Safeguard Authentication Services 5.0.2

Introducing One Identity Safeguard Authentication Services

Windows components Windows permissions Configure Active Directory

Configuring Active Directory About Active Directory configuration Join the host to AD without the Safeguard Authentication Services application configuration Version 3 Compatibility Mode

Unix agent requirements

Unix components Permissions matrix Encryption types

Management Console for Unix requirements

Network requirements

Unix administration and configuration

Joining the domain

Joining the domain using VASTOOL

Automatically generate user attributes

Unattended joining using Offline Domain Join (ODJ) credentials Joining the domain using VASJOIN script

Using manual pages (man pages) The configuration file Unix login syntax Keytab files Handling platform limitations on user name length Configuring Name Service Switch (NSS)

Using VASTOOL to configure NSS Using NSCD Forcing lowercase names

Configuring PAM

Using VASTOOL to configure PAM Home directory creation Kerberos ticket caches

Configuring AIX

Using VASTOOL to configure AIX

Configuring SELinux

Using VASTOOL to configure SELinux

Enabling diagnostic logging Working with netgroups

Configuring netgroup support with name service Unconfiguring netgroup support with name service

Cache administration

Blackout period Disconnected authentication

Working with read-only domain controllers Cross-forest authentication One-way trust authentication Supporting legacy LDAP applications

Installing the LDAP proxy Configuring the LDAP proxy

IPv6

Identity management

Planning your user identity deployment strategy User and group schema configuration

Configuring a custom schema mapping

Active Directory optimization (Best practice)

Managing Unix user accounts

Managing Unix users with MMC Managing user accounts from the Unix command line Managing users with Windows PowerShell

PowerShell cmdlets

Password management

Changing passwords

Changing passwords with VASTOOL Changing passwords with system utilities

Mapping local users to Active Directory users

Using map files to map users Mapping the root account Enable self-enrollment

Restarting services

Automatically generating Posix user identities

Migrating auto-generated identities to enterprise identities Migrating auto-generated group identities

Unix Personality Management

Unix Personality Management schema extension Joining the domain in Unix Personality Management mode

Overriding Unix account information

Managing Unix group accounts

Nested group support Managing Unix groups with MMC Managing groups from the Unix command line Managing groups with Windows PowerShell Overriding Unix group information

Local account migration to Active Directory AIX extended attribute support Unix Account Import Wizard

Import Source Selection Account matching rules Search base selection Account Association Final Review Results

Unix account management in large environments

User and group search paths Minimizing the size of the user cache

Migrating from NIS

Using Safeguard Authentication Services to augment or replace NIS RFC 2307 overview

RFC classes and attributes Limitations of RFC 2307 as implemented by Microsoft

Installing and configuring the Safeguard Authentication Services NIS components

Installing and configuring the Linux NIS client components Installing and configuring the Oracle Solaris NIS client components Installing and configuring the HP-UX NIS client components Installing and configuring the AIX NIS client components

NIS map search locations Deploying in a NIS environment

Starting the NIS Map Import Wizard

Import RFC 2307 NIS map objects from a local file Import RFC 2307 NIS map objects from an existing NIS server

Using NIS map command line administration utility

passwd, group, and netid maps Specific vs generic maps

The VASYP daemon

Maintaining netgroup data

Managing access control

About host access control Using "Logon To" for access control Setting up access control Configuring local file-based access control Resolving conflicts between the allow and deny files Per-service access control Configuring access control on ESX 4 Configuring Sudo access control Certificate distribution policy

Managing local file permissions

The Ownership Alignment Tool

Using OAT Installing OAT

Changing file ownership manually

Performing a cross-domain search OAT matching scripts Rollback changes

Changing file ownership using the script OAT file formats

Active Directory User Information file Active Directory Group Information file User map file Group map file Local User Override file Local Group Override file Files to Process List file Files to Exclude List file Processed Files List file

Certificate Autoenrollment

Certificate Autoenrollment on UNIX and Linux Certificate Autoenrollment requirements and setup

Java requirement: Unlimited Strength Jurisdiction Policy Files Installing certificate enrollment web services Configuring Certificate Services Client - Certificate Enrollment Policy Group Policy Configuring Certificate Services Client - Auto-Enrollment Group Policy Configuring Certificate Templates for autoenrollment

Using Certificate Autoenrollment

Configuring Certificate Autoenrollment manually

Configure a machine for Certificate Autoenrollment Configure a user for Certificate Autoenrollment

Trigger machine-based Certificate Autoenrollment

Troubleshooting Certificate Autoenrollment

Certificate Autoenrollment process exited with an error Enable full debug logging Pulse Certificate Autoenrollment processing Manually apply Group Policy

Command line tool

vascert command reference

vascert commands and arguments

Integrating with other applications

One Identity Starling integration

Starling Two-Factor Authentication requirements Setting up Starling users Joining Safeguard Authentication Services with Starling Configuring Starling to use a proxy server Starling Attributes: Configure LDAP attributes for use with push notifications Logging in with Starling Two-Factor Authentication Unjoining from Starling Disabling Starling 2FA for a specific PAM service

Defender integration

Defender installation prerequisites Installing Defender

Change Auditor for Authentication Services integration

Installing Change Auditor for Authentication Services

Application integration

Managing Unix hosts with Group Policy

Safeguard Authentication Services Group Policy

Group Policy

Administrative interface Unix agent technology

Concepts

How Safeguard Authentication Services Group Policy works Group Policy framework for Unix Server-side extensions vgptool Client-side extensions Administrative templates on Unix Apply mode

