Installing and joining from the Unix command line
Installing and joining from the Unix command line
While you can use Management Console for Unix to install and configure Safeguard Authentication Services as explained in Installing and configuring Safeguard Authentication Services, you can also manually install the Safeguard Authentication Services agent on each Unix, Linux, or macOS host from the command line.
This section walks you through the process of installing the Safeguard Authentication Services Unix agent directly from the command line. For information about installing, upgrading, and uninstalling the Safeguard Authentication Services agent on supported platforms in an enterprise environment using platform package management tools, refer to Enterprise package deployment.
Before installing and configuring the Safeguard Authentication Services Unix agent, One Identity recommends that you run the preflight tool to check a host's suitability to run Safeguard Authentication Services. After you determine that the Unix host is ready, run the Safeguard Authentication Services installation script, install.sh, to install the Unix/Linux agent.
The pre-installation diagnostic tool
One Identity provides the preflight utility to check a host's suitability to run Safeguard Authentication Services by verifying a number of environmental considerations necessary for joining an Active Directory domain.
This utility obtains answers to the following questions:
- Does Safeguard Authentication Services support the host on which this utility is being run?
- Are the operating system and any patches at requisite levels?
- Is there at least one visible domain controller (DC)?
- Are global catalogs available on any of the domain controllers?
- Are all services needed by Safeguard Authentication Services available?
- Is an Safeguard Authentication Services application configuration set up on the target domain?
The preflight command-line utility performs the following verifications.
Install checks:
- Check for supported operating system and correct operating system patches.
- Check for sufficient disk space to install Safeguard Authentication Services.
Join checks:
- Check that the hostname of the system is not localhost.
- Check if the name service is configured to use DNS.
- Check resolv.conf for proper formatting of name service entries and that the host can be resolved.
- Check for a name server that has the appropriate DNS SRV records for Active Directory.
- Detect a writable domain controller with UDP port 389 open.
- Detect Active Directory site, if available.
- Check if TCP port 464 is open for Kerberos kpasswd.
- Check if UDP port 88 and TCP port 88 are open for Kerberos traffic.
- Check if TCP port 389 is open for LDAP.
- Check for a global catalog server and if TCP port 3268 is open for communication with global catalog servers.
- Check for a valid time skew against Active Directory.
- Check for the Safeguard Authentication Services application configuration in Active Directory.
Post-join checks:
- Check if TCP port 445 is open for Microsoft CIFS traffic.
You can find the preflight.sh script at the root of the ISO. This script runs the correct preflight version for your system.
The most important options and arguments to preflight are:
Note: The preflight utility does not make any changes to your system.
Running preflight
To run preflight
- Mount the Safeguard Authentication Services distribution media.
- Enter the following command at the root of the Safeguard Authentication Services ISO:
# ./preflight.sh -u Administrator example.com
where Administrator is your user name and example.com is the name of your domain.
By default, preflight outputs the results of the verifications for the three types of checks (Install checks, Join checks, and Post-join checks) to the console. Run the preflight utility with the --verbose option to obtain detailed information about the various checks in those categories.
The last line of the output tells you whether you are ready to continue deploying Safeguard Authentication Services.
If you did not get a Preflight Checks complete with status Success message, correct any failures indicated before continuing with the Safeguard Authentication Services installation. Be aware of any "Advisories" that it returns, as they may effect your ability to install or join.
Note: If you get a message that says, Unable to locate Safeguard Authentication Services Application Configuration, you can ignore that error for now and proceed with the Safeguard Authentication Services installation. The Safeguard Authentication Services Active Directory Configuration Wizard starts automatically to help you configure Active Directory for Safeguard Authentication Services the first time you start the Control Center. Or, you can create the Safeguard Authentication Services application configuration from the command line, as explained in Creating the application configuration from the Unix command line.
Note: For information about other preflight options, either run preflight --help or refer to the preflight man page located in the docs directory of the installation media. See Resolving preflight failures for additional help in resolving issues.
The install script
Follow the steps in this topic if you are installing a Safeguard Authentication Services 5.0.1 for the first time; that is, if you are not upgrading from VAS 3.5.
The Safeguard Authentication Services installation script, install.sh, installs Safeguard Authentication Services, joins the domain, and allows you to install licenses. You can run the install script in interactive mode by using the -i option. This provides you with a menu of valid operations to perform, including Running preflight.
You can also automate the installation process by running install.sh in "unattended" mode using -q option. In this mode you may specify a set of commands for the script to perform.
Note: For more information on the Safeguard Authentication Services installation script, run:
install.sh --help