Safeguard Authentication Services 4.1.3 - Administration Guide

Unable to install or upgrade

The most common installation or upgrade failure is that the Unix host cannot read the Authentication Services application configuration in Active Directory. Ensure that you have followed the instructions in the Configure Active Directory for Authentication Services section of the Authentication Services Installation Guide and that the configuration has been created successfully.

During an upgrade you may see an error that Authentication Services cannot upgrade because the application configuration cannot be located. If you previously joined to a specific domain controller, Authentication Services disabled DNS SRV record lookups. This means that Authentication Services cannot resolve other domains in the forest and may be unable to locate the application configuration. In this case you must ensure that the domain controller you specified is a global catalog. Otherwise, you must create the Authentication Services application configuration in the domain that you join, or you must properly configure DNS to return SRV records and join normally, rather than specifying a domain controller when you join.

For more information, see the About Active Directory Configuration section in the Authentication Services Installation Guide.

Unable to join the domain

If you are unable to join the domain, run the preflight utility to validate your environment.

For more information, see The Authentication Services Pre-Installation Diagnostic Tool in the Authentication Services Installation Guide.

Then, verify the following:

  • Check that the Active Directory account specified during join has rights to join the computer to the domain.
  • Check that the Unix host is able to properly resolve the domain name through DNS.

If you are joining to a specific domain controller, you must ensure that Authentication Services can locate and read the configuration information in Active Directory. You should do one of the following:

  • Make sure the domain controller you specify is a global catalog.
  • Create the Authentication Services application configuration in the domain to which you are joining.

    For more information, see the About Active Directory Configuration section in the Authentication Services Installation Guide.

  • Properly configure DNS to return SRV records and avoid joining to a specific domain controller.

Unable to log in

If you are unable to log in as an Active Directory user after installing, check the following:

  1. Log in as root on the Unix host.
  2. Check the status of the Authentication Services subsystems. To do this, run the following command:
    vastool status

    Correct any errors reported by the status command, then try logging in again.

  3. Ensure the user exists locally and is allowed to log in. To check this, run the following command:
    vastool user checklogin <username>

    The output displays whether the user is a known Active Directory user. If not, you may need to map the user to an Active Directory account or Unix-enable the Active Directory account. If the user is known, an access control rule may prevent them from logging in. The output of the command displays which access control rules are in effect for the user.

You may need to restart window managers such as gdm in order for the window manager to reload NSS modules. Until the window manager reloads the NSS configuration, you will be unable to log in with an Active Directory user. Other services such as cron may also be affected by NSS changes. If you are unsure which services need to be reloaded, reboot the system.

Note:

If you are configuring Authentication Services on VMware ESX Server vSphere (ESX 4.0), the reason you cannot log in may be related to access control issues. Please refer to Configuring access control on ESX 4.

Resolving DNS problems

It is imperative that DNS is correctly configured. Authentication Services relies on DNS in order to locate domain controllers. Follow these steps to verify that domain controllers can be located using DNS:

  1. Use dig to test whether your DNS configuration can locate a domain controller. Enter the following at the Unix command prompt, replacing <DNS Domain Name> with your Active Directory DNS domain name:
    dig -t any _ldap._tcp.dc._msdcs.<DNS Domain Name>

    If DNS is configured correctly, you will see a list of domain controllers for your domain. If not, work with your DNS administrator to resolve the issue.

  2. Use dig to test whether you can locate a domain controller in your site. Enter the following at the Unix command prompt, replacing <Site Name> with the name of your Active Directory site and <DNS Domain Name> with your Active Directory DNS domain name.
    dig -t any _ldap._tcp.<Site Name>._sites.dc._msdcs.<DNS Domain Name>

    If DNS is configured correctly, you will see a list of domain controllers for your site. If not, work with your DNS administrator to resolve the issue.

It is possible to work around DNS problems by using the vastool join command to specify the domain controller host name on the command line. Authentication Services can work without DNS configured as long as a forward lookup entry for the domain controller exists in the /etc/hosts file. The forward lookup resolves the domain controller host name to an IP address.
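The following script is an added example, not part of the One Identity guide: it scripts the two SRV lookups from the steps above for a domain and, optionally, a site, and then checks whether each domain controller it finds also has the /etc/hosts forward entry that the join-without-DNS workaround relies on. It assumes dig and a POSIX awk are installed on the Unix host; the domain and site names on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not from the One Identity guide: script the two SRV
# lookups from the steps above and the /etc/hosts fallback check.
# Assumes dig and a POSIX awk are installed; domain/site are placeholders.
# Usage: sh dc_dns_check.sh <DNS Domain Name> [<Site Name>]

# Build the SRV owner name for the domain, optionally scoped to an AD site.
srv_name() {
    domain="$1"; site="$2"
    if [ -n "$site" ]; then
        echo "_ldap._tcp.${site}._sites.dc._msdcs.${domain}"
    else
        echo "_ldap._tcp.dc._msdcs.${domain}"
    fi
}

# Read full dig output on stdin and print "priority weight port target"
# for each SRV answer, lowest priority first (dig comment lines start with ';').
parse_srv() {
    awk '$0 !~ /^;/ && $4 == "SRV" { sub(/\.$/, "", $8); print $5, $6, $7, $8 }' |
        sort -n
}

# Succeed if the hosts file (default /etc/hosts) has a forward entry for host.
hosts_entry() {
    host="$1"; file="${2:-/etc/hosts}"
    awk -v h="$host" '$0 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                      END { exit found ? 0 : 1 }' "$file"
}

# Live checks run only when a domain is given, so sourcing the file is harmless.
if [ -n "$1" ]; then
    name=$(srv_name "$1" "$2")
    echo "Querying $name"
    dcs=$(dig -t SRV "$name" | parse_srv)
    if [ -z "$dcs" ]; then
        echo "No SRV records returned; fix DNS before joining" >&2
        exit 1
    fi
    echo "$dcs" | while read -r prio weight port target; do
        if hosts_entry "$target"; then note="(also in /etc/hosts)"; else note=""; fi
        echo "DC $target port $port priority $prio $note"
    done
fi
```

Run it once without a site to confirm the domain-wide records, then with your site name to confirm site-specific ones; a domain controller listed without the "(also in /etc/hosts)" note cannot be used for the join workaround until you add its entry.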

You can test this on Linux by firewalling DNS (port 53) with iptables. Make sure that you have an entry for your domain controller in /etc/hosts, then, as root, enter the following commands, replacing <administrator> with the name of an Active Directory administrator, <DNS Domain Name> with your Active Directory DNS domain name, and <DC Host Name> with the host name of your domain controller:

iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p udp --dport 53 -j DROP
/opt/quest/bin/vastool -u <administrator> join <DNS Domain Name> <DC Host Name>