Currently, to reset a password for Solaris TPAM sends the command "passwd \$user" which works fine for a standalone box, but enterprise deployment of Solaris servers typically run other services like LDAP which can cause problems if "passwd" is not specifically told to only look at files. There are several ways to achieve this: one way is to modify the server's nsswitch.conf file to only look at files, but this will create issues for non-functional accounts - so the preferred method would be for PAR/TPAM to send the command "passwd -r files \$user", i.e. add the '-r files' switch.
解决办法
Enhancement Request 5632 has been released in TPAM version 2.5.909.