
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL

However I cannot execute any sudo command; the error reported is:

[locadmin@pc7-cubi3 ~]$ sudo fdisk -l
[sudo] Passwort für locadmin:
[sudo] Passwort für locadmin:
sudo: account validation failure, is your account locked?

I wonder why I have to enter the password twice; maybe this is related to activated ldap/kerberos authentication for other user accounts.

Any advice to fix this issue is appreciated.

THX

Last edited by c.monty (2019-03-16 18:04:07)

Offline

#2 2019-03-16 18:24:38

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,842
Website

Re: Error: sudo: account validation failure, is your account locked

Can we please see

groups locadmin
passwd -S locadmin

Also:

[root@pc7-cubi3 ~]# more /etc/sudoers | grep wheel

^ Useless use of `more` :D

Correct invocation:

grep wheel /etc/sudoers

You should probably post the entire sudoers file though.

Full details of your kerberos configuration may also be appropriate.


Jin, Jîyan, Azadî

Offline

#3 2019-03-16 18:50:19

c.monty
Member
Registered: 2017-10-27
Posts: 18

Re: Error: sudo: account validation failure, is your account locked

[root@pc7-cubi3 ~]# groups locadmin
wheel locadmin
[root@pc7-cubi3 ~]# passwd -S locadmin
locadmin P 03/16/2019 0 99999 7 -1

LDAP / Kerberos authentication is irrelevant for local user account, here locadmin.

This is the only active part in sudoers file:

[...]
## User privilege specification
##
root ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
[...]

This issue occurred since updating the system today.

Last edited by c.monty (2019-03-16 18:53:13)

Offline

#4 2019-03-16 18:56:26

loqs
Member
Registered: 2014-03-06
Posts: 18,467

Re: Error: sudo: account validation failure, is your account locked

c.monty wrote:

LDAP / Kerberos authentication is irrelevant for local user account, here locadmin.

You have made no changes to the pam stack used by sudo when you added LDAP / Kerberos integration?

c.monty wrote:

This issue occurred since updating the system today.

What was updated today?

Last edited by loqs (2019-03-16 18:56:48)

Offline

#5 2019-03-16 18:58:53

Head_on_a_Stick
Member
From: The Wirral
Registered: 2014-02-20
Posts: 8,842
Website

Re: Error: sudo: account validation failure, is your account locked

How about `sudo -l` (ell for lima) as the locadmin user?

c.monty wrote:

This issue occurred since updating the system today.

Do you mean that things were working fine before the update?

If so, which packages were updated and does downgrading them fix things?


Jin, Jîyan, Azadî

Offline

#6 2019-03-16 19:04:31

c.monty
Member
Registered: 2017-10-27
Posts: 18

Re: Error: sudo: account validation failure, is your account locked

The system updated hundreds of packages including kernel 5.x

The output of sudo -l is the same as with any other sudo command:

[locadmin@pc7-cubi3 ~]$ sudo -l
[sudo] Passwort für locadmin:
[sudo] Passwort für locadmin:
sudo: account validation failure, is your account locked?

To me it looks like verification is checking only LDAP but not local sudoers file.
locadmin is a local account and therefore only local rules should be applied.

The pam stack was modified for Online and Offline Authentication with SSSD according to Wiki.

Last edited by c.monty (2019-03-16 19:08:19)

Offline

#7 2019-03-16 20:53:54

seth
Member
Registered: 2012-09-03
Posts: 65,480

Re: Error: sudo: account validation failure, is your account locked

Including https://wiki.archlinux.org/index.php/LD … nable_sudo ?
Can you sudo for other accounts?

Online

#8 2019-03-16 21:21:01

c.monty
Member
Registered: 2017-10-27
Posts: 18

Re: Error: sudo: account validation failure, is your account locked

seth wrote:

Including https://wiki.archlinux.org/index.php/LD … nable_sudo ?
Can you sudo for other accounts?

I didn't change any config that was working before system update.
This includes /etc/pam.d/sudo:

[locadmin@pc7-cubi3 ~]$ more /etc/pam.d/sudo
#%PAM-1.0
auth            sufficient      pam_sss.so
auth            required        pam_unix.so try_first_pass
auth            required        pam_nologin.so

Any other accounts are using LDAP and don't have sudo authorisation.

This is the sudo debug log:

[root@pc7-cubi3 ~]# cat /var/log/sudo_debug.log | grep 22:23:4
Mar 16 22:23:40 sudo[17832] <- getln @ ./tgetpass.c:422 := *****
Mar 16 22:23:40 sudo[17832] -> tgetpass_display_error @ ./tgetpass.c:95
Mar 16 22:23:40 sudo[17832] <- tgetpass_display_error @ ./tgetpass.c:110
Mar 16 22:23:40 sudo[17832] -> sudo_term_restore_v1 @ ./term.c:156
Mar 16 22:23:40 sudo[17832] <- sudo_term_restore_v1 @ ./term.c:164 := true
Mar 16 22:23:40 sudo[17832] <- tgetpass @ ./tgetpass.c:268 := *****
Mar 16 22:23:40 sudo[17832] <- auth_getpass @ ./auth/sudo_auth.c:468 := *****
Mar 16 22:23:40 sudo[17832] <- converse @ ./auth/pam.c:613 := 0
Mar 16 22:23:40 sudo[17832] <- sudo_pam_verify @ ./auth/pam.c:194 := 0
Mar 16 22:23:40 sudo[17832] <- verify_user @ ./auth/sudo_auth.c:364 := 1
Mar 16 22:23:40 sudo[17832] -> timestamp_update @ ./timestamp.c:885
Mar 16 22:23:40 sudo[17832] -> sudo_gettime_mono_v1 @ ./gettime.c:105
Mar 16 22:23:40 sudo[17832] <- sudo_gettime_mono_v1 @ ./gettime.c:121 := 0
Mar 16 22:23:40 sudo[17832] writing 56 byte record at 168 @ timestamp_update() ./timestamp.c:926
Mar 16 22:23:40 sudo[17832] -> ts_write @ ./timestamp.c:308
Mar 16 22:23:40 sudo[17832] <- ts_write @ ./timestamp.c:347 := 56
Mar 16 22:23:40 sudo[17832] <- timestamp_update @ ./timestamp.c:931 := 1
Mar 16 22:23:40 sudo[17832] -> timestamp_close @ ./timestamp.c:733
Mar 16 22:23:40 sudo[17832] <- timestamp_close @ ./timestamp.c:741
Mar 16 22:23:40 sudo[17832] -> sudo_pw_delref @ ./pwutil.c:179
Mar 16 22:23:40 sudo[17832] -> sudo_pw_delref_item @ ./pwutil.c:168
Mar 16 22:23:40 sudo[17832] <- sudo_pw_delref_item @ ./pwutil.c:173
Mar 16 22:23:40 sudo[17832] <- sudo_pw_delref @ ./pwutil.c:181
Mar 16 22:23:40 sudo[17832] <- check_user_interactive @ ./check.c:171 := 1
Mar 16 22:23:40 sudo[17832] -> sudo_auth_approval @ ./auth/sudo_auth.c:179
Mar 16 22:23:40 sudo[17832] -> sudo_pam_approval @ ./auth/pam.c:215
Mar 16 22:23:40 sudo[17832] -> log_warningx @ ./logging.c:628
Mar 16 22:23:40 sudo[17832] -> vlog_warning @ ./logging.c:502
Mar 16 22:23:40 sudo[17832] -> sudoers_setlocale @ ./locale.c:89
Mar 16 22:23:40 sudo[17832] sudoers_setlocale: setting locale to C (sudoers)
Mar 16 22:23:40 sudo[17832] <- sudoers_setlocale @ ./locale.c:130 := true
Mar 16 22:23:40 sudo[17832] account validation failure, is your account locked?
Mar 16 22:23:40 sudo[17832] -> new_logline @ ./logging.c:908
Mar 16 22:23:40 sudo[17832] <- new_logline @ ./logging.c:1034 := account validation failure, is your account locked? ; TTY=pts/0 ; PWD=/home/locadmin ; USER=root ; COMMAND=list
Mar 16 22:23:40 sudo[17832] -> set_perms @ ./set_perms.c:115
Mar 16 22:23:40 sudo[17832] set_perms: PERM_ROOT: uid: [1000, 0, 0] -> [0, 0, 0]
Mar 16 22:23:40 sudo[17832] set_perms: PERM_ROOT: gid: [1000, 1000, 1000] -> [1000, 0, 1000]
Mar 16 22:23:40 sudo[17832] -> sudo_gidlist_addref @ ./pwutil.c:723
Mar 16 22:23:40 sudo[17832] <- sudo_gidlist_addref @ ./pwutil.c:725
Mar 16 22:23:40 sudo[17832] <- set_perms @ ./set_perms.c:389 := true
Mar 16 22:23:40 sudo[17832] -> do_syslog @ ./logging.c:107
Mar 16 22:23:40 sudo[17832] -> sudoers_setlocale @ ./locale.c:89
Mar 16 22:23:40 sudo[17832] <- sudoers_setlocale @ ./locale.c:130 := false
Mar 16 22:23:40 sudo[17832] -> mysyslog @ ./logging.c:86
Mar 16 22:23:40 sudo[17832] <- mysyslog @ ./logging.c:93
Mar 16 22:23:40 sudo[17832] -> sudoers_setlocale @ ./locale.c:89
Mar 16 22:23:40 sudo[17832] <- sudoers_setlocale @ ./locale.c:130 := false
Mar 16 22:23:40 sudo[17832] <- do_syslog @ ./logging.c:152
Mar 16 22:23:40 sudo[17832] -> restore_perms @ ./set_perms.c:402
Mar 16 22:23:40 sudo[17832] restore_perms: uid: [0, 0, 0] -> [1000, 0, 0]
Mar 16 22:23:40 sudo[17832] restore_perms: gid: [1000, 0, 1000] -> [1000, 1000, 1000]
Mar 16 22:23:40 sudo[17832] -> sudo_gidlist_delref @ ./pwutil.c:743
Mar 16 22:23:40 sudo[17832] -> sudo_gidlist_delref_item @ ./pwutil.c:732
Mar 16 22:23:40 sudo[17832] <- sudo_gidlist_delref_item @ ./pwutil.c:737
Mar 16 22:23:40 sudo[17832] <- sudo_gidlist_delref @ ./pwutil.c:745
Mar 16 22:23:40 sudo[17832] <- restore_perms @ ./set_perms.c:448 := true
Mar 16 22:23:40 sudo[17832] -> sudoers_setlocale @ ./locale.c:89
Mar 16 22:23:40 sudo[17832] sudoers_setlocale: setting locale to LC_CTYPE=de_DE.UTF-8;LC_NUMERIC=de_DE.UTF-8;LC_TIME=de_DE.UTF-8;LC_COLLATE=C;LC_MONETARY=de_DE.UTF-8;LC_MESSAGES=de_DE.UTF-8;LC_PAPER=de_DE.UTF-8;LC_NAME=de_DE.UTF-8;LC_ADDRESS=de_DE.UTF-8;LC_TELEPHONE=de_DE.UTF-8;LC_MEASUREMENT=de_DE.UTF-8;LC_IDENTIFICATION=de_DE.UTF-8 (user)
Mar 16 22:23:40 sudo[17832] <- sudoers_setlocale @ ./locale.c:130 := true
Mar 16 22:23:40 sudo[17832] -> sudoers_warn_setlocale @ ./locale.c:136
Mar 16 22:23:40 sudo[17832] -> sudoers_setlocale @ ./locale.c:89
Mar 16 22:23:40 sudo[17832] <- sudoers_setlocale @ ./locale.c:130 := false
Mar 16 22:23:40 sudo[17832] <- sudoers_warn_setlocale @ ./locale.c:140 := false
Mar 16 22:23:40 sudo[17832] -> sudoers_warn_setlocale @ ./locale.c:136
Mar 16 22:23:40 sudo[17832] -> sudoers_setlocale @ ./locale.c:89
Mar 16 22:23:40 sudo[17832] <- sudoers_setlocale @ ./locale.c:130 := false
Mar 16 22:23:40 sudo[17832] <- sudoers_warn_setlocale @ ./locale.c:139 := false
Mar 16 22:23:40 sudo[17832] -> sudoers_setlocale @ ./locale.c:89
Mar 16 22:23:40 sudo[17832] <- sudoers_setlocale @ ./locale.c:130 := false
Mar 16 22:23:40 sudo[17832] <- vlog_warning @ ./logging.c:605 := true
Mar 16 22:23:40 sudo[17832] <- log_warningx @ ./logging.c:635 := true
Mar 16 22:23:40 sudo[17832] <- sudo_pam_approval @ ./auth/pam.c:277 := 3
Mar 16 22:23:40 sudo[17832] -> log_auth_failure @ ./logging.c:356
Mar 16 22:23:40 sudo[17832] -> audit_failure @ ./audit.c:68
Mar 16 22:23:40 sudo[17832] <- audit_failure @ ./audit.c:101 := 0
Mar 16 22:23:40 sudo[17832] <- log_auth_failure @ ./logging.c:387 := true
Mar 16 22:23:40 sudo[17832] <- sudo_auth_approval @ ./auth/sudo_auth.c:188 := -1
Mar 16 22:23:40 sudo[17832] -> sudo_auth_cleanup @ ./auth/sudo_auth.c:203
Mar 16 22:23:40 sudo[17832] -> sudo_pam_cleanup @ ./auth/pam.c:284
Mar 16 22:23:40 sudo[17832] <- sudo_pam_cleanup @ ./auth/pam.c:291 := 0
Mar 16 22:23:40 sudo[17832] <- sudo_auth_cleanup @ ./auth/sudo_auth.c:215 := 0
Mar 16 22:23:40 sudo[17832] -> sudo_pw_delref @ ./pwutil.c:179
Mar 16 22:23:40 sudo[17832] -> sudo_pw_delref_item @ ./pwutil.c:168
Mar 16 22:23:40 sudo[17832] <- sudo_pw_delref_item @ ./pwutil.c:173
Mar 16 22:23:40 sudo[17832] <- sudo_pw_delref @ ./pwutil.c:181
Mar 16 22:23:40 sudo[17832] <- check_user @ ./check.c:233 := -1
Mar 16 22:23:40 sudo[17832] -> rewind_perms @ ./set_perms.c:85
Mar 16 22:23:40 sudo[17832] -> restore_perms @ ./set_perms.c:402
Mar 16 22:23:40 sudo[17832] restore_perms: uid: [1000, 0, 0] -> [1000, 0, 0]
Mar 16 22:23:40 sudo[17832] restore_perms: gid: [1000, 1000, 1000] -> [1000, 1000, 1000]
Mar 16 22:23:40 sudo[17832] -> sudo_gidlist_delref @ ./pwutil.c:743
Mar 16 22:23:40 sudo[17832] -> sudo_gidlist_delref_item @ ./pwutil.c:732
Mar 16 22:23:40 sudo[17832] <- sudo_gidlist_delref_item @ ./pwutil.c:737
Mar 16 22:23:40 sudo[17832] <- sudo_gidlist_delref @ ./pwutil.c:745
Mar 16 22:23:40 sudo[17832] <- restore_perms @ ./set_perms.c:448 := true
Mar 16 22:23:40 sudo[17832] -> sudo_gidlist_delref @ ./pwutil.c:743
Mar 16 22:23:40 sudo[17832] -> sudo_gidlist_delref_item @ ./pwutil.c:732
Mar 16 22:23:40 sudo[17832] <- sudo_gidlist_delref_item @ ./pwutil.c:737
Mar 16 22:23:40 sudo[17832] <- sudo_gidlist_delref @ ./pwutil.c:745
Mar 16 22:23:40 sudo[17832] <- rewind_perms @ ./set_perms.c:95 := true
Mar 16 22:23:40 sudo[17832] -> restore_nproc @ ./sudoers.c:144
Mar 16 22:23:40 sudo[17832] <- restore_nproc @ ./sudoers.c:149
Mar 16 22:23:40 sudo[17832] -> sudo_freepwcache @ ./pwutil.c:449
Mar 16 22:23:40 sudo[17832] -> rbdestroy @ ./redblack.c:368
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> sudo_pw_delref_item @ ./pwutil.c:168
Mar 16 22:23:40 sudo[17832] <- sudo_pw_delref_item @ ./pwutil.c:173
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> sudo_pw_delref_item @ ./pwutil.c:168
Mar 16 22:23:40 sudo[17832] <- sudo_pw_delref_item @ ./pwutil.c:173
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] <- rbdestroy @ ./redblack.c:371
Mar 16 22:23:40 sudo[17832] <- sudo_freepwcache @ ./pwutil.c:460
Mar 16 22:23:40 sudo[17832] -> sudo_freegrcache @ ./pwutil.c:779
Mar 16 22:23:40 sudo[17832] -> rbdestroy @ ./redblack.c:368
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> sudo_gr_delref_item @ ./pwutil.c:491
Mar 16 22:23:40 sudo[17832] <- sudo_gr_delref_item @ ./pwutil.c:496
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> sudo_gr_delref_item @ ./pwutil.c:491
Mar 16 22:23:40 sudo[17832] <- sudo_gr_delref_item @ ./pwutil.c:496
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] <- rbdestroy @ ./redblack.c:371
Mar 16 22:23:40 sudo[17832] -> rbdestroy @ ./redblack.c:368
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> sudo_grlist_delref_item @ ./pwutil.c:760
Mar 16 22:23:40 sudo[17832] <- sudo_grlist_delref_item @ ./pwutil.c:765
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] <- rbdestroy @ ./redblack.c:371
Mar 16 22:23:40 sudo[17832] -> rbdestroy @ ./redblack.c:368
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> rbdestroy_int @ ./redblack.c:350
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] -> sudo_gidlist_delref_item @ ./pwutil.c:732
Mar 16 22:23:40 sudo[17832] <- sudo_gidlist_delref_item @ ./pwutil.c:737
Mar 16 22:23:40 sudo[17832] <- rbdestroy_int @ ./redblack.c:358
Mar 16 22:23:40 sudo[17832] <- rbdestroy @ ./redblack.c:371
Mar 16 22:23:40 sudo[17832] <- sudo_freegrcache @ ./pwutil.c:798
Mar 16 22:23:40 sudo[17832] <- sudoers_policy_main @ ./sudoers.c:639 := -1
Mar 16 22:23:40 sudo[17832] <- sudoers_policy_list @ ./policy.c:925 := -1
Mar 16 22:23:40 sudo[17832] <- policy_list @ ./sudo.c:1183 := -1

Last edited by c.monty (2019-03-16 21:25:42)

Offline

#9 2019-03-16 21:28:28

loqs
Member
Registered: 2014-03-06
Posts: 18,467

Re: Error: sudo: account validation failure, is your account locked

If you change /etc/pam.d/sudo back to the default is the error the same:

#%PAM-1.0
auth            include         system-auth
account         include         system-auth
session         include         system-auth

Offline

#10 2019-03-16 21:42:46

c.monty
Member
Registered: 2017-10-27
Posts: 18

Re: Error: sudo: account validation failure, is your account locked

loqs wrote:

If you change /etc/pam.d/sudo back to the default is the error the same:

#%PAM-1.0
auth            include         system-auth
account         include         system-auth
session         include         system-auth

Everything is working with this /etc/pam.d/sudo.

Offline

#11 2019-03-16 22:03:08

seth
Member
Registered: 2012-09-03
Posts: 65,480

Re: Error: sudo: account validation failure, is your account locked

Are you sure the former setup worked? How long did you not update the system?
The sudo.pam suggested in the wiki is broken since 2014… (feel free to update the wiki)

Online

#12 2019-03-16 22:24:40

c.monty
Member
Registered: 2017-10-27
Posts: 18

Re: Error: sudo: account validation failure, is your account locked

seth wrote:

Are you sure the former setup worked? How long did you not update the system?
The sudo.pam suggested in the wiki is broken since 2014… (feel free to update the wiki)

Sure, it worked before upgrade.
Last upgrade was in 12/2018.

Offline

#13 2019-03-16 22:43:25

loqs
Member
Registered: 2014-03-06
Posts: 18,467

Re: Error: sudo: account validation failure, is your account locked

Was pambase 20190105.1-1 in the upgrade?  That would have changed the missing account and session entries from permit to deny.

Offline

#14 2019-03-17 08:21:05

c.monty
Member
Registered: 2017-10-27
Posts: 18

Re: Error: sudo: account validation failure, is your account locked

loqs wrote:

Was pambase 20190105.1-1 in the upgrade?  That would have changed the missing account and session entries from permit to deny.

Indeed this package was installed during upgrade:

[root@pc7-cubi3 ~]# pacman -Qs pambase
local/pambase 20190105.1-1
    Base PAM configuration for services

Can you please share some additional information on what has changed with this release?
And how can I fix the issue?

Offline

#15 2019-03-17 08:29:15

seth
Member
Registered: 2012-09-03
Posts: 65,480

Re: Error: sudo: account validation failure, is your account locked

https://git.archlinux.org/svntogit/pack … e291dd2070

You have "fixed" (unbroken) it.
sudo.pam is including the relevant configs and you added sssd support there.

Your sudo.pam was simply broken and is no more with its default entries, the stricter defaults exposed that.

Online
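
An added example (not written by any poster in this thread, and not Arch's or sudo's own code): a small Python check that reports which PAM management groups a service file leaves without rules, so that they fall through to the `other` service. The two sudo files are the ones posted above; the `system-auth` and `other` contents are constructed stand-ins, with `other` set to deny as loqs describes for pambase 20190105.1-1, and all function names are hypothetical.

```python
import os
import re
import tempfile

# type, control (plain word or [bracketed list]), module or include target
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")
TYPES = ("auth", "account", "session")

def rules_for(service, mtype, pam_dir, _stack=()):
    """Modules of one management group configured for a service, following includes."""
    path = os.path.join(pam_dir, service)
    if service in _stack or not os.path.isfile(path):
        return []
    modules = []
    with open(path) as fh:
        for raw in fh:
            m = RULE.match(raw.split("#", 1)[0].strip())
            if not m or m.group(1) != mtype:
                continue
            control, target = m.group(2), m.group(3)
            if control in ("include", "substack"):
                # an include pulls in only the rules of the same type
                modules += rules_for(target, mtype, pam_dir, _stack + (service,))
            else:
                modules.append(target)
    return modules

def audit(service, pam_dir):
    """Map each group to (file that supplies its rules, modules)."""
    result = {}
    for mtype in TYPES:
        source, modules = service, rules_for(service, mtype, pam_dir)
        if not modules:  # Linux-PAM falls back to the 'other' service
            source, modules = "other", rules_for("other", mtype, pam_dir)
        result[mtype] = (source, modules)
    return result

def denied_groups(service, pam_dir):
    """Groups that fall through to 'other' and hit pam_deny.so there."""
    return [t for t, (src, mods) in audit(service, pam_dir).items()
            if src == "other" and "pam_deny.so" in mods]

# /etc/pam.d/sudo as posted in #8 (auth only) and the default from #9
BROKEN_SUDO = """#%PAM-1.0
auth            sufficient      pam_sss.so
auth            required        pam_unix.so try_first_pass
auth            required        pam_nologin.so
"""
DEFAULT_SUDO = """#%PAM-1.0
auth            include         system-auth
account         include         system-auth
session         include         system-auth
"""
# Constructed stand-ins, not the real pambase files
SYSTEM_AUTH = "auth required pam_unix.so\naccount required pam_unix.so\nsession required pam_unix.so\n"
OTHER_DENY = "auth required pam_deny.so\naccount required pam_deny.so\nsession required pam_deny.so\n"

def check(sudo_text):
    """Write the sample tree to a temporary directory and audit 'sudo'."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in (("sudo", sudo_text), ("system-auth", SYSTEM_AUTH), ("other", OTHER_DENY)):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return denied_groups("sudo", d)

if __name__ == "__main__":
    print("file from #8:", check(BROKEN_SUDO))
    print("default file:", check(DEFAULT_SUDO))
```

Pointed at a live system, `denied_groups("sudo", "/etc/pam.d")` runs the same check against the installed files; it follows only `include` and `substack` controls.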

#16 2019-03-17 08:41:42

c.monty
Member
Registered: 2017-10-27
Posts: 18

Re: Error: sudo: account validation failure, is your account locked

seth wrote:

https://git.archlinux.org/svntogit/pack … e291dd2070

You have "fixed" (unbroken) it.
sudo.pam is including the relevant configs and you added sssd support there.

Your sudo.pam was simply broken and is no more with its default entries, the stricter defaults exposed that.

I'm sorry, but I don't fully understand.
Do I need to adjust the configuration in

/etc/pam.d/sudo

only and Online and Offline Authentication with SSSD will still work?
If yes, what configuration is required then?

Offline

#17 2019-03-17 10:36:16

seth
Member
Registered: 2012-09-03
Posts: 65,480

Re: Error: sudo: account validation failure, is your account locked

Just leave /etc/pam.d/sudo alone at its default. That's it.
The "auth sufficient pam_sss.so forward_pass" is then provided through the proper includes.

Online

#18 2019-03-17 15:12:44

c.monty
Member
Registered: 2017-10-27
Posts: 18

Re: Error: sudo: account validation failure, is your account locked

seth wrote:

Just leave /etc/pam.d/sudo alone at its default. That's it.
The "auth sufficient pam_sss.so forward_pass" is then provided through the proper includes.

Is this the default of /etc/pam.d/sudo?

#%PAM-1.0
auth            include         system-auth
account         include         system-auth
session         include         system-auth

Offline

#19 2019-03-17 15:14:39

seth
Member
Registered: 2012-09-03
Posts: 65,480

Online

#20 2019-07-05 17:53:44

jayray
Member
Registered: 2006-10-15
Posts: 38

Re: Error: sudo: account validation failure, is your account locked

Sorry to necro, but ran into this today. That is the fix, grab the latest sudo for pam.d. I have an old install pre-2008 and the sudo file was:

-rw-r--r--   1 root root    67 Dec 19  2008 sudo

#%PAM-1.0
auth            required        pam_unix.so
auth            required        pam_nologin.so

Replace with current from above and fixed. This should be solved.

Last edited by jayray (2019-07-05 17:54:10)

Offline

#21 2019-07-05 17:56:49

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,380
Website

Re: Error: sudo: account validation failure, is your account locked

jayray wrote:

grab the latest sudo for pam.d. I have an old install pre-2008...

You shouldn't need to manually "grab" anything, nor should it matter how old your installation is.  That file is owned by the sudo package and tracked by pacman.  If you have a recent version of sudo installed, you'd have a recent version of that file installed.


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline
