Using a non-UNIX account to change a local UNIX account password



Article ID: 236134


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

You have UNIX servers integrated with Active Directory. You can log on to the UNIX servers with an AD username and password and run the command "sudo passwd <user>" to change the password of any local UNIX user/account, including root. But when you configure the AD target account in PAM as the other account ("Use the following account to change password") to update a local UNIX account, the update fails.

Cause

The UNIX credential update script PAM uses to run commands on the target server checks the privilege elevation setting of the "other account" to determine whether to invoke the passwd command with sudo. Because the Active Directory target application type (like any LDAP type) has no concept of privilege elevation, the AD account has no such setting. PAM therefore does not invoke sudo but runs plain "passwd <user>", which fails: changing the password of another account requires root privileges.

Resolution

The command PAM runs to update the password can be customized to always invoke sudo. This is done in the UNIX target application that the managed local UNIX accounts are associated with.

Assume the local UNIX account name is "pamuser", and the AD account is "pamadmin" and is configured to change pamuser's password:


Identify the UNIX target application that pamuser belongs to.

In that target application, change the Change Password Command to "sudo passwd".


Note that this does NOT work if sudo is configured with authentication. Because the pamadmin account itself has no privilege elevation setting, PAM expects the "sudo passwd <user>" command to prompt for the new password of <user> right away, not to first ask for the pamadmin password. You have to configure sudo for the pamadmin account with the NOPASSWD tag. If you were allowed to use authenticated sudo only, the target application would need to be configured with a custom update script; see the documentation page Add a UNIX Target Connector.
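The sudoers side of this setup, as an added illustration that is not part of the original article: the entry that fails with the customized command next to one that works. The usernames are the placeholders from above; the path /usr/bin/passwd is an assumption, so confirm it on the target.

```sudoers
# Added example (not from the original article). pamadmin/pamuser are the
# placeholder names used above; /usr/bin/passwd is an assumed path, check it
# with "command -v passwd" on the target server.

# Fails: sudo asks for pamadmin's own password first. PAM's update script is
# waiting for the "New password:" prompt for pamuser, so the change never
# completes.
pamadmin ALL=(root) /usr/bin/passwd

# Works: NOPASSWD lets "sudo passwd pamuser" go straight to the new-password
# prompt. Naming the managed account as the argument keeps the grant narrow,
# so this rule cannot be used to reset root or any other local account.
pamadmin ALL=(root) NOPASSWD: /usr/bin/passwd pamuser

# Several managed accounts through the same AD account: list each one
# explicitly instead of allowing /usr/bin/passwd with any argument.
# pamadmin ALL=(root) NOPASSWD: /usr/bin/passwd pamuser, /usr/bin/passwd svc1
```

Put the fragment in its own file under /etc/sudoers.d and validate it with "visudo -c -f <file>" before relying on it; depending on how the AD integration presents usernames, the principal may have to be written in domain-qualified form rather than the plain name assumed here.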

Additional Information

For information on how to configure one UNIX account to manage another UNIX account's password, see KB 132195.

For a detailed discussion of privilege elevation settings, see KB 123217.