Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Upgrade Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services What's new in Authentication Services 4.1 Upgrade from 3.5 to 4.1 considerations Upgrade the web console Upgrade Authentication Services Windows components Configure Active Directory for Authentication Services Configure Unix agent components Upgrade Authentication Services client components manually Getting started with Authentication Services Troubleshooting

Global Unix Options

The Global Unix Options section displays the currently configured options for Unix-enabling users and groups.

Click Modify Global Unix Options to change these settings.

Note: Authentication Services uses the Global Unix Options when enabling users and groups for Unix log in.

Table 17: Unix User Defaults
Option Description

Require unique user login names

Select to require a unique user login name attribute within the forest.

Require unique UID on users

Select to require a unique user's Unix ID (UID) number within the forest.

Minimum UID Number

Enter a minimum value for the Unix User ID (UID) number. Typically you set this to a value higher than the highest UID among local Unix users to avoid conflicts with users in Active Directory and local user accounts.

Maximum UID Number

Enter a maximum value for the Unix User ID (UID) number. Typically you would not change this value unless you have a legacy Unix platform that does not support the full 32-bit integer range for UID number.

Primary GID Number

Enter the default value for the Primary GID number when Unix-enabling a user.

Set primary GID to UID

Select to set the primary GID number to the User ID number.

Default Comments (GECOS)

Enter any text in this box.

Login Shell

Enter the default value for the login shell used when Unix-enabling a user.

Home Directory

Enter the default prefix used when generating the home directory attribute when Unix-enabling a user. The default value is /home/; use a different value if your Unix user home directories are stored in another location on the file system. Authentication Services uses the user's effective Unix name when generating the full home directory path.

Use lowercase user name for home directory

Select to use a lower-case representation of the user's effective Unix name when generating the full home directory path as a user is Unix-enabled.

Table 18: Unix Group Defaults
Option Description
Require unique Group Names Select to require a unique Unix group name attribute within the forest.
Require unique GID Number Select to require a unique Unix Group ID (GID) attribute within the forest.
Minimum GID Number Enter the minimum value for the Unix Group ID (GID). Typically this is set to a value higher than the highest GID among local Unix groups to avoid conflicts with groups in Active Directory and local group accounts.
Maximum GID Number Enter the maximum value for the Unix Group ID (GID). Typically you would not change this value unless you have a legacy Unix platform that does not support the full 32-bit integer range for GID.

These options control the algorithms used to generate unique user and group IDs.

Table 19: Unique IDs
Option Description
Object GUID Hash An ID generated from a hash of the user or group object GUID attribute. This is a fast way to generate an ID which is usually unique. If the generated value conflicts with an existing value, the ID is re-generated by searching the forest.
Samba Algorithm An ID generated from the SID of the domain and the RID of the user or group object. This method works well when there are few domains in the forest. If the generated value conflicts with an existing value, the ID is re-generated by searching the forest.
Legacy Search Algorithm An ID generated by searching for existing ID values in the forest. This method generates an ID that is not currently in use.

Modifications you make to these Global Unix Options take effect after you restart the Microsoft Management Console (MMC).

BEST PRACTICE: It is a best practice to either use the generated default IDs or set the ID manually. Mixing the two methods can lead to ID conflicts.

Logging options

The Logging Options section allows you to enable logging for all Authentication Services Windows components. This setting only applies to the local computer. Logging can be helpful when trying to troubleshoot a particular problem. Because logging causes components to run slower and use more disk space, you should set the Log Level to disabled when you are finished troubleshooting.

Enable debug logging on Windows

To enable debug logging for all Authentication Services Windows components

  1. Open Control Center and click the Preferences navigation button on the left panel.
  2. Expand the Logging Options section.
  3. Open the Log level drop-down menu and set the log level to Debug.

    Debug generates the most log output. Higher levels generate less output. You can set the Log level to Disabled to disable logging.

  4. Click to specify a folder location where you want to write the log files.

    Authentication Services Windows components log information into the specified log folder the next time they are loaded. Each component logs to a text file named after the DLL or EXE that generates the log message.

Custom Unix attributes

The Unix schema attributes are fully customizable in Authentication Services. The Custom Unix Attributes section allows you to see which LDAP attributes are mapped to Unix attributes. You can modify this mapping to enable Authentication Services to work with any schema configuration. To customize the mapping, you select a schema template or specify your own custom attributes. A schema template is a pre-defined set of common mappings which adhere to common schema extensions for storing Unix data in Active Directory. Authentication Services supports the following schema templates if the required schema is installed:

Table 20: Unix schema attributes
Schema Template Description

Schemaless

A template that encodes Unix attribute data in an existing multi-valued attribute.

Windows R2

A template that uses attributes from the Windows 2003 R2 schema extension.

Services for Unix 2.0

A template that uses attributes from the SFU 2.0 schema extension.

Services for Unix 3.0

A template that uses attributes from the SFU 3.0 schema extension.

BEST PRACTICE: Use a schema designed for storing Unix data in Active Directory whenever possible. Schemas designed for storing Unix data in Active Directory include: Windows 2003 R2, SFU 2, and SFU 3. Only use "schemaless" or custom mappings if it is impossible to make schema extensions in your environment.

NOTE: If you are running Authentication Services without an application configuration in your forest and your domain supports Windows 2003 R2, you can enable Authentication Services to use the Windows 2003 R2 schema. However, please note, some functionality provided by the Authentication Services application configuration will be unavailable. (For more information, see Configure Windows 2003 R2 Schema in the mangement console online Help.)

Related Documents