
Safeguard Authentication Services 4.1.3 - Administration Guide


Working with netgroups

With the Windows 2003 R2 schema, you can access netgroup data based on RFC 2307 stored in Active Directory through the Authentication Services name service module. Authentication Services caches the netgroup information locally. This netgroup support is built into the name service module and does not require the Authentication Services LDAP proxy service to be running.

Note: Netgroup data through the Authentication Services name service module is only supported on Linux, Solaris, HP-UX, and AIX.

Configuring netgroup support with name service

To configure Authentication Services to resolve netgroup data from the name service module

  1. Run the following command as root to configure Authentication Services for netgroup support:
    vastool configure vas vasd netgroup-mode NSS
  2. Run the following command as root to configure the Authentication Services name service module:
    1. On Linux, Solaris or HP-UX:
      vastool configure nss netgroup
    2. On AIX:
      vastool configure irs netgroup

      Note: To create a netgroup map, if needed, you can enter the following at the command line:

      nisedit -u <admin> add -m netgroup -f <an /etc/netgroup style file>

      For more information about the nisedit tool see Using NIS map command line administration utility.

  3. Load the netgroup caches by running the following command as root:
    vastool flush netgroup
  4. To test the netgroup configuration run the following command:

    vastool nss getnetgrent <netgroup name>
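
The note in step 2 loads an /etc/netgroup style file with nisedit. As an added example (not from the Administration Guide or from One Identity), the shell function below checks such a file before it is loaded, reporting malformed triples and triples whose host or user field is empty, which the netgroup format treats as matching any value. It assumes one netgroup per line with no backslash continuations; `lint_netgroup`, `sample_netgroup` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an /etc/netgroup style file before loading it with nisedit.
# Assumption: one netgroup per line, no backslash line continuations.

lint_netgroup() {
    # Reads the file named in $1, or stdin when no argument is given.
    # Prints one finding per line as "<netgroup>: <FINDING> ...".
    awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        name = $1
        line = $0
        sub(/^[ \t]*[^ \t]+[ \t]*/, "", line)    # drop the netgroup name
        if (line == "") { printf "%s: EMPTY no members\n", name; next }
        while (line != "") {
            if (substr(line, 1, 1) == "(") {
                end = index(line, ")")
                if (end == 0) { printf "%s: MALFORMED unclosed triple\n", name; break }
                triple = substr(line, 2, end - 2)
                line = substr(line, end + 1)
                n = split(triple, f, ",")        # fields: host, user, domain
                if (n != 3) {
                    printf "%s: MALFORMED (%s) needs 3 fields\n", name, triple
                } else {
                    gsub(/[ \t]/, "", f[1]); gsub(/[ \t]/, "", f[2])
                    if (f[1] == "") printf "%s: WILDCARD-HOST (%s)\n", name, triple
                    if (f[2] == "") printf "%s: WILDCARD-USER (%s)\n", name, triple
                }
            } else {
                sub(/^[^ \t(]+/, "", line)       # bare token: nested netgroup name
            }
            sub(/^[ \t]+/, "", line)
        }
    }' "$@"
}

sample_netgroup() {
    # Constructed sample data, not taken from any real environment.
    cat <<'EOF'
# name     members
admins     (host1,alice,) (host2,bob,)
anyhost    (,carol,)
everyone   (,,)
nested     admins anyhost
broken     (host3,dave)
EOF
}

sample_netgroup | lint_netgroup
```

To check a real file, call `lint_netgroup <file>` and review every WILDCARD finding before running the nisedit command from the note.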

Unconfiguring netgroup support with name service

To prevent Authentication Services from resolving netgroup data from the name service module

  1. Run the following command as root to remove name service netgroup support:
    vastool configure vas vasd netgroup-mode
  2. Run the following command as root to configure the Authentication Services name service module:
    1. On Linux, Solaris or HP-UX:
      vastool unconfigure nss netgroup
    2. On AIX:
      vastool unconfigure irs netgroup
  3. Run the following command as root to configure the Authentication Services name service module:
    1. On Linux, Solaris or HP-UX:
      vastool configure nss
  4. Flush the netgroup caches by running the following command as root:
    vastool flush netgroup

Cache administration

To minimize network traffic and load on Active Directory, Authentication Services maintains a local cache of user and group data.

You can force Authentication Services to immediately reload the cache by running the following command as root:

vastool flush

Note: When you run vastool flush, the entire user and group cache database is reloaded from Active Directory. This can generate a significant amount of network traffic, so use this command sparingly.
