You have UNIX servers integrated with Active Directory. You can logon to the UNIX servers with an AD username and password and run command "sudo passwd <user>" to change the password of any local UNIX user/account, including root. But when you configure the AD target account in PAM as other account ("Use the following account to change password") to update a local UNIX account, it fails.

The UNIX credential update script PAM uses to run commands on the target server checks the privilege elevation setting of the "other account", in order to determine whether or not to invoke the passwd command with sudo. Because the Active Directory, or any LDAP, target application type does not have the concept of privilege elevation, the AD account will not have such a setting, and PAM will not invoke the sudo command, but just run "passwd <user>", which cannot work. Changing the password of another account requires root privileges.

Note that this does NOT work, if sudo is configured with authentication, because the pamadmin account itself has no privilege elevation setting, and PAM will expect the "'sudo passwd <user>" command to prompt for the new password of <user> right away, and not first ask for the pamadmin password. You have to configure sudo for the pamadmin account with the NOPASSWD tag. If you were allowed to use authenticated sudo only, it would require the target application to be configured with a custom update script, see documentation page Add a UNIX Target Connector.

For information on how to configure one UNIX account to manage another UNIX account's password, see KB 132195.

For a detailed discussion of privilege elevation settings, see KB 123217.