Blog Viewer

PAM not able to verify or change the password of Linux account

By Maria Celeste Catena posted 11-02-2017 04:51 AM

  

###### [Issue Summary] ######
We have tested the non root accounts in PAM, where we created a user in Linux and tried to integrate it with PAM. After saving the password in PAM, we found that the PAM is not able to change the password neither it can verify the credentials. The GUI is also different since it is the local account in Linux system.

But at the same time, if we map the access of this machine to the user, it is able to give the authenticated session with successful SSO.

 

###### [Troubleshooting] ######

Set the Tomcat logs to INFO. Remember to click on Submit to take effect the change.
Reproduce the error by doing a verify and download the tomcat logs (catalina.out).
Open the catalina.out file and search for the account.  Does it shows a log similar like the one below?:

INFO: received data 'echo 5806851173112548163-$?-5765463665594853060


$ echo 5806851173112548163-$?-5765463665594853060
5806851173112548163-1-5765463665594853060
$ ' does NOT CONTAIN the case-sensitive string '5806851173112548163-0-5765463665594853060'

 

###### [Root Cause] ######

When PAM communicates to the target device to verify the account, it sends an echo $? and expects a 0 as result. If the server returns 1, then it means for PAM that something is not well.

 

You can easily validate this by connecting to the target device and type "echo $?" . What value returns?

 

$? is the return code of the last executed command.

This means that there's an action that didn't end properly in the system or that is on hold.

 

$? is a variable holding the return value of the last command you ran.

The background process pid is available as $!, and $? only reports whether the background command was correctly started.

 

###### [Resolution] ######
If you consider thatre is no risk to skip this status, then you can modify the Verify script and remove this verification status step.
You can modify it and then paste it in the target application settings.

OR
If you consider that PAM should validate the Target device status, then you will have to check from your end what are the process that are taking so long or that are getting on hold.

 

Note: To get the Default scripts, you need to ask to support. Modifying the script is under your responsability. Support can help you if required but is not a Service team.

2 comments
7 views

Comments

11-02-2017 02:49 PM

This typically is observed when the last command run by the last login script, such as ~/.bashrc or ~/.profile, returns a code other than 0. In that case a modification of the login script would be another option to resolve this problem.

11-02-2017 05:59 AM

Another scenario of not able to change password is the locale setting of the user.

 

In such case, set Change Password Command on Script Processor tab of target application as:

LANG=C passwd

or

LANG=en_US.UTF-8 passwd