This section describes known issues for CA ControlMinder for UNIX.
Symptom:
I'm on a Solaris 8 machine and FTP logins fail for AD users.
530 Login incorrect. Login failed.
The same account credentials work fine for native users.
Solution:
None. The ftpd on Solaris 8 verifies the existence of the account in /etc/shadow and NIS. The FTP implementation on newer Solaris versions does not have this limitation.
Valid on Linux 64-bit Server
Install Ncurses 32-bit before installing CAWIN on Linux 64-bit servers.
Valid on VMware vCenter 4.0 u2
When CA ControlMinder is installed on VMware vCenter version 4.0 u2, the following occurs when the serevu daemon is running:
To work around this issue, do the following:
/etc/pam.d/
account required pam_per_user.so /etc/pam.d/login.map
auth required pam_per_user.so /etc/pam.d/login.map
password required pam_per_user.so /etc/pam.d/login.map
session required pam_per_user.so /etc/pam.d/login.map

password sufficient pam_seos.so
auth optional pam_seos.so
account optional pam_seos.so
session optional pam_seos.so

password sufficient pam_seos.so
auth optional pam_seos.so
account optional pam_seos.so
session optional pam_seos.so
Valid on RedHat Linux Advanced Server 6
On RedHat Linux Advanced Server 6, SSH user logins are not audited by CA ControlMinder because the SELinux default policy does not allow SSHD to access the /proc file system.
To work around this issue, run the /opt/CA/AccessControl/lbin/sshd_policy.sh script to load an SELinux policy module that allows access to /proc.
Valid on Linux
Currently, you cannot configure a JBoss JDBC password consumer on Linux.
Valid on AIX
If the PAM_login flag is not enabled, CA ControlMinder cannot detect the Active Directory user account correctly.
To work around this problem, enable the PAM_login flag in the login program (LOGINAPPL) you set. Verify that the seosd daemon accepts login requests from PAM modules by setting the PamPassUserInfo token to 1 in seos.ini under the [pam_seos] section.
You can use the following command to set the login flags:
er LOGINAPPL SSH loginflags(pamlogin)
Valid for Keyboard Logger
CA ControlMinder does not record user sessions when a user logs in with a shell that is not defined in /etc/shells.
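An added audit check for the keyboard logger limitation above (example code written for this page, not part of CA ControlMinder): it lists accounts whose login shell is not in /etc/shells, because those sessions are not recorded. The function names, the skipping of nologin/false shells, and the sample passwd and shells files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Prints "user:shell" for every account that can
# log in but whose shell is not listed in the shells file.
# usage: unlisted_shell_users PASSWD_FILE SHELLS_FILE
unlisted_shell_users() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the permitted shells, ignoring comments and blank lines.
            while ((getline line < shells) > 0) {
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "" && line !~ /^#/) listed[line] = 1
            }
        }
        /^#/ || NF < 7 { next }                       # not a passwd entry
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"        # passwd(5): empty means /bin/sh
            if (shell ~ /\/(nologin|false)$/) next    # assumption: no interactive session
            if (!(shell in listed)) print $1 ":" shell
        }
    ' "$1"
}

# Constructed sample data (not taken from a real host).
sample_report() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/shells" <<'EOF'
# /etc/shells
/bin/sh
/bin/bash
/bin/ksh
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/ksh
bob:x:1002:1002:Bob:/home/bob:/usr/local/bin/zsh
carol:x:1003:1003:Carol:/home/carol:/opt/tools/menu.sh
dave:x:1004:1004:Dave:/home/dave:
EOF
    unlisted_shell_users "$tmp/passwd" "$tmp/shells"
    rm -rf "$tmp"
}

sample_report
```

On a real endpoint, call `unlisted_shell_users /etc/passwd /etc/shells`; accounts resolved through NIS, LDAP, or Active Directory are not in /etc/passwd and need a separate source.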
When PAM is activated, segrace is not called automatically for a grace login to FTP and SSH services.
To work around this issue on FTP, change the value of the LOGINFLAGS property to nograce in the LOGINAPPL record for the FTP service.
To work around this issue on SSH, do not call segrace from PAM. Instead, call segrace from the user or operating system startup script.
Valid on HPUX and AIX
If UNAB is installed on the CA ControlMinder endpoint, CA ControlMinder PAM does not invoke the 'sepass' utility to reset the account password when the user password grace period expires.
This problem affects login applications that use loginflags(pamlogin), for example, SSH login, rlogin, FTP, and Telnet. SSH login is not recognized as a login action by CA ControlMinder on HPUX and AIX. To work around this problem, use loginflags(none) for SSH login applications.
Run the following command to set the token:
er LOGINAPPL SSH loginflags(none)
CA ControlMinder on Solaris does not bypass network events (bypass type PBN of SPECIALPGM records) for processes that start before CA ControlMinder starts.
File access check on a stat system call with the STAT_intercept token set to “1” is not supported on AIX systems.
Copyright © 2013 CA.
All rights reserved.