search cancel

UNAB fails to retrieve proxy ticket from KDC upon system boot on a Systemd Linux


Article ID: 33252


Updated On:


CA Privileged Access Manager - Server Control (PAMSC) CA Privileged Identity Management Endpoint (PIM)



If the Unix Authentication Broker (UNAB) is installed on a Systemd Linux variant like Red Hat Enterprise Linux 7 users might experience an issue upon system startup where the initial Ticket Granting Ticket (TGT) fails to be obtained a ticket for the client from a Windows Domain Controller, i.e. KDC (Key Distribution Center)
User login via UNAB is not possible until uxauthd is manually restarted or until internal timeouts cause the TGT to be obtained.

Error messages similar to those below may appear in the system log
uxauthd[1032]: Cannot resolve network address for KDC in realm "MYDOM.CA.COM" while getting initial credentials
uxauthd[1032]: Could not retrieve proxy ticket from KDC for domain '', error = -1765328164.
uxauthd[1032]: No active DCs in domain ''.
uxauthd[1032]: No connection to domain '', watcher thread started.


This issue is caused by the provided legacy SysVinit scripts being executed before network initialization has been completed.



Introduce another Systemd service which is restarts UNAB after the network initialization has been completed so the TGT can be obtained accordingly.

  • Create this file accordingly as root:

    # cat /etc/systemd/system/my-uxauthd.service
    Description=my uxauthd init service to sync with network
    After=network.service NetworkManager.service NetworkManager-wait-online.service

    ExecStart=/opt/CA/uxauth/lbin/ restart


  • In a root shell submit these commands:


    # chmod 664 /etc/systemd/system/my-uxauthd.service

    # systemctl daemon-reload

    # systemctl enable my-uxauthd.service

        # systemctl start my-uxauthd.service

     # reboot

Additional Information:  

This issue has been verified in RH 7 with UNAB 12.8 SP1 but other versions of Linux and UNAB might also be affected.


Release: ACP1M005900-12.8-Privileged Identity Manager