You can UNIX-enable Active Directory groups. A UNIX-enabled group has a Group Name and a GID Number. These attributes cause an Active Directory group to appear as a standard UNIX group. The group membership on UNIX is the same as the Windows group membership, but any users that are not UNIX-enabled are excluded from the group membership on the UNIX host.
Privileged Access Suite for UNIX
Introducing One Identity Safeguard Authentication Services
About licenses
System requirements
UNIX administration and configuration
Windows and cloud requirements
UNIX agent requirements
Network requirements
Joining the domain
Identity management
Joining the domain using VASTOOL
Performing unattended joining using Offline Domain Join (ODJ) credentials
Joining the domain using VASJOIN script
Using manual pages (man pages)
The configuration file
UNIX login syntax
Keytab files
Handling platform limitations on user name length
Configuring Name Service Switch (NSS)
Configuring PAM
Configuring AIX
Configuring SELinux
Enabling diagnostic logging
Working with netgroups
Cache administration
Working with read-only domain controllers
Cross-forest authentication
One-way trust authentication
Configuring services
Supporting legacy LDAP applications
IPv6
Kerberos armoring
Planning your user identity deployment strategy
User and group schema configuration
Managing UNIX user accounts
Migrating from NIS
Managing UNIX users with MMC
Managing user accounts from the UNIX command line
Managing users with Windows PowerShell
Password management
Mapping local users to Active Directory users
Automatically generating Posix user identities
Managing UNIX group accounts
Migrating auto-generated identities to enterprise identities
Migrating auto-generated group identities
UNIX Personality Management
Overriding UNIX account information
Nested group support
Managing UNIX groups with MMC
Managing groups from the UNIX command line
Managing groups with Windows PowerShell
Overriding UNIX group information
Local account migration to Active Directory
AIX extended attribute support
UNIX Account Import Wizard
Import Source Selection
Account matching rules
Search base selection
Account Association
Final Review
Results
UNIX account management in large environments
Using Safeguard Authentication Services to augment or replace NIS
RFC 2307 overview
Installing and configuring the Safeguard Authentication Services NIS components
Managing access control
Installing and configuring the Linux NIS client components
Installing and configuring the Oracle Solaris NIS client components
Installing and configuring the HP-UX NIS client components
Installing and configuring the AIX NIS client components
NIS map search locations
Deploying in a NIS environment
About host access control
Using "Logon To" for access control
Setting up access control
Configuring local file-based access control
Resolving conflicts between the allow and deny files
Per-service access control
Configuring access control on ESX 4
Configuring Sudo access control
Certificate distribution policy
Managing local file permissions
The Ownership Alignment Tool
Changing file ownership manually
Changing file ownership using the script
OAT file formats
Certificate Autoenrollment
Certificate Autoenrollment requirements and setup
Integrating with other applications
Managing UNIX hosts with Group Policy
Java requirement: Unlimited Strength Jurisdiction Policy Files
Installing certificate enrollment web services
Configuring Certificate Services Client - Certificate Enrollment Policy Group Policy
Configuring Certificate Services Client - Auto-Enrollment Group Policy
Configuring Certificate Templates for autoenrollment
Using Certificate Autoenrollment
Certificate autoenrollment on Linux
Troubleshooting Certificate Autoenrollment
Command line tool
Safeguard Authentication Services Group Policy
Display specifiers
Group Policy
Concepts
How Safeguard Authentication Services Group Policy works
Group Policy framework for UNIX
Server-side extensions
vgptool
Client-side extensions
Administrative templates on UNIX
Apply mode
UNIX policies
Scripts
Refresh Scripts policy
Startup Scripts policy
Cron policy
Files policy
Dynamic File Copy policy
Login Prompt policy
Message of the Day policy
Samba Configuration policy
Symbolic Link policy
Custom Service Configuration
Syslog policy
Sudo policy
One Identity policies
Registering display specifiers
Unregistering display specifiers
Display specifier registration tables
Troubleshooting
Getting help from technical support
Disaster recovery
Long startup delays on Windows
Pointer Record updates are rejected
Resolving preflight failures
Resolving DNS problems
Time synchronization problems
Unable to authenticate to Active Directory
Unable to install or upgrade
Unable to join the domain
Unable to log in
UNIX Account tab is missing in ADUC
vasypd has unsatisfied dependencies
Glossary
Managing UNIX group accounts
Nested group support
Safeguard Authentication Services supports the Active Directory nested group concept, where groups can be added as members of other groups such that users in the child group are members of the parent group as well.
Nested group information is provided in the Kerberos ticket. This information is cached when the user logs in. Any time a user performs a non-Kerberos login (such as when using SSH keys), nested group information is not available. In these situations, you can ensure that group memberships include nested groups by enabling the groups-for-user-update option in vas.conf.
For more details, see the vas.conf man page. This will produce more LDAP traffic, but group memberships will remain up-to-date. Unless this option is enabled, nested group memberships are only updated when a user logs in.
Managing UNIX groups with MMC
You can access Active Directory Users and Computers (ADUC) from the Control Center. Navigate to the Tools > Safeguard Authentication Services Extensions for Active Directory Users and Computers.
After installing Safeguard Authentication Services on Windows, a UNIX Account tab appears in the Active Directory group's Properties dialog.
NOTE: If the UNIX Account tab does not appear in the Group Properties dialog, review the installation steps outlined in the Safeguard Authentication Services Installation Guide to ensure that Safeguard Authentication Services was installed correctly or see UNIX Account tab is missing in ADUC for more information.
The UNIX Account tab contains the following information:
-
UNIX-enabled: Check this box to UNIX-enable the group. UNIX-enabled groups appear as standard UNIX groups on UNIX hosts. Checking this box causes Safeguard Authentication Services to generate a default value for the GID number attribute. You can alter the way default values are generated from the Control Center.
-
Group Name: This is the UNIX name of the Windows group.
-
GID Number: Use this field to set the numeric UNIX Group ID (GID). This value identifies the group on the UNIX host. This value must be unique in the forest.
-
Generate Unique ID: Click this link to generate a unique GID Number. If the GID Number is already unique, the GID Number is not modified.
Managing groups from the UNIX command line
Using the vastool command you can create and delete groups as well as list group information from the UNIX command line.
To create a group, use the vastool create command. The following command creates the sales group in Active Directory that is not UNIX-enabled:
vastool create -g sales
To create a group that is UNIX-enabled, pass in a string formatted like a line from /etc/group as an argument to the -i option, as follows:
vastool create -i "sales:x:1003:" -g sales
By default, all groups created with vastool create are created in the Users container. To create a group in a different Organizational Unit, use the -c command line option. The following command creates a UNIX-enabled group, sales, in the OU=sales,DC=example,DC=com Organizational Unit:
vastool create -i "sales:x:1003" -c "OU=sales,DC=example,DC=com" -g sales
To delete a group, use vastool delete with the -g option. The following command deletes the sales group:
vastool delete -g sales
To list groups, use vastool list groups. The following command lists all the groups with UNIX accounts enabled:
vastool list groups
This command produces output similar to the following:
eng:VAS:1001:pspencer,djones@example.com it:VAS:1002:molsen sales:VAS:1003:bsmith