
Safeguard Authentication Services 4.1.3 - Administration Guide


Changing passwords

Unix users can change their Active Directory passwords using vastool or with PAM-enabled system password utilities such as passwd.

Changing passwords with VASTOOL

You can use vastool passwd to change your password or to reset another user's password.

  1. To change your password:
    vastool passwd

    Follow the prompts to change your password.

  2. To set another user's password:
    vastool -u <administrator> passwd <target user>

    For example, to set the user bsmith's password using the administrative user Administrator@example.com:

    vastool -u Administrator@example.com passwd bsmith

    You must first authenticate as the administrative user, then you can specify a new password for bsmith.

Changing passwords with system utilities

On PAM-enabled systems you can use the system passwd command to change your Active Directory password.

  1. Type the following command:
    # passwd

    Note: On some systems such as HP-UX and Solaris, the /bin/passwd command may not use PAM. In this case you may see output such as:

    passwd: Changing password for bsmith
    Supported configuration for passwd management are as follows:
      passwd: files
      passwd: files ldap
      passwd: files nis
      passwd: files nisplus
      passwd: compat
      passwd: compat AND
      passwd_compat: ldap OR
      passwd_compat: nisplus
      Please check your /etc/nsswitch.conf file Permission denied

    If you see this output, you must use the vastool passwd command to change your Active Directory password.

  2. To change the password of a local user in the /etc/passwd file, run the following command:
    passwd -r files

    This instructs the system to change the local password directly rather than using PAM to change the password.
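The sample error output above lists the only nsswitch.conf "passwd:" configurations that a non-PAM passwd accepts. The following POSIX shell script is an added example, not code from the Safeguard Authentication Services guide: it reads the "passwd:" (and "passwd_compat:") entry of an nsswitch.conf-style file, checks it against that list, and reports whether a user on such a host should run passwd or vastool passwd. The function names are the example's own, the sample files are constructed, and "ad_module" is a placeholder because the guide does not name the Authentication Services NSS module.

```shell
#!/bin/sh
# Added example (not from the guide): decide whether a non-PAM passwd(1),
# as on the HP-UX/Solaris hosts described above, can be expected to work,
# using the accepted "passwd:" configurations from the guide's sample
# error output. Anything else means "vastool passwd" must be used instead.

# Print the source list of one nsswitch.conf key (e.g. "passwd"),
# with comments stripped and whitespace normalized.
nss_sources() {
    # $1 = path to an nsswitch.conf-style file, $2 = key name without colon
    sed -n "s/#.*//; s/^[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | tr -s '[:space:]' ' ' | sed 's/^ *//; s/ *$//'
}

# Exit 0 if the passwd: configuration is one the non-PAM passwd accepts:
# files, files ldap, files nis, files nisplus, or compat with passwd_compat
# unset, ldap or nisplus. Exit 1 otherwise.
passwd_cmd_supported() {
    src=$(nss_sources "$1" passwd)
    case "$src" in
        files|"files ldap"|"files nis"|"files nisplus") return 0 ;;
        compat)
            case "$(nss_sources "$1" passwd_compat)" in
                ""|ldap|nisplus) return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Print the command a user should run to change the Active Directory password.
recommend_passwd_tool() {
    if passwd_cmd_supported "$1"; then
        echo "passwd"
    else
        echo "vastool passwd"
    fi
}

# Constructed sample files (not real system files). "ad_module" is a
# placeholder, not the real name of the Authentication Services NSS module.
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SAMPLE_FILES="$TMPD/nsswitch.files"
SAMPLE_AD="$TMPD/nsswitch.ad"
SAMPLE_COMPAT="$TMPD/nsswitch.compat"
SAMPLE_COMPAT_NIS="$TMPD/nsswitch.compat-nis"
cat > "$SAMPLE_FILES" <<'EOF'
# local files only
passwd: files
group:  files
EOF
cat > "$SAMPLE_AD" <<'EOF'
passwd: files ad_module   # AD module appended after files
group:  files ad_module
EOF
cat > "$SAMPLE_COMPAT" <<'EOF'
passwd: compat
passwd_compat: ldap
EOF
cat > "$SAMPLE_COMPAT_NIS" <<'EOF'
passwd: compat
passwd_compat: nis
EOF

# Report, for each sample, the effective passwd: sources and the tool to use.
for f in "$SAMPLE_FILES" "$SAMPLE_AD" "$SAMPLE_COMPAT" "$SAMPLE_COMPAT_NIS"; do
    printf '%-22s passwd: %-18s use: %s\n' "$(basename "$f")" \
        "$(nss_sources "$f" passwd)" "$(recommend_passwd_tool "$f")"
done
```

On a real host, point nss_sources and recommend_passwd_tool at /etc/nsswitch.conf; the check only mirrors the list printed by the vendor passwd, so a host whose passwd is PAM-enabled does not need it.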

Mapping local users to Active Directory users

Authentication Services provides a feature called "mapped user" where you can map local Unix user accounts to Active Directory user accounts. Local users retain all of their local Unix attributes such as UID Number and Login Shell, but they authenticate using their Active Directory password. Active Directory password policies are enforced. You can map users by editing configuration files on the Unix host or using Management Console for Unix.

Advantages of mapped users:
  • Provides a rapid deployment path to take advantage of Active Directory authentication
  • Kerberos authentication provides stronger security
  • Enables centralized access control
  • Enforces Active Directory password policies
  • Provides a path for consolidating identities in Active Directory with OAT (Ownership Alignment Tool)
  • Low impact to existing applications and systems on the Unix host
  • Easy to deploy with self enrollment

By mapping a local user to an Active Directory account, the user can log in with his Unix user name and Active Directory password.

Note: Active Directory password policies are not enforced on HP-UX systems that do not have PAM requisite support. To prevent users from authenticating with their old system account password after mapping, install the freely available PAM Requisite package provided by HP.
