quest authentication services...

Quest Authentication Services 4.0

Installation Guide

Copyright (c) 2011 Quest Software, Inc.ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnishedunder a software license or nondisclosure agreement. This software may be used or copied only in accordance with theterms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means,electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal usewithout the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppelor otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products.EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATINGTO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR APARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT,CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSSOF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THISDOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representationsor warranties with respect to the accuracy or completeness of the contents of this document and reserves the right tomake changes to specifications and product descriptions at any time without notice. Quest does not make any commitmentto update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World HeadquartersLEGAL Dept5 Polaris WayAliso Viejo, CA 92656www.quest.comemail: [email protected]

Refer to our Web site for regional and international office information.

PatentsProtected by U.S. Patent # 7,617,501. Additional patents pending.

TrademarksQuest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, BigBrother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery,Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert,Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech,LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo,PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic,SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, StorageHorizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI,vFoglight, vPackager, vRanger,vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, VizioncorevWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Incin the United States of America and other countries. Other trademarks and registered trademarks are property of theirrespective owners.

Third Party ContributionsThis product may contain one or more of the following third party components. For copies of the text of any license listed,please go to http://www.quest.com/legal/third-party-licenses.aspx .

NotesComponentApache LicenseApache Commons 1.2Version 2.0, January 2004Boost Software LicenseBoostVersion 1.0, August 2003© 1998, 1999, 2000 Thai Open Source Software Center LtdExpat 2.0.0© 2004 - 2007 Kungliga Tekniska HögskolanHeimdal Krb/GSSapi 1.2(Royal Institute of Technology, Stockholm, Sweden).All rights reserved.This product includes software developed by the OpenSSL Project for use in theOpenSSL Toolkit (http://www.openssl.org/)

OpenSSL 0.9.8d

© 1998-2008 The OpenSSL Project. All rights reserved.

http://www.quest.com/legal/third-party-licenses.aspx

Contents

Chapter 1: About This Guide......................................................................9About Quest Software.....................................................................................................................................................10Quest One Identity Solution.........................................................................................................................................10Conventions........................................................................................................................................................................10Contacting Quest Support............................................................................................................................................11

Chapter 2: Introducing Quest Authentication Services.........................13Licensing QAS....................................................................................................................................................................14System Requirements.....................................................................................................................................................14

Windows Management Tools Requirements...........................................................................................14Unix Agent Requirements...............................................................................................................................16Quest Identity Manager for Unix Requirements.....................................................................................21

Network Requirements...................................................................................................................................................22

Chapter 3: Installing and Configuring QAS.............................................23Install the Management Console................................................................................................................................24

Install and Configure the Management Console....................................................................................24Install QAS Windows Components............................................................................................................................24

Installing QAS Windows Components.......................................................................................................24Configure Active Directory for QAS...........................................................................................................................25

Configuring Active Directory for QAS.........................................................................................................25About Active Directory Configuration........................................................................................................26Join the Host to AD Without the QAS Application Configuration....................................................27Version 3 Compatibility Mode.......................................................................................................................27

Configure Unix Agent Components..........................................................................................................................28Setup Quest Identity Manager for Unix ....................................................................................................29Quest Identity Manager for Unix Log On Page........................................................................................30Prepare Unix Hosts.............................................................................................................................................31

Chapter 4: Installing and Joining from the Unix Command Line..........37The QAS Pre-Installation Diagnostic Tool................................................................................................................38

Running Preflight...............................................................................................................................................38Upgrading VAS 3.5 From the Command Line........................................................................................................39The QAS Install Script......................................................................................................................................................40

Installing the QAS Agent.................................................................................................................................40Installation Script Options...............................................................................................................................40

Licensing QAS....................................................................................................................................................................42Verifying QAS License Information..............................................................................................................42

Authentication Services 4.0 Installation Guide | TOC | 5

To Add Licenses Using the Control Center...............................................................................................43Installing Licenses From the Command Line...........................................................................................43

Creating the Application Configuration from the Unix Command Line......................................................43Changing the Schema Configuration Mode............................................................................................44

Joining the Domain..........................................................................................................................................................44Joining the Domain Using VASTOOL..........................................................................................................45Joining the Domain Using VASJOIN Script...............................................................................................45Dynamic DNS Update Tool.............................................................................................................................46

Chapter 5: Getting Started with QAS.......................................................49Getting Acquainted with the QAS Control Center...............................................................................................50

Management Console......................................................................................................................................51Group Policy.........................................................................................................................................................51Tools........................................................................................................................................................................52Preferences...........................................................................................................................................................52

Learning the Basics..........................................................................................................................................................57Add a Local Group Account............................................................................................................................57Add Local User Account...................................................................................................................................58Add an Active Directory Group Account...................................................................................................58Add an Active Directory User Account.......................................................................................................59Change the Default Unix Attributes............................................................................................................59Active Directory Account Administration.................................................................................................59Run Reports..........................................................................................................................................................62Use QAS PowerShell..........................................................................................................................................69Quest ChangeAuditor for Active Directory...............................................................................................73Quest Defender...................................................................................................................................................73

Appendix A: Troubleshooting..................................................................75Resolving Preflight Failures...........................................................................................................................................76Unable to Install or Upgrade........................................................................................................................................78Unable to Log In................................................................................................................................................................79Unable to Join the Domain...........................................................................................................................................79Resolving DNS Problems................................................................................................................................................79Time Synchronization Problems.................................................................................................................................80System Optimization.......................................................................................................................................................80Pointer Record (PTR) Updates are Rejected............................................................................................................81Long Startup Delays on Windows..............................................................................................................................81Getting Help from Quest Support..............................................................................................................................81vasypd Has Unsatisfied Dependencies.....................................................................................................................82

Appendix B: Enterprise Package Deployment........................................83Install the QAS Agent Package.....................................................................................................................................84Upgrade the QAS Agent Package...............................................................................................................................86

6 | Authentication Services 4.0 Installation Guide | TOC

To Restart QAS Services...................................................................................................................................88Uninstall the QAS Agent Packages.............................................................................................................................88Solaris 10 Zones/Containers Support........................................................................................................................89

QAS and Solaris 10 Zones Installation Guidelines..................................................................................89

Authentication Services 4.0 Installation Guide | TOC | 7

8 | Authentication Services 4.0 Installation Guide | TOC

Chapter

1About This Guide

The Quest Authentication Services Installation Guide is intended for Windows,Unix, Linux and Mac system administrators, network administrators,

Topics:

• About Quest Software consultants, analysts, and any other IT professionals who will be installing• Quest One Identity Solution and configuring Quest Authentication Services (QAS) for the first time. This

guide walks you through the process of installing, upgrading, and uninstallingthe QAS agent.

• Conventions• Contacting Quest Support

About Quest Software

Note: Quest Authentication Services (QAS), formerly Vintela Authentication Services (VAS), was re-brandedfor the 4.0 release.

Quest Software, Inc. simplifies and reduces the cost of managing IT for more than 100,000 customers worldwide.Our innovative solutions make solving the toughest IT management problems easier, enabling customers to savetime and money across physical, virtual and cloud environments. Contact Quest for more information:

Contacting Quest Software

949.754.8000 (United States and Canada)Phone:

[email protected]:

Quest Software, Inc.Mail:

World Headquarters

5 Polaris Way

Aliso Viejo, CA 92656 USA

www.quest.comWeb site:

Quest One Identity Solution

This product is a component of the Quest One Identity Solution, a set of enabling technologies, products, andintegration that empowers organizations to simplify identity and access management by:

• Reducing the number of identities• Automating identity administration• Ensuring the security of identities• Leveraging existing investments, including Microsoft Active Directory

Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance byaddressing identity and access management challenges as they relate to:

• Single sign-on• Directory consolidation• Provisioning• Password management• Strong authentication• Privileged account management• Audit and compliance

Conventions

In order to help you get the most out of this guide, we have used specific formatting conventions. These conventionsapply to procedures, icons, keystrokes and cross-references.

10 | Authentication Services 4.0 Installation Guide | About This Guide

http://www.quest.com

ConventionElement

This word refers to actions such as choosing orhighlighting various interface elements, such as files andradio buttons.

Select

Used to indicate elements that appear in the graphicaluser interface that you are to select such as the OKbutton.

Bold text

Interface elements that appear in Quest products, suchas menus and commands.

Italic text

Used to indicate host names, file names, program names,command names, and file paths.

courier text

Indicates an interactive link to a related topic.Blue Text

Used to highlight additional information pertinent to theprocess or topic being described.

A plus sign between two keystrokes means that you mustpress them at the same time.

+

A pipe sign between elements means that you mustselect the elements in that particular sequence.

|

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Questproduct and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, ourself-service portal.

Contact PointsInformation Sources

SupportLink: support.quest.comQuest Support

Quest SupportLink gives you access to these tools and resources:

• Product Information

Most recent product solutions, downloads, documentation, notifications andproduct lifecycle table.

• Product Downloads

Download the latest Quest product releases and patches.

• Product Documentation

Download Quest product documentation, such as installation, administrator, userguides and release notes.

• Search KnowledgeBase

Search our extensive repository for answers to Quest-product related issues orquestions.

• Case Management

Create new support cases and manage existing cases.

Authentication Services 4.0 Installation Guide | About This Guide | 11

http://support.quest.com

Contact PointsInformation Sources

Email: [email protected]

Phone: 1.800.306.9329

The Community site is a place to find answers and advice, join a discussion forum,or get the latest documentation and release information: All Things Unix Community.

Public Forum

View the Global Support Guide for a detailed explanation of support programs, onlineservices, contact information, policies and procedures. The guide is available atsupport.quest.com.

Global Support Guide

12 | Authentication Services 4.0 Installation Guide | About This Guide

mailto://[email protected]

http://allthingsunix.inside.quest.com


Chapter

2Introducing Quest Authentication Services

Quest Authentication Services is patented technology that enablesorganizations to extend the security and compliance of Active Directory to

Topics:

• Licensing QAS Unix, Linux, and Mac platforms and enterprise applications. It addresses the• System Requirements compliance need for cross-platform access control, the operational need for

centralized authentication and single sign-on, and enables the unification ofidentities and directories for simplified identity and access management.

• Network Requirements

Licensing QAS

Quest Authentication Services must be licensed in order for Active Directory users to authenticate on Unix and Machosts.

Note: While you can install and configure QAS on Windows and use the included management tools toUnix-enable users and groups in Active Directory without installing a license, you must have the QASlicense installed for full QAS functionality.

Note: If you are using Quest Identity Manager for Unix, any time there is a change to the QAS licensing,you must also log into the management console with the supervisor account, navigate to Preferences| System settings | Authentication Services and click the Check for licenses button to refresh thelicense information. Quest Identity Manager for Unix does not automatically check for new QAS licenses.

Contact your account representative for a license.

System Requirements

Prior to installing Quest Authentication Services, ensure your system meets the minimum hardware and softwarerequirements for your platform. QAS consists of Windows management tools and Unix client agent components.

Windows Management Tools Requirements

The following are the minimum requirements for installing QAS in your Windows environment:

Table 1: QAS Windows Requirements

System Requirements:

Can be installed on 32-bit or 64-bit editions of thefollowing configurations:

Supported Windows Platforms

• Windows XP SP2 (or later)• Windows Vista• Windows 7• Windows 2003 SP1 (or later)• Windows 2008• Windows 2008 R2

Note: Due to tightened security on theWindows 2008 operating system, whenrunning QAS Control Center on Windows2008 R2, functioning as a domaincontroller, the process must be elevatedor you must add Authenticated Users tothe Distributed COM Users group on thecomputer. As a best practice, Quest doesnot recommend that you install or run theQAS Windows components on ActiveDirectory domain controllers. Therecommended configuration is to install

14 | Authentication Services 4.0 Installation Guide | Introducing Quest Authentication Services


the QAS Windows components on anadministrative workstation.

Note: Microsoft does not support GroupPolicy Management Console (GPMC) on64-bit platforms of Windows; thus, Questdoes not support managing grouppolicies through the QAS Control Centeron Windows 2003 64-bit, Windows 2003R2 64-bit, and XP 64-bit platforms. (SeeGroup Policy Management Console withService Pack 1 for more information.)

You can download all of the following prerequisitesoftware free from the Microsoft website:

Prerequisite Windows Software

• Windows Installer 3.1(http://support.microsoft.com/kb/893803)

• Microsoft .NET Framework 3.5 SP1 or higher• Windows PowerShell 1.0 or higher

(http://support.microsoft.com/kb/968929)

If any of the prerequisites are missing, the QASinstaller suspends the installation process to allowyou to download the required component; it thencontinues the install.

QAS Windows Components

QAS includes the following Windows components:

Table 2: Windows Components

DescriptionWindows Component

A single console to provide access to all of the tools andconfiguration settings for QAS

QAS Control Center

Provides Unix management extensions for ActiveDirectory users and groups

Active Directory Users and Computers MMC SnapinExtensions

Provides Group Policy management for Unix, Linux andMac

Group Policy Management Editor MMC Snapin Extensions

Provides the ability to manage NIS data in Active DirectoryRFC2307 NIS Map Editor MMC Snapin

Import NIS data into Active DirectoryNIS Map Import Wizard

Import Unix identity data into Active DirectoryUnix Account Import Wizard

Provides the ability to script Unix management tasksQAS PowerShell cmdlets

Full product documentation and online helpDocumentation

Authentication Services 4.0 Installation Guide | Introducing Quest Authentication Services | 15

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887


http://support.microsoft.com/kb/893803


Windows Permissions

To install QAS on Windows, you must have:

• Local administrator rights• Rights to create a container and a child container in Active Directory (first-time only)

Authenticated Users must have rights to read cn, displayName, description, and whenCreated attributes for containerobjects in the application configuration location. To change Active Directory configuration settings, Administratorsmust have rights to Create Child Object (container) and Write Attribute for cn, displayName, description,showInAdvancedViewOnly in the application configuration location.

Table 3: Required Windows Permissions

AttributesObject ClassFor UserRightsRequired

ContainerQAS Administrators OnlyCreateChildObject

cn, displayName, description,showInAdvancedViewOnly

ContainerQAS Administrators OnlyWriteAttribute

cn, displayName, description,whenCreated

ContainerAuthenticated UsersReadAttribute

Unix Agent Requirements

Note: To install QAS on Unix, Linux, or Mac, you must have root access rights.

Click here to view a list of supported Unix and Linux platforms that run Quest Authentication Services.

For maximum security and performance, before you begin the installation, make sure that you have the latest patchesfor your operating system version.

Table 4: Patch-Level Requirements

Patch LevelPlatform

glibc 2.3.3-74 or greaterFedora

Patch 108993-01 or greater on SPARCPatch 108994-01 or greater on x86

Solaris 8

OS level 5100-09 or greaterAIX 5.1



QPK1100 B.11.00.62.4 or greaterHPUX 11.00

GOLDQPK11i (i.e. GOLDAPPS11i and GOLDBASE11i)BUNDLE11ild(1) and linker tools cumulative patch (PHSS_30970 or greater)

HPUX 11.11


http://www.quest.com/authentication-Services/supported-platforms.aspx

Patch LevelPlatform

MAINTPACK E0306 or greaterHPUX 11.22

Note:

Quest recommends that you run the Preflight utility to check for supported operating system and correctoperating system patches.

(See Running Preflight on page 38 for details.)

QAS Unix Components

QAS includes the following Unix components:

Table 5: QAS Unix Components

DescriptionUnix Component

The QAS agent background process that manages the persistent cache of Active Directoryinformation used by the other QAS components. vasd is installed as a system service. You

vasd

can start and stop vasd using the standard service start/stop mechanism for your platform.vasd is part of the vasclnt package.

The QAS command line administration utility that allows you to join a Unix host to an ActiveDirectory Domain; access and modify information about users, groups and computers in

vastool

Active Directory; and configure the QAS components. vastool is installed at/opt/quest/bin/vastool. vastool is part of the vasclnt package.

A command line utility that allows you to manage the application of Group Policy settingsto QAS clients. vgptool is installed at /opt/quest/bin/vgptool. vgptool is partof the vasgp package.

vgptool

A command line utility that allows you to modify file ownership on local Unix hosts to matchuser accounts in Active Directory. oat is installed at /opt/quest/libexec/oat/oat.oat is part of the vasclnt package.

oat (OwnershipAlignment Tool)

A background process that secures the authentication channel for applications using LDAPbind to authenticate users without introducing the overhead of configuring secure LDAP(LDAPS). The LDAP proxy is installed by the vasclnt package.

LDAP proxy

A background process that acts as a NIS server which can provide backwards compatibilitywith existing NIS infrastructure. The NIS proxy is installed by the vasyp package.

NIS proxy

The vasdev package, the QAS programming API.SDK package

QAS Permissions Matrix

The following table details the permissions required for full QAS functionality.

Table 6: QAS Permissions

Local Client Req'd PermissionsAD Req'd PermissionsFunction

NALocation in Active Directory with CreateContainer Object rights

QASApplicationConfiguration:creation



NAUpdate permission to the containers createdabove (no particular permissions if you are theone who created it)

QASApplicationConfiguration:changes

• Unix GlobalSettings

• Licensing• Custom

UnixAttributes

NASchema Administrator rightsSchemaoptimization

NAEnterprise Administrator rightsDisplaySpecifierRegistration

NAAdministrator rightsEditing Users

NAGroup Policy Creator Owners rightsCreate anygroup policyobjects

NALocation in Active Directory with CreateContainer Object rights (you create containersfor each NIS map)

RFC 2307 NISImport MapWizard

NAAdministrator rights (you are creating newaccounts)

Unix AccountImport Wizard

NAWrite permissions to the file system folder whereyou want to create the logs

LoggingOptions

vasd must run as rootThe client computer object is expected to haveread access to user and group attributes, whichis the default.

vasd daemon

In order for QAS to update the host objectoperating system attributes automatically, setthe following rights for "SELF" on the clientcomputer object: Write Operating System,Write operatingSystemHotfix, and WriteoperatingSystemServicePack.

