-
Title
How can I set up the user mapping to map local account with Active Directory account? -
Description
How can I set up the user mapping to map local account with Active Directory account?
-
Resolution
You can map local Unix users or local MAC user to Active Directory accounts.
You can do this by modifying the /etc/passwd file directly and replace the password field with the sAMAccountName@domain of the Active Directory account. You do not need to update the shadow file. However,we recommend using a map file instead of modifying password entries directly.
To configure a user mapping file
1. Run the following command as root to enable local map files:
vastool configure vas vas_auth user-map-files /etc/user-map
Note: This example configures QAS to use /etc/user-map for user mappings. You can specify any filename.
2. Add user mappings to the map file. The format is [local user name]:[sAMAccountName@domain]. If you want to map a local user named jdoe to the Active Directory account for johnd@example.com, add the following line to the file:
jdoe:johnd@example.com
You can also manage the map file centrally through a group policy by doing the following:
1. Start Group Policy Object Editor
2. Navigate to and select Unix Settings -> Quest Software -> Identity Mapping
3. Select the "Mapped User" option - this will allow you to set up the VAS Unix user to AD user mapping.You would then use the local account name to login with the AD account's password. As a best practice we suggest setting up custom prompts to avoid confusion when using mapped users.
-
Additional Information
For more information about user mappings please see the section "Mapping Local Users to Active Directory Users" in the AuthenticationServices AdminGuide. The pdf is located in the docs folder of the download and on the Support Portal as a separate download. This may also be an option for users with Solaris 10 system that have a LOGIN_NAME_MAX = 9 and Active Directory users with a longer name.