One Identity Management Console for Unix 2.5.2 - Administration Guide


Checking host for AD readiness

The Check for AD Readiness command performs a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain.

Note:

To check hosts for Active Directory Readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the toolbar, and choose Check for AD Readiness.

  2. In the Check AD Readiness dialog, enter the Active Directory domain to use for the readiness check.

  3. Enter Active Directory user credentials, and click OK.

  4. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter the credentials to log on to the selected hosts and click OK.

    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

  5. To check the results of the readiness check,

    1. Right-click the host on the All Hosts view of the Hosts tab, and choose Properties.

    2. Select the Readiness Check Results tab on the properties.

    3. Choose AD Readiness from the drop-down menu, if necessary.

    AD Readiness Check runs these tests:

    • Checks for supported operating system and correct OS patches
    • Checks for sufficient disk space to install software
    • Checks that the host name of the system is not 'localhost'
    • Checks if the name service is configured to use DNS
    • Checks /etc/resolv.conf for proper formatting of name service entries and that the name servers can be resolved (example.com)
    • Checks for a name server that has the appropriate DNS SRV records for Active Directory (example.com)
    • Selects a writable DC with port 389 (UDP) open to use for the checks (example.com)
    • Displays AD site of user running checks, if available
    • Checks if port 464 (TCP) is open for Kerberos Kpasswd (windows.example.com)
    • Checks if port 88 (UDP and TCP) is open for Kerberos Traffic (windows.example.com)
    • Checks if port 389 (TCP) is open for LDAP (windows.example.com)
    • Checks for Global Catalog and port 3268 (TCP) is open to the GC (example.com)
    • Checks for a valid time skew against Active Directory DC (windows.example.com)
    • Checks for Authentication Services Application Configuration (windows.example.com)
    • Checks if port 445 (TCP) is open for Microsoft Directory Services (windows.example.com)

    A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.

  6. If the Readiness Check completed with failures or advisories, correct the issues and rerun the Readiness Check until all tests pass.
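The following is an added example, not code from the Management Console or from One Identity: a host-side preflight that mirrors several of the AD Readiness tests listed above (hostname not 'localhost', /etc/resolv.conf formatting, DC-locating SRV records, time skew, and TCP reachability of ports 88, 389, 445, 464 and 3268). The SRV record names and the 300-second skew limit are assumptions taken from standard Active Directory and Kerberos behaviour, not from this guide; the resolv.conf text in the test is constructed.

```python
"""Host-side preflight mirroring the console's AD Readiness tests (added example)."""
import socket
from ipaddress import ip_address

# Assumption: Kerberos' default clock-skew tolerance is 5 minutes.
MAX_SKEW_SECONDS = 300


def ad_srv_names(domain):
    """DNS SRV names a DC publishes for LDAP, Kerberos and the GC (assumed, standard AD)."""
    return [
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_gc._tcp.{domain}",
    ]


def parse_resolv_conf(text):
    """Return (nameservers, problems) for resolv.conf-style text."""
    nameservers, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] != "nameserver":
            continue  # 'search', 'options' etc. are not validated here
        if len(parts) != 2:
            problems.append(f"line {lineno}: malformed nameserver entry")
            continue
        try:
            ip_address(parts[1])  # must be a literal IPv4/IPv6 address, not a name
        except ValueError:
            problems.append(f"line {lineno}: {parts[1]!r} is not an IP address")
            continue
        nameservers.append(parts[1])
    if not nameservers:
        problems.append("no nameserver entries")
    return nameservers, problems


def hostname_ok(name):
    """The console rejects a host whose name is 'localhost'."""
    return name.strip().lower() not in ("", "localhost")


def skew_ok(local_epoch, dc_epoch, max_skew=MAX_SKEW_SECONDS):
    """Kerberos fails when host and DC clocks differ by more than max_skew."""
    return abs(local_epoch - dc_epoch) <= max_skew


def tcp_port_open(host, port, timeout=3.0):
    """Live reachability test for 88, 389, 445, 464 and 3268 (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```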

Check AD Readiness dialog

When you select the Check AD Readiness command on the All Hosts view or a host's properties, the Check AD Readiness dialog displays. It is also displayed when you select the Check the host for readiness to join to Active Directory option on the Profile Host dialog.

Table 47: Check AD Readiness dialog

Option: What domain do you want to use for the readiness check?
  Description: Select the name of the Active Directory domain you want to use for the AD readiness check. This should be the same domain that you plan to use when the host is joined to Active Directory.

Option group: Log on to Active Directory for readiness check
  User name: Enter the user name to be used to log on to Active Directory.
  Password: Enter the password associated with the user account entered above.

Log on to Host dialog

The Log on to Host dialog displays whenever you need to enter user credentials to access a host to perform the selected task. The user name and password are pre-populated if you saved the selected host's credentials on the server.

Note: This user must have elevated privileges on the host with rights to install software and configure the join to Active Directory.

Table 48: Log on to Host dialog

Option group: Enter your credentials to log on to the host
  User name: Enter the user name to be used to log on to the selected host.
  Password: Enter the password associated with the user entered above.
  SSH Port: Displays the port number to be used for communication. The default port for SSH is 22; however, you can enter a different port number.
Use elevated credentials (optional)

NOTE: The Log On to Host dialog adds these additional controls when it detects that a task requires elevated credentials.

Choose one of these options from the drop-down menu:

  • sudo - Run task as a superuser, as defined in the sudoers policy file.

    Select this option to run this task as a superuser with elevated privileges. When you select this option, enter the alternate User name.

    NOTE: The User name box defaults to root. You can replace root with another account in the User name field if you specify "%s" instead of root when specifying custom privilege elevation commands in System Settings. (See Setting custom privilege elevation commands for details.)

    NOTE: You do not need to supply the password to the User name you specify because the user and group access rules are configured in the sudoers policy file.

    NOTE: The management console detects whether or not sudo is installed on the host. It defaults to sudo if the host has sudo installed (at profile time). If sudo is not installed, this option is not available; you can only select su.

  • sudo su - Run task as a superuser, as defined in the sudoers policy file.

    Use this command in the same way that you use sudo.

    NOTE: When using the sudo command the user must have permission (as defined in the sudoers file) to run every command in the script (for example, /bin/cp, /bin/chmod, and so forth); the sudo su command only requires the user to have permission to run su.

    Using sudo su is simpler but less secure since giving the user rights to run su allows the user to run any command on the system as root.

  • su - Run task as another user.

    Select this option to run this task as a substitute user with elevated privileges. When you select this option, enter the substitute user credentials in the User name and Password boxes that are activated.

    NOTE: The User name box defaults to root. You can replace root with another account in the User name field if you specify "%s" instead of root when specifying custom privilege elevation commands in System Settings. (See Setting custom privilege elevation commands for details.)

  • pmrun -

    NOTE: This option is only available if the host you are elevating on has the PM Agent installed and joined.

  • <Custom Command> - Run task using a custom privilege elevation command.

    If available, select a customized privilege elevation command to run this task. The command must be pre-configured in System Settings and must exist on the host. (See Setting custom privilege elevation commands for details.)

Save my credentials on the server Select this check box to save the host's credentials on the server.

Note: If you selected multiple hosts, it asks you if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

  • If you selected the Use the same credentials for all selected hosts option, enter the user name and password to log onto the selected hosts, as you would if you selected only a single host.
  • If you selected the Enter different credentials for each selected host option, it displays a grid that allows you to enter a different user name and password for each host listed. Place your cursor in the user name or password cell to activate it and enter the credentials to use.

Review the Authentication Services Readiness report

The Authentication Services Readiness report provides a snapshot of the readiness of each host to join Active Directory.

Note: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

To create the Authentication Services Readiness report

  1. From the management console, navigate to Reporting.
  2. From the Reports view, double-click the Authentication Services Readiness report name.

    The report opens a new Authentication Services Readiness tab on the Reporting tab.

  3. Select or deselect the report parameters to define which details to include in the report:
    • Joined to AD
    • Ready to Join AD
    • Ready to Join AD with Warnings
    • Not Ready to Join AD
    • Not Checked for Readiness
  4. Open the Export drop-down menu and select the format you want to use for the report: PDF, or CSV.

    It launches a new browser or application page and displays the report in the selected format.

Note: When generating multiple reports simultaneously or generating a single report that contains a large amount of data, One Identity recommends that you increase the JVM memory. See JVM memory tuning suggestions for details.
