PAM permission denied

I am running LXD (Ubuntu 20) with FreeIPA as LDAP. I successfully added Ubuntu to FreeIPA and, as a FreeIPA user, log in to the client without any issue.
I used the following doc to give root permission to a user:
https://freeipa.readthedocs.io/en/latest/workshop/8-sudorule.html
When I try sudo apt update I get this error:
sudo: pam_open_session: Permission denied
sudo: policy plugin failed session initialization

Please help

You can probably increase the debug level of that particular PAM plugin (pam_open_session) and then look at auth.log to know what’s going on.

This is what I have in auth.log:

PAM pam_parse: expecting return value; […reqired]
pam_unix(cron:session): session opened for user root by (uid=0)

and Permission denied in syslog.

In /var/log/sssd_pam.log:
(Mon Jun 7 21:07:13 2021) [pam] [orderly_shutdown] (0x0010): SIGTERM: killing children

/var/log/sssd.log:
(Sun Jun 6 00:00:05 2021) [sssd] [service_signal_done] (0x0010): Unable to signal service [2]: No such file or directory
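
Linux-PAM writes "pam_parse: expecting return value" when it cannot parse the control field of a line in its configuration, and the message quotes the token it stopped on. The script below is an added example, not part of the thread: it scans pam.d-style files for control fields that are neither a known keyword nor a well-formed bracketed `name=action` list. The function names and the sample text are constructed for illustration, and the bracket check only validates the shape of each pair, not the return-value name.

```python
import re
import sys
from pathlib import Path

# Simple control keywords accepted by Linux-PAM (matched case-insensitively).
KEYWORDS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# Shape of one pair in the bracketed form, e.g. [success=1 default=ignore].
PAIR = re.compile(r"^\w+=(ignore|bad|die|ok|done|reset|\d+)$")

def bad_control(line):
    """Return the unrecognized control token on a pam.d line, or None."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line or line.startswith("@include"):   # Debian/Ubuntu include directive
        return None
    fields = line.split(None, 1)                  # [type, rest-of-line]
    if len(fields) < 2:
        return line                               # type with no control field
    rest = fields[1]
    if rest.startswith("["):
        end = rest.find("]")
        if end == -1:
            return rest                           # unterminated bracket
        for tok in rest[1:end].split():
            if not PAIR.match(tok):
                return tok
        return None
    control = rest.split()[0]
    return None if control.lower() in KEYWORDS else control

def lint(text):
    """Return (line_number, token) for every line with a bad control field."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        tok = bad_control(line)
        if tok is not None:
            hits.append((n, tok))
    return hits

# Constructed sample, not taken from the poster's system.
SAMPLE = """\
# constructed example
@include common-auth
session [success=ok default=bad] pam_selinux.so close
session reqired pam_limits.so
-session optional pam_systemd.so
"""

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(lint(SAMPLE))                       # no files given: lint the sample
    for path in sys.argv[1:]:
        for n, tok in lint(Path(path).read_text(errors="replace")):
            print(f"{path}:{n}: unrecognized control token {tok!r}")
```

Run it as `python3 lint_pam.py /etc/pam.d/*`; it only handles the pam.d layout, not the single-file /etc/pam.conf layout with a leading service column.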