Verification of my solaris account ends with "PAM-CM-1349: A problem occurred while executing the script processor. Please try your request again or contact your Administrator."

Document ID : KB000114286
Last Modified Date : 14/09/2018
Issue:
We have a 3.1.2 CA PAM appliance and we have defined a Solaris 2.10 endpoint. Then we have created the corresponding UNIX application and we have defined a Script Processor of type Solaris.

Next a target account has been created to use the application just created. The account has been defined as a privileged account which can change its own password.

The account can log in normally into the Solaris box and it can for sure change its password. However, when we try to save the account, it never completes and a message is displayed
PAM-CM-1349 error

and of course the account is not verified.
Environment:
CA PAM 3.1.X and 3.2.X and above
Cause:
This error is rather generic and in most cases it needs to be troubleshot by setting the Tomcat log level to debug and determining what happens to the flow of commands received and sent to the Solaris machine.

However, one particular situation causes this problem. To verify a successful login to a UNIX box, PAM uses an echo command that returns the last return code obtained upon login to the system. This is usually

echo $?

and it should return just 0. If it does not, PAM will consider the login sequence faulty.

This command is represented by the following entry in the Script Processor window under the UNIX application definition we use to log in to this server
 
Default script
But unfortunately if the shell environment for the user using this application is /bin/csh, this command is not understood, and this will result in the verification failing.



 
Resolution:
It is necessary to use the equivalent command for the csh shell in order to retrieve the correct return code upon logon. In the case of /bin/csh, the Exit Status of Last Command must be set to $status, that is
 
Corrected status
This will only work for versions 3.1.X and later, since in previous versions there is no "Exit Status of Last Command" field to define.
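
A pre-check along these lines, run against the target account's passwd entry before saving the account in PAM, shows which exit-status expression its login shell understands. This is an added example, not CA PAM code: the account names and passwd entries are constructed, and treating tcsh like csh and an empty shell field as /bin/sh are assumptions beyond what this article states.

```shell
#!/bin/sh
# Added example (not CA PAM code): choose the exit-status expression for a
# target account from its passwd entry.

# Print the login shell (7th field) of a passwd-format line.
# Assumption: an empty field means the system default shell, taken as /bin/sh.
login_shell_of() {
    shell=$(printf '%s\n' "$1" | awk -F: '{ print $7 }')
    [ -n "$shell" ] || shell=/bin/sh
    printf '%s\n' "$shell"
}

# Print the expression that holds the last exit status in the given shell.
exit_status_expr() {
    case "${1##*/}" in
        csh|tcsh) printf '%s\n' '$status' ;;   # csh family (tcsh is an assumption)
        *)        printf '%s\n' '$?' ;;        # sh, ksh, bash: Bourne-style shells
    esac
}

# Constructed sample entries; on a real host use: getent passwd <account>
SAMPLE_PASSWD='svcpam:x:1001:10:PAM target:/export/home/svcpam:/bin/csh
oracle:x:1002:10:Oracle:/export/home/oracle:/usr/bin/ksh
legacy:x:1003:10:No shell set:/export/home/legacy:'

# One line per account: name, login shell, exit-status expression.
report() {
    printf '%s\n' "$SAMPLE_PASSWD" | while IFS= read -r entry; do
        user=${entry%%:*}
        shell=$(login_shell_of "$entry")
        printf '%s %s %s\n' "$user" "$shell" "$(exit_status_expr "$shell")"
    done
}

report
```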
Additional Information:
https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/reference/credential-manager-target-connector-settings/unix-target-connector