[sudo-users] sudo 1.8.7 on RHEL6: unable to establish credentials: User not known to the underlying authentication module

Todd C. Miller Todd.Miller at courtesan.com
Thu Jul 11 15:00:14 MDT 2013


It looks like pam_unix is what is failing.  I suspect the problem
is that pam_unix is marked as "required" for session which will
cause the overall return value of pam_setcred() to be a failure,
even though it may have been successful for pam_sss.  So for a
non-local user you would get the failure message.

I'm not a PAM expert but perhaps instead of "required" for pam_unix
you could try:

[success=ok new_authtok_reqd=ok ignore=ignore cred_unavail=ignore default=bad]

You may need to use cred_err instead of cred_unavail.

However, I think it is best for sudo to just avoid printing the
warning message since there's no way for it to tell which PAM module
in the stack had the problem and whether or not another module was
ultimately successful.

 - todd

