We've been seeing an issue in our environment where KBL audits have only been collecting local account login data, even though there are plenty of AD users logging in and out of the system during the period of the observation.

Doing seaudit -kbl -a -sd <date> one can observe local users logging in and starting cmdlog, and logging out as well, but there is no trace about the Active Directory users logging into the system.

What is the reason for this behaviour and how can this be solved ?

UNAB 12.8X, 12.9X and 14.X

This is due to the actual shell binary used by the Active Directory accounts not being listed in the /etc/shells file. If it is not listed there it is not tracked by the seos kernel module resulting in events not being posted in the audit log.

In fact, not only Active Directory users, but ANY users configured to use the shell binary not listed in /etc/shells would not get cmdlog started for them. For instance, assuming the users are using /bin/ksh, if instead of it /etc/shells contains a symbolic link to the actual file (e.g. /bin/ksh ->  /bin/alternative/ksh), the users logging in and having  ksh as shell will experience this issue.