Unable to log in
If you are unable to log in as an Active Directory user after installing, check the following:
- Log in as root on the Unix host.
- Check the status of the Authentication Services subsystems. To do this, run the following command:
vastool status
Correct any errors reported by the status command, then try logging in again.
- Ensure the user exists locally and is allowed to log in. To check this, run the following command:
vastool user checklogin <username>
The output displays whether the user is a known Active Directory user. If not, you may need to map the user to an Active Directory account or Unix-enable the Active Directory account. If the user is known, an access control rule may prevent them from logging in. The output of the command displays which access control rules are in effect for the user.
You may need to restart window managers such as gdm in order for the window manager to reload NSS modules. Until the window manager reloads the NSS configuration, you will be unable to log in with an Active Directory user. Other services such as cron may also be affected by NSS changes. If you are unsure which services need to be reloaded, reboot the system.
|
|
Note: If you are configuring Authentication Services on VMware ESX Server vSphere (ESX 4.0) the reason you can not log in may be related to access control issues. For more information, see Configuring access control on ESX 4.. |
Resolving DNS problems
It is imperative that DNS is correctly configured. Authentication Services relies on DNS in order to locate domain controllers. Follow these steps to verify that domain controllers can be located using DNS:
- Use dig to test whether your DNS configuration can locate a domain controller. Enter the following at the Unix command prompt, replacing <DNS Domain Name> with your Active Directory DNS domain name:
dig -t any _ldap._tcp.dc._msdcs.<DNS Domain Name>
If DNS is configured correctly, you will see a list of domain controllers for your domain. If not, work with your DNS administrator to resolve the issue.
- Use dig to test whether you can locate a domain controller in your site. Enter the following at the Unix command prompt, replacing <Site Name> with the name of your Active Directory site and <DNS Domain Name> with your Active Directory DNS domain name.
dig -t _ldap._tcp.<Site Name>._sites.dc._msdcs.<DNS Domain Name>
If DNS is configured correctly, you will see a list of domain controllers for your site. If not, work with your DNS administrator to resolve the issue.
It is possible to work around DNS problems using the vastool join command to specify the domain controller host name on the command line. Authentication Services can work without DNS configured as long as the forward lookup in the /etc/hosts file exists. The forward lookup resolves the domain controller host name to an IP address.
You can test this on Linux by firewalling DNS (port 53) with iptables. Make sure that you have an entry for your domain controller in /etc/hosts, then as root, enter the following commands replacing <administrator> with the name of an Active Directory administrator <DNS Domain Name> with your Active Directory DNS domain name and <DC Host Name> with the host name of your domain controller:
iptables -A INPUT -p udp --dport 53 -j DROP iptables -A OUTPUT -p udp --dport 53 -j DROP /opt/quest/bin/vastool -u <administrator> join <DNS Domain Name> <DC Host Name>
Unix Account tab is missing in ADUC
If the Unix Account tab is missing when viewing the properties of a user or group in Active Directory Users and Computers, the most likely cause is that the extension module (AducExtensions.dll) was unable to load. Typically this is due to an invalid or corrupt installation. To resolve this issue, check the following:
- Ensure that Authentication Services has been installed on the local computer.
- Ensure that you are logged in as a domain user or that ADUC is running as a domain user.
- The Authentication Services installation may have become corrupted. Remove and re-install Authentication Services.
- Certain software is required in order for the Unix Account tab to load. If any of the following software has been removed, please re-install it:
- Windows PowerShell
- VisualStudio C++ Runtime
- .NET Framework v4.5
- If you are working with One Identity Active Roles Server MMC Console, ensure that display specifiers have been installed and that you have restarted the Active Roles Service. Until you do this, the Unix Account tab will not appear in Active Roles Server MCC Console.
- If the Unix Account tab still does not appear, open Control Center and enable debug logging from the Preferences. Attempt to load the Unix Account tab, then send the generated log files to VARcompany.support.
vasypd has unsatisfied dependencies
If you receive the following error message while installing the Authentication Services vasypd Unix component, the rpcbind service may not be enabled.
svcadm: Instance "svc:/quest/vas/vasypd:default" has unsatisfied dependencies. Error 4 starting vasypd
To enable the rpcbind service
- Check the dependencies of vasypd:
# svcs -d quest/vas/vasypd STATE STIME FMRI disabled Sep_14 svc:/network/rpc/bind:default online Sep_14 svc:/milestone/single-user:default online Sep_14 svc:/system/filesystem/local:default
- If rpcbind is disabled, run this command to enable it:
# /usr/sbin/svcadm enable -s /network/rpc/bind
- Run the following command to start vasypd:
# /etc/init.d/vasypd start