Authentication Services 4.2 - Administration Guide

Authentication Services encryption types

The following table details the encryption types used in Authentication Services.

Table 8: Authentication Services: Encryption types

| Encryption type                                            | Specification | Active Directory version      | Authentication Services version |
|------------------------------------------------------------|---------------|-------------------------------|---------------------------------|
| KERB_ENCTYPE_DES_CBC_CRC (CRC32)                           | RFC 3961      | All                           | All                             |
| KERB_ENCTYPE_DES_CBC_MD5 (RSA-MD5)                         | RFC 3961      | All                           | All                             |
| KERB_ENCTYPE_RC4_HMAC_MD5 (RC4-HMAC-MD5)                   | RFC 4757      | All                           | All                             |
| KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 (HMAC-SHA1-96-AES128) | RFC 3961      | Windows Server 2008 and later | 3.3.2 and later                 |
| KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 (HMAC-SHA1-96-AES256) | RFC 3961      | Windows Server 2008 and later | 3.3.2 and later                 |
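Checking which of the Table 8 enctypes a joined host actually negotiates, as an added example that is not part of Authentication Services or this guide: it parses the output of MIT Kerberos `klist -e` (the `Etype (skey, tkt): <session>, <ticket>` line printed under each ticket) and maps each enctype name to its Table 8 row. The sample `klist -e` output is constructed for this example. The "legacy" status given to the DES and RC4 rows is this example's own assessment (DES enctypes are deprecated by RFC 6649 and RC4-HMAC by RFC 8429), not a statement made by the table.

```python
import re

# Table 8 enctypes keyed by the names MIT Kerberos prints in `klist -e`
# ("arcfour-hmac" is MIT's name for RC4-HMAC-MD5; "rc4-hmac" is an alias).
# The status column is this example's own: DES is deprecated by RFC 6649 and
# RC4-HMAC by RFC 8429; Table 8 itself makes no strength claims.
ENCTYPES = {
    "des-cbc-crc":             ("KERB_ENCTYPE_DES_CBC_CRC", "RFC 3961", "legacy"),
    "des-cbc-md5":             ("KERB_ENCTYPE_DES_CBC_MD5", "RFC 3961", "legacy"),
    "arcfour-hmac":            ("KERB_ENCTYPE_RC4_HMAC_MD5", "RFC 4757", "legacy"),
    "rc4-hmac":                ("KERB_ENCTYPE_RC4_HMAC_MD5", "RFC 4757", "legacy"),
    "aes128-cts-hmac-sha1-96": ("KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96", "RFC 3961", "current"),
    "aes256-cts-hmac-sha1-96": ("KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96", "RFC 3961", "current"),
}

# A ticket line in klist output: "<valid starting>  <expires>  <service principal>"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
# The detail line that `klist -e` prints under each ticket.
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")

# Constructed sample of `klist -e` output; not captured from a real host.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@EXAMPLE.COM

Valid starting       Expires              Service principal
01/02/2024 09:00:00  01/02/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/02/2024 09:00:05  01/02/2024 19:00:00  host/legacy01.example.com@EXAMPLE.COM
    Etype (skey, tkt): arcfour-hmac, arcfour-hmac
01/02/2024 09:00:09  01/02/2024 19:00:00  cifs/dc01.example.com@EXAMPLE.COM
    Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
"""


def classify(etype_name):
    """Map a klist enctype name to (Table 8 constant, specification, status)."""
    return ENCTYPES.get(etype_name.lower(), (etype_name, "n/a", "unknown"))


def parse_klist(text):
    """Return one dict per ticket: service principal, session-key and ticket enctypes."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3), "skey": None, "tkt": None})
            continue
        m = ETYPE_RE.match(line)
        if m and tickets:
            tickets[-1]["skey"], tickets[-1]["tkt"] = m.group(1), m.group(2)
    return tickets


def audit(text):
    """List tickets whose session key or ticket enctype is not a current AES type."""
    findings = []
    for t in parse_klist(text):
        flagged = {role: classify(t[role]) for role in ("skey", "tkt")
                   if t[role] is not None and classify(t[role])[2] != "current"}
        if flagged:
            findings.append({"service": t["service"], "enctypes": flagged})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_KLIST):
        for role, (const, spec, status) in f["enctypes"].items():
            print(f"{f['service']}: {role} uses {const} ({spec}) - {status}")
```

Run `klist -e` on the joined host and pass its output to `audit()`; a ticket that still negotiates RC4 or DES points at a service account or domain controller that still permits those types, and is the first place to look when raising the minimum enctype.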

Management Console for Unix requirements

One Identity recommends that you install One Identity Management Console for Unix, a separate One Identity product. The management console simplifies deployment of Authentication Services agents to your clients and streamlines the overall management of your Unix, Linux, and Mac OS X hosts by enabling centralized management of local Unix users and groups and providing granular reports on key data and attributes.

Prior to installing Management Console for Unix, ensure your system meets the minimum hardware and software requirements for your platform.

Table 9: Management Console for Unix: Hardware and software requirements

Supported platforms
  The management console can be installed on the following configurations:
  • Windows x86 (32-bit)
  • Windows x86-64 (64-bit)
  • Unix/Linux systems for which Java 8 is available

Server requirements
  The Management Console for Unix server requires Java 8 (also referred to as JRE 8, JDK 8, JRE 1.8, and JDK 1.8).

Managed host requirements
  See www.oneidentity.com/products/authentication-services/ for the list of Unix, Linux, and Mac platforms that support Authentication Services.

  See www.oneidentity.com/products/privilege-manager-for-unix/ for the list of Unix and Linux platforms that support Privilege Manager for Unix.

  See www.oneidentity.com/products/privilege-manager-for-sudo/ for the list of Unix, Linux, and Mac platforms that support Privilege Manager for Sudo.

  NOTE: For the Management Console for Unix server to interact with a host, both an SSH server (that is, sshd) and an SSH client must be installed on each managed host. OpenSSH 2.5 and higher and Tectia SSH 5.0 and higher are supported.

  NOTE: Management Console for Unix does not support Security-Enhanced Linux (SELinux).

  NOTE: When you install Authentication Services on Solaris 11, the Solaris 10 packages are installed.

Default memory requirement
  1024 MB

  NOTE: See the JVM memory tuning suggestions in the One Identity Management Console for Unix Administration Guide for information about changing the default memory allocation in the configuration file.

Network requirements

Authentication Services must be able to communicate with Active Directory, including domain controllers, global catalogs, and DNS servers using Kerberos, LDAP, and DNS protocols. The following table summarizes the network ports that must be open and their function.

Table 10: Network ports

| Port | Transport                    | Function |
|------|------------------------------|----------|
| 389  | TCP (UDP for site detection) | LDAP searches against Active Directory domain controllers. TCP is normally used; UDP is used when detecting Active Directory site membership. |
| 3268 | TCP                          | LDAP searches against Active Directory global catalogs. TCP is always used for global catalog searches. |
| 88   | TCP (default)                | Kerberos authentication and Kerberos service ticket requests against Active Directory domain controllers. |
| 464  | TCP                          | Changing and setting passwords against Active Directory using the Kerberos change password protocol. Authentication Services always uses TCP for password operations. |
| 53   | TCP and UDP                  | DNS. Authentication Services uses DNS to locate domain controllers, so the DNS servers used by the Unix hosts must serve the Active Directory DNS SRV records. |
| 123  | UDP only                     | Time synchronization with Active Directory. |
| 445  | TCP                          | CIFS, used by the client to retrieve configured Group Policy. |

NOTE: By default, Authentication Services operates as a client and initiates all connections. It does not require any firewall exceptions for incoming traffic.
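Verifying the Table 10 ports from the Unix host side, as an added example that is not part of Authentication Services: every probe is an outbound connection from the host, in line with the note that the product initiates all connections, so nothing inbound needs to be opened to run it. TCP ports are tested with a plain connect. Because a UDP connect proves nothing, UDP 53 is tested with a hand-built DNS SRV query and UDP 123 with a minimal NTP client request, each judged by the reply. The domain controller `dc01.example.com` and the domain `example.com` are placeholders; the SRV name `_ldap._tcp.dc._msdcs.<domain>` is the standard Active Directory DC locator record and is an assumption here, since the table says only that AD SRV records must be served. UDP 389 (site detection) is not probed.

```python
import socket
import struct

# Table 10 as (port, transport, function). UDP 389 (site detection) is left out:
# judging a CLDAP reply is not something to do in a few lines.
REQUIRED_PORTS = [
    (389, "tcp", "LDAP against domain controllers"),
    (3268, "tcp", "LDAP against global catalogs"),
    (88, "tcp", "Kerberos authentication and service tickets"),
    (464, "tcp", "Kerberos change password"),
    (53, "tcp", "DNS over TCP"),
    (53, "udp", "DNS over UDP (SRV lookup)"),
    (123, "udp", "NTP time synchronization"),
    (445, "tcp", "CIFS for Group Policy retrieval"),
]


def dc_locator_srv_name(domain):
    """Standard AD DC locator record (assumed; the guide only says SRV records are needed)."""
    return "_ldap._tcp.dc._msdcs." + domain.strip(".").lower()


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_exchange(host, port, payload, timeout=3.0):
    """Send one UDP datagram and return the reply, or None on timeout or error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            return s.recvfrom(512)[0]
        except OSError:
            return None


def dns_srv_query(name, txid=0x1234):
    """Wire-format DNS query: one question, type SRV (33), class IN, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 33, 1)


def srv_reply_ok(query, reply):
    """Reply must echo the query id, be a response (QR=1), have RCODE 0 and >= 1 answer."""
    if reply is None or len(reply) < 12:
        return False
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return (txid == struct.unpack("!H", query[:2])[0]
            and bool(flags & 0x8000) and (flags & 0x000F) == 0 and ancount > 0)


def ntp_request():
    """48-byte NTP client packet: LI=0, VN=4, Mode=3 gives a first byte of 0x23."""
    return b"\x23" + bytes(47)


def ntp_reply_ok(reply):
    """A server answer is 48 bytes with Mode=4 in the low three bits of byte 0."""
    return reply is not None and len(reply) == 48 and (reply[0] & 0x07) == 4


def check_dc(dc_host, domain, dns_server=None, timeout=3.0):
    """Probe every Table 10 port; returns {(port, transport): reachable}.

    DNS is sent to dns_server (the resolver the Unix host actually uses),
    which defaults to the DC because AD DCs usually also run DNS.
    """
    dns_server = dns_server or dc_host
    results = {}
    for port, transport, _function in REQUIRED_PORTS:
        if transport == "tcp":
            ok = tcp_open(dns_server if port == 53 else dc_host, port, timeout)
        elif port == 53:
            query = dns_srv_query(dc_locator_srv_name(domain))
            ok = srv_reply_ok(query, udp_exchange(dns_server, port, query, timeout))
        else:
            ok = ntp_reply_ok(udp_exchange(dc_host, port, ntp_request(), timeout))
        results[(port, transport)] = ok
    return results


if __name__ == "__main__":
    # Placeholders: replace with a real domain controller and the AD DNS domain.
    for (port, transport), ok in check_dc("dc01.example.com", "example.com").items():
        print(f"{port}/{transport}: {'reachable' if ok else 'BLOCKED'}")
```

A port that connects but then fails at the protocol level (for example 53/UDP answering with no SRV records) shows up as BLOCKED here on purpose: an open socket to a DNS server that does not serve the `_msdcs` zone is exactly the misconfiguration the table warns about.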

Unix administration and configuration

This section explains Authentication Services administration and configuration details relevant to administrators who are integrating Unix hosts with Active Directory.

A separate Administration Guide for Mac OS X is available on the distribution media. While many of the concepts covered in this guide apply to Mac OS X, it is recommended that you refer to the Authentication Services Mac OS X/macOS Administration Guide first when working with Mac OS X.
