Applies to any PAM release and environment managing Active Directory target accounts.

This error is observed if the account is not allowed to log on to the Active Directory domain controllers. In order for PAM to manage the password of accounts in Active Directory, it needs to be able to verify the stored password. This is done by attempting a logon to Active Directory with the account (distinguished or principal) name and password, even when another account is configured to update this account's password. To resolve the problem, update the privileges of the account to allow it to logon to the domain controllers from the PAM server(s).

The tomcat log will show 49/531 errors returned by Active Directory, such as

LDAP: error code 49 - 80090308: LdapErr: DSID-0C090449, comment: AcceptSecurityContext error, data 531, v3839

Error 49/531 is RESTRICTED_TO_SPECIFIC_MACHINES, see e.g. page LDAP error codes.