Any local userNA (updated by means of vasd)QAS/VAS PAMmodule

Any local userNA (updated by means of vasd)QAS/VAS NSSmodule

vastool nss

Any local user for most commandsDepends on which vastool command is runvastoolcommand-linetool



rootcomputer creation or deletion permissions inthe desired container

vastooljoin

vastoolunjoin

rootNAvastoolconfigure

vastoolunconfigure

Any local userread permission for the desired objects (regularActive Directory user)

vastoolsearch

vastoolattrs

Any local userwrite permissions for the desired objectvastoolsetattrs

Run as root if you want all tables includingauthcache

NAvastoolcache

Any local user; root needed to create a new localcomputer

permissions to create new users, groups, andcomputers as specified

vastoolcreate

Any local userpermissions to delete existing users, groups, orcomputers as specified; permissions to remove

vastooldelete

the keytab entry for the host object created (rootor write permissions in the directory and the file)

rootThe client computer object is expected to haveread access to user and group attributes, whichshould be the default

vastoolflush

Any local userpermission to modify group membershipvastoolgroup add

vastoolgroup del


vastoolgrouphasmember

Any local userNAvastoolinfo { site| domain |domain -n |forest-root|forest-root-dn |server |acl }




vastoolinfo { id |domains |domains -dn|adsecurity| toconf }

Any local userNAvastoolisvas

vastoolinspect

vastoollicense

Any local userlocal client needs permissions to modify thekeytab specified, default is the computer objectwhich is root.

vastoolkinit

vastoolklist

vastoolkdestroy

root if you are using the default host.keytabfile

NAvastoolktutil


vastoollist (with -loption)

Any local userpermissions to create users and groups in thedesired container

vastoolload

rootNAvastoolmerge

vastoolunmerge

Any local userRegular Active Directory uservastoolpasswd

Any local userActive Directory user with password resetpermission

vastoolpasswd <ADuser>

Any local userRegular Active Directory uservastoolschema list

vastoolschemadetect



root (to modify the local cache file)Regular Active Directory uservastoolschemacache

Any local userRegular Active Directory uservastoolservicelist

NAActive Directory user with permission tocreate/delete service principals in desiredcontainer

vastoolservice {create |delete }

rootNAvastoolsmartcard

rootNAvastoolstatus

root, if you only query the time from AD, you canrun as any local user

NAvastooltimesync

Any local userneeds modify permissions on the AD Objectvastooluser {enable |disable }

Any local userNAvastooluser {checkaccess|checkconflict}

Any local userAccess to Active Directory users passwordvastooluserchecklogin

Quest Identity Manager for Unix Requirements

Quest recommends that you install Quest Identity Manager for Unix. This provides a management console that is apowerful and easy-to-use tool that dramatically simplifies deployment, enables management of local Unix usersand groups, provides granular reports on key data and attributes, and streamlines the overall management of yourUnix, Linux, and Mac OS X hosts.

These are the requirements if you intend to install the management console.


Click here to view a list of supported Unix and Linux platforms that run the web server; thatis, hosts that you can manage from the management console.

Client Agent SystemRequirements

Note: Quest Identity Manager for Unix does not support hosting themanagement console on AIX operating systems.

Note: You must have JRE (Java runtime Environment) 1.6 installed on thesupported platform to run Quest Identity Manager for Unix.


http://www.quest.com/authentication-Services/supported-platforms.aspx


Minimum memory requirement: 512 MB

The management console officially supports the following web browsers:Web Browsers

• Microsoft Internet Explorer 7 (or greater)• Mozilla Firefox 3 (or greater)• Apple Safari 4 (or greater) (Mac only; Windows not supported)

Network Requirements

QAS must be able to communicate with Active Directory including domain controllers, global catalogs and DNSservers using Kerberos, LDAP and DNS protocols. The following table summarizes the network ports that must beopen and their function.

Table 7: Network Ports

FUNCTIONPORT

Used for LDAP searches against Active Directory Domain Controllers. TCP is normally used,but UDP is used when detecting the Active Directory site membership.

389

Used for LDAP searches against Active Directory Global Catalogs. TCP is always used whensearching against the Global Catalog.

3268

Used for Kerberos authentication and Kerberos service ticket requests against Active DirectoryDomain Controllers. UDP is used by default, but TCP is also used if the Kerberos ticket is toolarge for UDP transport.

88

Used for changing and setting passwords against Active Directory using the Kerberos changepassword protocol. QAS always uses TCP for password operations.

464

Used for DNS. Since QAS uses DNS to locate domain controllers, DNS servers used by theUnix hosts must serve Active Directory DNS SRV records. Both UDP and TCP are used.

53

UDP only. Used for time-synchronization with Active Directory.123

CIFS port used to enable the client to retrieve configured group policy.445


Chapter

3Installing and Configuring QAS

To extend the authentication, authorization, and administration infrastructureof Active Directory to the rest of your enterprise, allowing Unix, Linux, and

Topics:

• Install the Management Console Mac systems to act as full citizens within Active Directory, you must installand configure Quest Authentication Services.• Install QAS Windows Components

• Configure Active Directory for QAS This section explains the steps you must take in detail:• Configure Unix Agent Components

1. Install Quest Identity Manager for Unix.2. Install Quest Authentication Services Windows components.3. Configure Active Directory for QAS (one time, only).4. Configure Unix Agent Components

a. Configure the management console for Active Directory.b. Prepare the Unix hosts for Active Directory user access:

• Add and profile a host.• Check the host for readiness to join Active Directory.• Install QAS agent software packages on the host to allow Active

Directory user access.

Note: For users to authenticate on Unix, Linux, andMac hosts with Active Directory credentials, your Unixhosts must have the QAS agent installed.

• Join the host to Active Directory.

Install the Management Console

In preparing for your Quest Authentication Services installation, Quest recommends that you install Quest IdentityManager for Unix. This provides a management console that is a powerful and easy-to-use tool that dramaticallysimplifies deployment, enables management of local Unix users and groups, provides granular reports on key dataand attributes, and streamlines the overall management of your Unix, Linux, and Mac OS X hosts.

Of course, you can install QAS without using Quest Identity Manager for Unix. If you wish to do that, skip theseinstructions and go to: Installing and Joining from the Unix Command Line on page 37.

Install and Configure the Management Console

The easiest way to install and configure QAS Unix agent components is by means of the Quest Identity Manager forUnix.

To install the management console on a supported Windows platform

1. From the Quest Authentication Services Autorun Home page, click the Setup tab.

Note: To start the Autorun installation wizard, navigate to the root of the distribution media anddouble-click autorun.exe.

2. From the Setup page, click Quest Identity Manager for Unix.The install wizard guides you through the rest of the setup pages:

• Quest Identity Manager for Unix License Agreement• Installation Directory• Configure TCP/IP Port• Completing the Quest Identity Manager for Unix installation

3. On the Complete page, leave the Launch the Management Console option deselected and click Finish to exit theinstall wizard and return to the Quest Authentication Services Autorun Setup tab.Once you have installed Quest Identity Manager for Unix, you are ready to install or upgrade the QAS Windowscomponents.

Install QAS Windows Components

Quest recommends that you install the Windows components and configure Active Directory before you install theUnix components.

Installing QAS Windows ComponentsInstall Quest Authentication Services on each Windows Workstation you plan to use to administer Unix data in ActiveDirectory.

To install the QAS Windows components

1. From the Autorun Setup page, click Quest Authentication Services to launch the setup wizard.2. Click Next at the Welcome page and follow the wizard prompts.

The wizard leads you through the following pages:

• License Agreement• Choose Destination Location

24 | Authentication Services 4.0 Installation Guide | Installing and Configuring QAS

• Ready to Install the Program• InstallShield Wizard Complete

3. On the Complete page, leave the Launch Quest Authentication Services Control Center option selected andclick Finish to automatically start the QAS Control Center.

Note: The first time you launch the QAS Control Center, the Set up QAS Active DirectoryConfiguration Wizard starts automatically to walk you through the process ofconfiguring Active Directory for QAS. If the configuration has already been performedwhen you click Finish, theQAS Control Center launches.

Configure Active Directory for QASTo use QAS 4.0 with Active Directory, you must first prepare Active Directory to store the configuration settings thatit uses. This is a one-time process that creates the QAS application configuration in your forest.

Note: To use the QAS Active Directory Configuration Wizard, you must have rights to create a containerin Active Directory.

You can also create the QAS application configuration from the Unix command line, if you prefer. See Creating theApplication Configuration from the Unix Command Line on page 43 for more information.

Configuring Active Directory for QAS

The first time you install QAS in your environment, Quest recommends that you perform this one-time Active Directoryconfiguration step to utilize full QAS 4.0 functionality.

Note:

If you do not configure QAS for Active Directory, you can run your QAS client agent in "Version 3Compatibility Mode" which allows you to join a host to an Active Directory domain.

(See Version 3 Compatibility Mode on page 27 for details.)

To configure Active Directory for QAS

1. At the QAS Active Directory Configuration Wizard Welcome page, click Next.2. At the Connect to Active Directory page:

a) Provide Active Directory login credentials for the wizard to use for this task:

• Select Use my current AD logon credentials if you are a user with permission to create a container inActive Directory.

• Select Use different AD logon credentials to specify the Active Directory credentials of another user andenter the User name and Password.

Note: The wizard does not save these credentials; it only uses them for this setup task.

b) Indicate how you want to connect to Active Directory:Select whether to connect to an Active Directory Domain Controller or ActiveRoles Server.

Note: If you have not installed the ActiveRoles Server MMC Console on your computer, theActiveRoles Server option is not available.

c) Optionally enter the Domain or domain controller and click Next.

Authentication Services 4.0 Installation Guide | Installing and Configuring QAS | 25

3. At the License QAS page, browse to select your license file and click Next.

Refer to Licensing QAS on page 53 for more information about licensing requirements.

Note: You can add additional licenses later from the QAS Control Center Preferences Licensing page.

4. At the Configure Settings in Active Directory page, accept the default location in which to store the configurationor browse to select the Active Directory location where you want to create the container and click Setup.

Note: You must have rights to create a container in the selected location. For more information onthe structure and rights required see Windows Permissions on page 16.

5. Once you have configured Active Directory for QAS, click Close.

The QAS Control Center opens. You are now ready to configure your Unix Agent Components. (Proceed toConfigure Unix Agent Components on page 28.)

About Active Directory Configuration

The first time you install or upgrade the QAS 4.0 Windows components in your environment, you must configureActive Directory for QAS to utilize full QAS 4.0 functionality. This is a one-time Active Directory configuration stepthat creates the QAS application configuration in your forest. QAS uses the information found in the QAS applicationconfiguration to maintain consistency across the enterprise. Without the Active Directory configuration you cannotstore Unix identity information in Active Directory. However, you can still join Unix machines to Active Directory.

Note:

If you do not configure QAS for Active Directory, you can run your QAS client agent in "Version 3Compatibility Mode" which allows you to join a host to an Active Directory domain.

(See Version 3 Compatibility Mode on page 27 for details.)

The QAS application configuration stores the following information in Active Directory:

• Application Licenses• Settings controlling default values and behavior for Unix-enabled users and groups• Schema configuration

The Unix agents use the Active Directory configuration to validate license information and determine schemamappings. Windows management tools read this information to determine the schema mappings and the defaultvalues it uses when Unix-enabling new users and groups.

The QAS application configuration information is stored inside a container object with the specific naming of:cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. The default location for this container is cn=Program Data,cn=QuestSoftware,cn=Authentication Services,dc=<your domain>. This location is configurable.

There can only be one Active Directory configuration per forest. If QAS finds multiple configurations, it uses the onecreated first as determined by reading the whenCreated attribute. The only time this would be a problem is if differentgroups are using different schema mappings for Unix attributes in Active Directory. In that case, standardize on oneschema and use local override files to resolve conflicts. You can use the Set-QasUnixUser andSet-QasUnixGroup PowerShell commands to migrate Unix attributes from one schema configuration to another.Refer to the PowerShell help for more information.

The first time you run the QAS Control Center, the QAS Active Directory Configuration Wizard walks you through thesetup.

Note: You can also create the QAS application configuration from the Unix command line, if you prefer.(See Creating the Application Configuration from the Unix Command Line on page 43 for more information.)


You can modify the settings using the QAS Control Center Preferences page. To change Active Directory configurationsettings, you must have rights to Create Child Object (container) and Write Attribute for cn, displayName, description,showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.

In order for Unix clients to read the configuration, authenticated users must have rights to read cn, displayName,description, and whenCreated attributes for container objects in the application configuration. For most ActiveDirectory configurations, this does not require any change.

This table summarizes the required rights:

AttributesObject ClassFor UserRights Required

ContainerQAS Administrators OnlyCreate Child Object

cn, displayName,description,showInAdvancedViewOnly

ContainerQAS Administrators OnlyWrite Attribute

cn, displayName,description, whenCreated

ContainerAuthenticated UsersRead Attribute

At any time you can completely remove the QAS application configuration using the Remove-QasConfigurationcmdlet. However, without the QAS application configuration QAS Active Directory-based management tools do notfunction.

Join the Host to AD Without the QAS Application Configuration

You can install the QAS Agent on a Unix system and join it to Active Directory without installing QAS on Windowsand setting up the QAS Application Configuration.

The QAS 4.0 client-side agent required detection of a directory-based Application Configuration data object withinthe Active Directory forest in order to join the host computer to the Active Directory Domain. QAS 4.0.2 removesthis requirement for environments where directory-based User and/or Group identity information is not needed onthe host Unix computer. These environments include full Mapped-User environments, GSS-API basedauthentication-only environments, or configurations where the QAS agent will auto-generate posix attributes forActive Directory Users and Groups objects.

Version 3 Compatibility Mode

When upgrading to or installing QAS 4.0, you can choose not to configure Active Directory for QAS and run yourQAS 4.0 client agent in "Version 3 Compatibility Mode". While this prevents you from running the QAS Control Centerand accessing its many features and tools, you can join a host to an Active Directory domain when operating in"Version 3 Compatibility Mode".

Note: When you run the join command without first creating a Quest Application Configuration (QAC),Authentication Services displays a warning.

Without the QAS application configuration the following information is stored locally:

• Application Licenses• Settings controlling default values and behavior for Unix-enabled users and groups• Schema configuration

Default User Login Name Changes

In VAS 3.5.x, the default user login name was the User Principal Name; QAS 4.0 uses the sAMAccountName as thedefault user login name. After upgrading to QAS 4.0, if you want to continue to login with the User Principal Name,then you must ensure that the username-attr-name in the vas.conf file is set to the User Principal Namebefore you begin the client agent upgrade.


Note: This is not necessary if the value of the User Principal Name prefix and the sAMAccountName arethe same across your enterprise, which is the Active Directory default.

There are two ways to change the username-attr-name in the vas.conf file:

1. Manually configure each client agent to use the User Principal Name.

To manually configure each client agent to use the User Principal Name

1. Before you upgrade each client agent, open the /etc/opt/quest/vas/vas.conf file and find theusername-attr-name attribute in the [vasd] section.

2. If there is no value set for this attribute, then set it to:

username-attr-name = userPrincipalName

Note: If the attribute is already explicitly set to another value (such as: username-attr-name =uid), do not change it.

Note: Alternatively, you can run the following command on each client to change the setting invas.conf:

vastool configure vas vasd username-attr-name userprincipalname

2. Use Group Policy to automatically configure all the clients in your environment.

To automatically configure all the clients in your environment

1. Open the Group Policy Management Editor and navigate to Computer Configuration | Policies | UnixSettings | Quest Authentication Services | Client Configuration.

Note: Your version of Group Policy Management Editor may not have the Policies directory layer.

2. Double click QAS Configuration to open the Properties page.3. Enter username-attr-name in the vas.conf Settings box and click Search.4. Enter userPrincipalName and click OK.

Best Practice

Because Version 3 Compatibility Mode does not allow you run the QAS Control Center and access its many featuresand tools, Quest recommends that you create the application configuration so you can utilize full QAS 4.0 functionality.

There are two ways to create the application configuration:

1. When you start the QAS Control Center from a Windows workstation, the Set up QAS Active Directory ConfigurationWizard starts automatically to lead you through the process of configuring Active Directory for QAS.

2. Alternatively, you can run vastool configure ad from the Unix command line to create the Quest ApplicationConfiguration in Active Directory.

Configure Unix Agent Components

The QAS Control Center gives you access to the tools you need to perform Unix identity management tasks.

Note: If the QAS Control Center is not currently open, you can either double-click the desktop icon oraccess it by means of the Start menu.

Follow the steps outlined on the QAS Control Center Home page to get your Unix agents ready.

Note: Of course, you can install QAS without using Quest Identity Manager for Unix. If you wish to dothat, skip these instructions and go to: Installing and Joining from the Unix Command Line on page 37.


To start the management console

1. From the QAS Control Center, click the Management Console link in the left-navigation pane.

Setup Quest Identity Manager for Unix

The first time you launch the management console, the Setup Quest Identity Manager for Unix wizard leads youthrough some post-installation configuration steps. Choose one of these options:

• Skip the Active Directory configuration, I'll do that later from the console

This option allows you to use the core features of the console.

• Walk me through the configuration steps for using AD user accounts for logon to the console

When you configure the console for Active Directory, you unlock additional Active Directory features.

Note: To use the management console with Quest Authentication Services, you must configure theconsole for Active Directory log on.

Choose an option and click Next.

Note:

If you choose the "Skip" option, the Identify Console page displays. (See Identify Console on page 30.)

If you choose the "Walk" option, it allows you to configure the console for Active Directory log on. (SeeConfigure the Console for Active Directory Logon.)

Note: If you can not configure the console for Active Directory during your initialinstallation of Quest Identity Manager for Unix, choose the "Skip" option. After theinstallation, log into the console as supervisor and configure the console for ActiveDirectory from System Settings in the Preferences menu later. (See Active DirectoryConfiguration in the management console online Help for more information.)

Configure the Console for Active Directory

The setup wizard displays the Configure console for Active Directory Logon page during the post-installationconfiguration steps.

To configure the management console for Active Directory

1. On the Configure console for Active Directory Logon page, enter a valid Active Directory domain in the forest, inthe form example.com.

2. Enter the Active Directory credentials.The wizard uses these credentials to verify the QAS configuration and license in Active Directory and to configurethe management console for use with Active Directory.

3. Click Connect to Active Directory.4. When you see the message that indicates the console connected to Active Directory successfully, click Next.

The Set up console access by role page opens.

Setup Console Access by Role

After you complete the Configure Console for Quest Authentication Services page, the setup wizard displays the Setup console access by role page.

To add Active Directory users or groups to the console access list


1. On the Set up console access by role page, click Add... to specify the Active Directory users and groups that youwant to have access to the features available in Quest Identity Manager for Unix.

2. On the Select Users and Groups page, use the search controls to find and select Active Directory user(s) or group(s).Select one or more objects from the list and click OK.The management console adds the selected object(s) to the list on the Set up console access by role page.

By default the management console assigns users to All Roles, which gives those accounts permissions to accessand perform all tasks within the console. (See Roles and Permissions in the management console online Help formore information.)

Note: During the initial set up, you can only assign a user to one role. Use System Settings to addadditional roles to a user. (See Add Role Members in the management console online Help for moreinformation.)

3. Click in the Roles cell to activate a drop-down menu from which you can choose a role for the user account.4. Click Next to save your selections.

The Identify Console page opens.

