Upgrading Authentication Services
The process for upgrading the Authentication Services software packages from an older version is similar to installing it for the first time. The installer detects an older version and automatically upgrades the components.
To upgrade Authentication Services
- Create a directory where you want to store the new Authentication Services client files.
For example, create C:\Program Files\Quest Software\Management Console for Unix\Software\4.n.n.nn
where "4.n.n.nn" is the Authentication Services version number to which you are upgrading.
- Copy the client directory from the ISO to the directory you just created.
- Log in to the management console using the supervisor account.
- From the top-level Settings menu, navigate to System Settings | Authentication Services.
- In the Authentication Services software path box, enter the location of the directory where you copied the Authentication Services client files and click OK.
- On the management console, select the host you want to upgrade and click Install Software.
- Select the Authentication Services agent software components to upgrade and click OK.
- On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
- If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected hosts and click OK.
- If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
- Wait for the task to finish successfully.
Joining host to Active Directory
In order to manage access to a host using Authentication Services for Active Directory, you must join the host to an Active Directory domain. Joining a host to a domain creates a computer account in Active Directory for that host. Once you have deployed and installed the Authentication Services Agent software on a host, use the Join to Active Directory command on the All Hosts view's Join or configure menu to join the host to an Active Directory domain.
To join hosts to Active Directory
- Select one or more hosts from the list on the All Hosts view, open the Join or Configure menu toolbar button and choose Join to Active Directory.
Note: The Join to Active Directory option is only enabled when you select hosts that have the Authentication Services Agent installed.
If you select a host that is already joined to Active Directory, you can 'rejoin' the host to the same Active Directory domain.
- On the Join Host to Active Directory dialog, enter the following information to define how and where you want to join the host to Active Directory:
- Select the Active Directory domain to use for the join operation or enter the FQDN of the Active Directory domain.
Use the same domain you entered when you performed the Check for AD Readiness.
- Optionally enter a name for the computer account for the host.
Leave this field blank to generate a name based on the host's DNS name.
- Click the button to locate and select a container in which to create the host computer account.
- Enter the optional join commands to use.
See Optional join commands for a list of commands available.
- Enter the user name and password to log onto Active Directory.
The user account you enter must have elevated privileges in Active Directory with rights to create a computer account for the host.
- On the Log onto Host dialog, enter the user credentials to access the selected host(s) and click OK.
Note: This task requires elevated credentials. The management console pre-populates this information.
The task progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.
Optional Join commands
You can enter one or more of the following join commands on the Join Host to Active Directory dialog. Separate multiple commands with a single space.
Table 4: Optional join commands
| Command | Description |
| --- | --- |
| -I cache export filename | Load users and groups from the specified cache export file instead of from the network. |
| -c computer_name | Specify a different name for the computer object than the one usually generated from your host name. Specify either the FQDN or NetBIOS name for the computer object. NOTE: If you specified a computer account on the Join Host to Active Directory dialog, the management console ignores this command and uses the computer account you specify on the dialog. |
| -c container | Specify the LDAP DN of the container where the computer will be created. NOTE: If you specified a container on the Join Host to Active Directory dialog, the management console ignores this command and uses the container you specify on the dialog. |
| -l | Do not apply Group Policy Settings (if Authentication Services for Group Policy is installed). |
| -w | Enable workstation mode where users are not cached until they log on. |
| -U | Load all users from the global catalog. The management console loads all Unix-enabled users in the forest, regardless of location and domain. |
| -G | Load all groups from the global catalog. The management console loads all Unix-enabled groups in the forest, regardless of location and domain. |
| -r domain_list | Specify a comma-separated list of alternate authentication domains, used for resolving simple names. |
| -u search_path | Specify an alternate search path from which to populate the user's cache. You must specify a container object within your Active Directory forest in this search path. |
| -g search_path | Specify an alternate search path from which to populate the group's cache. You must specify a container object within your Active Directory forest in this search path. |
| -s siteName | Manually specify the site name for the selected host. |
| -p UPM_search_path | Specify the path of the Primary Personality Container. This command supersedes the -u and -g settings. If the specified UPM search path does not exist, the join command will fail. |
| --skip-config | Skip automatic system configuration of PAM, NSS, LAM and SIA subsystems. |
| --preload-nested-memberships | After loading users or groups, query tokenGroups for all cached users to process nested group membership information. |
| --site-only-usn | For USN queries, only use site servers. Use this command when non-site servers are unavailable, for example, blocked by a firewall. |
| --no-timesync | Skip automatic time synchronization. |
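A pre-flight check for the optional join commands string, as an added example that is not part of the product or its documentation. The command names and their argument counts are transcribed from Table 4; the function name, the `dialog_overrides_c` parameter, the sample DNs, and the parsing rules (split on single spaces, no quoting, values contain no spaces) are assumptions.

```python
# Added example: lint an "optional join commands" string before a bulk join.
# Commands and argument counts come from Table 4; parsing rules are assumed.

TAKES_ARG = {"-I", "-c", "-r", "-u", "-g", "-s", "-p"}
NO_ARG = {"-l", "-w", "-U", "-G", "--skip-config",
          "--preload-nested-memberships", "--site-only-usn", "--no-timesync"}

# Constructed sample input (example.com DNs are placeholders).
SAMPLE = "-w -p OU=UPM,DC=example,DC=com -u OU=Unix,DC=example,DC=com"


def lint_join_commands(text, dialog_overrides_c=False):
    """Return (options, findings) for a join-command string.

    options  -- list of (command, value-or-None) in the order given
    findings -- problems and advisories derived from Table 4
    """
    options, findings = [], []
    tokens = text.strip().split(" ") if text.strip() else []
    if "" in tokens:  # two or more consecutive spaces
        findings.append("separate commands with a single space")
        tokens = [t for t in tokens if t]
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag in TAKES_ARG:
            if i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
                findings.append(f"{flag} requires a value")
                options.append((flag, None))
            else:
                options.append((flag, tokens[i + 1]))
                i += 1  # consume the value
        elif flag in NO_ARG:
            options.append((flag, None))
        else:
            findings.append(f"unknown command: {flag}")
        i += 1
    seen = {flag for flag, _ in options}
    if "-p" in seen and seen & {"-u", "-g"}:
        findings.append("-p supersedes -u and -g")
    if "-c" in seen and dialog_overrides_c:
        findings.append("-c is ignored: the dialog value is used instead")
    if "--skip-config" in seen:
        findings.append("PAM, NSS, LAM and SIA will not be configured")
    return options, findings
```

Pass `dialog_overrides_c=True` when the computer account or container field on the Join Host to Active Directory dialog is filled in, since the console then ignores `-c`.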
Unjoining host from Active Directory
Unjoining a host from the management console removes the computer object from Active Directory, preventing further Active Directory user log on. This task does not remove the Authentication Services Agent software installed on the unjoined host.
Note: This task is only available when you are logged on as an Active Directory account in the Manage Hosts role.
To unjoin hosts from Active Directory
- Select one or more hosts from the list on the All Hosts view, open the Unjoin menu toolbar button and choose Unjoin from Active Directory.
Note: If unjoining multiple hosts, all hosts must be joined to the same domain.
- On the Unjoin Host from Active Directory dialog, enter the user credentials of an Active Directory user that has rights to delete computer objects from the Active Directory domain and click OK.
- On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.
Note: To unjoin the host from Active Directory, Authentication Services requires you to have elevated (root) credentials to complete the task on the host side.
A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered. If successfully unjoined, the Active Directory domain, previously listed in the Joined to Domain column, is replaced with the Ready to join icon if you have previously run Check for AD readiness; otherwise the Joined to Domain column is left empty.