This section describes known issues for UNAB.
Fixed an issue with UNAB that prevented removing a deployed policy from a Red Hat Linux endpoint from CA Access Control Enterprise Management.
Symptom:
I tried to log in to an AIX 5.3 endpoint using SSH; however, the login attempt failed.
Solution:
This error is a known IBM issue that affects several combinations of AIX and SSH versions. The issue has been logged with IBM development as APAR (Authorized Program Analysis Report) number IV10231.
Symptom:
When I set the token watchdog_enabled to no and restart UNAB, uxauth starts.
Solution:
The watchdog script ignores changes made to the watchdog_enabled token after uxauth has started for the first time. We recommend that you specify -n during the registration process, change the token, and then start the uxauthd.sh script separately.
Symptom:
When I log in to UNAB and my user account is present in both the local password file and Active Directory, the audit log shows the following record:
<audit_record_date_and_time> A LOGIN map3
Solution:
This is a known issue with UNAB. The audit log records A LOGIN instead of P LOGIN.
Valid on Linux
If you log in to a host that has UNAB installed using rlogin, the login attempt appears twice in the audit log.
Valid on Windows Server 2003 SP1, Windows Server 2003 64 Bit
LDAP queries that use the LDAP_MATCHING_RULE_IN_CHAIN extended match fail to return results from Active Directory.
To work around this issue, install the latest service pack for Microsoft Windows 2003 Server, or disable the UNAB group update during login by setting the wingrp_update_login token to no.
Note: For more information, see Microsoft Knowledge Base article 914828.
The uxpreinstall utility fails to verify the host name resolution after you install UNAB and before you register with Active Directory.
To work around this problem, use the -d argument to specify the Active Directory domain name. For example:
./uxpreinstall -d domain_name
Valid on Linux, HP-UX
The UNAB audit records do not identify the telnet and rlogin login programs. On Linux, the UNAB audit records show "remote" instead of telnet or rlogin. On HP-UX, the UNAB audit records show "login" instead of telnet or rlogin.
If you register and then deregister a UNAB host in Active Directory, we recommend that, after you register the host, you wait long enough for domain controller replication to complete before you deregister the host.
Note: If you deregister a UNAB host, policies that were not distributed are deleted.
Valid for SSH
If you create a user in Active Directory and the new user immediately tries to log in to a UNAB endpoint, the first login attempt fails but subsequent login attempts succeed. The first login attempt fails because the user is not known to the endpoint. However, during the failed login process, uxauthd updates the local NSS storage with the user information. Subsequent login attempts succeed because the user is now known to the endpoint.
By default, uxauthd updates the user information in the NSS storage every hour. If the new user tries to log in to the endpoint after uxauthd updates the NSS storage, the login succeeds.
Several login services bypass PAM on SSO login. As a result, the login policy is not applied and audit events are not generated for those logins.
Valid for Linux, AIX, HP-UX
Because of a limitation in the UNIX PAM flow, a successful login to a UNAB host is logged in the syslog file as an error message indicating that account authentication failed.
Valid on Linux, HP-UX
The "Given password does not match OS password" error message appears when you issue the checklogin command for an Active Directory user who is not authorized to log in. This message is displayed instead of the actual login deny message.
Valid on AIX 5.3
A password mismatch error message appears when a mapped user attempts to change an account password using sepass. Regardless of the error message, the account password is changed on Active Directory.
Because of a Sun Solaris password limitation, users who log in to the UNIX host with an Active Directory account cannot change their account password using the Solaris passwd tool. If a user must change the account password at first login, the user must log in from a system other than Solaris.
If UNAB is running on the UNIX host, use the following command to change the local account password:
passwd -r files username
If CA Access Control is running on the UNIX host, use the sepass utility to change the local account password.
If you impersonate an Active Directory user using su, the impersonation attempt is not audited.
The audit records of login sessions made with the sftp program can show the sshd daemon in the program field instead of the sftp program.
UNAB events are displayed in the Windows Event Viewer with blank fields.
Valid for Solaris
Kerberized FTP and telnet programs bypass the PAM stack, and therefore UNAB does not audit FTP and telnet SSO logins of enterprise users.
When you deregister a UNAB host that was previously registered with SSO enabled, the computer object is removed from Active Directory, but the corresponding records are not deleted from the keytab file. If you attempt to register the UNAB host again, the Kerberos ticket is not created.
To overcome this problem, we recommend that you do not deregister UNAB hosts, or that you remove the keytab file if it is used by UNAB hosts only.
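Before deciding whether the keytab can be removed or the host re-registered, it helps to see which principals the file still holds. The following shell functions are an added example, not part of this document or of UNAB: they read the output of the MIT Kerberos klist -k command (assumed format) and report the entries that belong to a given host and the entries that belong to anything else. The sample klist output, the host names and the keytab path are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output (assumed MIT Kerberos layout:
# header lines, then "KVNO Principal" rows). Not captured from a real host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ---------------------------------------------------------
   3 host/unabhost1.example.com@EXAMPLE.COM
   3 HOST/unabhost1.example.com@EXAMPLE.COM
   2 host/otherhost.example.com@EXAMPLE.COM'

# keytab_entries_for_host HOST
# Reads klist -k output on stdin and prints "KVNO principal" for every
# entry whose principal is of the form service/HOST@REALM (case-insensitive).
# After a deregistration these are the stale entries the text describes.
keytab_entries_for_host() {
    awk -v host="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = tolower($2)
            if (index(p, "/" tolower(host) "@") > 0) print $1, $2
        }'
}

# keytab_other_entries HOST
# Prints the entries that do NOT belong to HOST. If this prints anything,
# the keytab is shared with other principals and should not simply be removed.
keytab_other_entries() {
    awk -v host="$1" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            p = tolower($2)
            if (index(p, "/" tolower(host) "@") == 0) print $1, $2
        }'
}

# Counting helpers (trailing whitespace from wc is stripped for portability).
count_entries_for_host() { keytab_entries_for_host "$1" | wc -l | tr -d ' '; }
count_other_entries()    { keytab_other_entries    "$1" | wc -l | tr -d ' '; }

# Demonstration on the constructed sample.
echo "Entries for unabhost1.example.com:"
printf '%s\n' "$SAMPLE_KLIST" | keytab_entries_for_host unabhost1.example.com
echo "Entries for other principals:"
printf '%s\n' "$SAMPLE_KLIST" | keytab_other_entries unabhost1.example.com
# On a live host (assumed keytab path):
#   klist -k /etc/krb5.keytab | keytab_entries_for_host "$(hostname -f)"
```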
Valid on HP-UX
Due to an HP-UX limitation, do not use the @ symbol in passwords on HP-UX endpoints.
Valid on HP-UX
You cannot log in to an HP-UX host with a fully qualified domain name, for example: user@domain.
Copyright © 2012 CA. All rights reserved.