When UNAB is running, user authentication is sporadically failing. Users are authorized at the group level, and when `uxconsole -manage -show -detail -user unabuser` is run, some of the user's groups are missing. After restarting UNAB, sometimes multiple times, the groups are listed again.
Unix Authentication Broker 12.8 sp1 and above
The inconsistent behavior indicates that there is an environmental issue causing UNAB to get different results when querying Active Directory. This was confirmed by using uxconsole to run LDAP queries to each of the domain controllers UNAB communicates with. On one of the DCs in the environment, the LDAP query could not find the specified group.
Sample output:
# uxconsole -krb -init -k > /dev/null
# cn=Sample-UNAB-Group
# uxconsole -ldap -search -d DomainController04 \(cn=$cn\)
CA ControlMinder UNAB uxconsole v12.81.0.3888 - console utility
Copyright (c) 2013 CA. All rights reserved.
Processing references ...
dn: ldap://fake.company.com/DC=fake,DC=company,DC=com
dn: ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
dn: ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
No such entries
In order to stabilize UNAB performance while the issue with the domain controller is reviewed, modify uxauth.ini and add the problem domain controller to the ignore_dc_list list. After making the modification, restart UNAB for the changes to take effect.
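The per-DC check described above, scripted so every domain controller UNAB talks to receives the same query and the DCs that cannot resolve the group are listed. This is an added example, not part of the original article: the DC hostnames are placeholders, the UXCONSOLE override exists only so the logic can be exercised against a stub, and the output line matched ("No such entries") is the one shown in the sample output.

```shell
#!/bin/sh
# Added example (not from the article): run the article's LDAP search against
# every DC for one group and report the DCs that cannot find it.
# Assumes uxconsole is on PATH; UXCONSOLE may name a stub for offline testing.
UXCONSOLE="${UXCONSOLE:-uxconsole}"

# Run the same search the article shows against one DC; print the raw output.
query_dc() {
    dc="$1"; cn="$2"
    "$UXCONSOLE" -ldap -search -d "$dc" "(cn=$cn)" 2>&1
}

# Return 0 when the output indicates the group was not found on that DC.
# uxconsole prints "No such entries" after the referral lines in that case.
group_missing() {
    printf '%s\n' "$1" | grep -q '^No such entries'
}

# Check a list of DCs for one group and print, one per line, the DCs that
# fail to resolve it: these are the candidates for ignore_dc_list in uxauth.ini.
find_bad_dcs() {
    cn="$1"; shift
    for dc in "$@"; do
        out=$(query_dc "$dc" "$cn")
        if group_missing "$out"; then
            printf '%s\n' "$dc"
        fi
    done
}

# Usage: ./check_dcs.sh --run DomainController01 DomainController04 ...
# A Kerberos ticket is obtained first, as in the article's session.
if [ "${1:-}" = "--run" ]; then
    shift
    "$UXCONSOLE" -krb -init -k > /dev/null
    find_bad_dcs "Sample-UNAB-Group" "$@"
fi
```

Any DC printed by the script is the one to add to ignore_dc_list in uxauth.ini before restarting UNAB, while the DC itself is investigated.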
For more information on the uxconsole ldap command: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager-server-control/14-1/reference/utilities/uxconsole-utility-manage-unix-authentication-broker-endpoints/uxconsole-ldap-perform-ldap-queries-in-active-directory.html
For more information about the ignore_dc_list token in uxauth.ini: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager-server-control/14-1/reference/configuration-files/the-uxauth-ini-file/ad.html