

UNAB Considerations

This section describes items you should consider when using UNAB.

Home Directory Not Created on Log In When SELinux is Enabled

Valid on Linux

Symptom:

When I log in to a Linux host using an SSH client, the home directory for my account is not created when SELinux is enabled.

Solution:

The home directory is not created when attempting to log in using an SSH client. To work around this problem, do the following:

  1. Open the password-auth file. This file is located in the following directory by default:
    /etc/pam.d/
    
  2. Locate the session section.
  3. Add the following line before the pam_uxauth section:
    session required pam_makehomedir.so
    
  4. Save and close the file.
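
One way to verify the edit, as an added example that is not part of the original documentation: the Python check below parses a PAM file's session entries and reports whether the pam_makehomedir.so line is present, marked required, and placed ahead of the first pam_uxauth entry. The sample file contents are constructed, and the pam_uxauth.so file name, its control flag and the neighbouring entries are assumptions.

```python
import os
import re

# Constructed sample of a password-auth file after the edit. The pam_uxauth.so
# file name, its control flag and the neighbouring entries are assumptions.
SAMPLE_FIXED = """\
#%PAM-1.0
auth     required  pam_env.so
session  required  pam_limits.so
session  required  pam_makehomedir.so
session  optional  pam_uxauth.so
session  [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session  required  pam_unix.so
"""
# Same file with the new line placed after pam_uxauth (constructed).
SAMPLE_WRONG_ORDER = SAMPLE_FIXED.replace(
    "session  required  pam_makehomedir.so\nsession  optional  pam_uxauth.so\n",
    "session  optional  pam_uxauth.so\nsession  required  pam_makehomedir.so\n")

# type, control (simple word or [bracketed list]), module path
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def session_stack(text):
    """Return (control, module file name) for each session entry, in order."""
    stack = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.split("#", 1)[0].strip())  # drop comments
        if m and m.group(1) == "session":
            stack.append((m.group(2), os.path.basename(m.group(3))))
    return stack

def check_homedir_entry(text, module="pam_makehomedir.so", before="pam_uxauth"):
    """Classify as ok / missing / not-required / no-uxauth / wrong-order."""
    stack = session_stack(text)
    mine = [i for i, (_, mod) in enumerate(stack) if mod == module]
    ux = [i for i, (_, mod) in enumerate(stack) if mod.startswith(before)]
    if not mine:
        return "missing"
    if stack[mine[0]][0] != "required":
        return "not-required"
    if not ux:
        return "no-uxauth"
    return "ok" if mine[0] < ux[0] else "wrong-order"

if __name__ == "__main__":
    for name, text in (("fixed", SAMPLE_FIXED), ("wrong order", SAMPLE_WRONG_ORDER)):
        print(name, "->", check_homedir_entry(text))
```

To check a real host, pass the contents of the password-auth file to check_homedir_entry instead of the sample strings.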

Change Password Attempt Fails on Red Hat Linux

Valid on Red Hat Linux

Symptom:

When asked to change my password, I cannot continue to work on the host after the password change process is completed. The problem occurs when I log in using an SSH client or Telnet.

Solution:

To overcome the problem, change the account password, log out of the host, and log in with the new password.

Disable Local User Account After Migration

After fully migrating user accounts to Active Directory, you can disable the local UNIX account by adding an asterisk (*) at the beginning of the account entry in the /etc/passwd file.

Do Not Set the unab_refresh_interval Token Value to a Short Interval

To avoid performance issues in UNAB, do not set the unab_refresh_interval token to a short interval.

Do Not Set Kerberos dns_lookup_realm to True

Valid for SSO mode

We recommend that you do not set the Kerberos dns_lookup_realm value to true unless required. When set to true, Kerberos initiates unnecessary DNS searches that can substantially slow down UNAB login processing.

UNAB Users Cannot Change Account Password According to Specified Password Policy

If UNAB users cannot change their account passwords, verify that the Domain Controller security policy you use does not prohibit users from changing their account passwords.

sepass Integration with UNAB Endpoints

The sepass utility is integrated with UNAB. The integration lets users change their Active Directory passwords on endpoints on which both CA ControlMinder and UNAB are installed.

To integrate sepass with UNAB:

Note: For more information about seos.ini initialization file tokens, see the Reference Guide.

Log In to UNAB with Active Directory Account

If you want to log in to UNAB with an Active Directory account that did not previously exist on the local host, follow these steps:

  1. Register the UNAB host with Active Directory as follows:
    uxconsole -register
    
  2. Activate UNAB as follows:
    uxconsole -activate
    
  3. Create a UNAB login authorization (login policy) or local login policy (users.allow, users.deny, groups.allow, groups.deny) to enable Active Directory users to log in.

You Cannot Log In to CA ControlMinder for UNIX Using 'Administrator' Account When UNAB Is Installed

You cannot log in to a CA ControlMinder endpoint for UNIX with the 'Administrator' Active Directory user account if UNAB is installed on the endpoint. To work around this problem, you can create a userPrincipalName for this account.