Unable to rotate the password for an AIX target account provisioned in Active Directory

Article ID: 267907

Updated On: 10-19-2023

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A situation may arise with the following setup:

  • UNIX accounts are managed centrally in Active Directory (AD)
  • The UNIX machines are set up so that accounts and their passwords are pulled from that Active Directory by one of the UNIX-to-AD integration utilities, for instance sssd or secldapclntd
  • The flavour of the UNIX machines whose password must be rotated is AIX

Under these conditions, it may occur that an account whose password has been successfully rotated in Active Directory by PAM is never able to log in to the target server.

The login attempt results in the server asking for a password reset on first login: the messages "Your password has expired" and "You must change your password now and login again" are shown, but when the user tries to change the password the connection is closed and the situation is back at the starting point.

Environment

CA PAM all releases

Target Server running AIX, all flavours

Cause

The problem is caused by a combination of two factors:

  • AIX, by default, has a setting whereby when a user's password is changed by root or any other user, a password change is mandatory the next time that user logs in. This is normal AIX behaviour with respect to password management
  • The AIX server where one is trying to log in after the password change through PAM has some issue connecting to the Active Directory/LDAP server. For instance it lacks a permission, has a connection failure, or has any other problem that prevents a user's password in AD from being updated from that server

In such a situation, after the password of, say, user A is rotated in AD through PAM, user A is prompted to change the password when logging in to the AIX machine, but the change fails because of the issue that server has updating passwords in AD. Consequently user A is disconnected and the password is not updated.

Resolution

There are several solutions here:

A first solution is to disable the flag that forces a password change upon first login in AIX. Several websites describe how to do that; in general, clearing the ADMCHG flag from the server's /etc/security/passwd for every user that should not be required to change its password on first login will suffice.

Otherwise it is also possible to investigate and try to resolve the root cause of the failure a user gets when changing its password in AD from the problematic server. This may however not be the best option: as long as the flag forcing a password change is still set, the default AIX behaviour means the target account password will be changed outside the control of PAM, which will lead to problems with autologin, etc.
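To verify which accounts on a server still carry the ADMCHG flag before (and after) applying the first solution above, the following read-only check parses an /etc/security/passwd-style stanza file. This is an added example, not part of the article or of the PAM product; it assumes it is run as root on the AIX host, or on any POSIX system against a copy of the file, and the sample stanza file it builds is constructed data.

```shell
# Read-only check: list the users in an AIX /etc/security/passwd stanza file
# whose "flags" attribute contains ADMCHG, the marker that forces a password
# change at next login. Expected stanza layout:
#
#   user:
#           password = <hash>
#           lastupdate = <epoch seconds>
#           flags = ADMCHG
#
# Assumption (not from the article): run as root on the AIX host, or on any
# POSIX system against a copy of the file. Nothing is modified.
admchg_users() {
    # $1: path to a file in /etc/security/passwd stanza format
    awk '
        # "username:" on its own line opens a new stanza
        /^[^ \t]+:[ \t]*$/ { user = substr($1, 1, length($1) - 1); next }
        # Inside a stanza, inspect only the flags attribute
        user != "" && $0 ~ /^[ \t]*flags[ \t]*=/ {
            line = $0
            sub(/^[ \t]*flags[ \t]*=[ \t]*/, "", line)
            # flags may be a comma- or blank-separated list, e.g. ADMCHG,NOCHECK
            n = split(line, f, /[, \t]+/)
            for (i = 1; i <= n; i++) if (f[i] == "ADMCHG") { print user; break }
        }
    ' "$1"
}

# Constructed sample in the same format (not data from any real system)
sample_passwd_file() {
    cat <<'EOF'
root:
        password = *
        lastupdate = 1700000000
        flags =

svc_pam:
        password = !
        lastupdate = 1700000100
        flags = ADMCHG

appuser:
        password = !
        lastupdate = 1700000200
        flags = ADMCHG,NOCHECK
EOF
}
```

Running `sample_passwd_file > /tmp/passwd.sample; admchg_users /tmp/passwd.sample` prints `svc_pam` and `appuser`; on AIX itself the flag is cleared per user with `pwdadm -c <user>` (a command not mentioned in the article), after which the check should print nothing for that user.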