
Safeguard Authentication Services 6.0 LTS - Administration Guide

Encryption types

The following table details the encryption types used in Safeguard Authentication Services.

Table 8: Encryption types

Encryption type                       Algorithm name        Specification   Active Directory version   Safeguard Authentication Services version
KERB_ENCTYPE_DES_CBC_CRC              CRC32                 RFC 3961        All                        All
KERB_ENCTYPE_DES_CBC_MD5              RSA-MD5               RFC 3961        All                        All
KERB_ENCTYPE_RC4_HMAC_MD5             RC4-HMAC-MD5          RFC 4757        All                        All
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96  HMAC-SHA1-96-AES128   RFC 3961        Windows Server 2008 +      3.3.2+
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96  HMAC-SHA1-96-AES256   RFC 3961        Windows Server 2008 +      3.3.2+
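As an added example (not code from the guide or from One Identity), the script below reads the encryption-type settings from a krb5.conf-style [libdefaults] section, maps the configured names onto the KERB_ENCTYPE identifiers in Table 8, and reports which entries are the older DES/RC4 types and which AES entries cannot be used against a pre-Windows Server 2008 domain. The MIT-style names (des-cbc-crc, arcfour-hmac, aes256-cts-hmac-sha1-96 and their aliases), the sample configuration and the simplified rule-of-thumb that DES and RC4 are "legacy" are assumptions of the example; the guide itself only lists the types and their version requirements.

```python
"""Audit the Kerberos enctypes configured on a UNIX host against Table 8."""
import re

# Table 8 data: identifier -> (specification, minimum AD version, minimum SAS version)
ENCTYPES = {
    "KERB_ENCTYPE_DES_CBC_CRC": ("RFC 3961", "All", "All"),
    "KERB_ENCTYPE_DES_CBC_MD5": ("RFC 3961", "All", "All"),
    "KERB_ENCTYPE_RC4_HMAC_MD5": ("RFC 4757", "All", "All"),
    "KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96": ("RFC 3961", "Windows Server 2008 +", "3.3.2+"),
    "KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96": ("RFC 3961", "Windows Server 2008 +", "3.3.2+"),
}

# MIT-style names as written in krb5.conf -> Table 8 identifier.
# This name list is an assumption of the example, not taken from the guide.
MIT_NAMES = {
    "des-cbc-crc": "KERB_ENCTYPE_DES_CBC_CRC",
    "des-cbc-md5": "KERB_ENCTYPE_DES_CBC_MD5",
    "arcfour-hmac": "KERB_ENCTYPE_RC4_HMAC_MD5",
    "arcfour-hmac-md5": "KERB_ENCTYPE_RC4_HMAC_MD5",
    "rc4-hmac": "KERB_ENCTYPE_RC4_HMAC_MD5",
    "aes128-cts-hmac-sha1-96": "KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96",
    "aes128-cts": "KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96",
    "aes256-cts-hmac-sha1-96": "KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96",
    "aes256-cts": "KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96",
}

# DES and RC4 predate the AES types in the table; the example flags them as legacy.
LEGACY = {"KERB_ENCTYPE_DES_CBC_CRC", "KERB_ENCTYPE_DES_CBC_MD5", "KERB_ENCTYPE_RC4_HMAC_MD5"}

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_libdefaults_enctypes(text):
    """Return {setting: [names]} for the enctype settings in [libdefaults].
    Values may be space- or comma-separated; a leading '+' or '-' is dropped."""
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            names = [n.lstrip("+-").lower() for n in re.split(r"[\s,]+", value) if n]
            result[key] = names
    return result


def audit_enctypes(text, ad_version_is_2008_or_later=True):
    """Classify every configured enctype.

    Returns (unknown, legacy, unavailable):
      unknown     - (setting, name) pairs that map to no Table 8 identifier
      legacy      - (setting, identifier) pairs for DES/RC4 types
      unavailable - (setting, identifier) pairs for AES types when the domain
                    is older than Windows Server 2008 (Table 8 requirement)
    """
    unknown, legacy, unavailable = [], [], []
    for setting, names in parse_libdefaults_enctypes(text).items():
        for name in names:
            ident = MIT_NAMES.get(name)
            if ident is None:
                unknown.append((setting, name))
            elif ident in LEGACY:
                legacy.append((setting, ident))
            elif not ad_version_is_2008_or_later and ENCTYPES[ident][1] != "All":
                unavailable.append((setting, ident))
    return unknown, legacy, unavailable


# Constructed sample configuration; the realm and KDC name are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM   # constructed realm
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
    permitted_enctypes = aes256-cts aes128-cts rc4-hmac des-cbc-md5
[realms]
    EXAMPLE.COM = { kdc = dc1.example.com }
"""

if __name__ == "__main__":
    unknown, legacy, unavailable = audit_enctypes(SAMPLE_KRB5_CONF)
    for setting, name in unknown:
        print(f"UNKNOWN   {setting}: {name}")
    for setting, ident in legacy:
        print(f"LEGACY    {setting}: {ident} ({ENCTYPES[ident][0]})")
    for setting, ident in unavailable:
        print(f"NOT AVAIL {setting}: {ident} needs {ENCTYPES[ident][1]}")
```

Run it against the host's own configuration by reading the file into `audit_enctypes`; pass `ad_version_is_2008_or_later=False` for a domain that still has pre-2008 domain controllers so that AES entries are reported as unavailable rather than silently accepted.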

Network requirements

Safeguard Authentication Services must be able to communicate with Active Directory, including domain controllers, global catalogs, and DNS servers using Kerberos, LDAP, and DNS protocols. The following table summarizes the network ports that must be open and their function.

Table 9: Network ports

Port   Function
389    Used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting Active Directory site membership.
3268   Used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog.
88     Used for Kerberos authentication and Kerberos service ticket requests against Active Directory Domain Controllers. TCP is used by default.
464    Used for changing and setting passwords against Active Directory using the Kerberos change password protocol. Safeguard Authentication Services always uses TCP for password operations.
53     Used for DNS. Since Safeguard Authentication Services uses DNS to locate domain controllers, DNS servers used by the UNIX hosts must serve Active Directory DNS SRV records. Both UDP and TCP are used.
123    UDP only. Used for time-synchronization with Active Directory.
445    CIFS port used to enable the client to retrieve configured group policy.

NOTE: Safeguard Authentication Services, by default, operates as a client, initiating connections. It does not require any firewall exceptions for incoming traffic.
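Because the client only initiates connections, the practical check before joining is whether the host's outbound firewall policy permits every port and protocol in Table 9. The script below is an added example (not code from the guide or from One Identity) that encodes Table 9 as a required set of (port, protocol) pairs and compares it with a host's egress rules. The rule syntax it parses (`allow tcp 389`, `deny udp any`, first match wins) and the sample rule set are constructed for the example and are not the output of any real firewall tool; port 88 is listed as TCP only because the guide says TCP is used by default there.

```python
"""Report Table 9 ports that a host's egress rules do not allow."""

# Table 9 requirements: (port, protocol) -> function.
REQUIRED = {
    (389, "tcp"): "LDAP searches against domain controllers",
    (389, "udp"): "LDAP site membership detection",
    (3268, "tcp"): "LDAP searches against global catalogs",
    (88, "tcp"): "Kerberos authentication and service tickets",
    (464, "tcp"): "Kerberos change password",
    (53, "tcp"): "DNS (Active Directory SRV records)",
    (53, "udp"): "DNS (Active Directory SRV records)",
    (123, "udp"): "Time synchronization",
    (445, "tcp"): "CIFS (group policy retrieval)",
}


def parse_rules(text):
    """Parse constructed 'allow|deny <tcp|udp> <port|any>' lines.

    Returns a list of (action, protocol, port_or_None) in file order.
    Raises ValueError on anything else so a typo cannot silently pass a check.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and blank lines
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 3 or parts[0] not in ("allow", "deny")
                or parts[1] not in ("tcp", "udp")):
            raise ValueError(f"unrecognized rule: {line!r}")
        port = None if parts[2] == "any" else int(parts[2])
        rules.append((parts[0], parts[1], port))
    return rules


def is_allowed(rules, port, proto, default="deny"):
    """First matching rule decides; 'default' applies when nothing matches."""
    for action, rproto, rport in rules:
        if rproto == proto and (rport is None or rport == port):
            return action == "allow"
    return default == "allow"


def missing_egress(rule_text, default="deny"):
    """Return sorted (port, protocol, function) triples that the rules block."""
    rules = parse_rules(rule_text)
    return sorted(
        (port, proto, function)
        for (port, proto), function in REQUIRED.items()
        if not is_allowed(rules, port, proto, default)
    )


# Constructed sample egress policy: NTP and UDP LDAP were forgotten.
SAMPLE_RULES = """
allow tcp 389    # LDAP to DCs
allow tcp 3268   # global catalog
allow tcp 88     # Kerberos
allow tcp 464    # kpasswd
allow udp 53
allow tcp 53
allow tcp 445    # group policy
deny udp any
deny tcp any
"""

if __name__ == "__main__":
    gaps = missing_egress(SAMPLE_RULES)
    if not gaps:
        print("all Table 9 ports are allowed")
    for port, proto, function in gaps:
        print(f"BLOCKED {proto}/{port}: {function}")
```

On a real host, replace `SAMPLE_RULES` with rules exported from whatever firewall is in use (translated into the three-field form above) and set `default="allow"` if the host's outbound policy is permissive by default; only the gaps are printed, so an empty result means every row of Table 9 is reachable as far as local policy is concerned.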

UNIX administration and configuration

This section explains Safeguard Authentication Services administration and configuration details relevant to administrators who are integrating UNIX hosts with Active Directory.

A separate Administration Guide for macOS is available on the distribution media. While many of the concepts covered in this guide apply to macOS, it is recommended that you refer to the Safeguard Authentication Services macOS Administration Guide first when working with macOS.

Joining the domain

For full Safeguard Authentication Services functionality on UNIX, you must join the UNIX system on which you installed the Safeguard Authentication Services agent to the domain. You can join an Active Directory domain either by running vastool join from the command line or by running the interactive join script, vasjoin.sh.

Before you join the UNIX host to the Active Directory domain, you may want to determine if you are already joined.

To determine if you are joined to an Active Directory domain

  1. Run the following command:

    # /opt/quest/bin/vastool info domain

    If you are joined to a valid domain this command returns the domain name. If you are not joined to a domain, you will see the following error:

    ERROR: No domain could be found.
    ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realm
    default_realm not configured in vas.conf. Computer may not be joined to domain