Identify Console

The setup wizard displays the Identify Console page during the post-installation configuration steps.

To identify the management console

On the Identify Console page, modify the information about this management console, if necessary, and clickNext to open the Set supervisor password page.

Note: You can modify these settings from Preferences | System settings | General | ConsoleInformation.

Set Supervisor Password Page

The supervisor is the only account by default that has rights to modify system settings in Quest Identity Managerfor Unix. The supervisor has all permissions in the management console. That is, he can do anything, and nopermissions can be removed from supervisor.

To set the supervisor password

On the Set supervisor password page, enter a password for the supervisor account and click Next.The Summary page displays.

Summary Page

To complete the Setup Quest One Management Console for Unix wizard

On the Summary page, click Finish.The Quest Identity Manager for Unix log-in screen opens.

Quest Identity Manager for Unix Log On Page

Whenever you launch the management console, you must enter an authorized account to proceed. The QuestIdentity Manager for Unix features that are available depend on the account with which you log in.

To use the core version to manage local Unix users and groups and to access the management console systemsettings, you must use the supervisor account (that is, you must log on with the supervisor user name). However,to use the Active Directory features of Quest Identity Manager for Unix, you must log on with an Active Directoryaccount that has been granted access to the management console. That is, defined during the post-installation


configuration on the Setup console access by Role page. To add additional accounts to this access list, see ChangeRole Properties in the management console online Help for more information.

To log on to the management console

1. Enter a user name and password and click Log on.

Enter one of the following:

• the supervisor account name• a sAMAccountName, which uses the default domain• a net bios name in the form, domain\username• a User Principal Name in the form, username@domain

The management console opens and displays the user name you specified in the upper right-hand corner of thescreen.

2. To log on using a different account, select Log out in the upper right-hand region of the window.The Log-on page redisplays, allowing you to enter a different account.

Prepare Unix Hosts

Once you have successfully installed Quest Identity Manager for Unix, you must add your hosts to the managementconsole, and profile them to gather system information. Then you can manage users and groups on the hosts andrun reports from the console.

Using Quest Identity Manager for Unix with a licensed version of Quest Authentication Services, not only allows youto centrally manage your hosts, but it allows you to do these additional features for managing Unix systems withActive Directory:

• Remotely install QAS agents, join systems to Active Directory, and implement AD-based authentication for Unix,Linux, and Mac systems.

• Generate reports about both local Unix users and groups and Unix-enabled users and groups in Active Directory.• Generate access control reports that show which user is permitted to log into which Unix host.

Add Host(s) to the Management Console

In order to manage a Unix host from the management console, you must first add the host. Go to the Hosts tab ofthe management console to either manually enter hosts or import them from a file.

To add host(s) to the management console

1. Click the Add Hosts tool bar button to display the Add Hosts page.2. To manually add one or more hosts, enter the FQDN, IP address, or short name of a host you want to add to the

management console and either press Enter or click the icon.

Note:

Once added, the Host column displays the value you enter. The management console uses that valueto connect to the host. The only way to change what is displayed in the Host column is to removethe host from the console and re-add it. For example, if you add a host by its IP address, the IP addressdisplays in the Host column (as well as in the IP Address column); to change what is displayed in theHost column, you must use the Remove from console tool bar button to remove the host from theconsole; then use the Add Hosts button to re-add the client by its host name. If you had profiled thehost before removing it, you will have to re-profile it after re-adding it.

Repeat this step to add additional hosts.3. To add hosts from a known_hosts file, click the Import button.


a) On the Import hosts from file page, browse to select a .txt file containing a list of host addresses to import.

Once imported, the host addresses display in Add Host page.

Note:

The valid format for an import file is:

• .txt file - contains the IP address or DNS name, one per line• known_hosts file - contains address algorithm hostKey (separated by a space), one entry per

line

For more details about the supported known_hosts file format, see Known_hosts File Format inthe management console online Help for more information.

4. Once you have a list of one or more hosts to add, click OK.

If you do not wish to profile the host(s) at this time, clear the Profile hosts after adding option before you clickOK.

Note: If you add more than 50 hosts to the list, this option is disabled.

5. If you do not clear the Profile hosts after adding option on the Add Hosts page, when you click OK, the ProfileHost page prompts you to enter the user credentials to access the host(s) and automatically leads you throughthe profile steps. (Refer to Profile Host(s) which walks you through the tasks to profile the host(s).)

6. If you clear the Profile hosts after adding option on the Add Hosts page, when you click OK, the Add Hosts pagecloses and control returns to the management console from which you can profile the hosts later manually.

The management console lists hosts that were successfully added on the All Hosts page.

Profile Host(s)Profiling imports information about the host, including local users and groups, into the management console. It isa read-only operation and no changes are made to the host during the profiling operation. Profiling does not requireelevated privileges.

To profile host(s)

1. Select one or more hosts on the All Hosts tab, open the Profile menu and choose Profile.2. In the Profile Host page, enter user credentials to access the host(s).

If you selected multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) orenter different credentials for each host.

3. If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter the followinginformation:a) Enter the user name and password to log onto the selected host(s).b) Optionally enter the SSH port to use. It uses port 22 by default.c) To save the credentials entered for the host, select the Save my credentials on the server option.

Once saved, the management console uses these credentials to access the host during this and subsequentsessions.

Note:

If you do not save a password to the server, the user name and password fields will be blank the firsttime the management console needs credentials to complete a task on the host during a log onsession. Once entered, the management console caches the user name and password and reusesthese credentials during the current session, and pre-populates the user name and password fieldsin subsequent tasks during the current log on session.


4. If you selected multiple hosts and the Enter different credentials for each selected host option, a grid displaysallowing you to enter different credentials and specify different settings for each host.a) To enter different credentials, place your cursor in the Username and Password columns to the right of the

Host column and enter the credentials to use.b) To change the SSH port for a host, place your cursor in the SSH Port column and enter the new SSH port

number.c) To save the credentials entered for a host, select the check box in the Save column.

5. If you do not trust the selected hosts' SSH keys and want the management console to prompt you to review andaccept new SSH keys, clear the Automatically accept SSH keys option before you click OK .Before the profile process begins, Quest Identity Manager for Unix checks the SSH key for the selected host(s).By default, the Automatically accept SSH keys option is selected to enable the management console toautomatically accept SSH keys and cache them on the server. When you clear this option, if the managementconsole finds SSH keys on the hosts that are not cached on the server, or if it finds new keys that are differentfrom keys cached on the server, it displays the Validate Host SSH Keys dialog which allows you to manually acceptthe new fingerprint for each host and cache them on the server.

Note: When profiling one or more hosts, you must accept at least one key before continuing. Themanagement console only profiles hosts with accepted keys.

Note: When you select the Automatically accept SSH keys option and a modified key is encountered,the profile task will prompt you to accept the new changed key(s). (See Managing SSH Host Keys inthe management console online Help for more information on uploading a host's SSH key.)

A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, includingany errors encountered.SSH Terminal Access to Host

Quest Identity Manager for Unix uses SSH as the network protocol to provide secure remote access and administrationof Unix hosts. By default, new SSH keys will be automatically accepted prior to initiating the profiling process.However, if you do not trust the selected hosts' SSH keys and want to be prompted to review and accept new SSHkeys, clear the Automatically accept SSH keys check box on the Profile Host page. With this option cleared, profilinga host for the first time will now prompt you to validate and accept the SSH key for the selected hosts. Once accepted,the fingerprint will be cached on the Quest Identity Manager for Unix server. Once a fingerprint is cached, you willonly be asked to validate and accept new fingerprints that are different than those cached on the server.

Note: When the Automatically accept SSH keys option is selected and a modified key is encountered,the profile task will prompt you to accept the new changed key(s).

To upload a host's SSH key, use one of the following methods:

• Profile a host. When profiling a host, new SSH keys are automatically accepted for the selected host. However,you can clear the Automatically accept SSH keys option on the Profile Hosts page if you want to be promptedto validate the host's SSH key if it is not already cached or if it is different than the one stored on the server. Youmust accept a host's new fingerprint in order to proceed with the profiling process.

• Import hosts. When adding hosts, you can use the Import option to add hosts from a known_host file whichcontains the host addresses and public key data for known server hosts. When these hosts are profiled, new SSHkeys are automatically accepted unless you clear the Automatically accept SSH keys option on the Profile Hostpage. When this option is cleared, you will be prompted to validate each hosts' fingerprint.

• Import SSH Host Keys. You can use the Import SSH Host Key tool bar command to upload a new public SSHkey for a selected host. When using this command, you are prompted to accept the new fingerprint for theselected host.

You can view the SSH fingerprint and algorithm used to access a host on the Details page of a host's properties tab.

By default, Quest Identity Manager for Unix prevents you from adding hosts with the same SSH public key to themanagement console. This is to ensure uniqueness of hosts since a host can have more than one resolvable DNSname and multiple IP addresses. There should only be one public key returned for whichever DNS name or IP address


is used to access the host. However, if you want to allow hosts with the same SSH key to be added to the managementconsole, you can enable the Duplicate SSH Public Keys setting on the General page of the System Settings dialog,which is accessed in the Preferences menu.Profile Automatically

To keep the Quest Identity Manager for Unix database up to date with accurate information about users and groups,you can configure the management console to profile hosts automatically.

Configuring a host for auto-profiling sets up a cron job on the client that runs every five minutes. If it detects changeson the host, it triggers a profile operation.

The cron job detects changes to the following:

• local users, groups, or shells• installed QAS or Privilege Manager for Sudo software• QAS access control lists• QAS mapped user information• Privilege Manager for Sudo configuration• QAS configuration• Privilege Manager for Sudo licenses

The cron job also sends a heartbeat every day at midnight. This updates the Last profiled date displayed on the host

properties page. If the Last profiled date is more than 24 hours, the host icon changes to indicate: .

Note: Automatic Profile does not detect QAS product license changes. Any time there is a change toQAS licensing, click the Check for licenses button in the Authentication Services page of System Settingsto refresh the license information in management console. (See Check for QAS Licenses in the managementconsole online Help for details.)

To configure automatic profiling

1. Select one or more hosts on the All Hosts tab, open the Profile menu from the Prepare panel of the tool bar, andchoose Profile Automatically...

Note: The Profile Automatically option is only available for multiple hosts if all hosts are in the same‘Auto-profile’ state; that is, they all have ‘Auto-profile’ turned on, or they all have ‘Auto-profile’ turnedoff.

2. In the Profile Automatically page, select the Profile the host automatically option.3. Choose the user account you want to use for profiling, either:

• Create a Quest user service account on the host

-OR-

• Use an existing user account (user must exist on all selected hosts)

(Click Select to browse for a user.)

4. Click OK on the Profile Automatically page.

When you auto-profile a host, if you choose to create the Quest user service account on the host, the managementconsole,

1. creates "questusr", the Quest Service User account, and a corresponding "questgrp" account on the host thatthe management console uses for automatic profiling.

2. adds questusr as an implicit member of questgrp.

Then, whether you choose to create the Quest user service account or use an existing user account, themanagement console,


3. adds the user account (the "questusr" or your existing user account) to the cron.allow file.4. adds the auto-profile SSH key to that user's authorized_keys file.

The authorized_keys file for "questusr" is at:/var/opt/quest/home/questusr/.ssh/authorized_keys.

Note:

The questusr account is a non-privileged account that does not require root-level permissions. Thisaccount is used by the console to gather information about existing user and groups in a read-onlyfashion, however, the management console does not use questusr account to make changes to anyconfiguration files.

If questusr is inadvertently deleted, the console turns ‘Auto-profiling’ off. To recreate the "questusr"account,

1. Re-profile the host.2. Configure the host for automatic profiling again.

5. On the Log on to Host page, enter the user credentials to access the selected host(s) and click OK.

Note: This task requires elevated credentials.

If you select multiple hosts, you are asked if you want to use the same credentials for all the hosts (default) orenter different credentials for each host.a) If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your

credentials to log on to access the selected host(s) and click OK.b) If you selected multiple hosts and the Enter different credentials for each selected host option, it displays

a grid which allows you to enter different credentials for each host listed. Place your cursor in a cell in the gridto activate it and enter the data.

To disable automatic profiling

1. Select one or more hosts on the All Hosts tab and choose Profile Automatically...2. Clear the Profile the host automatically option and click OK.3. On the Log on to Host page, enter the user credentials to access the selected host(s) and click

OK.

When you disable auto-profiling for a host, the management console,

1. leaves the "questusr" and the corresponding "questgrp" accounts on the host, if they werepreviously created.

2. leaves questusr as an implicit member of questgrp, if it exists.3. removes the user account (the "questusr" or your existing user account) from the

cron.allow file.4. removes the auto-profile SSH key from that user's authorized_keys file.

Check Readiness

Once you add and profile hosts, the Quest Identity Manager for Unix allows you to perform a series of tests to verifythat a host meets the minimum requirements to join an Active Directory domain. Running the readiness checks doesNOT require elevated privileges.

To check host(s) for Active Directory Readiness

1. Select one or more hosts on the All Hosts page of the Hosts tab, open the Check menu from the Prepare panel ofthe tool bar, and choose Check for AD Readiness.


2. In the Check AD Readiness page, enter the Active Directory domain to use for the readiness check.3. Enter Active Directory user credentials, and click OK.4. On the Log on to Host page, enter the user credentials to access the selected host(s) and click OK.

If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) orenter different credentials for each host.a) If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your



A progress bar displays in the Task Progress pane on the All Hosts page. The final status of the task displays, includingany failures or advisories encountered.

Install Software on Host(s)Once a you have successfully added and profiled one or more hosts, you can remotely deploy software products tothem from the management console.

To install software on host(s)

1. Select one or more profiled hosts on the All Hosts page and click the Install Software tool bar button.2. On the Install Software page, select the software products you want to install and click OK.

• Quest Privilege Manager Plugin for Sudo• Quest Authentication Services Agent (required)• Quest Authentication Services for Group Policy (required)• Quest Authentication Services for NIS (optional)• Quest Authentication Services for LDAP (optional)• Dynamic DNS Updater (optional)• Quest Defender Pam Module (optional)

Note: If you do not see all of these software packages, verify the path to the software packages iscorrectly set in System settings. (See Set the Client Software Location on the Server in the managementconsole online Help for more information.)

3. On the Log on to Host page, enter the user credentials to access the selected host(s) and click OK.

Note: To install Quest Authentication Services software packages, you must have elevated privilegeson the host and in Active Directory with rights to install software and configure the join to ActiveDirectory.

If you selected multiple hosts, it asks whether you want to use the same credentials for all the hosts (default) orenter different credentials for each host.a) If you selected multiple hosts and the Use the same credentials for all selected hosts option, enter your



A progress bar and the final status of the task(s) display in the Task Progress pane on the All Hosts page, includingany errors encountered.


Chapter

4Installing and Joining from the Unix Command Line

While you can use Quest Identity Manager for Unix to install and configureQAS as explained in Installing and Configuring QAS on page 23, you can also

Topics:

• The QAS Pre-Installation DiagnosticTool

manually install the QAS agent on each Unix, Linux, or Mac OS X host fromthe command line.

• Upgrading VAS 3.5 From theCommand Line

The sections in this chapter walk you through the process of installing theQAS Unix agent directly from the command line. For information about

• The QAS Install Script installing, upgrading, and uninstalling the QAS agent on supported platforms• Licensing QAS in an enterprise environment using platform package management tools,

refer to Enterprise Package Deployment on page 83.• Creating the ApplicationConfiguration from the UnixCommand Line

Before installing and configuring the QAS Unix agent, Quest recommendsthat you run the preflight tool to check a host's suitability to run QAS.

• Joining the Domain After you determine that the Unix host is ready, run the QAS installation script,install.sh, to install the Unix/Linux agent.

The QAS Pre-Installation Diagnostic Tool

Quest provides the preflight utility to check a host's suitability to run QAS by verifying a number of environmentalconsiderations necessary for joining an Active Directory domain.

This utility obtains answers to the following questions:

• Does QAS support the host on which this utility is being run?• Are the operating system and any patches at requisite levels?• Is there at least one visible domain controller (DC)?• Are global catalogs available on any of the domain controllers?• Are all services needed by QAS available?• Is a QAS application configuration set up on the target domain?

The preflight command-line utility performs the following verifications:

Install Checks:

• Check for supported operating system and correct operating system patches.• Check for sufficient disk space to install QAS.

Join Checks:

• Check that the hostname of the system is not 'localhost'.• Check if the name service is configured to use DNS.• Check resolv.conf for proper formatting of name service entries and that the host can be resolved.• Check for a name server that has the appropriate DNS SRV records for Active Directory.• Detect a writable domain controller with UDP port 389 open.• Detect Active Directory site, if available.• Check if TCP port 464 is open for Kerberos kpasswd.• Check if UDP port 88 and TCP port 88 are open for Kerberos traffic.• Check if TCP port 389 is open for LDAP.• Check for a global catalog server and if TCP port 3268 is open for communication with global catalog servers.• Check for a valid time skew against Active Directory.• Check for the QAS application configuration in Active Directory.

Post-Join Checks:

• Check if TCP port 445 is open for Microsoft CIFS traffic.

You can find the preflight.sh script at the root of the ISO. This script runs the correct preflight version for yoursystem.

The most important option and arguments to preflight are:

• domain-name

The domain you want to join with QAS.

• -u username

An identity with administrator rights for the Active Directory domain you want to join.

Note: The preflight utility does not make any changes to your system.

Running Preflight

To run preflight

38 | Authentication Services 4.0 Installation Guide | Installing and Joining from the Unix Command Line

1. Mount the QAS distribution media.2. Enter the following command at the root of the QAS ISO:

# ./preflight.sh -u Administrator example.com

where Administrator is your user name and example.com is the name of your domain.

By default preflight outputs the results of the verifications for the three types of checks (Install Checks, JoinChecks and Post-Join Checks) to the console. Run the preflight utility with the --verbose option to obtaindetailed information about the various checks in those categories.

The last line of the output tells you whether you are ready to continue deploying QAS.

If you did not get a "Preflight Checks ... complete with status Success" message, correct any failures indicatedbefore continuing with the QAS installation. Be aware of any "Advisories" that it returns, as they may impact yourability to install or join.

Note:

If you get a message that says, "Unable to locate QAS Application Configuration",you can ignore that error for now and proceed with the QAS installation. The QASActive Directory Configuration Wizard starts automatically to help you configure ActiveDirectory for QAS the first time you start the QAS Control Center. Or, you can createthe QAS application configuration from the command line, as explained in Creatingthe Application Configuration from the Unix Command Line on page 43

Note: For information about other preflight options, either run preflight--help or refer to the preflight man page located in the docs directory of theinstallation media. (See Resolving Preflight Failures on page 76 for additional help inresolving issues.)