Setting policy apply mode

Unix policies

Scripts Refresh Scripts policy

Configuring a refresh script

Startup Scripts policy

Configure a startup script

Cron policy

Creating or modifying a crontab file

Configuring a crontab entry

Files policy

Configuring a Files policy Text Replacement Macros

Specifying a text replacement macro

Dynamic File Copy policy Login Prompt policy

Setting the Login Prompt policy

Message of the Day policy

Setting the Message of the Day policy

Samba Configuration policy Symbolic Link policy

Setting a new symbolic link

Syslog policy

Adding a syslog entry

Sudo policy

Adding a Sudo rule

One Identity policies

Quest OpenSSH Configuration policy Licensing policy

Adding a license file

Defender Settings policy

Enabling one-time password authentication for Unix

Privilege Manager for Unix policy

Privilege Manager for Unix policy files

Configuring Privilege Manager policy files

Privilege Manager Configuration policy

Configuring Privilege Manager configuration settings

Safeguard Authentication Services group policies

Group Policy Configuration policy

Configuring Group Policy options

Client-Side Extensions policy

Safeguard Authentication Services policies

Configuration policy Mapped User policy Service Access Control policy Account Override policies

User Account Override policy Group Account Override policy

Host Access Control policy

Configuring a User Allow Entry policy Configure a User Deny Entry policy

Display specifiers

Registering display specifiers Unregistering display specifiers Display specifier registration tables

Troubleshooting

Getting help from technical support Disaster recovery Long startup delays on Windows Pointer Record updates are rejected Resolving preflight failures Resolving DNS problems Time synchronization problems Unable to authenticate to Active Directory Unable to install or upgrade Unable to join the domain Unable to log in Unix Account tab is missing in ADUC vasypd has unsatisfied dependencies

Glossary

Mapping the root account

Identity management > Managing Unix user accounts > Mapping local users to Active Directory users > Mapping the root account

You can only map the root account to an Active Directory account using the mapped-root-user setting in vas.conf.

To map the root user to an Active Directory account

Run the following command as root:

vastool configure vas vas_auth mapped-root-user Administrator@example.com

Note: If you specify mapped-root-user on AIX you must set VASMU on the system line of the root section in /etc/security/user. Refer to your AIX system documentation for more information.

Enable self-enrollment

Identity management > Managing Unix user accounts > Mapping local users to Active Directory users > Enable self-enrollment

Self-enrollment allows users to map their Unix account to an Active Directory account as they log in to Unix. This mapping occurs as part of the standard PAM login. Users are first prompted for their Unix password. Once authenticated to Unix, they are prompted to authenticate to Active Directory. This process happens on the first log in after you enable self-enrollment. Once the self-enrollment is complete, the user logs in with his Unix user name and Active Directory password.

To enable self-enrollment

Run the following command as root:
```
vastool configure vas vas_auth enable-self-enrollment true
```
Note: All users mapped by the self-enrollment process are stored in the /etc/opt/quest/vas/automatic_mappings file.
Force Safeguard Authentication Services to reload configuration settings by restarting the Safeguard Authentication Services services.

Restarting services

Identity management > Managing Unix user accounts > Mapping local users to Active Directory users > Restarting services

The method for restarting services varies by platform:
1. To restart Safeguard Authentication Services on Linux or Oracle Solaris, enter:
```
/etc/init.d/vasd restart
```
2. To restart Safeguard Authentication Services on HP-UX, enter:
```
/sbin/init.d/vasd restart
```
3. To restart Safeguard Authentication Services on AIX, enter:
```
stopsrc -s vasd
startsrc -s vasd
```

Note: Due to library changes between the Safeguard Authentication Services 4.1 and 4.2, the system may need to be rebooted before all processes load the new libraries.

Automatically generating Posix user identities

Identity management > Managing Unix user accounts > Automatically generating Posix user identities

When user identity information is not stored centrally within Active Directory, it is possible for Active Directory users to have Posix identity attributes automatically generated for them when interacting with Unix hosts, allowing the user to authenticate with an Active Directory password.

This is convenient in situations where you can not utilize enterprise user and group identification from Active Directory. For example, when you do not have sufficient rights to modify User identity objects, or are unable to create the Safeguard Authentication Services Application Configuration object, you can configure Safeguard Authentication Services to auto-generate Posix identity attributes on the Unix host for Active Directory users.

The following attributes are auto-generated:

UID Number: This attribute is derived from a hash of the Active Directory Users Globally Unique Identifier (GUID).
GID Number: This attribute is derived from the hash of the Active Directory Group GUID that is assigned as the Windows Primary Group object.
Gecos: The gecos field is populated by the users CN, but is configurable by using the [vasd] realname-attr vas.conf setting.
Unix Home Directory: This attribute is a concatenation of the per-machine configurable home directory base option, [vasd] autogen-posix-homedir-base, and the users sAMAccountName value.
Login Shell: This attribute is set by the per-machine [vasd] autogen-posix-default-shell configuration option.

The generated attributes are stored locally on each Unix host and remain in effect until manually removed by the system administrator.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Safeguard Authentication Services 5.0.2 - Administration Guide

Mapping the root account

Enable self-enrollment

Restarting services

Automatically generating Posix user identities