UNIX account verification by other account fails while update is successful


Article ID: 206764


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have had a few servers that have accounts where we can successfully update the password with PAM and the account shows as Verified afterwards, but when we try to Verify the account, it fails and the account goes into an Unverified state. These accounts are configured to be updated and verified by a non-root master account because they are not allowed remote logon.

Cause

The master account was not allowed to run the su command on the problem servers. When another account is configured to verify the password of a managed account, PAM logs on to the remote server as that other account and then runs an "su - <managed account>" command. su should then prompt for the managed account's password, and it is this prompt that lets PAM verify the password.

Environment

Affects any supported PAM release as of January 2021

Resolution

The master account needs to be granted permission to run the "su" command.

Note that root can su to another user without having to provide that user's password. If root is configured as the master account, PAM logs on as root, runs the "su - <managed account>" command as root, and then runs it a second time in the context of the managed account to get a password prompt. In that case the managed account itself needs to be allowed to run the su command for the PAM Verify script to work.
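The following pre-flight check is an added example and not CA PAM's own Verify script: it applies the rule from the Cause and Resolution sections (a non-root master account runs su itself; with root as master, the managed account must be able to run su) and checks that account against the su restriction. It assumes su is restricted in the common way, by pam_wheel in /etc/pam.d/su limiting su to members of a group (default "wheel"); the file paths and the account names pammaster and svcacct are parameters and constructed sample values, not anything taken from the article.

```shell
#!/bin/sh
# Added example, not CA PAM code. Assumes su is restricted via pam_wheel.

# Print the group pam_wheel requires for su, or nothing if su is unrestricted.
# A missing or unreadable file is treated as "no restriction".
su_required_group() {
    pam_su="$1"   # normally /etc/pam.d/su
    # Only an active (non-commented) required/requisite pam_wheel line counts.
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$pam_su" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 0
    # pam_wheel accepts group=<name>; when absent the group is "wheel".
    grp=$(printf '%s\n' "$line" | sed -n 's/.*group=\([^[:space:]]*\).*/\1/p')
    printf '%s\n' "${grp:-wheel}"
}

# Return 0 if user $1 is a supplementary member of group $2 in group file $3.
# (Primary-group membership from /etc/passwd is not considered here.)
user_in_group() {
    user="$1"; grp="$2"; group_file="$3"
    awk -F: -v g="$grp" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$group_file"
}

# Decide which account must be able to run su for a PAM Verify to succeed:
# a non-root master runs "su - <managed>" itself; when the master is root,
# su runs a second time in the managed account's context, so the managed
# account needs the permission. Returns 0 if Verify should work, 1 if not.
verify_preflight() {
    master="$1"; managed="$2"; pam_su="$3"; group_file="$4"
    if [ "$master" = "root" ]; then needs_su="$managed"; else needs_su="$master"; fi
    grp=$(su_required_group "$pam_su")
    [ -z "$grp" ] && return 0            # su is not restricted, nothing to check
    user_in_group "$needs_su" "$grp" "$group_file"
}
```

Run it on a server as `verify_preflight <master> <managed> /etc/pam.d/su /etc/group` before configuring the target in PAM; a non-zero exit means the account that will run su is not in the group pam_wheel requires.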