This article is based on the discussion "Unable to change password on LocalDB user, when added to AuthProfile" by @TorokAdam and answered by @kiwi. Read on to see the discussion and solution!
Using PAN-OS 10.2.2 on a PA-440.
I have created a few LocalDB users and added them to a group. Then I've created an authentication profile and added this group to the allow list (also tried with "all"). Since these local users are also the FW-administrators, I've created the same users under Device/Administrators and linked the appropriate Authentication Profile to them.
After this, the administrators are unable to change their passwords on the Device/Local users page with the error message:
"Admin user "USERNAME" is defined with authentication profile, cannot set password".
The same error message pops up when I try to change the password in the CLI. I am unable to change the Auth Profile to none on the Administrator page with the same error message.
The workaround is to create the user, change the password, and then add it to the Auth Profile.
I have the same setup working on another PA-440 but with PAN-OS 10.1.x.
Could you guys advise? I haven't found this on the support portal under 10.2.2 known issues.
This behavior isn't there on PAN-OS 10.1 but starts popping up on PAN-OS 10.2.x.
TAC recognized the behavior and a fix is coming in an upcoming release.
NOTE: At the moment of writing this, PAN-OS 10.2.3 is the recommended release for 10.2.x and it's still showing the same behavior.