PAM-CMN-0155 when attempting to modify some user accounts in 4.1.7

Article ID: 371974

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Updating a user who has a CM group membership (or who is being added to a CM group) and who is also a vault user (a member of a vault group) fails with the error:

PAM-CMN-0155: User <PAM account name> was not updated

The session log will show a message like:
PAM-CMN-2261: Password Authority failure to try to activate user <PAM account name>. Message: PAM-CM-0873: Invalid user group ID. User group ID <id> does not exist..

This is observed since the upgrade to 4.1.7.
Users who were configured this way in earlier releases cannot change their password; the update fails with the same error.

Environment

This problem is specific to the PAM 4.1.7 release.

Cause

The calls that retrieve group memberships were inconsistent: one call included secrets management groups, while another did not. This was introduced with the new feature "New External API Methods for Managing Credential Manager Credential Groups and Obtaining Credential Manager Roles"; see the documentation page "New Features in 4.1.7".

Resolution

This problem is resolved in published cumulative patch 4.1.7.50, where it is listed as follows:

- Cannot update a user who is a member of a credential group (or add a user to a credential group) if they are also a member of a secrets group. (Case number: 35263274/Defect ID: DE605266)