Not All Unix Target Accounts are Successfully Verified

Document ID : KB000073217
Last Modified Date : 15/03/2018
Issue:
Unix accounts become unverified for a variety of reasons. When an account is unverified, PAM will not allow its password to be used or the account to be checked out.

Environment:
PAM 2.8.3, with 2.8.3.01, 2.8.3.02 and 2.8.3.03 HotFixes.
Cause:
This problem may occur for many reasons. In one recent case the Target Application was configured for passwords to expire after a period of time, and when the expired passwords were being updated many of them became unverified.

To investigate such an issue, set the Tomcat Log Level to Debug and verify an account that is currently not verified. Download the Tomcat log and find where PAM goes through the verification dialogue. You should see messages showing that the password prompt matched and that the password was sent.

One reason for the script to fail is that the prompts do not match the regular expressions on the Target Application's Script Processor tab. Beneath each prompt field PAM displays the default regular expression, which matches the default prompts for the selected Unix Variant. The script can fail because the wrong Unix Variant is selected, or because the prompts on the target system were changed from the defaults.

Another possible cause is that the response from the target server did not come back quickly enough. In the recent customer case, the Tomcat log showed PAM sending the string that gets the exit status of the command last executed on the server. The Unix command executed to get this status is "echo $?". Entries for the Echo Command and the Exit Status of Last Command can also be found on the Script Processor tab, if these are different for your system. The Tomcat log will show the command being executed. For example, if the default status check is used the log will contain <a string of digits>$?<a string of digits>. This will be followed shortly by a similar message with the $? replaced by the status returned by the last command executed on the server; it should be 0 if successful. If the system does not reply quickly enough you will see a message that the expected reply was not seen. Check the timestamps of the status request and reply, and increase the timeout setting on the Script Processor page if necessary.
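To make the timestamp check concrete, the following added script (not part of this article or of PAM) pairs each "echo $?" status request in a Tomcat log excerpt with its reply, reports the returned exit status and the latency, and flags replies that were too slow, non-zero, or never arrived. The log line format and the digit marker around "$?" are constructed assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed Tomcat-style log excerpt: the line format and the digit marker
# wrapped around "$?" are assumptions, not copied from a real PAM log. "Sent"
# is PAM issuing the status check; "Received" is the target's reply with "$?"
# replaced by the exit status of the last command.
SAMPLE_LOG = """\
2018-03-15 10:00:01,120 DEBUG Sent: 1042$?1042
2018-03-15 10:00:01,380 DEBUG Received: 104201042
2018-03-15 10:00:05,000 DEBUG Sent: 1043$?1043
2018-03-15 10:00:05,210 DEBUG Received: 104311043
2018-03-15 10:00:09,500 DEBUG Sent: 1044$?1044
2018-03-15 10:00:22,900 DEBUG Received: 104401044
2018-03-15 10:00:30,000 DEBUG Sent: 1045$?1045
"""

LINE_RE = re.compile(r"^(\S+ \S+) DEBUG (Sent|Received): (.*)$")
REQUEST_RE = re.compile(r"^(\d+)\$\?\1$")  # marker, "$?", same marker
TS_FMT = "%Y-%m-%d %H:%M:%S,%f"


def analyse_status_checks(log_text, timeout_seconds):
    """Pair each status request with its reply; returns (marker, status, latency, verdict)."""
    results, pending = [], None  # pending = (marker, sent_at) awaiting a reply
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT)
        direction, payload = m.group(2), m.group(3)
        if direction == "Sent":
            req = REQUEST_RE.match(payload)
            if req:
                if pending:  # earlier request never answered: the "expected reply not seen" case
                    results.append((pending[0], None, None, "no_reply"))
                pending = (req.group(1), ts)
        elif pending:
            marker, sent_at = pending
            rep = re.fullmatch(re.escape(marker) + r"(\d+)" + re.escape(marker), payload)
            if not rep:
                continue  # unrelated output between request and reply
            status, latency = int(rep.group(1)), (ts - sent_at).total_seconds()
            verdict = ("timeout" if latency > timeout_seconds
                       else "nonzero_status" if status else "ok")
            results.append((marker, status, latency, verdict))
            pending = None
    if pending:
        results.append((pending[0], None, None, "no_reply"))
    return results
```

Run it with the Script Processor timeout you have configured (for example `analyse_status_checks(SAMPLE_LOG, 10)`); a "timeout" verdict shows the reply arrived but later than PAM would have waited, which is the case where raising the timeout helps.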
Resolution:
Change the various values on the Target Application's Script Processor tab as needed.
Additional Information:
A good technique for troubleshooting password verification and update issues is to log in to the server in question as the account that performs the password changes or verification. Enter the command that PAM would use to make the changes and go through the dialogue to change a password. It is not actually necessary to change the password: press Control-C once the prompt to verify the new password is displayed.