Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Integrating with GPMC
Display specifiers Troubleshooting

Perform a cross-domain search

To perform a cross-domain search

  1. Enter the following command.
    vastool -u admin -w password search -b "dc=example2,dc=com" "(objectCategory=person)" sAMAccountName > results_file

    This command performs a cross-domain search of all person objects in the example2.com domain, and puts their sAMAccountName into a new file called results_file.

  2. Use the results_file for the oat_match.

    For more information about vastool search options, refer to the OAT man page.

OAT matching scripts

The OAT matching scripts allow for flexible resolution of user name rules. These scripts match local Unix accounts to Active Directory accounts. You can customize or replace these scripts to work as needed in your environment.

The basic match scripts match users and groups by comparing naming attributes.

  • oat_match_group.awk
  • oat_match_user.awk

The mapped user script matches users based on an existing mapped user file.

  • oat_match_user_mappeduser.awk

The override scripts match users and groups using an existing Authentication Services override file.

  • oat_match_user_override.awk
  • oat_match_group_override.awk

Rollback changes

In the event that you want to revert the files back to the original User ID and Group ID, you can use the rollback option.

To change the ownership of a directory and remove the users from the system with oat_changeowner, enter:

oat_changeowner process -b backup_dir -d /home/user -u user_match_file -m

To undo the changes made by the oat_changeowner command, enter:

oat_changeowner rollback -b backup_dir

Changing file ownership using the script

One Identity provides an interactive script, called oat that walks you through the process of changing file ownerships to match Active Directory. This script calls oat_adlookup, oat_match, and oat_changeowner with appropriate arguments based on responses that you provide.

Note: You must have Authentication Services installed and your system joined to an Active Directory domain to run the interactive script.

To change file ownership

  1. At the command prompt enter:
    /opt/quest/libexec/oat/oat

    The interactive script requests information about:

    1. Active Directory users and passwords
    2. Attributes
    3. Local users and passwords
    4. Group names and path
    5. Path where you want OAT to perform the Ownership Alignment process.

    Note: No changes are made to your system until you have reviewed and approved the list of files and directories.

  2. Enter the requested information or press Enter to accept the default values enclosed in square brackets.
  3. At the end of the interview, it asks you to specify the directory for which you want to change file ownership.

    Typically you would specify "/" for the root directory.

    Note: If you choose "/", it changes the file ownership for every file in your file system. One Identity recommends that you run OAT against a test directory first to confirm your understanding of what OAT does.

    The oat_changeowner script creates a list of files that will be modified.

  4. Review the list of files that will be changed.
  5. If the files in the list are what you want changed, respond with a yes or no.

    oat saves rollback information in a directory called oatwork<date> (where <date> is today's date). For example, in the /var/opt/quest/oat/oatwork20100513/ you would see a list of files similar to this:

    ad_groups
    ad_users
    filelist
    group_mapping
    log

    The log file is especially useful because it lists all the commands or scripts that were run, the options that were passed to them, and any error messages that were produced.

    For more information, refer to the OAT man page. (See Using Authentication Services manual pages (man pages) for information about accessing the OAT man page.)

Related Documents