Profiling imports information about the host, including local users and groups, into the management console. It is a read-only operation and no changes are made to the host during the profiling operation. Profiling does not require elevated privileges.
To profile hosts
If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
Once saved, the management console uses these credentials to access the host during this and subsequent sessions.
Note: If you do not save a password to the server, the user name and password fields will be blank the first time the management console needs credentials to complete a task on the host during a log on session. Once entered, the management console caches the user name and password and reuses these credentials during the current session, and pre-populates the user name and password fields in subsequent tasks during the current log on session. If you choose to save a host's credentials to the server, the management console encrypts the credentials and saves them in the Java keystore. Saved user names and passwords persist across log on sessions, and when needed, the management console pre-populates the user name and password fields each subsequent time it needs them to perform a task. (For more information, see Caching Unix Host Credentials in the online Help.)
Note: When profiling one or more hosts, you must accept at least one key before continuing. The management console only profiles hosts with accepted keys.
By default the Automatically accept SSH keys option is checked. This enables the management console to automatically accept the SSH key for all selected hosts that do not have a previously cached key. When it accepts the key, the console adds it to the accepted-keys cache on the Management Console for Unix server. If you clear the Automatically accept SSH keys option, when the management console encounters a modified key, it opens the Validate Host SSH Keys dialog, allowing you to manually accept keys that are encountered. Once you have manually verified the fingerprint, the console adds the SSH host key(s) to the accepted-keys cache.
Note: Once you profile a host, all future tasks that involve an SSH connection will verify the SSH host key against the accepted-keys cache. When profiling, if the console encounters a modified key, the profile task prompts you to accept new/changed key(s). When performing any SSH action other than profile, if the console encounters a different SSH key, the task will fail. To update the accepted-keys cache for the host, you can either profile/reprofile the host, accept the new key, and try the task again, or you can import a new SSH host key from the host's properties or from the All Hosts view. (See Import SSH Host Key or Managing SSH Host Keys in the online help for more information.)
A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.
To keep the Management Console for Unix database up to date with accurate information about users, groups, and One Identity products, you can configure the management console to profile hosts automatically.
BEST PRACTICE: Configure newly added hosts for auto-profiling before you perform any other actions so that the management console dynamically updates user and group information. (See UID or GID Conflicts in online Help.)
Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changes on the host, it triggers a profile operation.
The cron job detects changes to the following:
The cron job also sends a heartbeat every day. This updates the Last profiled date displayed on the host properties. If the Last profiled date is more than 24 hours old, the host icon changes to indicate no heartbeat.
To configure automatic profiling
Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same ‘Auto-profile’ state; that is, they all have ‘Auto-profile’ turned on, or they all have ‘Auto-profile’ turned off.
When you choose to create the user service account on the host, if it does not already exist, the management console does the following:
-OR-
(Click Select to browse for a user.)
Whether you choose to create the user service account or use an existing user account, the management console,
cron.allow | cron.deny | Console’s action | Resultant User Access |
---|---|---|---|
NO | NO | Creates cron.allow and adds root and questusr to it | Both root and questusr have access. |
NO | YES | No action | All users have access except those in cron.deny; questusr has access unless explicitly denied. |
YES | NO | Adds questusr to cron.allow | Users in cron.allow have access. |
YES | YES | Adds questusr to cron.allow | Users in cron.allow have access unless in cron.deny. |

Note: If you receive an error message saying you could not log in with the user service account, please refer to Service Account Login Fails in online Help to troubleshoot this issue.
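One way to audit the outcome of the cron.allow / cron.deny table above on a host, as an added example (not One Identity's code): the function reads both files from a directory and reports whether a user may use cron under the rules in the Resultant User Access column. The directory argument, the `listed` and `cron_access` names, and the sample user alice are assumptions for illustration.

```shell
#!/bin/sh
# Added example: evaluate cron access for a user from cron.allow / cron.deny,
# following the "Resultant User Access" column of the table above.
# The directory holding the two files is an assumption passed by the caller;
# platforms keep them in different places.

# listed FILE USER -> succeeds if USER appears as a whole line in FILE
listed() {
    [ -f "$1" ] && grep -qxF -- "$2" "$1"
}

# cron_access DIR USER -> prints "allowed", "denied" or "no-policy"
cron_access() {
    dir=$1
    user=$2
    allow="$dir/cron.allow"
    deny="$dir/cron.deny"
    if [ -f "$allow" ]; then
        # Rows 3 and 4: the user must be in cron.allow;
        # row 4 additionally excludes users named in cron.deny.
        if ! listed "$allow" "$user"; then echo denied; return; fi
        if listed "$deny" "$user"; then echo denied; return; fi
        echo allowed
    elif [ -f "$deny" ]; then
        # Row 2: everyone has access except users named in cron.deny.
        if listed "$deny" "$user"; then echo denied; else echo allowed; fi
    else
        # Row 1 before the console acts: neither file exists.
        echo no-policy
    fi
}

# Constructed fixture: the state after the console handles row 1
# (cron.allow created with root and questusr in it).
demo_dir=$(mktemp -d)
printf 'root\nquestusr\n' > "$demo_dir/cron.allow"
for u in root questusr alice; do
    printf '%s: %s\n' "$u" "$(cron_access "$demo_dir" "$u")"
done
rm -rf "$demo_dir"
```

A "denied" result for questusr means the auto-profile cron job cannot run for that account on the host.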
The questusr account is a non-privileged account that does not require root-level permissions. This account is used by the console to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.
If questusr is inadvertently deleted from the console, the console turns ‘Auto-profiling’ off.
To recreate the "questusr" account
Note: This task requires elevated credentials.
If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
To disable automatic profiling
When you disable auto-profiling for a host, the management console,
Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the management console.
To install Authentication Services software on hosts
Note: The Install Software tool bar menu is enabled when you select hosts that are profiled. The tool bar button will not be active if
Note: You must install the Authentication Services Agent and the Group Policy packages.
Note: If you do not see all of these software packages, verify the path to the software packages is correctly set in System Settings. (Refer to Set the Authentication Services Client Software Location on the Server in the management console online help for details.)
Note: This task requires elevated credentials.
If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
Once you install the software on your remote hosts, the management console allows you to perform a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain. Running the readiness checks does NOT require elevated privileges.
Note: This task is only available when you are logged on as supervisor or an Active Directory account in the Manage Hosts role. (See Roles and Permissions System Settings in the management console online Help for more information.)
To check host(s) for Active Directory Readiness
If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.
A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, including any failures or advisories encountered. To see the AD Readiness check results, open the host's property page and select the Readiness Check Results tab.