When Managed Service Accounts are used on an AIX server and the password of a Target Account is changed from the PAM UI (via “Generate Credentials”), clicking “Generate Credentials” fails with a script processor error such as the one shown below:
“PAM-CM-1349: A problem occurred while executing the script processor. Please try your request again or contact your Administrator”
Release : 3.2
Component : PRIVILEGED ACCESS MANAGEMENT
################ Discussion with excerpts from Catalina logs #####################
The root cause of this error is not a defect in the script itself. The Catalina logs show that the account configured to Reset/Rotate the credentials of another account (say “linuxuser1” rotating “linuxuser2”) is configured incorrectly: on the target server, “linuxuser1” is not authorized to perform the Reset/Rotate for “linuxuser2”, so the script never sees the password prompt it is waiting for.
The following excerpt of the Catalina logs (INFO level) illustrates this:
INFO: received data 'passwd uzpaam21
You are not authorized to change "uzpaam21's" password.
[email protected]:/home/uzpaam11$' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'
Apr 16, 2020 6:21:31 PM com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl executeScript
INFO: stopping script processor
Apr 16, 2020 6:21:32 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Disconnecting from XXXXX561.xxxxxx.com port 22
Apr 16, 2020 6:21:32 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log
INFO: jsch: Caught an exception, leaving main loop due to Socket closed
Apr 16, 2020 6:21:32 PM com.cloakware.cspm.server.app.impl.lb c
SEVERE: UpdateTargetAccountCmd.invoke 15220: PAM-CM-1349: A problem occurred while executing the script processor. Please try your request again or contact your Administrator.
com.cloakware.cspm.server.app.ApplicationException: PAM-CM-1349: A problem occurred while executing the script processor. Please try your request again or contact your Administrator.
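The sequence in the log is: the script processor sends `passwd uzpaam21`, waits for a line matching the pattern `(?si)(.*?password(\sfor|\sagain|:).*?)` (a sudo “password for” prompt, a “password again” confirmation, or a “password:” prompt), receives the AIX “You are not authorized” message instead, stops the script, disconnects the SSH session and surfaces PAM-CM-1349. The shell script below is an added example, not part of this article or of the PAM product: it reproduces that prompt check with the POSIX ERE equivalent of the logged Java pattern and runs it against constructed session transcripts (the account names, host name and session text are made up for illustration).

```shell
#!/bin/sh
# Added example (not from the KB article): reproduces the prompt check the
# PAM script processor logged above. After sending 'passwd <user>' the
# processor waits for output matching the Java regex
# '(?si)(.*?password(\sfor|\sagain|:).*?)'; grep -iE below is the POSIX ERE
# equivalent. Account names, host name and transcripts are constructed.

EXPECTED_PROMPT='password([[:space:]]for|[[:space:]]again|:)'

# Exit 0 if the captured session output contains a password prompt the
# script processor would accept, 1 otherwise.
prompt_matches() {
  printf '%s\n' "$1" | grep -qiE "$EXPECTED_PROMPT"
}

# Translate the check into the outcome a PAM operator sees in the UI/log.
diagnose() {
  if prompt_matches "$1"; then
    echo "prompt found: script continues"
  else
    echo "no prompt: script processor stops (PAM-CM-1349)"
  fi
}

# Constructed transcript 1: the managing account is not authorized on the
# target (the situation in the log excerpt above). Note that neither
# 'passwd' nor 'password.' satisfies the pattern.
UNAUTHORIZED="passwd linuxuser2
You are not authorized to change \"linuxuser2's\" password.
linuxuser1@aixhost.example.com:/home/linuxuser1\$"

# Constructed transcript 2: sudo asks for the managing account's own
# password ('password for' branch of the pattern).
SUDO_PROMPT="sudo passwd linuxuser2
[sudo] password for linuxuser1:"

# Constructed transcript 3: AIX passwd prompts for the new password
# ('password:' branch of the pattern).
AIX_PROMPT="passwd linuxuser2
Changing password for \"linuxuser2\"
linuxuser2's New password:"

for transcript in "$UNAUTHORIZED" "$SUDO_PROMPT" "$AIX_PROMPT"; do
  diagnose "$transcript"
done
```

Running the block prints one diagnosis per transcript; only the unauthorized one ends in the PAM-CM-1349 outcome, which is why fixing the account's authorization on the target, not the script, resolves the error.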
So, suppose you have two UNIX accounts, linuxuser1 and linuxuser2, and “linuxuser1” rotates “linuxuser2”'s password. On Linux/AIX, “linuxuser1” needs special settings to actually perform this: it must have SUDO privileges. The reason is that PAM runs "passwd [username]", and changing another user's password is only permitted to “root” or to a user with elevated privileges, meaning a user that can run the command through SUDO. In addition, the “linuxuser1” account itself needs to be configured in PAM to rotate its own password.
Remediation
Configure the two accounts as follows:
Screenshot #1 - Ensure user linuxuser1 has the settings shown and is allowed to run SUDO commands.
Screenshot #2 - Ensure user linuxuser2 (whose password is to be reset by user linuxuser1) has the settings shown.
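The screenshots cover the PAM side; the target server side is the sudoers grant that lets linuxuser1 run passwd for the managed account. The following is an added example, not part of this article or of the PAM product: it generates a sudoers fragment that permits `passwd` only for explicitly named target accounts, and a small lint that rejects the over-broad grants people usually write instead (a bare `passwd`, a wildcard argument, or `passwd root`). The account names, the `/usr/bin/passwd` path, the Cmnd_Alias name and the choice not to use NOPASSWD are assumptions; adjust them to how your PAM script drives sudo.

```shell
#!/bin/sh
# Added example (not from the KB article): a sudoers fragment granting the
# managing account (linuxuser1) the right to run 'passwd <target>' as root
# for named target accounts only, plus a lint for over-broad passwd grants.
# Account names, the /usr/bin/passwd path and the alias name are assumptions.

# Print a sudoers fragment for MANAGER covering each TARGET named after it.
# Each target is listed explicitly on purpose: sudoers matches wildcards
# across the whole argument string, so 'passwd [A-Za-z]*' also matches
# 'passwd root' unless excluded, and a bare 'passwd' allows changing any
# password on the host. MANAGER must be alphanumeric (Cmnd_Alias naming).
pam_passwd_sudoers() {
  manager=$1; shift
  alias_name="PAM_PASSWD_$(printf '%s' "$manager" | tr 'a-z' 'A-Z')"
  cmnds=""
  for target in "$@"; do
    cmnds="${cmnds:+$cmnds, }/usr/bin/passwd $target"
  done
  printf 'Cmnd_Alias %s = %s\n' "$alias_name" "$cmnds"
  printf '%s ALL=(root) %s\n' "$manager" "$alias_name"
}

# Exit 0 (unsafe) if any passwd command spec in the fragment is bare, uses
# a wildcard character, or names root as the target (a fragment that has to
# exclude root with '!' is one that otherwise grants it); exit 1 otherwise.
passwd_grant_is_unsafe() {
  printf '%s\n' "$1" | grep -qE \
    '/usr/bin/passwd([[:space:]]*(,|$)|[[:space:]]+[^,]*[][*?]|[[:space:]]+root[[:space:]]*(,|$))'
}

FRAGMENT=$(pam_passwd_sudoers linuxuser1 linuxuser2)
printf '%s\n' "$FRAGMENT"
if passwd_grant_is_unsafe "$FRAGMENT"; then
  echo "REJECT: fragment lets linuxuser1 change passwords beyond its targets"
else
  echo "OK: linuxuser1 may run passwd only for the listed target accounts"
fi

# Syntax-check the fragment with visudo when it is installed, as you would
# on the target host before dropping it into /etc/sudoers.d.
if command -v visudo >/dev/null 2>&1; then
  tmp=$(mktemp) && printf '%s\n' "$FRAGMENT" > "$tmp" \
    && visudo -cf "$tmp" || echo "visudo rejected the fragment"
  rm -f "$tmp"
fi
```

After installing the fragment on the AIX/Linux target, confirm the effective grant with `sudo -l -U linuxuser1` as root and then retry “Generate Credentials” from the PAM UI.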