Upgrading VAS 3.5 From the Command Line

To upgrade VAS 3.5 from the Unix command line

1. Install the upgrade package on that host by running:

# ./install.sh upgrade

Note: If you are running your client agent in Version 3 Compatibility Mode, QAS displays a warningmessage. (See Version 3 Compatibility Mode on page 27 for details.)

2. Install the QAS license. (See Licensing QAS on page 42.)3. Create the QAS application configuration. (See Creating the Application Configuration from the Unix Command

Line on page 43.)

Note: This step is optional. If you do not configure QAS for Active Directory, you can run your QASclient agent in "Version 3 Compatibility Mode" which allows you to join a host to an Active Directorydomain.

4. Upgrade the rest of your hosts to the QAS 4.0 Agent.

About the QAS Application Configuration

Authentication Services 4.0 Installation Guide | Installing and Joining from the Unix Command Line | 39

The first time you install or upgrade the QAS 4.0 Windows components in your environment,Quest recommends that you configure Active Directory for QAS to utilize full QAS 4.0 functionality.This is a one-time Active Directory configuration step that creates the QAS applicationconfiguration in your forest. QAS uses the information found in the QAS application configurationto maintain consistency across the enterprise.

If you upgrade VAS 3.5 to QAS 4.0 using the Quest Identity Manager for Unix as explained in theQAS Upgrade Guide, the QAS Active Directory Configuration Wizard starts automatically to assistyou in setting up the application configuration; however, if you are upgrading from the Unixcommand line, you can create the QAS application configuration using the vastool command.

Note: You need only one application configuration per forest. If you already havea QAS application configuration in your forest, you do not need to create anotherone. (For more information about configuring Active Directory for QAS, see AboutActive Directory Configuration on page 26.)

The QAS Install Script

Follow the steps in this topic if you are installing a QAS 4.0 for the first time; that is, if you are not upgrading fromVAS 3.5.

The QAS installation script, install.sh, installs Quest Authentication Services, joins the domain, and allows youto install licenses. You can run the install script in interactive mode by using the -i option. This provides you witha menu of valid operations to perform, including Running preflight.

You can also automate the installation process by running install.sh in "unattended" mode using -q option.In this mode you may specify a set of commands for the script to perform.

Note: For more information on the QAS installation script, run

install.sh --help

Installing the QAS Agent

To install the QAS agent with the installation script

1. Log in and open a root shell.2. Mount the installation DVD for your selected platform and navigate to the mount point.3. Run install.sh by entering the following command:

# ./install.sh vasclnt

Note:

See Install the QAS Agent Package on page 84 for a list of the QAS Agent installation commands.

After installing QAS some services such as cron, sshd and gdm may need to be restarted in orderto reload NSS configuration. If you are unsure of which services to restart, reboot the system.

Installation Script Options

If you run install.sh with no option, it installs (or upgrades) Quest Authentication Services and QuestAuthentication Services Group Policy, installs the license, and joins the domain.


The following is a list of the available options to the QAS install script:

Table 8: install.sh Options

FUNCTIONOPTION

Turn on debug.-d

Help; displays usage information including a brief summary of options.-h

Displays full script help.--help

Displays version and lists products available on this ISO.-v, --version

License; path to Quest license file to copy (unattended mode). Not valid with -i (interactivemode)

-l path

Specify alternate ISO path to search for install packages.-p

Test host and iso and report on what is installed and available.-t

Simple mode<none>

Interactive mode; provides a menu showing choices based on existing QAS softwareinstallation and includes a help mode.

-i

Unattending mode; executes script in unattended (automatic) mode; requires other options.-q

Accept License; signals acceptance of Quest Software, Inc. EULA.-a

Table 9: Special Commands

DescriptionCommand

Upgrades all products on the system.upgrade

Removes all products from the system.remove

Executes interactive vasjoin.sh script. Not valid with -q (Unattended mode).join

Executes interactive preflight test. Not valid with -q (Unattended mode).preflight

Executes interactive install of license files (or use -l option). Not valid in with -q (Unattendedmode).

license

In unattended mode, the following arguments are useful for scripting the components you want to install or uninstall.

Table 10: install.sh Unattended Mode Arguments

FUNCTIONARGUMENT

Installs or upgrades QAS agentvasclnt

Installs or upgrades QAS Group Policy agentvasgp

Installs or upgrades QAS YP servervasyp

Installs or upgrades QAS Proxy daemonvasproxy

Installs or upgrades QAS SDKvasdev

Installs or upgrades QAS Smartcard agentvassc

Uninstalls the QAS agentnovasclnt


FUNCTIONARGUMENT

Uninstalls the QAS Group Policy agentnovasgp

Uninstalls the QAS YP servernovasyp

Uninstalls the QAS Proxy daemonnovasproxy

Uninstalls the QAS SDKnovasdev

Uninstalls the QAS Smartcard agentnovassc

Licensing QAS

You must have the QAS license installed for full Quest Authentication Services functionality on Unix.

There are four ways to manage licenses

1. Using the QAS Control Center

Quest recommends this as a best practice. (See To Add Licenses Using the Control Center on page 53 for details.)

2. Using the Quest Authentication Services Group Policy utilities

See Licensing Policy in the QAS Administrator's Guide for details.

3. Running the install.sh script with the -l option

This allows you to enter a path. The script then places the license in the proper location. See Installation ScriptOptions on page 40 for more information about running the install.sh script.

4. Manually copying files

See Installing Licenses From the Command Line on page 43 for details.

To obtain a license, complete the form located at: Request License Key or contact your account representative for anew license file.

Note: If you are running the Quest Identity Manager for Unix with a licensed version of QAS, any timeyou make a change to the QAS licensing, go into the management console System Setting's Licensespage and lick the Update button to refresh the product license information in Quest Identity Managerfor Unix.

Verifying QAS License Information

To verify that you have a valid QAS license

Run the following vastool command:

vastool license –q

You will see output similar to the following if you have a valid license installed:

Number of Unix Enabled users in use: 150---QAS---Number of Licensed Unix Enabled Users: 1000Valid licenses: 1


https://support.quest.com/LicenseKey.aspx

To Add Licenses Using the Control Center

1. Click the Preferences navigation button on the left panel of the QAS Control Center.2. Expand the Licensing section.

The list box displays all licenses currently installed in Active Directory.

3. Click Add a license... from the Actions menu.4. Browse for the license file and click Open.

The license appears in the list box.

Note: Unix hosts check for new licenses when the host is joined to the domain or every 24 hours bydefault. This can be changed by modifying the configuration-refresh-interval settingin vas.conf.

To remove a license, select it and click Remove license.

To restore a removed license, click Undo Remove.

Installing Licenses From the Command Line

With root privileges, you can manually install a valid license by copying the new license file to the licensesdirectory on the Unix host.

To install a QAS license manually

1. Copy the license file to the /etc/opt/quest/vas/.licenses directory.

2. Ensure the permissions on the license file are set to 0644.3. Restart vasd as root by running the command corresponding to your platform:

• Linux/Solaris:

/etc/init.d/vasd restart

• HPUX:

/sbin/init.d/vasd restart

• AIX:

/etc/rc.d/init.d/vasd restart

• Mac OSX:

launchctl unload /Library/LaunchDaemons/com.quest.vasd.plistlaunchctl load /Library/LaunchDaemons/com.quest.vasd.plist

Creating the Application Configuration from the Unix Command LineBefore you join a Unix client to an Active Directory domain, Quest recommends that you create the QAS applicationconfiguration in the domain to which you are joining to utilize full QAS 4.0 functionality. While the QAS Active DirectoryConfiguration Wizard starts automatically to help you configure Active Directory for QAS the first time you start theControl Center, you do not need to have a Windows console to create the QAS application configuration. You can


run the vastool configure ad command from the Unix command line to create it. This is typically a one-timeprocess.

Note: You only need to create one QAS application configuration per forest.

For more information about the QAS application configuration see About Active Directory Configurationon page 26.

To create the QAS application configuration

1. Run the following command from the Unix command line:

# /opt/quest/bin/vastool -u <user> configure -d <domain> ad

By default QAS creates the application configuration in the Program Data container; however, if you do not haverights to create an organizational unit in the Program Data container, you can create the QAS applicationconfiguration in any location you have rights to by specifying the DN (distinguished name) of the creation location,as follows:

vastool -u <user> configure -d <domain> ou cn=myou,dc=example,dc=com

2. Enter the user’s password when prompted.

Changing the Schema Configuration ModeWhen you create the QAS application configuration, you set the global schema configuration mode to R2 by default.However you can configure Authentication Services for "schemaless" operation using the schema configurecommand.

To switch to a schemaless configuration

1. Run the following command:

# /opt/quest/bin/vastool -u <user> schema -d <domain> configure schemaless

The schema configure command only allows you to set the schema mode to either R2 or "schemaless"modes. To set the schema configuration to any other mode, you must do so from the QAS Control CenterPreferences page.

2. Enter the user’s password when prompted.

Joining the DomainFor full Quest Authentication Services functionality on Unix, you must join the Unix system on which you installedthe QAS agent to the Active Directory domain. You can join an Active Directory domain either by running vastooljoin from the command line or the interactive join script, vasjoin.sh.

Before you join the Unix host to the Active Directory domain, you may want to determine if you are already joined.

To determine if you are joined to an Active Directory domain

Run the following command.

# /opt/quest/bin/vastool info domain

If you are joined to a valid domain this command returns the domain name. If you are not joined to a domain,you will see the following error:

ERROR: No domain could be found.ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realmdefault_realm not configured in vas.conf. Computer may not be joined to domain


Joining the Domain Using VASTOOL

You can join your Unix host to Active Directory with the vastool join command directly from the commandline.

Before you join the QAS agent to the Active Directory domain, collect the following information:

• The DNS name of the Active Directory domain of which you want the QAS agent to be a member.• The user name and password of a user that has sufficient administrative privileges to create computer objects

in Active Directory.

To join Active Directory using vastool join

1. Run the following command as the root user at a shell prompt:

# /opt/quest/bin/vastool -u <user> join <domain-name>

2. Enter the user’s password when prompted.The vastool join results are shown on the shell’s standard output.

Note: vastool join supports many options that allow you to customize theway the computer is joined to the domain. You can specify the name of the computerobject. You can join to a specific organizational unit or use a pre-created computerobject.

For a list of all vastool join options, refer to the vastool man page.

Joining the Domain Using VASJOIN Script

Rather than using the vastool join command from the command line, you can join your Unix host to ActiveDirectory using the interactive join script, vasjoin.sh. The script walks you through the domain join process,calling the vastool join command.

The vasjoin.sh script is in /opt/quest/libexec/vas/scripts/ directory. You can use most of the standardvastool join command options when running it. However, you can run the join script with no options; it onlyrequires that you supply the domain name and the name of a user with sufficient Active Directory privileges toperform the join.

Table 11: Common vasjoin Script Options

FUNCTIONOPTION

Help; displays options including how to pass vastool join options-h

Unattended or quiet mode; displays less verbose: no explanations, asks no questions-q

Interactive mode: prompts for common options-i

Simple mode; installs vasclnt and vasgp with options to add license and join domain.<none>

To join Active Directory using the vasjoin script

Run the script as the root user at a shell prompt, as follows:

/opt/quest/libexec/vas/scripts/vasjoin.sh

The script ensures that your local host's time is synchronized with that of the controller in the domain you wantto join (in order to satisfy Kerberos), then performs the join for you by running vastool join as follows:

vastool -u <username> join <domain-name>


Follow the prompts to complete the join process.

Note: Run the script in interactive mode as follows:

/opt/quest/libexec/vas/scripts/vasjoin.sh -i

In interactive mode, it prompts you for specific information and allows you to either save the resultingvastool join command in a script or execute the command immediately.

The script presents defaults as part of the prompting and if you accept them all, the result is identicalto running the script in simple mode.

The information gathered by the full, interactive mode of vasjoin.sh includes the following.

• Specific domain controllers to use• domain to join• user, usually administrator, to use in joining• keytab file• confirm fixing of Kerberos clock skew, if any• overwrite your host's existing Active Directory ComputerName object• change the name of the AD ComputerName object• AD container in which to put the ComputerName object• site name• UPM mode (yes or no)• user search path on which to look for Active Directory users• alternate group search path• workstation mode (yes or no)• alternate domains in which to search if you want cross-domain logins• self-enrollment of existing /etc/passwd users (yes or no)• shows path to lastjoin (/etc/opt/quest/vas/lastjoin)

The lastjoin file contains something similar to:

/opt/quest/bin/vastool -u administrator join -f acme.com

Dynamic DNS Update Tool

When QAS joins a new computer to a domain, it becomes known to the LDAP and Kerberos protocols, but not toDNS. This is because the IP address of the host is not directly under the control of this part of Active Directory.

Although Active Directory comes with a integrated DHCP and DNS servers, some sites run their own DHCP servers.This means that the leased IP addresses must be communicated to Active Directory's DNS server through another(often manual) means.

The Quest Dynamic DNS Update Tool, dnsupdate, performs this communication. It can automatically and securelyinform Active Directory's DNS server of IP address changes of the host due to DHCP lease acquisition and renewal.

Because dnsupdate uses Kerberos to authenticate itself to the DNS server, only the computer joined with thatname can update its record.

When you run the QAS installation script, install.sh, in interactive mode (the -i option), it gives you an optionto install the Quest Dynamic DNS Update Tool. Dynamic DNS automatically integrates into the host's native DHCPclient infrastructure to securely update DNS servers when its IP address changes. (For more information aboutrunning the install.sh script, see Installation Script Options on page 40.)

Note: If Pointer Record (PTR) updates are being rejected, it may be because the DHCP server is doingthe update already. Refer to the documentation for the DHCP server being used in your environment.


Microsoft's DHCP server does updates on behalf of the client and this is controlled by the Fully QualifiedDomain Name (FQDN) option. Please refer to Microsoft's Active Directory DNS/DHCP documentation.


Chapter

5Getting Started with QAS

Once you have successfully installed QAS you will want to learn how to dosome basic system administration tasks using the QAS Control Center andQuest Identity Manager for Unix.

Topics:

• Getting Acquainted with the QASControl Center

• Learning the Basics

Getting Acquainted with the QAS Control Center

Quest Authentication Services consists of plug ins, extensions, security modules and utilities spread across nearlyevery operating system imaginable. The QAS Control Center pulls those parts together and provides a single placefor you to find the information and resources you need.

Control Center installs on Windows and is a great starting place for new users to get comfortable with some ofAuthentication Services‘ capabilities.

You can launch the QAS Control Center from the Start menu or by double-clicking the desktop icon, or

Table 12: Quest Authentication Services Control Center

DescriptionControl CenterSection

"Introduction" section contains information about what‘s new in Authentication Services4.0.

Home

The "Get Started with QAS" sections provide the steps needed to authenticate an ActiveDirectory user to a Unix system using the Quest Authentication Services' web-basedadministration console—Quest Identity Manager for Unix.

"How Do I…" section provides additional information about tools and features to solvecommon tasks with Quest Authentication Services.

You can run the new management console (Quest Identity Manager for Unix) within theQAS Control Center or you can run it separately in a supported web browser. The console

Management Console

is a separate install that you can launch from the ISO. You can install it on Windows, Unix,Linux, or Mac. Typically you install one management console per environment to avoidredundancy. Quest does not advise managing a Unix host by more than one managementconsole in order to avoid redundancy and inconsistencies in stored information. If youmanage the same Unix host by more than one management console, you should alwaysre-profile that host to minimize inconsistencies that may occur between instances of themanagement consoles.

Provides the ability to search on Active Directory Group Policy Objects that have Unix andMac settings defined. Also provides links to edit these GPO‘s and run reports that show thedetailed settings of the Group Policy Objects.

Group Policy

Contains links to tools and resources additionally available with Quest AuthenticationServices – a great starting place for anyone new to the product.

Tools

Centrally manage the default values generated by the various Authentication Servicesmanagement tools, including the ADUC snap-in, the PowerShell cmdlets, and the Unixcommand-Line tools (for example /opt/quest/bin/vastool).

Preferences

A simple SSH client (built on PuTTY) for remote access to Unix systems – simplifies newinstalls from having to find and install a separate PuTTY client.

Log into remote host

To run QAS Control Center you must be logged in as a domain user. To make changes to global settings you musthave rights in Active Directory to create, delete, and modify objects in the QAS configuration area of Active Directory.

50 | Authentication Services 4.0 Installation Guide | Getting Started with QAS

Management Console

Quest Identity Manager for Unix allows you to centrally manage Quest Authentication Services agents running onUnix, Linux and Mac OS X systems.

With the management console you can:

• Remotely deploy the QAS agent software.• Manage local user and group accounts.• Configure account mappings from local users to Active Directory accounts.• Report on a variety of security and host access related information.

You can install the management console on any operating system. Once installed, you can access it from a browserusing default port of 9443 or from the QAS Control Center.

Group Policy

Microsoft Group Policy provides excellent policy-based configuration management tools for Windows. QAS GroupPolicy enables you to manage Unix resources in much the same way. QAS Group Policy allows you to consolidateconfiguration management tasks by using the Group Policy functionality of Microsoft Windows Server to manageUnix operating systems and Unix application settings.

To open QAS Group Policy, click Group Policy on the left navigation panel of the QAS Control Center.

Filter Options

To filter the list of GPOs

1. Expand the Filter Options section.2. Enter all or part of a name to filter the list of GPOs.3. Open the Domain drop down menu to choose a domain.4. Select the Unix Settings or Mac Settings List Only options to further filter the GPO list.

If you select both options, only the GPOs configured for both Unix and Mac display.

Edit GPO

To edit a group policy object

From the Group Policy window, select a GPO in the list and click Edit GPO... from the Actions menu.The Group Policy Object Editor opens for the selected GPO.

Note: For more information about the Group Policies, refer to the QAS Administrator's Guide, locatedin QAS Control Center Tools page in the Documentation section, or in the docs directory of theinstallation media.

Settings Report

A settings report displays all of the Quest Authentication Services group policy object settings that apply to Unix orMac systems.

To generate a Unix settings report

From the Group Policy window, select a GPO Name and click Settings Report... from the Actions menu.

An HTML report of the currently configured Unix and Mac settings displays.

Authentication Services 4.0 Installation Guide | Getting Started with QAS | 51

Note: You can select multiple GPOs to run several reports simultaneously.

Show Files

To open the Windows Explorer

From the Group Policy window, select a GPO in the list and click Show Files... from the Actions menu.The Windows Explorer opens and displays the Group Policy Templates for the selected GPO.

