Running uxconsole -register with the -sso option in PAM SC results in coredump

Article ID: 209746

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

Running

uxconsole -register -d <domain> -v 4 -n -sso

generates a core dump, although the registration in AD still takes place (a machine object is created).

The equivalent command without the -sso option does not generate a core dump.

Cause

When uxconsole is run with the -sso option, UNAB tries to create an /etc/krb5.keytab file, which is the standard location for Kerberos files. If /etc/krb5.keytab is corrupted for some reason, the core dump occurs inside the Kerberos code that sets the password on the computer object in AD and updates the keytab file accordingly. Kerberos has to parse the keytab contents in the process, and it tries to report the error by using fprint(), which is what actually causes the core dump. In the log file this is visible because the core dump appears just after the lines stating that the password for the computer in AD is being set. This is also why the computer object is still created in AD.

Environment

CA ControlMinder seversion v12.81.0.3924 - Display module's version 

uxconsole version 12.81.0.3748

Other versions may also give the same error

Resolution

Delete /etc/krb5.keytab and rerun uxconsole
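
The following is an added example, not part of the original article and not CA or Kerberos code: a structural check that can confirm whether /etc/krb5.keytab is damaged before it is deleted. It assumes the MIT keytab file format version 0x0502; the function names are hypothetical and the sample keytab bytes are constructed.

```python
import struct
import sys

def _parse_entry(rec, base):            # one entry -> principal name
    off = 0
    def take(n):
        nonlocal off
        if off + n > len(rec):
            raise ValueError(f"entry at offset {base} is truncated")
        off += n
        return rec[off - n:off]
    def counted():                      # 16-bit length, then that many bytes
        return take(struct.unpack(">H", take(2))[0])
    ncomp = struct.unpack(">H", take(2))[0]
    realm = counted()
    comps = [counted() for _ in range(ncomp)]
    take(4 + 4 + 1 + 2)                 # name type, timestamp, 8-bit kvno, enctype
    counted()                           # key bytes
    return (b"/".join(comps) + b"@" + realm).decode("utf-8", "replace")

def check_keytab(data):
    """Return the principals in a keytab; raise ValueError if it is malformed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("bad header: expected bytes 05 02")
    principals, pos = [], 2
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError(f"truncated record length at offset {pos}")
        size = struct.unpack_from(">i", data, pos)[0]
        if size == 0:                   # zero length marks the end of the entries
            break
        end = pos + 4 + abs(size)
        if end > len(data):
            raise ValueError(f"record at offset {pos} runs past end of file")
        if size > 0:                    # a negative size is a hole (deleted entry)
            principals.append(_parse_entry(data[pos + 4:end], pos))
        pos = end
    return principals

def sample_keytab():
    """Constructed sample: one entry for host/unix01.example.test, all-zero key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"EXAMPLE.TEST") + s(b"host")
            + s(b"unix01.example.test") + struct.pack(">IIBH", 1, 0, 1, 18) + s(bytes(32)))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":              # usage: pass the keytab path as the argument
    with open(sys.argv[1], "rb") as fh:
        print(check_keytab(fh.read()))
```

A ValueError from check_keytab indicates structural damage of the kind described under Cause; the check covers layout only and does not validate the keys themselves.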