
Safeguard Authentication Services 4.1.5 - Installation Guide


Join hosts to Active Directory

In order to manage access to a host using Authentication Services for Active Directory, you must join the host to an Active Directory domain. Joining a host to a domain creates a computer account for that host. Once you have deployed and installed the Authentication Services Agent software on a host, use the Join to Active Directory command on the All Hosts view's Join menu to join the host to an Active Directory domain.

To join hosts to Active Directory

  1. Select one or more hosts from the list on the All Hosts view, open the Join or Configure menu tool bar button and select Join to Active Directory.

    Note: The Join to Active Directory tool bar menu is enabled when you select hosts that have the Authentication Services Agent installed and are not joined to Active Directory.

    The tool bar button will not be active if:

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (joined, not joined).

  2. On the Join Host to Active Directory dialog, enter the following information to define how and where you want to join the host to Active Directory:
    1. Select the Active Directory domain to use for the join operation or enter the FQDN of the Active Directory domain.

      Use the same domain you entered when you performed the Check for AD Readiness.

    2. Optionally enter a name for the computer account for the host.

      Leave this field blank to generate a name based on the host's DNS name.

    3. Click the button to locate and select a container in which to create the host computer account.
    4. Enter the optional join commands to use.

      See Optional Join Commands in the management console online Help for a list of the available commands.

    5. Enter the user name and password to log onto Active Directory.

      The user account you enter must have elevated privileges in Active Directory with rights to create a computer account for the host.

  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials. The management console pre-populates this information.

    The Task Progress pane on the All Hosts view displays a progress bar and the final status of the tasks, including any failures or advisories encountered.

Check QAS agent status

You can either check the health status of Authentication Services agents manually, or you can configure the management console to automatically check the QAS Agent Status and report any warnings or failures to the console.

Note: Running the Check QAS Agent Status commands requires:

  • you are logged on as an Active Directory account in the Manage Hosts role
  • the hosts have Authentication Services 4.0.3.78 (or later) Agent software installed

See Check QAS Agent Status Commands Not Available in the management console online Help for more information.

Check QAS Agent Status Manually

To check QAS agent status

  1. Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the tool bar and choose Check QAS agent status.
  2. In the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    A progress bar displays in the Task Progress pane and the Host Notifications tab indicates the number of hosts with warnings or failures detected.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    • If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    • If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.
  3. Select the Host Notifications tab to view the reported warnings or failures.

    (See View the QAS Agent Status in the management console online Help for details.)

Check QAS Agent Status Automatically

To have up-to-date information about the status of Authentication Services agents, you can configure the management console to periodically check the QAS Agent Status automatically. If it detects a status change on the host, it reports the following warnings or failures to the Host Notifications tab:

  • Critical Failure
  • Failure
  • Warning

To configure the console to automatically check the QAS agent status

  1. Select one or more hosts on the All Hosts view, open the Check menu from the Prepare panel of the tool bar, and choose Check QAS Agent Status automatically.

    Note: This option is only available for multiple hosts if all hosts are in the same "Check QAS Agent Status" state; that is, they all have automatic status checking turned on, or they all have automatic status checking turned off.

  2. Select the Check status automatically option, set the frequency for the health status check, and click OK.

    Note: Use standard crontab syntax when entering Advanced schedule settings.

  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials.

    When configured for automatic checking, the Authentication Services state column on the All Hosts view displays an icon. Then, if the server does not receive a heartbeat in over 4 hours (by default), it displays a different icon. No icon in the Authentication Services state column indicates the host is not configured to check the QAS agent status automatically.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    • If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    • If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

    Note: If you receive a GID conflict error, see UID or GID Conflicts in online Help.

  4. View the QAS Agent Status for each host on the Host Notification tab.

    (See View the Authentication Services Status Errors in online Help for details.)

    When you configure a host to check the QAS agent status automatically, the management console:

    1. Creates "questusr" (the service account user), if it does not already exist, and a corresponding "questgrp" group on the host that the management console uses for automatic QAS agent status checking.
    2. Adds questusr as an implicit member of questgrp.
    3. Adds the auto-check SSH key to questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
    4. Verifies the service account user can login to the host.
    5. Creates a cron job that runs QAS agent status according to the specified interval.

    Note: If you receive an error message saying you could not log in with the service account user, refer to Service Account Login Fails in online Help to troubleshoot this issue.

    The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.

    Note: If questusr is inadvertently deleted from the console, the console will not be updated. To recreate the "questusr" account, re-configure the host for automatic QAS agent status checking.

To disable automatic status checking

  1. Select one or more hosts on the All Hosts view and choose Check QAS Agent Status automatically.
  2. Clear the Check status automatically option on the Check QAS Agent Status Automatically dialog and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

When you disable auto-status checking for a host, the management console:

  1. Leaves the "questusr" and the corresponding "questgrp" accounts on the host.
  2. Leaves questusr as an implicit member of questgrp.
  3. Removes the auto-check SSH key from that user's authorized_keys file.
  4. Removes the cron job on the host.
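The two lists above (what enabling automatic status checking leaves on a host, and what disabling it removes) describe a small, auditable footprint: a non-privileged service user and group, one SSH public key in the user's authorized_keys file, and a cron job. The following POSIX shell script is an added example, not One Identity's code, that audits that footprint so an administrator can confirm a host is in the expected "enabled" or "disabled" state and that questusr is still non-privileged. It runs against a prefix directory (ROOT) holding a constructed passwd, group, authorized_keys and crontab tree, so it can be run offline; the key comment "qas-autocheck", the key data, the cron interval and the cron command path are all placeholders and not values from the product. On a live host you would set ROOT=/ and skip building the sample tree.

```shell
#!/bin/sh
# Added example (not One Identity code): audit the artifacts the management
# console leaves on a host for automatic QAS agent status checking.
# ROOT is a prefix so the script can run against a constructed sample tree;
# use ROOT=/ on a real host and do not call build_sample_host there.

ROOT="${ROOT:-$(mktemp -d)}"
SVC_USER="questusr"
SVC_GROUP="questgrp"
KEY_COMMENT="qas-autocheck"   # placeholder comment used to tag the auto-check key
AUTH_KEYS="$ROOT/var/opt/quest/home/$SVC_USER/.ssh/authorized_keys"
CRON_FILE="$ROOT/var/spool/cron/crontabs/$SVC_USER"

# Constructed sample host state (not captured from a real host): the service
# user with a non-zero UID, its group, one auto-check key, and one cron entry
# written in standard crontab syntax (every 4 hours; interval and command
# path are placeholders, the real values are set by the console).
build_sample_host() {
    mkdir -p "$ROOT/etc" "$(dirname "$AUTH_KEYS")" "$(dirname "$CRON_FILE")"
    printf 'root:x:0:0:root:/root:/bin/sh\n%s:x:1501:1501:QAS status check:/var/opt/quest/home/%s:/bin/sh\n' \
        "$SVC_USER" "$SVC_USER" > "$ROOT/etc/passwd"
    printf 'root:x:0:\n%s:x:1501:\n' "$SVC_GROUP" > "$ROOT/etc/group"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYDATA %s\n' "$KEY_COMMENT" > "$AUTH_KEYS"
    chmod 600 "$AUTH_KEYS"
    printf '0 */4 * * * /opt/quest/bin/PLACEHOLDER_STATUS_COMMAND >/dev/null 2>&1\n' > "$CRON_FILE"
}

# UID of the service user as recorded in $ROOT/etc/passwd (empty if absent)
svc_user_uid() {
    awk -F: -v u="$SVC_USER" '$1 == u { print $3; exit }' "$ROOT/etc/passwd" 2>/dev/null
}

# True when the service user exists and is not UID 0. The documentation
# states questusr is non-privileged, so UID 0 here would be a finding.
svc_user_is_unprivileged() {
    uid=$(svc_user_uid)
    [ -n "$uid" ] && [ "$uid" -ne 0 ]
}

# True when the service group exists in $ROOT/etc/group
svc_group_exists() {
    awk -F: -v g="$SVC_GROUP" '$1 == g { found = 1 } END { exit !found }' "$ROOT/etc/group" 2>/dev/null
}

# Number of public keys in the service user's authorized_keys (0 if missing)
authorized_key_count() {
    if [ -f "$AUTH_KEYS" ]; then
        grep -c -E '^(ssh-|ecdsa-)' "$AUTH_KEYS" || true
    else
        echo 0
    fi
}

# True when authorized_keys is writable by group or others (a hardening finding:
# anyone who can append a key gets the service user's SSH access)
authorized_keys_loosely_writable() {
    [ -f "$AUTH_KEYS" ] && [ -n "$(find "$AUTH_KEYS" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# True when the service user has a non-empty crontab
cron_job_present() {
    [ -s "$CRON_FILE" ]
}

# Classify the host: "enabled" (key and cron job present), "disabled" (user and
# group kept, key and cron job gone, as the documentation describes), or
# "inconsistent" (only one of the two present, e.g. a half-applied change).
audit_autocheck_state() {
    if ! svc_user_is_unprivileged || ! svc_group_exists; then
        echo "missing-service-account"
        return
    fi
    keys=$(authorized_key_count)
    if [ "$keys" -gt 0 ] && cron_job_present; then
        echo "enabled"
    elif [ "$keys" -eq 0 ] && ! cron_job_present; then
        echo "disabled"
    else
        echo "inconsistent"
    fi
}

# Mirror of the documented disable steps: strip the auto-check key, remove the
# cron job, and leave the user and group in place.
disable_autocheck() {
    if [ -f "$AUTH_KEYS" ]; then
        grep -v "$KEY_COMMENT" "$AUTH_KEYS" > "$AUTH_KEYS.tmp" || true
        mv "$AUTH_KEYS.tmp" "$AUTH_KEYS"
    fi
    rm -f "$CRON_FILE"
}

# Stand-alone run: build the sample tree, audit it, apply the disable steps, audit again.
build_sample_host
echo "after enabling:  $(audit_autocheck_state)"
disable_autocheck
echo "after disabling: $(audit_autocheck_state)"
```

The "inconsistent" result is the one worth alerting on: a key present without a cron job, or a cron job without a key, means the host's state no longer matches either of the two documented states, which is exactly the situation the Service Account Login Fails and recreate-questusr notes above describe recovering from.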