This section describes known issues for UNAB.
Symptom:
After I upgraded UNAB from 12.6, 12.6.1, or 12.6.2 to 12.8, the one-way trust functionality did not work.
Solution:
To resolve this issue, you must register UNAB with the one-way trust domain after you upgrade to 12.8.
Symptom:
The UNAB agent (uxauthd) lost connection to the trusted domain after I configured the domain security policy Kerberos service ticket lifetime to expire before the user ticket expires.
Solution:
Set the tgt_renew_lifetime token value in uxauth.ini to less than the Kerberos service ticket maximum lifetime.
Valid on HP-UX IA64
To change a password, Active Directory users are prompted for and must provide the current password twice instead of once.
Valid on AIX
Symptom:
When I try to log in to an AIX UNIX host using SSH as a mapped user, the failed attempt is not logged by uxaudit.
Solution:
Seaudit does not log the first failed login attempt of a mapped user if the user entered an incorrect password. Subsequent login attempts are logged by uxaudit.
Valid on HP-UX
In Active Directory, I selected the "User must change password at next login" option. When users log in using SSH or Telnet, they cannot log in or change the password.
Valid on Red Hat Linux 5.0 and up
Symptom:
I installed UNAB and CA ControlMinder on a Red Hat Linux host and configured the PAM configuration files to use the "value=action" syntax in the control field. When I attempt to log in to the Linux host, the login is denied.
Solution:
UNAB does not support the "value=action" syntax of the control field in the PAM configuration files.
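As an added example that is not part of the UNAB documentation, the following POSIX shell script scans a PAM configuration file for the bracketed "[value=action]" control-field syntax that UNAB does not support and reports the offending lines, so they can be rewritten with the classic control keywords before UNAB is deployed on the host. It also maps the four bracket forms that the pam.conf(5) manual page documents as equivalent to required, requisite, sufficient and optional. The sample PAM file the script writes is constructed for this demonstration and is not a real UNAB or system file; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the UNAB documentation): find PAM control fields
# written in the "[value=action ...]" syntax, which UNAB does not support.

# Match a control field that starts with "[" in either the /etc/pam.d/<service>
# layout (type control module ...) or the single-file /etc/pam.conf layout
# (service type control module ...). Comment lines never match.
PAM_BRACKET_CONTROL_RE='^[[:space:]]*([^#[:space:]]+[[:space:]]+)?-?(auth|account|password|session)[[:space:]]+\['

# Print each offending line of the given file, prefixed with its line number.
find_value_action_controls() {
    grep -nE "$PAM_BRACKET_CONTROL_RE" "$1"
}

# Print the number of offending lines (0 when the file is clean).
# grep -c exits 1 when nothing matches; that is a clean result, not an error.
count_value_action_controls() {
    grep -cE "$PAM_BRACKET_CONTROL_RE" "$1" || true
}

# Map the bracket forms that pam.conf(5) lists as equivalent to the classic
# keywords. The match is on the exact string (single spaces, this key order);
# any other bracket form has no keyword equivalent and must be reviewed by hand.
classic_keyword_for() {
    case "$1" in
        '[success=ok new_authtok_reqd=ok ignore=ignore default=bad]') echo required ;;
        '[success=ok new_authtok_reqd=ok ignore=ignore default=die]') echo requisite ;;
        '[success=done new_authtok_reqd=done default=ignore]')        echo sufficient ;;
        '[success=ok new_authtok_reqd=ok default=ignore]')            echo optional ;;
        *) echo no-direct-equivalent ;;
    esac
}

# Write a constructed sample PAM service file (pam.d layout) to the given path.
# Two of its five entries use the unsupported bracket syntax.
write_sample_pam_config() {
    cat > "$1" <<'EOF'
# Constructed sample for the demo: not a real UNAB or system PAM file
auth    required    pam_env.so
auth    [success=done new_authtok_reqd=done default=ignore]    pam_unix.so
auth    requisite   pam_deny.so
account [default=bad success=ok user_unknown=ignore]    pam_unix.so
session optional    pam_keyinit.so revoke
EOF
}

# Stand-alone demo: scan the constructed sample and suggest keyword replacements.
demo() {
    sample=$(mktemp)
    write_sample_pam_config "$sample"
    echo "Unsupported [value=action] control fields: $(count_value_action_controls "$sample")"
    find_value_action_controls "$sample" | while IFS= read -r hit; do
        # Extract the bracketed control field from the reported line.
        bracket=$(printf '%s\n' "$hit" | sed -n 's/^[^[]*\(\[[^]]*\]\).*$/\1/p')
        echo "  $hit"
        echo "    -> classic keyword: $(classic_keyword_for "$bracket")"
    done
    rm -f "$sample"
}

demo
```

Run the script on a real host against each file under /etc/pam.d (or /etc/pam.conf) before registering UNAB; a non-zero count means the PAM stack must be rewritten with the classic keywords, and entries reported as no-direct-equivalent need a manual decision because their success and failure semantics cannot be expressed with a single keyword.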
After you unregister UNAB from Active Directory in a one-way trust domain environment, user ID details from the one-way trusted domain are still displayed even though they should not appear.
Symptom:
I tried to log in to an AIX 5.3 endpoint using SSH, however the login attempt failed.
Solution:
This error is a known IBM issue with several combinations of AIX and SSH versions. The issue has been logged with IBM development as APAR (Authorized Program Analysis Report) number IV10231.
Symptom:
When I set the watchdog_enabled token to no and restart UNAB, uxauthd still starts.
Solution:
The watchdog script ignores changes made to the watchdog_enabled token after uxauthd has started for the first time. We recommend that you specify -n during the registration process, change the token, and then start the uxauthd.sh script separately.
Symptom:
When I log in to UNAB and my user account is present in the local password file and the Active Directory, the audit log shows the following record:
<audit_record_date_and_time> A LOGIN map3
Solution:
This is a known issue with UNAB. The audit log records A LOGIN instead of P LOGIN.
Valid on Linux
If you use rlogin to log in to a host that has UNAB installed, the login attempt appears twice in the audit.
Valid on Windows Server 2003 SP1, Windows Server 2003 64 Bit
LDAP queries fail to return Active Directory results for extended searches that use LDAP_MATCHING_RULE_IN_CHAIN.
To work around this issue, install the latest service pack for Microsoft Windows Server 2003, or disable the UNAB group update during login by setting the wingrp_update_login token to no.
Note: For more information, see Microsoft Knowledge Base article 914828.
The uxpreinstall utility fails to verify host name resolution after you install UNAB and before you register with Active Directory.
To work around this problem, use the -d argument to specify the Active Directory domain name. For example:
./uxpreinstall -d domain_name
Valid on Linux, HP-UX
The UNAB audit records do not display the telnet and rlogin login programs. On Linux, the UNAB audit records show "remote" instead of telnet or rlogin. On HP-UX, the UNAB audit records show "login" instead of telnet or rlogin.
If you register and then deregister a UNAB host in Active Directory, we recommend that after registering the host you wait for domain controller replication to complete before you deregister the host.
Note: If you deregister a UNAB host, policies that were not distributed are deleted.
Valid for SSH
If you create a user in Active Directory and the new user immediately tries to log in to a UNAB endpoint, the first login attempt fails but subsequent login attempts succeed. The first login attempt fails because the user is not known to the endpoint. However, during the failed login process, uxauthd updates the local NSS storage with the user information. Subsequent login attempts succeed because the user is now known to the endpoint.
By default, uxauthd updates the user information in the NSS storage every hour. If the new user tries to log in to the endpoint after uxauthd updates the NSS storage, the login succeeds.
Several login services bypass PAM on SSO login. The login policy is not applied and audit events are not generated.
Valid for Linux, AIX, HP-UX
A limitation in the UNIX PAM flow causes a successful login to a UNAB host to be logged in the syslog file as an error message indicating that account authentication failed.
Valid on AIX 5.3
A password mismatch error message appears when a mapped user attempts to change an account password using sepass. Regardless of the error message, the account password is changed on Active Directory.
Due to Sun Solaris password limitations, users who log in to the UNIX host with an Active Directory account cannot change their account password using the Solaris passwd tool. If the user must change the account password on the first login, the user must log in from a system other than Solaris.
If UNAB is running on the UNIX host, use the following command to change the local account password:
passwd -r files username
If CA ControlMinder is running on the UNIX host, use the sepass utility to change the local account password.
If you impersonate an Active Directory user using su, the impersonation attempt is not audited.
The audit records of login sessions made using the sftp program can display the sshd daemon in the program field instead of the sftp program.
UNAB events are displayed in the Windows Event Viewer with blank fields.
Valid for Solaris
Kerberized FTP and telnet programs bypass the PAM stack; therefore, UNAB does not audit FTP and telnet SSO logins of enterprise users.
When you deregister a UNAB host that was previously registered with SSO enabled, the computer object is removed from Active Directory, but the corresponding records are not deleted from the keytab file. If you attempt to register the UNAB host again, the Kerberos ticket is not created.
To avoid this problem, we recommend that you do not deregister UNAB hosts, or that you remove the keytab file if it is used only by UNAB hosts.
Valid on HP-UX
Due to an HP-UX limitation, do not use the @ symbol in passwords on HP-UX endpoints.
Valid on HP-UX
You cannot log in to an HP-UX host with a fully qualified domain name, for example: user@domain.
Copyright © 2013 CA Technologies.
All rights reserved.