Verification of my solaris account ends with "PAM-CM-1349: A problem occurred while executing the script processor. Please try your request again or contact your Administrator."

Article ID: 114286

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

We have a CA PAM 3.1.2 appliance on which we defined a Solaris 2.10 endpoint. We then created the corresponding UNIX application and defined a Script Processor of type Solaris.

Next, a target account was created to use this application. The account was defined as a privileged account which can change its own password.

The account can log in normally to the Solaris box and it can change its own password there. However, when we try to save the account in PAM, the operation never completes and a message is displayed

<Please see attached file for image>

PAM-CM-1349 error

and of course the account is not verified.

Environment

CA PAM 3.1.X and 3.2.X and above

Cause

This error is rather generic and in most cases it needs to be troubleshot by setting the Tomcat log level to debug and determining what happens to the flow of commands received and sent to the Solaris machine.

However, one particular situation is known to cause this problem. To verify a successful login to a UNIX box, PAM uses an echo command that returns the last return code obtained upon login to the system. This is usually

echo $?

and it should return just 0. If it does not, PAM treats the login sequence as failed.

This command is represented by the following entry in the Script Processor window under the UNIX application definition we use to log in to this server:

<Please see attached file for image>

Default script

Unfortunately, if the login shell of the user using this application is /bin/csh, this command is not understood, and the verification fails.


Resolution

It is necessary to use the equivalent command for the csh shell in order to retrieve the correct return code upon logon. For /bin/csh, set the Exit Status of Last Command to $status, that is

<Please see attached file for image>

Corrected status

This will only work for versions 3.1.X and later, since in previous versions there is no "Exit Status of Last Command" field to define.
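
To find out ahead of time which target accounts on an endpoint need $status instead of $?, the login shell in each passwd entry can be mapped to the matching expression. The script below is an added example, not part of the original article or of CA PAM; the account names are constructed sample data, treating tcsh like csh goes beyond the /bin/csh case described above, and the fallback to /usr/bin/sh for an empty shell field is an assumption about the endpoint's default shell.

```shell
#!/bin/sh
# Added example: map each account's login shell to the expression that
# holds the exit status of the last command in that shell.

# exit_status_expr SHELL_PATH -> prints '$status' or '$?'
exit_status_expr() {
    case "${1##*/}" in                        # compare on the shell's basename
        csh|tcsh) printf '%s\n' '$status' ;;  # C-shell family (tcsh: beyond the article)
        *)        printf '%s\n' '$?' ;;       # sh, ksh, bash and other Bourne-style shells
    esac
}

# audit_passwd: reads passwd-format lines on stdin and prints
# "user shell expression" for each account.
audit_passwd() {
    while IFS=: read -r user _pw _uid _gid _gecos _home shell; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        # Assumption: an empty shell field means the system default /usr/bin/sh.
        [ -n "$shell" ] || shell=/usr/bin/sh
        printf '%s %s %s\n' "$user" "$shell" "$(exit_status_expr "$shell")"
    done
}

# Constructed sample entries (hypothetical accounts, not from the article).
sample_passwd() {
    cat <<'EOF'
pamsvc1:x:2001:10:constructed sample:/export/home/pamsvc1:/bin/csh
pamsvc2:x:2002:10:constructed sample:/export/home/pamsvc2:/usr/bin/ksh
pamsvc3:x:2003:10:constructed sample:/export/home/pamsvc3:
pamsvc4:x:2004:10:constructed sample:/export/home/pamsvc4:/usr/bin/tcsh
EOF
}

sample_passwd | audit_passwd
```

On a real endpoint, feed it the relevant entries instead of the sample, for example `grep '^targetuser:' /etc/passwd | audit_passwd`.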

Additional Information

https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/reference/credential-manager-target-connector-settings/unix-target-connector

Attachments

1558695784049000114286_sktwi1f5rjvs16i9w.jpeg
1558695782287000114286_sktwi1f5rjvs16i9v.jpeg
1558695780332000114286_sktwi1f5rjvs16i9u.jpeg