Launch GPMC

Note: Microsoft does not support Group Policy Management Console (GPMC) on 64-bit platforms ofWindows; thus, Quest does not support managing group policies through the QAS Control Center onWindows 2003 64-bit and Windows 2003 R2 64-bit, XP 64-bit platforms. (See Group Policy ManagementConsole with Service Pack 1 for more information.)

To launch the Group Policy Management Console

From the Group Policy window, click Launch GPMC... from the Actions menu.

Tools

The Tools link on the QAS Control Center gives you access to

• Quest Authentication Services

Direct links to installed applications and tools related to Quest Authentication Services.

• Additional Quest Products

Direct links to other Quest product plug ins.

Note: The Additional Quest Products link is only available if you have installed other Quest productssuch as Quest Defender, Authentication Services for Smart Cards, or ActiveRoles Server.

• Other Tools

Direct links to tools related to Quest Authentication Services.

Note: The Other Tools link is only available if you have installed the Group Policy ManagementConsole.

• Documentation

Direct links to Quest Authentication Services documentation.

Preferences

Quest Authentication Services stores certain preferences and settings in Active Directory. This information is usedby QAS clients and management tools so that behavior remains consistent across all platforms and tools. ThePreferences window allows you to configure these settings and preferences.

Licensing

The Licensing section of the Preferences window in the QAS Control Center displays a list of installed license files. Youcan add and remove license files at any time. The license files are stored in Active Directory and QAS Unix hostsautomatically download and apply new license files from Active Directory.

(Refer to Licensing QAS on page 53 for more information about licensing requirements.)




Note: If you are running the Quest Identity Manager for Unix with a licensed version of QAS, any timeyou make a change to the QAS licensing, navigate to Preferences | System Settings | AuthenticationServices page in the management console and click the Check for licenses button to refresh the productlicense information in Quest Identity Manager for Unix.

Licensing QAS

Quest Authentication Services must be licensed in order for Active Directory users to authenticate on Unix and Machosts.

Note: While you can install and configure QAS on Windows and use the included management tools toUnix-enable users and groups in Active Directory without installing a license, you must have the QASlicense installed for full QAS functionality.

Note: If you are using Quest Identity Manager for Unix, any time there is a change to the QAS licensing,you must also log into the management console with the supervisor account, navigate to Preferences| System settings | Authentication Services and click the Check for licenses button to refresh thelicense information. Quest Identity Manager for Unix does not automatically check for new QAS licenses.

Contact your account representative for a license.To Add Licenses Using the Control Center

1. Click the Preferences navigation button on the left panel of the QAS Control Center.2. Expand the Licensing section.

The list box displays all licenses currently installed in Active Directory.

3. Click Add a license... from the Actions menu.4. Browse for the license file and click Open.

The license appears in the list box.

Note: Unix hosts check for new licenses when the host is joined to the domain or every 24 hours bydefault. This can be changed by modifying the configuration-refresh-interval settingin vas.conf.

To remove a license, select it and click Remove license.

To restore a removed license, click Undo Remove.

Global Unix Options

The Global Unix Options section displays the currently configured options for Unix-enabling users and groups.

Click Modify Global Options... to change these settings.

Note: QAS uses the Global Unix Options when enabling users and groups for Unix log in.

Table 13: Unix User Defaults

DescriptionOption

Select to require a unique user login name attribute within the forest.Require unique user loginnames

Select to require a unique user's Unix ID (UID) number within the forest.Require unique UID on users

Enter a minimum value for the Unix User ID (UID) number. Typically you set this to avalue higher than the highest UID among local Unix users to avoid conflicts withusers in Active Directory and local user accounts.

Minimum UID Number


DescriptionOption

Enter a maximum value for the Unix User ID (UID) number. Typically you would notchange this value unless you have a legacy Unix platform that does not support thefull 32-bit integer range for UID number.

Maximum UID Number

Enter the default value for the Primary GID number when Unix-enabling a user.Primary GID Number

Select to set the primary GID number to the User ID number.Set primary GID to UID

Enter any text in this box.Default Comments (GECOS)

Enter the default value for the login shell used when Unix-enabling a user.Login Shell

Enter the default prefix used when generating the home directory attribute whenUnix-enabling a user. The default value is /home/; use a different value if your Unix

Home Directory

user home directories are stored in another location on the file system. QAS uses theuser's effective Unix name when generating the full home directory path.

Select to use a lower-case representation of the user's effective Unix name whengenerating the full home directory path as a user is Unix-enabled.

Use lowercase user name forhome directory

Table 14: Unix Group Defaults

DescriptionOption

Select to require a unique Unix group name attribute within the forest.Require unique GroupNames

Select to require a unique Unix Group ID (GID) attribute within the forest.Require unique GID Number

Enter the minimum value for the Unix Group ID (GID). Typically this is set to a valuehigher than the highest GID among local Unix groups to avoid conflicts with groupsin Active Directory and local group accounts.

Minimum GID Number

Enter the maximum value for the Unix Group ID (GID). Typically you would not changethis value unless you have a legacy Unix platform that does not support the full 32-bitinteger range for GID.

Maximum GID Number

Table 15: Unique IDs

DescriptionSub-OptionOption

These options control the algorithmsused to generate unique user andgroup IDs:

Generate based on

An ID generated from a hash of theuser or group object GUID attribute.

Object GUID Hash

This is a fast way to generate an IDwhich is usually unique. If thegenerated value conflicts with anexisting value, the ID is re-generatedby searching the forest.

An ID generated from the SID of thedomain and the RID of the user or

Samba Algorithm

group object. This method works wellwhen there are few domains in theforest. If the generated value conflicts


DescriptionSub-OptionOption

with an existing value, the ID isre-generated by searching the forest.

An ID generated by searching forexisting ID values in the forest. This

Legacy Search Algorithm

method generates an ID that is notcurrently in use.

Modifications you make to these Global Unix Options take effect after you restart the Microsoft Management Console(MMC).

Note: It is a best practice to either use the generated default IDs or set the ID manually. Mixing the twomethods can lead to ID conflicts.

Logging Options

The Logging Options section allows you to enable logging for all Quest Authentication Services Windows components.This setting only applies to the local computer. Logging can be helpful when trying to troubleshoot a particularproblem. Because logging causes components to run slower and use more disk space, you should set the Log Levelto disabled when you are finished troubleshooting.Enable Debug Logging on Windows

To enable debug logging for all Quest Authentication Services Windows components

1. Open QAS Control Center and click the Preferences navigation button on the left panel.2. Expand the Logging Options section.3. Open the Log level drop-down menu and set the log level to Debug.

Debug generates the most log output. Higher levels generate less output. You can set the Log level to Disabledto disable logging.

4.Click to specify a folder location where you want to write the log files.Quest Authentication Services Windows components log information into the specified log folder the next timethey are loaded. Each component logs to a text file named after the DLL or EXE that generates the log message.

Custom Unix Attributes

The Unix schema attributes are fully customizable in Quest Authentication Services. The Custom Unix Attributessection allows you to see which LDAP attributes are mapped to Unix attributes. You can modify this mapping toenable QAS to work with any schema configuration. To customize the mapping, you select a schema template orspecify your own custom attributes. A schema template is a pre-defined set of common mappings which adhere tocommon schema extensions for storing Unix data in Active Directory. QAS supports the following schema templatesif the required schema is installed:

Table 16: Unix Schema Attributes

DescriptionSchema Template

A template that encodes Unix attribute data in an existing multi-valued attribute.Schemaless

A template that uses attributes from the Windows 2003 R2 schema extension.Windows 2003 R2

A template that uses attributes from the SFU 2.0 schema extension.Services for Unix 2.0

A template that uses attributes from the SFU 3.0 schema extension.Services for Unix 3.0


Note: It is a best practice to use a schema designed for storing Unix data in Active Directory wheneverpossible. Schemas designed for storing Unix data in Active Directory include: Windows 2003 R2, SFU 2,and SFU 3. Only use "schemaless" or custom mappings if it is impossible to make schema extensions inyour environment.

Active Directory Schema Extensions

Quest Authentication Services stores Unix identity and login information in Active Directory. Quest designed QASto provide support for the following standard Active Directory schema extensions:

Table 17: Active Directory Schema Extensions

DescriptionSchema Extension

This schema extension is provided by Microsoft and adds support for the PosixAccountauxiliary class, used to store Unix attributes on user and group objects.

Windows 2003 R2 Schema

Microsoft provides this schema extension with the Services for Unix 2.0 set of tools.It adds custom attributes to user and group objects, used to store Unix accountinformation.

Services for Unix 2.0

Microsoft provides this schema extension with the Services for Unix 3.0 set of tools.It adds custom attributes to user and group objects, used to store Unix accountinformation.

Services for Unix 3.0

Tt is possible to customize the schema setup to work with any schema configuration with QAS. No schema extensionsare necessary with the new "schemaless" storage feature. When you configure QAS for the first time, QAS attemptsto auto-detect the best schema configuration for your environment. The schema configuration is a global applicationsetting that applies to all QAS management tools and Unix agents. You can change the detected settings at anytime using QAS Control Center.Configure a Custom Schema Mapping

If you do not have a schema that supports Unix data storage in Active Directory, you can configure QAS to useexisting, unused attributes of users and groups to store Unix information in Active Directory.

To configure a custom schema mapping

1. Open the QAS Control Center and click the Preferences on the left navigation panel.2. Expand the Custom Unix Attributes.3. Click Customize....4. Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type

attributes except User ID Number, User Primary Group ID and Group ID Number which may be integers. If anattribute does not exist or is of the wrong type, the border will turn red indicating that the LDAP attribute isinvalid.

Note:

When customizing the schema mapping, ensure that the attributes used for User ID Number andGroup ID Number are indexed and replicated to the global catalog.

See Active Directory Optimization (Best Practice) in the QAS Control Center online help for details.

5. Click OK to validate and save the specified mappings in Active Directory.

Active Directory Optimization

Indexing certain attributes used by the Quest Authentication Services Unix agent can have a dramatic effect on theperformance and scalability of your Unix and Active Directory integration project. The Custom Unix Attributespanel in the Preferences section of QAS Control Center displays a warning if the Active Directory configuration isnot optimized according to best practices.


Quest recommends that it is a best practice to index the following attributes in Active Directory. Note: LDAP displaynames vary depending on your Unix attribute mappings.

• User UID Number• User Unix Name• Group GID Number• Group Unix Name

It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of ActiveDirectory lookups that need to be performed by QAS Unix agents.

Click the Optimize Schema link to run a script that updates these attributes as necessary.

Note: The Optimize Schema option is only available if you have not optimized the Unix schema attributesdefined for use in Active Directory.

This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimizeyour schema, it generates a schema optimization script. You can send the script to an Active Directory administratorwho has rights to make the necessary changes.

All schema optimizations are reversible and no schema extensions are applied in the process.

Learning the Basics

The topics in this section help you learn how to do some basic system administration tasks using the new QAS ControlCenter and Quest Identity Manager for Unix.

Note:

The exercises in this section assume that you have successfully installed Quest Authentication Servicesand Quest Identity Manager for Unix and have added a host to the console and joined it to Active Directory.(See Prepare Unix Hosts on page 31.)

The topics in this section show you how to create the following test user and group accounts used in various examples:

• A local group name called "localgroup"• A local user object called "localuser"• An Active Directory group object called "UNIXusers"• An Active Directory user object called "ADuser"

Quest recommends that you work through the topics in this section in order as a self-directed "test drive" of someof the key product features. You will learn how easy it is to manage your users and groups from the managementconsole

Add a Local Group Account

Note: This topic instructs you to set up a local group by the name of "localgroup" referred to by otherexamples in this guide.

To add a local group to the host

1. From the All Hosts tab, double-click a host name to open its property page.2. Select the Groups tab and click Add Group.3. In the Add New Group dialog, enter localgroup as a local group name in the Group Name box and click Add

Group.4. In the Log on to Host dialog, enter your credentials and click OK.


Note: This task requires elevated credentials. Credential information is entered by default from thecache.

The new local group account is added to the system and management console.

Add Local User Account

Note: This topic instructs you to set up a local user by the name of "localuser" referred to by otherexamples in this guide.

To add a local user account

1. Select the Users tab from the host properties page and click Add User.2. In the Add New user page,

a) Enter localuser as a new local user name in the User name box.b)

Click , the browse button next to the Primary group box, to find and select the localgroup account youset up in Add a Local Group Account on page 57.Use can also the navigation buttons at the bottom of the list to find and select a group.

c) Enter and re-enter a password of your choice and click Add User to add this new local user.

3. On the Log on to Host page, enter your credentials to log onto the host and click OK.

Note: This task requires elevated credentials. The management console enters this information bydefault from the cache.

The new local user account is added to the system and management console.

At this point the new local user is valid for local authentication with the password you just set.

Add an Active Directory Group AccountQuest Authentication Services provides additional tools to help you manage different aspects of migrating Unixhosts into an Active Directory environment. Links to these tools are available from Tools in the QAS Control Center.

Note: This topic instructs you to set up an Active Directory group by the name of "UNIXusers" referredto by other examples in this guide.

To create a new group in Active Directory

1. From the QAS Control Center Welcome page, navigate to Tools and click the link for QAS Extensions for ActiveDirectory Users and Computers.The Active Directory Users and Computers Console opens.

Note: Windows Vista/Windows 7: You must have the Remote Server Administration Tools installedand enabled.

Note: Windows 2003/Windows XP: You must have the Windows 2003 Server Administration Toolsinstalled.

2. Expand the domain folder and select the Users folder.3. Click the New Group button.

The New Object - Group dialog opens.4. Enter UNIXusers in the Group name box and click OK.


Add an Active Directory User Account

Note: This topic instructs you to set up an Active Directory user by the name of "ADuser" referred to byother examples in this guide.

To create an Active Directory user account

1. From the QAS Control Center Welcome page, navigate to Tools and click the link for QAS Extensions for ActiveDirectory Users and Computers.

2. In the Active Directory Users and Computers console, select the Users folder and click the New User button.3. On the New Object - User page, enter information to define a new user named ADuser and click Next.

The New Object - User wizard guides you through the user setup process.

4. When you enter a password, deselect the User must change password at next logon option, before you click Next.5. Click Finish.6. Double-click ADuser, your new Active Directory user account, to open its Properties.7. Select the Member Of tab and click Add.8. Add UNIXusers to the Member of list of this Active Directory user account and click OK.

Note: To set up the Active Directory group account, see Add an Active Directory Group Account onpage 58.

9. Close Active Directory Users and Computers and return to the management console.

Change the Default Unix AttributesYou can modify the Unix attributes that are generated by default when users are Unix-enabled. To change the LoginShell you must have rights to create and delete child objects in the QAS application configuration in Active Directory.

To change the default Unix attributes

1. Click the Preferences navigation button on the left panel of the QAS Control Center.2. Expand Global Unix Options.

The window displays the current settings for Unix-enabling users, groups and the method used for creatingunique IDs.

3. Click Modify Global Unix Options… on the right side of the window.The Modify Global Options dialog opens.

4. Change the Login Shell to /bin/bash and click OK.The defaults are saved to Active Directory.

Note: Now, when you Unix-enable a user from Active Directory Users and Computers, PowerShell, orthe Unix command line, the login shell defaults to /bin/bash. You can customize the other Unixdefaults similarly.

Active Directory Account Administration

The topics that follow show you how to perform Active Directory account administration from the Quest IdentityManager for Unix.

Enable Local User for AD Authentication

This feature, also known as user mapping, allows you to associate an Active Directory user account with a local Unixuser. Allowing a local user to log into a Unix host using Active Directory credentials enables that user to take advantageof the benefits of Active Directory security and access control.


To enable a local user for Active Directory authentication

1. From the QAS Control Center, open the Management Console.2. In the management console, navigate to the Hosts | All Hosts tab.3. Double-click a host to open its properties page.4. From a host's property page, select the Users tab and double-click the localuser account to open its Properties

page.

Note: To set up this local user account, see Add Local User Account on page 58.

5. On the AD Logon tab, select the Require an AD Password to logon to Host option, and click Select.6.

On the Select AD User page, click the Search button to populate the list of Active Directory users, select theADuser account, and click OK.

Note: To set up this Active Directory user, see Add an Active Directory User Account on page 59.

7. On the localuser's properties page, click OK.8. On the Log on to Host page, verify your credentials to log onto the host and click OK.

You have now "mapped" a local user to an Active Directory user and the management console indicates that thelocal user account requires an Active Directory password to log onto the Host in the AD User column.

You can also map multiple Unix users to use a single Active Directory account using the RequireAD Logon pane on the All Local Users page.

To assign (or "map") a Unix user to an Active Directory user

1. From the All Local Users tab, select one or more local Unix users.2.

In the Require AD Logon pane, click the Search button to populate the list of ActiveDirectory users.

(Click the Directory button to search in a specific folder.)

3. Select an Active Directory user and click the Require AD Logon to Host button at the bottomof the Require AD Logon pane.

4. On the Log on to Host page, verify your credentials to log onto the host and click OK.

Note: This task requires elevated credentials.

The Active Directory user assigned to the selected local Unix user displays in the AD User columnof the All Local Users page.

Test the Mapped User Login

Once you have "mapped" a local user to an Active Directory user, you can log into the local Unix host using yourlocal user name and the Active Directory password of the Active Directory user to whom you are "mapped".

To test the mapped user login

1. From the QAS Control Center, under "Login to remote host", enter:

• the Unix host name in the Host name box• the local user name, localuser, in the User name box

and click Login to log onto the Unix host with your local user account.


2. If the PuTTY Security Alert page opens, click Yes to accept the new key.3. Enter the password for ADuser, the Active Directory user account you mapped to localuser, when you selected

the Require an AD Password to logon to Host option on the user's property page.4. At the command line prompt, enter id to view the Unix account information.

5. Enter /opt/quest/bin/vastool klist to see the credentials of the Active Directory user account.

6. Enter exit to close the command shell.

You just learned how to manage local users and groups from the Quest Identity Manager forUnix by mapping a local user account to an Active Directory user account. You tested this bylogging into the Unix host with your local user name and the password for the Active Directoryuser account to whom you are "mapped".

Unix-Enable a Group

To Unix-enable an Active Directory group

1. On the management console's Active Directory tab, open the Find box drop-down menu and choose Groups.2. Enter UNIX in the Search by name box and press Enter.

3. Double-click the UNIXusers group to open its properties.

Note: To set up this Active Directory user account, see Add an Active Directory Group Account on page58.

4. On the Unix Account tab, select the Unix-enabled option and click OK.

Unix-Enable a User

To Unix-enable an Active Directory user

1. On the management console's Active Directory tab, open the Find box drop-down menu and choose Users.2.

Click to the Search by name box to search for all Active Directory users. Or, enter a portion of your ADuserlog on name in the Search by name box and press Enter.

