You have UNIX servers integrated with Active Directory. You can log on to the UNIX servers with an AD username and password and run the command "sudo passwd <user>" to change the password of any local UNIX user/account, including root. But when you configure the AD target account in PAM as the other account ("Use the following account to change password") to update a local UNIX account, the update fails.
The UNIX credential update script PAM uses to run commands on the target server checks the privilege elevation setting of the "other account" in order to determine whether or not to invoke the passwd command with sudo. Because the Active Directory target application type, like any LDAP type, has no concept of privilege elevation, the AD account has no such setting, so PAM does not invoke sudo and instead runs a plain "passwd <user>", which fails: changing the password of another account requires root privileges.
The command PAM runs to update the password can be customized to always invoke sudo. This is done in the UNIX target application that the managed local UNIX accounts are associated with.
Assume the UNIX account name is "pamuser", and the AD account is "pamadmin" and is configured to change pamuser's password:
Identify the UNIX target application for pamuser:
Change the Change Password Command to "sudo passwd"
Note that this does NOT work if sudo is configured to require authentication, because the pamadmin account itself has no privilege elevation setting, and PAM will expect the "sudo passwd <user>" command to prompt for the new password of <user> right away, not to first ask for the pamadmin password. You have to configure sudo for the pamadmin account with the NOPASSWD tag. If you were allowed to use authenticated sudo only, the target application would have to be configured with a custom update script; see documentation page Add a UNIX Target Connector.
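The sudo side of this setup, as an added example that is not part of the original article or of the PAM product: the sudoers rule that still prompts next to the NOPASSWD rule that works, a check that tells the two apart, and the non-interactive test PAM's update script effectively performs. The account names pamadmin and pamuser are the article's; the passwd path and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own): sudoers rule for the PAM "other
# account" case. pamadmin/pamuser come from the article; PASSWD_BIN and the
# /etc/sudoers.d drop-in path are assumed and should be checked locally.

ACCOUNT="pamadmin"
TARGET_USER="pamuser"
PASSWD_BIN="/usr/bin/passwd"   # assumed; confirm with "command -v passwd"

# Rule that does NOT work for PAM: sudo asks for pamadmin's own password
# before passwd ever prints its prompt, and PAM's update script is waiting
# for the passwd prompt.
weak_rule() {
    printf '%s ALL=(root) %s %s\n' "$ACCOUNT" "$PASSWD_BIN" "$TARGET_USER"
}

# Corrected rule: NOPASSWD so the prompt PAM sees is passwd's, and limited
# to exactly "passwd pamuser" so the AD account cannot use this entry to
# run "passwd root" or a bare "passwd".
corrected_rule() {
    printf '%s ALL=(root) NOPASSWD: %s %s\n' "$ACCOUNT" "$PASSWD_BIN" "$TARGET_USER"
}

# Returns 0 if FILE holds a NOPASSWD rule for ACCOUNT that covers
# "PASSWD_BIN TARGET_USER"; returns 1 otherwise. Comment lines are ignored.
rule_is_noninteractive() {
    file="$1"
    grep -v '^[[:space:]]*#' "$file" \
      | grep -E "^[[:space:]]*${ACCOUNT}[[:space:]]" \
      | grep -qE "NOPASSWD:[[:space:]]*${PASSWD_BIN}[[:space:]]+${TARGET_USER}([[:space:]]|$)"
}

# Install the corrected rule as a drop-in and let visudo validate it.
# Must run as root; not exercised by the offline check.
install_rule() {
    dropin="/etc/sudoers.d/pam-${ACCOUNT}"   # assumed path
    corrected_rule > "$dropin"
    chmod 0440 "$dropin"
    visudo -c -f "$dropin"
}

# Live check, run as pamadmin on the target server: "sudo -n" refuses to
# prompt, so a non-zero exit means sudo would ask for a password and the
# PAM update would hang on the wrong prompt.
live_check() {
    sudo -n -l "$PASSWD_BIN" "$TARGET_USER" >/dev/null 2>&1
}
```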