We have our UNIX servers integrated with Active Directory. We can log on to the UNIX servers with an AD username and password and run the command "sudo passwd <user>" to change the password of any local UNIX user/account, including root. But when we configure the AD target account in PAM as the other account ("Use the following account to change password") to update a local UNIX account, the password change fails.
Privileged Access Manager, all versions
The UNIX update credential script that PAM uses to run commands on the target server checks the privilege elevation setting of the "other account". Because the Active Directory (or any LDAP) target application type has no concept of privilege elevation, the AD account has no such setting, so PAM does not invoke sudo and just runs "passwd <user>", which cannot work without privilege elevation.
The command PAM runs to update the password can be customized to always invoke sudo. This is done in the UNIX target application that the managed local UNIX accounts are associated with.
Assume the UNIX account name is "pamuser", and the AD account "pamadmin" is configured to change pamuser's password:
Identify the UNIX target application for pamuser:
Change the Change Password Command to "sudo passwd".
Note that this does NOT work if sudo is configured to require authentication: because the pamadmin account itself has no privilege elevation setting, PAM expects the "sudo passwd <user>" command to prompt for the new password of <user> right away, not to first ask for the pamadmin password. If you must use authenticated sudo, the target application has to be configured with a custom update script; see the documentation page Add a UNIX Target Connector.
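A pre-flight check for the caveat above, added here as an example and not part of the PAM product or its documentation: run it on the UNIX target while logged on as the AD "other account" (pamadmin) to see whether "sudo passwd" can run without sudo asking for pamadmin's own password. It assumes standard sudo behaviour (the -n flag fails with "a password is required" when authentication would be needed, and "-l <command>" exits 0 only when the command is permitted); the function and classification names are the example's own.

```shell
#!/bin/sh
# Pre-check: can this account run "sudo passwd" without being asked for its
# own password? PAM expects "sudo passwd <user>" to prompt for <user>'s new
# password immediately, so an authenticated-sudo prompt breaks the change.

# Classify the outcome of "sudo -n -l passwd" from its exit code and stderr.
# Assumed sudo behaviour: -n (non-interactive) reports "a password is required"
# when authentication is needed; "-l <command>" exits 0 only when permitted.
interpret_sudo_probe() {
    rc=$1
    err=$2
    if [ "$rc" -eq 0 ]; then
        echo noninteractive_ok   # "sudo passwd" works as the Change Password Command
    elif echo "$err" | grep -q 'a password is required'; then
        echo auth_required       # authenticated sudo: a custom update script is needed
    else
        echo not_permitted       # sudoers does not allow passwd for this account
    fi
}

# Run the probe; -n guarantees sudo never hangs waiting for input.
probe_sudo_passwd() {
    errfile=$(mktemp)
    sudo -n -l passwd >/dev/null 2>"$errfile" && rc=0 || rc=$?
    err=$(cat "$errfile")
    rm -f "$errfile"
    interpret_sudo_probe "$rc" "$err"
}

main() {
    result=$(probe_sudo_passwd)
    echo "sudo passwd pre-check for $(id -un): $result"
    case $result in
        noninteractive_ok) exit 0 ;;
        *) exit 1 ;;
    esac
}

# Only probe when explicitly asked, so the functions can be sourced safely.
if [ "${1-}" = "--run" ]; then main; fi
```

Invoke as `sh precheck.sh --run` as pamadmin; only a result of noninteractive_ok means the "sudo passwd" Change Password Command will work as described above.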