This section describes known issues for UNAB.
The UNAB registration command returns an incorrect Active Directory server name if the Active Directory server is a member of a forest.
To work around this issue, run the uxconsole -register command with the -t site argument and specify the Active Directory site that contains the DCs that UNAB uses to communicate with Active Directory.
Valid on Windows Server 2003 SP1, Windows Server 2003 64 Bit
LDAP queries fail to return Active Directory results for extended searches that use LDAP_MATCHING_RULE_IN_CHAIN.
To work around this issue, install the latest service pack for Microsoft Windows 2003 Server, or disable the UNAB group update during login by setting the wingrp_update_login token to no.
Note: For more information, see Microsoft Knowledge Base article 914828.
You cannot use the CA Access Control UNIX Attributes Plug-in to set an empty GECOS attribute to an Active Directory user.
The uxpreinstall utility fails to verify the host name resolution after you install UNAB and before you register with Active Directory.
To work around this problem, use the -d argument to specify the Active Directory domain name. For example:
./uxpreinstall -d domain_name
Valid on AIX
The uxpreinstall utility reports a host name resolution error when /etc/netsvc.conf file does not contain the DNS data source.
The group name in the -manage -group <groupname> command is case sensitive.
During the user migration process, an incorrect conflict message appears reporting a mismatch when a UNIX user that has no GECOS parameters assigned is compared with the corresponding Active Directory user account.
Valid on Linux, HP-UX
The UNAB audit records do not display the telnet and rlogin login programs. On Linux, the UNAB audit records show "remote" instead of telnet or rlogin. On HP-UX, the UNAB audit records show "login" instead of telnet or rlogin.
Valid on AIX 5.3
If the /etc/resolv.conf file does not contain the Active Directory server name, an attempt to register the host with Active Directory results in a core dump.
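The two resolver prerequisites described above (a DNS data source in the AIX /etc/netsvc.conf hosts line, and the Active Directory server entry in /etc/resolv.conf) can be checked before you run uxconsole -register, so that a missing entry is reported instead of producing a resolution error or a core dump. The following script is an added example, not a CA utility or code from this documentation. It assumes the AIX netsvc.conf syntax hosts = local,bind (where bind, or bind4, denotes DNS) and that the server value you pass appears as a whitespace-delimited token on a nameserver, domain, or search line of resolv.conf. The function names and the file paths passed as arguments are hypothetical; the sample files in the usage call are constructed.

```shell
# Added example (not CA code): pre-registration resolver checks for UNAB hosts.

# check_resolv_has VALUE FILE
# Returns 0 when VALUE is a token on a nameserver, domain, or search line of a
# resolv.conf-style file; comment lines are ignored. (Assumption: the AD server
# is referenced by an entry of that form.)
check_resolv_has() {
    awk -v want="$1" '
        /^[[:space:]]*#/ { next }
        $1 == "nameserver" || $1 == "domain" || $1 == "search" {
            for (i = 2; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$2" 2>/dev/null
}

# check_netsvc_dns FILE
# Returns 0 when the "hosts =" line of a netsvc.conf-style file lists bind or
# bind4 (the AIX keywords for DNS lookup); returns 1 if DNS is absent.
check_netsvc_dns() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*hosts[[:space:]]*=/ {
            sub(/^[^=]*=/, "")                       # keep the source list only
            n = split($0, src, /[,[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (src[i] == "bind" || src[i] == "bind4") found = 1
        }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# unab_dns_preflight SERVER [RESOLV_CONF] [NETSVC_CONF]
# Prints one finding per check and returns the number of failed checks.
# The netsvc.conf check only runs when the file exists (AIX).
unab_dns_preflight() {
    server=$1
    resolv=${2:-/etc/resolv.conf}
    netsvc=${3:-/etc/netsvc.conf}
    failed=0
    if check_resolv_has "$server" "$resolv"; then
        echo "OK: $resolv references $server"
    else
        echo "FAIL: $resolv does not reference $server; add it before registering"
        failed=$((failed + 1))
    fi
    if [ -f "$netsvc" ]; then
        if check_netsvc_dns "$netsvc"; then
            echo "OK: $netsvc hosts line includes a DNS (bind) source"
        else
            echo "FAIL: $netsvc hosts line has no DNS source; uxpreinstall will report a resolution error"
            failed=$((failed + 1))
        fi
    fi
    return $failed
}

# Usage on constructed sample files (hypothetical server address 192.0.2.10):
#   printf 'nameserver 192.0.2.10\nsearch example.test\n' > /tmp/resolv.sample
#   printf 'hosts = local, bind\n' > /tmp/netsvc.sample
#   unab_dns_preflight 192.0.2.10 /tmp/resolv.sample /tmp/netsvc.sample
```

A non-zero return value is the count of failed checks, so the script can gate an automated registration step; the output lines are only informational.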
If you register and then deregister a UNAB host in Active Directory, we recommend that after registering the host you wait for domain controller replication to complete before you deregister it.
Note: If you deregister a UNAB host, policies that were not distributed are deleted.
Valid for SSH
If you create a user in Active Directory and the new user immediately tries to log in to a UNAB endpoint, the first login attempt fails but subsequent login attempts succeed. The first login attempt fails because the user is not known to the endpoint. However, during the failed login process, uxauthd updates the local NSS storage with the user information. Subsequent login attempts succeed because the user is now known to the endpoint.
By default, uxauthd updates the user information in the NSS storage every hour. If the new user tries to log in to the endpoint after uxauthd updates the NSS storage, the login succeeds.
Valid on Linux
If you log in to a host that has UNAB installed using rlogin, the login attempt appears in the audit twice.
Several login services bypass PAM on SSO login. The login policy is not applied and audit events are not generated.
Valid for Linux, AIX, HP-UX
A limitation in the UNIX PAM flow causes a successful login to a UNAB host to be logged in the syslog file as an error message indicating that account authentication failed.
Valid on Solaris, Linux, HP-UX
The "Given password does not match OS password" error message appears when you issue the checklogin command for an Active Directory user that is not authorized to log in. This message is displayed instead of the actual login deny message.
Valid on AIX 5.3
A password mismatch error message appears when a mapped user attempts to change an account password using sepass. Regardless of the error message, the account password is changed on Active Directory.
Due to Sun Solaris password limitations, users who log in to the UNIX host with an Active Directory account cannot change their account password using the Solaris passwd tool. If the user must change the account password on the first login, the user must log in from a system other than Solaris.
If UNAB is running on the UNIX host, use the following command to change the local account password:
passwd -r files username
If CA Access Control is running on the UNIX host, use the sepass utility to change the local account password.
If you impersonate an Active Directory user using su, the impersonation attempt is not audited.
The audit records of login sessions made using the sftp program can display the sshd daemon in the program field instead of the sftp program.
UNAB events are displayed in the Windows Event Viewer with blank fields.
Valid for Solaris
Kerberized FTP and telnet programs bypass the PAM stack and therefore, UNAB does not audit FTP and telnet SSO logins of enterprise users.
Valid on Linux SuSE
If you implement UNAB in full integration mode on a Linux SuSE endpoint, and a domain user uses rlogin to log in to the endpoint, UNAB creates two audit records for the same login event.
When you deregister a UNAB host that was previously registered with SSO enabled, the computer object is removed from Active Directory, but the corresponding records are not deleted from the keytab file. If you attempt to register the UNAB host again, the Kerberos ticket is not created.
To overcome this problem, we recommend that you do not deregister UNAB hosts, or that you remove the keytab file if it is used only by UNAB hosts.
Valid on HP-UX
Due to an HP-UX limitation, do not use the @ symbol in passwords on HP-UX endpoints.
Valid on HP-UX
You cannot log in to an HP-UX host with a fully qualified domain name, for example: user@domain.
Copyright © 2012 CA. All rights reserved.