Enabling local user for AD authentication
This feature, also known as user mapping, allows you to associate an Active Directory user account with a local Unix user. Allowing a local user to log into a Unix host using Active Directory credentials enables that user to take advantage of the benefits of Active Directory security and access control.
To enable a local user for Active Directory authentication
In the mangement console, navigate to Hosts | All Hosts.
Double-click a host to open its properties.
From a host's properties, select the Users tab and double-click a local user account to open its Properties.
On the AD Logon tab, select the Require an AD Password to logon to Host option, and click Select.
On the Select AD User dialog, select the ADuser account and click OK.
On the local user's properties, click OK.
On the Log on to Host dialog, verify your credentials to log onto the host and click OK.
Note: This task requires elevated credentials.
You have now "mapped" a local user to an Active Directory user and the mangement console indicates that the local user account requires an Active Directory password to log onto the Host in the AD User column.
You can also map multiple Unix users to use a single Active Directory account using the Require AD Logon pane on the All Local Users tab.
To assign (or "map") a Unix user to an Active Directory user
- From the All Local Users tab, select one or more local Unix users.
- In the Require AD Logon pane, click the Search button to populate the list of Active Directory users.
(Click the Directory button to search in a specific folder.)
- Select an Active Directory user and click the Require AD Logon to Host button at the bottom of the Require AD Logon pane.
- On the Log on to Host dialog, verify your credentials to log onto the host and click OK.
Note: This task requires elevated credentials.
The Active Directory user assigned to the selected local Unix user displays in the AD User column of the All Local Users tab.
Listing local users required to use AD authentication
You can view a list of the host accounts that are required to log on using a particular Active Directory account from the All Local Users tab of the mangement console.
To view local user accounts required to log on with an Active Directory Account
- From the All Local Users tab of the mangement console, click the AD User column title to sort the list of users by those required to log on with an Active Directory user account.
- Right-click a user name and choose Properties to open its properties.
- Select the AD Logon tab to view or modify the Active Directory user properties.
To see which local user accounts are enabled to use Active Directory account credentials
- From the Active Directory tab, search for users.
- Double-click a user name to open its properties.
- Select the Local User Accounts tab to display a list of all the local user accounts that are required to log on using the selected Active Directory user account.
Note: The Local Unix Users with AD Logon report is another way to identify the local user accounts that are required to use Active Directory credentials. See Reports.
Testing the mapped user login
Once you have "mapped" a local user to an Active Directory user, you can log into the local Unix host using your local user name and the Active Directory password of the Active Directory user to whom you are "mapped". The Control Center offers a simple way to log into the host.
To test the mapped user login
- From the Control Center, under Login to remote host:
Click Login to log onto the Unix host with your local user account.
- If the PuTTY Security Alert dialog opens, click Yes to accept the new key.
- Enter the password for ADuser, the Active Directory user account you mapped to localuser, when you selected the Require an AD Password to logon to Host option on the user's properties.
- At the command line prompt, enter id to view the Unix account information.
- Enter /opt/quest/bin/vastool klist to see the credentials of the Active Directory user account.
- Enter exit to close the command shell.
You just learned how to manage local users and groups from themangement console by mapping a local user account to an Active Directory user account. You tested this by logging into the Unix host with your local user name and the password for the Active Directory user account to whom you are "mapped".
Configuring the console to recognize Unix attributes in AD
Configuring the mangement console to recognize Unix attributes in Active Directory, enables these features:
- Unix Account tab on the user and group properties
- Ability to query Unix-enabled users or groups
- Reports that include Active Directory Unix information
There are two ways to configure the mangement console to recognize Unix attributes in Active Directory:
- Installing Authentication Services 4.0 or greater in your Active Directory domain and creating the Authentication Services application container in your forest. See Configure Active Directory for Authentication Services for details.
Authentication Services adds the Unix properties of Active Directory users and groups to Active Directory and allows you to map a Unix user to an Active Directory user.
- If you are running Authentication Services without a Authentication Services application configuration in your forest, to configure the console to recognize Active Directory objects, enable Management Console for Unix to use the default Windows 2003 R2 schema to recognize Unix naming attributes. See Configuring Windows 2003 R2 schema for details.
The Windows 2003 R2 schema option extends the schema to support the direct look up of Unix identities in Active Directory domain servers.