Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Upgrade Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services What's new in Authentication Services 4.1 Upgrade from 3.5 to 4.1 considerations Upgrade the web console Upgrade Authentication Services Windows components Configure Active Directory for Authentication Services Configure Unix agent components Upgrade Authentication Services client components manually Getting started with Authentication Services Troubleshooting

Change the default Unix attributes

You can modify the Unix attributes that are generated by default when users are Unix-enabled. To change the Login Shell you must have rights to create and delete child objects in the Authentication Services application configuration in Active Directory.

To change the default Unix attributes

  1. Click the Preferences navigation button on the left panel of the Control Center.
  2. Expand Global Unix Options.

    The window displays the current settings for Unix-enabling users, groups and the method used for creating unique IDs.

  3. Click Modify Global Unix Options on the right side of the window.

    The Modify Global Options dialog opens.

  4. Change the Login Shell to /bin/bash and click OK.

    The defaults are saved to Active Directory.

Note: Now, when you Unix-enable a user from Active Directory Users and Computers, PowerShell, or the Unix command line, the login shell defaults to /bin/bash. You can customize the other Unix defaults similarly.

Active Directory account administration

The topics that follow show you how to perform Active Directory account administration from Management Console for Unix for hosts that are joined to Active Directory.

Enable local user for AD authentication

This feature, also known as user mapping, allows you to associate an Active Directory user account with a local Unix user. Allowing a local user to log into a Unix host using Active Directory credentials enables that user to take advantage of the benefits of Active Directory security and access control.

To enable a local user for Active Directory authentication

  1. From the mangement console Host tab's All Hosts view, double-click a host to open its properties.
  2. Select the Users tab and double-click the localuser account to open its properties.

    Note: To set up this local user account, see Add local user account.

  3. On the AD Logon tab, select the Require an AD Password to logon to Host option, and click Select.
  4. On the Select AD User dialog, click the Search button to populate the list of Active Directory users, select the ADuser account, and click OK.

    Note: To set up this Active Directory user, see Add an Active Directory user account.

  5. On the localuser's properties, click OK.
  6. On the Log on to Host dialog, verify your credentials to log onto the host and click OK.

    You have now "mapped" a local user to an Active Directory user and the mangement console indicates that the local user account requires an Active Directory password to log onto the Host in the AD User column.

You can also map multiple Unix users to use a single Active Directory account using the Require AD Logon pane on the All Local Users tab.

To assign (or "map") a Unix user to an Active Directory user

  1. From the All Local Users tab, select one or more local Unix users.
  2. In the Require AD Logon pane, click the Search button to populate the list of Active Directory users.

    (Click the Directory button to search in a specific folder.)

  3. Select an Active Directory user and click the Require AD Logon to Host button at the bottom of the Require AD Logon pane.
  4. On the Log on to Host dialog, verify your credentials to log onto the host and click OK.

    Note: This task requires elevated credentials.

The Active Directory user assigned to the selected local Unix user(s) displays in the AD User column of the All Local Users tab.

Test the mapped user login

Once you have "mapped" a local user to an Active Directory user, you can log into the local Unix host using your local user name and the Active Directory password of the Active Directory user to whom you are "mapped".

To test the mapped user login

  1. From the Control Center, under "Login to remote host", enter:
    • the Unix host name in the Host name box
    • the local user name, localuser, in the User name box

    and click Login to log onto the Unix host with your local user account.

  2. If the PuTTY Security Alert dialog opens, click Yes to accept the new key.
  3. Enter the password for ADuser, the Active Directory user account you mapped to localuser, when you selected the Require an AD Password to logon to Host option on the user's properties.
  4. At the command line prompt, enter id to view the Unix account information.
  5. Enter /opt/quest/bin/vastool klist to see the credentials of the Active Directory user account.
  6. Enter exit to close the command shell.

You just learned how to manage local users and groups from Management Console for Unix by mapping a local user account to an Active Directory user account. You tested this by logging into the Unix host with your local user name and the password for the Active Directory user account to whom you are "mapped".

Related Documents