

Active Directory User Cannot Log In to UNAB Endpoint

Valid on UNIX

Symptom:

An Active Directory user that has UNIX attributes cannot log in to a UNAB endpoint.

Solution:

To troubleshoot the problem, do the following:

  1. Verify that the user's container is one of the following:
  2. Verify that the user has a UID and a GID in Active Directory.
  3. Verify that the user is not suspended.
  4. Verify that UNAB is started on the endpoint:
    1. Open a command prompt window on the endpoint.
    2. Run the following command:
      ./uxauthd.sh status
      

      A message informs you of the current status of UNAB.

  5. Verify that the endpoint is registered in Active Directory.

    Note: If the endpoint is not registered in Active Directory, use the uxconsole -register utility to register the host.

  6. Stop the name or password caching daemon for your OS on the endpoint, as follows:
    1. Stop UNAB:
      ./uxauthd.sh stop
      
    2. Delete the NSS cache database:
      rm -rf /opt/CA/uxauth/etc/nss.db
      
    3. Check if the name or password caching daemon for your OS is running on the endpoint.

      For example, for a Linux or Solaris endpoint, check if the nscd daemon is running. For an HP-UX endpoint, check if the pwgrd daemon is running.

    4. If the name or password caching daemon for your OS is running, kill the process.
    5. Start UNAB:
      ./uxauthd.sh start
      
  7. Obtain a Ticket Granting Ticket (TGT) using a different Active Directory user account.

    Run the following command to connect to Active Directory using the Administrator account:

    ./uxconsole -krb -init Administrator
    

    Note: You can obtain a TGT using the agent keytab, for example:

    ./uxconsole -krb -init -k
    
  8. Resolve the Active Directory user account directly:
  9. Search for the user account in other domains, if applicable.
  10. Verify that the user account's UNIX attributes are identical in Active Directory and on the UNIX endpoint.
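
Step 6 above, written as one script. This is an added example, not CA's own tooling: the function names, the UNAB_DIR variable and the --run argument are hypothetical, and it assumes a root shell in the directory that holds uxauthd.sh, with `uname -s` reporting Linux, SunOS (Solaris) or HP-UX.

```shell
#!/bin/sh
# Added example: stop UNAB, clear its NSS cache, stop the OS caching daemon, restart UNAB.
# Assumption: run as root from the directory holding uxauthd.sh (the page uses ./uxauthd.sh).
UNAB_DIR="${UNAB_DIR:-.}"            # hypothetical override for that directory
NSS_DB="/opt/CA/uxauth/etc/nss.db"   # path taken from step 6.2

# Map an OS name (uname -s) to the caching daemon the page names for it.
cache_daemon_for() {
    case "$1" in
        Linux|SunOS) echo nscd ;;    # Linux and Solaris
        HP-UX)       echo pwgrd ;;
        *)           return 1 ;;     # unknown OS: caller must check manually
    esac
}

# Print the PIDs whose command name is exactly $1.
# Reads "ps -e" output (PID TTY TIME CMD) on stdin so it can be checked offline.
pids_of() {
    awk -v name="$1" 'NR > 1 && $NF == name { print $1 }'
}

flush_unab_cache() {
    os=$(uname -s)
    daemon=$(cache_daemon_for "$os") || {
        echo "no caching daemon known for $os; check manually" >&2
        daemon=""
    }
    "$UNAB_DIR/uxauthd.sh" stop || return 1          # 6.1
    rm -rf "$NSS_DB"                                 # 6.2
    if [ -n "$daemon" ]; then                        # 6.3 and 6.4
        for pid in $(ps -e | pids_of "$daemon"); do
            echo "stopping $daemon (pid $pid)"
            kill "$pid"
        done
    fi
    "$UNAB_DIR/uxauthd.sh" start                     # 6.5
}

# Only act when explicitly asked; otherwise the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    flush_unab_cache
fi
```

If the caching daemon is managed by an init system that restarts it, stop it through that service manager instead, otherwise stale entries can be cached again before the login is retested.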