
Authentication Services 4.2 - Administration Guide


Managing groups from the Unix command line

Using the vastool command, you can create and delete groups and list group information from the Unix command line.

To create a group, use the vastool create command. The following command creates a group named sales in Active Directory without Unix-enabling it (no GID or other Unix attributes are set):

vastool create -g sales

To create a group that is Unix-enabled, pass a string formatted like a line from /etc/group (name:password:GID:members) as the argument to the -i option. The GID you supply must be unique across the forest and fall within the GID range configured in Control Center (see Local account migration to Active Directory):

vastool create -i "sales:x:1003:" -g sales

By default, all groups created with vastool create are created in the Users container. To create a group in a different organizational unit, use the -c command line option. The following command creates a Unix-enabled group, sales, in the OU=sales,DC=example,DC=com organizational unit:

vastool create -i "sales:x:1003:" -c "OU=sales,DC=example,DC=com" -g sales

To delete a group, use vastool delete with the -g option. The following command deletes the sales group:

vastool delete -g sales

To list groups, use vastool list groups. The following command lists all Unix-enabled groups:

vastool list groups

This command produces output similar to the following, one line per group in the format name:VAS:GID:members:

eng:VAS:1001:jdoe,djones@example.com
it:VAS:1002:molsen
sales:VAS:1003:bsmith

Managing groups with Windows PowerShell

Using Windows PowerShell you can Unix-enable, Unix-disable, modify, report on, and clear Unix attributes of Active Directory groups using the Authentication Services PowerShell commands.

Note: You can access the Authentication Services PowerShell commands from Tools in the Control Center. To add Authentication Services cmdlets to an existing PowerShell session run Import-Module Quest.AuthenticationServices. See PowerShell cmdlets for a complete list of available commands.

To Unix-enable a group, use the Enable-QasUnixGroup command. The following command Unix-enables the Active Directory group named UNIXusers:

Enable-QasUnixGroup -Identity <domain>\UNIXusers

To disable a group for Unix use the Disable-QasUnixGroup command:

Disable-QasUnixGroup -Identity <domain>\UNIXusers

To report on a group, use the Get-QasUnixGroup command. The following command shows all groups whose names start with "sa":

Get-QasUnixGroup -Identity sa

The Authentication Services PowerShell commands are designed to work with the Active Directory commands from Microsoft (Get-ADGroup) and One Identity (Get-QADGroup). You can pipe the output of these commands to any of the Authentication Services PowerShell commands that operate on groups. For example, the following command clears the Unix attributes from the group UNIXusers:

Get-QADGroup -Identity <domain>\UNIXusers | Clear-QasUnixGroup

The Authentication Services PowerShell commands are aware of the options and schema settings configured in Control Center. Scripts written using the Authentication Services PowerShell commands work without modification in any Authentication Services environment.

Overriding Unix group information

You can override group account attributes on the local Unix host. This allows you to use the group information from Active Directory but modify individual attributes on certain hosts as needed. Group overrides are specified in the /etc/opt/quest/vas/group-override configuration file. Overrides are specified as follows:

DOMAIN\sAMAccountName:<Group Name>:<GID Number>:<Group Membership>

DOMAIN\sAMAccountName must refer to a valid Active Directory group account. You can omit any of the Unix account fields. If a field is not specified, it will get the default value for that group. The group membership field consists of a comma-separated list of Active Directory user accounts specified in DOMAIN\sAMAccountName format. For examples, refer to the /etc/opt/quest/vas/group-override.sample file.

You can manage group overrides using Group Policy. For more information, see Account Override policies.

Local account migration to Active Directory

On Unix, a user or group is identified by a 32-bit ID number. This is usually sufficient for individual Unix hosts or NIS environments. As more and more Unix hosts are brought into the Active Directory domain, the possibility for conflicting user and group IDs increases. Ideally, each Unix-enabled Active Directory user or group is assigned a unique ID number and this ID is used across all Unix hosts. In practice, this is difficult to achieve because Unix hosts are often managed independently and user accounts are populated organically which leads to many conflicting or duplicated accounts. Authentication Services provides several mechanisms to help alleviate this problem.

The Authentication Services MMC snap-in provides a Unix Account tab for users and groups. The Unix Account dialog checks UID and GID numbers against the Global Catalog to ensure the value is unique in the forest. In addition, Authentication Services has updated the default method used to generate UID and GID numbers: the generated value is derived from a hash of the account's object GUID, so the same object always produces the same number. The Global Catalog check still applies, because a hash alone cannot guarantee uniqueness.

To avoid conflicting with existing local accounts, Authentication Services provides UID and GID ranges that you can configure in Control Center. The Authentication Services management tools do not allow you to set the UID or GID on an Active Directory object to a value that is outside of the configured range.
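The GID collisions described above can be found from the Unix side before a host is joined. The following POSIX shell script is an added example and is not part of the Authentication Services guide or product: it compares the vastool list groups output format shown earlier (name:VAS:GID:members) with a host's /etc/group, reports every GID that appears in both, and for the real collisions (same GID, different group name) drafts a line in the /etc/opt/quest/vas/group-override format from the Overriding Unix group information section. Both inputs are constructed sample data embedded in the script. The domain name EXAMPLE, the GID floor of 5000, and the reading that an empty field in an override line (for example EXAMPLE\it::5000:) leaves that attribute at its Active Directory default are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the Authentication Services guide: find GID
# collisions between Unix-enabled AD groups and a host's local /etc/group,
# and draft group-override lines for the real collisions.
# Both inputs below are CONSTRUCTED sample data. In production, set
#   AD_GROUPS=$(vastool list groups)      and
#   LOCAL_GROUPS=$(cat /etc/group)

# Constructed sample of `vastool list groups` output: name:VAS:gid:members
AD_GROUPS='eng:VAS:1001:jdoe,djones@example.com
it:VAS:1002:molsen
sales:VAS:1003:bsmith'

# Constructed sample /etc/group: name:password:gid:members.
# "sales" matches the AD group of the same name; "backup" reuses GID 1002,
# which AD has already assigned to "it".
LOCAL_GROUPS='root:x:0:
sales:x:1003:bsmith,tlee
backup:x:1002:
dev:x:2001:jdoe'

# Feed both lists to awk as one stream with AD / LOCAL section markers.
_tagged_stream() {
    printf 'AD\n%s\nLOCAL\n%s\n' "$1" "$2"
}

# gid_conflicts AD_LIST LOCAL_LIST
# Prints one line per GID present in both lists: gid:ad_name:local_name:status
# status is "same-name" (probably the same group, a candidate for OAT
# alignment) or "different-name" (a collision to resolve before joining).
gid_conflicts() {
    _tagged_stream "$1" "$2" | awk -F: '
        /^AD$/    { src = "ad";    next }
        /^LOCAL$/ { src = "local"; next }
        NF < 3    { next }
        src == "ad" { ad[$3] = $1; next }
        ($3 in ad) {
            status = ($1 == ad[$3]) ? "same-name" : "different-name"
            print $3 ":" ad[$3] ":" $1 ":" status
        }'
}

# override_lines DOMAIN AD_LIST LOCAL_LIST FLOOR
# For each different-name collision, emit a /etc/opt/quest/vas/group-override
# line of the form DOMAIN\sAMAccountName:<name>:<gid>:<members>. The name and
# membership fields are left empty so they keep their AD defaults (an
# assumption about how omitted fields are read); the GID is the lowest value
# >= FLOOR that is unused in both lists. DOMAIN and FLOOR are assumptions.
override_lines() {
    _tagged_stream "$2" "$3" | awk -F: -v dom="$1" -v next_gid="$4" '
        /^AD$/    { src = "ad";    next }
        /^LOCAL$/ { src = "local"; next }
        NF < 3    { next }
        { used[$3] = 1 }
        src == "ad" { ad[$3] = $1; next }
        ($3 in ad) && ($1 != ad[$3]) { order[++n] = ad[$3] }
        END {
            for (i = 1; i <= n; i++) {
                while (next_gid in used) next_gid++
                printf "%s\\%s::%d:\n", dom, order[i], next_gid
                used[next_gid] = 1
            }
        }'
}

# Stand-alone run against the constructed data.
echo "GID report (gid:ad_name:local_name:status):"
gid_conflicts "$AD_GROUPS" "$LOCAL_GROUPS"
echo "Draft group-override lines for the EXAMPLE domain, GIDs from 5000:"
override_lines EXAMPLE "$AD_GROUPS" "$LOCAL_GROUPS" 5000
```

A "same-name" line is the normal migration case, where the local group and the Active Directory group are meant to be the same and OAT can align file ownership; a "different-name" line means two unrelated groups share a GID and must be separated, either by changing the Active Directory GID within the configured range or, host by host, with an override line such as the one the script drafts.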

Using Management Console for Unix, you can gather all of the disparate local account information into one console to consolidate and map local users to the appropriate Active Directory account without disrupting normal operation of the Unix hosts.

Once you have mapped all of the local accounts to Unix-enabled Active Directory users, you can use the Ownership Alignment Tool (OAT) to take the final step of adjusting local file permissions and eliminating the local user (and group) accounts. See Managing local file permissions for more information about using OAT.
