
Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


Add AD User to a Local Group

Once you have successfully joined a host to an Active Directory domain, use the Groups view on the host's properties to add an Active Directory user to a local group (or remove users from a group).

Note: This feature is only available when you are logged on as an Active Directory account in the Manage Hosts role. (See Console Roles and Permissions System Settings for details.)

To add an Active Directory user to a local group

  1. On the All Hosts view, right-click a host that is joined to an Active Directory domain and choose Groups.

    You can also double-click the host name to open its properties, then click the Groups tab.

  2. Double-click a local group name or right-click the group name and choose Properties to open its properties.

  3. On the group's properties, click the Members tab, open the Add menu and choose AD user.

  4. On the Select Unix-Enabled AD User dialog, search Active Directory to locate user(s) to add.

    Note: When searching Active Directory, the management console only lists Unix-enabled users. (See Unix-Enable an Active Directory User for details.)

    To find a particular user, you can filter the list of users: enter one or more characters in the Search by name box, and the management console automatically displays the users whose names contain the character(s) you enter.

    You can also click to select the container where you want to begin the search.

  5. Select one or more users from the list and click OK.

    The management console adds the selected user(s) to the list on the Members tab with an icon.

  6. Click OK on the Members tab to save your selections.

  7. On the Log on to Host dialog, enter the user credentials to access the selected host and click OK.

    This information is pre-populated if you saved the credentials for the host.

Note: To remove objects from a local group, select one or more objects from the list on the Members tab and click Remove User.

Mapping Local Users to Active Directory Users

Management Console for Unix provides a feature called "Require AD Logon" that lets you map local Unix user accounts to Active Directory user accounts. In other words, you specify an Active Directory user account with which a local user must authenticate when logging in to a Unix host. Active Directory password policies are then enforced: these users must use their Active Directory password together with either their local user name or their Active Directory log-on name. Local users retain all of their local Unix attributes, such as UID Number and Login Shell, but they authenticate using their Active Directory password.

Note: This feature is only available if you meet these criteria:

  • Authentication Services 4.x is installed on the client host
  • Your client host is joined to Active Directory
  • You are logged on as an Active Directory account in the Manage Hosts role. (See Console Roles and Permissions System Settings for details.)

Advantages of Requiring Users to Log in with Active Directory Authentication:

  • Provides a rapid deployment path to take advantage of Active Directory authentication
  • Kerberos authentication provides stronger security
  • Enables centralized access control
  • Enforces Active Directory Password policies
  • Provides a path for consolidating identities in Active Directory with the Ownership Alignment Tool (OAT)
  • Low impact to existing applications and systems on the Unix host
  • Easy to deploy with Authentication Services self enrollment

By "mapping" a local user to an Active Directory account, that user can log in with the Unix user name and the Active Directory password.
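The security value of the mapping described above is that a mapped local account keeps its Unix attributes but no longer has a usable local password, so Active Directory password policy applies. The following added example (not code from this guide or from the product) audits such a mapping from a defender's point of view: it cross-checks a local-user-to-AD-user mapping file against /etc/passwd and reports mappings whose local account no longer exists, interactive local accounts that are still not mapped (and therefore still rely on a local password), and AD accounts shared by several local users. The `local_user:ad_user` one-entry-per-line file format and the `user-map-files` name in vas.conf are assumptions made for this example, and the passwd and mapping contents are constructed sample data.

```python
"""Audit local-user -> AD-user mappings against /etc/passwd.

Assumptions (not taken from the guide): the mapping file holds one
``local_user:ad_user`` entry per line, with '#' comment lines, as read by
Authentication Services from the file(s) named in the ``user-map-files``
setting of vas.conf. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Shells that mark an account as non-interactive; such accounts are not
# expected to be mapped because nobody logs in with them.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
svc_backup:x:1002:1002:Backup service:/var/backup:/usr/sbin/nologin
bsmith:x:1003:1003:Bob Smith:/home/bsmith:/bin/sh
cfoo:x:1004:1004:Carl Foo:/home/cfoo:/bin/bash
ops1:x:1005:1005:Ops One:/home/ops1:/bin/bash
ops2:x:1006:1006:Ops Two:/home/ops2:/bin/bash
"""

# Constructed mapping file in the assumed local_user:ad_user format.
SAMPLE_USER_MAP = """\
# local_user:ad_user   (constructed sample; one entry per line)
jdoe:jane.doe@example.com
bsmith:bob.smith@example.com
oldadmin:old.admin@example.com
ops1:ops.shared@example.com
ops2:ops.shared@example.com
this line is malformed
"""


@dataclass
class LocalUser:
    name: str
    uid: int
    shell: str


@dataclass
class AuditReport:
    mapped: Dict[str, str] = field(default_factory=dict)          # local -> AD
    orphaned: List[str] = field(default_factory=list)             # mapped, no local account
    unmapped_interactive: List[str] = field(default_factory=list) # still local-password only
    shared_ad_accounts: Dict[str, List[str]] = field(default_factory=dict)


def parse_passwd(text: str) -> Dict[str, LocalUser]:
    """Parse passwd-format lines into a name -> LocalUser map; skip malformed rows."""
    users: Dict[str, LocalUser] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, _, shell = fields
        users[name] = LocalUser(name, int(uid), shell)
    return users


def parse_user_map(text: str) -> Tuple[Dict[str, str], List[Tuple[int, str]]]:
    """Parse local:ad entries; return (mapping, [(line_no, bad_line), ...])."""
    mapping: Dict[str, str] = {}
    errors: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.count(":") != 1:
            errors.append((lineno, stripped))
            continue
        local, ad = (part.strip() for part in stripped.split(":"))
        if not local or not ad or local in mapping:
            errors.append((lineno, stripped))  # empty side or duplicate local user
            continue
        mapping[local] = ad
    return mapping, errors


def audit(passwd: Dict[str, LocalUser], user_map: Dict[str, str],
          min_uid: int = 1000) -> AuditReport:
    """Cross-check the mapping against local accounts."""
    report = AuditReport()
    for local, ad in user_map.items():
        if local in passwd:
            report.mapped[local] = ad
        else:
            report.orphaned.append(local)  # stale entry: local account was removed
    for name, user in passwd.items():
        # Regular interactive accounts that are not mapped still use a local password.
        if user.uid >= min_uid and user.shell not in NOLOGIN_SHELLS and name not in user_map:
            report.unmapped_interactive.append(name)
    by_ad: Dict[str, List[str]] = {}
    for local, ad in report.mapped.items():
        by_ad.setdefault(ad, []).append(local)
    report.shared_ad_accounts = {ad: sorted(ls) for ad, ls in by_ad.items() if len(ls) > 1}
    return report


def run_sample() -> Tuple[AuditReport, List[Tuple[int, str]]]:
    """Run the audit over the constructed sample data."""
    passwd = parse_passwd(SAMPLE_PASSWD)
    user_map, errors = parse_user_map(SAMPLE_USER_MAP)
    return audit(passwd, user_map), errors


if __name__ == "__main__":
    report, errors = run_sample()
    print("mapped:", report.mapped)
    print("orphaned mappings:", report.orphaned)
    print("interactive accounts without AD logon:", report.unmapped_interactive)
    print("AD accounts shared by several local users:", report.shared_ad_accounts)
    print("malformed lines:", errors)
```

An orphaned entry is harmless on its own but signals that the mapping file is not maintained alongside account removal; an unmapped interactive account is the finding worth acting on, since it is the one that still authenticates with a local password outside Active Directory policy. Sharing one AD account among several local users is permitted by the console (see the All Local Users procedure) and is reported for review rather than as an error.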

Enable Local User for AD Authentication

This feature, also known as user mapping, allows you to associate an Active Directory user account with a local Unix user. Allowing a local user to log into a Unix host using Active Directory credentials enables that user to take advantage of the benefits of Active Directory security and access control.

To enable a local user for Active Directory authentication

  1. In the management console, navigate to Hosts | All Hosts.

  2. Double-click a host to open its properties.

  3. From a host's properties, select the Users tab and double-click a local user account to open its Properties.

    Note: To set up the local user, see Add Local User.

  4. On the AD Logon tab, select the Require an AD Password to logon to Host option, and click Select.

  5. On the Select AD User dialog, select the AD user account and click OK.

    Note: To set up the Active Directory user, see Add an Active Directory User Account.

  6. On the local user's properties, click OK.

  7. On the Log on to Host dialog, verify your credentials to log onto the host and click OK.

    Note: This task requires elevated credentials.

    You have now "mapped" a local user to an Active Directory user, and the AD User column in the management console indicates that the local user account requires an Active Directory password to log on to the host.

You can also map multiple Unix users to use a single Active Directory account using the Require AD Logon pane on the All Local Users tab.

To assign (or "map") a Unix user to an Active Directory user

  1. From the All Local Users tab, select one or more local Unix users.
  2. In the Require AD Logon pane, click the Search button to populate the list of Active Directory users.

    (Click the Directory button to search in a specific folder.)

  3. Select an Active Directory user and click the Require AD Logon to Host button at the bottom of the Require AD Logon pane.
  4. On the Log on to Host dialog, verify your credentials to log onto the host and click OK.

    Note: This task requires elevated credentials.

The Active Directory user assigned to the selected local Unix user displays in the AD User column of the All Local Users tab.

List Local Users Required to Use AD Authentication

You can view a list of the host accounts that are required to log on using a particular Active Directory account from the All Local Users tab of the management console.

Note: This feature is only available when you are logged on as an Active Directory account in the Manage Hosts role. (See Console Roles and Permissions System Settings for details.)

To view local user accounts required to log on with an Active Directory Account

  1. From the All Local Users tab of the management console, click the AD User column title to sort the list of users by those required to log on with an Active Directory user account.
  2. Right-click a user name and choose Properties to open its properties.
  3. Select the AD Logon tab to view or modify the Active Directory user properties.

To see which local user accounts are enabled to use Active Directory account credentials

  1. From the Active Directory tab, search for users.
  2. Double-click a user name to open its properties.
  3. Select the Local User Accounts tab to display a list of all the local user accounts that are required to log on using the selected Active Directory user account.

Note: The Local Unix Users with AD Logon report is another way to identify the local user accounts that are required to use Active Directory credentials. (See Reports.)
