UNAB displayed message: Login is denied by login policy.

Article ID: 209954

Products

CA Privileged Access Manager (PAM)

Issue/Introduction


The client is using two users: one Linux local user (also defined in AD) and one AD (Windows) user only.
One shows login ALLOWED and the other shows login DENIED.

Linux secure log after a login attempt by user userx via SSH:
[[email protected] bin]# tail -f /var/log/secure
Mar  3 11:59:07 centos sshd[76288]: pam_unix(etrust-ac:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=userx
Mar  3 11:59:09 centos sshd[76288]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=userx
Mar  3 13:23:50 centos sshd[79227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.17.0.1  user=userx
Mar  3 13:23:50 centos sshd[79227]: UNAB displayed message: Login is denied by login policy.

Below is the uxconsole command output for the two users.

[[email protected] bin]# ./uxconsole -manage -user admin -show -detail
CA Privileged Access Manager Server Control UNAB uxconsole v14.10.0.1494 - console utility
Copyright (c) 2018 CA. All rights reserved.
USER 'admin' information 
----------------------------------------------------
 Type               : Local User
 Login Name         : admin
 Mapped to          : [email protected]
 Enterprise Account : Enabled
 Local Account      : Enabled
 Login              : Allowed
 Login Reason       : User exists locally
 Uid                : 1000
 Gid                : 1000(admin)
 Shell              : /bin/bash
 Home Directory     : /home/admin
 Gecos              : admin
 Unix Groups        : 10(wheel), 1000(admin)
 
[[email protected] bin]# ./uxconsole -manage -user userx -show -detail
CA Privileged Access Manager Server Control UNAB uxconsole v14.10.0.1494 - console utility
Copyright (c) 2018 CA. All rights reserved.
USER 'userx' information 
----------------------------------------------------
 Type               : Enterprise User
 Login Name         : userx
 Principal Name     : [email protected]
 Enterprise Account : Enabled
 Login              : Denied
 Login Reason       : According to internal default
 Uid                : 10535
 Gid                : 10005(unix)
 Shell              : /bin/sh
 Home Directory     : /home/userx
 Unix Groups        : 10005(unix)
 All Groups         : [email protected]
** The user userx and the group unix do not exist on the Linux endpoint.
------------------------------------------------------------------

Cause

UNAB can authenticate the AD user, but authorization is also required before that user can actually log in to that specific Unix machine. The default policy is to deny all users access unless they also exist locally.

In uxauth.ini, see the following setting:

; Defines the host activation level
; Options are:
; 0 - Not registered
; 1 - Registered (login permitted for user defined in local user store)
; 2 - Activated (login is permitted for users defined in local user store
;     or defined either .allow file or in the <unab> login policy)
; Default value: 0
activation = 2
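As an added triage example (not from the article and not part of CA's tooling), the POSIX shell helper below reads the Login and Login Reason fields from uxconsole detail output and the activation level from uxauth.ini, then states which of the activation-level conditions above applies to a denied user. The function names and the sample texts are constructed for this example.

```shell
# Added example, not from the KB article: classify a UNAB login decision from
# "uxconsole -manage -user <name> -show -detail" output plus the activation
# level in uxauth.ini. Sample texts are constructed from the article's output;
# function names are assumptions.

# Constructed uxconsole detail output for the AD-only user.
USERX_DETAIL=' Type               : Enterprise User
 Login Name         : userx
 Enterprise Account : Enabled
 Login              : Denied
 Login Reason       : According to internal default'

# Constructed uxauth.ini fragment; lines starting with ";" are comments.
UXAUTH_INI='; Defines the host activation level
; Default value: 0
activation = 2'

# ux_field <label>: print the value of a "Label : Value" line read from stdin.
ux_field() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# ini_activation: print the uncommented activation level (0, 1 or 2) from stdin.
ini_activation() {
    sed -n 's/^[[:space:]]*activation[[:space:]]*=[[:space:]]*\([0-2]\).*/\1/p' | tail -n 1
}

# unab_diagnose <ini-text> <detail-text>: print one summary line and return
# 0 when UNAB reports Login Allowed, 1 when it reports Denied.
unab_diagnose() {
    act=$(printf '%s\n' "$1" | ini_activation)
    act=${act:-0}   # uxauth.ini documents 0 as the default
    user=$(printf '%s\n' "$2" | ux_field 'Login Name')
    login=$(printf '%s\n' "$2" | ux_field 'Login')
    reason=$(printf '%s\n' "$2" | ux_field 'Login Reason')
    case "$login:$act" in
        Allowed:*) next='none' ;;
        Denied:0)  next='host not registered (activation=0)' ;;
        Denied:1)  next='user must exist in the local user store (activation=1)' ;;
        Denied:2)  next='add user to the .allow file or a UNAB login policy' ;;
        *)         next='unrecognised state' ;;
    esac
    printf 'user=%s login=%s activation=%s reason=%s next=%s\n' \
        "$user" "$login" "$act" "$reason" "$next"
    [ "$login" = Allowed ]
}

# Usage: the denied case from the article (returns 1, hence "|| true").
unab_diagnose "$UXAUTH_INI" "$USERX_DETAIL" || true
```

On a real endpoint, feed it the live files instead of the samples, e.g. `unab_diagnose "$(cat /path/to/uxauth.ini)" "$(./uxconsole -manage -user userx -show -detail)"`.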

Environment

Release : 14.1

Component : MF OPERATIONAL INTELLIGENCE

Resolution

Essentially, the client needs to create login policies in OnePAM to allow AD users with Unix attributes to log in to any Unix machine running UNAB.