
Authentication Services 4.2 - Administration Guide


Configure a Crontab Entry

When you click Add on the Cron Properties dialog, the Crontab Entry Data dialog opens and allows you to configure a crontab entry.

To configure a crontab entry

  1. In the Unix Command field, enter either the full path to the command you want to run or just the command name if it is in the path of the specified user.
  2. In the Username field, enter the login name of the user whose crontab you want to modify.
  3. Under Scheduling Rules, enter the following:

    Minutes: Enter a number from 0 to 59, a comma-separated list of numbers, or a dash-separated range, such as 15-20,59.

    Hours: Enter a number from 0 to 23, a comma-separated list of numbers, or a dash-separated range, such as 18-23,5.

    Day of Month: Enter a number from 1 to 31, a comma-separated list of numbers, or a dash-separated range, such as 14-20,31.

    Month: Enter a number from 1 to 12, a comma-separated list of numbers, or a dash-separated range, such as 1-6,12.

    Day of Week: Enter a number from 0 to 6, a comma-separated list of numbers, or a dash-separated range, such as 6,1-4. Sunday is 0.

  4. Click OK to close the dialog.
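The scheduling rules above can be checked before an entry is distributed to hosts. The following is an added example, not part of Authentication Services: it accepts only the forms this page documents (a number, a comma-separated list, or a dash-separated range) within the stated limits, and the entry dictionary layout and function names are assumptions made for illustration.

```python
import re

# Ranges as documented for the Scheduling Rules fields (Sunday is 0).
FIELD_RANGES = {
    "minutes": (0, 59),
    "hours": (0, 23),
    "day_of_month": (1, 31),
    "month": (1, 12),
    "day_of_week": (0, 6),
}
PART = re.compile(r"([0-9]+)(?:-([0-9]+))?")


def parse_field(name, text):
    """Expand one field to its sorted list of values, or raise ValueError."""
    low, high = FIELD_RANGES[name]
    values = set()
    for part in text.split(","):
        match = PART.fullmatch(part.strip())
        if match is None:
            raise ValueError(f"{name}: {part!r} is not a number or a range")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) is not None else start
        if start > end:
            raise ValueError(f"{name}: range {part!r} runs backwards")
        if start < low or end > high:
            raise ValueError(f"{name}: {part!r} is outside {low}-{high}")
        values.update(range(start, end + 1))
    return sorted(values)


def check_entry(entry):
    """Return (errors, warnings) for one entry dict (hypothetical layout)."""
    errors, warnings = [], []
    for name in FIELD_RANGES:
        try:
            parse_field(name, entry[name])
        except ValueError as exc:
            errors.append(str(exc))
    # A bare command name is allowed, but what runs then depends on PATH.
    if not entry["command"].startswith("/"):
        warnings.append("command is not a full path; it resolves through "
                        f"the PATH of user {entry['username']!r}")
    return errors, warnings
```
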

Files policy

The Files policy allows you to add, edit, or remove file settings. You can also edit a specific file listed in the File Path field.

The Files policy allows administrators to specify a list of files to copy to Unix hosts. When you add files to the Files policy, Group Policy copies the specified source files to the GPT on SYSVOL. Unix agents download the files from SYSVOL when they apply policy.

You can specify the target path, ownership, and permissions for each file. File policies provide all of the advantages of Group Policy's built-in undo mechanism. When you unlink or delete file policies, the associated files on the host are deleted or replaced with their previous contents, unless you select the Copy Files Permanently option. If no source is specified, the Group Policy agent searches for the target file and sets the specified ownership and permissions. The ownership and permissions are restored when the policy is un-applied.

Files policies can be overridden. If there are multiple policies affecting the same file entry, the permissions, ownership, and contents of the file are dictated by the lowest policy in the hierarchy affecting that file or the highest enforced policy affecting that file in the hierarchy.

Files policy supports non-tattooing, block inheritance, ACL filtering, and enforced settings. Multiple entries with the same target are resolved according to the Group Policy Conflict Resolution rules.

Configure a File policy

You can configure the Files policy to copy a standard /etc/hosts file to a Unix agent using the Group Policy Object Editor (GPOE).

To configure the Files policy

  1. Create the hosts file that you would like to distribute through Authentication Services.

    Ensure that the file is accessible from your Windows computer.

  2. Start the Group Policy Editor.
  3. Navigate to and select the Unix Settings | Quest Authentication Services | Client Configuration node in the left-hand results pane.
  4. Double-click Files in the results pane.

    The Files Properties dialog opens.

  5. Click Add.

    The File Settings dialog opens.

  6. In the Target File Path field, type the full path for the target file in Unix path format.

    The path must start with a "/", for example: /etc/hosts

  7. In the User Name field, type the name of the user that will own this file.

    If the user does not exist on the Unix host, this defaults to root.

    Note: Typically /etc/hosts is owned by root.

  8. In the Group Name field, type the name of the group that will own this file.

    If the group does not exist on the Unix host, this defaults to root (or system on AIX).

  9. Click the Set User Rights option to indicate you want to explicitly specify the permissions for the user that owns the file.

    Note: If this option is not set, the permissions default to the permissions for the target file on the target machine. If the file does not already exist on the target machine, the permissions on the new file default to read/write for the user.

  10. Click the Set Group Rights option to indicate that you would like to explicitly specify the permissions for the group that owns the file.

    Note: If this option is not set, the permissions default to the permissions on the existing file. If the file does not exist, the permissions default to none.

  11. Click the Set Other Rights option to indicate you want to explicitly specify the permissions for everyone.

    Note: If this option is not set, the permissions default to the permissions on the existing file. If the file does not exist, the permissions default to none.

  12. Click Browse to select a source file.
  13. Select the file you created in Step 1.
  14. Select the Copy File Permanently option to permanently copy the file.

    By default, Authentication Services removes copied files when the policy no longer applies. If the policy overwrote an existing file, it will be restored when policy is un-applied.

  15. Click OK.

    The file you just configured displays in the list of files to copy.

  16. Select the Copy As User Applying Policy option to copy the file as the user applying policy.

    By default, Authentication Services removes copied files when the policy no longer applies.

  17. Click OK.

    The file you just configured displays in the list of files to copy.
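The permission defaults in steps 9 through 11 decide the mode a distributed file ends up with, and that is worth checking on the host after policy applies. The following is an added example, not Authentication Services code: `effective_mode` models the documented defaults and `audit_file` compares a file on disk with what was intended; both function names and the octal-digit representation of the rights options are assumptions. With no rights options selected, a newly created file comes out as 0600.

```python
import os
import stat


def effective_mode(existing_mode, user=None, group=None, other=None):
    """Mode that results from the Set User/Group/Other Rights options.

    existing_mode: mode of the target file, or None if it does not exist.
    user, group, other: permission digit 0-7 when the matching option is
    selected, None when it is left unset.
    """
    if existing_mode is None:
        # Documented defaults for a new file: read/write for the user,
        # none for the group, none for everyone else.
        defaults = (6, 0, 0)
    else:
        mode = stat.S_IMODE(existing_mode)
        defaults = ((mode >> 6) & 7, (mode >> 3) & 7, mode & 7)
    chosen = (user, group, other)
    u, g, o = (c if c is not None else d for c, d in zip(chosen, defaults))
    return (u << 6) | (g << 3) | o


def audit_file(path, expected_mode, expected_uid, expected_gid):
    """Return a list of findings for one distributed file (empty means OK)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    actual = stat.S_IMODE(st.st_mode)
    if actual != expected_mode:
        findings.append(
            f"{path}: mode {actual:04o}, expected {expected_mode:04o}")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: uid {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        findings.append(f"{path}: gid {st.st_gid}, expected {expected_gid}")
    if actual & stat.S_IWOTH:
        findings.append(f"{path}: writable by everyone")
    return findings
```
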

Text replacement macros

The Text Replacement Macros tab allows policies to be dynamically adjusted as policy is being applied on the Unix host. Any text specified in the policy either directly by the user or in files that are placed on the target system can be aliased to a command or environment variable.

For example, you might have a policy that uses the hostname as part of a policy setting. You can create a Text Replacement Macro called %%HOSTNAME%% and specify that this macro text be replaced by the output of the /bin/hostname command. This makes it possible for a single GPO to serve as a template on a wide range of Unix systems.
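To preview what a template would contain on a given host, the substitution can be modelled outside the product. The following is an added example and not how Authentication Services implements macros: the `%%NAME%%` pattern is generalised from the single `%%HOSTNAME%%` example above, and the `macros` mapping format is an assumption. Commands run from an argument list without a shell, and text that names an undefined macro is left unchanged.

```python
import os
import re
import subprocess

# Assumed macro syntax, generalised from the %%HOSTNAME%% example.
MACRO = re.compile(r"%%([A-Z0-9_]+)%%")


def expand_macros(text, macros, timeout=5):
    """Replace %%NAME%% markers in text.

    macros maps a macro name to ("command", [argv...]) or
    ("env", "VARIABLE_NAME"); this mapping format is hypothetical.
    """
    cache = {}

    def value_of(name):
        if name not in cache:
            kind, source = macros[name]
            if kind == "command":
                # No shell: the argument list is executed as given, so
                # nothing in the policy text is interpreted as shell syntax.
                result = subprocess.run(source, capture_output=True,
                                        text=True, timeout=timeout,
                                        check=True)
                cache[name] = result.stdout.strip()
            elif kind == "env":
                cache[name] = os.environ.get(source, "")
            else:
                raise ValueError(f"unknown macro kind {kind!r}")
        return cache[name]

    def replace(match):
        name = match.group(1)
        # Undefined macros stay visible instead of silently vanishing.
        return value_of(name) if name in macros else match.group(0)

    return MACRO.sub(replace, text)


if __name__ == "__main__":
    sample = "127.0.1.1 %%HOSTNAME%%"  # constructed template line
    print(expand_macros(sample, {"HOSTNAME": ("command", ["/bin/hostname"])}))
```
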
