This section describes items you should consider when using UNAB.
Valid on Linux
Symptom:
When I log in to a Linux host using an SSH client, the home directory for my account is not created when SELinux is enabled.
Solution:
The home directory is not created when attempting to log in using an SSH client. To work around this problem, do the following:
/etc/pam.d/
session required pam_makehomedir.so
Valid on Red Hat Linux
Symptom:
When asked to change my password, I cannot continue to work on the host after the password change process completes. The problem occurs when I log in using an SSH client or Telnet.
Solution:
To overcome the problem, change the account password, log out of the host, and log in with the new password.
After fully migrating user accounts to Active Directory, you can disable the local UNIX account by adding an asterisk (*) at the beginning of the account entry in the /etc/passwd file.
To avoid performance issues in UNAB, do not set the unab_refresh_interval token to a short interval.
Valid for SSO mode
Unless required, we recommend that you do not set the Kerberos dns_lookup_realm value to true. When set to true, Kerberos initiates unnecessary DNS searches that can result in a substantial slowdown of UNAB login processing.
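One way to check a host for this setting, as an added example that is not part of the original CA documentation: the functions below read a krb5.conf-style file and report whether dns_lookup_realm is enabled in [libdefaults]. The function names, the sample file and the accepted boolean spellings (MIT Kerberos conventions) are assumptions; the path of the Kerberos configuration file that UNAB uses is not stated on this page, so it is passed in as an argument.

```shell
#!/bin/sh
# Added example: audit a krb5.conf-style file for dns_lookup_realm.

# Constructed sample input (not taken from a real host).
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    # dns_lookup_realm = false
    dns_lookup_realm = True
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
EOF
}

# Prints "true" if any [libdefaults] assignment enables dns_lookup_realm,
# "false" if it is set but never enabled, "unset" if it does not appear.
# Assumption: MIT Kerberos boolean spellings (y, yes, t, true, 1, on).
krb5_dns_lookup_realm() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[/ {                             # section header
            sec = tolower($0); gsub(/[^a-z_]/, "", sec); next
        }
        sec == "libdefaults" {
            split($0, kv, "=")
            key = kv[1];          gsub(/[ \t]/, "", key)
            val = tolower(kv[2]); gsub(/[ \t\r]/, "", val)
            if (key != "dns_lookup_realm") next
            seen = 1
            if (val ~ /^(y|yes|t|true|1|on)$/) enabled = 1
        }
        END { print (enabled ? "true" : (seen ? "false" : "unset")) }
    ' "$1"
}

# Returns 1 with a warning on stderr when DNS realm lookup is enabled.
check_dns_lookup_realm() {
    state=$(krb5_dns_lookup_realm "$1")
    if [ "$state" = "true" ]; then
        echo "WARN: $1: dns_lookup_realm is enabled" >&2
        return 1
    fi
    echo "OK: $1: dns_lookup_realm is $state"
}
```

Source the file and call check_dns_lookup_realm with the path of the Kerberos configuration file on the endpoint; a non-zero return marks a host to review.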
If UNAB users cannot change their account passwords, verify that the Domain Controller security policy you use does not prohibit users from changing their account passwords.
The sepass utility is integrated with UNAB. The integration lets users change their Active Directory passwords on endpoints on which both CA ControlMinder and UNAB are installed.
To integrate sepass with UNAB:
Note: For more information about seos.ini initialization file tokens, see the Reference Guide.
If you want to log in to UNAB with an Active Directory account that did not previously exist on the local host, follow these steps:
uxconsole -register
uxconsole -activate
You cannot log in to a CA ControlMinder endpoint for UNIX with the 'Administrator' Active Directory user account if UNAB is installed on the endpoint. To work around this problem, you can create a userPrincipalName for this account.
Copyright © 2013 CA Technologies.
All rights reserved.