Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

About Active Directory Configuration

The first time you install or upgrade the Authentication Services 4.x Windows tools in your environment, One Identity recommends that you configure Active Directory for Authentication Services. This is a one-time Active Directory configuration step that creates the Authentication Services application configuration in your forest. Authentication Services uses the information found in the Authentication Services application configuration to maintain consistency across the enterprise.

Note: Without the Active Directory configuration you can join Unix machines to Active Directory and if your domain supports Windows 2003 R2 Unix naming attributes, you can store Unix identity information in Active Directory. (See Configure Windows 2003 R2 Schema for details.)

The Authentication Services application configuration stores the following information in Active Directory:

  • Application Licenses
  • Settings controlling default values and behavior for Unix-enabled users and groups
  • Schema configuration

The Unix agents use the Active Directory configuration to validate license information and determine schema mappings. The Windows management tools read this information to determine the schema mappings and the default values they use when Unix-enabling new users and groups.

The Authentication Services application configuration information is stored inside a container object named cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=Quest Software,cn=Authentication Services,dc=<your domain>. This location is configurable.

There can only be one Active Directory configuration per forest. If multiple configurations are found, Authentication Services uses the one created first as determined by reading the whenCreated attribute. If another group in your organization has already created an application configuration, use the existing configuration. The only time this would be a problem is if different groups are using different schema mappings for Unix attributes in Active Directory. In that case, standardize on one schema and use local override files to resolve conflicts. You can use the Set-QasUnixUser and Set-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another. Refer to the PowerShell help for more information.

You can modify the settings using the Control Center Preferences. To change Active Directory configuration settings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.

In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName, description, and whenCreated attributes for container objects in the application configuration. For most Active Directory configurations, this does not require any change.

This table summarizes the required rights:

Table 3: Required rights

  Right                 Required for user                              Object class   Attributes
  Create Child Object   Authentication Services Administrators Only    Container      (none)
  Write Attribute       Authentication Services Administrators Only    Container      cn, displayName, description, showInAdvancedViewOnly
  Read Attribute        Authenticated Users                            Container      cn, displayName, description, whenCreated

At any time you can completely remove the Authentication Services application configuration using the Remove-QasConfiguration cmdlet. However, without the Authentication Services application configuration (or Windows 2003 R2 schema),

  • Unix agents will not load Unix identity from Active Directory
  • The management console will not find any Authentication Services licenses
  • The management console will not know which schema to use; thus, it will run as if Authentication Services had never been installed.
  • Authentication Services Active Directory-based management tools will not function

View the Authentication Services Agent Columns

If the information related to Authentication Services does not display in the management console, you can use the Columns menu in the View panel of the task bar to expose the Authentication Services-related columns in the management console; that is, the Authentication Services state column (represented by an icon), the Version column, and the Joined to Domain column.

To display the Authentication Services-related information

  1. From the All Hosts view, open the Columns menu, in the View panel, and choose Authentication Services.

    The Authentication Services columns display in the management console; that is, the Authentication Services state column (represented by an icon), the Authentication Services Version column, and the Joined to Domain column.

Note: Once you have opened (or closed) a column group, the management console remembers the setting from session to session. However, if you reinstall Management Console for Unix, it reverts to the default of showing all columns.

Set Authentication Services Software Path

During the installation process, the setup wizard copies the Authentication Services software packages to a default location on the local computer.

The default client directories are:

  • On Windows 32-bit platforms:
    %SystemDrive%\Program Files\Quest Software\Management Console for Unix\software\qas\<version#>
  • On Windows 64-bit platforms:
    %SystemDrive%\Program Files (x86)\Quest Software\Management Console for Unix\software\qas\<version#>
  • On Unix/Mac platforms:
    /opt/quest/mcu/software/qas/<version#>

If you plan to install Authentication Services or Defender client software packages, or run the AD Readiness check, you must ensure the path to the software packages is correctly set in System Settings.

To ensure the path to the Authentication Services software packages is correctly set

  1. Make note of where your Authentication Services client software packages are located.

  2. Ensure that System Settings points to that location:

    1. Log in with the supervisor account or an Active Directory account with rights to change System Settings; that is, an account in the Console Administration role. (See Console Roles and Permissions System Settings for details.)
    2. From the top-level Settings menu, navigate to System settings | Authentication Services.

    3. In the Path box, enter the path where the Authentication Services client software packages are located on the server and click OK.

    Notes: The path to the software packages must point to the folder containing the client directory. If the path to the software packages does not point to where the client files are, you can either change the path or copy the files to that location.

    When running Management Console for Unix on Windows, the location of the Authentication Services software packages must be accessible to the management console service, which runs as 'NT AUTHORITY\NetworkService'.

Check Host for AD Readiness

The Check for AD Readiness command performs a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain.

Note:

To check host(s) for Active Directory Readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the tool bar, and choose Check for AD Readiness.

  2. In the Check AD Readiness dialog, enter the Active Directory domain to use for the readiness check.

  3. Enter Active Directory user credentials, and click OK.

  4. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.

    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

  5. To check the results of the readiness check,

    1. Right-click the host on the All Hosts view of the Hosts tab, and choose Properties.

    2. Select the Readiness Check Results tab on the properties.

    3. Choose AD Readiness from the drop-down menu, if necessary.

    AD Readiness Check runs these tests:

    • Checks for supported operating system and correct OS patches
    • Checks for sufficient disk space to install software
    • Checks that the host name of the system is not 'localhost'
    • Checks if the name service is configured to use DNS
    • Checks /etc/resolv.conf for proper formatting of name service entries and that the name servers can be resolved
    • Checks for a name server that has the appropriate DNS SRV records for Active Directory
    • Selects a writable DC with port 389 (UDP) open to use for the checks
    • Displays AD site of user running checks, if available
    • Checks if port 464 (TCP) is open for Kerberos Kpasswd
    • Checks if port 88 (UDP and TCP) is open for Kerberos traffic
    • Checks if port 389 (TCP) is open for LDAP
    • Checks for Global Catalog and that port 3268 (TCP) is open to the GC
    • Checks for a valid time skew against the Active Directory DC
    • Checks for Authentication Services Application Configuration
    • Checks if port 445 (TCP) is open for Microsoft Directory Services

    A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered.

  6. If the Readiness Check completed with failures or advisories, correct the issue(s) and rerun the Readiness Check until all tests pass.
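The following is an added example, not the product's own readiness-check code, that models several of the tests listed above (host name, /etc/resolv.conf formatting, AD DNS SRV records, time skew, and the TCP port probes) so an administrator can see what each failure or advisory actually means before rerunning the check. It assumes the standard Active Directory SRV record names, Kerberos' default 5-minute clock-skew tolerance as the pass/fail limit, and models only the TCP probes (the UDP checks on 88 and 389 are omitted). The DC name, host name, resolv.conf content and port results used in the demo run are constructed.

```python
# Offline model of the AD readiness tests listed in this guide (added example, not the
# product's own code). Network and clock access are injected callables, so every test
# runs against constructed inputs; only the TCP probes are modelled (UDP 88/389 omitted).
import ipaddress
import socket
from datetime import datetime, timedelta, timezone

# TCP ports the readiness check probes on the selected DC (port numbers from the guide).
REQUIRED_PORTS = {464: "Kerberos kpasswd", 88: "Kerberos traffic", 389: "LDAP",
                  3268: "Global Catalog", 445: "Microsoft Directory Services"}
MAX_SKEW = timedelta(minutes=5)  # assumption: Kerberos' default 5-minute skew tolerance

def srv_record_names(domain):
    """Standard AD SRV names a DC advertises; _gc._tcp is published under the forest root."""
    d = domain.strip(".").lower()
    return [f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
            f"_kpasswd._tcp.{d}", f"_gc._tcp.{d}"]

def check_hostname(hostname):
    # The host name must not be 'localhost' (or empty).
    return hostname.strip().lower() not in ("", "localhost", "localhost.localdomain")

def parse_resolv_conf(text):
    """Return (nameservers, problems); each nameserver line needs one valid IP address."""
    nameservers, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "nameserver":
            if len(args) != 1:
                problems.append(f"line {lineno}: nameserver needs exactly one address")
                continue
            try:
                nameservers.append(str(ipaddress.ip_address(args[0])))
            except ValueError:
                problems.append(f"line {lineno}: invalid address {args[0]!r}")
        elif keyword in ("search", "domain", "options", "sortlist"):
            if not args:
                problems.append(f"line {lineno}: {keyword} has no value")
        else:
            problems.append(f"line {lineno}: unknown keyword {keyword!r}")
    if not nameservers:
        problems.append("no nameserver entries")
    return nameservers, problems

def check_time_skew(local_now, dc_now):
    """Return (ok, skew_seconds); a DC clock outside MAX_SKEW breaks Kerberos."""
    skew = abs(local_now - dc_now)
    return skew <= MAX_SKEW, int(skew.total_seconds())

def tcp_reachable(host, port, timeout=3.0):
    # Real probe: a completed TCP handshake means the port is open.
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ports(dc_host, reachable=tcp_reachable):
    """Probe every required port; `reachable` is injectable for offline runs."""
    return {port: reachable(dc_host, port) for port in REQUIRED_PORTS}

def run_readiness(hostname, domain, resolv_text, local_now, dc_now, dc_host,
                  reachable=tcp_reachable, srv_lookup=None):
    """Aggregate the tests into (test, passed, detail) rows like the results tab."""
    report = [("host name is not localhost", check_hostname(hostname), hostname)]
    nameservers, problems = parse_resolv_conf(resolv_text)
    report.append(("/etc/resolv.conf formatting", not problems,
                   "; ".join(problems) or ", ".join(nameservers)))
    if srv_lookup is not None:  # srv_lookup(name) -> True when the record resolves
        missing = [n for n in srv_record_names(domain) if not srv_lookup(n)]
        report.append(("AD DNS SRV records", not missing, ", ".join(missing) or "all present"))
    ok, skew = check_time_skew(local_now, dc_now)
    report.append(("time skew vs DC", ok, f"{skew}s (limit {int(MAX_SKEW.total_seconds())}s)"))
    for port, is_open in check_ports(dc_host, reachable).items():
        report.append((f"port {port}/tcp ({REQUIRED_PORTS[port]})", is_open, dc_host))
    return report

# Constructed sample inputs: one malformed nameserver, a DC clock 7 minutes ahead,
# port 445 filtered, and the _gc._tcp SRV record missing.
SAMPLE_RESOLV = "search example.com\nnameserver 10.0.0.53\nnameserver 10.0.0.999\n"
SAMPLE_LOCAL = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_DC = SAMPLE_LOCAL + timedelta(minutes=7)

def demo_report():
    return run_readiness("unixhost01", "example.com", SAMPLE_RESOLV, SAMPLE_LOCAL, SAMPLE_DC,
                         "dc01.windows.example.com", reachable=lambda host, port: port != 445,
                         srv_lookup=lambda name: not name.startswith("_gc._tcp"))

if __name__ == "__main__":
    for test, passed, detail in demo_report():
        print(f"{'PASS' if passed else 'FAIL'}  {test}: {detail}")
```

Running the module prints one PASS/FAIL row per test for the constructed inputs; replacing the lambdas with tcp_reachable and a real SRV resolver turns it into a live probe of a DC. Each row's detail (the malformed resolv.conf line, the missing SRV name, the skew in seconds, the filtered port) is the kind of information to act on before rerunning the Readiness Check.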