We have had a few servers that have accounts where we can successfully update the password with PAM and the account shows as Verified afterwards, but when we try to Verify the account, it fails and the account goes into an Unverified state. These accounts are configured to be updated and verified by a non-root master account because they are not allowed remote logon.
The master account was not allowed to run su commands on the problem servers. When another account is configured to verify the password of a managed account, PAM logs on to the remote server as the other account and then runs an "su - <managed account>" command. This should prompt for the managed account's password and thus can be used to verify that password.
Affects any supported PAM release as of January 2021.
The master account needs to be granted permissions to run "su" commands.
Note that root can su to another user without having to provide that user's password. If root is configured as the master account, then PAM will log on as root, run the "su - <managed account>" command as root, and then run it a second time in the context of the managed account to get a password prompt. In that case the managed account itself needs to be allowed to run the su command for the PAM Verify script to work.
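One way to check on a target server whether the master account (or, when root is the master, the managed account) is blocked from running su. This is an added example, not part of the original article or the product; it assumes su is restricted through a pam_wheel line in /etc/pam.d/su, and the script name check_su.sh is hypothetical.

```shell
#!/bin/sh
# Added diagnostic example, not vendor code.
# Assumption: su is restricted by a pam_wheel line in the su PAM service file.

# Print the group an active pam_wheel restriction requires; print nothing if none.
wheel_group_required() {
    [ -r "$1" ] || return 0
    awk '
        $1 ~ /^#/ { next }                       # skip commented-out lines
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_wheel\.so$/ {
            grp = "wheel"                        # default; GID 0 is used if no wheel group exists
            for (i = 4; i <= NF; i++) {
                if ($i == "deny") next           # deny-style rules are out of scope here
                if ($i ~ /^group=/) grp = substr($i, 7)
            }
            print grp
            exit
        }' "$1"
}

# Return 0 if an account with this space-separated group list passes the restriction.
may_run_su() {
    required=$(wheel_group_required "$2")
    [ -z "$required" ] && return 0               # no pam_wheel restriction found
    for g in $1; do
        [ "$g" = "$required" ] && return 0
    done
    return 1
}

# Report for a real account on this host, e.g. the master or the managed account.
check_account() {
    pam_file=${2:-/etc/pam.d/su}
    if may_run_su "$(id -Gn "$1")" "$pam_file"; then
        echo "$1: no pam_wheel restriction blocks su"
    else
        echo "$1: not in group '$(wheel_group_required "$pam_file")' required by $pam_file"
    fi
}

# Usage: sh check_su.sh <account> [pam-file]
if [ $# -gt 0 ]; then check_account "$@"; fi
```

A passing result only rules out pam_wheel; su can also be restricted by other means, such as the file permissions on the su binary.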