
Safeguard Authentication Services 4.1.5 - Upgrade Guide


Time synchronization problems

Kerberos is a time-sensitive protocol. Your Unix hosts must be synchronized within five minutes of your Active Directory domain controllers. Run the following command as root to have Authentication Services synchronize the local time with Active Directory:

vastool timesync 

System optimization

Kerberos works best with a random number generator package installed on the operating system. If one is not installed, it will use a potentially slow fallback entropy-generating system.

HP-UX

HP provides a /dev/random driver for HP-UX 11i (11.11), named 'KRNG11I'. It is available, for free, from the KRNG11I depot. You can check whether it is already installed by running:

$ swlist KRNG11I

For older versions (HP-UX 11.00), an open-source implementation of /dev/random is available from "random" DLKM (dynamically loadable kernel module) for HP-UX.

Solaris

Entropy is generally obtained from /dev/random, which is an interface to a kernel random source. On Solaris 8, the /dev/random driver is provided in the following patches from Oracle:

  • solaris8/sparc: OS patch 112438
  • solaris8/x86: OS patch 112439

Unable to install or upgrade

The most common installation or upgrade failure is that the Unix host cannot read the Authentication Services application configuration in Active Directory. Ensure that you have followed the instructions in Configure Active Directory for Authentication Services and that the configuration has been created successfully.

During an upgrade, you may see an error that Authentication Services cannot upgrade because the application configuration cannot be located. If you previously joined to a specific domain controller, Authentication Services disabled DNS SRV record lookups. This means that Authentication Services cannot resolve other domains in the forest and may be unable to locate the application configuration. In this case, you must ensure that the domain controller you specified is a global catalog. Otherwise, you must either create the Authentication Services application configuration in the domain that you join, or properly configure DNS to return SRV records and join normally rather than specifying a domain controller when you join.

For more information, see About Active Directory configuration.

Unable to join the domain

If you are unable to join the domain, run the preflight utility to validate your environment.

(For more information, see The Authentication Services Pre-Installation Diagnostic Tool in the Authentication Services Installation Guide.)

Then, verify the following:

  • Check that the Active Directory account specified during join has rights to join the computer to the domain.
  • Check that the Unix host is able to properly resolve the domain name through DNS.

If you are joining to a specific domain controller, you must ensure that Authentication Services can locate and read the configuration information in Active Directory. You should do one of the following:

  • Make sure the domain controller you specify is a global catalog.
  • Create the Authentication Services application configuration in the domain to which you are joining.

    For more information, see About Active Directory configuration.

  • Properly configure DNS to return SRV records and avoid joining to a specific domain controller.
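
To confirm that DNS returns the SRV records a normal join relies on, the following script queries the standard Active Directory locator names with dig and validates each answer. It is an added example, not part of Authentication Services or its documentation; the domain example.com, the sample dig output and the function names are constructed for illustration, and dig is assumed to be installed.

```shell
#!/bin/sh
# Added example: verify that DNS returns the Active Directory SRV records
# that a normal domain join depends on. Function names are hypothetical.

# Print the SRV names to query for a domain ($1) and its forest root ($2).
srv_names() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.$1" "_gc._tcp.$2"
}

# Read `dig +short SRV` output ("priority weight port target") on stdin.
# Print "target:port" for each usable record; fail if there are none.
# A target of "." means the service is explicitly not offered (RFC 2782).
parse_srv() {
    awk '
        NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ \
               && $3 > 0 && $3 < 65536 && $4 != "." {
            sub(/\.$/, "", $4); print $4 ":" $3; n++
        }
        END { exit (n > 0 ? 0 : 1) }
    '
}

# Query live DNS for every required name; return non-zero if any is missing.
# $1 = domain to join, $2 = forest root (defaults to the domain).
check_domain() {
    rc=0
    for name in $(srv_names "$1" "${2:-$1}"); do
        if targets=$(dig +short SRV "$name" 2>/dev/null | parse_srv); then
            echo "OK      $name -> $(echo $targets)"
        else
            echo "MISSING $name"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of `dig +short SRV _gc._tcp.example.com` output.
SAMPLE='0 100 3268 dc1.example.com.
0 100 3268 dc2.example.com.'

if [ "$#" -ge 1 ]; then
    check_domain "$@"                       # live check: script DOMAIN [FOREST]
else
    printf '%s\n' "$SAMPLE" | parse_srv     # offline demo on the sample
fi
```

A MISSING line for _gc._tcp means no global catalog can be located through DNS, which is the condition that prevents Authentication Services from finding the application configuration in another domain of the forest.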