We have many Active Directory accounts managed by PAM. The accounts are configured to verify themselves, but have their password updated by a service account. We have seen problems with accounts that were locked out due to extended inactivity. It looks like PAM cannot verify and update locked out Active Directory accounts in our environment.
Can PAM rotate the passwords of users that are locked out in AD, and if yes, what is needed to get it to work?
The short answer is yes, PAM can unlock accounts that it finds locked while updating an account password, as long as the service account used to update the password has permission to unlock the managed accounts.
Here is a detailed description of how PAM updates Active Directory accounts that are managed by a service account:
1. At present, i.e. up to and including the 3.2 release, PAM always first tries to verify the new password. While this is right only when the password is entered manually or via an API call, it is done unconditionally, including the case where a scheduled job generates a new password according to the password composition policy tied to the target application and attempts to set this new password. Account verification is done by attempting to login to Active Directory using the account credentials. Since PAM 3.1.1 a failed attempt using the Distinguished Name (DN) will always be followed by another attempt to use the user principal name. This was added as part of enhancement https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/release-information/new-features-and-enhancements-in-3-1-x/new-features-and-enhancements-in-3-1-1#NewFeaturesandEnhancementsin3.1.1-TrackingAccountMovementAcrossActiveDirectoryOUs.
Therefore a password update process will always start with two failed logins by the managed user, unless the new password happens to be the correct current password.
2. PAM logs on using the service account credentials and checks LDAP attribute "lockoutTime" of the managed account. If this is set, and not equal to "0", the account is regarded locked, and PAM will attempt to set this attribute to 0. If this fails for whatever reason, the password will not be updated and the code moves on to step 3. This is why it is important to give the service account the privilege to unlock all accounts it manages in PAM. If the account is not locked at this point, i.e. "lockoutTime" either was found to be zero or successfully changed to zero, PAM will try to update the password.
3. PAM attempts to verify the new password again. If step 2 was successful, the first attempt using the DN should be successful. If step 2 failed, this again will cause two failed login attempts and the target account will be flagged as unverified.