Using a non-UNIX account to change a local UNIX account password

Article ID: 236134

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We have our UNIX servers integrated with Active Directory. We can log on to the UNIX servers with an AD username and password and run the command "sudo passwd <user>" to change the password of any local UNIX user/account, including root. But when we configure the AD target account in PAM as the "other account" ("Use the following account to change password") to update a local UNIX account, the password change fails.

Environment

Privileged Access Manager, all versions

Cause

The UNIX update credential script that PAM uses to run commands on the target server checks the privilege elevation setting of the "other account". Because the Active Directory target application type (like any LDAP type) has no concept of privilege elevation, the AD account has no such setting, so PAM does not invoke sudo and instead runs a plain "passwd <user>", which cannot work for another user's account without root privileges.

Resolution

The command PAM runs to update the password can be customized to always invoke sudo in the UNIX target application that the managed local UNIX accounts are associated with.

Assume the UNIX account name is "pamuser", and the AD account is "pamadmin" and is configured to change pamuser's password:

Identify the UNIX target application that pamuser belongs to.

Change the Change Password Command of that target application to "sudo passwd".

Note that this does NOT work if sudo is configured with authentication, because the pamadmin account itself has no privilege elevation setting, and PAM will expect the "sudo passwd <user>" command to prompt for the new password of <user> right away, not to ask for the pamadmin password first. If you are required to use authenticated sudo only, the target application must be configured with a custom update script; see the documentation page Add a UNIX Target Connector.
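As an added pre-flight check (this script is not part of PAM or of this article), the following POSIX shell script, run on the UNIX target while logged on as the AD "other account", reports whether "sudo passwd <user>" would run without first prompting for that account's own password, i.e. which of the situations described above applies, without changing any password. It assumes sudo is installed and uses only its standard -n and -l options; the account names pamadmin and pamuser are the article's example names.

```shell
#!/bin/sh
# Added pre-flight check, not PAM product code: run on the UNIX target as the
# AD "other account" (pamadmin) before setting the Change Password Command to
# "sudo passwd".  Nothing is changed; sudo is only asked whether it would allow
# the command.
#
# Return codes of check_sudo_passwd:
#   0  sudo permits passwd for the target user with no password prompt, so the
#      customized "sudo passwd <user>" command will work
#   1  sudo permits it but would first ask for pamadmin's own password
#      (authenticated sudo), the case the stock update script cannot handle
#   2  sudo does not permit passwd for this account at all
check_sudo_passwd() {
    target_user="$1"
    # -n: never prompt, fail instead.  -l <cmd>: only check whether the
    # command is permitted by the sudoers policy, do not execute it.
    out=$(sudo -n -l passwd "$target_user" 2>&1)
    rc=$?
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    case "$out" in
        # Message sudo prints when -n suppresses a required password prompt.
        *"password is required"*) return 1 ;;
        *) return 2 ;;
    esac
}

# Human-readable verdict for the three return codes.
describe_result() {
    case "$1" in
        0) echo "OK: non-interactive sudo passwd works; 'sudo passwd' can be used as the Change Password Command" ;;
        1) echo "NOT OK: sudo requires the other account's password first (authenticated sudo)" ;;
        *) echo "NOT OK: sudo does not allow passwd for this account" ;;
    esac
}

# Usage: sh check_sudo_passwd.sh pamuser
if [ -n "${1:-}" ]; then
    check_sudo_passwd "$1"
    describe_result $?
fi
```

A return code of 1 is exactly the situation the note above warns about: the sudoers policy requires pamadmin to authenticate, so PAM would see a sudo password prompt where it expects the "New password" prompt. That is resolved either on the sudo side, by a sudoers rule that lets the account run the passwd binary without a password (a NOPASSWD entry restricted to passwd, rather than blanket passwordless sudo), or on the PAM side with the custom update script the article refers to.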

Additional Information

For information on how to configure one UNIX account to manage another UNIX account's password, see KB 132195.

For a detailed discussion of privilege elevation settings, see KB 123217.