It is required for PAM to manage root passwords with an Active Directory target account. When attempting to rotate the root password, the following error occurs. How can PAM be configured so the Active Directory account can manage root accounts?
PAM-CM-1341: Failed to establish a communications channel to the remote host.
Privileged Access Manager, all versions
In Unix, only root is allowed to change passwords for other users. This is confirmed in the Tomcat logs when the log level is set to Info. The following message will be logged prior to the error.
2023-01-01T01:23:45.653+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T98127 - received data 'passwd root
passwd: Only root can specify a user name.
'
Under normal circumstances, a Unix target account would be managing the root account and "use elevated privileges" would be set so PAM would use `sudo passwd root` to change the password. However, this option is not available for Active Directory target accounts.
Create a second target application and change the Change Password Command value to either 'sudo passwd' or '/usr/bin/sudo /usr/bin/passwd', then have the accounts being managed by the AD account use the new target application.
In order for the Active Directory account to be capable of running `sudo passwd`, please work with a Linux Administrator to add the user to the sudoers file.