The following table details the encryption types used in Safeguard Authentication Services.
Encryption types | Specification | Active Directory version | Safeguard Authentication Services version |
---|---|---|---|
KERB_ENCTYPE_DES_CBC_CRC | |||
CRC32 | RFC 3961 | All | All |
KERB_ENCTYPE_DES_CBC_MD5 | |||
RSA-MD5 | RFC 3961 | All | All |
KERB_ENCTYPE_RC4_HMAC_MD5 | |||
RC4-HMAC-MD5 | RFC 4757 | All | All |
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 | |||
HMAC-SHA1-96-AES128 | RFC 3961 | Windows Server 2008 + | 3.3.2+ |
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 | |||
HMAC-SHA1-96-AES256 | RFC 3961 | Windows Server 2008 + | 3.3.2+ |
One Identity recommends that you install One Identity Management Console for Unix, a separate One Identity product that provides a management console that is a powerful and easy-to-use tool that dramatically simplifies deployment of Safeguard Authentication Services agents to your clients. The management console streamlines the overall management of your Unix, Linux, and macOS hosts by enabling centralized management of local Unix users and groups and providing granular reports on key data and attributes.
Prior to installing Management Console for Unix, ensure your system meets the minimum hardware and software requirements for your platform.
Component | Requirements |
---|---|
Supported platforms |
Can be installed on the following configurations:
|
Server requirements |
The Management Console for Unix server requires Java 8 (also referred to as JRE 8, JDK 8, JRE 1.8, and JDK 1.8). |
Managed Host Requirements |
Click www.oneidentity.com/products/safeguard-authentication-services/ to view a list of Unix, Linux, and Mac platforms that support Safeguard Authentication Services. Click www.oneidentity.com/products/privilege-manager-for-unix/ to review a list of Unix and Linux platforms that support Privilege Manager for Unix. Click www.oneidentity.com/products/privilege-manager-for-sudo/ to review a list of Unix, Linux, and Mac platforms that support Safeguard for Sudo. Considerations:
|
Default memory requirement |
1024 MB NOTE: See JVM memory tuning suggestions in the One Identity Management Console for Unix Administration Guide for information about changing the default memory allocation setting in the configuration file. |
Safeguard Authentication Services must be able to communicate with Active Directory, including domain controllers, global catalogs, and DNS servers using Kerberos, LDAP, and DNS protocols. The following table summarizes the network ports that must be open and their function.
Port | Function |
---|---|
389 | Used for LDAP searches against Active Directory Domain Controllers. TCP is normally used, but UDP is used when detecting Active Directory site membership. |
3268 | Used for LDAP searches against Active Directory Global Catalogs. TCP is always used when searching against the Global Catalog. |
88 | Used for Kerberos authentication and Kerberos service ticket requests against Active Directory Domain Controllers. TCP is used by default. |
464 | Used for changing and setting passwords against Active Directory using the Kerberos change password protocol. Safeguard Authentication Services always uses TCP for password operations. |
53 | Used for DNS. Since Safeguard Authentication Services uses DNS to locate domain controllers, DNS servers used by the Unix hosts must serve Active Directory DNS SRV records. Both UDP and TCP are used. |
123 | UDP only. Used for time-synchronization with Active Directory. |
445 | CIFS port used to enable the client to retrieve configured group policy. |
Note: Safeguard Authentication Services, by default, operates as a client, initiating connections. It does not require any firewall exceptions for incoming traffic.
Joining the domain using VASTOOL
Unattended joining using Offline Domain Join (ODJ) credentials
Joining the domain using VASJOIN script
Using manual pages (man pages)
Handling platform limitations on user name length
Configuring Name Service Switch (NSS)
Using VASTOOL to configure NSS
Using VASTOOL to configure PAM
Using VASTOOL to configure AIX
Using VASTOOL to configure SELinux
Configuring netgroup support with name service
Unconfiguring netgroup support with name service
Working with read-only domain controllers
This section explains Safeguard Authentication Services administration and configuration details relevant to administrators who are integrating Unix hosts with Active Directory.
A separate Administration Guide for macOS is available on the distribution media. While many of the concepts covered in this guide apply to macOS it is recommended that you refer to the Safeguard Authentication Services macOS Administration Guide first when working with macOS.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center