UNAB fails to retrieve proxy ticket from KDC upon system boot on a Systemd Linux

Article ID: 33252

Updated On:

Products

CA Privileged Access Manager - Server Control (PAMSC)
CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

Issue:

If the Unix Authentication Broker (UNAB) is installed on a systemd-based Linux variant such as Red Hat Enterprise Linux 7, users might experience an issue at system startup where the initial Ticket Granting Ticket (TGT) for the client cannot be obtained from a Windows Domain Controller, i.e. the KDC (Key Distribution Center).
User login via UNAB is not possible until uxauthd is manually restarted or until internal timeouts cause the TGT to be obtained.

Error messages similar to those below may appear in the system log:
...
uxauthd[1032]: Cannot resolve network address for KDC in realm "MYDOM.CA.COM" while getting initial credentials
uxauthd[1032]: Could not retrieve proxy ticket from KDC for domain 'mydom.ca.com', error = -1765328164.
uxauthd[1032]: No active DCs in domain 'mydom.ca.com'.
uxauthd[1032]: No connection to domain 'mydom.ca.com', watcher thread started.
...

Cause:

This issue is caused by the provided legacy SysVinit scripts being executed before network initialization has been completed.
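
To tell this boot-time race apart from a credential or clock problem, the error code in the "Could not retrieve proxy ticket" message can be decoded. The following is an added example, not vendor code: the function names and the sample log are constructed, and it assumes uxauthd reports MIT krb5 error codes, which the code -1765328164 (KRB5_REALM_CANT_RESOLVE) and its accompanying message text match.

```shell
#!/bin/sh
# Added example, not vendor code. Usage on a live host (assumption: uxauthd
# logs to the journal):  journalctl -b | triage_uxauthd_log

# Prints one line per failed proxy-ticket attempt:
#   <pid> <domain> <code> <krb5 constant> <verdict>
triage_uxauthd_log() {
    awk -v q="'" '
    BEGIN {
        # MIT krb5 error constants; net[] marks the ones that point at
        # name resolution or reachability rather than credentials.
        name["-1765328164"] = "KRB5_REALM_CANT_RESOLVE"; net["-1765328164"] = 1
        name["-1765328228"] = "KRB5_KDC_UNREACH";        net["-1765328228"] = 1
        name["-1765328347"] = "KRB5KRB_AP_ERR_SKEW"
        name["-1765328360"] = "KRB5KDC_ERR_PREAUTH_FAILED"
    }
    /uxauthd\[[0-9]+\]: Could not retrieve proxy ticket from KDC/ {
        match($0, /uxauthd\[[0-9]+\]/)
        pid = substr($0, RSTART + 8, RLENGTH - 9)
        domain = "?"
        if (match($0, "domain " q "[^" q "]+" q))
            domain = substr($0, RSTART + 8, RLENGTH - 9)
        code = "?"
        if (match($0, /error = -?[0-9]+/))
            code = substr($0, RSTART + 8, RLENGTH - 8)
        if (code in net)       verdict = "network-not-ready"
        else if (code in name) verdict = "other-kerberos-error"
        else                   verdict = "unknown-code"
        print pid, domain, code, ((code in name) ? name[code] : "-"), verdict
    }'
}

# Constructed sample: message formats from the article; timestamps, host name,
# the second PID, domain and error code are made up for illustration.
sample_log() {
    cat <<'EOF'
Jan 01 00:00:05 host1 uxauthd[1032]: Cannot resolve network address for KDC in realm "MYDOM.CA.COM" while getting initial credentials
Jan 01 00:00:05 host1 uxauthd[1032]: Could not retrieve proxy ticket from KDC for domain 'mydom.ca.com', error = -1765328164.
Jan 01 00:00:05 host1 uxauthd[1032]: No active DCs in domain 'mydom.ca.com'.
Jan 01 00:09:41 host1 uxauthd[2210]: Could not retrieve proxy ticket from KDC for domain 'other.example.com', error = -1765328347.
EOF
}

sample_log | triage_uxauthd_log
```

A "network-not-ready" verdict for the uxauthd instance started at boot is consistent with the cause described here; any other verdict points away from this workaround and toward clock synchronization or credentials.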

 

Workaround:

Introduce another systemd service that restarts UNAB after network initialization has completed so that the TGT can be obtained.

  • Create this file accordingly as root:

    # cat /etc/systemd/system/my-uxauthd.service
    [Unit]
    Description=my uxauthd init service to sync with network
    After=network.service NetworkManager.service NetworkManager-wait-online.service

    [Service]
    ExecStart=/opt/CA/uxauth/lbin/uxauthd.sh restart
    Type=forking

    [Install]
    WantedBy=default.target

  • In a root shell submit these commands:

    # chmod 664 /etc/systemd/system/my-uxauthd.service
    # systemctl daemon-reload
    # systemctl enable my-uxauthd.service
    # systemctl start my-uxauthd.service
    # reboot


Additional Information:  

This issue has been verified in RH 7 with UNAB 12.8 SP1, but other versions of Linux and UNAB might also be affected.

Environment

Release: ACP1M005900-12.8-Privileged Identity Manager