

UNAB Known Issues

This section describes known issues for UNAB.

One-Way Trust Functionality Fails After UNAB Upgrade

Symptom:

After I upgraded UNAB from 12.6, 12.6.1, or 12.6.2 to 12.8, the one-way trust functionality did not work.

Solution:

To resolve this issue, you must register UNAB with the one-way trust domain after you upgrade to 12.8.

UNAB Agent Lost Connection to Trusted Domain

Symptom:

The UNAB agent (uxauthd) lost connection to the trusted domain after I configured the domain security policy Kerberos service ticket lifetime to expire before the user ticket expires.

Solution:

Set the tgt_renew_lifetime token value in uxauth.ini to less than the Kerberos service ticket maximum lifetime.

AD Users are Prompted Twice for Current Password on HP-UX

Valid on HP-UX IA64

To change a password, Active Directory users are prompted for and must provide the current password twice instead of once.

Failed Login Attempt of Mapped Users to AIX Not Logged

Valid on AIX

Symptom:

When I try to log in to an AIX host using SSH as a mapped user, the failed attempt is not logged by uxaudit.

Solution:

Seaudit does not log the first failed login attempt of a mapped user who entered an incorrect password. Subsequent login attempts are logged by uxaudit.

Password Change at Next Login Fails on HP-UX

Valid on HP-UX

In Active Directory I selected the "User must change password at next login" option. When users log in using SSH or Telnet, they can neither log in nor change the password.

PAM Configuration Changes Block User Login

Valid on Red Hat Linux 5.0 and up

Symptom:

I installed UNAB and CA ControlMinder on a Red Hat Linux host and configured the PAM configuration files to use the "value=action" syntax in the control field. When I attempt to log in to the Linux host, the login is denied.

Solution:

UNAB does not support the "value=action" syntax in the control field of the PAM configuration files. Use the keyword control values (required, requisite, sufficient, optional) instead.
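Before UNAB goes onto a Red Hat host, it is worth locating every PAM stack line that uses the bracketed "value=action" control field and deciding which keyword it can become. The script below is an added example, not part of this page or of CA ControlMinder. It scans a constructed /etc/pam.d-style sample (the modules and options are made up for illustration) and, for each bracketed control field, reports whether it is exactly equivalent to one of the four keywords as defined in pam.conf(5) or has no keyword equivalent and must be rewritten by hand. The comparison treats the bracket as a set, so token order does not matter.

```shell
#!/bin/sh
# Added example: find "[value=action ...]" control fields that UNAB does not
# support and report which PAM keyword (if any) is exactly equivalent.

# Constructed sample stacks in /etc/pam.d format (not real system files; the
# modules and options are illustrative only).
SAMPLE_PAM="$(mktemp)"
CLEAN_PAM="$(mktemp)"
trap 'rm -f "$SAMPLE_PAM" "$CLEAN_PAM"' EXIT
cat > "$SAMPLE_PAM" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        [success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_unix.so nullok
auth        [default=ignore new_authtok_reqd=done success=done]       pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore]               pam_unix.so
password    requisite     pam_cracklib.so try_first_pass retry=3
session     required      pam_limits.so
EOF
cat > "$CLEAN_PAM" <<'EOF'
auth        required      pam_unix.so
account     required      pam_unix.so
EOF

# pam_bracket_report FILE
# For every non-comment line whose control field starts with "[", print
# FILE:LINE: [tokens] -> keyword. Exit 1 if any such line exists, else 0.
pam_bracket_report() {
    awk '
        BEGIN {
            # keyword equivalences as documented in pam.conf(5)
            eq["required"]   = "success=ok new_authtok_reqd=ok ignore=ignore default=bad"
            eq["requisite"]  = "success=ok new_authtok_reqd=ok ignore=ignore default=die"
            eq["sufficient"] = "success=done new_authtok_reqd=done default=ignore"
            eq["optional"]   = "success=ok new_authtok_reqd=ok default=ignore"
        }
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        $2 !~ /^\[/          { next }            # keyword control field: fine
        {
            # the bracket may span several whitespace-separated fields
            ctl = ""
            for (i = 2; i <= NF; i++) { ctl = ctl " " $i; if ($i ~ /\]$/) break }
            sub(/^ *\[/, "", ctl); sub(/\]$/, "", ctl)
            sub(/^[ \t]+/, "", ctl); sub(/[ \t]+$/, "", ctl)
            n = split(ctl, tok, /[ \t]+/)
            split("", have)
            for (k = 1; k <= n; k++) have[tok[k]] = 1
            # compare as a set: token order inside the bracket is irrelevant
            kw = "no exact keyword equivalent, rewrite by hand"
            for (name in eq) {
                m = split(eq[name], want, " ")
                if (m != n) continue
                ok = 1
                for (k = 1; k <= m; k++) if (!(want[k] in have)) { ok = 0; break }
                if (ok) { kw = name; break }
            }
            printf "%s:%d: [%s] -> %s\n", FILENAME, FNR, ctl, kw
            found = 1
        }
        END { if (found) exit 1 }
    ' "$1"
}

# pam_bracket_count FILE -> number of bracketed control fields in FILE
pam_bracket_count() {
    { pam_bracket_report "$1" || :; } | wc -l | tr -d ' '
}

# Demonstration on the constructed sample
pam_bracket_report "$SAMPLE_PAM" ||
    echo "value=action syntax present: UNAB will deny logins through this stack"
```

Run it against the real stacks with `for f in /etc/pam.d/*; do pam_bracket_report "$f"; done`; a non-zero exit status means at least one line uses syntax UNAB rejects. A line reported without an exact equivalent needs a hand-chosen keyword, and that substitution changes the stack's semantics, so test logins (including the failure paths) after the change.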

Incorrect User ID Displayed After Un-registering UNAB in a One-Way Trust Domain Environment

After un-registering UNAB from Active Directory in a one-way trust domain environment, user ID details from the one-way trusted domain are still displayed even though they should not appear.

Trusted User SSH Login Failed on AIX

Symptom:

I tried to log in to an AIX 5.3 endpoint using SSH, however the login attempt failed.

Solution:

This error is a known IBM issue with several combinations of AIX and SSH versions. The issue has been logged with IBM development as APAR (Authorized Program Analysis Report) number IV10231.

uxauthd Starts Even When watchdog_enabled Token is Set to No

Symptom:

When I set the token watchdog_enabled to no and restart UNAB, uxauthd starts.

Solution:

The watchdog script ignores changes made to the watchdog_enabled token after uxauthd has been started for the first time. We recommend that you specify -n during registration, change the token, and then start the uxauthd.sh script separately.

Audit Log Records Login With Local Account Password As Attempt Login

Symptom:

When I log in to UNAB and my user account is present in both the local password file and Active Directory, the audit log shows the following record:

<audit_record_date_and_time> A LOGIN map3

Solution:

This is a known issue with UNAB. The audit log records A LOGIN instead of P LOGIN.

Rlogin Entries Logged Twice

Valid on Linux

If you log in to a host that has UNAB installed using rlogin, the login attempt appears in the audit twice.

Hot Fix for Microsoft Windows Server 2003 to Improve Performance

Valid on Windows Server 2003 SP1, Windows Server 2003 64 Bit

LDAP queries that use the LDAP_MATCHING_RULE_IN_CHAIN extended matching rule fail to return results from Active Directory.

To work around this issue, install the latest service pack for Microsoft Windows Server 2003, or disable the UNAB group update during login by setting the wingrp_update_login token to no.

Note: For more information, see Microsoft Knowledge Base article 914828.

Uxpreinstall Utility Fails to Verify Host Name Resolution

The uxpreinstall utility fails to verify the host name resolution after you install UNAB and before you register with Active Directory.

To work around this problem, use the -d argument to specify the Active Directory domain name. For example:

./uxpreinstall -d domain_name

Telnet and rlogin Programs Not Displayed in Audit Records

Valid on Linux, HP-UX

The UNAB audit records do not display the telnet and rlogin login programs. On Linux, the UNAB audit records show "remote" instead of telnet or rlogin. On HP-UX, the UNAB audit records show "login" instead of telnet or rlogin.

Interval between uxconsole -register and -deregister Commands

If you register and then deregister a UNAB host in Active Directory, we recommend that you wait for domain controller replication to complete after registering the host before you deregister it.

Note: If you deregister a UNAB host, policies that were not distributed are deleted.

New Domain User Login May Fail on First Attempt

Valid for SSH

If you create a user in Active Directory and the new user immediately tries to log in to a UNAB endpoint, the first login attempt fails but subsequent login attempts succeed. The first login attempt fails because the user is not known to the endpoint. However, during the failed login process, uxauthd updates the local NSS storage with the user information. Subsequent login attempts succeed because the user is now known to the endpoint.

By default, uxauthd updates the user information in the NSS storage every hour. If the new user tries to log in to the endpoint after uxauthd updates the NSS storage, the login succeeds.

Login Services Bypass PAM on SSO Login

Several login services bypass PAM on SSO login. The login policy is not applied and audit events are not generated.

Successful Login to Host Generates an Error Message

Valid for Linux, AIX, HP-UX

Because of a limitation in the UNIX PAM flow, a successful login to a UNAB host is logged in the syslog file as an error message indicating that account authentication failed.

Password Mismatch Message When Changing Password Using sepass

Valid on AIX 5.3

A password mismatch error message appears when a mapped user attempts to change an account password using sepass. Regardless of the error message, the account password is changed on Active Directory.

Active Directory User Cannot Change Password on Solaris

Due to Sun Solaris password limitations, users who log in to the UNIX host with an Active Directory account cannot change their account password using the Solaris passwd tool. If the user must change the account password on first login, the user must log in from a system other than Solaris.

If UNAB is running on the UNIX host, use the following command to change the local account password:

passwd -r files username

If CA ControlMinder is running on the UNIX host, use the sepass utility to change the local account password.

Impersonating an Active Directory User Does Not Create Audit Record

If you impersonate an Active Directory user using su, the impersonation attempt is not audited.

sshd Program Name Appears in Audit Records of SFTP Sessions

The audit records of login sessions made with the sftp program can display the sshd daemon in the program field instead of sftp.

UNAB Entries Contain Blank Fields in Event Viewer

UNAB events are displayed in the Windows Event Viewer with blank fields.

FTP SSO Login of Enterprise Users Not Audited

Valid for Solaris

Kerberized FTP and telnet programs bypass the PAM stack; therefore, UNAB does not audit FTP and telnet SSO logins of enterprise users.

Deregistering SSO Enabled UNAB Does Not Delete Records from Keytab File

When you deregister a UNAB host that was previously registered with SSO enabled, the computer object is removed from Active Directory, but the corresponding records are not deleted from the keytab file. If you attempt to register the UNAB host again, the Kerberos ticket is not created.

To overcome this problem, we recommend that you do not deregister UNAB hosts, or that you remove the keytab file if it is used only by UNAB hosts.
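Before registering a previously deregistered host again, it helps to know whether the keytab still carries entries for it. The script below is an added example, not part of this page or of CA ControlMinder. It parses constructed `klist -k -t` output (sample data, not captured from a real host) and reports the entries that belong to a given short host name. It assumes the MIT Kerberos klist output layout and the default keytab path /etc/krb5.keytab, and it looks for the two principal forms a domain-joined host normally has, host/<fqdn> and <NAME>$; the page does not state which principals UNAB writes, so adjust the match if your keytab shows others.

```shell
#!/bin/sh
# Added example: check a keytab for entries left behind by a UNAB host that was
# deregistered with SSO enabled, before trying to register it again.

# Constructed "klist -k -t" output (sample data, not captured from a real host).
# Assumptions: MIT klist layout, default keytab path /etc/krb5.keytab.
SAMPLE_KLIST="$(mktemp)"
trap 'rm -f "$SAMPLE_KLIST"' EXIT
cat > "$SAMPLE_KLIST" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/15/2013 10:22:01 host/unab01.example.com@EXAMPLE.COM
   4 01/15/2013 10:22:01 UNAB01$@EXAMPLE.COM
   2 11/02/2012 08:10:44 host/other02.example.com@EXAMPLE.COM
EOF

# keytab_entries_for_host KLIST_FILE SHORT_HOSTNAME
# Print "KVNO principal" for entries that belong to SHORT_HOSTNAME: the
# host/<fqdn> service principal and the <NAME>$ computer account, compared
# case-insensitively. Header and separator lines (non-numeric KVNO) are skipped.
keytab_entries_for_host() {
    awk -v host="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        $1 ~ /^[0-9]+$/ {
            p = tolower($NF)
            if (index(p, "host/" host ".") == 1 || index(p, host "$@") == 1)
                print $1, $NF
        }
    ' "$1"
}

# keytab_entry_count KLIST_FILE SHORT_HOSTNAME -> number of matching entries
keytab_entry_count() {
    keytab_entries_for_host "$1" "$2" | wc -l | tr -d ' '
}

# On a live host:  klist -k -t /etc/krb5.keytab > /tmp/klist.out
#                  keytab_entry_count /tmp/klist.out "$(hostname -s)"
if [ "$(keytab_entry_count "$SAMPLE_KLIST" unab01)" -gt 0 ]; then
    echo "keytab still holds entries for unab01; registration will not obtain a ticket until they are removed:"
    keytab_entries_for_host "$SAMPLE_KLIST" unab01
fi
```

If the keytab is used only by UNAB, removing the file is the remedy this page gives. If other services share it, delete just the listed slots instead (with MIT ktutil: rkt to read the keytab, list to see slot numbers, delent to remove a slot, wkt to write it back) and re-run the check before registering.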

HP-UX Does Not Support @ Symbol in Passwords

Valid on HP-UX

Due to an HP-UX limitation, do not use the @ symbol in passwords on HP-UX endpoints.

HP-UX Does Not Support Fully Qualified Domain Name Login

Valid on HP-UX

You cannot log in to an HP-UX host with a fully qualified domain name, for example: user@domain.