On PAM-enabled systems you can use the system passwd command to change your Active Directory password.
- Type the following command:
# passwd
Note: On some systems such as HPUX and Oracle Solaris, the /bin/passwd command may not use PAM. In this case you may see output such as:
passwd: Changing password for bsmith
Supported configuration for passwd management are as follows:
passwd: files
passwd: files ldap
passwd: files nis
passwd: files nisplus
passwd: compat
passwd: compat AND
passwd_compat: ldap OR
passwd_compat: nisplus
Please check your /etc/nsswitch.conf file Permission denied
If you see this output, you must use the vastool passwd command to change your Active Directory password.
- To change the password of a local user in the /etc/passwd file, run the following command:
passwd -r files
This instructs the system to change the local password directly rather than using PAM to change the password.
Safeguard Authentication Services provides a feature called "mapped user" where you can map local Unix user accounts to Active Directory user accounts. Local users retain all of their local Unix attributes such as UID Number and Login Shell, but they authenticate using their Active Directory password. Active Directory password policies are enforced. You can map users by editing configuration files on the Unix host.
Advantages of mapped users:
- Provides a rapid deployment path to take advantage of Active Directory authentication
- Kerberos authentication provides stronger security
- Enables centralized access control
- Enforces Active Directory Password policies
- Provides a path for consolidating identities in Active Directory with Ownership Alignment Too (OAT)
- Low impact to existing applications and systems on the Unix host
- Easy to deploy with self-enrollment
By mapping a local user to an Active Directory account, the user can log in with their Unix user name and Active Directory password.
Note: Active Directory password policies are not enforced on HP-UX systems that do not have PAM requisite support. To prevent users from authenticating with their old system account password after mapping, install the freely available PAM Requisite package provided by HP.
Instead of modifying password entries directly, you can map local Unix users to Active Directory accounts using map files.
To configure a user mapping file
- Run the following command as root to enable local map files:
vastool configure vas vas_auth user-map-files /etc/user-map
Note: This example configures Safeguard Authentication Services to use /etc/user-map for user mappings. You can specify any filename.
- Add user mappings to the map file.
The format is <local user name>:<sAMAccountName@domain>.
If you want to map a local user named pspencer to the Active Directory account for pspencer@example.com, add the following line to the file:
pspencer:pspencer@example.com
You can only map the root account to an Active Directory account using the mapped-root-user setting in vas.conf.
To map the root user to an Active Directory account
- Run the following command as root:
vastool configure vas vas_auth mapped-root-user Administrator@example.com
Note: If you specify mapped-root-user on AIX you must set VASMU on the system line of the root section in /etc/security/user. Refer to your AIX system documentation for more information.