Authentication Services 4.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting

Rollback changes

In the event that you want to revert the files back to the original User ID and Group ID, you can use the rollback option.

To change the ownership of a directory and remove the users from the system with oat_changeowner, enter:

oat_changeowner process -b backup_dir -d /home/user -u user_match_file -m

To undo the changes made by the oat_changeowner command, enter:

oat_changeowner rollback -b backup_dir

Changing file ownership using the script

One Identity provides an interactive script, called oat, that walks you through the process of changing file ownerships to match Active Directory. This script calls oat_adlookup, oat_match, and oat_changeowner with appropriate arguments based on responses that you provide.

Note: You must have Authentication Services installed and your system joined to an Active Directory domain to run the interactive script.

To change file ownership

  1. At the command prompt enter:
    /opt/quest/libexec/oat/oat

    The interactive script requests information about:

    1. Active Directory users and passwords
    2. Attributes
    3. Local users and passwords
    4. Group names and path
    5. Path where you want OAT to perform the Ownership Alignment process.

    Note: No changes are made to your system until you have reviewed and approved the list of files and directories.

  2. Enter the requested information or press Enter to accept the default values enclosed in square brackets.
  3. At the end of the interview, it asks you to specify the directory for which you want to change file ownership.

    Typically you would specify "/" for the root directory.

    Note: If you choose "/", it changes the file ownership for every file in your file system. One Identity recommends that you run OAT against a test directory first to confirm your understanding of what OAT does.

    The oat_changeowner script creates a list of files that will be modified.

  4. Review the list of files that will be changed.
  5. If the files in the list are what you want changed, respond with a yes or no.

    oat saves rollback information in a directory called oatwork<date> (where <date> is today's date). For example, in the /var/opt/quest/oat/oatwork20100513/ you would see a list of files similar to this:

    ad_groups
    ad_users
    filelist
    group_mapping
    log

    The log file is especially useful because it lists all the commands or scripts that were run, the options that were passed to them, and any error messages that were produced.

    For more information, refer to the OAT man page. See Using Authentication Services manual pages (man pages) for information about accessing the OAT man page.

OAT file formats

This section describes the syntax of the files produced and used by the OAT process.

Active Directory User Information file

The Active Directory User Information file contains information about Active Directory user accounts. It is produced by oat_adlookup and is passed to oat_match to create a map between Active Directory and local users.

Syntax
<AD account info> ::= [<QAS property overrides>] <user_account_list>
<QAS property overrides> ::= { 'qas-override-property: ' <override> <CRLF> }
<override> ::= <override name> '-attr-name=' <AD_attr_name>
<override name> ::= 'uid-number' |
'gid-number' |
'gecos' |
'username' |
'groupname'
<user_account_list> ::= { <user_account_record> <CRLF> }
<user_account_record> ::= <header_prop> { <CRLF> <info_prop> }
<header_prop> ::= ('dn' | 'distinguishedName') ':' {<white space>} <prop_value>
<info_prop> ::= ( <gecos-attr-name> |
<uid-number-attr-name> |
'sAMAccountName' |
'cn' |
'userPrincipalName' |
'displayName' |
'givenName' |
'sn' |
<username-attr-name> ) ':' <white space>} <prop_value>
<prop_value> ::= {<character>}
        
Sample
dn: CN=Ivan M. Petrovich,CN=Users,DC=a,DC=vmx
gecos: Ivan M. Petrovich
uidNumber: 1001
sAMAccountName: vanya
cn: Ivan M. Petrovich
userPrincipalName: vanya@a.vmx
displayName: Ivan M. Petrovich
givenName: Ivan
sn: Petrovich
Related Documents