Authentication Services 4.2 - Administration Guide


Kerberos ticket caches

The Authentication Services PAM module uses the Kerberos protocol to authenticate users against Active Directory. Kerberos lets a user obtain a Ticket Granting Ticket (TGT), which is then used to obtain service tickets for authenticating to individual services. Once the TGT has been obtained, it acts as a single sign-on credential: the user does not have to re-enter a password for each service.

By default, when a user establishes a login session through a service configured to use the Authentication Services PAM module, the ticket is cached in the /tmp directory in a file named krb5cc_<uid>, where <uid> is the numeric user ID (UID) of the account. The TGT in that file is a bearer credential: anyone who can read the cache can act as that user until the ticket expires, so the cache file must be owned by the user and not be readable by any other account (mode 0600).
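The following script, added here as an example and not part of the Authentication Services guide, checks the default cache described above for one UID: that the file exists, is owned by that UID, and is mode 0600, then shows the cached TGT with `klist` if the Kerberos client tools are installed. It assumes a Linux host with GNU coreutils `stat`; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Authentication Services guide): verify the
# default Kerberos credential cache /tmp/krb5cc_<uid> for a user.
# Assumes Linux with GNU coreutils `stat -c`.

# Default cache path for a numeric UID, following the krb5cc_<uid> convention.
cache_path_for_uid() {
    printf '/tmp/krb5cc_%s\n' "$1"
}

# check_cache_file PATH UID
# Returns 0 if PATH is a regular file owned by UID with mode 0600.
# Otherwise prints a one-line reason and returns 1. A cache readable by
# another account hands that account the user's TGT, i.e. the SSO session.
check_cache_file() {
    path=$1
    expected_uid=$2
    if [ ! -f "$path" ]; then
        echo "no cache file: $path"
        return 1
    fi
    owner=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$expected_uid" ]; then
        echo "wrong owner on $path: uid $owner, expected $expected_uid"
        return 1
    fi
    if [ "$mode" != "600" ]; then
        echo "permissive mode on $path: $mode, expected 600"
        return 1
    fi
    return 0
}

# Check the calling user's own cache and, if klist is available, list the
# tickets it holds (KRB5CCNAME selects the cache explicitly).
check_my_cache() {
    uid=$(id -u)
    cache=$(cache_path_for_uid "$uid")
    check_cache_file "$cache" "$uid" || return 1
    if command -v klist >/dev/null 2>&1; then
        KRB5CCNAME="FILE:$cache" klist
    fi
}

# Run the live check only when RUN_CHECK=1, so the file can also be sourced.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_my_cache
fi
```

Run it as `RUN_CHECK=1 sh check_krb5cc.sh` from a session that logged in through the PAM module; a non-zero exit with a reason line means the cache is missing or exposed to other users.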

Configuring AIX

AIX does not support NSS in the same way that most other Unix variants do: there is no /etc/nsswitch.conf and no support for NSS modules. Instead, AIX uses the Loadable Authentication Module (LAM) system for both name service lookups and authentication. As of AIX 5.3 all native binaries support PAM, but they are configured for LAM by default. Authentication Services provides both a LAM module and a PAM module on AIX. Configuring the PAM module on AIX is the same as on any other platform; this section explains how to configure the LAM module.

When you join the domain, Authentication Services automatically configures the AIX system to use the Authentication Services LAM module for authentication as well as name service lookups. The modified files are /usr/lib/security/methods.cfg and /etc/security/user.

Using VASTOOL to configure AIX

vastool can automatically update the AIX configuration files on your system.

To modify the AIX configuration

  1. To configure AIX to use Authentication Services for authentication and name service resolution, run the following command as root:
    vastool configure irs
  2. To remove the Authentication Services AIX module configuration, run the following command as root:
    vastool unconfigure irs
  3. After modifying the AIX configuration, restart any affected system services or reboot.
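Because `vastool configure irs` rewrites the two authentication configuration files named above, a careful administrator snapshots them first and reviews the resulting change before restarting services. The wrapper below is an added example, not part of the Authentication Services guide: the file paths are the ones the guide names, the command is the one from step 1, and the backup directory and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Authentication Services guide): run an AIX
# configuration step with a backup of the files it modifies and a diff of
# what changed, so the change can be reviewed (or reverted) before services
# are restarted. Run as root on AIX: configure_with_review vastool configure irs

# The two files the guide says are modified when the LAM module is configured.
AIX_FILES="/usr/lib/security/methods.cfg /etc/security/user"

# snapshot_files DIR FILE... : copy each existing FILE under DIR, keeping its
# full path (DIR/usr/lib/security/methods.cfg, ...), with mode and owner.
snapshot_files() {
    dir=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        mkdir -p "$dir$(dirname "$f")"
        cp -p "$f" "$dir$f"
    done
}

# changed_files DIR FILE... : print each FILE that differs from its snapshot
# under DIR or that did not exist when the snapshot was taken.
# Returns 0 if anything changed, 1 if nothing did.
changed_files() {
    dir=$1; shift
    rc=1
    for f in "$@"; do
        if [ ! -f "$dir$f" ] && [ -f "$f" ]; then
            echo "$f"; rc=0
        elif [ -f "$f" ] && ! cmp -s "$dir$f" "$f"; then
            echo "$f"; rc=0
        fi
    done
    return $rc
}

# configure_with_review CMD... : snapshot AIX_FILES, run CMD, then show a
# unified diff for every file CMD changed. The backup path is printed so the
# original can be restored if the change is not what was expected.
configure_with_review() {
    backup=$(mktemp -d /tmp/aix-authcfg.XXXXXX)
    snapshot_files "$backup" $AIX_FILES   # unquoted: split into separate paths
    if ! "$@"; then
        echo "command failed; snapshots kept in $backup" >&2
        return 1
    fi
    changed=$(changed_files "$backup" $AIX_FILES) || { echo "no changes"; return 0; }
    for f in $changed; do
        echo "== $f (backup: $backup$f)"
        diff -u "$backup$f" "$f" 2>/dev/null || true
    done
}
```

After reviewing the diff, restart the affected services (or reboot) as in step 3; to undo, copy the file back from the printed backup path and run `vastool unconfigure irs`.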

Configuring SELinux

Security Enhanced Linux (SELinux) adds mandatory access control on top of the standard Unix permission model, giving administrators finer control over what each process and user may access.

When you join the domain, Authentication Services automatically configures SELinux to work with the SELinux VAS module, which contains a Red Hat Enterprise Linux SELinux policy for Authentication Services.

NOTE: The installation dependencies for the SELinux VAS module are:

  • RHEL 6 (or an equivalent distribution) and later
  • policycoreutils-python (provides audit2allow)
  • policycoreutils (provides semodule and restorecon)
  • selinux-policy-devel (RHEL 7) or selinux-policy (RHEL 6)

NOTE: After installing the vasd-selinux policy, user home directories that were created prior to the policy being installed might have the incorrect SELinux security context label.

Workaround:

Run the following command as root (it relabels files owned by other users) to restore the home directories to their default file contexts:

# /opt/quest/libexec/vas/selinux/configure_selinux.sh restore [/home]

where /home is the path to the users' home directories that need the correct SELinux context label. If no path is provided, /home is used by default.
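Before relabelling, it is worth confirming that SELinux is actually loaded, that the tools from the dependency list are installed, and seeing what would change. The script below is an added example, not part of the Authentication Services guide: the tool names come from the dependency list above and the helper path is the one the guide gives; the function names and the use of `restorecon -n` for a dry run are this example's own.

```shell
#!/bin/sh
# Added example (not from the Authentication Services guide): pre-flight
# checks before restoring SELinux contexts on home directories, then a dry
# run with restorecon -n (report only) before calling the guide's helper.

# Helper script path as given in the guide.
VAS_SELINUX_HELPER=/opt/quest/libexec/vas/selinux/configure_selinux.sh

# missing_tools NAME... : print each NAME not found in PATH.
# Returns 0 if all are present, 1 if any is missing.
missing_tools() {
    rc=0
    for t in "$@"; do
        if ! command -v "$t" >/dev/null 2>&1; then
            echo "$t"; rc=1
        fi
    done
    return $rc
}

# selinux_mode [ENFORCE_FILE] : print enforcing, permissive or disabled by
# reading the kernel's enforce flag (default /sys/fs/selinux/enforce; the
# file is absent when no SELinux policy is loaded). Labels are still applied
# in permissive mode, so only "disabled" makes relabelling pointless.
selinux_mode() {
    f=${1:-/sys/fs/selinux/enforce}
    if [ ! -r "$f" ]; then
        echo disabled
        return 0
    fi
    case $(cat "$f") in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# relabel_homes [DIR] : run the checks, show what restorecon would change
# under DIR (no changes made), then run the guide's restore command.
# Must run as root, since it relabels files owned by other users.
relabel_homes() {
    dir=${1:-/home}
    if [ "$(selinux_mode)" = disabled ]; then
        echo "SELinux is not loaded; nothing to relabel" >&2
        return 1
    fi
    if ! missing_tools audit2allow semodule restorecon; then
        echo "the tools listed above are missing; install the dependency packages" >&2
        return 1
    fi
    echo "== dry run: files under $dir whose context would change"
    restorecon -nvR "$dir"
    "$VAS_SELINUX_HELPER" restore "$dir"
}
```

Call `relabel_homes` with no argument for /home, or `relabel_homes /export/home` when home directories live elsewhere; the dry-run output is the list of directories the policy change left with stale labels.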
