Authentication Services 4.2 - Administration Guide


Forcing lowercase names

In some environments, user and group names in Active Directory are upper case or mixed case, while user and group names on Unix systems are conventionally lowercase. Because Unix compares names case-sensitively, a name such as JSmith and the name jsmith would otherwise be treated as two different accounts. You can have the Authentication Services name service module force user and group names to lowercase.

To enable this, add the following line to the [nss_vas] section of vas.conf:

lowercase-names = true

To apply the change, either restart vasd or flush the Authentication Services cache. Afterwards, confirm with getent passwd or id that the names are now returned in lowercase.
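As an added example that is not part of the guide or of One Identity's tooling, the following POSIX shell script makes the vas.conf edit above idempotently (replacing a stale value, adding the section if it is missing) and then checks the result. It assumes only the [nss_vas] section name and the lowercase-names key shown above; the file path is a parameter so the functions can be exercised on a constructed copy, and the vastool flush command in its final comment is assumed to be the cache flush the text refers to.

```shell
#!/bin/sh
# Added example (not One Identity's tooling): force lowercase names by
# setting "lowercase-names = true" in the [nss_vas] section of a
# vas.conf-style file, idempotently, then verify the result.
# The file path is a parameter so the functions can be exercised on a
# constructed copy before touching the live vas.conf.
set -eu

# set_lowercase_names FILE
# Ensures FILE has a [nss_vas] section containing exactly one
# "lowercase-names = true" line. A stale or duplicate value is replaced,
# a missing section is appended, and every other line is left untouched.
set_lowercase_names() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk '
        BEGIN { in_nss = 0; seen = 0; done = 0 }
        /^[[:space:]]*\[/ {
            # leaving [nss_vas] without having written the key: write it now
            if (in_nss && !done) { print "lowercase-names = true"; done = 1 }
            in_nss = ($0 ~ /^[[:space:]]*\[nss_vas\][[:space:]]*$/)
            if (in_nss) seen = 1
            print; next
        }
        in_nss && /^[[:space:]]*lowercase-names[[:space:]]*=/ {
            if (!done) { print "lowercase-names = true"; done = 1 }
            next   # drop duplicate or stale values
        }
        { print }
        END {
            if (in_nss && !done) print "lowercase-names = true"
            if (!seen) { print ""; print "[nss_vas]"; print "lowercase-names = true" }
        }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # overwrite in place, keeping the original mode and owner
    rm -f "$tmp"
}

# lowercase_names_enabled FILE
# Exit 0 only if the [nss_vas] section of FILE sets lowercase-names = true.
lowercase_names_enabled() {
    awk '
        /^[[:space:]]*\[/ { in_nss = ($0 ~ /^[[:space:]]*\[nss_vas\][[:space:]]*$/); next }
        in_nss && /^[[:space:]]*lowercase-names[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample vas.conf with the option set to false; not a real host's file.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[vasd]
# constructed sample, other settings omitted

[nss_vas]
lowercase-names = false

[pam_vas]
# constructed sample, other settings omitted
EOF

set_lowercase_names "$demo_conf"
lowercase_names_enabled "$demo_conf" && echo "lowercase-names = true is set in $demo_conf"
# On a live host the guide says to restart vasd or flush the cache afterwards;
# "vastool flush" is assumed here to be that cache flush. Then check with
# "getent passwd <name>" that names come back lowercase.
```

Run it against a copy of the real vas.conf first; the check function is the part worth keeping in a configuration audit, since it fails on a commented-out key or a value other than true.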

Configuring PAM

Pluggable Authentication Modules (PAM) is a common Unix authentication API; a PAM module is an implementation of that API. PAM modules can be stacked so that a single Unix host authenticates against several back-end providers. Authentication Services provides its own PAM module, pam_vas, for Active Directory authentication.

Depending on the platform, PAM is controlled either by settings in /etc/pam.conf or by service-specific files in the /etc/pam.d directory. When you join the domain, Authentication Services automatically configures PAM to use the Authentication Services PAM module.

Using VASTOOL to configure PAM

vastool can update the PAM configuration files on your system for you.

To modify the PAM configuration

  1. To configure PAM to use the Authentication Services PAM module, execute the following command as root:
    vastool configure pam
  2. To remove the Authentication Services PAM module configuration, run the following command as root:
    vastool unconfigure pam

When you join the domain, PAM is configured for all existing services. If you later install a service that requires its own PAM configuration, you can configure that service individually with vastool.

  3. To configure sshd to use the Authentication Services PAM module, execute the following command as root:
    vastool configure pam sshd
  4. To remove the PAM configuration from sshd, execute the following command as root:
    vastool unconfigure pam sshd
  5. After modifying the PAM configuration, restart the affected services so they reload it. Test the change from a second session before closing the one you used to make it: a faulty PAM stack for a service such as sshd can lock you out of the host.

Home directory creation

By default, Authentication Services creates a user's home directory if it does not exist, using native operating system methods. The directory is created with permissions 0700 (readable, writable, and searchable only by its owner) and is owned by the user. Authentication Services can only create home directories on local file systems.

On systems where home directories are stored on network file servers, it is often useful to disable automatic home directory creation. To do so, edit the PAM configuration file (/etc/pam.conf or /etc/pam.d/<service>) as root and remove the create_homedir option from the pam_vas.so auth line. Because each file under /etc/pam.d is separate, repeat this for every service whose auth line carries the option. For example, if the auth line looks like:

auth sufficient pam_vas.so create_homedir

The modified entry will look like the following:

auth sufficient pam_vas.so
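As an added example that is not the guide's or One Identity's own code, this POSIX shell script performs the edit above on every pam_vas.so auth line in a file, handling both the /etc/pam.d/<service> layout (type in the first column) and the /etc/pam.conf layout (service name first, type second), keeps a backup, and verifies that create_homedir is gone. It assumes nothing about pam_vas beyond the create_homedir option shown; the file path is a parameter and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not One Identity's tooling): turn off automatic home
# directory creation by removing the create_homedir option from every
# pam_vas.so auth line in a PAM configuration file, then verify the edit.
# Handles both layouts the guide names: /etc/pam.d/<service> (type is the
# first field) and /etc/pam.conf (service name first, type second).
# The file path is a parameter so you can test on a copy first.
set -eu

# disable_create_homedir FILE
# Keeps a FILE.bak copy, then drops the create_homedir token from each
# non-comment auth line that loads pam_vas.so. Other options and lines
# are left untouched.
disable_create_homedir() {
    pamfile="$1"
    cp -p "$pamfile" "$pamfile.bak"
    tmp="$pamfile.tmp.$$"
    awk '
        /^[[:space:]]*#/ { print; next }            # comments pass through
        ($1 == "auth" || $2 == "auth") && /pam_vas\.so/ {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "create_homedir") continue
                out = (out == "" ? $i : out " " $i)
            }
            print out; next
        }
        { print }
    ' "$pamfile" > "$tmp"
    cat "$tmp" > "$pamfile"   # overwrite in place, keeping mode and owner
    rm -f "$tmp"
}

# create_homedir_enabled FILE
# Exit 0 if any non-comment pam_vas.so auth line in FILE still carries create_homedir.
create_homedir_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        ($1 == "auth" || $2 == "auth") && /pam_vas\.so/ {
            for (i = 1; i <= NF; i++) if ($i == "create_homedir") found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample of an /etc/pam.d/sshd-style file; not copied from a real host.
demo_pam=$(mktemp)
cat > "$demo_pam" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_vas.so create_homedir
auth       required     pam_unix.so
account    sufficient   pam_vas.so
account    required     pam_unix.so
session    required     pam_unix.so
EOF

disable_create_homedir "$demo_pam"
if create_homedir_enabled "$demo_pam"; then
    echo "create_homedir still present in $demo_pam" >&2
    exit 1
fi
echo "create_homedir removed; backup at $demo_pam.bak"
# Per the guide, restart the affected service (here sshd) after the change,
# and test a fresh login from a second session before closing the current one.
```

The check function is the useful half for a fleet: run it over /etc/pam.conf and every file in /etc/pam.d to find services that would still create local home directories.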