3. Double-click ADuser, the Active Directory user name, to open its Property page.

Note: To set up this Active Directory user account, see Add an Active Directory User Account on page59.

4. On the Unix Account tab, select the Unix-enabled option.It populates the Properties page with default Unix attribute values.

5. Make other modifications to these settings, if necessary, and click OK to Unix-enable the user.

Note: There are additional settings that you can set using PowerShell which allows you to validateentries for the GECOS, Home Directory, and Login Shell attributes. Refer to Use QAS PowerShell onpage 69 to learn more about that.

Once enabled for Unix, you can log on to the host with that Active Directory user's log on name and password.

Test the Active Directory User Login

Now that you have Unix-enabled an Active Directory user, you can log into a local Unix host using your ActiveDirectory user name and password.

To test the Active Directory login



• the Unix host name in the Host name box• the Active Directory user name, ADuser, in the User name box

and click Login to log onto the Unix host with your Active Directory user account.

2. Enter the password for the Active Directory user account.3. At the command line prompt, enter id to view the Unix account information.

4. After a successful log in, verify that the user obtained a Kerberos ticket by entering:

/opt/quest/bin/vastool klist

The vastool klist command lists the Kerberos tickets stored in a user's credentials cache. This proves thelocal user is using the Active Directory user credentials.

5. Enter exit to close the command shell.

You just learned how to manage Active Directory users and groups from the Quest IdentityManager for Unix by Unix-enabling an Active Directory group and user account. You tested thisout by logging into the Unix host with your Active Directory user name and password. Optionally,you can expand on this tutorial by creating and Unix enabling additional Active Directory usersand groups and by testing different Active Directory settings such as account disabled andpassword expired.

Run Reports

QAS allows you to run various reports to capture key information about your Unix hosts and the Active Directorydomains joined to these hosts.

To run reports

1. From the management console, click the Reporting tab.2. From the Reports tab, expand the report group names to view the available reports, if necessary.

• Host Reports

Unix host information gathered during the profiling process

• User Reports

Local and Active Directory Unix user information

• Group Reports

Local and Active Directory Unix group information

• Access & Privileges Reports

User access information

3. Use one of the following methods to select a report to run:

• Double-click a report name in the list (such as the Unix Host Profiles report).• Right-click a report name and select Run report.• Click the report icon next to a report.

The selected report name opens a new tab which describes the report and provides some report parameters youcan select or deselect to add or exclude details on the report.

4. Optionally deselect parameters to exclude information from the report.5. Open the Generate report as drop-down menu and select the format you want to use for the report: HTML

(default), PDF, or CSV.


Note: When generating multiple reports simultaneously or generating a single report that containsa large amount of data, Quest recommends that you increase the JVM memory. (See Tune JVM Memoryto Resolve Reporting Issues in the management console online help for details.)

It launches a new browser or application page and displays the report in the selected format.

Quest Identity Manager for Unix report names and descriptions

The management console provides comprehensive reporting which includes reports that can help you plan yourdeployment, consolidate Unix identity, secure your hosts and troubleshoot your identity infrastructure. The followingtable lists the reports that are available in Quest Identity Manager for Unix.

Note:

Report availability depends on several factors:

• User Log-on Credentials: While some reports are available when you are logged in as supervisor,there are some reports that are only available when you are logged on as an Active Directory user.(See Configure the Console for Active Directory in the management console online Help for moreinformation.)

• Roles and Permissions: Reports are hidden if they are not applicable to the user's role. (See Rolesand Permissions in the management console online Help for more information.)

• Licensing: Some reports are not available if there is no license for the respective product. For example,if you do not have a Quest One Privilege Manager for Sudo license, then the sudo-related reports arenot available.

Table 18: Reports

DescriptionReport

Host Reports

Returns all Unix computers in Active Directory in the requested scope.Unix Computers in AD

By default, this report is generated using the default domain as the base container.Browse to search Active Directory to locate and select a different base container tobegin the search.

Note: This report is only available with a licensed version of QuestAuthentication Services 4.0 and when you are logged on as an ActiveDirectory account in the Manage Hosts role.

Provides a snapshot of the readiness of each host. This report is best used for planningand monitoring the readiness of each host to track progress of migration projects.The basic report includes the following information:

Unix Host MigrationPlanning

• Total number of hosts• Total number, percentage and names of the hosts ready to join• Total number, percentage and names of the hosts ready to join with advisories• Total number, percentage and names of the hosts not ready to join• Total number of hosts not checked for AD readiness

Use the following report parameters to define details to include in the report.

• Joined to AD• Ready to Join AD• Ready to Join AD with Warnings


DescriptionReport

• Not Ready to Join AD• Not Checked for Readiness

Note: This report is available when you are logged on as the supervisoror an Active Directory account in the Manage Hosts role.

Summarizes information gathered during the profiling process of each managedhost. This report includes the following information:

Unix Host Profiles

• Total number of hosts included in the report• Host Name, IP Address, OS, Hardware• Sudo version number

Use the following report parameters to define details to include for each host.

• QAS Properties• Local Users• Local Groups• Host SSH Keys


User Reports

Returns all users with Unix User ID numbers (UID numbers) assigned to other Unixor Linux-enabled user accounts.

AD User Conflicts

By default, it generates this report using the default domain as the base container.Browse to search Active Directory to locate and select a different base container tobegin the search.


Identifies local user accounts that would conflict with a specified user name and UIDon other hosts. You can use this report for planning user consolidation across yourhosts. This report includes the following information:

Local Unix User Conflicts

• Host Name, DNS Name or IP Address where a conflict would occur• User Name, UID Number, Primary GID Number, Comment (GECOS), Home Directory

and Login Shell for each host where conflicts exist

Use the following report parameters to define the user name and UID number thatwould cause a conflict with existing local user accounts:

• User Name is• UID Number is



DescriptionReport

Lists all users on all hosts or lists the hosts where a specific user account exists in/etc/passwd. This report includes the following information:

Local Unix Users

• Host Name, DNS Name or IP Address where the user exists• User Name, UID Number, Primary GID Number, Comment (GECOS), Home

Directory, and Login Shell for each host where the user exists

If you do not define a specific user, it includes all local users on each profiled host inthe report.

To locate a specific user, use the following report parameters:

• User Name contains• UID Number is• Primary GID Number is• Comment (GECOS) contains• Home Directory contains• Login Shell contains

Note: When you specify multiple report parameters, it uses the ANDexpression; therefore, ALL of the selected parameters must be met inorder to locate the user account.


Identifies the local user accounts that are required to use Active Directory credentialsto log onto the Unix hosts. This report includes the following information for hoststhat are joined to an Active Directory domain:

Local Unix Users with ADLogon

• Host Name, DNS Name or IP Address of hosts where users exist that are requiredto log on using their AD credentials

• User Name, UID Number, Primary GID Number and Comment (GECOS) of localuser account

• The sAMAccountName of the Active Directory account that the local user accountmust use to log on

Note: This report only includes hosts joined to an Active Directory domainwith a QAS 4.0 agent.


Returns all Active Directory users that have Unix user attributes.Unix Enabled AD Users

Note:

• A User object is considered to be 'Unix-enabled' if it has values for theUID Number, Primary GID Number, Home Directory and Login Shell.

• If Login Shell is /bin/false, the user is considered to be disabledfor Unix or Linux logon.

• Account Disabled indicates whether the Active Directory User accountis enabled or disabled.


DescriptionReport



Group Reports

Lists all Active Directory groups with Unix Group ID (GID) numbers assigned to otherUnix-enabled groups.

AD Group Conflicts

By default, it generates this report using the default domain as the base container.Browse to search Active Directory to locate and select the base container to beginthe search.


Identifies the hosts where a specific group exists in /etc/group. This report includesthe following information:

Local Unix Groups

• Host Name, DNS Name or IP Address where the group exists• Group Name, GID Number and members for each host where the group exists

If you do not specify a group, it includes all local groups on each profiled host in thereport.

To locate a specific group, use the following report parameters:

• Group Name contains• GID Number is• Member contains• Include all group members in report

Note: The Member contains field accepts multiple entries separated bya comma. Spaces are taken literally in the search. For example, entering:

• adm, user searches for members whose name contains 'adm' or 'user'

• adm,user searches for members whose name contains 'adm' or'user'.

Note: When you specify multiple report parameters (for example, GroupName contains, GID Number is, and Member contains), it uses the ANDexpression; therefore, ALL of the selected parameters must be met inorder to locate a group.

In addition, it includes all of the group members in the report by default, but you canclear the Include all group members in report option.



DescriptionReport

Returns all Active Directory groups that have Unix group attributes.Unix Enabled AD Groups

Note: A Group object is considered 'Unix-enabled' if it has a value for theGID Number.



Access & Privileges Reports

Identifies all users with logon access to hosts and the commands the users in thegroups can run on the hosts. This report includes the following information:

Access and Privileges byHost

• Total number of hosts where the group can logon• List of hosts where the group can logon• List of commands the users in the group can run on each host• List of runas aliases for which the users in the group can run commands on each

host• List of commands the runas alias can run on each host

Use the following report parameters to specify the group to include in the report:

• A local group (default)• An AD group

Browse to select a group.

Note: This report is available when you are logged on as the supervisoror with a licensed version of Privilege Manager for Sudo and you arelogged on as an Active Directory account in the Audit Sudo Policy role.

Identifies the hosts where the selected user can login, the commands that user canrun on each host, as well as the "runas aliases" information for that user. This reportincludes the following information:

Access and Privileges by User

• Total number of hosts where the user can logon• List of hosts where the user can logon• List of commands the user can run on each host• List of runas aliases for which the user can run commands on each host• List of commands the runas alias can run on each host

Use the following report parameters to specify the user to include in the report:

• A local user (default)• An AD user

Browse to select a user.

Note: This report is available when you are logged on as the supervisoror with a licensed version of Privilege Manager for Sudo and you arelogged on as an Active Directory account in the Audit Sudo Policy role.


DescriptionReport

Provides information about the commands executed by users on your hosts basedon their privileges. This report allows you to search for commands that have been

Commands Executed

recorded as part of events or keystroke logs for a policy group and includes thefollowing information:

• Command name• User who executed the command• Date and time the command was executed• Host where the command was executed

Use the following report parameters to define details in the report:

• Policy Group• Command• Host• Date

Note: This report is available when you are logged on as the supervisoror with a licensed version of Privilege Manager for Sudo and you arelogged on as an Active Directory account in the either the Manage SudoPolicy or Audit Sudo Policy role.

Lists users who have access to the management console based on membership in arole and the permissions assigned to the role. This report includes the followinginformation:

Console Access andPermissions

• List of roles• List of permissions assigned to each role• List and number of members assigned to each role

Note: This report is available when you are logged on as the supervisoror an Active Directory account in the Manage Console Access role. However,when you access this report as supervisor, the management consolerequires that you authenticate to Active Directory.

Identifies the hosts where one or more Active Directory user has been granted logon permission. This report includes the following information for hosts joined to anActive Directory domain:

Logon Policy for AD User

• Total number of hosts where the AD user has access• List of hosts where the AD user has access

Use the following report parameters to specify the Active Directory users to includein the report:

• All AD users (default)• Select AD user

When you select the Select AD user report parameter, browse to search Active Directoryto locate and select an Active Directory user.

Note: Only hosts joined to an Active Directory domain with a QAS 4.0agent are included in this report.


DescriptionReport


Identifies the Active Directory users that have been explicitly granted log onpermissions for one or more Unix computers. This report includes the followinginformation for hosts joined to an Active Directory domain:

Logon Policy for Unix Host

• Host Name, DNS Name or IP Address of the host selected for the report• List of users that have been granted permission to log on

Use the following report parameters to specify the managed hosts to include in thereport:

• All profiled hosts (default)• Select host

When you select the Select host report parameter, browse to locate and select amanaged host that is joined to Active Directory.

Note: This report only includes hosts joined to an Active Directory domainwith a QAS 4.0 agent.


Provides details of changes made to the sudoers policy for Policy Server groups. Thisreport includes the following information:

Sudo Policy Changes

• Name of the user that made changes to the sudoers policy• Version number for the changes• Time and date the changes were saved and actively used to enforce policy• Changes made to the sudoers policy based on version

Note: This report is available when you are logged on as the supervisoror with a licensed version of Privilege Manager for Sudo and you arelogged on as an Active Directory account in the either the Manage SudoPolicy or Audit Sudo Policy role.

Note: When Quest Identity Manager for Unix creates the Logon Policy for AD User and Logon Policy forUnix Host reports, it reads the users.allow file and reports which users (including nested users) areallowed access on that host. It ignores the users.deny file when determining Logon Policies throughthe Quest Identity Manager for Unix.

Use QAS PowerShell

Quest Authentication Services includes PowerShell modules which provide a "scriptable" interface to many QASmanagement tasks. You can access a customized PowerShell console from the QAS Control Center Tools navigationlink.

You can perform the following tasks using PowerShell cmdlets:


• Unix-enable Active Directory users and groups• Unix-disable Active Directory users and groups• Manage Unix attributes on Active Directory users and groups• Search for and report on Unix-enabled users and groups in Active Directory• Install product license files• Manage QAS global configuration settings• Find Group Policy objects with Unix/Mac settings configured

Using the QAS PowerShell modules, it is possible to script the import of Unix account information into Active Directory.

To Unix-Enable a User and User Group

1. From the QAS Control Center, navigate to Tools | Quest Authentication Services.2. Click QASPowerShell Console.

Note: The first time you launch the PowerShell Console it asks you if you want to run software fromthis untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to yoursystem as a trusted entity. Once you have done this you will never be asked this question again onthis machine.

3. At the PowerShell prompt, enter the following:

Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567

Note: You created the UNIXusers group in a previous exercise. (See Add an Active Directory GroupAccount on page 58.)

Unix attributes are generated automatically based on the Default Unix Attributes settings that were configuredearlier and look similar to the following:

ObjectClass : groupDistinguishedName : CN=UNIXusers,CN=Users,DC=example.,DC=comGroupName : UNIXusersUnixEnabled : TrueGidNumber : 1234567AdsPath : LDAP://windows.example.com/CN=UNIXusers,CN=Users, DC=example,DC=comCommonName : UNIXusers

4. At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:

Enable-QasUnixUser ADuser | Set-QasUnixUser -PrimaryGidNumber 1234567

The Unix properties of the user display:

ObjectClass : userDistinguishedName : CN=ADuser, CN=Users,DC=example.,DC=comUserName : ADuserUnixEnabled : TrueUidNumber : 2062157421PrimaryGidNumber : 1234567Gecos :HomeDirectory : /home/ADuserLoginShell : /bin/bashAdsPath : LDAP://windows.example.com/CN=ADuser,CN=Users, DC=example,DC=comCommonName : ADuser

5. To disable the ADuser user for Unix login, at the PowerShell prompt enter:

Disable-QasUnixUser ADuser


Note: To completely clear all Unix attribute information, enter

Clear-QasUnixUser ADuser

Now that you have Unix-disabled the user, that user can no longer log into systems running the QAS agent.


• the Unix host name in the Host name box• the Active Directory user name, ADuser, in the User name box

and click Login to log onto the Unix host with your Active Directory user account.

A PuTTY window displays.

Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberosis not enabled or properly configured for the remote SSH service.

7. Enter the password for the Active Directory user account.You will receive a message that says, "Access denied".

PowerShell Cmdlets

Quest Authentication Services supports the flexible scripting capabilities of PowerShell to automate administrative,installation, and configuration tasks. A wide range of new PowerShell cmdlets are included in Quest AuthenticationServices:

Table 19: PowerShell Cmdlets

Descriptioncmdlet Name

Installs an Authentication Services license file in Active Directory. Licenses installedthis way are downloaded by all Unix clients.

Add-QasLicense

Clears the Unix identity information from group object in Active Directory. The groupis no longer Unix-enabled and will be removed from the cache on the AuthenticationServices Unix clients.

Clear-QasUnixGroup

Clears the Unix identity information from a user object in Active Directory. The useris no longer Unix-enabled will be removed from the cache on the AuthenticationServices Unix clients.

Clear-QasUnixUser

"Unix-disables" a group andwill be removed from the cache on the AuthenticationServices Unix clients. Similar to Clear-QasUnixGroup except the Unix group name isretained.

Disable-QasUnixGroup

Removes an Active Directory user‘s ability to log in on Unix hosts. (The user will stillbe cached on the Authentication Services Unix clients.)

Disable-QasUnixUser

Enables an Active Directory group for Unix by giving a Unix GID number. The GIDnumber is automatically generated.

Enable-QasUnixGroup

Enables an Active Directory user for Unix. The required account attributes UID number,primary GID number, GECOS, login shell and home directory are generatedautomatically.

Enable-QasUnixUser

Returns an object representing the QAS application configuration data stored inActive Directory.

Get-QasConfiguration

Returns a set of objects representing GPOs with Unix and/or Mac settings configured.This cmdlet is in the Quest.AuthenticationServices.GroupPolicy module.

Get-QasGpo


Descriptioncmdlet Name

Returns objects representing the Authentication Services product licenses stored inActive Directory.

Get-QasLicense

Returns a set of configurable global options stored in Active Directory that affect thebehavior of Authentication Services.

Get-QasOption

Returns the currently configured schema definition from the Quest AuthenticationServices application configuration.

Get-QasSchema

Returns a set of schema templates that are supported by the current Active Directoryforest.

Get-QasSchemaDefinition

Returns an object that represents an Active Directory group as a Unix group. Thereturned object can be piped into other cmdlets such as Clear-QasUnixGroup orEnable-QasUnixGroup.

Get-QasUnixGroup

Returns an object that represents an Active Directory user as a Unix user. The returnedobject can be piped into other cmdlets such as Clear-QasUnixUser orEnable-QasUnixUser.

Get-QasUnixUser

Returns the version of Authentication Services currently installed on the local host.Get-QasVersion

Moves the QAS application configuration information from one container to anotherin Active Directory.

Move-QasConfiguration

Creates an object that represents a connection to Active Directory using specifiedcredentials. You can pass a connection object to most Authentication Services cmdletsto execute commands using different credentials.

New-QasAdConnection

Creates an object that represents a connection to a Quest ActiveRoles Server usingthe specified credentials. You can pass a connection object to most AuthenticationServices cmdlets to execute commands using different credentials.

New-QasArsConnection

Creates a default QAS application configuration in Active Directory and returns anobject representing the newly created configuration.

New-QasConfiguration

Accepts a QAS application configuration object as input and removes it from ActiveDirectory. This cmdlet produces no output.

Remove-QasConfiguration

Accepts an Authentication Services product license object as input and removes thelicense from Active Directory. This cmdlet produces no output.

Remove-QasLicense

Accepts an Authentication Services options set as input and saves it to ActiveDirectory.

