立即与支持人员聊天
与支持团队交流

Safeguard Authentication Services 5.0.6 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Configuring a Files policy

You can configure the Files policy to copy a standard /etc/hosts file to a Unix agent using the Group Policy Object Editor (GPOE).

To configure the Files policy

  1. Create the hosts file that you would like to distribute through Safeguard Authentication Services.

    Ensure that the file is accessible from your Windows computer.

  2. Start the Group Policy Editor.
  3. Navigate to and select Unix Settings | Authentication Services | Client Configuration node in the left-hand results pane.
  4. Double-click Files in the results pane.

    The Files Properties dialog opens.

  5. Click Add.

    The File Settings dialog opens.

  6. In the Target File Path field, type the full path for the target file in Unix path format.

    The path must start with a "/", for example: /etc/hosts

  7. In the User Name field, type name of the user that will own this file.

    If the user does not exist on the Unix host, this defaults to root.

    Note: Typically /etc/hosts is owned by root.

  8. In the Group Name field, type the name of the group that will own this file.

    If the group does not exist on the Unix host, this defaults to root (or system on AIX).

  9. Click the Set User Rights option to indicate you want to explicitly specify the permissions for the user that owns the file.

    Note: If this option is not set, the permissions default to the permissions for the target file on the target machine. If the file does not already exist on the target machine, the permissions on the new file default to read/write for the user.

  10. Click the Set Group Rights option to indicate that you would like to explicitly specify the permissions for the group that owns the file.

    Note: If this option is not set, the permissions default to the permissions on the existing file. If the file does not exist, the permissions default to none.

  11. Click the Set Other Rights option to indicate you want to explicitly specify the permissions for everyone.

    Note: If this option is not set, the permissions default to the permissions on the existing file. If the file does not exist, the permissions default to none.

  12. Click Browse to select a source file.
  13. Select the file you created in Step 1.
  14. Select the Copy File Permanently option to permanently copy the file.

    By default, Safeguard Authentication Services removes copied files when the policy no longer applies. If the policy overwrote an existing file, it will be restored when policy is un-applied.

  15. Click OK.

    The file you just configured displays in the list of files to copy.

  16. Select the Copy As User Applying Policy option to copy the file as the user applying policy.

    By default, Safeguard Authentication Services removes copied files when the policy no longer applies.

  17. Click OK.

    The file you just configured displays in the list of files to copy.

Text Replacement Macros

The Text Replacement Macros tab allows policies to be dynamically adjusted as policy is being applied on the Unix host. Any text specified in the policy either directly by the user or in files that are placed on the target system can be aliased to a command or environment variable.

For example, you might have a policy that uses the hostname as part of a policy setting. You can create a Text Replacement Macro called %%HOSTNAME%% and specify that this macro text be replaced by the output of the /bin/hostname command. This makes it possible for a single GPO to serve as a template on a wide range of Unix systems.

Specifying a text replacement macro

To specify a text replacement macro

  1. Select the Text Replacement Macro tab.
  2. Click Add.

    The Text Replacement Settings dialog opens.

  3. In the Find Text field, type the text that you want to find.
  4. In the Replace With field, type an environment variable or command.
  5. Specify if you want to replace the text with a Command Result or the value of an Environment Variable.
    • Command Result: The replacement text specifies a Unix command.

      Note: You must enter the full path to the file.

    • Environment Variable: The replacement text specifies an environment variable.
  6. Click OK to close the dialog and save the changes.

    Group Policy makes these replacements when it applies the policy.

    Note: You should test the target systems to ensure that the commands and environment variables can resolve.

Dynamic File Copy policy

The Dynamic File Copy policy allows you to specify a network file that will be pulled down by Group Policy agents. In contrast to the Files policy, the Dynamic File Copy policy specifies network files that are not stored in the Group Policy Template on SYSVOL. This allows an administrator to set special permissions on the files in order for Unix administrators to update the file contents without requiring full rights to Group Policy.

You can specify the target path, ownership, and permissions for each file. Each time the Group Policy agent applies policy, it copies the file from the specified source network share to the target location on the local host.

Dynamic File Copy policies provide all of the advantages of Group Policy's built-in undo mechanism. When you unlink or delete file policies, it deletes the associated files on the host or replaces it with the previous file contents, unless you select the Copy Files Permanently option. If no source is specified, the Group Policy agent searches for the target file and sets the specified ownership and permissions. The ownership and permissions are restored when the policy is un-applied.

Dynamic File Copy policy only supports Kerberos for authentication. Machine Dynamic File Copy policy always uses the host keytab credential. User Dynamic File Copy policy always uses the Kerberos credential of the user that is logging on. In order to use a CIFS share for Dynamic File Copy policy, you must configure it to support Kerberos authentication (GSSAPI/SPNEGO). Dynamic File Copy policy does not support NTLM.

Dynamic File Copy policies can be overridden. If there are multiple policies affecting the same file entry, the permissions, ownership, and contents of the file are dictated by the lowest policy in the hierarchy affecting that file or the highest enforced policy affecting that file in the hierarchy.

Dynamic File Copy supports non-tattooing, block inheritance, ACL filtering, and enforced settings. Multiple entries with the same target are resolved according to the Group Policy Conflict Resolution rules.

After you copy a file, you can customize it using the Text Replacement Macros tab which allows you to find and replace portions of the file's content.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级