Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Management Console for Unix Installing Management Console for Unix Preparing Unix Hosts Working with Host Systems Managing Local Groups Managing Local Users Active Directory Integration Authentication Services Integration Privilege Manager Integration Reporting Setting Preferences Security Troubleshooting Tips
Auto Profile Issues Active Directory Issues Auditing and Compliance Cannot Create a Service Connection Point Check Authentication Services Agent Status Commands Not Available CSV or PDF Reports Do Not Open Database Port Number Is Already in Use Elevation Is Not Working Hosts Do Not Display Import File Lists Fakepath Information Does Not Display in the Console Java Applet Failures License Info in Report is not Accurate Out of Memory Error Post Install Configuration Fails on Unix or Mac Privilege Manager Feature Issues Profile Task Never Completes questusr Account was Deleted Readiness Check Failed Recovering From a Failed Upgrade Reports Are Slow Reset the Supervisor Password Running on a Windows 2008 R2 Domain Controller Service Account Login Fails Setting Custom Configuration Settings Single Sign-on (SSO) Issues JVM Memory Tuning Suggestions Start/Stop/Restart Management Console for Unix Service Tool Bar Buttons Are Not Enabled UID or GID Conflicts
System Maintenance Command Line Utilities Web Services Database Maintenance

Optional Join Commands

You can enter one or more of the following join commands on the Join Host to Active Directory dialog. Separate multiple commands with a single space.

Table 4: Optional Join commands
Option Description
-I cache export filename Load users and groups from the specified cache export file instead of from the network.
-c computer_name

Specify a different name for the computer object than the one usually generated from your host name. Specify either the FQDN or NetBIOS name for the computer object.

NOTE: If you specified a computer account on the Join Host to Active Directory dialog, the mangement console ignores this command and uses the computer account you specify on the dialog.
-c container

Specify the LDAP DN of the container where the computer will be created.

NOTE: If you specified a container on the Join Host to Active Directory dialog, the mangement console ignores this command and uses the container you specify on the dialog.
-l Do not apply Group Policy Settings (if Authentication Services for Group Policy is installed).
-w Enable workstation mode where users are not cached until they log on.
-U Load all users from the global catalog. The mangement console loads all Unix-enabled users in the forest, regardless of location and domain.
-G Load all groups from the global catalog. The mangement console loads all Unix-enabled groups in the forest, regardless of location and domain.
-r domain_list Specify a comma-separated list of alternate authentication domains, used for resolving simple names.
-u search_path Specify an alternate search path from which to populate the user's cache. You must specify a container object within your Active Directory forest in this search path.
-g search_path Specify an alternate search path from which to populate the group's cache. You must specify a container object within your Active Directory forest in this search path.
-s siteName Manually specify the site name for the selected host.
-p UPM_search_path Specify the path of the Primary Personality Container. This command supersedes the -u and -g settings. If the specified UPM search path does not exist, the join command will fail.
--skip-config Skip automatic system configuration of PAM, NSS, LAM and SIA subsystems.
--preload-nested-memberships After loading users and/or groups, query tokenGroups for all cached users to process nested group membership information.
--site-only-usn For USN queries, only use site servers. Use this command when non-site servers are unavailable, for example, blocked by a firewall.
--no-timesync Skip automatic time synchronization.

Unjoin Host from Active Directory

Unjoining a host from the mangement console removes the computer object from Active Directory, preventing further Active Directory user log on. This task does not remove the Authentication Services Agent software installed on the unjoined host.

Note: This task is only available when you are logged on as an Active Directory account in the Manage Hosts role.

To unjoin host(s) from Active Directory

  1. Select one or more hosts from the list on the All Hosts view, open the Unjoin menu tool bar button and choose Unjoin from Active Directory.

    Note: If unjoining multiple hosts, all hosts must be joined to the same domain.

  2. On the Unjoin Host from Active Directory dialog, enter the user credentials of an Active Directory user that has rights to delete computer objects from the Active Directory domain and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: To unjoin the host from Active Directory, Authentication Services requires you to have elevated (root) credentials to complete the task on the host side.

    A progress bar displays in the Task Progress pane. The final status of the task displays, including any failures or advisories encountered. If successfully unjoined, the Active Directory domain, previously listed in the Joined to Domain column, is replaced with the Ready to join icon if you have previously run Check for AD readiness; otherwise the Joined to Domain column is left empty.

Configure Host Access Control

The mangement console allows you to modify Authentication Services access settings. You can add Active Directory users or groups to the users.allow file for a single host or a selected group of hosts. This allows you to control Active Directory user access on Authentication Services hosts.

Note: The mangement console does not allow you to view or modify the users.deny file.

To view the users.allow file for a single host

  1. From the All Hosts view, right-click a host that is joined to an Active Directory domain.
  2. Select the Host Access Control option from the context menu.

    The Host Access Control tab lists the content of the users.allow file.

    Note: Users and Groups displayed in red text indicate that Authentication Services could not resolve the user/group in Active Directory.

To allow additional Active Directory users or groups to access a single host

  1. From the Host Access Control tab, click Manage Access.
  2. On the Host Access Control dialog, specify the name(s) you want to allow access to the selected host.

    You can either:

    • Type a name into the text box and click Add.

      -OR-

    • Click Select to browse for the Active Directory user or group name.

      Clicking Select opens the Select AD Object dialog.

    Once you have the name(s) listed on the Host Access Control dialog, click OK.

  3. On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.

    The console updates the users.allow file and the database accordingly.

To add or remove access for Active Directory users or groups on multiple hosts

  1. From the All Hosts view, select and right-click multiple hosts that are joined to an Active Directory domain.
  2. Select the Host Access Control option from the context menu.

    The Host Access Control dialog displays two list boxes: one in which to add users or groups, the other to specify users and groups to remove from the users.allow file.

  3. Specify or select names to add or remove and click OK.
  4. On the Log on to Host dialog, enter the user credentials to access the selected hosts and click OK.

    The console updates the users.allow file and the database accordingly.

Check QAS Agent Status

You can either check the health status of Authentication Services agents manually, or you can configure the mangement console to automatically check the QAS agent status and report any warnings or failures to the console.

Note: Running the Check QAS Agent Status commands requires:

  • you are logged on as an Active Directory account in the Manage Hosts role
  • the hosts have Authentication Services 4.0.3.78 (or later) Agent software installed

For more information, see Check QAS Agent Status Commands Not Available.

Related Documents