Set-QasOption

Accepts an Authentication Services schema template as input and saves it to ActiveDirectory as the schema template that will be used by all Authentication ServicesUnix clients.

Set-QasSchema

Accepts a Unix group object as input and saves it to Active Directory. You can alsoset specific attributes using command line options.

Set-QasUnixGroup

Accepts a Unix user object as input and saves it to Active Directory. You can also setspecific attributes using command line options.

Set-QasUnixUser

QAS PowerShell cmdlets are contained in PowerShell modules named Quest.AuthenticationServices andQuest.AuthenticationServices.GroupPolicy. Use the Import-Module command to import the QAS commands intoan existing PowerShell session.


Quest ChangeAuditor for Active Directory

Quest ChangeAuditor allows you to track changes and send alerts on:

• Changes to Active Directory objects and attributes• Changes to Unix and Mac settings in Group Policy Objects• Changes to Product settings and configuration

Install Quest ChangeAuditor

To install Quest ChangeAuditor

1. Insert the QAS distribution media.The Autorun Home page displays.

Note: If the Autorun Home page does not display, navigate to the root of the distribution media anddouble-click autorun.exe

2. Click the Setup tab and select Quest ChangeAuditor.The Quest ChangeAuditor for Active Directory web page opens.

3. Click the Download on the left navigation panel.

4. Follow the online instructions to gain access to the Trial Download page.5. From the Trial Download: ChangeAuditor for Active Directory page, click the Installation Guide link.6. Read the ChangeAuditor Installation Guide to obtain detailed steps for installing Quest Defender.

Quest DefenderQuest Defender, another Quest product, provides strong authentication functionality that makes it possible for anActive Directory user to use a hardware or software token to authenticate to Unix, Linux or Mac platforms.

Install Quest Defender

In order to use strong authentication you must download and install Quest Defender.

To install Quest Defender

Note: Quest Defender installation requires a license file. A fully-functional 25-user license for Defenderis included with Quest Authentication Services.

1. Insert the QAS distribution media.The Autorun Home page displays.

Note: If the Autorun Home page does not display, navigate to the root of the distribution media anddouble-click autorun.exe

2. From the Home page, click the Setup tab.3. From the Setup page, click Quest Defender.

The Quest Defender web page opens.4. Click the Download on the left navigation panel.5. Follow the online instructions to gain access to the Trial Download page.6. From the Trial Download: Defender page, click the Defender Documentation Archive link.7. Read the Defender Installation Guide to obtain detailed steps for installing Quest Defender.8. Once you have installed Quest Defender, see the Quest Defender Integration Guide located in the QAS Control

Center Tools page, or in the docs directory of the QAS Installation media, for detailed configuration instructionsabout integrating Quest Defender with Quest Authentication Services.


Appendix

ATroubleshooting

To help you troubleshoot, Quest recommends the following resolutions tosome of the common problems you might encounter as you deploy and useQuest Authentication Services.

Topics:

• Resolving Preflight Failures• Unable to Install or Upgrade• Unable to Log In• Unable to Join the Domain• Resolving DNS Problems• Time Synchronization Problems• System Optimization• Pointer Record (PTR) Updates are

Rejected• Long Startup Delays on Windows• Getting Help from Quest Support• vasypd Has Unsatisfied Dependencies

Resolving Preflight Failures

If one of the preflight checks fail, preflight prints a suggested resolution. The following table provides additionalproblem resolution information. The checks are listed by the associated command-line flags.

Table 20: Install Checks

ResolutionCheckPreflight Option

Install the QAS agent on a supported operatingsystem that has the required operating system

Checks for supported operating system andcorrect operating system patches.

--os-patch

patches. For a list of supported QAS platforms,refer to the Quest website.

Free up more disk space. QAS requires diskspace in /opt, /etc, and /var to install.

Checks for sufficient disk space to install QAS.--disk-space

Table 21: Join Checks


Quest recommends that you have a uniquehostname in order to maintain uniqueness of

Checks that the hostname of the system is not'localhost'

--hostname

computer names in Active Directory. Anotheroption is to ignore this check and use -ncomputer_name when joining. (See thevastool man page for more information.)

Ensure your host is configured to use DNSproperly. Consult your platform

Checks if the name service is configured to useDNS.

--name-service

documentation to determine the propermethod to enable DNS for hostnameresolution. See Resolving DNS Problems onpage 79 for solutions.

Check your /etc/resolv.conf file toensure that name server entries are correct

Ensures that the host can resolve names usingDNS.

--host-resolve

and reachable. Make sure that UDP port 53(DNS) is open. This check attempts to resolvethe domain name and can fail if your DNSconfiguration is invalid. This check expects tofind properly formatted IPv4 addresses. Invalidor unreachable name server entries will causedelays even though the check will pass if atleast one valid name server is found. If younotice delays when running this check, makesure that your name server configuration doesnot reference invalid name servers. SeeResolving DNS Problems on page 79 forsolutions.

SRV records advertise various Active Directoryservices. Your configured name server must

Checks for a nameserver that has theappropriate DNS SRV records for ActiveDirectory

--srv-records

provide SRV records in order for QAS to take

76 | Authentication Services 4.0 Installation Guide | Troubleshooting

http://www.quest.com/authentication-services/supported-platforms.aspx


advantage of automatic detection and failover. Ensure that UDP port 53 (DNS) is open.

If a domain controller is passed on the preflightcommand line, preflight checks that UDP

Detects a writable domain controller with UDPport 389 open.

--dc

port 389 is open and that the domaincontroller is writable. In this case, you may beable to specify a different domain controller.

If you do not pass in the name of a domaincontroller, this check attempts to locate awritable domain controller using DNS SRVrecords. Ensure that your DNS SRV records areup to date in the configured DNS server. QAScan work with read-only domain controllers,but the computer object must have alreadybeen created with the proper settings in ActiveDirectory.

This check warns you if QAS was unable tolocate an Active Directory site based on your

Detects Active Directory site, if available.--site

computer's network address. A siteconfiguration is not necessary but QASperforms better if site information isconfigured in Active Directory. To resolve thisproblem, configure a site in Active Directory.

Ensure that TCP port 464 (kpasswd) is open.This port must be open in order for QAS to setthe computer object's password.

Checks if TCP port 464 is open for Kerberoskpasswd.

--kerberos-password

These ports are the main Kerberoscommunication channels; they must be open

Checks if UDP port 88 and TCP port 88 areopen for Kerberos traffic.

--kerberos-traffic

for QAS to authenticate to Active Directory. Bydefault QAS uses UDP, with TCP fail over forlarger packets. If UDP is blocked or droppingfragmented packets, enable theuse-tcp-only setting in the [libvas]section of vas.conf, to force QAS to use TCPexclusively for Kerberos.

This port must be open for QAS tocommunicate with domain controllers using

Checks if TCP port 389 is open for LDAP.--ldap

LDAP. This communication is GSS SASLencrypted and signed.

QAS can function in a limited way without aglobal catalog server, however, QAS will be

Checks whether the Global Catalog isaccessible on TCP port 3268.

--global-catalog

unable to resolve Active Directory users andgroups from domains in the forest other thanthe one to which the host is joined. In addition,some searches may be slower. Make sure thatTCP port 3268 (global catalog) is open and thatyou have configured at least one domaincontroller as a global catalog and that theglobal catalog server is up and reachable.

Authentication Services 4.0 Installation Guide | Troubleshooting | 77


If the time difference between the Unix hostand the domain controller is too large,

Checks the machine's time is not skewed toofar from Active Directory.

--timesync

Kerberos traffic will not succeed. You canusually resolve this failure by runningvastool timesync to synchronize timewith the Active Directory domain. Port 123UDP must be open in order to synchronizetime with the domain controller. This checkautomatically synchronizes the time if youspecify the -S option and run the applicationwith root permissions.

This checks fails if you have not configured theActive Directory forest for QAS. Use QAS

Checks for the QAS application configurationin Active Directory.

--app-configuration

Control Center (Windows) to create thenecessary application configuration. This checkcan also fail due to an invalidusername/password or if there is a timesynchronization problem between the Unixhost and the domain controller.

Note: If you get a message that says, "Unable to locate QAS Application Configuration", you can ignorethat error and proceed with the QAS installation. The QAS Active Directory Configuration Wizard startsautomatically to help you configure Active Directory for QAS the first time you start the QAS ControlCenter.

Table 22: Post-Join Checks


In order to use Group Policy on Unix, this portmust be open to allow QAS to use the CIFS

Checks if TCP port 445 is open for MicrosoftDirectory Services CIFS traffic.

--ms-cifs

protocol to download Group Policy objectsfrom domain controllers.

Unable to Install or Upgrade

The most common installation or upgrade failure is that the Unix host cannot read the QAS application configurationin Active Directory. Ensure that you have followed the instructions in Configure Active Directory for QAS on page 25and that the configuration has been created successfully.

During an upgrade you may see an error that QAS cannot upgrade because the application configuration cannotbe located. If you previously joined to a specific domain controller QAS disabled DNS SRV record lookups. This meansthat QAS cannot resolve other domains in the forest and may be unable to locate the application configuration. Inthis case you must ensure that the domain controller you specified is a global catalog. Otherwise, you must createthe QAS application configuration in the domain that you join or you must properly configure DNS to return SRVrecords and join normally, rather than specifying a domain controller when you join.

For more information, see About Active Directory Configuration on page 26.


Unable to Log In

If you are unable to log in as an Active Directory user after installing, check the following:

1. Log in as root on the Unix host.2. Check the status of the QAS subsystems. To do this, run the following command:

vastool status

Correct any errors reported by the status command, then try logging in again.3. Ensure the user exists locally and is allowed to log in. To check this, run the following command:

vastool user checklogin <username>

The output displays whether the user is a known Active Directory user. If not, you may need to map the user toan Active Directory account or Unix-enable the Active Directory account. If the user is known, an access controlrule may prevent them from logging in. The output of the command displays which access control rules are ineffect for the user.

You may need to restart window managers such as gdm in order for the window manager to reload NSS modules.Until the window manager reloads the NSS configuration, you will be unable to log in with an Active Directory user.Other services such as cron may also be affected by NSS changes. If you are unsure which services need to bereloaded, reboot the system.

Note: If you are configuring QAS on VMware ESX Server vSphere (ESX 4.0) the reason you can not login may be related to access control issues. Please refer to Configuring Access Control on ESX 4 in the QASAdministrator's Guide.

Unable to Join the Domain

If you are unable to join the domain, run the preflight utility to validate your environment.

(See The QAS Pre-Installation Diagnostic Tool on page 38 for details.)

Then, verify the following:

• Check that the Active Directory account specified during join has rights to join the computer to the domain.• Check that the Unix host is able to properly resolve the domain name through DNS.

If you are joining to a specific domain controller you must ensure that QAS can locate and read the configurationinformation in Active Directory. You should do one of the following:

• Make sure the domain controller you specify is a global catalog.• Create the QAS application configuration in the domain to which you are joining.

For more information, see About Active Directory Configuration on page 26.

• Properly configure DNS to return srv-records and avoid joining to a specific domain controller.

Resolving DNS Problems

It is imperative that DNS is correctly configured. QAS relies on DNS in order to locate domain controllers. Followthese steps to verify that domain controllers can be located using DNS:


1. Use dig to test whether your DNS configuration can locate a domain controller. Enter the following at the Unixcommand prompt, replacing <DNS Domain Name> with your Active Directory DNS domain name:

dig -t any _ldap._tcp.dc._msdcs.<DNS Domain Name>

If DNS is configured correctly, you will see a list of domain controllers for your domain. If not, work with your DNSadministrator to resolve the issue.

2. Use dig to test whether you can locate a domain controller in your site. Enter the following at the Unix commandprompt, replacing <Site Name> with the name of your Active Directory site and <DNS Domain Name> with yourActive Directory DNS domain name.

dig -t _ldap._tcp.<Site Name>._sites.dc._msdcs.<DNS Domain Name>

If DNS is configured correctly, you will see a list of domain controllers for your site. If not, work with your DNSadministrator to resolve the issue.

It is possible to work around DNS problems using the vastool join command to specify the domain controllerhost name on the command line. QAS can work without DNS configured as long as the forward lookup in the/etc/hosts file exists. The forward lookup resolves the domain controller host name to an IP address.

You can test this on Linux by firewalling DNS (port 53) with iptables. Make sure that you have an entry for yourdomain controller in /etc/hosts then as root, enter the following commands replacing <administrator> with thename of an Active Directory administrator <DNS Domain Name> with your Active Directory DNS domain name and<DC Host Name> with the host name of your domain controller:

iptables -A INPUT -p udp --dport 53 -j DROP iptables -A OUTPUT -p udp --dport 53 -j DROP /opt/quest/bin/vastool -u <administrator> join <DNS Domain Name> <DC Host Name>

Time Synchronization Problems

Kerberos is a time-sensitive protocol. Your Unix hosts must be synchronized within five minutes of your ActiveDirectory domain controllers. Run the following command as root to have QAS synchronize the local time with ActiveDirectory:

vastool timesync

System Optimization

QAS kerberos works best with a random number generator package installed on the OS. If one is not installed, it willuse a potential slow fallback entropy generating system.

HP-UX

HP provides a /dev/random driver for hp-UX 11i (11.11), named 'KRNG11I'. It is available, for free, from the KRNG11Idepot. You can check if this is already installed by running:

$ swlist KRNG11I

For older versions (hp-UX 11.00), an open-source implementation of /dev/random is available from "random"DLKM (dynamically loadable kernel module) for HP-UX .

Solaris

Entropy is generally obtained from /dev/random which is an interface to a kernel random source. On Solaris 2.8,the /dev/random driver is provided in the following patches from ORACLE:


http://www.josvisser.nl/hpux11-random

http://www.josvisser.nl/hpux11-random

http://sunsolve.sun.com/

• solaris8/sparc: OS patch 112438• solaris8/x86: OS patch 112439

Pointer Record (PTR) Updates are Rejected

If Pointer Record (PTR) updates are being rejected, it may be because the DHCP server is doing the update already.Refer to the documentation for the DHCP server used in your environment. Microsoft's DHCP server does updateson behalf of the host and this is controlled by the FQDN option. Please refer to Microsoft's Active Directory DNS/DHCPdocumentation.

Long Startup Delays on Windows

You may experience long delays (over a minute) when starting the QAS Windows installer or certain Windowsmanagement tools such as QAS Control Center. All QAS Windows binaries are Authenticode-signed so that you canbe sure that the binaries are authentic and have not been tampered with. This problem occurs when the .NET runtimeattempts to verify the Authenticode signature by checking against certificate revocation lists (CRLs) atcrl.microsoft.com. If this site cannot be reached, the .NET framework check will time out (up to 60 seconds).This timeout occurs every time a signed assembly is loaded which can lead to very long load times. You can fix thisproblem by allowing access to crl.microsoft.com. See Microsoft KB article Microsoft KB article 936707 forbackground information.

If the computer is not connected to the internet, you can disable CRL checks for the entire system in Internet Explorer.Go to Options, select the Advanced tab, under Settings deselect the Check for publisher's certification revocationoption.

It is also possible to specify a generatePublisherEvidence element in an <app>.exe.config that willdisable CRL checks for the specific application that you are running. Keep in mind that if you are using QAS componentsin PowerShell or MMC, you would need to add this configuration for the powershell.exe.config and/ormmc.exe.config. Refer to <generatePublisherEvidence> Element for details.

Getting Help from Quest SupportIf you are still unable to determine the solution to the problem, contact Quest Support for help.

Note: See Contacting Quest Support on page 11 for contact information.

Before you contact support, please collect the following information:

1. Take a system information snapshot. To do this, run the following command as root:

/opt/quest/libexec/vas/scripts/vas_snapshot.sh

This produces an output file in /tmp.

2. Make note of the Unix attributes for the user that cannot log in (if applicable). To do this, capture the output fromthe following commands:

vastool -u host/ attrs <username>id <username>

Note: Depending on your platform, you may need to run id -a instead of id.

3. Copy the text from any error messages that you see.



http://msdn.microsoft.com/en-us/library/bb629393.aspx

4. Save the results of running a "double su". To do this, log in as root and run su <username> note any errormessages. Then run su <username> again and note any error messages.

Once you have collected the information listed above, contact Quest Support at support.quest.com.

vasypd Has Unsatisfied Dependencies

If you receive the following error message while installing the QAS vasypd Unix component, the rpcbind servicemay not be enabled.

svcadm: Instance "svc:/quest/vas/vasypd:default" has unsatisfied dependencies.Error 4 starting vasypd

To enable the rpcbind service

1. 1. Check the dependencies of vasypd:

# svcs -d quest/vas/vasypdSTATE STIME FMRIdisabled Sep_14 svc:/network/rpc/bind:defaultonline Sep_14 svc:/milestone/single-user:defaultonline Sep_14 svc:/system/filesystem/local:default

2. If rpcbind is disabled, run this command to enable it:

# /usr/sbin/svcadm enable -s /network/rpc/bind

3. Run the following command to start vasypd:

# /etc/init.d/vasypd start



Appendix

BEnterprise Package Deployment

This section details how to install, upgrade, and uninstall the QAS agent onsupported platforms in an enterprise environment using platform packagemanagement tools.

Topics:

• Install the QAS Agent Package• Upgrade the QAS Agent Package• Uninstall the QAS Agent Packages• Solaris 10 Zones/Containers Support

Install the QAS Agent Package

To install the QAS agent package

1. Log in and open a root shell.2. Mount the installation DVD and run the appropriate command:

(See Notes for additional configuration information.)

