Chat now with support
Chat with Support

Safeguard Authentication Services 4.2.3 - Installation Guide

Privileged Access Suite for Unix Introducing One Identity Authentication Services Installing and configuring Authentication Services Installing and joining from the Unix command line Getting started with Authentication Services Troubleshooting Enterprise package deployment

Changing the default Unix attributes

You can modify the Unix attributes that are generated by default when users are Unix-enabled. To change the Login Shell you must have rights to create and delete child objects in the Authentication Services application configuration in Active Directory.

To change the default Unix attributes

  1. Open the Control Center and click Preferences on the left navigation pane.
  2. Expand Global Unix Options.

    The window displays the current settings for Unix-enabling users, groups and the method used for creating unique IDs.

  3. Click Modify Global Unix Options on the right side of the window.

    The Modify Global Options dialog opens.

  4. Change the Login Shell to /bin/bash and click OK.

    The defaults are saved to Active Directory.

Note: Now, when you Unix-enable a user from Active Directory Users and Computers, PowerShell, or the Unix command line, the login shell defaults to /bin/bash. You can customize the other Unix defaults similarly.

Active Directory account administration

The topics that follow show you how to perform Active Directory account administration from Management Console for Unix for hosts that are joined to Active Directory.

Enabling local user for AD authentication

This feature, also known as user mapping, allows you to associate an Active Directory user account with a local Unix user. Allowing a local user to log in to a Unix host using Active Directory credentials enables that user to take advantage of the benefits of Active Directory security and access control.

To enable a local user for Active Directory authentication

  1. From the mangement console, open the Host | All Hosts view.
  2. From the All Hosts view, double-click a host to open its properties.
  3. Select the Users tab and double-click the localuser account to open its properties.

    Note: To set up this local user account, see Adding a local user account.

  4. In the AD Logon tab, select the Require an AD Password to logon to Host option, and click Select.
  5. In the Select AD User dialog, click the Search button to populate the list of Active Directory users, select the ADuser account, and click OK.

    Note: To set up this Active Directory user, see Adding an Active Directory user account.

  6. On the localuser's properties, click OK.
  7. In the Log on to Host dialog, verify your credentials to log in to the host and click OK.

    You have now mapped a local user to an Active Directory user and the mangement console indicates that the local user account requires an Active Directory password to log onto the Host in the AD User column.

You can also map multiple Unix users to use a single Active Directory account using the Require AD Logon pane on the All Local Users tab.

To assign (or "map") a Unix user to an Active Directory user

  1. From the All Local Users tab, select one or more local Unix users.
  2. In the Require AD Logon pane, click the Search button to populate the list of Active Directory users.

    (Click the Directory button to search in a specific folder.)

  3. Select an Active Directory user and click the Require AD Logon to Host button at the bottom of the Require AD Logon pane.
  4. In the Log on to Host dialog, verify your credentials to log in to the host and click OK.

    Note: This task requires elevated credentials.

The Active Directory user assigned to the selected local Unix users displays in the AD User column of the All Local Users tab.

Testing the mapped user login

Once you have mapped a local user to an Active Directory user, you can log in to the local Unix host using your local user name and the Active Directory password of the Active Directory user to whom you are mapped.

To test the mapped user login

  1. From the Control Center, under Login to remote host, enter:
    • Home name: The Unix host name.
    • User name: The local user name, localuser.

    Click Login to log in to the Unix host with your local user account.

  2. If the PuTTY Security Alert dialog opens, click Yes to accept the new key.
  3. Enter the password for ADuser, the Active Directory user account you mapped to localuser, when you selected the Require an AD Password to logon to Host option on the user's properties.
  4. At the command line prompt, enter id to view the Unix account information.
  5. Enter /opt/quest/bin/vastool klist to see the credentials of the Active Directory user account.
  6. Enter exit to close the command shell.

You just learned how to manage local users and groups from Management Console for Unix by mapping a local user account to an Active Directory user account. You tested this by logging into the Unix host with your local user name and the password for the Active Directory user account to whom you are mapped.

Related Documents