In order to manage a Unix host from the management console, you must first add the host. Go to the Hosts tab of the management console to either manually enter hosts or import them from a file.
To add hosts to the management console
Once added, the Host column displays the value you enter. The management console uses that value to connect to the host. You can rename the host if it has not been profiled using the Rename Host command on the Host panel of the tool bar. After a host is profiled, the only way to change what is displayed in the Host column is to remove the host from the console and re-add it. For example, if you add a host by its IP address, the IP address displays in the Host column (as well as in the IP Address column); to change what is displayed in the Host column, you must use the Remove from console tool bar button to remove the host from the console; then use the Add Hosts button to re-add the client by its host name. If you had profiled the host before removing it, you will have to re-profile it after re-adding it.
Once imported, the host addresses display in the Add Host dialog list.
Note: The valid format for an import file is:
See Known_hosts File Format in the online help for more information about the supported known_hosts file format.
Note: If you add more hosts to the list than selected in the Rows to show drop-down menu in the View panel of the tool bar, this option is disabled.
The management console lists hosts that were successfully added on the All Hosts view by the FQDN, IP address, or short name of the hosts you entered in the Add Hosts dialog.
Profiling imports information about the host, including local users and groups, into the management console. It is a read-only operation and no changes are made to the host during the profiling operation. Profiling does not require elevated privileges.
To profile hosts
If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
Once saved, the management console uses these credentials to access the host during this and subsequent sessions.
Note: If you do not save a password to the server, the user name and password fields will be blank the first time the management console needs credentials to complete a task on the host during a logon session. Once entered, the management console caches the user name and password, reuses these credentials during the current session, and pre-populates the user name and password fields in subsequent tasks during the current logon session.
If you choose to save a host's credentials to the server, the management console encrypts the credentials and saves them in the Java keystore. Saved user names and passwords persist across logon sessions, and when needed, the management console pre-populates the user name and password fields each subsequent time it needs them to perform a task. For more information, see Caching Unix Host Credentials in the online help.
Note: When profiling one or more hosts, you must accept at least one key before continuing. The management console only profiles hosts with accepted keys.
By default, the Automatically accept SSH keys option is selected. This enables the management console to automatically accept the SSH key for all selected hosts that do not have a previously cached key. When it accepts the key, the console adds it to the accepted-keys cache on the Management Console for Unix server. If you clear the Automatically accept SSH keys option, when the management console encounters a modified key, it opens the Validate Host SSH Keys dialog, allowing you to manually accept keys that are encountered. Once you have manually verified the fingerprint, the console adds the SSH host keys to the accepted-keys cache.
Note: Once you profile a host, all future tasks that involve an SSH connection verify the SSH host key against the accepted-keys cache. When profiling, if the console encounters a modified key, the profile task prompts you to accept any new or changed keys. When performing any SSH action other than profile, if the console encounters a different SSH key, the task fails. To update the accepted-keys cache for the host, you can either profile or reprofile the host, accept the new key, and try the task again. Or, you can import a new SSH host key from the host's properties or from the All Hosts view. See Import SSH Host Key or Managing SSH Host Keys in the online help for more information.
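The accepted-keys cache behaviour described above, written out as shell functions. This is an added example, not code from the Management Console for Unix; the cache file format (one "host fingerprint" pair per line), the function names, and treating a missing cache entry on a non-profile task as a failure are assumptions.

```shell
# cached_fp CACHE HOST: print the fingerprint cached for HOST, if any.
cached_fp() {
    awk -v h="$2" '$1 == h { print $2; exit }' "$1"
}

# key_decision CACHE HOST FP TASK AUTO_ACCEPT: print what the console does
# when HOST presents fingerprint FP. TASK is "profile" or "other";
# AUTO_ACCEPT is "yes" or "no" (the Automatically accept SSH keys option).
#   ok      cached key matches; the connection proceeds
#   accept  profile task, no cached key, auto-accept on: key is cached
#   prompt  profile task: Validate Host SSH Keys dialog for a new or changed key
#   fail    any other task: key missing (assumption) or different; task fails
key_decision() {
    have=$(cached_fp "$1" "$2")
    if [ -n "$have" ] && [ "$have" = "$3" ]; then
        echo ok
    elif [ "$4" != profile ]; then
        echo fail
    elif [ -z "$have" ] && [ "$5" = yes ]; then
        echo accept
    else
        echo prompt
    fi
}

# accept_key CACHE HOST FP: record FP for HOST after the operator has verified
# the fingerprint, replacing any earlier entry for that host.
accept_key() {
    tmp="$1.tmp"
    awk -v h="$2" '$1 != h' "$1" > "$tmp" \
        && printf '%s %s\n' "$2" "$3" >> "$tmp" \
        && mv "$tmp" "$1"
}
```

The "fail" path is the safe default: a changed host key on a routine task is never accepted silently, only through an explicit profile or key import.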
A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.
To keep the Management Console for Unix database up to date with accurate information about users, groups, and One Identity products, you can configure the management console to profile hosts automatically.
BEST PRACTICE: Configure newly added hosts for auto-profiling before you perform any other actions so that the management console dynamically updates user and group information. See UID or GID Conflicts in the online help.
Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changes on the host, it triggers a profile operation.
The cron job detects changes to the following:
The cron job also sends a heartbeat every day. This updates the Last profiled date displayed on the host properties. If the Last profiled date is more than 24 hours old, the host icon changes to indicate that no heartbeat has been received.
To configure automatic profiling
Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same "auto-profile" state; that is, they all have Auto-profiling turned on, or they all have Auto-profiling turned off.
When you choose to create the user service account on the host, if it does not already exist, the management console does the following:
-OR-
Click Select to browse for a user.
Whether you choose to create the user service account or use an existing user account, the management console:
Adds the user account (the "questusr" or your existing user account) to the cron.allow file, if necessary. For example, the console takes no action if the cron.allow file does not already exist, but there is a cron.deny file:
| cron.allow | cron.deny | Console's action | Resultant user access |
|---|---|---|---|
| NO | NO | Creates cron.allow and adds root and questusr to it | Both root and questusr have access. |
| NO | YES | No action | All users have access except those in cron.deny; questusr has access unless explicitly denied. |
| YES | NO | Adds questusr to cron.allow | Users in cron.allow have access. |
| YES | YES | Adds questusr to cron.allow | Users in cron.allow have access unless in cron.deny. |
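The decision table above as shell functions, useful for auditing a host's cron access lists before and after auto-profiling is enabled. This is an added example, not the console's own code: `cron_action` reports the Console's action column, `apply_cron_policy` performs it idempotently, and `has_cron_access` evaluates the Resultant user access column. The directory argument stands in for /etc so the logic can be run against a scratch directory, and the user name is whatever service account you pass ("questusr" or an existing account).

```shell
# cron_action DIR USER: the console's action for the current file state.
cron_action() {
    if [ ! -e "$1/cron.allow" ] && [ ! -e "$1/cron.deny" ]; then
        echo "create cron.allow with root and $2"
    elif [ ! -e "$1/cron.allow" ]; then
        echo "no action"
    else
        echo "add $2 to cron.allow"
    fi
}

# apply_cron_policy DIR USER: perform that action; safe to run repeatedly.
apply_cron_policy() {
    allow="$1/cron.allow"
    if [ ! -e "$allow" ] && [ ! -e "$1/cron.deny" ]; then
        printf 'root\n%s\n' "$2" > "$allow"
    elif [ -e "$allow" ]; then
        grep -qx "$2" "$allow" || echo "$2" >> "$allow"
    fi
}

# has_cron_access DIR USER: exit 0 if USER ends up with cron access under the
# table's access column (listed in cron.allow when that file exists, and never
# listed in cron.deny). Check crontab(1) on your platform: some cron
# implementations ignore cron.deny entirely once cron.allow exists.
has_cron_access() {
    allow="$1/cron.allow"; deny="$1/cron.deny"
    if [ -e "$deny" ] && grep -qx "$2" "$deny"; then
        return 1
    fi
    if [ -e "$allow" ]; then
        grep -qx "$2" "$allow"
    else
        return 0
    fi
}
```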
Note: If you receive an error message saying you could not log in with the user service account, refer to Service Account Login Fails in the online help to troubleshoot this issue.
The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.
If questusr is inadvertently deleted from the console, the console turns auto-profiling off.
To re-create the "questusr" account
Note: This task requires elevated credentials.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
To disable automatic profiling
When you disable auto-profiling for a host, the management console:
Once you install the software on your remote hosts, the management console allows you to perform a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain. Running the readiness checks does NOT require elevated privileges.
Note: This task is only available when you are logged on as supervisor or an Active Directory account in the Manage Hosts role. See Roles and Permissions System Settings in the management console online help for more information.
To check hosts for Active Directory Readiness
If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, including any failures or advisories encountered. To see the AD Readiness check results, open the host's property page and select the Readiness Check Results tab.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.