
Safeguard Authentication Services 4.1.5 - Upgrade Guide


Profile automatically

To keep the Management Console for Unix database up to date with accurate information about users, groups, and One Identity products, you can configure the management console to profile hosts automatically.

BEST PRACTICE: Configure newly added hosts for auto-profiling before you perform any other actions so that the management console dynamically updates user and group information. (See UID or GID Conflicts in online Help.)

Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changes on the host, it triggers a profile operation.

The cron job detects changes to the following:

  • local users, groups, or shells
  • installed Authentication Services or Privilege Manager software
  • Authentication Services access control lists
  • Authentication Services mapped user information
  • Privilege Manager configuration
  • Authentication Services configuration
  • Privilege Manager licenses

The cron job also sends a heartbeat every day. This updates the Last profiled date displayed on the host properties. If the Last profiled date is more than 24 hours old, the host icon changes to indicate no heartbeat.

To configure automatic profiling

  1. Select one or more hosts on the All Hosts view, open the Profile menu from the Prepare panel of the tool bar, and choose Profile Automatically.

    Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same ‘Auto-profile’ state; that is, they all have ‘Auto-profile’ turned on, or they all have ‘Auto-profile’ turned off.

  2. In the Profile Automatically dialog, select the Profile the host automatically option.
  3. Choose the user account you want to use for profiling, either:
    • Create a user service account on the host

      When you choose to create the user service account on the host, if it does not already exist, the management console does the following:

      1. Creates "questusr", the user service account, and a corresponding "questgrp" group on the host that the management console uses for automatic profiling.
      2. Adds questusr as an implicit member of questgrp.

      -OR-

    • Use an existing user account (user must exist on all selected hosts)

      (Click Select to browse for a user.)

  4. Click OK on the Profile Automatically dialog.

    Whether you choose to create the user service account or use an existing user account, the management console:

    • Adds the user account (the "questusr" or your existing user account) to the cron.allow file, if necessary. For example, the console takes no action if the cron.allow file does not already exist, but there is a cron.deny file:

      cron.allow exists | cron.deny exists | Console's action                                    | Resultant user access
      ------------------|------------------|-----------------------------------------------------|-------------------------------------------------------------------------------------------
      NO                | NO               | Creates cron.allow and adds root and questusr to it | Both root and questusr have access.
      NO                | YES              | No action                                           | All users have access except those in cron.deny; questusr has access unless explicitly denied.
      YES               | NO               | Adds questusr to cron.allow                         | Users in cron.allow have access.
      YES               | YES              | Adds questusr to cron.allow                         | Users in cron.allow have access unless in cron.deny.

    • Adds the auto-profile SSH key to questusr's authorized_keys, /var/opt/quest/home/questusr/.ssh/authorized_keys.
    • Verifies that the service account user can log in to the host.

    Note: If you receive an error message saying you could not log in with the user service account, refer to Service Account Login Fails in online Help to troubleshoot this issue.

    The questusr account is a non-privileged account that does not require root-level permissions. The console uses this account only to gather information about existing users and groups in a read-only fashion; the management console does not use the questusr account to make changes to any configuration files.

    If questusr is inadvertently deleted from the console, the console turns ‘Auto-profiling’ off.

    To recreate the "questusr" account

    1. Re-profile the host.
    2. Reconfigure the host for automatic profiling.
  5. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials.

    If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

To disable automatic profiling

  1. Select one or more hosts on the All Hosts view and choose Profile Automatically.
  2. Clear the Profile the host automatically option and click OK.
  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

When you disable auto-profiling for a host, the management console:

  1. leaves the "questusr" and the corresponding "questgrp" accounts on the host, if they were previously created.
  2. leaves questusr as an implicit member of questgrp, if it exists.
  3. removes the user account (the "questusr" or your existing user account) from the cron.allow file.
  4. removes the auto-profile SSH key from that user's authorized_keys file.
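The cron.allow/cron.deny table above and the disable steps just listed, as an added shell example that is not One Identity's code: the file paths are parameters so the functions can be exercised against a scratch directory, and the "resultant access" rule is reproduced exactly as the table states it.

```shell
# Added example, not One Identity's code: the cron.allow/cron.deny decision table and the
# authorized_keys changes described above, with file paths as parameters so it can run
# against a scratch directory (on a real host: /etc/cron.allow, /etc/cron.deny and
# /var/opt/quest/home/questusr/.ssh/authorized_keys).

# ensure_cron_allowed USER CRON_ALLOW CRON_DENY -- the four table rows
ensure_cron_allowed() {
    user=$1; allow=$2; deny=$3
    if [ ! -f "$allow" ]; then
        # cron.allow absent but cron.deny present: no action (access unless explicitly denied)
        [ -f "$deny" ] && return 0
        # neither file exists: create cron.allow listing root and the service account
        printf 'root\n%s\n' "$user" > "$allow"
        return 0
    fi
    # cron.allow exists (with or without cron.deny): list the account exactly once
    grep -qx "$user" "$allow" || printf '%s\n' "$user" >> "$allow"
}

# cron_access USER CRON_ALLOW CRON_DENY -- prints the table's "resultant access"
cron_access() {
    user=$1; allow=$2; deny=$3
    if [ -f "$allow" ] && ! grep -qx "$user" "$allow"; then echo denied; return 0; fi
    if [ -f "$deny" ] && grep -qx "$user" "$deny"; then echo denied; return 0; fi
    echo allowed
}

# ensure_ssh_key AUTHORIZED_KEYS PUBKEY_LINE -- add the auto-profile key once
ensure_ssh_key() {
    keys=$1; pubkey=$2
    [ -f "$keys" ] || : > "$keys"
    grep -qxF "$pubkey" "$keys" || printf '%s\n' "$pubkey" >> "$keys"
}

# revoke_autoprofile USER CRON_ALLOW AUTHORIZED_KEYS PUBKEY_LINE -- the disable step:
# drop the account from cron.allow and the key from authorized_keys; the questusr and
# questgrp accounts themselves are left in place, as the text says
revoke_autoprofile() {
    user=$1; allow=$2; keys=$3; pubkey=$4
    if [ -f "$allow" ]; then
        grep -vx "$user" "$allow" > "$allow.tmp" || :    # grep exits 1 if nothing remains
        mv "$allow.tmp" "$allow"
    fi
    if [ -f "$keys" ]; then
        grep -vxF "$pubkey" "$keys" > "$keys.tmp" || :
        mv "$keys.tmp" "$keys"
    fi
}
```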

Check readiness

Once you install the software on your remote hosts, the management console allows you to perform a series of tests to verify that a host meets the minimum requirements to join an Active Directory domain. Running the readiness checks does NOT require elevated privileges.

Note: This task is only available when you are logged on as supervisor or as an Active Directory account in the Manage Hosts role. (See Roles and Permissions System Settings in the management console online Help for more information.)

To check host(s) for Active Directory Readiness

  1. Select one or more hosts on the All Hosts view of the Hosts tab, open the Check menu from the Prepare panel of the tool bar, and choose Check for AD Readiness.
  2. In the Check AD Readiness view, enter the Active Directory domain to use for the readiness check.
  3. Enter Active Directory user credentials, and click OK.
  4. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, including any failures or advisories encountered. To see the AD Readiness check results, open the host's property page and select the Readiness Check Results tab.

Install software on hosts

Once you have successfully added and profiled one or more hosts, and checked them for AD Readiness, you can remotely deploy software products to them from the management console.

To install Authentication Services software on hosts

  1. Select one or more profiled hosts on the All Hosts view and click the Install Software tool bar button.

    Note: The Install Software tool bar menu is enabled when you select hosts that are profiled.

    The tool bar button will not be active if

    • You have not selected any hosts.
    • You have selected multiple hosts with different states (added, profiled, or joined).

  2. On the Install Software dialog, select the Authentication Services software products you want to install and click OK.
    • Authentication Services Agent (Required) - Select to allow Active Directory users access to the selected host. Authentication Services provides centralized user and authentication management. It uses Kerberos and LDAP to provide secure data transport and an authentication framework that works with Microsoft Active Directory. Components include: vasd, nss_vas, pam_vas, and vastool.
    • Authentication Services for Group Policy (Required) - Select to install the Group Policy component which provides Active Directory Group Policy support for Unix, Linux, and Mac OS X platforms.
    • Authentication Services for NIS - Select to install the NIS Proxy component which provides the NIS compatibility features for Authentication Services. vasyp is a NIS daemon that acts as a ypserv replacement on each host.
    • Authentication Services for LDAP - Select to install the LDAP Proxy component which provides a way for applications that use LDAP bind to authenticate users to Active Directory without using secure LDAP (LDAPS). Instead of sending LDAP traffic directly to Active Directory domain controllers, you can configure applications to send plain text LDAP traffic to vasldapd by means of the loopback interface. vasldapd proxies these requests to Active Directory using Kerberos as the security mechanism.
    • Dynamic DNS Updater - Select to install the Dynamic DNS Updater component which provides a way to dynamically update host records in DNS and can be triggered by DHCP updates.
    • Defender PAM Module - Select to install the Defender authentication components for PAM based Unix/Linux systems. Includes PAM module, documentation and utilities to appropriately configure the PAM subsystem for Active Directory/Defender OTP authentication.

    Note: You must install the Authentication Services Agent and the Group Policy packages.

    Note: If you do not see all of these software packages, verify that the path to the software packages is correctly set in System Settings. (Refer to Set the Authentication Services Client Software Location on the Server in the management console online help for details.)

  3. On the Log on to Host dialog, enter the user credentials to access the selected host(s) and click OK.

    Note: This task requires elevated credentials.

    If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) or enter different credentials for each host.

    1. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your credentials to log on to access the selected host(s) and click OK.
    2. If you selected multiple hosts and the Enter different credentials for each selected host option, it displays a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the grid to activate it and enter the data.

Upgrade Authentication Services client components manually

The easiest way to upgrade Authentication Services client components is from Management Console for Unix. Once you have successfully added and profiled one or more hosts, you can remotely deploy software products to them from the management console. (For more information, see Configure Unix agent components.)

You can also upgrade your Authentication Services client components from the Unix command line, if you prefer.
