I'm working on PAM 3.3.2 for a client that is due to go live in 10 days.
We need to manage AD accounts by way of a Master AD account, so we on-board and configure those accounts accordingly.
When I try to force-change the password I see the behavior described in "Avoid Windows Target Accounts getting locked out".
In short: "FIRST PAM attempts to verify the specified credentials for the account, BEFORE updating the credentials for the account using the master account."
or in other words
"The _managed_ account first tries to validate its 'own' creds with the _generated_ password, not the currently verified and synchronized one; well, of course that fails twice (once by UPN and again by DN) because the generated password is NOT the same as the current password… and only then does the Management account log in."
I see this as a potential design flaw; consider the following real-world experience, for which I will provide some anecdotal evidence to support my finding (see screenshots further below).
NOTE: Before I try to force-spin the password on the managed account, I confirm that the password is indeed valid by (a) validating in PAM and (b) auto-connecting to a target Windows member server device with that account. So we know the password is correct.
====== excerpt from the Catalina log ============
Nov 06, 2020 6:29:01 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
INFO: Failed authentication to Active Directory using distinguished name 'CN=*******,OU=Users,OU=PAM,OU=CORE,DC=domain,DC=net' for account '******' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580 ]'
…
Nov 06, 2020 6:29:02 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager bindUsingUserPrincipalName
INFO: Failed authentication to Active Directory using user principal name '*******@*****.net' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580 ]'
================================================
52e == invalid credentials.
Consider what could happen if the account lockout policy were set to 1 failed attempt in a target domain. PAM would lock out the managed account every time a PAM admin or job tried to force-spin the password.
If PAM must first validate the managed account's password, then shouldn't it do so with the _current_ password, not the generated one?
I appreciate your thoughts.
Enjoy your weekend.
------------------------------
Services Architect
HCL Technologies Ltd
------------------------------
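The lockout risk described in the post above comes down to counting how many `error code 49 ... data 52e` bind failures a managed account accumulates inside the domain's lockout observation window. The following is an added example (it is not part of the original post, nor Broadcom/CA PAM code) that parses Catalina/JUL records in the two-line format shown in the excerpt, decodes the Microsoft AD sub-code in the `data` field, and reports per account whether the burst of bad-password binds would reach a given lockout threshold or whether AD already reports the account as locked (`data 775`). The log lines, account names and domain in `SAMPLE_LOG` are constructed for the example; the `com.cloakware...` source class and the sub-code table are real, the lockout window and threshold are parameters you must take from your own domain policy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Microsoft AD sub-codes carried in the "data NNN" field of an LDAP
# resultCode 49 (invalidCredentials) bind response.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# JUL/Catalina header: "<timestamp> <source class> <source method>"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<cls>\S+) (?P<method>\S+)$"
)
# Bind by distinguished name names the account explicitly ...
DN_RE = re.compile(r"Failed authentication .* for account '(?P<acct>[^']+)'")
# ... bind by UPN does not, so the account is the UPN's local part.
UPN_RE = re.compile(r"Failed authentication .* user principal name '(?P<upn>[^']+)'")
DATA_RE = re.compile(r"LDAP: error code 49 - .*?data (?P<code>[0-9a-f]+)")

# Constructed sample in the same shape as the post's excerpt (names/domain invented).
SAMPLE_LOG = """\
Nov 06, 2020 6:29:01 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager loginToActiveDirectoryServer
INFO: Failed authentication to Active Directory using distinguished name 'CN=svc-pamtest,OU=Users,OU=PAM,DC=example,DC=net' for account 'svc-pamtest' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580 ]'
Nov 06, 2020 6:29:02 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager bindUsingUserPrincipalName
INFO: Failed authentication to Active Directory using user principal name 'svc-pamtest@example.net' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 52e, v2580 ]'
Nov 06, 2020 6:31:10 PM com.cloakware.cspm.server.plugin.targetmanager.WindowsDomainServiceTargetManager bindUsingUserPrincipalName
INFO: Failed authentication to Active Directory using user principal name 'svc-other@example.net' due to error '[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 775, v2580 ]'
"""


def parse_failed_binds(log_text):
    """Return [(timestamp, account, subcode)] for each failed AD bind record.

    A record is a header line followed by its 'INFO: ...' message line.
    Anything that is not a header, or not a resultCode 49 failure, is skipped.
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    events = []
    i = 0
    while i < len(lines) - 1:
        header = HEADER_RE.match(lines[i])
        if not header:
            i += 1
            continue
        msg = lines[i + 1]
        data = DATA_RE.search(msg)
        acct = None
        m = DN_RE.search(msg)
        if m:
            acct = m.group("acct")
        else:
            m = UPN_RE.search(msg)
            if m:
                acct = m.group("upn").split("@", 1)[0]
        if data and acct:
            ts = datetime.strptime(header.group("ts"), "%b %d, %Y %I:%M:%S %p")
            events.append((ts, acct.lower(), data.group("code")))
        i += 2
    return events


def lockout_risk(events, threshold, window=timedelta(minutes=30)):
    """Per account: peak number of bad-password (52e) binds inside a sliding
    window, whether that peak reaches the domain lockout threshold, and whether
    AD already answered 'locked out' (775). threshold=0 means no lockout policy.
    """
    by_acct = defaultdict(list)
    for ts, acct, code in events:
        by_acct[acct].append((ts, code))
    report = {}
    for acct, recs in by_acct.items():
        recs.sort()
        bad_pw = [ts for ts, code in recs if code == "52e"]
        peak = 0
        for k, ts in enumerate(bad_pw):
            peak = max(peak, sum(1 for t in bad_pw[: k + 1] if t >= ts - window))
        report[acct] = {
            "bad_password_peak": peak,
            "would_lock": threshold > 0 and peak >= threshold,
            "already_locked": any(code == "775" for _, code in recs),
            "reasons": sorted({AD_BIND_SUBCODES.get(c, "unknown " + c) for _, c in recs}),
        }
    return report


if __name__ == "__main__":
    # With a 1-attempt policy, the very first 52e from the managed account is already a lockout.
    for acct, info in lockout_risk(parse_failed_binds(SAMPLE_LOG), threshold=1).items():
        print(acct, info)
```

Run it against a real `catalina.out` slice around a forced password change: the managed account should show a `bad_password_peak` of exactly the number of pre-update verification binds PAM makes (two in the excerpt, DN then UPN). If the peak is greater than or equal to the value of `Get-ADDefaultDomainPasswordPolicy`'s `LockoutThreshold` (or the fine-grained policy that applies to the account), the spin will lock the account.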