PAM is unable to rotate passwords of AIX accounts


Article ID: 207116


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

CA PAM has been configured with the latest AIX target connector script (see attachment) for password update. As per the regular behaviour in AIX, changing a user's password means the user will be requested to change the password at first login. The default and modified update account scripts are tailored so that the command pwdadm -c <username> is launched afterwards to eliminate the need for changing the password at first login. Nonetheless, the script does not work well, and attempts at changing the password (either using elevated privileges with the account itself or through another account) always result in the following errors in the catalina.out log:

Jan 13, 2021 12:43:06 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data 'sudo pwdadm -c <user>
Error changing "<user>".
<user>@<machine>:/home/<user>$ ' MATCHES the pattern '[#|\$]
Jan 13, 2021 12:43:06 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write

Where <user> is the user whose password we are trying to manage


Cause

This may be a permissions problem for <user>, in that it is not able to properly run sudo for the command pwdadm.

To know if this is the case, please log in to the AIX box for which the process has been applied and try to manually change the password for user <user>, either as that user itself or as the other user defined to change its password, and see if running that command throws an error. If it does, then this is an AIX problem which should be brought to the attention of the AIX administrators.

Environment

PRIVILEGED ACCESS MANAGEMENT, all versions

Resolution

Modify the rights of the user being utilized to change passwords so that it can run pwdadm against the user it is trying to manage.
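The check described under Cause and the sudo change described under Resolution, as an added shell example that is not part of this article or of the attached connector script. It assumes pwdadm is at /usr/bin/pwdadm on the AIX target and that the account PAM logs in with (here "pamadmin") runs it through sudo; the catalina.out excerpt is constructed in the readUntil format shown above.

```shell
#!/bin/sh
# Added example (not from the KB article or the attached connector script).
# Assumptions: pwdadm lives at /usr/bin/pwdadm on the AIX target, and the
# account PAM logs in with (here "pamadmin") runs it through sudo.

# Constructed catalina.out excerpt in the readUntil format shown above:
# one failed pwdadm -c (sudo denied) followed by one that succeeded.
SAMPLE_LOG='Jan 13, 2021 12:43:06 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data '\''sudo pwdadm -c pamtarget
Error changing "pamtarget".
pamadmin@aixhost01:/home/pamadmin$ '\'' MATCHES the pattern '\''[#|\$]
Jan 13, 2021 12:43:06 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
Jan 13, 2021 12:44:10 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: received data '\''sudo pwdadm -c svcbackup
pamadmin@aixhost02:/home/pamadmin$ '\'' MATCHES the pattern '\''[#|\$]'

# Scan a catalina.out stream (stdin) for "sudo pwdadm -c <user>" echoes whose
# captured output contains AIX's 'Error changing "<user>".' line, and print
# one "<user>@<host>" per failure, taking the host from the prompt that ended
# the read. Successful runs (no error line before the prompt) print nothing.
pwdadm_failures() {
  awk '
    /received data .sudo pwdadm -c / { inblock = 1; failed = ""; next }
    inblock && /^Error changing "/ {
      sub(/^Error changing "/, ""); sub(/"\.$/, ""); failed = $0; next
    }
    inblock && /^[^ ]+@[^:]+:/ {
      split($1, p, ":"); at = index(p[1], "@")
      if (failed != "") print failed "@" substr(p[1], at + 1)
      inblock = 0; failed = ""
    }
  '
}

# Least-privilege sudoers rule for the resolution: let the PAM login account
# run pwdadm -c against one managed user only, instead of unrestricted sudo.
sudoers_rule() {
  printf '%s ALL=(root) NOPASSWD: /usr/bin/pwdadm -c %s\n' "$1" "$2"
}

# Manual check from the article, run on the AIX box as the PAM login account:
# "sudo -l <command>" exits 0 only if the policy permits that exact command,
# and -n avoids hanging on a password prompt during a scripted test.
verify_pwdadm_rights() {
  sudo -n -l /usr/bin/pwdadm -c "$1" >/dev/null 2>&1
}

# Usage: pwdadm_failures < /path/to/catalina.out ; sudoers_rule pamadmin pamtarget
printf '%s\n' "$SAMPLE_LOG" | pwdadm_failures
```

Run verify_pwdadm_rights on the AIX box itself; a non-zero exit there confirms the sudo policy, not the connector script, is what blocks pwdadm.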

Attachments

1611338300107__AIXAdmin_UpdateScript_flexible_sudoV2.txt