AIX auto-login fails after password update

Article ID: 280234

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Accounts are configured with a Password View Policy (PVP) that changes the password on check-in. After the first check-in, some AIX target accounts that are configured to have their password updated by a service account no longer work with auto-login. The connection is established, but the user is asked to change the password. Server logs show that PAM fails to send the pwdadm command that resets the password change requirement after setting a new password.

Environment

PAM 4.1.0-4.1.6

Cause

If the target application has the UNIX variant AIX checked, the default UNIX update script does send a "pwdadm -c <user>" command after the passwd command, but it does not wait for the passwd command to complete. Typically this is not a problem, but it has been observed on multiple servers that when the passwd command returns, the shell does not see the command that was sent afterwards and therefore does not execute it.
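To confirm on an AIX target that the "pwdadm -c <user>" step was lost, check whether the account still carries the ADMCHG flag, which AIX sets when an administrator changes another user's password and which forces a change at next login. The script below is an added example, not part of the original article or of PAM; it assumes the stanza layout printed by "pwdadm -q <user>", and the function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Broadcom/PAM code): list accounts whose ADMCHG flag is
# still set, i.e. the "pwdadm -c <user>" step did not take effect.

# Read stanza-format text on stdin, as printed by "pwdadm -q <user>"
# (assumed layout: "user:" header followed by indented "key = value" lines),
# and print every user whose flags still include ADMCHG.
admchg_users() {
    awk '
        /^[^ \t#][^:]*:[ \t]*$/ {        # stanza header, e.g. "appuser1:"
            user = $0
            sub(/:[ \t]*$/, "", user)
            next
        }
        /^[ \t]*flags[ \t]*=/ {          # flags may be empty or comma-separated
            val = $0
            sub(/^[^=]*=/, "", val)
            gsub(/[ \t]/, "", val)
            n = split(val, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] == "ADMCHG" && user != "") print user
        }
    '
}

# Constructed sample: appuser1 still requires a password change,
# appuser2 had its flags cleared.
sample_output() {
    cat <<'EOF'
appuser1:
        lastupdate = 1700000000
        flags = ADMCHG

appuser2:
        lastupdate = 1700000100
        flags =
EOF
}

# On a real AIX target, as root, for each managed account:
#   pwdadm -q "$user" | admchg_users
# Demonstration on the constructed sample:
sample_output | admchg_users
```

Any account the function prints will prompt for a password change at the next login and fail auto-login until "pwdadm -c <user>" is run for it.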

Resolution

This problem is fixed in the upcoming 4.1.7 and 4.2 releases.