Troubleshooting Unix Password Rotation and Credential Script

Article ID: 144241


Products

CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

An AIX target server does not work with the default AIX credentials script because of customization at the OS level.
The "Script Processor" was therefore updated to a known expression that worked in the past, but password rotation still fails.

Environment

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

There can be several reasons, such as:
1. The account used to change the password has an invalid (unverified) password.
2. The account used to change the password has insufficient privilege (sudo) to clear the target account's status (for example, disabled).
3. The account used to change the password does not have access to /usr/bin/passwd.

Resolution

Check the Tomcat catalina.out log to understand why the password rotation fails.

The following sample shows a case in which /usr/bin/passwd was not accessible because of a misconfiguration of the account:

INFO: start executing the default UNIX credentials update script
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'passwd<targetuser>
'
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd <targetuser>
<user> @unix:~> passwd <targetuser>
bash: passwd: command not found
<user> @unix:~> ' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'

This is an uncommon case, but it shows why the catalina.out log is the place to find out why a password change failed.
As you can see, the "passwd" command returned "command not found".
So when PAM tried to match the received output against the defined (original or custom) expression, nothing matched, for the obvious reason that the password prompt was never displayed.
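As an added triage aid (not part of this article or of the PAM product), the script below reads a catalina.out fragment, re-applies the logged expect pattern to the received data, and maps the shell's response to the causes listed above. The log text and user names are constructed placeholders mirroring the excerpt; the cause signatures are assumptions about typical shell and sudo messages.

```python
import re

# The "does NOT MATCH" line PAM logs when the expected prompt never appears.
FAILED_EXPECT = re.compile(
    r"received data '(?P<received>.*?)' does NOT MATCH any of the pattern\(s\): '\[(?P<pattern>.*?)\]'",
    re.S,
)

# Shell responses seen in received data, mapped to the misconfiguration they usually indicate
# (the article's cause list). Signatures are assumed typical messages; first hit wins.
KNOWN_CAUSES = [
    (r"command not found", "rotation account cannot reach /usr/bin/passwd (PATH or file permissions)"),
    (r"permission denied|not in the sudoers|not allowed to execute", "rotation account lacks sudo privilege on the target"),
    (r"authentication failure|incorrect password|login incorrect", "rotation account's own password is invalid or unverified"),
]

def diagnose(catalina_text):
    """Return one (received_output, explanation) tuple per failed expect found in the log text."""
    findings = []
    for m in FAILED_EXPECT.finditer(catalina_text):
        received, pattern = m.group("received"), m.group("pattern")
        try:
            prompt_seen = re.search(pattern, received)
        except re.error:
            prompt_seen = None  # malformed custom expression: treat as not matching
        if prompt_seen:
            # The prompt is present after all, so the script processor expression is not the problem.
            explanation = "expected prompt is present; check script flow/timing instead"
        else:
            explanation = "unrecognised response; inspect received data manually"
            for signature, cause in KNOWN_CAUSES:
                if re.search(signature, received, re.I):
                    explanation = cause
                    break
        findings.append((received.strip(), explanation))
    return findings

# Constructed catalina.out fragment mirroring the article's excerpt (user names are placeholders).
SAMPLE_LOG = r"""
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'passwd targetuser
'
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd targetuser
pamadmin@unix:~> passwd targetuser
bash: passwd: command not found
pamadmin@unix:~> ' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'
"""

if __name__ == "__main__":
    for received, explanation in diagnose(SAMPLE_LOG):
        print(f"{explanation}\n--- received ---\n{received}\n")
```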

The system administrator should ensure that "<user>" has access to /usr/bin/passwd so that it can change other accounts' passwords.