Hello everyone,
We're experiencing a situation in our environment where PSafe appears to be failing to execute or executing pwdadm commands incorrectly on AIX servers.
At the beginning of the operation, we noticed that all credentials whose password PSafe rotated prompted the user for a new password change.
This is due to AIX adding the ADMCHG flag to the credential after the password is rotated.
To avoid this, the original password rotation workflow included the command pwdadm -f NOCHECK <<ManAcctName>>.
Even with this command in the workflow, the credential remained with ADMCHG and the NOCHECK flag was not added.
So, we changed the command to pwdadm -c <<ManAcctName>> and added two more consecutive executions.
After this change, the password rotations no longer prompted the user to change the password at the next login, and the ADMCHG flag was removed.
However, an AIX server in our environment doesn't log the execution of pwdadm -c even after three consecutive runs.
We enabled audit mode on this server, and only the execution of the passwd command is recorded in the log.
I ran the password change using Check Password Results in Configurations > Privileged Access Management > Custom Platforms > Check/Change Password, and there I can see all of PSafe's interactions with the server.
The command executes, and PSafe considers it successful, but in the three runs of pwdadm -c, it appears to send the command without waiting for the prompt.
And with this behavior, the server ignores and doesn't log the command execution.
Has anyone else with AIX servers experienced similar behavior?
Is there anything that can be done in the Change Password workflow to prevent this from happening without waiting for the prompt? Our workflow is configured to wait for a response each time a command is executed, such as a PROMPT or a request for a new password, and the problem is only occurring when executing pwdadm.
Thanks,
Rudolf.
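An added verification step, not part of Rudolf's post and not PSafe or AIX code: after a rotation, a workflow or audit script can confirm that the ADMCHG flag really was cleared by reading the account's password flags with lsuser rather than trusting the exit status of pwdadm. The helper assumes the documented "user flags=FLAG1,FLAG2" output format of "lsuser -a flags <user>" (an empty "flags=" when no password flags are set); the sample lines below are constructed, not captured from a real server, and the user name svc_app is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): check whether an AIX account still
# carries the ADMCHG flag after a password rotation, so a rotation that silently
# skipped "pwdadm -c" is caught before the user is forced to change the password.

# flag_set LINE FLAG -> exit 0 if FLAG appears in the "flags=" list of LINE.
# LINE is one line of "lsuser -a flags <user>" output, e.g. "svc_app flags=ADMCHG".
flag_set() {
    _line=$1
    _flag=$2
    case "$_line" in
        *flags=*) ;;
        *) return 1 ;;               # not an lsuser flags line at all
    esac
    _flags=${_line#*flags=}          # strip the "<user> flags=" prefix
    case ",$_flags," in
        *",$_flag,"*) return 0 ;;    # exact token match in the comma list
        *) return 1 ;;
    esac
}

# rotation_ok LINE -> exit 0 when the account will NOT be prompted at next login
# (no ADMCHG), 1 when ADMCHG is still set.
rotation_ok() {
    if flag_set "$1" ADMCHG; then
        return 1
    fi
    return 0
}

# check_user USER -> runs the real lsuser on the server (assumption: executed
# on AIX with permission to read user attributes) and reports the result.
check_user() {
    _out=$(lsuser -a flags "$1") || return 2
    if rotation_ok "$_out"; then
        echo "$1: ADMCHG cleared"
        return 0
    fi
    echo "$1: ADMCHG still set, user will be forced to change password at next login"
    return 1
}

# Constructed sample output (not from a real server) to exercise the parser.
SAMPLE_STALE="svc_app flags=ADMCHG"
SAMPLE_CLEAN="svc_app flags="
SAMPLE_MULTI="svc_app flags=ADMIN,ADMCHG,NOCHECK"

for _s in "$SAMPLE_STALE" "$SAMPLE_CLEAN" "$SAMPLE_MULTI"; do
    if rotation_ok "$_s"; then
        echo "OK    : $_s"
    else
        echo "STALE : $_s"
    fi
done
```

In a PSafe custom platform, a post-change step that runs lsuser on the rotated account and fails the rotation when ADMCHG is still present would have flagged the server described above, where pwdadm -c was sent but never executed, instead of marking the change as successful.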