When an automated account checker indicates that an account creation has failed, several scenarios could be at play. This guide outlines common causes and provides steps for investigation.
Account Not Created
Begin by checking the resource to which the user was intended to be added and their corresponding role status on the User Search page. The following sections detail steps for specific scenarios:
No Role
This scenario typically occurs if our system failed to assign the role (a rare occurrence, though a known issue exists when a faculty member requests Radon/Hathi for themselves) or if the Identity and Access Management Office (IAMO) rejected the role.
You may attempt to manually add the role using the designated tool to see if it is rejected again. Alternatively, inquire with IAMO regarding the role's status and whether it can be added.
Role Pending
A "Role Pending" status can indicate two possibilities: either IAMO's overnight processing encountered an issue, or the account was added just after the cutoff for the overnight process but before the account check was run.
In the former case, an issue occurred on IAMO's side. Typically, their team resolves such issues promptly in the morning. However, if it's later in the day and the role remains pending, it is advisable to contact IAMO for an update.
The latter scenario involves a narrow window (e.g., between 4-5 AM) where users can be added, potentially triggering a false alarm. This is uncommon but can happen with faculty who work late or are traveling internationally.
Role Ready
When a role is "Ready," there are two primary scenarios: IAMO's overnight process failed but has since been rectified, or an issue exists with our internal translation daemon (transd).
In the first case, no further action may be required. You can verify the account's status using ldapsearch -x uid=USERNAME | grep host to confirm the presence of the correct host entry. If present, the user should be able to log in.
For the second scenario, investigating the transd is the next step. The transd is responsible for translating IAMO packets into accounts on our systems. Log into xenon.rcac and examine /var/log/transd_log. Check for recent activity at the end of the log file. If the log appears stale, it could indicate a problem such as a full disk. In this event, assign a ticket to systems support and request their investigation. If recent activity is present, you can search the log for the specific username to find relevant account entries. If the transd is actively running, further investigation may be necessary.
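The Role Ready checks above, written as a small shell helper. This is an added example and not part of the original guide or of any existing tooling; the function names, the 60-minute staleness threshold, and the sample LDIF and log line formats are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: a 60-minute staleness threshold, and usernames
# appearing as plain words in transd_log lines.
STALE_MINUTES="${STALE_MINUTES:-60}"

# Read ldapsearch LDIF on stdin and print only real host attribute values.
# A bare "grep host" would also match any other line containing "host".
ldap_hosts() {
    sed -n 's/^[Hh]ost:[[:space:]]*//p'
}

# Print "missing", "stale" or "active" for the given log file.
transd_log_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    if [ -n "$(find "$1" -mmin +"$STALE_MINUTES" 2>/dev/null)" ]; then
        echo stale
    else
        echo active
    fi
}

# Count log lines naming the user as a whole word, matched as a fixed
# string so characters in the username are never treated as a regex.
transd_user_hits() {
    grep -F -w -- "$2" "$1" | wc -l | tr -d ' '
}

# Print the next step for USERNAME given LOGFILE (default /var/log/transd_log).
role_ready_triage() {
    user="$1"; log="${2:-/var/log/transd_log}"
    case "$(transd_log_state "$log")" in
        missing) echo "missing: cannot read $log" ;;
        stale)   echo "stale: assign a ticket to systems support" ;;
        active)  echo "active: $(transd_user_hits "$log" "$user") line(s) mention $user" ;;
    esac
}

# Constructed sample data so the functions can be exercised offline.
sample_ldif() {
    printf '%s\n' 'dn: uid=jdoe,ou=People,dc=example,dc=edu' \
        'uid: jdoe' 'description: ghost account' 'host: cluster-a.example.edu'
}
sample_log() {   # hypothetical line format; the real transd format may differ
    printf '%s\n' 'transd: add account jdoe' 'transd: add account jdoe2' >"$1"
}

if [ "$#" -gt 0 ]; then role_ready_triage "$@"; fi
```

On the transd host, pipe real output through the filter with ldapsearch -x uid=USERNAME | ldap_hosts, and run the script with the username as its first argument to check the log.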
Asking IAMO
The Footprints queue for IAMO is ITAP_IDENTITY_MANAGEMENT. Ben Lewis and Scott Morris are familiar with our web application and the "account failed" email notifications. If they report that the account is expired, graduated, or otherwise invalid, communicate this information directly to the faculty member who initiated the request (do not use the Footprints ticket for this). Otherwise, IAMO should be able to facilitate account creation or resolve any processing backlogs.
Login Shell /opt/acmaint-3.10/etc/disable is Invalid
This message indicates that the user account is no longer valid, often due to reasons such as graduation. In such cases, remove the account from the Manage User page and inform the requesting faculty member separately (outside of the support ticket) that an account could not be created for the user. It is good practice to verify the student's graduation status with the Principal Investigator (PI), as this often clarifies the situation for the faculty member. The user will need to have a Request for Privileges (R4P) filed, after which the account can be re-added once the R4P is complete. If the faculty member believes the student should still be valid, inquire with IAMO about their status. The user may have been very recently re-added or might be experiencing another issue.