UNIX servers - On Password Rotation -PAM-CM-1349: A problem occurred while executing the script processor

Article ID: 192084


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When a Managed Service Account on an AIX server is used to change the password of a Target Account (via “Generate Credentials” in the PAM UI), clicking “Generate Credentials” produces a script processor error such as:

“PAM-CM-1349: A problem occurred while executing the script processor. Please try your request again or contact your Administrator”


Environment

Release : 3.2

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

Discussion with excerpts from Catalina logs

The root cause of this error is not a script error. The Catalina logs show that one user, say “linuxuser1”, is configured to reset/rotate the credentials of another user, say “linuxuser2”, but “linuxuser1” is configured incorrectly and is not authorized to perform the required reset/rotation for “linuxuser2”.

Using the excerpt of Catalina logs in INFO mode for discussion:

  • The error message that pops up in the UI is highlighted in turquoise.
  • The excerpt of the Catalina logs in INFO mode shows that the root cause is an authorization issue (in yellow).
  • The error in red indicates that, because of the authorization error 'You are not authorized to change "uzpaam21's" password', the regex pattern that PAM expects is not found, which leads to the “does NOT MATCH” message.

INFO: received data 'passwd uzpaam21

You are not authorized to change "uzpaam21's" password.

uzpaam11@xxxxxxx561:/home/uzpaam11$' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'

Apr 16, 2020 6:21:31 PM com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl executeScript

INFO: stopping script processor

Apr 16, 2020 6:21:32 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log

INFO: jsch: Disconnecting from XXXXX561.xxxxxx.com port 22

Apr 16, 2020 6:21:32 PM com.cloakware.cspm.server.plugin.SSHConnector$1 log

INFO: jsch: Caught an exception, leaving main loop due to Socket closed

Apr 16, 2020 6:21:32 PM com.cloakware.cspm.server.app.impl.lb c

SEVERE: UpdateTargetAccountCmd.invoke 15220: PAM-CM-1349: A problem occurred while executing the script processor.  Please try your request again or contact your Administrator.

com.cloakware.cspm.server.app.ApplicationException: PAM-CM-1349: A problem occurred while executing the script processor.  Please try your request again or contact your Administrator.
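The check described in the bullets above can be reproduced offline. The following is an added example, not part of the original article or of the product: it splits a “does NOT MATCH” entry into the received data and the expected pattern, confirms that the prompt was never seen, and surfaces the denial line as the real cause. The function names, the contrasting prompt text and the denial phrases other than “not authorized” are assumptions made for illustration.

```python
import re

# Constructed sample: the "does NOT MATCH" INFO entry from the excerpt above.
SAMPLE_LOG = r"""INFO: received data 'passwd uzpaam21

You are not authorized to change "uzpaam21's" password.

uzpaam11@xxxxxxx561:/home/uzpaam11$' does NOT MATCH any of the pattern(s): '[(?si)(.*?password(\sfor|\sagain|:).*?)]'
Apr 16, 2020 6:21:31 PM com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl executeScript
INFO: stopping script processor
"""

# Constructed sample of a passwd prompt, for contrast (not from the page).
GOOD_PROMPT = 'Changing password for "uzpaam21"\nuzpaam21\'s New password:'

# Splits a "does NOT MATCH" entry into received data and expected pattern.
NO_MATCH = re.compile(
    r"INFO: received data '(?P<data>.*?)' does NOT MATCH any of the "
    r"pattern\(s\): '\[(?P<pattern>.*?)\]'", re.S)

# "not authorized" is the denial on this page; the others are assumptions.
DENIAL_HINTS = ("not authorized", "permission denied", "not in the sudoers")


def prompt_seen(pattern, text):
    """True if the target's output contains the prompt PAM waits for.
    Assumption: the Java pattern is also valid Python regex syntax."""
    return re.search(pattern, text) is not None


def triage(log_text):
    """Return one finding per 'does NOT MATCH' entry in a Catalina log."""
    findings = []
    for m in NO_MATCH.finditer(log_text):
        data = m.group("data")
        denial = next((line.strip() for line in data.splitlines()
                       if any(h in line.lower() for h in DENIAL_HINTS)), None)
        findings.append({
            "pattern": m.group("pattern"),
            "prompt_seen": prompt_seen(m.group("pattern"), data),
            "denial": denial,  # the real root cause, if present
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A finding with `prompt_seen` false and a non-empty `denial` points at the rotating account's privileges on the target rather than at the script itself.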

                

Resolution

Say you have two UNIX accounts, “linuxuser1” and “linuxuser2”, and “linuxuser1” is rotating the password of “linuxuser2”. In that case “linuxuser1” needs special settings to be able to perform this: on Linux/AIX, “linuxuser1” needs SUDO privileges. The reason is that PAM needs to use "passwd [username]", and this command for changing a password is only allowed to either the “root” user or a user that has elevated privilege, meaning that the user can use the SUDO command. The account “linuxuser1” also needs to be configured to rotate its own password.

Remediation

Configure the two accounts as follows:

Screenshot #1 - Ensure user linuxuser1 has the settings shown and is allowed SUDO commands.

Screenshot #2 - Ensure user linuxuser2 (whose password is to be reset by user linuxuser1) has the settings shown.

This should resolve the scripting error.