Table 23: QAS Agent Installation Commands

INSTALLPLATFORM

# rpm -ihv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpmLinux x86 - RPM

# rpm -ihv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpmLinux x64 - RPM

# dpkg -i /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.debLinux x86 - DEB

# dpkg -i /<mount>/client/linux-x86_64/vasclnt-<version>-<build>_amd64.debLinux x64 - DEB

# rpm -ihv /<mount>/client/linux-s390/vasclnt-<version>-<build>.s390.rpmLinux s390

# rpm -ihv /<mount>/client/linux-s390x/vasclnt-<version>-<build>.s390x.rpmLinux s390x

# rpm -ihv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpmVMware ESX 3.x

# rpm -ihv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpmVMware ESX 4.0

# rpm -ihv/<mount>/client/linux-glibc22-ppc64/vasclnt-glibc22-<version>-<build>.ppc64.rpm

SLES 8 PPC

# rpm -ihv/<mount>/client/linux-glibc23-ppc64/vasclnt-glibc23-<version>-<build>.ppc64.rpm

SLES 9 PPC

# pkgadd -d /<mount>/client/solaris8-x86/vasclnt_SunOS_5.8_i386-<version>-<build>.pkgvasclnt

Solaris 8-10 x86

# pkgadd -d/<mount>/client/solaris10-x64/vasclnt_SunOS_5.10_i386-<version>-<build>.pkg vasclnt

Solaris 10 x64

# pkgadd -d/<mount>/client/solaris8-sparc/vasclnt_SunOS_5.8_sparc-<version>-<build>.pkg vasclnt

Solaris 8-10 SPARC

# swinstall -s /<mount>/client/hpux-pa/vasclnt_9000-<version>-<build>.depot vaslcntHP-UX PA-RISC 11.0(B.11.00), 11i v1(B.11.11)

# swinstall -s /<mount>/client/hpux-pa-11v1/vasclnt_hpux-11.11-<version>-<build>.depotvasclnt

HP-UX PA-RISC 11i v2(B.11.23), 11i v3(B.11.31)

# swinstall -s /<mount>/client/hpux-ia64/vasclnt_ia64-<version>-<build>.depot vasclntHP-UX IA64 11i v1.6(B.11.22), 11i v2(B.11.23), 11i v3(B.11.31)

# installp -acXd /<mount>/client/aix-43/vasclnt.AIX_4.3.<version>-<build>.bff allAIX 4.3.3

# installp -acXd /<mount>/client/aix-51/vasclnt.AIX_5.1.<version>-<build>.bff allAIX 5.1 – 5.2


84 | Authentication Services 4.0 Installation Guide | Enterprise Package Deployment

INSTALLPLATFORM

/usr/sbin/installer -pkg '/<mount>/VAS.mpkg/Contents/Packages/vasclnt.pkg' -target /Mac OS X

Additional Configuration Information:

Note: To enable QAS authentication for all services you must restart all services thatrequire QAS authentication or restart the system.

Note: Linux - RPM:

The x86_64 QAS rpm contains 64-bit and 32-bit libraries, and has an RPM dependencyon both the 32-bit libpam library and the 64-bit libpam library. If the 64-bit Linuxoperating system on which you are installing QAS does not have any 32-bitsupporting libraries installed, use the -- nodeps RPM flag to force the installationand avoid error messages about missing dependencies.

Note: VMware:

You must enter the following additional command, to configure the VMwareauthentication services:vastool configure pam vmware-authd

Note: Solaris:

For information on Solaris 10 Zones support and installation guides, see Solaris 10Zones/Containers Support on page 89 Solaris 10 Zones Support.

In certain situations pkgadd requests additional information. Respond appropriatelyfor your system configuration. Initialization scripts that are part of the vasclntpackage run during installation to help configure the system.

To install the QAS vasypd Unix component on Solaris 10, you must have therpcbind service enabled on the host. (See vasypd Has Unsatisfied Dependencies onpage 82 for more information.)

Note: HP-UX:

QAS requires that the Unix host system clock be synchronized with the ActiveDirectory server’s system clock. By default, HP-UX uses xntpd for time services. Toproperly synchronize the system clocks either configure xntpd to sync with a DomainController, or disable xntpd to allow QAS to synchronize the system time. Consultthe xntpd documentation for information on disabling xntpd and configuringxntpd.

You must reboot the HP-UX machine to ensure that all of the new files are installed.HP-UX does not allow you to overwrite files that are in use—this is done as part ofthe boot sequence.

Note: Mac OS X:

To install from the command line, you must first mount the QAS DMG image file.

On Mac 10.4 enter:

hdiutil attach <media>/client/macos-104/VAS-<version>.dmg

On Mac 10.6 enter:

hdiutil attach <media>/client/macos-106/VAS-<version>.dmg

Authentication Services 4.0 Installation Guide | Enterprise Package Deployment | 85

Upgrade the QAS Agent Package

Note: When upgrading the QAS packages manually (that is, without using the insall.sh script) onall platforms except Mac OS X, you must first uninstall the old vasclnt and vasutil packages. UpgradeQAS on a Mac OS X either by mounting the .dmg and running the .mpkg GUI installer, or by runningthe install.sh script.

To upgrade the QAS agent package

1. Log in and open a root shell.2. Mount the installation DVD and run the appropriate command:


Table 24: QAS Agent Upgrade Commands

INSTALLPLATFORM

# rpm -Uhv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpmLinux x86 - RPM

# rpm -Uhv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpmLinux x64 - RPM

# dpkg -i /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.debLinux x86 - DEB

# dpkg -i /<mount>/client/linux-x86_64/vasclnt-<version>-<build>_amd64.debLinux x64 - DEB

# rpm -Uhv /<mount>/client/linux-s390/vasclnt-<version>-<build>.s390.rpmLinux s390

# rpm -Uhv /<mount>/client/linux-s390x/vasclnt-<version>-<build>.s390x.rpmLinux s390x

# rpm -Uhv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpmVMware ESX 3.x

# rpm -Uhv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpmVMware ESX 4.0

# rpm -Uhv/<mount>/client/linux-glibc22-ppc64/vasclnt-glibc22-<version>-<build>.ppc64.rpm

SLES 8 PPC

# rpm -Uhv/<mount>/client/linux-glibc23-ppc64/vasclnt-glibc23-<version>-<build>.ppc64.rpm

SLES 9 PPC

# pkgadd -d /<mount>/client/solaris8-x86/vasclnt_SunOS_5.8_i386-<version>-<build>.pkgvasclnt

Solaris 8-10 x86

# pkgadd -d/<mount>/client/solaris10-x64/vasclnt_SunOS_5.10_i386-<version>-<build>.pkg vasclnt

Solaris 10 x64

# pkgadd -d/<mount>/client/solaris8-sparc/vasclnt_SunOS_5.8_sparc-<version>-<build>.pkg vasclnt

Solaris 8-10 SPARC

# swinstall -s /<mount>/client/hpux-pa/vasclnt_9000-<version>-<build>.depot vaslcntHP-UX PA-RISC 11.0(B.11.00), 11i v1(B.11.11)

# swinstall -s /<mount>/client/hpux-pa-11v1/vasclnt_hpux-11.11-<version>-<build>.depotvasclnt

HP-UX PA-RISC 11i v2(B.11.23), 11i v3(B.11.31)

# swinstall -s /<mount>/client/hpux-ia64/vasclnt_ia64-<version>-<build>.depot vasclntHP-UX IA64 11i v1.6(B.11.22), 11i v2


INSTALLPLATFORM

(B.11.23), 11i v3(B.11.31)

# installp -acXd /<mount>/client/aix-43/vasclnt.AIX_4.3.<version>-<build>.bff allAIX 4.3.3



/usr/sbin/installer -pkg '/<mount>/VAS.mpkg/Contents/Packages/vasclnt.pkg' -target /Mac OS X


Note: During the upgrade, vasd reloads and updates its user and group cache. Torestart the QAS caching service, see To Restart QAS Services on page 88.

Note: If you are using the licensed version of the QAS agent earlier than 3.0, seeLicensing QAS on page 42 for licensing instructions.

Note: VMware:

VMware provides a Host Update Utility to upgrade an ESX 3.5 agent to 4.0, but ifQAS is left installed and configured during the procedure, the machine will beinaccessible after the upgrade. This is because the previous 3.5 installation is pushedaside and mounted under the /esx3-installation directory, but all the keyconfiguration files, like /etc/nsswitch.conf and the pam.d directory, arepreserved.

If QAS is still configured in those files it leaves the machine in a bad state. Becauseof this, Quest recommends that you uninstall QAS before attempting to upgrade toESX 4.0. In the vSphere Upgrade Guide, VMware warns that "no third-partymanagement agents or third-party software applications are migrated," but it doesnot explicitly say they should be uninstalled prior to upgrade.

Should you accidentally leave QAS installed or configured during the upgrade, usethe following steps to fix the machine:

1. Boot into single user mode2. Copy /etc/pam.d/vmware-authd.esx4 over

/etc/pam.d/vmware-authd (backup vmware-authd first if desired)3. Copy /etc/pam.d/system-auth-generic.esx4 over

/etc/pam.d/system-auth-generic

4. Remove "vas4" from the passwd, group, and any other configured lines innsswitch.conf

5. Reboot the machine--the machine should now be accessible6. Install the linux-x86_64 QAS packages

Note: Solaris:

The -a vasclient-defaults option specifies an alternative default file forpkgadd administrative options that allows pkgadd to overwrite an existing packagewith a new package.

pkgadd does not support the concept of upgrading a package, so this allows youto upgrade without having to rejoin your machine to the Active Directory domain,or uninstalling the old version first.


Note: HP-UX:

Reboot the HP-UX machine to ensure that all of the new files are installed. HP-UXdoes not allow you to overwrite files that are in use—this is done as part of the bootsequence.

To Restart QAS Services

The method for restarting services varies by platform:a) To restart QAS on Linux or Solaris, enter:

/etc/init.d/vasd restart

b) To restart QAS on HP-UX, enter:

/sbin/init.d/vasd restart

c) To restart QAS on AIX, enter:

stopsrc -s vasdstartsrc -s vasd

Note: Due to library changes between the QAS 3.x and 4.0, Quest recommends thatyou restart all long-lived processes that use QAS data to force a reload of the newerlibraries. For example, you must restart cron.

Uninstall the QAS Agent Packages

To uninstall the QAS agent packages

1. Log in and open a root shell.2. Run the following commands to remove the packages:


Table 25: QAS Agent Uninstall Commands

COMMANDPACKAGE

# rpm -e vasclntRPM

# dpkg -r vaslcntDEB

# pkgrm vasclntSolaris

# swremove vasclntHP-UX

# installp -u vasclntAIX

/<mount>/Uninstall.app/Contents/MacOS/Uninstall' --console --force vasclntMac OS X



Note: Linux:

The rpm –e vasclnt and the dpkg -r vaslcnt commands run scripts thathalt the daemon, unconfigure QAS, flush and delete the QAS cache before finallyremoving the files.

Note: HP-UX:

The swremove vasclnt command does not clean up the empty directories thatthe vasclnt package used. In order to clean these up, manually remove the/opt/quest directory after you uninstall.

Solaris 10 Zones/Containers SupportSun introduced Zones (or containers) in Solaris 10. Zones is a partitioning technology used to virtualize operatingsystem services and provide an isolated and secure environment for running applications. There are two types ofnon-global zone root filesystem models:

• sparse root• whole root

The sparse root zone model optimizes the sharing of objects while the whole root zone model provides the maximumconfigurability. Additional information on Solaris 10 and Zones can be found at www.sun.com.

QAS and Solaris 10 Zones Installation GuidelinesTo install QAS in a Solaris 10 Zones configuration

• In Solaris 10 Zones, only the global zone is permitted to do time synchronization. Therefore, if you want to runQAS in "any" Solaris Zone configuration, you must timesync the Global Zone with Active Directory. Timesynchronization is a requirement of the Kerberos protocol and since QAS is built on Kerberos, QAS also has thisrequirement.

• The same version of QAS should be installed in any combination of global, whole root, and sparse root zoneconfigurations.

• To disable time synchronization for QAS on the sparse zone, run the below command:

vastool configure vas vasd timesync-interval 0

• The following symlinks must exist in the global zone in order for the sparse zones to work correctly:

• /usr/lib/security/pam_vas3.so | /opt/quest/usr/lib/security/pam_vas3.so• /usr/lib/security/sparcv9/pam_vas3.so |

/opt/quest/usr/lib/security/sparcv9/pam_vas3.so

If /usr is shared, you need the following symlinks in the global zone pointing to counterpart files in/opt/quest/lib:

• /usr/lib/nss_vas4.so.1 | /opt/quest/lib/nss/nss_vas4.so.1• /usr/lib/security/pam_vas3.so | /opt/quest/usr/lib/security/pam_vas3.so

In such a scenario, you do not need QAS joined to a domain in the global zone in order for sparse zones to work,but the symlinks must exist.

Each zone must have its own unique copy of /etc and /var because QAS stores zone-specific information in thoselocations. Sharing /etc and /var with the global zone is not a supported configuration.


Index

A

Active Directory 16changing configuration settings 16

Active Directory configuration 26determines schema mappings 26moving the configuration data 26purpose defined 26updating 26validates license information 26

Active Directory schema 56how Quest Authentication Services uses 56

Active Directory user account 59creating 59

ActiveRoles Server option 25not available if ActiveRoles Server agent is not installed 25

AD user identity formats 30AD users and groups 59, 60, 61

managing 59, 60, 61Add Hosts 31

procedure 31Add Hosts page 31, 32, 33, 34

add hosts to management console 31profile hosts 32, 33, 34

All Hosts page 36install software 36

application configuration 27, 43, 44creating from command line 43, 44running QAS without 27

Application Configuration 27overriding requirement 27

associate an AD user account with a local Unix user 59

B

Best Practice: 14, 15, 16, 42, 43, 50, 51, 52, 53, 55, 56add Unix identity attributes to global catalog 56do not install or run the QAS Windows components on ActiveDirectory domain controllers 14, 15, 16index attributes in Active Directory 56install only one management console per environment 50, 51, 52, 53, 55, 56license management 42, 43use generated UIDs and GIDs 53use schema designed for storing Unix data in AD 55, 56

C

caching of Unix host credentials 32, 33, 34change Active Directory configuration settings 26Check for AD Readiness 35configure for Active Directory 29configure for Quest Authentication Services 29, 30contacting 11Control Center 50, 51, 52, 53, 55, 56

described 50, 51, 52, 53, 55, 56

Control Center (continued)must be logged in as domain user 50, 51, 52, 53, 55, 56

conventions 10credentials 30

accepted user name formats 30customize the schema mapping 56

D

debug logging 55enabling 55

Dynamic DNS Update Tool 46

E

enable debug logging 55enable local user for AD authentication 59

F

Filter Options 51

G

global settings modifications 50, 51, 52, 53, 55, 56Global Unix Options 53group 57

add to console 57

H

hosts 31, 32, 33, 34, 36add to management console 31install software 36profile 32, 33, 34

I

Import Public Key 32, 33, 34using 32, 33, 34

Install Software 36procedure 36

install.sh 40, 46about 40interactive mode 46

Installation Script Options 40installing 37, 38, 39, 40, 42, 43, 44, 45, 46, 84

QAS Linux agent 84QAS Unix agent 37, 38, 39, 40, 42, 43, 44, 45, 46

J

join domain in Version 3 Compatibility Mode 27

Authentication Services 4.0 Installation Guide | Index | 91

joining domain 44, 45, 46determining if joined 44, 45, 46

joining the AD domain 45

K

known_hosts file 31importing 31

L

LDAP attributes 55, 56mapped to Unix attributes 55, 56

license 14, 30, 42, 43, 53Any Authentication Services 3.x or higher license is valid forQAS 4.x. 14, 53installing 14, 53updating 30updating in the management console 14, 42, 43, 53

License 52, 53adding 52, 53

licenses 42, 43installing 43

Limitation: 14, 15, 16Microsoft does not support (GPMC) on 64-bit platforms ofWindows 14, 15, 16

local account administration 57, 58Logging 55

enabling 55setting options 55

login credentials 30accepted formats 30

Login with AD password 60, 61

M

manage local users and groups 59management console 31

add hosts 31management console Requirements 21mapping users 59

O

Optimize Schema 56requires AD administrator rights 56

P

patch level requirements 16, 17performance and scalability 56Permissions 16

required 16permissions required for full QAS functionality 17PosixAccount auxiliary class schema extension 56post-install setup 29, 30PowerShell cmdlets 71PowerShell modules 69, 70, 71Preferences 52, 53, 55, 56

configuring settings 52, 53, 55, 56

preflight Diagnostic Tool 38About 38

preflight utility 38running 38

Profile Host 32, 33, 34procedure 32, 33, 34

profile hosts automatically 34PTR updates are rejected 81

Q

QAS installation script 40using 40

QAS Linux agent 84installing 84

QAS Unix agent 37, 38, 39, 40, 42, 43, 44, 45, 46about installing 37, 38, 39, 40, 42, 43, 44, 45, 46

Quest Authentication Services 29, 30configure management console 29, 30

Quest One Identity Solution 10Quest Support 11

R

reload configuration settings 88reports 63

descriptions 63report parameters 63

required AD rights 50, 51, 52, 53, 55, 56required rights 26Requirements 14, 15, 16

Windows Management Tools 14, 15, 16Requirements: 16, 17, 22

network ports 22QAS Permissions 17Windows Permissions 16

restart services 88

S

saving credentials on server 32, 33, 34saving host credentials on server 35schema 55, 56

configuration 55, 56Custom Unix attributes 55, 56extensions 55, 56LDAP attributes 55, 56templates 55, 56Unix attributes 55, 56

schema configuration 56defined 56

schema extension 56PosixAccount auxiliary class 56

schema mappings 56customizing 56

index and replicate GUI and UID attributes to globalcatalog 56

schemaless configuration 44set global value 53Set supervisor Password page 30Setup Quest Identity Manager for Unix page 29, 30

92 | Authentication Services 4.0 Installation Guide | Index

SSH 33duplicate keys 33upload new key 33

standard Active Directory schema extensions 56supervisor account 30

described 30System Optimization 80

T

troubleshooting 75, 76, 78, 79, 80, 81, 82Troubleshooting 55

using logs 55Troubleshooting: 29, 34, 38, 44, 45, 46, 76, 78, 79, 80, 81, 82, 88

changes made to NSS libraries 88determine if joined to AD 44, 45, 46Diagnostic Tool 38Getting Help from Quest Support 81I can't configure the console for AD during initial install 29Long Startup Delays on Windows 81Profile Automatically option is not available 34PTR updates are rejected 46rejected PTR updates 81Resolving DNS Problems 79Resolving Preflight Failures 76Time Synchronization Problems 80Unable to Install or Upgrade 78Unable to Join the Domain 79Unable to Log In 79vastool kinit delay 80vasypd has unsatisfied dependencies 82

U

Unix agent 83, 84, 86, 88, 89packages 83, 84, 86, 88, 89

Unix Agent Requirements 16, 17Unix Group ID (GID) 53Unix identity management tasks 28, 29, 30, 31, 32, 33, 34, 35, 36

performing from QAS Control Center 28, 29, 30, 31, 32, 33, 34, 35, 36

Unix User ID (UID) 53Unix-enable an Active Directory group 61Unix-enable an Active Directory user 61upgrade VAS 3.5 39upgrading VAS 3.5 to QAS 4.x 38user login name 27

changes for 4.x 27users 58

add to console 58

V

validating SSH keys 33vasd 88

restart 88vasjoin Script 45

using 45vasjoin.sh 44, 45, 46

using 44, 45, 46vastool join 45

using 45Version 3 Compatibility Mode 27, 39

W

where to set 53

Authentication Services 4.0 Installation Guide | Index | 93

94 | Authentication Services 4.0 Installation Guide | Index

quest authentication services...

Documents