When a user verifies the status of any of the 3 services below:
The error below is observed:
sudo: PAM account management error: Permission denied
sudo: a password is required
pam_access(sudo:account): access denied for user {{arcuser' from }}'
pam_sss(sudo:account): Access denied for user arcuser: (User not known to the underlying authentication)
arcuser : PAM account management error: Permission denied ; PWD=/ ; USER=root ; COMMAND=/bin/systemctl>
Aria Operations 8.x - Linux OS Telegraf agent VMs/Servers, where the PAM module is enabled by default or manually.
VCF Operations 9.x - Linux OS Telegraf agent VMs/Servers, where the PAM module is enabled by default or manually.
The error indicates that the pam_access.so module is blocking the user "arcuser" during a sudo attempt because it cannot find an entry in the system's access control files that permits 'arcuser' to perform that action from a local "origin."
Always make a copy of a configuration file before modifying the original.
To allow the arcuser user past the PAM restriction, add a rule to the /etc/security/access.conf file by following the steps below:
Open the file for editing:
sudo vi /etc/security/access.conf
Add the following entry at the top of the file:
+:arcuser:LOCAL
Note: Adding the above entry anywhere other than the top of the file may cause unexpected behavior that prevents all users from accessing the local system.
This was observed on RHEL 8, and the resolution above was required to resolve the unhealthy status. Other Linux OS distributions may also show the same symptoms and the error described in the introduction.
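The steps above as a script, added here as an example and not taken from the vendor's article: it backs up the file, makes the rule the first line, and reports which rule matches a user first. The function names, the backup file naming and the simplified matching logic are assumptions; the demo at the end runs on a constructed temporary file, not on /etc/security/access.conf.

```shell
#!/bin/sh
# Added example, not vendor code. The real target is /etc/security/access.conf
# (root required); try it on a copy first.
RULE='+:arcuser:LOCAL'

# First line that is neither blank nor a comment.
first_rule() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" | head -n 1
}

# Simplified first-match check (assumption: ignores groups, EXCEPT and
# network origins). Prints + or - from the first rule that names the user
# or ALL and lists LOCAL or ALL as origin; prints nothing if none matches.
local_verdict() {
    awk -F: -v u="$2" '
        function has(list, a, b,   n, i, t) {
            n = split(list, t, /[ \t]+/)
            for (i = 1; i <= n; i++) if (t[i] == a || t[i] == b) return 1
            return 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        has($2, u, "ALL") && has($3, "LOCAL", "ALL") { print $1; exit }
    ' "$1"
}

# Back up the file, then make RULE its first line. Idempotent.
add_rule_at_top() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    [ "$(first_rule "$conf")" = "$RULE" ] && return 0
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp) || return 1
    # RULE first, then the old content minus any copy of RULE further down.
    { printf '%s\n' "$RULE"; grep -vxF -- "$RULE" "$conf" || true; } > "$tmp"
    # Overwrite in place so owner, mode and SELinux label stay unchanged.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Constructed sample: a deny-all rule at the end blocks arcuser.
demo=$(mktemp)
printf '%s\n' '# constructed sample' '+:root:LOCAL' '-:ALL:ALL' > "$demo"
echo "before: $(local_verdict "$demo" arcuser)"
add_rule_at_top "$demo"
echo "after:  $(local_verdict "$demo" arcuser)"
rm -f "$demo" "$demo".bak.*
```

In the sample, appending the rule after `-:ALL:ALL` would leave the verdict for arcuser at `-`, because the deny rule is reached first.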