
Safeguard Authentication Services 4.1.5 - Upgrade Guide


Unix-enable an Active Directory group

To Unix-enable an Active Directory group

  1. On the management console's Active Directory tab, open the Find box drop-down menu and choose Groups.
  2. Enter a group name, such as UNIX, in the Search by name box and press Enter.
  3. Double-click the group name, such as UNIXusers, to open its properties.

    Note: To set up this Active Directory user account, see Add an Active Directory group account.

  4. On the Unix Account tab, select the Unix-enabled option and click OK.

Unix-enable an Active Directory user

To Unix-enable an Active Directory user

  1. On the management console's Active Directory tab, open the Find box drop-down menu and choose Users.
  2. Click next to the Search by name box to search for all Active Directory users. Or, enter a portion of your ADuser log on name in the Search by name box and press Enter.
  3. Double-click ADuser, the Active Directory user name, to open its properties.
  4. On the Unix Account tab, select the Unix-enabled option.

    Selecting this option populates the properties with default Unix attribute values.

  5. Make other modifications to these settings, if necessary, and click OK to Unix-enable the user.

    Note: There are additional settings that you can set using PowerShell, which allow you to validate entries for the GECOS, Home Directory, and Login Shell attributes. Refer to Use Authentication Services PowerShell to learn more.

    Once enabled for Unix, you can log on to the host with that Active Directory user's log on name and password.

Test the Active Directory user login

Now that you have Unix-enabled an Active Directory user, you can log into a local Unix host using your Active Directory user name and password.

To test the Active Directory login

  1. From the Control Center, under "Login to remote host", enter:
    • the Unix host name in the Host name box
    • the Active Directory user name, such as ADuser, in the User name box

    and click Login to log onto the Unix host with your Active Directory user account.

  2. Enter the password for the Active Directory user account.
  3. At the command line prompt, enter id to view the Unix account information.
  4. After a successful log in, verify that the user obtained a Kerberos ticket by entering:
    /opt/quest/bin/vastool klist

    The vastool klist command lists the Kerberos tickets stored in a user's credentials cache. This proves the local user is using the Active Directory user credentials.

  5. Enter exit to close the command shell.
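
The check in steps 3 and 4 can also be scripted. The following is an added example, not part of the One Identity guide. It assumes that vastool klist prints klist-style text (a "Principal:" header line and one line per ticket); the realm EXAMPLE.COM, the cache path, the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a login session holds an Active Directory TGT.
# Assumption: "vastool klist" output is klist-style text, as in SAMPLE_KLIST below.

VASTOOL=/opt/quest/bin/vastool   # path taken from step 4 of the procedure

# Constructed sample output (not captured from a real host).
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_10001
        Principal: ADuser@EXAMPLE.COM

  Issued           Expires          Principal
Jan 10 09:00:00  Jan 10 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# cache_principal: read klist text on stdin, print the cache owner (user@REALM).
cache_principal() {
    sed -n 's/^[[:space:]]*\([Dd]efault \)\{0,1\}[Pp]rincipal:[[:space:]]*//p' | head -n 1
}

# tgt_realm: read klist text on stdin, print the realm of the first TGT listed.
tgt_realm() {
    sed -n 's/.*krbtgt\/\([^@[:space:]]*\)@.*/\1/p' | head -n 1
}

# check_ad_login EXPECTED_REALM: read klist text on stdin. Succeeds only if the
# cache belongs to a principal in EXPECTED_REALM and holds a TGT for that realm.
check_ad_login() {
    expected=$1
    out=$(cat)
    princ=$(printf '%s\n' "$out" | cache_principal)
    realm=$(printf '%s\n' "$out" | tgt_realm)
    [ -n "$princ" ] || { echo "FAIL: no credentials cache principal"; return 1; }
    case $princ in
        *@"$expected") ;;
        *) echo "FAIL: cache principal $princ is not in $expected"; return 1 ;;
    esac
    [ "$realm" = "$expected" ] || { echo "FAIL: no TGT for $expected"; return 1; }
    echo "OK: $princ holds a TGT for $realm"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | check_ad_login EXAMPLE.COM

# On a joined host, after logging in as the Active Directory user:
#   "$VASTOOL" klist | check_ad_login YOUR.REALM
```

A session that was opened with a local account rather than the Active Directory account has no credentials cache principal in the expected realm, so the check fails.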

You just learned how to manage Active Directory users and groups from Management Console for Unix by Unix-enabling an Active Directory group and user account. You tested this by logging into the Unix host with your Active Directory user name and password. Optionally, you can expand on this tutorial by creating and Unix-enabling additional Active Directory users and groups and by testing different Active Directory settings such as account disabled and password expired.

Run reports

From the Reports view on the Reporting tab, you can run various reports that capture key information about the Unix hosts you manage from the management console and the Active Directory domains joined to these hosts.

Note: The Active Directory reports are only available when you are logged on as an Active Directory account in the Manage Hosts role.

To run reports

  1. Ensure the hosts for which you want to create reports have been recently profiled.

    Reports contain only data gathered from the clients during a Profile procedure. Profiling imports information about the host, including local users and groups.

    Note: You can configure the management console to profile hosts automatically. (For more information, see Profile automatically.)

  2. From the management console, click the Reporting tab.
  3. From the Reports view, expand the report group names to view the available reports, if necessary.
    • Host Reports

      Unix host information gathered during the profiling process

    • User Reports

      Local and Active Directory user information

    • Group Reports

      Local and Active Directory group information

    • Access & Privileges Reports

      User access information

    • License Usage Reports

      Product licensing information

  4. Use one of the following methods to select a report:
    • Double-click a report name in the list (such as the Unix Host Profiles report).
    • Right-click a report name and select Run report.
    • Click the report icon next to a report.

    The selected report opens in a new tab on the Reports view. The tab describes the report and provides report parameters that you can select or clear to add or exclude details on the report.

  5. Optionally clear parameters to exclude information from the report.
  6. To create a report, either:
    • Click Preview to see a sample of the report in a browser.
    • Open the Export drop-down menu and select the format you want to use for the report: PDF or CSV (if available).

    Note: If the CSV report does not open, you may need to reset your internet options. (See CSV or PDF Reports Do Not Open in online help for details.)

    By default, the management console creates reports in the application data directory:

    • On Windows XP/2003 Server:
      %SystemDrive%:\Documents and Settings\All Users\Application Data\Quest Software\Management Console for Unix\reports
    • On Windows 2008 Server/Vista/7:
      %SystemDrive%:\ProgramData\Quest Software\Management Console for Unix\reports
    • On Unix/Mac OS X:
      /var/opt/quest/mcu/reports

    Note: You may need to reconfigure your browser preferences to allow you to save the report in a specific folder.

    The management console launches a new browser or application page and displays the report in the selected format.

Note: When generating multiple reports simultaneously or generating a single report that contains a large amount of data, One Identity recommends that you increase the JVM memory. (See Tune JVM Memory in the online help for details.)
