Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.3 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Integrating with GPMC
Display specifiers Troubleshooting

Auto generating Posix user identities

When user identity information is not stored centrally within Active Directory, it is possible for Active Directory users to have Posix identity attributes automatically generated for them when interacting with Unix Hosts, allowing the user to authenticate with an Active Directory password.

This is convenient in situations where you can not utilize enterprise user and group identification from Active Directory. For example, when you do not have sufficient rights to modify User identity objects, or are unable to create the Authentication Services Application Configuration object, you can configure Authentication Services to auto-generate Posix identity attributes on the Unix Host for Active Directory users.

The following attributes are auto-generated:

  • UID Number: This attribute is derived from a hash of the Active Directory Users GUID (Globally Unique Identifier).
  • GID Number: This attribute is derived from the hash of the Active Directory Group GUID that is assigned as the Windows Primary Group object.
  • Gecos: The gecos field is populated by the users CN, but is configurable by using the [vasd] realname-attr vas.conf setting.
  • Unix Home Directory: This attribute is a concatenation of the per-machine configurable home directory base option, [vasd] autogen-posix-homedir-base, and the users sAMAccountName value.
  • Login Shell: This attribute is set by the per-machine [vasd] autogen-posix-default-shell configuration option.

The generated attributes are stored locally on each Unix host and remain in effect until manually removed by the system administrator.

Migrating auto-generated identities to enterprise identities

Once a host has Posix identity attributes generated for an Active Directory user or group, they remain in effect until you manually remove them. This ensures that you take the proper steps when migrating user identities, specifically when you realign the file and directory ownerships to the new UID and GID values.

To migrate an auto-generated user to use an enterprise identity

  1. Make sure that you have realigned the file and directory ownerships to the new UID and GID values, including the user's home directory.

    (For more information, see Managing local file permissions.)

  2. Locate the user record in the /etc/opt/quest/vas/autogen.passwd file, and remove it.
  3. Force Authentication Services to update the user by means of logging in or by running:
    vastool list –f user <username>

Migrating auto-generated group identities

To migrate an auto-generated group to use an enterprise identity

  1. Make sure that you have realigned the file and directory ownerships to the new UID and GID values, including the user's home directory.

    (For more information, see Managing local file permissions.)

  2. Locate the user record in the /etc/opt/quest/vas/autogen.group file, and remove it.
  3. Force Authentication Services to update the user by means of logging in or by running:
    vastool list –f group <groupname>

Unix Personality Management

Unix Personality Management (UPM) delivers a highly flexible model for managing multiple Unix identities for a user or group. This preserves the administrative boundaries typical to Unix systems while still allowing for consolidation into Active Directory.

In Unix Personality Management, Unix hosts are joined to a "personality container" when they join the domain. The personality container provides a constrained view of the users and groups available in Active Directory. Personality containers can contain Unix-enabled users. In addition, you can define Unix personality objects and link them to regular Windows users. This allows an override mechanism for Unix identity data which is stored in Active Directory. In this way a single Active Directory user is associated with multiple Unix identity objects. Personality containers can also link to secondary containers which allows for a shared repository of globally unique Unix identities.

NIS domains are particularly applicable to Unix Personality Management. If you have several NIS domains where users have different Unix identities in each NIS domain, you can create a personality container corresponding to each NIS domain. Unix hosts are then joined to the personality container corresponding to their NIS domain. To aid in this scenario, you can create a personality container directly from a NIS domain. (See the Unix Account Import Wizard online help for more information.)

Note: Unix Personality Management is not appropriate when Unix identity data is divergent across Unix hosts. For example, if users have a different UID number on every Unix host, UPM is not the best choice because you need to maintain a personality container per-host.

Related Documents