
Quest Authentication Services 4.0

Evaluation Guide
Copyright (c) 2010 Quest Software, Inc.
ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished
under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the
terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use
without the written permission of Quest Software, Inc.

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel
or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products.
EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING
TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS
DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations
or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to
make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment
to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters


LEGAL Dept
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
email: legal@quest.com

Refer to our Web site for regional and international office information.

Patents
Protected by U.S. Patent # 7,617,501. Additional patents pending.

Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, Big
Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery,
Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert,
Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech,
LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo,
PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic,
SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage
Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI,vFoglight, vPackager, vRanger,
vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore
vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc
in the United States of America and other countries. Other trademarks and registered trademarks are property of their
respective owners.
Third Party Contributions
This product may contain one or more of the following third party components. For copies of the text of any license listed,
please go to http://www.quest.com/legal/third-party-licenses.aspx .

Component: Notes
Apache Commons 1.2: Apache License Version 2.0, January 2004
Boost: Boost Software License Version 1.0, August 2003
Expat 2.0.0: © 1998, 1999, 2000 Thai Open Source Software Center Ltd
Heimdal Krb/GSSapi 1.2: © 2004 - 2007 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.
OpenSSL 0.9.8d: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). © 1998-2008 The OpenSSL Project. All rights reserved.
Quest Authentication Services | TOC | 5

Contents

Chapter 1: About This Guide (page 7)
  Quest One Identity Solution (page 8)
  Conventions (page 8)
  About Quest Software (page 9)
  Contacting Quest Support (page 9)

Chapter 2: Introducing Quest Authentication Services (page 11)
  Licensing QAS (page 12)
  System Requirements (page 12)
  Windows Permissions (page 12)
    QAS Windows Components (page 12)
  Unix Permissions (page 13)
    QAS Unix Components (page 13)

Chapter 3: Installing and Configuring QAS (page 15)
  Install the Web Console (page 16)
    Installing Quest Identity Manager for Unix (page 16)
  Install QAS Windows Components (page 16)
    Installing QAS Windows Components (page 16)
  Configure Active Directory for QAS (page 17)
    Configuring Active Directory for QAS (page 17)
  Configure Unix Agent Components (page 18)
    To Configure the Web Console for Active Directory (page 19)
    To Prepare Unix Hosts for Active Directory User Access (page 19)
    To Enable Active Directory Users for Unix (page 20)

Chapter 4: Getting Started with QAS (page 23)
  Getting Acquainted with the QAS Control Center (page 24)
    Web Console (page 24)
    Group Policy (page 25)
    Tools (page 26)
    Preferences (page 26)
  Learning the Basics (page 31)
    Run Reports (page 31)
    Associate Active Directory Authentication to a Local User (page 32)
    Change the Default Unix Attributes (page 33)
    Add a New Active Directory User and User Group (page 33)
    Use QAS PowerShell (page 34)
    Track Changes to Active Directory (page 37)
    Enable Strong Authentication (page 38)
Chapter 1: About This Guide

Topics:
• Quest One Identity Solution
• Conventions
• About Quest Software
• Contacting Quest Support

Welcome to the Quest Authentication Services Evaluation Guide.

This is a self-directed, hands-on evaluation of Quest Authentication Services. The content includes a product overview,
installation instructions, and a "Getting Started" section that will help you get acquainted with the QAS Control Center,
and how to use QAS to accomplish basic system administration tasks.
The guide is divided into three sections:
• Introducing Quest Authentication Services on page 11
• Installing and Configuring QAS on page 15
• Getting Started with QAS on page 23

Quest One Identity Solution


Quest Single Sign-on for SAP is a component of the Quest One Identity Solution, a set of enabling technologies,
products, and integration that empowers organizations to simplify identity and access management by:
• Reducing the number of identities
• Automating identity administration
• Ensuring the security of identities
• Leveraging existing investments, including Microsoft Active Directory
Quest One improves efficiency, enhances security and helps organizations achieve and maintain compliance by
addressing identity and access management challenges as they relate to:
• Single sign-on
• Directory consolidation
• Provisioning
• Password management
• Strong authentication
• Privileged account management
• Audit and compliance

Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions
apply to procedures, icons, keystrokes and cross-references.

Element: Convention
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bold text: Used to indicate elements that appear in the graphical user interface that you are to select, such as the OK button.
Italic text: Interface elements that appear in Quest products, such as menus and commands.
courier text: Used to indicate host names, file names, program names, command names, and file paths.
Blue Text: Indicates an interactive link to a related topic.
(icon): Used to highlight additional information pertinent to the process or topic being described.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe sign between elements means that you must select the elements in that particular sequence.

About Quest Software


Note: Quest Authentication Services, formerly Vintela Authentication Services (or VAS), has been
re-branded for the 4.0 release.

Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports
smart systems management products—helping our customers solve everyday IT challenges easier and faster. Contact
Quest for more information:
Contacting Quest Software

Phone: 949.754.8000 (United States and Canada)


Email: info@quest.com
Mail: Quest Software, Inc.
World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656 USA
Web site: www.quest.com

Contacting Quest Support


Quest Support is available to customers who have a trial version of a Quest product or who have purchased a Quest
product and have a valid maintenance contract. Quest Support provides unlimited 24x7 access to SupportLink, our
self-service portal.

Information Sources: Contact Points

Quest Support
SupportLink: support.quest.com
Quest SupportLink gives you access to these tools and resources:
• Product Information
Most recent product solutions, downloads, documentation, notifications and
product lifecycle table.
• Product Downloads
Download the latest Quest product releases and patches.
• Product Documentation
Download Quest product documentation, such as installation, administrator, user
guides and release notes.
• Search KnowledgeBase
Search our extensive repository for answers to Quest-product related issues or
questions.
• Case Management
Create new support cases and manage existing cases.
Email: support@quest.com
Phone: 1.800.306.9329

Public Forum
The Community site is a place to find answers and advice, join a discussion forum,
or get the latest documentation and release information: Inside Vintela.

Global Support Guide


View the Global Support Guide for a detailed explanation of support programs, online
services, contact information, policies and procedures. The guide is available at
support.quest.com.
Chapter 2: Introducing Quest Authentication Services

Topics:
• Licensing QAS
• System Requirements
• Windows Permissions
• Unix Permissions

Quest Authentication Services (formerly Vintela Authentication Services) is patented technology that enables
organizations to extend the security and compliance of Active Directory to Unix, Linux, and Mac platforms and
enterprise applications. It addresses the compliance need for cross-platform access control, the operational need for
centralized authentication and single sign-on, and enables the unification of identities and directories for simplified
identity and access management.

Licensing QAS
Quest Authentication Services must be licensed in order for Active Directory users to authenticate on Unix and Mac
hosts.
Note: While you can install and configure QAS on Windows and use the included management tools to
Unix-enable users and groups in Active Directory without installing a license, you must have the QAS
license installed for full QAS functionality.

Contact your account representative for a license.

System Requirements
Prior to installing Quest Authentication Services, ensure your system meets the minimum hardware and software
requirements for your platform. QAS consists of Windows management tools and Unix integration agents.
Quest Authentication Services 4.0 supports: Windows 7, Vista, XP, Windows 2008 and Windows 2003.
For a list of supported QAS platforms, refer to the Quest Authentication Services Platform Support.

Windows Permissions
To install QAS on Windows, you must have:
• Local administrator rights
• Rights to create a container and a child container in Active Directory (first-time only)
Authenticated Users must have rights to read cn, displayName, description, and whenCreated attributes for container
objects located under the root Active Directory configuration container. To change Active Directory configuration
settings, Administrators must have rights to Create Child Object (container) and Write Attribute for cn, displayName,
description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.

Table 1: Required Windows Permissions

Rights | Required For User | Object Class | Attributes
Create Child Object | QAS Administrators Only | Container | (none)
Write Attribute | QAS Administrators Only | Container | cn, displayName, description, showInAdvancedViewOnly
Read Attribute | Authenticated Users | Container | cn, displayName, description, whenCreated

QAS Windows Components


QAS includes the following Windows components:

Table 2: Windows Components

Windows Component: Description
QAS Control Center: A single console to provide access to all of the tools and configuration settings for QAS
Active Directory Users and Computers MMC Snapin Extensions: Provides Unix management extensions for Active Directory users and groups
Group Policy Management Editor MMC Snapin Extensions: Provides Group Policy management for Unix, Linux and Mac
RFC2307 NIS Map Editor MMC Snapin: Provides the ability to manage NIS data in Active Directory
NIS Map Import Wizard: Import NIS data into Active Directory
Unix Account Import Wizard: Import Unix identity data into Active Directory
QAS PowerShell cmdlets: Provides the ability to script Unix management tasks
Documentation: Full product documentation and online help

Unix Permissions
To install QAS on Unix, Linux, or Mac, you must have root access rights.

QAS Unix Components


QAS includes the following Unix components:

Table 3: QAS Unix Components

Unix Component: Description
vasd: The QAS agent background process that manages the persistent cache of Active Directory information used by
the other QAS components. vasd is installed as a system service. You can start and stop vasd using the standard
service start/stop mechanism for your platform. vasd is part of the vasclnt package.
vastool: The QAS command line administration utility that allows you to join a Unix host to an Active Directory
Domain; access and modify information about users, groups and computers in Active Directory; and configure the
QAS components. vastool is installed at /opt/quest/bin/vastool. vastool is part of the vasclnt package.
vgptool: A command line utility that allows you to manage the application of Group Policy settings to QAS clients.
vgptool is installed at /opt/quest/bin/vgptool. vgptool is part of the vasgp package.
oat (Ownership Alignment Tool): A command line utility that allows you to modify file ownership on local Unix
hosts to match user accounts in Active Directory. oat is installed at /opt/quest/libexec/oat/oat. oat is part of the
vasutil package.
LDAP proxy: A background process that secures the authentication channel for applications using LDAP bind to
authenticate users without introducing the overhead of configuring secure LDAP (LDAPS). The LDAP proxy is
installed by the vasproxy package.
NIS proxy: A background process that acts as a NIS server which can provide backwards compatibility with existing
NIS infrastructure. The NIS proxy is installed by the vasyp package.
SDK package: The vasdev package, the QAS programming API.
Chapter 3: Installing and Configuring QAS

Topics:
• Install the Web Console
• Install QAS Windows Components
• Configure Active Directory for QAS
• Configure Unix Agent Components

To extend the authentication, authorization, and administration infrastructure of Active Directory to the rest of your
enterprise, allowing Unix, Linux, and Mac systems to act as full citizens within Active Directory, follow these steps:
1. Install the Quest Identity Manager for Unix web console.
2. Install Quest Authentication Services Windows components.
3. Configure Active Directory for QAS.
4. Configure the web console for Active Directory.
5. Prepare the Unix hosts for Active Directory user access by means of the Quest Identity Manager for Unix
following these steps:
• Add and profile a host, to prepare a host for Active Directory log in.
• Check the host for readiness to join Active Directory.
• Install QAS agent software on the host to allow Active Directory user access.
Note: For users to authenticate on Unix, Linux, and Mac hosts with Active Directory credentials, your Unix hosts
must have the QAS agent installed.
• Join the host to Active Directory.



Install the Web Console


In preparing for your Quest Authentication Services installation, Quest recommends that you install Quest Identity
Manager for Unix. This provides a web console that is a powerful and easy-to-use tool that dramatically simplifies
deployment, enables management of local Unix users and groups, provides granular reports on key data and
attributes, and streamlines the overall management of your Unix, Linux, and Mac OS X hosts.
Of course, you can install QAS without using Quest Identity Manager for Unix. You can find those instructions in the
QAS Installation Guide, located in QAS Control Center Tools page or in the docs directory of the installation media.

Installing Quest Identity Manager for Unix


The easiest way to install and configure QAS Unix agent components is by means of the Quest Identity Manager for
Unix web console.
To install Quest Identity Manager for Unix on a supported Windows platform

1. Log into any Windows machine on the domain.


2. Insert the QAS distribution media.
The Autorun Home page displays.
Note: If the Autorun Home page does not display, navigate to the root of the distribution media and
double-click autorun.exe.

3. From the Home page, click the Setup tab.


4. From the Setup page, click Quest Identity Manager for Unix.
The install wizard guides you through the rest of the setup pages:
• Quest Identity Manager for Unix License Agreement
• Installation Directory
• Configure TCP/IP Port
• Completing the Quest Identity Manager for Unix installation

5. On the Complete page, leave the Launch Quest Identity Manager for Unix option unselected when you click
Finish to exit the install wizard and return to the Autorun Setup tab.

Once you have installed Quest Identity Manager for Unix, you are ready to install or upgrade the QAS Windows
Components.

Install QAS Windows Components


Quest recommends that you install the Windows components and configure Active Directory before you install the
Unix components.

Installing QAS Windows Components


Install Quest Authentication Services on each Windows Workstation you plan to use to administer Unix data in Active
Directory.
To install the QAS Windows components

1. From the Autorun Setup page, click Quest Authentication Services to launch the Setup wizard.
2. Click Next at the Welcome page and follow the wizard prompts.

The wizard leads you through the following pages:


• License Agreement
• Choose Destination Location
• Ready to Install the Program
• InstallShield Wizard Complete

3. Leave the Launch Quest Authentication Services option selected on the InstallShield Wizard Complete page, and
click Finish to automatically start the QAS Control Center.

Note: If this is the first time running QAS Control Center, the QAS Active Directory Configuration Wizard starts
automatically to walk you through the process of configuring Active Directory for QAS. This is a one-time task; if the
configuration has already been performed, the QAS Control Center launches when you click Finish.

Configure Active Directory for QAS


To use QAS 4.0 with Active Directory, you must first prepare Active Directory to store the configuration settings that
it uses. This is a one-time process.
If you have not configured Active Directory for QAS, the QAS Active Directory Configuration Wizard starts automatically
to assist you in setting up the configuration the first time you start the QAS Control Center.
Note: To use the QAS Active Directory Configuration Wizard, you must have rights to create a container
in Active Directory.

Configuring Active Directory for QAS


The first time you install QAS in your environment, you must perform a one-time Active Directory configuration step.
This section walks you through the configuration process. If you have already performed this configuration, skip this
section.
To configure Active Directory for QAS

1. At the QAS Active Directory Configuration Wizard Welcome page, click Next.
2. At the Connect to Active Directory page:
a) Provide Active Directory login credentials for the wizard to use for this task:
• Select Use my current AD logon credentials if you are a user with permission to create a container in
Active Directory.
• Select Use different AD logon credentials to specify the Active Directory credentials of another user and
enter the User name and Password.
Note: The wizard does not save these credentials; it only uses them for this setup task.

b) Indicate how you want to connect to Active Directory:


Select whether to connect to an Active Directory Domain Controller or ActiveRoles Server.
Note: If you have not installed the ActiveRoles Server MMC Console on your computer, the
ActiveRoles Server option is not available.

c) Optionally enter the Domain or domain controller and click Next.



3. At the License QAS 4.0 page, browse to select your license file and click Next.
Note: You can add additional licenses later from the QAS Control Center Preferences Licensing page.

4. At the Configure Settings in Active Directory page, accept the default location in which to store the configuration
or browse to select the Active Directory location where you want to create the container and click Setup.
Note: You must have rights to create a container in the selected location. For more information on
the structure and rights required see Windows Permissions on page 12.

5. Once you have configured Active Directory for QAS, click Close.
The QAS Control Center opens. You can now begin using QAS Control Center to manage your Unix hosts.

About Active Directory Configuration


The first time you install or upgrade to QAS 4.0 you must configure Active Directory for QAS. This is typically a
one-time process. Most organizations will not need to update the Active Directory configuration unless they want
to change default values for new users. You can modify the settings using the QAS Control Center Preferences page.
QAS stores configuration information in Active Directory. The first time you run the QAS Control Center, the QAS
Active Directory Configuration wizard walks you through the setup and it stores the following information in Active
Directory:
• Application Licenses
• Settings controlling default values and behavior for Unix-enabled users and groups
• Schema configuration
QAS uses the information found in the Active Directory configuration to maintain consistency across the enterprise.
Without the Active Directory configuration none of the QAS components function correctly. The Unix agents use
the Active Directory configuration to validate license information and determine schema mappings. Windows
management tools read this information to determine the schema mappings and the default values it uses when
Unix-enabling new users and groups.
The Active Directory configuration is stored in a "root" container object
cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. There can only be one Active Directory configuration.
If multiple configurations are found, QAS uses the one created first as determined by reading the whenCreated
attribute. If another group in your organization has already created an Active Directory configuration, use the existing
configuration. You may want to discuss which global configuration settings you want to use. You can use the provided
PowerShell cmdlet Move-QasConfiguration to move the configuration data to another location in Active
Directory. At any time you can completely remove the QAS Active Directory configuration using the
Remove-QasConfiguration cmdlet.
Without the Active Directory configuration:
• QAS Unix agents will not join the domain
• QAS updates will not complete
• QAS management tools will not function
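The rule above (one root container named by the GUID, the earliest whenCreated wins when duplicates exist) is worth checking during an evaluation, because a second configuration created by another team silently changes which defaults the agents read. The following is an added example, not code from the Quest guide or product: it assumes you have already run an LDAP search for containers with that cn and pass the results in as Python dicts holding the DN and the AD GeneralizedTime whenCreated value.

```python
"""Audit helper: pick the authoritative QAS configuration container and flag duplicates.

Added example, not part of the Quest guide. Input entries are assumed to come
from an LDAP search of the domain for containers whose cn is QAS_CONFIG_CN.
"""
from datetime import datetime, timezone

# Name of the QAS root configuration container, as stated in the guide.
QAS_CONFIG_CN = "{786E0064-A470-46B9-83FB-C7539C9FA27C}"


def parse_generalized_time(value: str) -> datetime:
    """Parse an AD GeneralizedTime string such as '20100315120000.0Z' into a UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime value, got {value!r}")
    body = value[:-1].split(".")[0]  # drop the trailing 'Z' and any fractional seconds
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rdn_cn(dn: str) -> str:
    """Return the cn value of the leading RDN of a distinguished name ('' if it is not a cn)."""
    first = dn.split(",", 1)[0]
    attr, _, val = first.partition("=")
    return val.strip() if attr.strip().lower() == "cn" else ""


def select_qas_configuration(entries):
    """Apply the guide's rule: among all containers named QAS_CONFIG_CN, the one with the
    earliest whenCreated is the configuration QAS uses. Returns (chosen_dn, duplicate_dns);
    any duplicates are the ones an administrator should review and, if unwanted, remove."""
    candidates = [e for e in entries if rdn_cn(e["dn"]).upper() == QAS_CONFIG_CN.upper()]
    if not candidates:
        raise LookupError("no QAS Active Directory configuration container found")
    # Sort by creation time; the DN is a deterministic tie-breaker for equal timestamps.
    candidates.sort(key=lambda e: (parse_generalized_time(e["whenCreated"]), e["dn"]))
    chosen = candidates[0]["dn"]
    duplicates = [e["dn"] for e in candidates[1:]]
    return chosen, duplicates


# Constructed sample search results (hypothetical DNs and timestamps, not real directory data).
SAMPLE_ENTRIES = [
    {"dn": f"CN={QAS_CONFIG_CN},OU=Unix,DC=example,DC=com", "whenCreated": "20100802091500.0Z"},
    {"dn": "CN=Users,DC=example,DC=com", "whenCreated": "20090101000000.0Z"},
    {"dn": f"CN={QAS_CONFIG_CN},CN=Program Data,DC=example,DC=com", "whenCreated": "20100315120000.0Z"},
]

if __name__ == "__main__":
    chosen_dn, duplicate_dns = select_qas_configuration(SAMPLE_ENTRIES)
    print("authoritative configuration:", chosen_dn)
    for dn in duplicate_dns:
        print("duplicate configuration to review:", dn)
```

With the constructed sample, the container under CN=Program Data is chosen because it was created first, and the later one under OU=Unix is reported as a duplicate.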

Configure Unix Agent Components


QAS 4.0 allows you to perform all of your Unix identity management tasks from the QAS Control Center.
Note: If the QAS Control Center is not currently open, you can either double-click the desktop icon or
access it by means of the Start menu.

Follow the steps outlined on the QAS Control Center Home page to get your Unix agents ready.

Of course, you may perform your Unix agent management tasks from the Unix command line, if you prefer. You can
find those instructions in the Quest Authentication Services Administrator's Guide, located in the QAS Control Center
Tools page in the Documentation section, or in the docs directory of the Installation media.

To Configure the Web Console for Active Directory


1. From the QAS Control Center, click the Web Console link in the left-navigation pane.
Note: To launch the Control Center in your default browser, click the Tools link in the left-navigation
pane, open the Quest Authentication Services section and click Launch in default browser under
Quest Identity Manager for Unix.

The first time you launch the web console the setup wizard asks how you plan to use Quest Identity Manager for
Unix.
2. On the Setup Quest Identity Manager for Unix page, indicate that you have a license and click Next.
3. On the Configure console for Quest Authentication Services page,
a) Enter the name of the domain you will manage with the web console.
b) Enter the user name and password and click Verify Configuration.
c) When you see the message that indicates your AD configuration is verified, click Next.
4. On the Set up console access page, select at least one Active Directory account to access the web console and
click Next.
5. On the Identify Console page, enter information about this console and click Next.
The QAS Control Center uses this information to find and identify this console on the network.
6. On the Set console password page, enter a password for the web console supervisor account and click Next.
Note: The Supervisor is the only account that has rights to modify system settings in Quest Identity
Manager for Unix.

7. On the Console setup summary page, click Finish.


The Quest Identity Manager for Unix web console opens within the QAS Control Center.

To Prepare Unix Hosts for Active Directory User Access


Since you are using Quest Identity Manager for Unix with a licensed version of Quest Authentication Services, you
are ready to prepare your host for Active Directory user access.

1. From the Quest Identity Manager for Unix Getting Started page, click the middle button entitled Get started with
the Add and Join Host wizard.
2. At the Welcome page, click Next.
3. In the Add and Profile Host page:
a) Enter the name of the Unix host you want to add.
b) Enter the login credentials and the SSH Port number for that Unix host.
c) Optionally, indicate if you want to Run task as another user (su) and enter the appropriate information in the
User name and Password boxes.
d) Click Add and profile host.
Note: If the Validate Host SSH Keys dialog displays, select the hosts and click OK to accept the new
fingerprint for each host and cache them on the server.

Note: If you are performing an upgrade and attempted to add and join a host that was previously
joined to your Active Directory domain, the Add and Join a Host process displays a Summary page
that indicates the wizard will skip the remaining steps.
20 | Quest Authentication Services | Installing and Configuring QAS

4. At the Check for AD Readiness page:


a) Enter the name of the domain you want to use for the readiness check.
b) Enter your credentials to log into Active Directory.
c) Click Check AD Readiness.
Note: If the Check for Readiness to Join Active Directory completed with "advisories", indicated by
an advisory icon, you can ignore them for now; click Next to continue. However, you must resolve any
failures before going on.

5. At the Select Software to Install page, select services and components you want to install on your host and click
Install.
6. At the Join the Host to Active Directory page:
a) Enter the name of the domain to which you want to join the host.
b) Enter the computer account name.
Leave this blank to generate a name based on the host DNS name.
c) Enter a name for the container where you want to create the computer account.
Leave this blank to create the computer account in the "computers" container.
d) Enter your Active Directory login credentials and click Join Host to AD.
7. At the Summary page, click View the host properties to close the wizard and open the host Properties page; or
click Close to close the wizard and go to the All Hosts tab of Quest Identity Manager for Unix.
8. Click the Getting Started tab to prepare for the next step.

To Enable Active Directory Users for Unix


Now that your host is joined to Active Directory, you can enable Active Directory users for Unix to allow them access
to the host.

1. From the Getting Started tab, click the Go to the Active Directory view to enable AD users button.
The Quest Identity Manager for Unix web console's Active Directory tab opens.
2. Click the search icon next to the Search by name box to search for Active Directory objects and locate an Active
Directory user.
Note: For step-by-step instructions on using the search controls at the top of this page refer to the
Quest Identity Manager for Unix Administrator's Guide. You can access it from the web console Help |
PDF link.

3. Double-click an Active Directory user to open its Property page.


4. Select the Unix Account tab and select the Unix-enabled option.
It populates the Properties page with default Unix attribute values.
5. Make any required changes and click OK to Unix-enable the user using these settings.
Note: There are additional settings that you can set using PowerShell, which allow you to validate
entries for the GECOS, Home Directory, and Login Shell attributes. Refer to Use QAS PowerShell on
page 34 to learn more.

Once enabled for Unix, you can log on to the host with that Active Directory user's log on name and password.
6. Enter the Host name and User name in the Login to remote host boxes in the left navigation panel of the QAS
Control Center and click Login.
7. At the command line, enter the password.

8. At the Unix client command line, enter:

/opt/quest/bin/vastool -v

vastool returns the QAS version, proving that you have installed QAS on your Unix host.

Note: Refer to Getting Started with QAS on page 23 to learn how to do some basic
system administration tasks using the QAS Control Center and Quest Identity Manager
for Unix.
Chapter 4
Getting Started with QAS

Once you have successfully installed QAS you will want to learn how to do some basic system administration tasks
using the QAS Control Center and Quest Identity Manager for Unix.

Topics:
• Getting Acquainted with the QAS Control Center
• Learning the Basics

Getting Acquainted with the QAS Control Center


Quest Authentication Services consists of plug-ins, extensions, security modules and utilities spread across nearly
every operating system imaginable. The QAS Control Center pulls those parts together and provides a single place
for you to find the information and resources you need.
Control Center installs on Windows and is a great starting place for new users to get comfortable with some of
Authentication Services' capabilities.

Table 4: Quest Authentication Services Control Center

• Home
The "Introduction" section contains information about what's new in Authentication Services 4.0.
The "Get Started with QAS 4.0" sections provide the steps needed to authenticate an Active Directory user to a Unix
system using the Quest Authentication Services' web-based administration console, Quest Identity Manager for Unix.
The "How Do I…" section provides additional information about tools and features to solve common tasks with Quest
Authentication Services.
• Web Console
You can run the new web console (Quest Identity Manager for Unix) within the QAS Control Center or you can run it
separately in a supported web browser. The console is a separate install that you can launch from the ISO. You can
install it on Windows, Unix, Linux, or Mac and typically you would install it one time per environment.
• Group Policy
Provides the ability to search for Active Directory Group Policy Objects that have Unix and Mac settings defined.
Also provides links to edit these GPOs and run reports that show the detailed settings of the Group Policy Objects.
• Tools
Contains links to tools and resources additionally available with Quest Authentication Services; a great starting
place for anyone new to the product.
• Preferences
Centrally manage the preferences and settings of Quest Authentication Services. This capability affects the
behavior of all the ADUC snap-ins installed in an environment. The settings also impact the default behavior of the
included PowerShell cmdlets and even the Unix command-line tools (/opt/quest/bin/vastool).
Note: The Preferences section is now the place to centrally manage the default values that are generated by the
various Authentication Services management tools, including the ADUC snap-in, the PowerShell cmdlets, and the
Unix command-line tools (for example /opt/quest/bin/vastool).
• Log into remote host
A simple SSH client (built on PuTTY) for remote access to Unix systems; it saves new installs from having to find
and install a separate PuTTY client.

To run QAS Control Center you must be logged in as a domain user. To make changes to global settings you must
have rights in Active Directory to create, delete, and modify objects in the QAS configuration area of Active Directory.

Web Console
Quest Identity Manager for Unix allows you to centrally manage Quest Authentication Services agents running on
Unix, Linux and Mac OS X systems. With the web console you can:

• Remotely deploy the QAS agent software.
• Manage local user and group accounts.
• Configure account mappings from local users to Active Directory accounts.
• Report on a variety of security and host access related information.
You can install the web console on any operating system. Once installed, you can access it from a browser using
the default port of 9443 or from the QAS Control Center.

Group Policy
The QAS Control Center Group Policy window is a single place for managing core aspects of Group Policy. This is
similar to the Group Policy Management Console, but specific to Unix GPOs. The window allows you to conveniently
view group policy objects that contain Unix and Mac settings. You can show all GPOs or just those with Unix settings,
Mac settings or both by checking the appropriate boxes.

Filter Options
To filter the list of GPOs

1. Double-click Filter Options or click the expansion arrow in the right corner of the window.
2. Enter all or part of a name to filter the list of GPOs.
3. Open the Domain drop down menu to choose a domain.
4. Select the Unix Settings or Mac Settings List Only options to further filter the GPO list.
If you select both options, only the GPOs configured for both Unix and Mac display.

Edit GPO
To edit a group policy object

From the Group Policy window, select a GPO in the list and click Edit GPO... from the Actions menu.
The Group Policy Object Editor opens for the selected GPO.
Note: For more information about the Group Policies, refer to the QAS Administrator's Guide, located
in QAS Control Center Tools page in the Documentation section, or in the docs directory of the
installation media.

Settings Report
A settings report displays all of the Quest Authentication Services group policy object settings that apply to Unix or
Mac systems.
To generate a Unix settings report

From the Group Policy window, select a GPO Name and click Settings Report... from the Actions menu.
An HTML report of the currently configured Unix and Mac settings displays.
Note: You can select multiple GPOs to run several reports simultaneously.

Show Files
To open Windows Explorer

From the Group Policy window, select a GPO in the list and click Show Files... from the Actions menu.
Windows Explorer opens and displays the Group Policy Templates for the selected GPO.

Launch GPMC
To launch the Group Policy Management Console

From the Group Policy window, click Launch GPMC... from the Actions menu.

Tools
The Tools link on the QAS Control Center gives you access to
• Quest Authentication Services
Direct links to installed applications and tools related to Quest Authentication Services.
• Additional Quest Products
Direct links to other Quest product plug-ins.
Note: The Additional Quest Products link is only available if you have installed other Quest products
such as Quest Defender, Authentication Services for Smart Cards, or ActiveRoles Server.

• Other Tools
Direct links to tools related to Quest Authentication Services.
Note: The Other Tools link is only available if you have installed the Group Policy Management
Console.

• Documentation
Direct links to Quest Authentication Services documentation.

Preferences
Quest Authentication Services stores certain preferences and settings in Active Directory. This information is used
by QAS clients and management tools so that behavior remains consistent across all platforms and tools. The
Preferences window allows you to configure these settings and preferences.

Licensing
The Licensing section of the Preferences window in the QAS Control Center displays a list of installed license files. You
can add and remove license files at any time. The license files are stored in Active Directory and QAS Unix hosts
automatically download and apply new license files from Active Directory.
Licensing QAS
Quest Authentication Services must be licensed in order for Active Directory users to authenticate on Unix and Mac
hosts.
Note: While you can install and configure QAS on Windows and use the included management tools to
Unix-enable users and groups in Active Directory without installing a license, you must have the QAS
license installed for full QAS functionality.

Contact your account representative for a license.


To Add Licenses

1. Click the Preferences navigation button on the left panel of the QAS Control Center.
2. Expand the Licensing section.
The list box displays all licenses currently installed in Active Directory.
3. Click Add a license... from the Actions menu.
4. Browse for the license file and click Open.
The license appears in the list box.
Note: Unix hosts check for new licenses when the host is joined to the domain or every 24 hours by
default. This can be changed by modifying the configuration-refresh-interval setting
in vas.conf.

To remove a license, select it and click Remove license.
To restore a removed license, click Undo Remove.

Global Unix Options


The Global Unix Options section displays the currently configured options for Unix-enabling users and groups.
Click Modify Global Options... to change these settings.
Note: QAS uses the Global Unix Options when enabling users and groups for Unix log in.

Table 5: Unix User Defaults

• Require unique user login names
Select to require a unique user login name attribute within the forest.
• Require unique UID on users
Select to require a unique user Unix ID (UID) number within the forest.
• Minimum UID Number
Enter a minimum value for the Unix User ID (UID) number. Typically you set this to a value higher than the highest
UID among local Unix users to avoid conflicts between users in Active Directory and local user accounts.
• Maximum UID Number
Enter a maximum value for the Unix User ID (UID) number. Typically you would not change this value unless you
have a legacy Unix platform that does not support the full 32-bit integer range for the UID number.
• Primary GID Number
Enter the default value for the Primary GID number when Unix-enabling a user.
• Set primary GID to UID
Select to set the primary GID number to the User ID number.
• Default Comments (GECOS)
Enter any text in this box.
• Login Shell
Enter the default value for the login shell used when Unix-enabling a user.
• Home Directory
Enter the default prefix used when generating the home directory attribute when Unix-enabling a user. The default
value is /home/; use a different value if your Unix user home directories are stored in another location on the
file system. QAS uses the user's effective Unix name when generating the full home directory path.
• Use lowercase user name for home directory
Select to use a lower-case representation of the user's effective Unix name when generating the full home
directory path as a user is Unix-enabled.

Table 6: Unix Group Defaults

• Require unique Group Names
Select to require a unique Unix group name attribute within the forest.
• Require unique GID Number
Select to require a unique Unix Group ID (GID) attribute within the forest.
• Minimum GID Number
Enter the minimum value for the Unix Group ID (GID). Typically this is set to a value higher than the highest GID
among local Unix groups to avoid conflicts between groups in Active Directory and local group accounts.
• Maximum GID Number
Enter the maximum value for the Unix Group ID (GID). Typically you would not change this value unless you have a
legacy Unix platform that does not support the full 32-bit integer range for the GID.

Table 7: Unique IDs

• Generate based on
These options control the algorithms used to generate unique user and group IDs. The sub-options are:
• Object GUID Hash
An ID generated from a hash of the user or group object GUID attribute. This is a fast way to generate an ID which
is usually unique. If the generated value conflicts with an existing value, the ID is re-generated by searching
the forest.
• Samba Algorithm
An ID generated from the SID of the domain and the RID of the user or group object. This method works well when
there are few domains in the forest. If the generated value conflicts with an existing value, the ID is
re-generated by searching the forest.
• Legacy Search Algorithm
An ID generated by searching for existing ID values in the forest. This method generates an ID that is not
currently in use.

Modifications you make to these Global Unix Options take effect after you restart the Microsoft Management Console
(MMC).
Note: It is a best practice to either use the generated default IDs or set the ID manually. Mixing the two
methods can lead to ID conflicts.

Logging Options
The Logging Options section allows you to enable logging for all Quest Authentication Services Windows components.
This setting only applies to the local computer. Logging can be helpful when trying to troubleshoot a particular
problem. Because logging causes components to run slower and use more disk space, you should set the Log Level
to disabled when you are finished troubleshooting.
Enable Debug Logging on Windows
To enable debug logging for all Quest Authentication Services Windows components

1. Open QAS Control Center and click the Preferences navigation button on the left panel.
2. Expand the Logging Options section.
3. Open the Log level drop-down menu and set the log level to Debug.
Debug generates the most log output. Higher levels generate less output. You can set the Log level to Disabled
to disable logging.
4. Click the browse button to specify a folder location where you want to write the log files.
Quest Authentication Services Windows components log information into the specified log folder the next time
they are loaded. Each component logs to a text file named after the DLL or EXE that generates the log message.

Custom Unix Attributes


In Quest Authentication Services 4.0 the Unix schema attributes are fully customizable. The Custom Unix Attributes
section allows you to see which LDAP attributes are mapped to Unix attributes. You can modify this mapping to
enable QAS to work with any schema configuration. To customize the mapping, you select a schema template or
specify your own custom attributes. A schema template is a pre-defined set of common mappings which adhere to
common schema extensions for storing Unix data in Active Directory. QAS supports the following schema templates
if the required schema is installed:

Table 8: Unix Schema Attributes

• Schemaless
A template that encodes Unix attribute data in an existing multi-valued attribute.
• Windows 2003 R2
A template that uses attributes from the Windows 2003 R2 schema extension.
• Services for Unix 2.0
A template that uses attributes from the SFU 2.0 schema extension.
• Services for Unix 3.0
A template that uses attributes from the SFU 3.0 schema extension.

Note: It is a best practice to use a schema designed for storing Unix data in Active Directory whenever
possible. Schemas designed for storing Unix data in Active Directory include: Windows 2003 R2, SFU 2,
and SFU 3. Only use "schemaless" or custom mappings if it is impossible to make schema extensions in
your environment.

Active Directory Schema Extensions


Quest Authentication Services stores Unix identity and login information in Active Directory. Quest designed QAS
to provide support for the following standard Active Directory schema extensions:

Table 9: Active Directory Schema Extensions

• Windows 2003 R2 Schema
This schema extension is provided by Microsoft and adds support for the PosixAccount auxiliary class, used to
store Unix attributes on user and group objects.
• Services for Unix 2.0
Microsoft provides this schema extension with the Services for Unix 2.0 set of tools. It adds custom attributes
to user and group objects, used to store Unix account information.
• Services for Unix 3.0
Microsoft provides this schema extension with the Services for Unix 3.0 set of tools. It adds custom attributes
to user and group objects, used to store Unix account information.

With QAS 4.0 it is possible to customize the schema setup to work with any schema configuration. No schema
extensions are necessary with the new "schemaless" storage feature. When you configure QAS for the first time, QAS
attempts to auto-detect the best schema configuration for your environment. The schema configuration is a global
application setting that applies to all QAS management tools and Unix agents. You can change the detected settings
at any time using QAS Control Center.

Configure a Custom Schema Mapping


If you do not have a schema that supports Unix data storage in Active Directory, you can configure QAS to use
existing, unused attributes of users and groups to store Unix information in Active Directory.
To configure a custom schema mapping

1. Open the QAS Control Center and click the Preferences navigation button on the left panel.
2. Expand the Custom Unix Attributes section.
3. Click Customize....
4. Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type
attributes except User ID Number, User Primary Group ID and Group ID Number which may be integers. If an
attribute does not exist or is of the wrong type, the border will turn red indicating that the LDAP attribute is
invalid.
Note: To customize the schema mapping, ensure that the attributes used for User ID Number and
Group ID Number are indexed and replicated to the global catalog.

5. Click OK to validate and save the specified mappings in Active Directory.

Active Directory Optimization


Indexing certain attributes used by the Quest Authentication Services Unix agent can have a dramatic effect on the
performance and scalability of your Unix and Active Directory integration project. The Custom Unix Attributes
panel in the Preferences section of QAS Control Center displays a warning if the Active Directory configuration is
not optimized according to best practices.
As a best practice, Quest recommends indexing the following attributes in Active Directory. Note: LDAP display
names vary depending on your Unix attribute mappings.
• User UID Number
• User Unix Name
• Group GID Number
• Group Unix Name
It is also a best practice to add all Unix identity attributes to the global catalog. This reduces the number of Active
Directory lookups that need to be performed by QAS Unix agents. You can find the LDAP display name for each Unix
attribute in the Custom Unix Attributes panel in the Preferences section of QAS Control Center. For example, you
can add the following attributes to the global catalog:
• logonHours
• accountExpires
• pwdLastSet
• lockOutTime
Click the Optimize Schema link to run a script that updates these attributes as necessary.
Note: The Optimize Schema option is only available if you have not optimized the Active Directory
schema.

This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize
your schema, it generates a schema optimization script. You can send the script to an Active Directory administrator
who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
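The checks described in the two sections above (attribute type for a custom mapping, indexing, and global catalog membership) can be verified from the schema partition before you click Customize... or Optimize Schema. The following is an added PowerShell example, not code from the guide or from QAS; the LDAP display names are the Windows 2003 R2 ones and are assumptions, so substitute the names shown in your Custom Unix Attributes panel.

```powershell
# Added example, not the guide's own code: check a custom Unix attribute mapping against
# the Active Directory schema for the three things the text above calls out. Attribute
# names are assumed (the Windows 2003 R2 ones); replace them with your own mapping.

# attributeSyntax OIDs used by Active Directory.
$IntegerSyntaxes = @('2.5.5.9', '2.5.5.16')                       # Integer, Large Integer
$StringSyntaxes  = @('2.5.5.12', '2.5.5.5', '2.5.5.4', '2.5.5.3')  # Unicode, IA5/Printable, Teletex, Numeric

# Unix attribute -> LDAP display name. Only the ID numbers may be integer-typed; the UID
# and GID numbers and the Unix names should be indexed; everything should be in the GC.
$Mapping = @(
    @{ Unix = 'User Unix Name';        Ldap = 'uid';               IntegerOk = $false; NeedsIndex = $true  }
    @{ Unix = 'User ID Number';        Ldap = 'uidNumber';         IntegerOk = $true;  NeedsIndex = $true  }
    @{ Unix = 'User Primary Group ID'; Ldap = 'gidNumber';         IntegerOk = $true;  NeedsIndex = $false }
    @{ Unix = 'Comments (GECOS)';      Ldap = 'gecos';             IntegerOk = $false; NeedsIndex = $false }
    @{ Unix = 'Home Directory';        Ldap = 'unixHomeDirectory'; IntegerOk = $false; NeedsIndex = $false }
    @{ Unix = 'Login Shell';           Ldap = 'loginShell';        IntegerOk = $false; NeedsIndex = $false }
    @{ Unix = 'Group ID Number';       Ldap = 'gidNumber';         IntegerOk = $true;  NeedsIndex = $true  }
)

function Get-SchemaAttribute {
    # Looks up one attributeSchema object and reports its syntax, index flag and GC membership.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'lDAPDisplayName', 'attributeSyntax', 'searchFlags', 'isMemberOfPartialAttributeSet'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }

    $flags = 0
    if ($result.Properties.Contains('searchflags')) { $flags = [int]$result.Properties['searchflags'][0] }
    $inGc = $false
    if ($result.Properties.Contains('ismemberofpartialattributeset')) {
        $inGc = [bool]$result.Properties['ismemberofpartialattributeset'][0]
    }
    [pscustomobject]@{
        Name            = [string]$result.Properties['ldapdisplayname'][0]
        Syntax          = [string]$result.Properties['attributesyntax'][0]
        Indexed         = ($flags -band 1) -eq 1   # bit 1 of searchFlags = fATTINDEX
        InGlobalCatalog = $inGc
    }
}

function Test-UnixAttributeMapping {
    # Emits one row per mapped attribute with any findings an administrator should act on.
    param([Parameter(Mandatory)][hashtable[]]$Mapping)
    foreach ($m in $Mapping) {
        $attr     = Get-SchemaAttribute -LdapDisplayName $m.Ldap
        $findings = @()
        if ($null -eq $attr) {
            $findings += 'attribute does not exist in the schema'
        } else {
            $typeOk = ($StringSyntaxes -contains $attr.Syntax) -or
                      ($m.IntegerOk -and ($IntegerSyntaxes -contains $attr.Syntax))
            if (-not $typeOk) { $findings += "syntax $($attr.Syntax) is not allowed for this Unix attribute" }
            if ($m.NeedsIndex -and -not $attr.Indexed) { $findings += 'not indexed' }
            if (-not $attr.InGlobalCatalog) { $findings += 'not replicated to the global catalog' }
        }
        $status = 'OK'
        if ($findings.Count -gt 0) { $status = 'Review' }
        [pscustomobject]@{
            UnixAttribute = $m.Unix
            LdapAttribute = $m.Ldap
            Status        = $status
            Findings      = ($findings -join '; ')
        }
    }
}

Test-UnixAttributeMapping -Mapping $Mapping | Format-Table -AutoSize -Wrap
```

Run it as a domain user on a machine joined to the forest; it only reads the schema and changes nothing, so it is safe to re-run after Optimize Schema to confirm the result.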

Learning the Basics


The topics in this section help you learn how to do some basic system administration tasks using the new QAS Control
Center and Quest Identity Manager for Unix.
Note: The exercises in this section assume that you have successfully installed Quest Authentication
Services and Quest Identity Manager for Unix by following the steps in these topics:
1. Install the Web Console on page 16
2. Install QAS Windows Components on page 16
3. Configure Active Directory for QAS on page 17
4. Configure Unix Agent Components on page 18

Run Reports
QAS allows you to run various reports to capture key information about your Unix hosts and the Active Directory domains
joined to these hosts.
To run reports

1. From the Quest Identity Manager for Unix web console, click the Reporting tab.
2. Click the Reports tab.
3. Expand the report group names to view the available reports, if necessary.
• Host Reports
Unix host information gathered during the profiling process.
• User Reports
Local and AD Unix user information
• Group Reports
Local and AD Unix group information
• Logon Policy Reports
Log on Policy information

4. Assuming that you successfully added a host and joined it to the domain during the installation process, open
the Host Reports group and click the icon to run the Unix Host Migration Planning report.
5. Review the report parameters.
Note that all of the report parameters are selected by default. This information will be included in the report. To
exclude information from the report, unselect the parameter.
6. Click Generate report as to open a context menu from which you can select a format for the report: HTML, PDF
(default), XML, XLS or RTF.
7. Select a format to launch a new browser or application page displaying the report in the selected format.
8. When you have reviewed the report, you may close it or save it for later reference.

Quest Identity Manager for Unix report names and descriptions

• Unix Host Migration Planning
Provides a snapshot of the readiness of each host to integrate with Active Directory. This report is best used for
planning and monitoring the readiness of each host to track progress of projects.
• Unix Host Profiles
Provides a summary of the information about each host gathered while profiling the hosts.
• Unix Computers in AD
Displays all Unix computers in Active Directory in the requested scope.
• Local Unix Users
Reports on all users on all Unix systems, or the Unix systems where a specified user account exists in /etc/passwd.
• Local Unix User Conflicts
Identifies local user accounts that would conflict with a specified user name and UID on other hosts. This report
is useful for planning user consolidation projects across Unix systems.
• Local Unix Users with AD Login
Identifies which local Unix accounts are required to use Active Directory credentials to log into the host.
• Unix Enabled AD Users
Displays all Active Directory users that have Unix user attributes.
• AD User Conflicts
Displays all users with Unix UID numbers that are assigned to other Unix enabled user accounts.
• Local Unix Groups
Identifies the hosts where a specified group exists in /etc/group.
• Unix Enabled AD Groups
Displays all Active Directory groups that have Unix group attributes.
• AD Group Conflicts
Displays all groups with Unix GID numbers that are assigned to other Unix
• Login Policy for AD User
Identifies the Unix systems where one or more AD users have been granted login permissions.
• Login Policy for Unix Host
Identifies the AD users that have been granted login permissions for one or more Unix systems.

Associate Active Directory Authentication to a Local User


This feature, also known as user mapping, allows you to associate an Active Directory user account with a local Unix user.
Allowing a local user to log into a Unix host using Active Directory credentials enables that user to take advantage of the
benefits of Active Directory security and access control.
To associate Active Directory authentication to a local user

1. Add a local group:
a) In Quest Identity Manager for Unix, navigate to the Hosts | All Hosts tab.
b) Double-click a host, select the Groups tab and click Add Group.
c) In the Add New Group dialog, enter localgroup in the Group Name box and click Add Group.
d) In the Log on to Host dialog, enter your credentials and click OK.
2. Add a local user:
a) Select the Users tab and click Add User.
b) In the Add New User dialog, enter localuser in the User name box.
c) Select the localgroup as the Primary group.
d) Select /bin/bash for the Login shell.
e) Enter the Password and click Add User.
f) In the Log on to Host dialog, verify your credentials and click OK.
3. Associate Active Directory authentication to a local user:
a) From the Users tab, double-click the local user named 'localuser' to open the properties dialog.
b) On the AD Login tab, select the Require an AD password to log into Host option.
c) Click Select to open the Select AD user dialog.
d) Click the search icon to display the list of Active Directory users.
e) Select the Active Directory user account to use for logging into the selected host and click OK.
f) From the 'localuser' properties dialog, click OK twice.
g) In the Log on to Host dialog, verify your credentials and click OK.
Now you can log into your local host using your Active Directory login credentials.
4. Open QAS Control Center, and locate Login to remote host in the left navigation panel.
a) In the Host name box, enter the name of the Unix host that you prepared for Active Directory log in.
b) In the User name box, enter the name of the local user (such as localuser) to which you have associated
the Active Directory user and click Login.
A PuTTY window displays.
5. Enter the Active Directory user password.
6. After a successful login with the local user, verify that the user obtained a Kerberos ticket.
a) At the Unix host command line, enter
# /opt/quest/bin/vastool klist
The vastool klist command lists the Kerberos tickets stored in a user's credentials cache. This proves
the local user is using the Active Directory user credentials.

Change the Default Unix Attributes


You can modify the Unix attributes that are generated by default when users are Unix-enabled. To change the Login
Shell you must have rights to create and delete child objects in the QAS application configuration in Active Directory.
To change the default Unix attributes

1. Click the Preferences navigation button on the left panel of the QAS Control Center.
2. Expand Global Unix Options.
The window displays the current settings for Unix-enabling users, groups and the method used for creating
unique IDs.
3. Click Modify Global Unix Options… on the right side of the window.
The Modify Global Options dialog opens.
4. Change the Login Shell to /bin/bash and click OK.
The defaults are saved to Active Directory.

Note: Now, when you Unix-enable a user from Active Directory Users and Computers, PowerShell, or
the Unix command line, the login shell defaults to /bin/bash. You can customize the other Unix
defaults similarly.

Add a New Active Directory User and User Group


Quest Authentication Services provides additional tools to help you manage different aspects of migrating Unix
hosts into an Active Directory environment. Links to these tools are available from Tools in the QAS Control Center.
To create a new user and user group in Active Directory

1. Click the Tools navigation button on the left panel of the QAS Control Center.
2. Expand the Quest Authentication Services section.
3. Click QAS Extensions for Active Directory Users and Computers.
The Active Directory Users and Computers Console opens.
Note: Windows Vista/Windows 7: You must have the Remote Server Administration Tools installed
and enabled.

Note: Windows 2003/Windows XP: You must have the Windows 2003 Server Administration Tools
installed.

4. Expand the domain folder and right-click Users.


5. Select New | Group.
The New Object - Group dialog opens.
6. Enter UNIXusers in the Group name box and click OK.
7. Right-click Users again and choose New | User.
The New Object - User wizard starts automatically to guide you through the rest of the user setup process.
8. Enter information to define a new user named testQAS.
The PowerShell examples that follow refer to this user and user group object.
9. After you click Finish, navigate to Users folder in the Active Directory Users and Computers Console.
10. Double-click testQAS to open the Properties dialog.
11. Select the Unix Account tab.
Note: To Unix-enable a user, you can select the Unix-enabled option here or you can use the QAS
PowerShell modules.

12. Do not Unix-enable this user for now; close the Active Directory Users and Computers console and return to the
QAS Control Center.

Use QAS PowerShell


Quest Authentication Services includes PowerShell modules which provide a "scriptable" interface to many QAS
management tasks. You can access a customized PowerShell console from the QAS Control Center Tools navigation
link.
You can perform the following tasks using PowerShell cmdlets:
• Unix-enable Active Directory users and groups
• Unix-disable Active Directory users and groups
• Manage Unix attributes on Active Directory users and groups
• Search for and report on Unix-enabled users and groups in Active Directory
• Install product license files
• Manage QAS global configuration settings
• Find Group Policy objects with Unix/Mac settings configured
Using the QAS PowerShell modules, it is possible to script the import of Unix account information into Active Directory.

To Unix-Enable a User and User Group

1. From the QAS Control Center, navigate to Tools | Quest Authentication Services, if necessary.
2. Click QASPowerShell Console.
Note: The first time you launch the PowerShell Console it asks you if you want to run software from
this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your
system as a trusted entity. Once you have done this you will never be asked this question again.

3. At the PowerShell prompt, enter the following:
Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567
Note: You created the UNIXusers group in a previous exercise. (See Add a New Active Directory User and User Group on page 33.)
Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:
ObjectClass : group
DistinguishedName : CN=UNIXusers,CN=Users,DC=example,DC=com
GroupName : UNIXusers
UnixEnabled : True
GidNumber : 1234567
AdsPath : LDAP://windows.example.com/CN=UNIXusers,CN=Users,DC=example,DC=com
CommonName : UNIXusers

4. At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:
Enable-QasUnixUser testQAS | Set-QasUnixUser -PrimaryGidNumber 1234567
The Unix properties of the user display:
ObjectClass : user
DistinguishedName : CN=testQAS,CN=Users,DC=example,DC=com
UserName : testQAS
UnixEnabled : True
UidNumber : 2062157421
PrimaryGidNumber : 1234567
Gecos :
HomeDirectory : /home/testQAS
LoginShell : /bin/bash
AdsPath : LDAP://windows.example.com/CN=testQAS,CN=Users,DC=example,DC=com
CommonName : testQAS
Note: To disable the testQAS user for Unix login, enter the following at the PowerShell prompt:
Disable-QasUnixUser testQAS

Note: To completely clear all Unix attribute information from the user, enter:
Clear-QasUnixUser testQAS

Now that the user is Unix-enabled, that user can log into systems running the QAS agent.
5. In the left panel of the Control Center, locate Login to remote host.
a) In the Host name box, enter the name of the Unix host that you prepared for Active Directory login.
b) In the User name box, enter the name of the local user, testQAS, and click Login.
A PuTTY window opens.
Note: PuTTY attempts to log in using Kerberos, but fails over to password authentication if Kerberos is not enabled or not properly configured for the remote SSH service.

6. Enter the user's Active Directory password when prompted.

7. After a successful login, verify that the user obtained a Kerberos ticket by entering:
/opt/quest/bin/vastool klist
The vastool klist command lists the Kerberos tickets stored in the user's credential cache. A ticket for the Active Directory principal confirms that the local login used the Active Directory user's credentials.
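The scripted import of Unix account information mentioned at the start of this section, and the Unix-enable steps just walked through, combined into one added example (not code from the Quest guide): the script reads passwd-style records, refuses the batch if two records share a UID, skips users that are already Unix-enabled, and enables the rest with the identifiers the Unix host already uses. It assumes that Get-QasUnixUser takes the user name positionally (as the guide shows for Enable-QasUnixUser) and that Set-QasUnixUser accepts -UidNumber, -Gecos, -HomeDirectory and -LoginShell, names inferred from the property names in the guide's sample output.

```powershell
# Added example: import passwd-style records into Active Directory with the QAS cmdlets.
# Assumed (not shown in the guide): Get-QasUnixUser takes the name positionally, and
# Set-QasUnixUser has -UidNumber, -PrimaryGidNumber, -Gecos, -HomeDirectory, -LoginShell.

# Constructed sample input in /etc/passwd format: name:x:uid:gid:gecos:home:shell
$PasswdRecords = @'
testQAS:x:5001:1234567:Test QAS user:/home/testQAS:/bin/bash
jdoe:x:5002:1234567:Jane Doe:/home/jdoe:/bin/sh
dupe:x:5001:1234567:Collides with testQAS:/home/dupe:/bin/bash
'@

function ConvertFrom-PasswdRecord {
    param([string]$Text)
    $Text -split "`r?`n" | Where-Object { $_ -match ':' } | ForEach-Object {
        $f = $_ -split ':'
        [pscustomobject]@{ Name = $f[0]; Uid = [int]$f[2]; Gid = [int]$f[3]
                           Gecos = $f[4]; Home = $f[5]; Shell = $f[6] }
    }
}

$accounts = ConvertFrom-PasswdRecord $PasswdRecords

# Two records with one UID would map two AD accounts onto a single Unix identity
# (same file ownership and permissions), so reject the whole batch up front.
$dupUids = $accounts | Group-Object Uid | Where-Object Count -gt 1
if ($dupUids) {
    throw "Duplicate UID(s) in import set: $($dupUids.Name -join ', ')"
}

foreach ($acct in $accounts) {
    # Do not overwrite attributes of a user that is already Unix-enabled.
    $existing = Get-QasUnixUser $acct.Name -ErrorAction SilentlyContinue
    if ($existing -and $existing.UnixEnabled) {
        Write-Warning "$($acct.Name) is already Unix-enabled (UID $($existing.UidNumber)); skipping"
        continue
    }
    # Enable with the generated defaults, then replace them with the imported values so
    # the UID and GID stay consistent with files the account already owns on the host.
    Enable-QasUnixUser $acct.Name |
        Set-QasUnixUser -UidNumber $acct.Uid -PrimaryGidNumber $acct.Gid `
                        -Gecos $acct.Gecos -HomeDirectory $acct.Home -LoginShell $acct.Shell
}
```

With the constructed records as given, the script stops at the duplicate-UID check before touching Active Directory; remove the third record to let the import run.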

PowerShell Cmdlets
Quest Authentication Services 4.0 supports the flexible scripting capabilities of PowerShell to automate administrative,
installation, and configuration tasks. A wide range of new PowerShell cmdlets are included in Quest Authentication
Services 4.0:

Table 10: PowerShell Cmdlets

Add-QasLicense: Installs an Authentication Services license file in Active Directory. Licenses installed this way are downloaded by all Unix clients.
Clear-QasUnixGroup: Clears the Unix identity information from a group object in Active Directory. The group is no longer Unix-enabled and no longer exists on Authentication Services Unix clients.
Clear-QasUnixUser: Clears the Unix identity information from a user object in Active Directory. The user is no longer Unix-enabled and no longer exists on Authentication Services Unix clients.
Disable-QasUnixGroup: "Unix-disables" a group. The group will no longer exist on QAS Unix clients. Similar to Clear-QasUnixGroup except that the Unix group name is retained.
Disable-QasUnixUser: Removes an Active Directory user's ability to log in on Unix hosts. (The user still exists.)
Enable-QasUnixGroup: Enables an Active Directory group for Unix by giving it a Unix GID number. The GID number is generated automatically.
Enable-QasUnixUser: Enables an Active Directory user for Unix. The required account attributes (UID number, primary GID, GECOS, login shell and home directory) are generated automatically.
Get-QasSchema: Returns the currently configured schema definition from the Quest Authentication Services application configuration.
Get-QasConfiguration: Returns an object representing the Authentication Services application configuration data stored in Active Directory.
Get-QasGpo: Returns a set of objects representing GPOs with Unix and/or Mac settings configured.
Get-QasLicense: Returns objects representing the Authentication Services product licenses stored in Active Directory.
Get-QasOption: Returns a set of configurable global options stored in Active Directory that affect the behavior of Authentication Services.
Get-QasSchemaDefinition: Returns a set of schema templates that are supported by the current Active Directory forest.
Get-QasUnixGroup: Returns an object that represents an Active Directory group as a Unix group. The returned object can be piped into other cmdlets such as Clear-QasUnixGroup or Enable-QasUnixGroup.
Get-QasUnixUser: Returns an object that represents an Active Directory user as a Unix user. The returned object can be piped into other cmdlets such as Clear-QasUnixUser or Enable-QasUnixUser.
Get-QasVersion: Returns the version of Authentication Services currently installed on the local host.
Move-QasConfiguration: Moves the Authentication Services application configuration information from one container to another in Active Directory.
New-QasAdConnection: Creates an object that represents a connection to Active Directory using the specified credentials. You can pass a connection object to most Authentication Services cmdlets to execute commands using different credentials.
New-QasArsConnection: Creates an object that represents a connection to a Quest ActiveRoles Server using the specified credentials. You can pass a connection object to most Authentication Services cmdlets to execute commands using different credentials.
New-QasConfiguration: Creates a default Authentication Services application configuration in Active Directory and returns an object representing the newly created configuration.
Remove-QasConfiguration: Accepts an Authentication Services application configuration object as input and removes it from Active Directory. This cmdlet produces no output.
Remove-QasLicense: Accepts an Authentication Services product license object as input and removes the license from Active Directory. This cmdlet produces no output.
Set-QasOption: Accepts an Authentication Services options set as input and saves it to Active Directory.
Set-QasSchema: Accepts an Authentication Services schema template as input and saves it to Active Directory as the schema template that will be used by all Authentication Services Unix clients.
Set-QasUnixGroup: Accepts a Unix group object as input and saves it to Active Directory. You can also set specific attributes using command line options.
Set-QasUnixUser: Accepts a Unix user object as input and saves it to Active Directory. You can also set specific attributes using command line options.

Track Changes to Active Directory


Quest ChangeAuditor allows you to track changes and send alerts on:
• Changes to Active Directory objects and attributes
• Changes to Unix and Mac settings in Group Policy Objects
• Changes to product settings and configuration

Install Quest ChangeAuditor


To install Quest ChangeAuditor
Note: ChangeAuditor installation requires a license file. A limited license for ChangeAuditor is included with Quest Authentication Services; however, to take advantage of all Quest ChangeAuditor functionality, you must purchase a full ChangeAuditor license.

1. Insert the QAS distribution media.
The Autorun Home page displays.
Note: If the Autorun Home page does not display, navigate to the root of the distribution media and double-click autorun.exe.

2. Click the Setup tab and select Quest ChangeAuditor.
The Quest ChangeAuditor for Active Directory web page opens.
3. Click the Download link in the left navigation panel.
4. Follow the online instructions to gain access to the Trial Download page.
5. From the Trial Download: ChangeAuditor for Active Directory page, click the Installation Guide link.
6. Read the ChangeAuditor Installation Guide to obtain detailed steps for installing Quest ChangeAuditor.

Enable Strong Authentication


Quest Defender, another Quest product, provides strong authentication functionality that makes it possible for an
Active Directory user to use a hardware or software token to authenticate to Unix, Linux or Mac platforms.

Install Quest Defender


In order to use strong authentication you must download and install Quest Defender.
To install Quest Defender
Note: Quest Defender installation requires a license file. A fully-functional 25-user license for Defender is included with Quest Authentication Services.

1. Insert the QAS distribution media.
The Autorun Home page displays.
Note: If the Autorun Home page does not display, navigate to the root of the distribution media and double-click autorun.exe.

2. From the Home page, click the Setup tab.
3. From the Setup page, click Quest Defender.
The Quest Defender web page opens.
4. Click the Download link in the left navigation panel.
5. Follow the online instructions to gain access to the Trial Download page.
6. From the Trial Download: Defender page, click the Defender Documentation Archive link.
7. Read the Defender Installation Guide to obtain detailed steps for installing Quest Defender.
8. Once you have installed Quest Defender, see the Quest Defender Integration Guide, located on the QAS Control Center Tools page or in the docs directory of the QAS installation media, for detailed configuration instructions on integrating Quest Defender with Quest Authentication Services.

Index

A
Active Directory 12
  changing configuration settings 12
Active Directory configuration 18
  determines schema mappings 18
  moving the configuration data 18
  purpose defined 18
  updating 18
  validates license information 18
Active Directory schema 29
  how Quest Authentication Services uses 29
ActiveRoles Server option 17, 18
  not available if ActiveRoles Server agent is not installed 17, 18

B
Best Practice: 27, 29, 30
  add Unix identity attributes to global catalog 30
  index attributes in Active Directory 30
  use generated UIDs and GIDs 27
  use schema designed for storing Unix data in AD 29, 30

C
contacting 9
Control Center 24, 25, 26, 27, 28, 29, 30
  described 24, 25, 26, 27, 28, 29, 30
  must be logged in as domain user 24, 25, 26, 27, 28, 29, 30
conventions 8
customize the schema mapping 30

D
debug logging 28
  enabling 28

E
enable debug logging 28

F
Filter Options 25

G
global settings modifications 24, 25, 26, 27, 28, 29, 30
Global Unix Options 27
Group Policy 25, 26
  managing core aspects 25, 26
  viewing objects 25, 26

I
install software agents on host 19
  requires elevated privileges 19

J
join host to Active Directory 19
  requires elevated privileges 19

L
LDAP attributes 29, 30
  mapped to Unix attributes 29, 30
license 12, 26
  installing 12, 26
License 26
  adding 26
Logging 28
  enabling 28
  setting options 28

O
Optimize Schema 30
  requires AD administrator rights 30

P
performance and scalability 30
Permissions 12
  required 12
PosixAccount auxiliary class schema extension 29
Preferences 26, 27, 28, 29, 30
  configuring settings 26, 27, 28, 29, 30

Q
Quest One Identity Solution 8
Quest Support 9

R
Reports 31
  required AD rights 24, 25, 26, 27, 28, 29, 30
Requirements: 12
  Windows Permissions 12

S
schema 29, 30
  configuration 29, 30
  Custom Unix attributes 29, 30
  extensions 29, 30
  LDAP attributes 29, 30
  templates 29, 30
  Unix attributes 29, 30
schema configuration 29
  defined 29
schema extension 29
  PosixAccount auxiliary class 29
schema mappings 30
  customizing 30
  index and replicate GID and UID attributes to global catalog 30
standard Active Directory schema extensions 29

T
TERM 20
Troubleshooting 28
  using logs 28

U
Unix Group ID (GID) 27
Unix identity management tasks 18, 19, 20
  performing from QAS Control Center 18, 19, 20
Unix User ID (UID) 27
  set global value 27
  where to set 27
