Troubleshooting Unix Password Rotation and Credential Script
Article ID: 144241
Updated On:
Products
CA Privileged Access Manager (PAM)
CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager - Server Control (PAMSC)
Issue/Introduction
An AIX Target server does not work with Default AIX Credentials Script due to customization at the OS level.
So the "Script Processor" has been updated to a known expression that worked in the past but still does not work.
Environment
Release : 3.x
Component : PRIVILEGED ACCESS MANAGEMENT
Cause
There can be many reasons such as
1. The account used for changing the password has invalid password(unverified)
2. The account used for changing the password has insufficient privilege(sudo) to clear target account status(such as disabled).
3. The account used for changing the password do not have access to /usr/bin/passwd
1. The account used for changing the password has invalid password(unverified)
2. The account used for changing the password has insufficient privilege(sudo) to clear target account status(such as disabled).
3. The account used for changing the password do not have access to /usr/bin/passwd
Resolution
Check the tomcat catalina.out to better understand why the password rotation fails.
Following sample shows when the /usr/bin/passwd was not accessible due to misconfiguration of the account.
INFO: start executing the default UNIX credentials update script
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'passwd targetuser1
'
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd targetuser1
adminuser1@unix:~> passwd targetuser1
bash: passwd: command not found
[email protected]:~> ' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'
This is an uncommon use case but it is important to check the catalina.out log to understand why the password change failed.
As you can see the "passwd" command returned "command not found".
And when PAM tried to find a pattern using the defined (original or custom) expression, there was no matching pattern for obvious reason.
System administrator should ensure the "adminuser1" will have access to /usr/bin/passwd to change other account password.
Following sample shows when the /usr/bin/passwd was not accessible due to misconfiguration of the account.
INFO: start executing the default UNIX credentials update script
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: sent data 'passwd targetuser1
'
Jan 01, 2020 01:00:00 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'passwd targetuser1
adminuser1@unix:~> passwd targetuser1
bash: passwd: command not found
[email protected]:~> ' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'
This is an uncommon use case but it is important to check the catalina.out log to understand why the password change failed.
As you can see the "passwd" command returned "command not found".
And when PAM tried to find a pattern using the defined (original or custom) expression, there was no matching pattern for obvious reason.
System administrator should ensure the "adminuser1" will have access to /usr/bin/passwd to change other account password.
Feedback
Yes
No
Powered by
