A2A client not able to connect using FQDN
Article ID: 270325

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

On the below AWS Linux servers the A2A client is unable to connect to PAM using fully qualified domain names, be it the VIP FQDN, or a specific PAM host address. It works when we use IP addresses in the A2A client configuration file and that resolves the problem for now. But long term we prefer to use FQDNs and not IPs, which could change. We don't see a problem with the DNS configuration. When we run "nslookup <FQDN>" we do get the expected IP back. Only the PAM A2A client doesn't seem to resolve it properly. We do have other servers in AWS that don't have this problem, but they are in a different subnet.

Environment

Release : Applies to any PAM release

Cause

The /etc/resolv.conf file had read permissions for the root user only, but the A2A client was run by a non-root user. The nslookup command had been run while logged on as root and worked for that reason.

Resolution

Changing the permissions on /etc/resolv.conf to 644 (owner read/write, group and others read-only) resolved the issue. This file is meant to be readable by all users; only the write permission should be limited to root.
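The following script is an added example, not part of the original article or of the PAM product: it checks whether the resolver configuration is readable by non-root users (the condition the A2A client needs) and applies the 644 fix described above. It assumes a Linux host with GNU stat (a BSD stat fallback is included) and, in the demo, works on a constructed temporary copy so that it runs without root and without touching the real /etc/resolv.conf.

```shell
#!/bin/sh
# Added example: verify and fix the /etc/resolv.conf permission problem
# that stops a non-root A2A client from resolving FQDNs.

# Print the octal permission bits of a file.
# Assumption: GNU stat (Linux); falls back to BSD stat syntax.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the "others" class has read permission, 1 otherwise.
# The last octal digit is the "others" class; bit value 4 is read.
world_readable() {
    mode=$(file_mode "$1") || return 2
    others=${mode#"${mode%?}"}          # last character of the mode string
    [ $(( others & 4 )) -ne 0 ]
}

# Check a resolver config file (default /etc/resolv.conf).
# Prints a verdict and the fix; returns 0 when readable by all users.
check_resolv_conf() {
    f=${1:-/etc/resolv.conf}
    if [ ! -e "$f" ]; then
        echo "MISSING: $f does not exist"
        return 2
    fi
    if world_readable "$f"; then
        echo "OK: $f mode $(file_mode "$f") is readable by all users"
        return 0
    fi
    echo "PROBLEM: $f mode $(file_mode "$f") is not readable by non-root users"
    echo "Fix (as root): chmod 644 $f   # owner rw, group/others read-only"
    return 1
}

# Apply the fix from the article: 644 = rw-r--r--. Needs root on a real host.
fix_resolv_conf() {
    chmod 644 "${1:-/etc/resolv.conf}"
}

# Demonstrate on a constructed copy of the file (content is made up).
demo() {
    tmp=$(mktemp)
    printf 'nameserver 10.0.0.2\nsearch example.internal\n' > "$tmp"
    chmod 600 "$tmp"          # reproduce the broken state from the article
    check_resolv_conf "$tmp"  # reports PROBLEM
    fix_resolv_conf "$tmp"
    check_resolv_conf "$tmp"  # reports OK
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see both verdicts on the temporary copy, or call `check_resolv_conf` with no argument on a live host. Two practical notes: run the `nslookup` test as the same non-root account that runs the A2A client (for example via `sudo -u <a2a-user>`), since a lookup performed as root says nothing about that account's access; and glibc's resolver, when it cannot read /etc/resolv.conf, falls back to a nameserver on 127.0.0.1, which is why FQDNs fail while literal IP addresses in the client configuration keep working.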