We just upgraded from PAM 3.2.3 to Layer 7 PAM 3.3.0 during the weekend. It appears the Layer 7 PAM 3.3.0 is unable to reset passwords for accounts. It appears the change in the applications that interface with our servers are no longer able to change the passwords in version 3.3.0. These password policies were written by me along with input from the awesome and legenday Adam Roll! They worked for 4 months under PAM 3.2.3.
For our Windows systems, we use a password master. It keeps failing to rotate the password masters password. The accounts that depend upon it, become unverified when the password cannot be rotatted. On the domain, the passwords expire every 60 days. The accounts can be rotated administratively any time. However, the accounts must wait one day before the account can rotate its own password.
I have cleaned up 6 domains. For our LINUX systems, we are not using a password master. As a result, the accounts are not rotating the password and being locked out. We have over 100 local accounts on LINUX systems that unverified.
I check the session logs on all three production appliances. There were no entries the pertain to either resetting LINUX or Active Directory accounts.
I attached a copy of our password policy. Does anyone have any ideas of what works with 3.3.0 versus 3.2.3?
Thanks
------------------------------
Thanks
Tarek Hamdy
thamdy2000@gmail.com571-723-2859
------------------------------