By default, Safeguard Authentication Services creates users' home directories if they do not exist, using native operating system methods. It creates the home directories with the permissions of 0700 (readable, writable, and executable only by the owner of the directory) and owned by the user. Safeguard Authentication Services can only create home directories on local file systems.
On systems where home directories are stored on network file servers, it may be useful to disable automatic home directory creation. To disable automatic home directory creation, edit the PAM configuration file (/etc/pam.conf or /etc/pam.d/<service>). As root, modify the auth line to remove the create_homedir option. For example, if the auth line looks like:
auth sufficient pam_vas.so create_homedir
The modified entry will look like the following:
auth sufficient pam_vas.so
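One way to script the edit above for both PAM file layouts, as an added example that is not part of the product or its documentation. The function names are hypothetical, and accepting a leading path or a numeric suffix on the module name is an assumption.

```shell
#!/bin/sh
# Added example, not One Identity tooling. The module name pam_vas.so and the
# create_homedir option come from the page; a leading path and a numeric
# suffix (pam_vas<N>.so) are tolerated as an assumption.

# strip_create_homedir FILE
#   Print FILE with create_homedir removed from active auth lines that load
#   pam_vas. Handles both layouts:
#     /etc/pam.d/<service>:  type control module [options]
#     /etc/pam.conf:         service type control module [options]
strip_create_homedir() {
    awk '
    /^[ \t]*#/ || NF == 0 { print; next }          # comments and blanks as-is
    $1 != "auth" && $2 != "auth" { print; next }   # only auth entries
    {
        mod = 0; hit = 0
        for (i = 1; i <= NF; i++) {
            n = split($i, p, "/")                  # compare the basename only
            if (!mod && p[n] ~ /^pam_vas[0-9]*\.so$/) mod = i
            else if (mod && $i == "create_homedir") hit = 1
        }
        if (!hit) { print; next }                  # nothing to change
        out = $1
        for (i = 2; i <= NF; i++)                  # keep all other options
            if (i <= mod || $i != "create_homedir") out = out " " $i
        print out
    }' "$1"
}

# has_create_homedir FILE: exit 0 if an active pam_vas auth line still
# carries the option (that is, stripping would change the file).
has_create_homedir() {
    ! strip_create_homedir "$1" | cmp -s - "$1"
}

# Constructed sample input; prints the rewritten file to stdout.
sample=$(mktemp)
printf '%s\n' 'auth sufficient pam_vas.so create_homedir' \
              'auth required pam_unix.so' > "$sample"
strip_create_homedir "$sample"
rm -f "$sample"
```

Write the output to a temporary file and compare it with the original before replacing the live PAM file, and keep a root session open while testing logins.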
The Safeguard Authentication Services PAM module uses the Kerberos protocol to authenticate users against Active Directory. The Kerberos protocol allows users to obtain a Ticket Granting Ticket (TGT) that can then be used to obtain other tickets to authenticate to services. Once the TGT has been obtained, it can be used as a single sign-on mechanism that does not require users to repeatedly enter their password.
By default, when a user establishes a login session by means of a service configured to use the Safeguard Authentication Services PAM module, the ticket is cached in the /tmp directory; the name of the cache file is krb5cc_<uid>, where <uid> is the User ID (UID) of the account.
AIX does not support NSS in the same way that most other Unix versions do. On AIX there is no /etc/nsswitch.conf or support for NSS modules. AIX uses the Loadable Authentication Module (LAM) system to support name service lookups and authentication. As of AIX 5.3 all native binaries support PAM, but are configured for LAM by default. Safeguard Authentication Services supports both a LAM module and a PAM module on AIX. Configuring the PAM module on AIX is the same as for any other platform. This section explains how to configure the LAM module.
When you join the domain, Safeguard Authentication Services automatically configures the AIX system to use the Safeguard Authentication Services LAM module for authentication as well as name service lookups. The modified files are /usr/lib/security/methods.cfg and /etc/security/user.
vastool can automatically update the AIX configuration files on your system.
To modify the AIX configuration
vastool configure irs
vastool unconfigure irs