One Identity Management Console for Unix 2.5.2 - Administration Guide


Active Directory is disabled

Kerberos is a time-sensitive protocol and requires that the clocks on the Management Console for Unix server and your Active Directory domain controllers are synchronized within five minutes. If the Management Console for Unix server gets out of sync with the Active Directory domain controller, Active Directory will be disabled temporarily and you will be instructed to check your Active Directory settings.

During the post install process, if you see an error such as "Can't find domain controller for <domain>", verify that the Management Console for Unix server and Active Directory domain controller clocks are synchronized.

Active Directory tasks are disabled

If you are logged on as an Active Directory account in the Manage Hosts role and the host is joined to Active Directory, but are not able to perform the Active Directory tasks, ensure that you have sufficient permission in Active Directory to perform the task.

Note: Read-only domain controllers do not allow modifications. If you are still unable to perform Active Directory tasks, verify whether any read-only domain controllers exist in the configured forest.

Auditing and compliance

Each action performed by the management console on a remote host is logged to the local syslog file. The syslog messages show you who performed the action, when, and the output (standard error, standard out).

Syslog records any action that makes a change on the host, for example:

  • Add, delete, modify user or group account information
  • Add user to (or remove user from) users.allow
  • Configure Privilege Manager policy server
  • Enable (or disable) Auto Profile, SSH Key login, Auto Authentication Services agent status
  • Install software
  • Join to (or unjoin from) Active Directory or Privilege Manager policy group
  • Map user to (or unmap user from) Active Directory

Note: The messages are logged in the local syslog file. The local host writes them to its audit log files according to its own syslog configuration.

Cannot create a service connection point

To create an SCP for Management Console for Unix

  • While the management console does not need to be configured for Active Directory, Management Console for Unix must be installed on a computer that is joined to an Active Directory domain.
  • The computer object must have access to create child objects under its own computer object.

    Note: The ability for SELF to create and delete child objects is allowed by default, so you should not have problems creating Service Connection Points (SCPs) unless the Discretionary Access Control List (DACL) has been changed to deny the Create all child objects permission.

  • If the console is installed on a Windows host, SSPI must be enabled.

If you cannot create an SCP, check whether the computer where Management Console for Unix is installed is joined to the Active Directory domain.

  • If the computer is NOT joined to the domain, then the Register a Service Connection Point with Active Directory option on the Console Information settings is disabled.

    Note: When Management Console for Unix is installed on a Unix or Linux computer, the Management Console for Unix server may not have access to the keytab file. When Management Console for Unix cannot read the keytab file, it acts as if it is installed on a Unix computer that is not joined to the domain.

  • If the computer is joined to the domain and the creation of the SCP fails, the most likely cause is that the computer Discretionary Access Control List (DACL) 'Create all child objects' was denied for SELF. Using the Active Directory Users and Computers (ADUC) tool, you can check and modify these permissions on the Security tab of the computer's properties. Consult the Microsoft documentation for information about using ADUC.
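The two preconditions above (domain membership and no Deny of "Create all child objects" for SELF on the computer object) can be checked from the Windows host before opening ADUC. The script below is an added example, not part of the One Identity guide; it assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller may read the computer object's ACL.

```powershell
# Added example (not from the One Identity guide): verify the SCP prerequisites
# for a Management Console for Unix server installed on a Windows host.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) is installed.
Import-Module ActiveDirectory

function Test-ScpPrerequisites {
    param(
        # Name of the computer object to inspect; defaults to this host.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $result = [ordered]@{
        ComputerName      = $ComputerName
        JoinedToDomain    = $false
        CreateChildDenied = $false
        DenyingAces       = @()
    }

    # Precondition 1: the host must be joined to an Active Directory domain,
    # otherwise the "Register a Service Connection Point" option is disabled.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.JoinedToDomain = [bool]$cs.PartOfDomain
    if (-not $result.JoinedToDomain) {
        return [pscustomobject]$result
    }

    # Precondition 2: SELF must still be allowed to create child objects under
    # its own computer object. Read the object's DACL through the AD: drive.
    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    # Any Deny ACE for NT AUTHORITY\SELF that includes CreateChild blocks SCP creation.
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        (($_.ActiveDirectoryRights -band $createChild) -ne 0)
    })

    $result.DenyingAces       = $denies | Select-Object ActiveDirectoryRights, ObjectType, InheritanceType
    $result.CreateChildDenied = $denies.Count -gt 0
    return [pscustomobject]$result
}

# Print the findings; a CreateChildDenied of True points at the DACL fix described above.
Test-ScpPrerequisites | Format-List
```

If CreateChildDenied is True, the listed ACEs are the ones to review on the Security tab of the computer's properties in ADUC.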