Evaluation Guide
Copyright (c) 2010 Quest Software, Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished
under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the
terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use
without the written permission of Quest Software, Inc.
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel
or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products.
EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING
TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS
DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations
or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to
make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment
to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Refer to our Web site for regional and international office information.
Patents
Protected by U.S. Patent # 7,617,501. Additional patents pending.
Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, Big
Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery,
Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert,
Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech,
LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo,
PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic,
SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage
Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI,vFoglight, vPackager, vRanger,
vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore
vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc
in the United States of America and other countries. Other trademarks and registered trademarks are property of their
respective owners.
Third Party Contributions
This product may contain one or more of the following third party components. For copies of the text of any license listed,
please go to http://www.quest.com/legal/third-party-licenses.aspx .
Component: Notes
Apache Commons 1.2: Apache License Version 2.0, January 2004
Boost: Boost Software License Version 1.0, August 2003
Expat 2.0.0: © 1998, 1999, 2000 Thai Open Source Software Center Ltd
Heimdal Krb/GSSapi 1.2: © 2004 - 2007 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved.
OpenSSL 0.9.8d: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). © 1998-2008 The OpenSSL Project. All rights reserved.
Quest Authentication Services | TOC | 5
Contents
Chapter 1
About This Guide
Topics:
• Quest One Identity Solution
• Conventions
• About Quest Software
• Contacting Quest Support
Welcome to the Quest Authentication Services Evaluation Guide.
This is a self-directed, hands-on evaluation of Quest Authentication Services. The content includes a product overview, installation instructions, and a "Getting Started" section that will help you get acquainted with the QAS Control Center, and how to use QAS to accomplish basic system administration tasks.
The guide is divided into three sections:
• Introducing Quest Authentication Services on page 11
• Installing and Configuring QAS on page 15
• Getting Started with QAS on page 23
Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions apply to procedures, icons, keystrokes and cross-references.
Element: Convention
Select: This word refers to actions such as choosing or highlighting various interface elements, such as files and radio buttons.
Bold text: Used to indicate elements that appear in the graphical user interface that you are to select, such as the OK button.
Italic text: Interface elements that appear in Quest products, such as menus and commands.
courier text: Used to indicate host names, file names, program names, command names, and file paths.
Blue Text: Indicates an interactive link to a related topic.
Note icon: Used to highlight additional information pertinent to the process or topic being described.
+: A plus sign between two keystrokes means that you must press them at the same time.
|: A pipe sign between elements means that you must select the elements in that particular sequence.
About Quest Software
Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products—helping our customers solve everyday IT challenges easier and faster. Contact Quest for more information:
Contacting Quest Software
Public Forum
The Community site is a place to find answers and advice, join a discussion forum, or get the latest documentation and release information: Inside Vintela.
Chapter 2
Introducing Quest Authentication Services
Topics:
• Licensing QAS
• System Requirements
• Windows Permissions
• Unix Permissions
Quest Authentication Services (formerly Vintela Authentication Services) is patented technology that enables organizations to extend the security and compliance of Active Directory to Unix, Linux, and Mac platforms and enterprise applications. It addresses the compliance need for cross-platform access control, the operational need for centralized authentication and single sign-on, and enables the unification of identities and directories for simplified identity and access management.
Licensing QAS
Quest Authentication Services must be licensed in order for Active Directory users to authenticate on Unix and Mac
hosts.
Note: While you can install and configure QAS on Windows and use the included management tools to
Unix-enable users and groups in Active Directory without installing a license, you must have the QAS
license installed for full QAS functionality.
System Requirements
Prior to installing Quest Authentication Services, ensure your system meets the minimum hardware and software
requirements for your platform. QAS consists of Windows management tools and Unix integration agents.
Quest Authentication Services 4.0 supports: Windows 7, Vista, XP, Windows 2008 and Windows 2003.
For a list of supported QAS platforms, refer to the Quest Authentication Services Platform Support.
Windows Permissions
To install QAS on Windows, you must have:
• Local administrator rights
• Rights to create a container and a child container in Active Directory (first-time only)
Authenticated Users must have rights to read cn, displayName, description, and whenCreated attributes for container
objects located under the root Active Directory configuration container. To change Active Directory configuration
settings, Administrators must have rights to Create Child Object (container) and Write Attribute for cn, displayName,
description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.
Unix Permissions
To install QAS on Unix, Linux, or Mac, you must have root access rights.
Chapter 3
Installing and Configuring QAS
Topics:
• Install the Web Console
• Install QAS Windows Components
• Configure Active Directory for QAS
• Configure Unix Agent Components
To extend the authentication, authorization, and administration infrastructure of Active Directory to the rest of your enterprise, allowing Unix, Linux, and Mac systems to act as full citizens within Active Directory, follow these steps:
1. Install the Quest Identity Manager for Unix web console.
2. Install Quest Authentication Services Windows components.
3. Configure Active Directory for QAS.
4. Configure the web console for Active Directory.
5. Prepare the Unix hosts for Active Directory user access by means of the Quest Identity Manager for Unix following these steps:
• Add and profile a host, to prepare a host for Active Directory log in.
• Check the host for readiness to join Active Directory.
• Install QAS agent software on the host to allow Active Directory user access.
Note: For users to authenticate on Unix, Linux, and Mac hosts with Active Directory credentials, your Unix hosts must have the QAS agent installed.
5. On the Complete page, leave the Launch Quest Identity Manager for Unix option unselected when you click
Finish to exit the install wizard and return to the Autorun Setup tab.
Install QAS Windows Components
Once you have installed Quest Identity Manager for Unix, you are ready to install or upgrade the QAS Windows Components.
1. From the Autorun Setup page, click Quest Authentication Services to launch the Setup wizard.
2. Click Next at the Welcome page and follow the wizard prompts.
3. Leave the Launch Quest Authentication Services option selected on the InstallShield Wizard Complete page, and
click Finish to automatically start the QAS Control Center.
Note: If this is the first time running QAS Control Center, the QAS Active Directory Configuration Wizard starts automatically to walk you through the process of configuring Active Directory for QAS. This is a one-time task; if the configuration has already been performed, the QAS Control Center launches when you click Finish.
Configure Active Directory for QAS
1. At the QAS Active Directory Configuration Wizard Welcome page, click Next.
2. At the Connect to Active Directory page:
a) Provide Active Directory login credentials for the wizard to use for this task:
• Select Use my current AD logon credentials if you are a user with permission to create a container in
Active Directory.
• Select Use different AD logon credentials to specify the Active Directory credentials of another user and
enter the User name and Password.
Note: The wizard does not save these credentials; it only uses them for this setup task.
3. At the License QAS 4.0 page, browse to select your license file and click Next.
Note: You can add additional licenses later from the QAS Control Center Preferences Licensing page.
4. At the Configure Settings in Active Directory page, accept the default location in which to store the configuration
or browse to select the Active Directory location where you want to create the container and click Setup.
Note: You must have rights to create a container in the selected location. For more information on
the structure and rights required see Windows Permissions on page 12.
5. Once you have configured Active Directory for QAS, click Close.
The QAS Control Center opens. You can now begin using QAS Control Center to manage your Unix hosts.
Follow the steps outlined on the QAS Control Center Home page to get your Unix agents ready.
Of course, you may perform your Unix agent management tasks from the Unix command line, if you prefer. You can
find those instructions in the Quest Authentication Services Administrator's Guide, located in the QAS Control Center
Tools page in the Documentation section, or in the docs directory of the Installation media.
Configure the Web Console for Active Directory
1. From the QAS Control Center, click the Web Console link in the left-navigation pane.
The first time you launch the web console, the setup wizard asks how you plan to use Quest Identity Manager for Unix.
2. On the Setup Quest Identity Manager for Unix page, indicate that you have a license and click Next.
3. On the Configure console for Quest Authentication Services page,
a) Enter the name of the domain you will manage with the web console.
b) Enter the user name and password and click Verify Configuration.
c) When you see the message that indicates your AD configuration is verified, click Next.
4. On the Set up console access page, select at least one Active Directory account to access the web console and
click Next.
5. On the Identify Console page, enter information about this console and click Next.
The QAS Control Center uses this information to find and identify this console on the network.
6. On the Set console password page, enter a password for the web console supervisor account and click Next.
Note: The Supervisor is the only account that has rights to modify system settings in Quest Identity
Manager for Unix.
1. From the Quest Identity Manager for Unix Getting Started page, click the middle button entitled Get started with
the Add and Join Host wizard.
2. At the Welcome page, click Next.
3. In the Add and Profile Host page:
a) Enter the name of the Unix host you want to add.
b) Enter the login credentials and the SSH Port number for that Unix host.
c) (Optional) Indicate if you want to Run task as another user (su) and enter the appropriate information in the User name and Password boxes.
d) Click Add and profile host.
Note: If the Validate Host SSH Keys dialog displays, select the hosts and click OK to accept the new
fingerprint for each host and cache them on the server.
Note: If you are performing an upgrade and attempted to add and join a host that was previously
joined to your Active Directory domain, the Add and Join a Host process displays a Summary page
that indicates the wizard will skip the remaining steps.
5. At the Select Software to Install page, select services and components you want to install on your host and click
Install.
6. At the Join the Host to Active Directory page:
a) Enter the name of the domain to which you want to join the host.
b) Enter the computer account name.
Leave this blank to generate a name based on the host DNS name.
c) Enter a name for the container where you want to create the computer account.
Leave this blank to create the computer account in the "computers" container.
d) Enter your Active Directory login credentials and click Join Host to AD.
7. At the Summary page, click View the host properties to close the wizard and open the host Properties page; or
click Close to close the wizard and go to the All Hosts tab of Quest Identity Manager for Unix.
8. Click the Getting Started tab to prepare for the next step.
1. From the Getting Started tab, click the Go to the Active Directory view to enable AD users button.
The Quest Identity Manager for Unix web console's Active Directory tab opens.
2. Click the search control next to the Search by name box to search for Active Directory objects and locate an Active Directory user.
Note: For step-by-step instructions on using the search controls at the top of this page refer to the
Quest Identity Manager for Unix Administrator's Guide. You can access it from the web console Help |
PDF link.
Once enabled for Unix, you can log on to the host with that Active Directory user's log on name and password.
6. Enter the Host name and User name in the Login to remote host boxes in the left navigation panel of the QAS Control Center and click Login.
7. At the command line, enter the password.
Note: Refer to Getting Started with QAS on page 23 to learn how to do some basic
system administration tasks using the QAS Control Center and Quest Identity Manager
for Unix.
Chapter 4
Getting Started with QAS
Topics:
• Getting Acquainted with the QAS Control Center
• Learning the Basics
Once you have successfully installed QAS you will want to learn how to do some basic system administration tasks using the QAS Control Center and Quest Identity Manager for Unix.
Web Console: You can run the new web console (Quest Identity Manager for Unix) within the QAS Control Center or you can run it separately in a supported web browser. The console is a separate install that you can launch from the ISO. You can install it on Windows, Unix, Linux, or Mac and typically you would install it one time per environment.
Group Policy: Provides the ability to search on Active Directory Group Policy Objects that have Unix and Mac settings defined. Also provides links to edit these GPOs and run reports that show the detailed settings of the Group Policy Objects.
Tools: Contains links to tools and resources additionally available with Quest Authentication Services, a great starting place for anyone new to the product.
Preferences: Centrally manage the preferences and settings of Quest Authentication Services. This capability affects the behavior of all the ADUC snap-ins installed in an environment. The settings also impact the default behavior of the included PowerShell cmdlets and even the Unix command-line tools (/opt/quest/bin/vastool).
Note: The Preferences section now is a place to centrally manage the default values that are generated by the various Authentication Services management tools, including the ADUC snap-in, the PowerShell cmdlets, and the Unix command-line tools (for example /opt/quest/bin/vastool).
Log into remote host: A simple SSH client (built on PuTTY) for remote access to Unix systems; it saves new installs from having to find and install a separate PuTTY client.
To run QAS Control Center you must be logged in as a domain user. To make changes to global settings you must
have rights in Active Directory to create, delete, and modify objects in the QAS configuration area of Active Directory.
Web Console
Quest Identity Manager for Unix allows you to centrally manage Quest Authentication Services agents running on
Unix, Linux and Mac OS X systems. With the web console you can:
Group Policy
The QAS Control Center Group Policy window is a single place for managing core aspects of Group Policy. This is
similar to the Group Policy Management Console, but specific to Unix GPOs. The window allows you to conveniently
view group policy objects that contain Unix and Mac settings. You can show all GPOs or just those with Unix settings,
Mac settings or both by checking the appropriate boxes.
Filter Options
To filter the list of GPOs
1. Double-click Filter Options or click the expansion arrow in the right corner of the window.
2. Enter all or part of a name to filter the list of GPOs.
3. Open the Domain drop down menu to choose a domain.
4. Select the Unix Settings or Mac Settings List Only options to further filter the GPO list.
If you select both options, only the GPOs configured for both Unix and Mac display.
Edit GPO
To edit a group policy object
From the Group Policy window, select a GPO in the list and click Edit GPO... from the Actions menu.
The Group Policy Object Editor opens for the selected GPO.
Note: For more information about the Group Policies, refer to the QAS Administrator's Guide, located
in QAS Control Center Tools page in the Documentation section, or in the docs directory of the
installation media.
Settings Report
A settings report displays all of the Quest Authentication Services group policy object settings that apply to Unix or
Mac systems.
To generate a Unix settings report
From the Group Policy window, select a GPO Name and click Settings Report... from the Actions menu.
An HTML report of the currently configured Unix and Mac settings displays.
Note: You can select multiple GPOs to run several reports simultaneously.
Show Files
To open Windows Explorer
From the Group Policy window, select a GPO in the list and click Show Files... from the Actions menu.
Windows Explorer opens and displays the Group Policy Templates for the selected GPO.
Launch GPMC
To launch the Group Policy Management Console
From the Group Policy window, click Launch GPMC... from the Actions menu.
Tools
The Tools link on the QAS Control Center gives you access to
• Quest Authentication Services
Direct links to installed applications and tools related to Quest Authentication Services.
• Additional Quest Products
Direct links to other Quest product plug ins.
Note: The Additional Quest Products link is only available if you have installed other Quest products such as Quest Defender, Authentication Services for Smart Cards, or ActiveRoles Server.
• Other Tools
Direct links to tools related to Quest Authentication Services.
Note: The Other Tools link is only available if you have installed the Group Policy Management
Console.
• Documentation
Direct links to Quest Authentication Services documentation.
Preferences
Quest Authentication Services stores certain preferences and settings in Active Directory. This information is used
by QAS clients and management tools so that behavior remains consistent across all platforms and tools. The
Preferences window allows you to configure these settings and preferences.
Licensing
The Licensing section of the Preferences window in the QAS Control Center displays a list of installed license files. You
can add and remove license files at any time. The license files are stored in Active Directory and QAS Unix hosts
automatically download and apply new license files from Active Directory.
Licensing QAS
1. Click the Preferences navigation button on the left panel of the QAS Control Center.
2. Expand the Licensing section.
The list box displays all licenses currently installed in Active Directory.
3. Click Add a license... from the Actions menu.
Option: Description
Require unique user login names: Select to require a unique user login name attribute within the forest.
Require unique UID on users: Select to require a unique user's Unix ID (UID) number within the forest.
Minimum UID Number: Enter a minimum value for the Unix User ID (UID) number. Typically you set this to a value higher than the highest UID among local Unix users to avoid conflicts with users in Active Directory and local user accounts.
Maximum UID Number: Enter a maximum value for the Unix User ID (UID) number. Typically you would not change this value unless you have a legacy Unix platform that does not support the full 32-bit integer range for UID number.
Primary GID Number: Enter the default value for the Primary GID number when Unix-enabling a user.
Set primary GID to UID: Select to set the primary GID number to the User ID number.
Default Comments (GECOS): Enter any text in this box.
Login Shell: Enter the default value for the login shell used when Unix-enabling a user.
Home Directory: Enter the default prefix used when generating the home directory attribute when Unix-enabling a user. The default value is /home/; use a different value if your Unix user home directories are stored in another location on the file system. QAS uses the user's effective Unix name when generating the full home directory path.
Use lowercase user name for home directory: Select to use a lower-case representation of the user's effective Unix name when generating the full home directory path as a user is Unix-enabled.
Option: Description
Require unique Group Names: Select to require a unique Unix group name attribute within the forest.
Require unique GID Number: Select to require a unique Unix Group ID (GID) attribute within the forest.
Minimum GID Number: Enter the minimum value for the Unix Group ID (GID). Typically this is set to a value higher than the highest GID among local Unix groups to avoid conflicts with groups in Active Directory and local group accounts.
Maximum GID Number: Enter the maximum value for the Unix Group ID (GID). Typically you would not change this value unless you have a legacy Unix platform that does not support the full 32-bit integer range for GID.
Modifications you make to these Global Unix Options take effect after you restart the Microsoft Management Console
(MMC).
Note: It is a best practice to either use the generated default IDs or set the ID manually. Mixing the two
methods can lead to ID conflicts.
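The option tables above describe a policy rather than a mechanism. The Python model below is an added example, not Quest's code: it applies the user options (unique login names and UIDs within the forest, the UID range, the default or UID-equal primary GID, default GECOS and login shell, and the home-directory prefix with the optional lowercase name) when Unix-enabling a user against a constructed in-memory forest, and it reports the UID conflicts the note warns about when generated and manually set IDs are mixed. The lowest-free-UID allocation, the sample range and shell, the user names, and the 1234567 GID (taken from the PowerShell output later in this guide) are assumptions made for the example.

```python
"""Worked model of the QAS Global Unix Options for Unix-enabling users.

Added example, not Quest's code: re-implements the rules the option tables
describe over an in-memory stand-in for the forest. The "lowest free UID in
range" allocation is an assumption for the example; the real management tools
generate IDs their own way.
"""
import posixpath
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class GlobalUnixOptions:
    """Mirror of the user-related Global Unix Options (names follow the tables)."""
    require_unique_login_names: bool = True
    require_unique_uid: bool = True
    min_uid: int = 10000            # assumed value, set above the highest local UID
    max_uid: int = 2_147_483_647    # full 32-bit signed integer range
    primary_gid: int = 1234567      # default Primary GID Number (value from this guide's sample output)
    set_primary_gid_to_uid: bool = False
    default_gecos: str = ""
    login_shell: str = "/bin/sh"    # assumed default; the guide later changes it to /bin/bash
    home_prefix: str = "/home/"     # Home Directory prefix, the default named in the table
    lowercase_home: bool = False    # "Use lowercase user name for home directory"


@dataclass
class UnixUser:
    user_name: str
    uid_number: int
    primary_gid_number: int
    gecos: str
    home_directory: str
    login_shell: str


class Forest:
    """Constructed stand-in for the Unix-enabled users visible in Active Directory."""

    def __init__(self, opts: GlobalUnixOptions) -> None:
        self.opts = opts
        self.users: Dict[str, UnixUser] = {}   # keyed by sAMAccountName

    def _next_free_uid(self) -> int:
        """Generated method: lowest UID in range not already used (assumption)."""
        taken = {u.uid_number for u in self.users.values()}
        for uid in range(self.opts.min_uid, self.opts.max_uid + 1):
            if uid not in taken:
                return uid
        raise RuntimeError("no free UID left in the configured range")

    def enable_unix_user(self, sam: str, uid: Optional[int] = None,
                         unix_name: Optional[str] = None) -> UnixUser:
        """Unix-enable `sam`; uid=None generates an ID, a value is the manual method."""
        o = self.opts
        unix_name = unix_name or sam          # effective Unix name defaults to the AD name
        if o.require_unique_login_names and any(
                u.user_name == unix_name for u in self.users.values()):
            raise ValueError(f"Unix login name {unix_name!r} is already used in the forest")
        if uid is None:
            uid = self._next_free_uid()
        if not o.min_uid <= uid <= o.max_uid:
            raise ValueError(f"UID {uid} is outside the range {o.min_uid}-{o.max_uid}")
        if o.require_unique_uid and any(u.uid_number == uid for u in self.users.values()):
            raise ValueError(f"UID {uid} is already used in the forest")
        gid = uid if o.set_primary_gid_to_uid else o.primary_gid
        home_name = unix_name.lower() if o.lowercase_home else unix_name
        user = UnixUser(
            user_name=unix_name,
            uid_number=uid,
            primary_gid_number=gid,
            gecos=o.default_gecos,
            home_directory=posixpath.join(o.home_prefix, home_name),  # prefix + effective name
            login_shell=o.login_shell,
        )
        self.users[sam] = user
        return user


def find_uid_conflicts(forest: Forest) -> Dict[int, List[str]]:
    """Return {uid: [account names]} for every UID shared by more than one user.

    This is the audit to run when uniqueness enforcement was off or generated and
    manually set IDs have been mixed, the situation the note warns about.
    """
    by_uid: Dict[int, List[str]] = {}
    for sam, user in forest.users.items():
        by_uid.setdefault(user.uid_number, []).append(sam)
    return {uid: sorted(sams) for uid, sams in by_uid.items() if len(sams) > 1}


if __name__ == "__main__":
    opts = GlobalUnixOptions(min_uid=10000, max_uid=10010,
                             login_shell="/bin/bash", lowercase_home=True)
    forest = Forest(opts)
    print(forest.enable_unix_user("TestQAS"))       # generated UID 10000, home /home/testqas
    print(forest.enable_unix_user("bob"))           # generated UID 10001
    try:
        forest.enable_unix_user("carol", uid=10000)  # manual UID colliding with a generated one
    except ValueError as exc:
        print("rejected:", exc)
```

Switching `require_unique_uid` off lets the colliding manual UID through, and `find_uid_conflicts` is then the only thing that surfaces the duplicate; that is why the note recommends picking one ID method and keeping uniqueness enforcement on.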
Logging Options
The Logging Options section allows you to enable logging for all Quest Authentication Services Windows components.
This setting only applies to the local computer. Logging can be helpful when trying to troubleshoot a particular
problem. Because logging causes components to run slower and use more disk space, you should set the Log Level
to disabled when you are finished troubleshooting.
Enable Debug Logging on Windows
To enable debug logging for all Quest Authentication Services Windows components
1. Open QAS Control Center and click the Preferences navigation button on the left panel.
2. Expand the Logging Options section.
3. Open the Log level drop-down menu and set the log level to Debug.
Debug generates the most log output. Higher levels generate less output. You can set the Log level to Disabled to disable logging.
4. Specify the folder location where you want to write the log files.
Quest Authentication Services Windows components log information into the specified log folder the next time
they are loaded. Each component logs to a text file named after the DLL or EXE that generates the log message.
Note: It is a best practice to use a schema designed for storing Unix data in Active Directory whenever
possible. Schemas designed for storing Unix data in Active Directory include: Windows 2003 R2, SFU 2,
and SFU 3. Only use "schemaless" or custom mappings if it is impossible to make schema extensions in
your environment.
With QAS 4.0 it is possible to customize the schema setup to work with any schema configuration. No schema
extensions are necessary with the new "schemaless" storage feature. When you configure QAS for the first time, QAS
attempts to auto-detect the best schema configuration for your environment. The schema configuration is a global
application setting that applies to all QAS management tools and Unix agents. You can change the detected settings
at any time using QAS Control Center.
1. Open the QAS Control Center and click the Preferences navigation button on the left panel.
2. Expand the Custom Unix Attributes.
3. Click Customize....
4. Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type attributes except User ID Number, User Primary Group ID and Group ID Number, which may be integers. If an attribute does not exist or is of the wrong type, the border turns red, indicating that the LDAP attribute is invalid.
Note: To customize the schema mapping, ensure that the attributes used for User ID Number and
Group ID Number are indexed and replicated to the global catalog.
This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize your schema, QAS Control Center generates a schema optimization script instead. You can send the script to an Active Directory administrator who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
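The Customize step states its rules only as what makes the border turn red. The following Python check is an added example, not Quest's code: it validates a proposed attribute mapping against a constructed schema snapshot and reports unknown attributes, non-string attributes outside the three integer-capable fields, and User ID Number or Group ID Number attributes that are not indexed or not replicated to the global catalog. The field labels, the snapshot format and both sample mappings are assumptions made for the example; a real check would read the attributeSchema objects from the directory.

```python
"""Validate a custom Unix attribute mapping against a schema snapshot.

Added example, not Quest's code. Encodes the rules from the Customize step:
every mapped LDAP display name must exist; all must be string-typed except
User ID Number, User Primary Group ID and Group ID Number, which may be
integers; and the attributes used for User ID Number and Group ID Number must
be indexed and replicated to the global catalog.
"""
from typing import Dict, List, Tuple

# Fields whose attribute may be an integer; every other field needs a string attribute.
INTEGER_ALLOWED = {"User ID Number", "User Primary Group ID", "Group ID Number"}
# Fields whose attribute must be indexed and present in the global catalog.
GC_INDEX_REQUIRED = {"User ID Number", "Group ID Number"}

# Constructed schema snapshot (assumed format): ldapDisplayName -> syntax, index, GC flag.
SAMPLE_SCHEMA: Dict[str, Dict[str, object]] = {
    "uidNumber":          {"syntax": "Integer",      "indexed": True,  "in_gc": True},
    "gidNumber":          {"syntax": "Integer",      "indexed": False, "in_gc": True},
    "unixHomeDirectory":  {"syntax": "String",       "indexed": False, "in_gc": False},
    "loginShell":         {"syntax": "String",       "indexed": False, "in_gc": False},
    "gecos":              {"syntax": "String",       "indexed": False, "in_gc": False},
    "uid":                {"syntax": "String",       "indexed": True,  "in_gc": True},
    "employeeNumber":     {"syntax": "String",       "indexed": False, "in_gc": False},
    "lastLogonTimestamp": {"syntax": "LargeInteger", "indexed": True,  "in_gc": True},
}


def validate_mapping(mapping: Dict[str, str],
                     schema: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (field, problem) pairs; an empty list means the mapping is acceptable."""
    problems: List[Tuple[str, str]] = []
    for field, attr in mapping.items():
        props = schema.get(attr)
        if props is None:
            problems.append((field, f"attribute {attr!r} does not exist"))
            continue
        syntax = props["syntax"]
        # Strings are always acceptable; integers only for the three ID fields.
        if not (syntax == "String" or (syntax == "Integer" and field in INTEGER_ALLOWED)):
            problems.append((field, f"{attr!r} has syntax {syntax}; a string attribute is required"))
        # UID and GID lookups happen forest-wide, hence the index and GC requirement.
        if field in GC_INDEX_REQUIRED:
            if not props["indexed"]:
                problems.append((field, f"{attr!r} is not indexed"))
            if not props["in_gc"]:
                problems.append((field, f"{attr!r} is not replicated to the global catalog"))
    return problems


# Constructed mapping that follows the rules (field labels are assumed).
GOOD_MAPPING = {
    "User Name": "uid",
    "User ID Number": "uidNumber",
    "User Primary Group ID": "gidNumber",
    "Comments (GECOS)": "gecos",
    "Home Directory": "unixHomeDirectory",
    "Login Shell": "loginShell",
}

# Constructed mapping with the mistakes the red border would flag.
BAD_MAPPING = {
    "Home Directory": "unixHomeDir",        # misspelled: not in the snapshot
    "User ID Number": "employeeNumber",     # string is allowed, but neither indexed nor in the GC
    "Group ID Number": "gidNumber",         # integer is fine, but not indexed
    "Login Shell": "lastLogonTimestamp",    # wrong syntax for a string-only field
}

if __name__ == "__main__":
    print("good mapping:", validate_mapping(GOOD_MAPPING, SAMPLE_SCHEMA))
    for field, problem in validate_mapping(BAD_MAPPING, SAMPLE_SCHEMA):
        print(f"{field}: {problem}")
```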
Run Reports
QAS allows you to run various reports to capture key information about your Unix hosts and the Active Directory domains
joined to these hosts.
To run reports
1. From the Quest Identity Manager for Unix web console, click the Reporting tab.
2. Click the Reports tab.
3. Expand the report group names to view the available reports, if necessary.
• Host Reports
Unix host information gathered during the profiling process.
• User Reports
Local and AD Unix user information
• Group Reports
Local and AD Unix group information
• Logon Policy Reports
Log on Policy information
4. Assuming that you successfully added a host and joined it to the domain during the installation process, open
the Host Reports group and click the icon to run the Unix Host Migration Planning report.
5. Review the report parameters.
Note that all of the report parameters are selected by default. This information will be included in the report. To
exclude information from the report, unselect the parameter.
6. Click Generate report as to open a context menu from which you can select a format for the report: HTML, PDF
(default), XML, XLS or RTF.
7. Select a format to launch a new browser or application page displaying the report in the selected format.
8. When you have reviewed the report, you may close it or save it for later reference.
d)
Click to display the list of Active Directory users.
e) Select the Active Directory user account to use for logging into the selected host and click OK.
f) From the 'localuser' properties dialog, click OK twice.
g) In the Log on to Host dialog, verify your credentials and click OK.
Now you can log into your local host using your Active Directory login credentials.
4. Open QAS Control Center, and locate Login to remote host in the left navigation panel.
a) In the Host name box, enter the name of the Unix host that you prepared for Active Directory log in.
b) In the User name box, enter the name of the local user (such as localuser) to which you have associated the Active Directory user and click Login.
A PuTTY window displays.
5. Enter the Active Directory user password.
6. After a successful login with the local user, verify that the user obtained a Kerberos ticket.
a) At the Unix host command line, enter
# /opt/quest/bin/vastool klist
The vastool klist command lists the Kerberos tickets stored in a user's credentials cache. This proves
the local user is using the Active Directory user credentials.
1. Click the Preferences navigation button on the left panel of the QAS Control Center.
2. Expand Global Unix Options.
The window displays the current settings for Unix-enabling users, groups and the method used for creating
unique IDs.
3. Click Modify Global Unix Options… on the right side of the window.
The Modify Global Options dialog opens.
4. Change the Login Shell to /bin/bash and click OK.
The defaults are saved to Active Directory.
Note: Now, when you Unix-enable a user from Active Directory Users and Computers, PowerShell, or
the Unix command line, the login shell defaults to /bin/bash. You can customize the other Unix
defaults similarly.
1. Click the Tools navigation button on the left panel of the QAS Control Center.
2. Expand the Quest Authentication Services section.
3. Click QAS Extensions for Active Directory Users and Computers.
The Active Directory Users and Computers Console opens.
Note: Windows Vista/Windows 7: You must have the Remote Server Administration Tools installed
and enabled.
34 | Quest Authentication Services | Getting Started with QAS
Note: Windows 2003/Windows XP: You must have the Windows 2003 Server Administration Tools
installed.
12. Do not Unix-enable this user for now; close the Active Directory Users and Computers console and return to the
QAS Control Center.
1. From the QAS Control Center, navigate to Tools | Quest Authentication Services, if necessary.
2. Click QASPowerShell Console.
Note: The first time you launch the PowerShell Console it asks you if you want to run software from
this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your
system as a trusted entity. Once you have done this you will never be asked this question again.
Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured
earlier and look similar to the following:
ObjectClass : group
DistinguishedName : CN=UNIXusers,CN=Users,DC=example.,DC=com
GroupName : UNIXusers
UnixEnabled : True
GidNumber : 1234567
AdsPath : LDAP://windows.example.com/CN=UNIXusers,CN=Users,DC=example,DC=com
CommonName : UNIXusers
4. At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:
Enable-QasUnixUser testQAS | Set-QasUnixUser -PrimaryGidNumber 1234567
The Unix properties of the user display:
ObjectClass : user
DistinguishedName : CN=testQAS, CN=Users,DC=example.,DC=com
UserName : testQAS
UnixEnabled : True
UidNumber : 2062157421
PrimaryGidNumber : 1234567
Gecos :
HomeDirectory : /home/testQAS
LoginShell : /bin/bash
AdsPath : LDAP://windows.example.com/CN=testQAS,CN=Users,DC=example,DC=com
CommonName : testQAS
Note: To disable the testQAS user for Unix login, enter
Disable-QasUnixUser testQAS
at the PowerShell prompt.
Now that the user is Unix-enabled, that user can log into systems running the QAS agent.
5. In the left panel of the Control Center, locate Login to remote host.
a) In the Host name box, enter the name of the Unix host that you prepared for Active Directory login.
b) In the User name box, enter the name of the local user, testQAS, and click Login.
A PuTTY window displays.
Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos
is not enabled or properly configured for the remote SSH service.
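The following script is an added example, not part of the Quest guide: it Unix-enables several users with the same cmdlets shown in step 4 and then audits the returned Unix properties (unique UID, expected primary GID, default shell and home directory) before anyone is allowed to log in with them. It assumes it runs in the QAS PowerShell Console with the QAS cmdlets loaded; the user names and the expected GID are constructed sample values.

```powershell
# Added example (not from the QAS guide). Cmdlet names and -PrimaryGidNumber are
# those shown in the guide; the user names and GID below are constructed sample values.
$users = @('testQAS', 'testQAS2')   # constructed sample user names
$gid   = 1234567                    # GID of the Unix-enabled group (sample value)

# Unix-enable each user with the Global Unix Options defaults, then set the primary group.
# Set-QasUnixUser emits the updated user object, so $enabled collects every result.
$enabled = @(foreach ($u in $users) {
    Enable-QasUnixUser $u | Set-QasUnixUser -PrimaryGidNumber $gid
})

# Audit what came back before these accounts are used for Unix login.
$problems = @()
foreach ($usr in $enabled) {
    $name = $usr.UserName
    if (-not $usr.UnixEnabled)            { $problems += "${name}: not Unix-enabled" }
    if ($usr.PrimaryGidNumber -ne $gid)   { $problems += "${name}: unexpected GID $($usr.PrimaryGidNumber)" }
    if ($usr.LoginShell -ne '/bin/bash')  { $problems += "${name}: login shell is $($usr.LoginShell)" }
    if ($usr.HomeDirectory -ne "/home/$name") { $problems += "${name}: home directory is $($usr.HomeDirectory)" }
}

# Generated UIDs must be unique: two AD accounts sharing one UidNumber would map
# to the same Unix identity on every host running the QAS agent.
$dupes = $enabled | Group-Object -Property UidNumber | Where-Object { $_.Count -gt 1 }
foreach ($d in $dupes) {
    $names = ($d.Group | ForEach-Object { $_.UserName }) -join ', '
    $problems += "UID $($d.Name) is shared by: $names"
}

if ($problems.Count -eq 0) {
    Write-Host "All $($enabled.Count) users Unix-enabled with the expected attributes."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

If a warning is reported, Disable-QasUnixUser (shown in the note above) removes the Unix login for the affected user until the attributes are corrected.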
PowerShell Cmdlets
Quest Authentication Services 4.0 supports the flexible scripting capabilities of PowerShell to automate administrative,
installation, and configuration tasks. A wide range of new PowerShell cmdlets is included in Quest Authentication
Services 4.0:
5. From the Trial Download: ChangeAuditor for Active Directory page, click the Installation Guide link.
6. Read the ChangeAuditor Installation Guide to obtain detailed steps for installing Quest Defender.
Index

A
Active Directory 12
    changing configuration settings 12
Active Directory configuration 18
    determines schema mappings 18
    moving the configuration data 18
    purpose defined 18
    updating 18
    validates license information 18
Active Directory schema 29
    how Quest Authentication Services uses 29
ActiveRoles Server option 17, 18
    not available if ActiveRoles Server agent is not installed 17, 18

B
Best Practice: 27, 29, 30
    add Unix identity attributes to global catalog 30
    index attributes in Active Directory 30
    use generated UIDs and GIDs 27
    use schema designed for storing Unix data in AD 29, 30

C
contacting 9
Control Center 24, 25, 26, 27, 28, 29, 30
    described 24, 25, 26, 27, 28, 29, 30
    must be logged in as domain user 24, 25, 26, 27, 28, 29, 30
conventions 8
customize the schema mapping 30

D
debug logging 28
    enabling 28

E
enable debug logging 28

F
Filter Options 25

G
global settings modifications 24, 25, 26, 27, 28, 29, 30
Global Unix Options 27
Group Policy 25, 26
    managing core aspects 25, 26
    viewing objects 25, 26

I
install software agents on host 19
    requires elevated privileges 19

J
join host to Active Directory 19
    requires elevated privileges 19

L
LDAP attributes 29, 30
    mapped to Unix attributes 29, 30
license 12, 26
    installing 12, 26
License 26
    adding 26
Logging 28
    enabling 28
    setting options 28

O
Optimize Schema 30
    requires AD administrator rights 30

P
performance and scalability 30
Permissions 12
    required 12
PosixAccount auxiliary class schema extension 29
Preferences 26, 27, 28, 29, 30
    configuring settings 26, 27, 28, 29, 30

Q
Quest One Identity Solution 8
Quest Support 9

R
Reports 31
required AD rights 24, 25, 26, 27, 28, 29, 30
Requirements: 12
    Windows Permissions 12

S
schema 29, 30
    configuration 29, 30
    Custom Unix attributes 29, 30
    extensions 29, 30
40 | Quest Authentication Services | Index
schema (continued)
    LDAP attributes 29, 30
    templates 29, 30
    Unix attributes 29, 30
schema configuration 29
    defined 29
schema extension 29
    PosixAccount auxiliary class 29
schema mappings 30
    customizing 30
    index and replicate GUI and UID attributes to global catalog 30
standard Active Directory schema extensions 29

T
TERM 20
Troubleshooting 28
    using logs 28

U
Unix Group ID (GID) 27
Unix identity management tasks 18, 19, 20
    performing from QAS Control Center 18, 19, 20
Unix User ID (UID) 27
    set global value 27

W
where to set 27