UserAccount is a member of the group assigned to the PMUX profile, but when UserAccount submits a request from AIX1 to run the command sudo, the request is rejected.
1. Check the number of groups UserAccount belongs to on the AIX host.
groups UserAccount | wc -w
2. Verify that the number of groups read during the execution of the pmrun su - command is the same as the result of step 1. In addition, check that the group assigned in the profile is listed under traceInfoRecord: val[X] in the trace file.
Example: traceInfoRecord: val:AIX_TEST_GROUP
To verify, enable debugging on the UPM Server and the AIX host.
On the UNIX client
pmlocald -z on
pmrun -z on
On the PM server
pmmasterd -z on
Reproduce the issue (unable to su), then gather the .trc files under /tmp on the UNIX client and the PM server.
Run the same commands (pmlocald, pmrun and pmmasterd) with "-z off" to disable tracing on the server and client.
3. If the trace file shows only 128 groups but the result of wc -w is more than 128, you may need to increase the limit on the AIX host. Please discuss with your AIX administrator before making these changes.
To increase/verify the limit:
1. lsattr -El sys0 -a ngroups_allowed
2. The system needs to be restarted for the change to take effect.
3. Verify the change.
4. Check if the UserAccount can now execute the command.
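
The comparison in steps 2 and 3 of the diagnosis can be scripted. The shell functions below are an added example, not part of the original article or the vendor's tooling; they assume each group read is logged on its own line as traceInfoRecord: val:<group>, as in the example line above, and the sample trace is constructed.

```shell
#!/bin/sh
# Added example (not vendor code). Assumption: every group read during the
# request is logged on its own line as "traceInfoRecord: val:<group>",
# matching the example line in this article. Real traces may differ.

# Write a constructed sample trace (3 groups) to the file named in $1.
make_sample_trace() {
    cat > "$1" <<'EOF'
traceInfoRecord: val:staff
traceInfoRecord: val:system
traceInfoRecord: val:dba
EOF
}

# Print every distinct group name recorded in trace file $1, one per line.
trace_groups() {
    sed -n 's/.*traceInfoRecord: val:\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Print the number of distinct groups recorded in trace file $1.
count_trace_groups() {
    trace_groups "$1" | wc -l | tr -d ' '
}

# check_truncation TRACE_FILE PROFILE_GROUP HOST_COUNT
# HOST_COUNT is the result of step 1 (groups UserAccount | wc -w).
# Prints: ok        - the profile group was read
#         truncated - profile group absent and the trace holds fewer groups
#                     than the host reports (group list was cut off)
#         missing   - all groups were read, profile group is not among them
# Typical call (trace file name is a placeholder):
#   check_truncation /tmp/<trace>.trc AIX_TEST_GROUP "$(groups UserAccount | wc -w)"
check_truncation() {
    traced=$(count_trace_groups "$1")
    if trace_groups "$1" | grep -Fqx -- "$2"; then
        echo ok
    elif [ "$traced" -lt "$3" ]; then
        echo truncated
    else
        echo missing
    fi
}
```

A result of truncated corresponds to the case in step 3, where the ngroups_allowed limit should be reviewed; missing points to group membership or profile configuration instead.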