Mamatha,
Have you verified that you are able to update the credentials manually? There are some common causes for widespread credential update issues:
- In AD (and perhaps others), there is a policy that only allows an account to update its password every X hours. Disable this policy, or use another account to manage passwords.
- Accounts are getting locked out during password update. When updating a password, PAM first attempts an authentication with the new password, then updates the password, then tests again. The first test should always fail, so you need to make sure you're not locking an account after a single failed login attempt.
- Long-running jobs: PAM uses the scheduled jobs functionality for policy-driven password rotations. Since jobs run synchronously (one at a time), a job that takes a very long time to run may prevent other jobs from running as scheduled. Rebooting would interrupt the long-running job, thereby allowing other jobs to run.
I have personally seen issues with corruption of the scheduled jobs queue; however, this would not get fixed by a reboot, so I don't believe this is the issue you are seeing.
If the above doesn't point you in the right direction, please provide more information (where are the credentials stored, what password view policy settings are you using, relevant lines from the diagnostic logs, etc.).
Joe
Original Message:
Sent: 07-06-2019 05:13 AM
From: Prachi.Nirav Chandan
Subject: Accounts Synchronization on ca PAM
Hello,
Passwords are not getting updated on target accounts as per the policy given. Every minute on the dashboard we can see an increasing number of accounts going out of sync.
We are rebooting the nodes every single day to make sure the scheduled jobs of the credential manager work fine.
Kindly provide the solution to make the environment stable.
Regards,
Mamatha