Safeguard Authentication Services 4.1.5 - Management Console for Unix Administration Guide


Host Reports

Table 11: Host reports
Report Description
Authentication Services Readiness

Provides a snapshot of the readiness of each host to join Active Directory. This report is best used for planning and monitoring migration projects. The basic report includes the following information:

  • Total number of hosts
  • Total number, percentage and names of the hosts ready to join
  • Total number, percentage and names of the hosts ready to join with advisories
  • Total number, percentage and names of the hosts not ready to join
  • Total number of hosts not checked for AD readiness

Use the following report parameters to define details to include in the report.

  • Joined to AD
  • Ready to Join AD
  • Ready to Join AD with Warnings
  • Not Ready to Join AD
  • Not Checked for Readiness

NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

Privilege Manager Readiness

Provides a snapshot of the readiness of each host to join a policy group. The basic report includes the following information:

  • Total number of hosts
  • Total number, percentage and names of the hosts ready to join
  • Total number, percentage and names of the hosts not ready to join
  • Total number of hosts not checked for readiness

Use the following report parameters to define details to include in the report.

  • Joined to a policy group
  • Ready to join a policy group
  • Ready to join a policy group with warnings
  • Not ready to join a policy group
  • Not checked for readiness

NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Sudo Policy role or the Audit Sudo Policy role.

Unix Computers in AD

Lists all Unix computers in Active Directory in the requested scope.

By default, this report is created using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.

Unix Host Profiles

Summarizes information gathered during the profiling process of each managed host. This report includes the following information:

  • Total number of hosts included in the report
  • Host Name, IP Address, OS, Hardware
  • Sudo version number

Use the following report parameters to define details to include for each host.

  • Authentication Services Properties
  • Privilege Manager Properties
  • Local Users
  • Local Groups
  • Host SSH Keys
  • Installed One Identity Software

NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

User Reports

Table 12: User reports
Report Description
AD User Conflicts

Returns all users with Unix User ID numbers (UID numbers) assigned to other Unix-enabled user accounts.

By default, it creates this report using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.

Local Unix User Conflicts

Identifies local user accounts that would conflict with a specified user name and UID on other hosts. You can use this report for planning user consolidation across your hosts. This report includes the following information:

  • Host Name, DNS Name or IP Address where a conflict would occur
  • User Name, UID Number, Primary GID Number, Comment (GECOS), Home Directory and Login Shell for each host where conflicts exist

Use the following report parameters to define the user name and UID number that would cause a conflict with existing local user accounts:

  • User Name is
  • UID Number is

NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

Local Unix Users

Lists all users on all hosts or lists the hosts where a specific user account exists in /etc/passwd. This report includes the following information:

  • Host Name, DNS Name or IP Address where the user exists
  • User Name, UID Number, Primary GID Number, Comment (GECOS), Home Directory, and Login Shell for each host where the user exists

If you do not define a specific user, it includes all local users on each profiled host in the report.

To locate a specific user, use the following report parameters:

  • User Name contains
  • UID Number is
  • Primary GID Number is
  • Comment (GECOS) contains
  • Home Directory contains
  • Login Shell contains

NOTE: When you specify multiple report parameters, it uses the AND expression; therefore, ALL of the selected parameters must be met in order to locate the user account.

NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

Local Unix Users with AD Logon

Identifies the local user accounts that are required to use Active Directory credentials to log onto the Unix hosts. This report includes the following information for hosts that are joined to an Active Directory domain:

  • Host Name, DNS Name or IP Address of hosts where users exist that are required to log on using their AD credentials
  • User Name, UID Number, Primary GID Number and Comment (GECOS) of local user account
  • The SAM account Name of the Active Directory account that the local user account must use to log on

NOTE: This report only includes hosts joined to an Active Directory domain with an Authentication Services 4.x agent.

NOTE: This report is only available when the host has Authentication Services 4.x or later installed and is joined to Active Directory. You must be logged in with an Active Directory account in the Manage Hosts role.

Master /etc/passwd List

Provides a consolidated list of all user accounts from all hosts, excluding any local users marked as system users. This report includes the following information:

  • Username
  • Empty password
  • UID
  • GID
  • GECOS
  • Home directory path
  • Account's shell

You can consolidate the list of user accounts by matching values for accounts across multiple hosts. Accounts found with matching values are listed as a single local account. This list is best used for migrating local users to Active Directory.

Indicate how you want to match user accounts by selecting the value parameters that you want to match:

  • Username
  • UID
  • GID
  • GECOS
  • Home Directory
  • Shell

Optionally, you can include the host name for the accounts, as well:

  • Include the host name for accounts

NOTE: If you select the Include the host name for accounts option, the management console adds a column to the Master_etc_passwdList .csv file to identify the host for each user account. One Identity provides the Host column information to help you resolve the entries in the file. However, before you import the .csv file into the Unix Account Import Wizard, you must remove the Host column.

You can easily migrate local users to Active Directory by exporting the Master /etc/passwd List report, then importing it into the Unix Account Import Wizard, accessible from the Control Center's Tools link. The Unix Account Import Wizard is a versatile tool that helps migrate Unix account information to Active Directory. It is especially well suited to small, one-shot import tasks such as importing all the local user accounts from a specific Unix host. The Unix Account Import Wizard can import Unix data as new user and group objects or use the data to Unix-enable existing users and groups.

NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.
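
The consolidation, conflict check and Host-column removal described in the Local Unix User Conflicts and Master /etc/passwd List entries, shown as an added Python example that is not One Identity's code or the console's implementation. The host names, sample passwd lines, CSV column names and the conflict rule (an entry shares the name or the UID, but not both) are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: passwd lines from three hypothetical hosts.
SAMPLE = {
    "web01": ["alice:x:1001:100:Alice A:/home/alice:/bin/bash",
              "bob:x:1002:100:Bob B:/home/bob:/bin/sh"],
    "db01": ["alice:x:1001:100:Alice A:/home/alice:/bin/bash",
             "bob:x:1500:100:Bob B:/home/bob:/bin/sh"],
    "app01": ["carol::1002:100:Carol C:/home/carol:/bin/bash"],
}
# Column names are assumptions modelled on the report's field list.
FIELDS = ["Username", "Password", "UID", "GID", "GECOS", "Home Directory", "Shell"]


def parse(hosts):
    """Return one dict per well-formed passwd entry, tagged with its host."""
    records = []
    for host, lines in hosts.items():
        for line in lines:
            parts = line.rstrip("\n").split(":")
            if len(parts) != len(FIELDS):
                continue  # malformed line: skip rather than guess
            rec = dict(zip(FIELDS, parts))
            rec["Host"] = host
            rec["Empty password"] = rec.pop("Password") == ""
            records.append(rec)
    return records


def consolidate(records, match_on):
    """Group entries whose values agree on every field in match_on."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[f] for f in match_on)].append(rec["Host"])
    return dict(groups)


def conflicts_with(records, name, uid):
    """Entries that share the name or the UID, but not both (assumed rule)."""
    return sorted((r["Host"], r["Username"], r["UID"]) for r in records
                  if (r["Username"] == name) != (r["UID"] == uid))


def drop_host_column(csv_text):
    """Rewrite an exported CSV without its Host column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    cols = [c for c in (reader.fieldnames or []) if c != "Host"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=cols, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(reader)
    return out.getvalue()


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for key, hosts in consolidate(recs, ["Username", "UID"]).items():
        print(key, hosts)
    print(conflicts_with(recs, "bob", "1002"))
```

Matching on Username alone merges the two bob entries into one account even though their UIDs differ, which is why the conflict check is worth running before the import.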

Unix-Enabled AD Users

Lists all Active Directory users that have Unix user attributes.

NOTE:

  • A User object is considered to be 'Unix-enabled' if it has values for the UID Number, Primary GID Number, Home Directory and Login Shell.
  • If Login Shell is /bin/false, the user is considered to be disabled for Unix or Linux logon.
  • Account Disabled indicates whether the Active Directory User account is enabled or disabled.

By default, it creates this report using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

NOTE: This report is only available if you have configured the management console to recognize Active Directory objects (see Configuring the Console to Recognize Unix Attributes in AD), and you are logged on as an Active Directory account in the Manage Hosts role.

Group Reports

Table 13: Group reports
Report Description
AD Group Conflicts

Lists all Active Directory groups with Unix Group ID (GID) numbers assigned to other Unix-enabled groups.

By default, it creates this report using the default domain as the base container. Browse to search Active Directory to locate and select the base container to begin the search.

NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.

Local Unix Groups

Identifies the hosts where a specific group exists in /etc/group. This report includes the following information:

  • Host Name, DNS Name or IP Address where the group exists
  • Group Name, GID Number, and members for each host where the group exists

If you do not specify a group, it includes all local groups on each profiled host in the report.

To locate a specific group, use the following report parameters:

  • Group Name contains
  • GID Number is
  • Member contains
  • Include all group members in report

NOTE: The Member contains field accepts multiple entries separated by a comma. Spaces are taken literally in the search. For example, entering:

  • adm, user searches for members whose name contains 'adm' or ' user'
  • adm,user searches for members whose name contains 'adm' or 'user'.

NOTE: When you specify multiple report parameters (for example, Group Name contains, GID Number is, and Member contains), it uses the AND expression; therefore, ALL of the selected parameters must be met in order to locate a group.

In addition, it includes all of the group members in the report by default, but you can clear the Include all group members in report option.

NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Hosts role.

Unix-Enabled AD Groups

Lists all Active Directory groups that have Unix group attributes.

NOTE: A Group object is considered 'Unix-enabled' if it has a value for the GID Number.

By default, it creates this report using the default domain as the base container. Browse to search Active Directory to locate and select a different base container to begin the search.

NOTE: This report is only available if you have configured the management console to recognize Active Directory objects (see Configuring the Console to Recognize Unix Attributes in AD), and you are logged on as an Active Directory account in the Manage Hosts role.

Access & Privileges Reports

Note: The Access & Privileges reports do not report on users and groups from a NIS domain.

Table 14: Access & Privileges reports
Report Description
Access & Privileges by Host

Identifies all users with log-on access to hosts and the commands the users can run on the hosts. This report includes the following information:

  • Total number of users that can log on to the host
  • The users that can log on to the host
  • The commands users can run on the host
  • The runas aliases for which the user can run commands on the host
  • The commands the runas alias can run on the host

Browse to select a host.

Optionally, select the Show detailed report option.

Note: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.

Access & Privileges by User

Identifies the users with log-on access to hosts, the commands that user can run on each host, and the "runas aliases" information for that user. This report includes the following information:

  • Total number of hosts where the user can log on
  • The hosts where the user can log on
  • The commands the user can run on each host
  • The runas aliases for which the user can run commands on each host
  • The commands the runas alias can run on each host

Use the following report parameters to specify the user to include in the report:

  • A local user (default)
  • An AD user

Browse to select a user.

Optionally select the Show detailed report option.

NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.

Commands Executed

Provides details about the commands executed by users on hosts joined to a policy group, based on their privileges and recorded as events or captured in keystroke logs by Privilege Manager. This report allows you to search for commands that have been recorded as part of events or keystroke logs for a policy group and includes the following information:

  • Command name
  • User who executed the command
  • Date and time the command was executed
  • Host where the command was executed

Use the following report parameters to define details in the report:

  • Policy Group
  • Command
  • Host
  • Log status
  • Date

NOTE: You can use wildcards in the text string you enter in the "Command" box, such as * and ?.

NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.

Console Access and Permissions

Lists users who have access to the management console based on membership in a console role and the permissions assigned to that role. This report includes the following information:

  • List of roles
  • List of permissions assigned to each role
  • List and number of members assigned to each role

NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Console Access role. However, when you access this report as supervisor, the management console requires that you authenticate to Active Directory.

Logon Policy for AD User

Identifies the hosts where Active Directory users have been granted log on permission. This report includes the following information for hosts joined to an Active Directory domain:

  • Total number of hosts where the AD user has access
  • List of hosts where the AD user has access

Specify the Active Directory users to include in the report:

  • All AD users (default)
  • Select AD user

Browse to search Active Directory to locate and select an Active Directory user.

NOTE: The report might show both the Active Directory login name and local user name(s) in the Login Name column for a selected AD user account because an Active Directory user account can have one or more local user accounts mapped to it.

NOTE: Only hosts joined to an Active Directory domain with an Authentication Services 4.x agent are included in this report.

NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.

Logon Policy for Unix Host

Identifies the Active Directory users that have been explicitly granted log on permissions for one or more Unix computers. This report includes the following information for hosts joined to an Active Directory domain:

  • Host Name, DNS Name or IP Address of the host selected for the report
  • Users that have been granted permission to log on

Specify the managed hosts to include in the report:

  • All profiled hosts (default)
  • Select host

Browse to locate and select a managed host that is joined to Active Directory.

NOTE: This report only includes hosts joined to an Active Directory domain with an Authentication Services 4.x agent.

NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.

Policy Changes

Provides details of changes made to a policy for a Privilege Manager policy group. This report includes the following information:

  • Name of the user that made changes to the policy
  • Version number for the changes
  • Time and date the changes were saved and actively used to enforce policy
  • Changes made to the policy based on version

Select a policy group.

Select either to:

  • Show all changes to the policy
  • Show only changes for a specific pmpolicy file (not available for sudo-based policy)
  • Show changes to the policy for one or more revisions

NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.