Chat now with support
Chat with Support

Safeguard Authentication Services 5.1.2 - Administration Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing UNIX hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Nested group support

Safeguard Authentication Services supports the Active Directory nested group concept, where groups can be added as members of other groups such that users in the child group are members of the parent group as well.

Nested group information is provided in the Kerberos ticket. This information is cached when the user logs in. Any time a user performs a non-Kerberos login (such as when using SSH keys), nested group information is not available. In these situations, you can ensure that group memberships include nested groups by enabling the groups-for-user-update option in vas.conf.

For more details, see the vas.conf man page. This will produce more LDAP traffic, but group memberships will remain up-to-date. Unless this option is enabled, nested group memberships are only updated when a user logs in.

Managing UNIX groups with MMC

You can access Active Directory Users and Computers (ADUC) from the Control Center. Navigate to the Tools > Safeguard Authentication Services Extensions for Active Directory Users and Computers.

After installing Safeguard Authentication Services on Windows, a UNIX Account tab appears in the Active Directory group's Properties dialog.

NOTE: If the UNIX Account tab does not appear in the Group Properties dialog, review the installation steps outlined in the Safeguard Authentication Services Installation Guide to ensure that Safeguard Authentication Services was installed correctly or see Unix Account tab is missing in ADUC for more information.

The UNIX Account tab contains the following information:

  • UNIX-enabled: Check this box to UNIX-enable the group. UNIX-enabled groups appear as standard UNIX groups on UNIX hosts. Checking this box causes Safeguard Authentication Services to generate a default value for the GID number attribute. You can alter the way default values are generated from the Control Center.

  • Group Name: This is the UNIX name of the Windows group.

  • GID Number: Use this field to set the numeric UNIX Group ID (GID). This value identifies the group on the UNIX host. This value must be unique in the forest.

  • Generate Unique ID: Click this link to generate a unique GID Number. If the GID Number is already unique, the GID Number is not modified.

Managing groups from the UNIX command line

Using the vastool command you can create and delete groups as well as list group information from the UNIX command line.

To create a group, use the vastool create command. The following command creates the sales group in Active Directory that is not UNIX-enabled:

vastool create -g sales

To create a group that is UNIX-enabled, pass in a string formatted like a line from /etc/group as an argument to the -i option, as follows:

vastool create -i "sales:x:1003:" -g sales

By default, all groups created with vastool create are created in the Users container. To create a group in a different Organizational Unit, use the -c command line option. The following command creates a UNIX-enabled group, sales, in the OU=sales,DC=example,DC=com Organizational Unit:

vastool create -i "sales:x:1003" -c "OU=sales,DC=example,DC=com" -g sales

To delete a group, use vastool delete with the -g option. The following command deletes the sales group:

vastool delete -g sales

To list groups, use vastool list groups. The following command lists all the groups with UNIX accounts enabled:

vastool list groups

This command produces output similar to the following:

eng:VAS:1001:pspencer,djones@example.com
it:VAS:1002:molsen
sales:VAS:1003:bsmith

Managing groups with Windows PowerShell

Using Windows PowerShell you can UNIX-enable, UNIX-disable, modify, report on, and clear UNIX attributes of Active Directory groups using the Safeguard Authentication Services PowerShell commands.

NOTE: You can access the Safeguard Authentication Services PowerShell commands from Tools in the Control Center. To add Safeguard Authentication Services cmdlets to an existing PowerShell session run Import-Module Quest.AuthenticationServices. For a complete list of available commands, see PowerShell cmdlets.

To UNIX-enable a group, use the Enable-QasUnixGroup command. The following command UNIX-enables the Active Directory group named UNIXusers:

Enable-QasUnixGroup -Identity <domain>\UNIXusers

To disable a group for UNIX use the Disable-QasUnixGroup command:

Disable-QasUnixGroup -Identity <domain>\UNIXusers

To report on a group, use the Get-QASUnixGroup <groupname> command. The following commands shows all groups that start with "sa":

Get-QasUnixGroup -Identity sa

The Safeguard Authentication Services PowerShell commands are designed to work with the Active Directory commands from Microsoft (Get-ADGroup) and One Identity (Get-QADGroup). You can pipe the output of these commands to any of the Safeguard Authentication Services PowerShell commands that operate on groups. For example, the following command clears the UNIX attributes from the group UNIXusers:

Get-QADGroup -Identity <domain>\UNIXusers | Clear-QasUnixGroup

The Safeguard Authentication Services PowerShell commands are aware of the options and schema settings configured in Control Center. Scripts written using the Safeguard Authentication Services PowerShell commands work without modification in any Safeguard Authentication Services environment.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating