
Not able to use sudo command for user authenticated via ActiveDirectory #278

Closed
907th opened this issue Jun 2, 2020 · 4 comments

Comments

@907th

907th commented Jun 2, 2020

I run an EC2 instance with Amazon Linux (Amazon Linux 2 AMI 2.0.20200304.0 x86_64 HVM). My user authenticates via ActiveDirectory. After running the 'configure passwdqc and tally via central system-auth confic' task (yes, there is a typo in the last word) I can no longer use 'sudo'.

Ansible execution log:

TASK [dev-sec.os-hardening : configure passwdqc and tally via central system-auth confic] ***********************************************************
changed: [banking]

TASK [dev-sec.os-hardening : Gather package facts] **************************************************************************************************
fatal: [banking]: FAILED! => {"msg": "Incorrect sudo password"}

Try from terminal:

[achernenkov@internal.mydomain.com@banking ~]$ sudo less /etc/pam.d/system-auth-ac
[sudo] password for achernenkov@internal.mydomain.com:
Sorry, try again.

The original '/etc/pam.d/system-auth-ac' file which allows me to use sudo:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

@907th
Author

907th commented Jun 2, 2020

journalctl investigation revealed that the missing pam_sss can cause this issue:

after OS hardening:

Jun 02 11:21:30 banking sudo[21126]: pam_unix(sudo:auth): conversation failed
Jun 02 11:21:30 banking sudo[21126]: pam_unix(sudo:auth): auth could not identify password for [achernenkov@internal.mydomain.com]
Jun 02 11:21:30 banking sudo[21126]: achernenkov@internal.mydomain.com : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/home/achernenkov@internal...

before OS hardening:

Jun 02 12:02:40 banking sshd[21586]: pam_lastlog(sshd:session): username too long, output might be inaccurate
Jun 02 12:02:45 banking sudo[21686]: pam_sss(sudo:auth): authentication success; logname=achernenkov@internal.epayservice uid=154801144 euid=0 tty=/d
Jun 02 12:02:45 banking sudo[21686]: achernenkov@internal.mydomain.com : TTY=pts/0 ; PWD=/home/achernenkov@internal.mydomain.com ; USER=root
Jun 02 12:02:45 banking sudo[21686]: pam_unix(sudo:session): session opened for user root by achernenkov@internal.epayservice(uid=0)

@rndmh3ro
Member

rndmh3ro commented Jun 7, 2020

The system-auth-ac is currently templated by the role and has no pam_sss included.
The way we handle the file is currently not optimal. There's an open issue for this as well: #252

When changing this, we should have a way to manage custom entries. I don't know how though, yet.

rndmh3ro added a commit that referenced this issue Jul 24, 2020
feat: Allow to set custom list of HostKeyAlgorithms
@joubbi
Contributor

joubbi commented Jan 19, 2021

It would be nice to have this one and #252 fixed.
For this one I think that the solution is here:
https://access.redhat.com/solutions/880793

auth        required      pam_env.so
auth  [success=ignore default=2] pam_localuser.so  <----
auth        requisite     pam_faillock.so preauth audit deny=3 unlock_time=900 <----
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        sufficient    pam_sss.so   <----
auth [success=ignore default=1] pam_localuser.so    <----
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=900 <----
auth        required      pam_deny.so

account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so 
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
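
To make the difference between the two stacks in this thread checkable, here is an added Python example (not part of the issue, the role, or the Red Hat article): it parses system-auth style rules, including bracketed control fields and the optional '-' type prefix, and reports whether pam_sss.so is reached in the auth group before the final 'required pam_deny.so'. The hardened file's contents are not on the page, so the failing case is derived by dropping the pam_sss rule from the original stack quoted above, which matches what the maintainer describes.

```python
"""Added check: is pam_sss.so still reached by a PAM 'auth' stack before pam_deny.so?"""
import re

# type, control (bracketed action list or single keyword), module, args
_RULE_RE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse a pam.d file body into (type, control, module, args) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {line!r}")
        _opt, mtype, control, module, args = m.groups()  # '-' prefix: module may be absent
        rules.append((mtype, control, module, args.strip()))
    return rules

def sss_reachable(rules, group="auth"):
    """True if pam_sss.so is listed in `group` before a 'required pam_deny.so'."""
    for mtype, control, module, _args in rules:
        if mtype != group:
            continue
        if module == "pam_sss.so":
            return True
        if module == "pam_deny.so" and control == "required":
            return False
    return False

def without_sss(rules):
    """The same stack with every pam_sss.so rule dropped (what the templated file lacks)."""
    return [r for r in rules if r[2] != "pam_sss.so"]

# auth group of the original system-auth-ac quoted in this issue (sudo works with it)
ORIGINAL_AUTH = """\
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
"""
```

Running `sss_reachable(parse_pam(ORIGINAL_AUTH))` returns True, while the same stack passed through `without_sss` returns False: pam_unix alone cannot identify a domain user's password, which is exactly the journalctl line quoted earlier in the thread.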

@schurzi
Contributor

schurzi commented Mar 16, 2021

This should be fixed in #392.
If you are using sssd you will need to set os_auth_pam_sssd_enable accordingly.

@schurzi schurzi closed this as completed Mar 16, 2021
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
feat: Allow to set custom list of HostKeyAlgorithms