Azure AD Linux Login Extension – sudo fails with PAM account management error: System error
As you all know, I’ve been playing around with the Azure Active Directory login extensions for both Linux and Windows. I came across a problem where the first sudo worked (after re-authenticating) and the second, with the same command, failed with
sudo: PAM account management error: System error
Debugging this was tricky. Together with a support engineer I was able to turn on enough logging to get to the bottom of the problem.
First, edit /etc/pam.d/system-auth-aad and add the debug keyword to every line that references pam_aad.so. Adding "debug" switches the module to verbose logging (remember to remove it again once you are done, as the log then carries subscription and resource identifiers).
For example:
```
auth required pam_env.so
auth sufficient pam_fprintd.so
auth [success=done ignore=ignore default=die] pam_aad.so debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account [success=done ignore=ignore default=die] pam_aad.so debug
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
```
Once that is done, run tail -f /var/log/secure in one terminal and, in a second terminal, run the sudo that you know will fail (the second one after re-authenticating).
You should see some output like
```
Aug 4 17:36:34 machine_hostname sudo: pam_aad(sudo:account): pam_sm_acct_mgmt was called for user user@contoso.com with flags 32768
Aug 4 17:36:34 machine_hostname sudo: pam_aad(sudo:account): AadAuthorize, Version: 1.0.013000003; CorrelationId: <hidden>
Aug 4 17:36:34 machine_hostname sudo: pam_aad(sudo:account): Getting the VM metadata
Aug 4 17:36:34 machine_hostname sudo: pam_aad(sudo:account): Calling http://169.254.169.254/metadata/instance/compute?api-version=2019-03-11
Aug 4 17:36:34 machine_hostname sudo: pam_aad(sudo:account): HttpResponse 200: <hidden>
Aug 4 17:36:34 machine_hostname sudo: pam_aad(sudo:account): ResourceId:/subscriptions/<subscription_id>/resourceGroups/<resourcegroup_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>#012Type:Linux
Aug 4 17:36:34 machine_hostname sudo: pam_aad(sudo:account): Calling AadLogin endpoint
Aug 4 17:36:34 machine_hostname sudo: pam_aad(sudo:account): Calling http://169.254.169.254/metadata/identity/oauth2/token?resource=https://pas.windows.net/CheckMyAccess/Linux&api-version=2019-03-11
Aug 4 17:36:35 machine_hostname sudo: pam_aad(sudo:account): HttpResponse 400: {"error":"invalid_request","error_description":"Identity not found"}
Aug 4 17:36:35 machine_hostname sudo: pam_aad(sudo:account): Running in silent mode. The following message was not sent to the user: Managed System Identity is not enabled for this VM. Turn it on and try again.
Aug 4 17:36:35 machine_hostname sudo: pam_aad(sudo:account): pam_sm_acct_mgmt returned 4
Aug 4 17:36:35 machine_hostname sudo: user@contoso.com : PAM account management error: System error ; TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/ls -l /var/lib/waagent
Aug 4 17:37:01 machine_hostname crond[73242]: pam_aad(crond:account): pam_sm_acct_mgmt was called for user root with flags 32768
Aug 4 17:37:01 machine_hostname crond[73242]: pam_aad(crond:account): pam_sm_acct_mgmt returned 25
```
As the log shows, the failure happens in the account phase: pam_aad asks the Azure Instance Metadata Service (IMDS) for a token for the resource https://pas.windows.net/CheckMyAccess/Linux, and IMDS answers 400 "Identity not found" because the VM has no managed identity. The module then returns 4 (PAM_SYSTEM_ERR), which sudo reports as "PAM account management error: System error". The explanatory message ("Managed System Identity is not enabled for this VM. Turn it on and try again.") only reaches the log, not the user, because the module is running in silent mode. The crond entry for root returns 25 (PAM_IGNORE), so local accounts are not affected. In short, Managed Identity needs to be enabled on the virtual machine for the extension to work properly. Unfortunately, this is not documented in the official documentation. I've opened a GitHub issue for them to update it.
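The three steps above (switch pam_aad.so to debug, capture the log, read the IMDS response and the module's return code) as one script. This is an added example, not code from the original post or from the Azure extension; the function names are this example's own, the PAM file and log lines it works on are constructed in the post's format, and the IMDS helper only does something useful when run on an Azure VM, so the script does not call it.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or the AAD extension): helpers for
# the debug-and-triage procedure. Function names are this example's own; the
# sample PAM file and log lines below are constructed.
set -u

# Decode the Linux-PAM return codes pam_sm_acct_mgmt reports in the debug log
# (values from <security/_pam_types.h>; only the ones relevant here).
pam_code_name() {
  case "$1" in
    0)  echo PAM_SUCCESS ;;
    4)  echo PAM_SYSTEM_ERR ;;
    6)  echo PAM_PERM_DENIED ;;
    7)  echo PAM_AUTH_ERR ;;
    9)  echo PAM_AUTHINFO_UNAVAIL ;;
    10) echo PAM_USER_UNKNOWN ;;
    25) echo PAM_IGNORE ;;
    *)  echo "UNKNOWN($1)" ;;
  esac
}

# Step 1: append "debug" to every pam_aad.so line of a PAM config file.
# Idempotent and keeps a .bak copy. The default path is the file the post
# edits; test on a copy first, then run as root against the real file.
enable_pam_aad_debug() {
  local cfg="${1:-/etc/pam.d/system-auth-aad}"
  sed -i.bak -E '/pam_aad\.so/{/(^|[[:space:]])debug([[:space:]]|$)/!s/$/ debug/;}' "$cfg"
}

# Step 2: read the pam_aad(<service>:account) lines from a syslog file, report
# any IMDS call that got a non-2xx answer, and decode the module's return code.
pam_aad_triage() {
  local service="$1" logfile="$2" kind a b c
  awk -v service="$service" '
    BEGIN { url = "-" }
    index($0, "pam_aad(" service ":account)") == 0 { next }
    /: Calling http/ { url = $NF; next }
    match($0, /HttpResponse [0-9]+: /) {
      status = substr($0, RSTART + 13, RLENGTH - 15)
      if (status !~ /^2/) print "HTTP", status, url, substr($0, RSTART + RLENGTH)
      next
    }
    /pam_sm_acct_mgmt returned/ { print "RC", $NF }
  ' "$logfile" |
  while read -r kind a b c; do
    case "$kind" in
      HTTP) printf '%s: IMDS call %s failed with HTTP %s: %s\n' "$service" "$b" "$a" "$c" ;;
      RC)   printf '%s: pam_sm_acct_mgmt returned %s (%s)\n' "$service" "$a" "$(pam_code_name "$a")" ;;
    esac
  done
}

# Step 3 (Azure VM only, so not run here): request the same token pam_aad asks
# IMDS for. Returns 0 when a token comes back, 1 on an error such as
# "Identity not found", i.e. no managed identity on the VM.
imds_identity_check() {
  local resource='https://pas.windows.net/CheckMyAccess/Linux'
  local url="http://169.254.169.254/metadata/identity/oauth2/token?resource=${resource}&api-version=2019-03-11"
  local body
  body="$(curl -sS --max-time 5 -H 'Metadata: true' "$url")" || return 1
  case "$body" in
    *'"access_token"'*) return 0 ;;
    *) printf 'IMDS: %s\n' "$body" >&2; return 1 ;;
  esac
}

# Constructed inputs: a cut-down PAM file and log lines in the post's format.
SAMPLE_PAM="$(mktemp)"
cat >"$SAMPLE_PAM" <<'EOF'
auth [success=done ignore=ignore default=die] pam_aad.so
account [success=done ignore=ignore default=die] pam_aad.so
account required pam_unix.so
EOF
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
Aug 4 17:36:34 vm sudo: pam_aad(sudo:account): pam_sm_acct_mgmt was called for user user@contoso.com with flags 32768
Aug 4 17:36:34 vm sudo: pam_aad(sudo:account): Calling http://169.254.169.254/metadata/instance/compute?api-version=2019-03-11
Aug 4 17:36:34 vm sudo: pam_aad(sudo:account): HttpResponse 200: <hidden>
Aug 4 17:36:34 vm sudo: pam_aad(sudo:account): Calling http://169.254.169.254/metadata/identity/oauth2/token?resource=https://pas.windows.net/CheckMyAccess/Linux&api-version=2019-03-11
Aug 4 17:36:35 vm sudo: pam_aad(sudo:account): HttpResponse 400: {"error":"invalid_request","error_description":"Identity not found"}
Aug 4 17:36:35 vm sudo: pam_aad(sudo:account): pam_sm_acct_mgmt returned 4
Aug 4 17:36:35 vm sudo: user@contoso.com : PAM account management error: System error ; TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/ls
Aug 4 17:37:01 vm crond[73242]: pam_aad(crond:account): pam_sm_acct_mgmt returned 25
EOF

enable_pam_aad_debug "$SAMPLE_PAM"
pam_aad_triage sudo "$SAMPLE_LOG"
```

Run on a real VM, the triage call becomes `pam_aad_triage sudo /var/log/secure` and prints the failing IMDS URL with its error body followed by the decoded return code; `pam_aad_triage crond /var/log/secure` shows the PAM_IGNORE path for local users. The sed expression only touches lines that mention pam_aad.so and skips lines that already carry debug, so it is safe to run more than once; the .bak file it leaves behind is what you restore from when you turn the logging off again.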
UPDATE 2021-06-01: AADLoginForLinux is being deprecated on 2021-08-15. Please use the new, SSH-based extension, AADSSHLoginForLinux.