Troubleshooting Guide › Troubleshooting UNAB › Active Directory User Cannot Log In to UNAB Endpoint

Active Directory User Cannot Log In to UNAB Endpoint

Valid on UNIX

Symptom:

An Active Directory user that has UNIX attributes cannot log in to a UNAB endpoint.

Solution:

To troubleshoot the problem, do the following:

1. Verify that the user's container is one of the following:
   • The container specified in the user_container configuration setting.
   • A sub-container under the container specified in the user_container configuration setting.

     Note: The user_container configuration setting is located in the AD section of the uxauth.ini file.

2. Verify that the user has a UID and a GID in Active Directory.
3. Verify that the user is not suspended.
4. Verify that UNAB is started on the endpoint:
   1. Open a command prompt window on the endpoint.
   2. Run the following command:

      ./uxauthd.sh status
      

      A message informs you of the current status of UNAB.

5. Verify that the endpoint is registered in Active Directory.

   Note: If the endpoint is not registered in Active Directory, use the uxconsole -register utility to register the host.

6. Stop the name or password caching daemon for your OS on the endpoint, as follows:
   1. Stop UNAB:

      ./uxauthd.sh stop
      

   2. Delete the NSS cache database:

      rm -rf /opt/CA/uxauth/etc/nss.db
      

   3. Check if the name or password caching daemon for your OS is running on the endpoint.

      For example, for a Linux or Solaris endpoint, check if the nscd daemon is running. For an HP-UX endpoint, check if the pwgrd daemon is running.

   4. If the name or password caching daemon for your OS is running, kill the process.
   5. Start UNAB:

      ./uxauthd.sh start
      

7. Obtain a Ticket Granting Ticket (TGT) using a different Active Directory user account.

   Run the following command to connect to Active Directory using the Administrator account:

   ./uxconsole -krb -init Administrator
   

   Note: You can obtain a TGT using the agent keytab, for example:

   ./uxconsole -krb -init -k
   

8. Resolve the Active Directory user account directly:
   • Run the following search:

     ./uxconsole -ldap -search "(&(objectClass=user)(sAMAccountName=johndoe))"
     

     Check for discrepancies between the expected and actual user account name.

9. Search for the user account in other domains, if applicable.
   • Run the following command:

     ./uxconsole -ldap -search -b DC=unabca,DC=test,DC=co,DC=il "(&(objectClass=user)(objectCategory=person))"
     

10. Verify that the user account UNIX attributes are identical on the Active Directory and UNIX.