Let's take the following scenario:
The customer logs in to UNIX endpoints with Active Directory (AD)-managed accounts, except for a few local accounts such as root.
Integration of AD and UNIX is performed via a method of the customer's choice, for instance using sssd.
Password rotation for the root account has been set up to run through a master account defined in Active Directory.
Rotation of the password for root and other privileged accounts works fine: the password is changed correctly, according to the Tomcat log.
However, when verifying the root password from CA PAM, or when logging in to the remote endpoint as root with the password stored in CA PAM, the endpoint simply prompts for the password again and the verification fails.
If, on the other hand, another user runs su - to root (which requires the root password) and enters the password stored in CA PAM, this works seamlessly and the user is switched to root.
Applies to CA PAM, all releases.
Checking /var/log/secure on the endpoint during an attempt to ssh to it as root shows the following:
May 24 13:26:46 mymachine sshd[1235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=root
May 24 13:26:46 mymachine sshd[1235]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 24 13:26:46 mymachine sshd[1235]: Failed password for root from X.X.X.X port XXXXX ssh2
The pam_succeed_if rule with the condition uid >= 1000 is a setting in the PAM stack used by sshd (on RHEL-family systems /etc/pam.d/sshd and the password-auth file it includes) that only lets regular user accounts through and rejects system accounts, whose UIDs are below 1000. On a UNIX system root always has UID 0, so root can never satisfy the condition and is always rejected on this path. su uses its own stack, /etc/pam.d/su, so a rule in the sshd stack does not affect it. Note that the same attempt also logs a pam_unix authentication failure; if that line persists after the pam_succeed_if rule has been adjusted, the password presented did not match the local entry in /etc/shadow and the rotated password itself needs to be checked.
Change the PAM configuration on the UNIX endpoint so that root, with its UID of 0, is allowed to log in: locate the pam_succeed_if line carrying the uid >= 1000 condition in /etc/pam.d/sshd or in the file it includes, and either exempt root or change the control flag so that the rule only skips the AD module for system accounts instead of denying them. Keep in mind that the rule exists precisely so that system accounts cannot log in over SSH, so relaxing it for root is a deliberate widening of the attack surface and should be limited to the sshd stack; sshd's own PermitRootLogin setting must also permit root logins, otherwise the attempt still fails.
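To find the rule described above before editing anything, the following script scans a PAM auth stack for pam_succeed_if conditions that root (UID 0) can never satisfy and that are enforced with a required or requisite control, which is what denies root outright; a [default=1 ...] control merely skips the next rule and is therefore not flagged. This is an added example, not code from the article or from CA PAM. The two sample stacks it writes are constructed for the demo in the shape of an authconfig-era and an authselect-era RHEL password-auth file, and the [default=1 success=ok] control used in the "fixed" stack is one assumed way of relaxing the rule, not the only one.

```shell
#!/bin/sh
# Added example (not from the original article): report pam_succeed_if auth rules
# that uid 0 (root) cannot satisfy and that are enforced as required/requisite.

# Usage: find_root_blocking_rules FILE
# Prints FILE:LINENO:LINE for every offending auth rule in FILE.
# Note: include/substack directives are not followed; run it on each file.
find_root_blocking_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 != "auth" { next }
        {
            # The control field may be a bracketed list containing spaces,
            # e.g. [default=1 success=ok]; reassemble it before reading the module.
            control = $2; i = 3
            if (substr(control, 1, 1) == "[") {
                while (i <= NF && substr(control, length(control), 1) != "]") {
                    control = control " " $i; i++
                }
            }
            module = $i
            if (module !~ /pam_succeed_if\.so$/) next
            # Evaluate only "uid OP N" conditions against uid 0.
            blocks = 0
            for (k = i + 1; k <= NF - 2; k++) {
                if ($k != "uid") continue
                op = $(k + 1); n = $(k + 2) + 0
                if ((op == ">=" && n > 0) || (op == ">" && n >= 0) ||
                    (op == "!=" && n == 0) || (op == "=" && n != 0)) blocks = 1
            }
            # Only a required/requisite control turns the failed condition into a denial.
            if (blocks && (control == "required" || control == "requisite"))
                print FILENAME ":" FNR ":" $0
        }
    ' "$1"
}

# Usage: count_root_blocking_rules FILE -> prints the number of offending rules
count_root_blocking_rules() {
    find_root_blocking_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample stacks (assumption: shaped like RHEL password-auth, not copied
# from any real system). The first denies root, the second only skips pam_sss.
write_sample_stacks() {
    cat > "$1/password-auth.blocking" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
    cat > "$1/password-auth.fixed" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=1 success=ok] pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF
}

# Demo: write both sample stacks and scan them.
demo_dir=$(mktemp -d)
write_sample_stacks "$demo_dir"
echo "rules denying root in the blocking stack:"
find_root_blocking_rules "$demo_dir/password-auth.blocking"
echo "rules denying root in the fixed stack:"
find_root_blocking_rules "$demo_dir/password-auth.fixed"
```

On a real endpoint, run find_root_blocking_rules against /etc/pam.d/sshd and against the files it includes (password-auth or system-auth); a hit on the sshd path together with the "requirement uid >= 1000 not met" line in /var/log/secure confirms the cause.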