Cannot Manage Root in PAM Using AD Account

Article ID: 271219

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

PAM needs to manage root passwords on Unix/Linux targets using an Active Directory target account. When the root password is rotated, the following error occurs. How can PAM be configured so that the Active Directory account can manage root accounts?

PAM-CM-1341: Failed to establish a communications channel to the remote host.

Environment

Privileged Access Manager, all versions

Cause

On Unix and Linux systems, only root can change another user's password. This is confirmed in the Tomcat logs when the log level is set to Info: the following message is logged just before the error.

2023-01-01T01:23:45.653+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T98127 - received data 'passwd root
passwd: Only root can specify a user name.
'

Under normal circumstances, a Unix target account manages the root account with "use elevated privileges" set, so PAM runs `sudo passwd root` to change the password. That option is not available for Active Directory target accounts, so PAM runs `passwd root` as the unprivileged AD user and the command is rejected.

Resolution

Create a second target application and set its Change Password Command to either 'sudo passwd' or '/usr/bin/sudo /usr/bin/passwd', then have the root accounts managed by the AD account use this new target application.

Additional Information

For the Active Directory account to be able to run `sudo passwd`, work with a Linux administrator to add the account to the sudoers file. Grant only the passwd command rather than unrestricted sudo, since the AD account's credentials are what PAM presents to every managed host.
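The following script is an added example, not part of the Broadcom article, showing one way a Linux administrator can create and validate the sudoers entry described above. It assumes the AD account appears on the host as `svc-pam@example.com` (SSSD-style fully qualified name; a `DOMAIN\user` form is handled too), that the drop-in path `/etc/sudoers.d/pam-root-rotation` is acceptable, and that `NOPASSWD` is needed because PAM drives `passwd` over its own channel rather than answering a sudo prompt. Adjust the account name and path to your environment.

```shell
#!/bin/sh
# Added example (not from the KB article): build, syntax-check and install a
# sudoers drop-in that lets the AD-backed account used by PAM run only
# "passwd root" through sudo. All names and paths below are assumptions.

# Print the sudoers rule for one login name, limited to /usr/bin/passwd root.
# sudoers syntax requires backslashes (DOMAIN\user) and spaces to be escaped.
sudoers_rule() {
    name=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g')
    printf '%s ALL=(root) NOPASSWD: /usr/bin/passwd root\n' "$name"
}

# Write the rule to a temporary file, let visudo check it (if installed), and
# only then copy it into place with the 0440 mode sudo expects.
# Returns 0 on success, 1 if visudo rejects the file or the copy fails.
install_rule() {
    name=$1
    target=${2:-/etc/sudoers.d/pam-root-rotation}
    tmp=$(mktemp) || return 1
    sudoers_rule "$name" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null 2>&1; then
            rm -f "$tmp"
            return 1
        fi
    fi
    if cp "$tmp" "$target" && chmod 0440 "$target"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Confirm from the host's point of view that the account may now run the
# command non-interactively (sudo -l lists what the user is permitted to run).
verify_rule() {
    sudo -n -l -U "$1" 2>/dev/null | grep -q '/usr/bin/passwd root'
}

# Usage (as root on the managed host):
#   install_rule 'svc-pam@example.com' && verify_rule 'svc-pam@example.com'
```

After installing the rule, rotate the root password once from PAM and confirm the Tomcat log now shows `sudo passwd root` being accepted rather than the "Only root can specify a user name" message.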