uxpreinstall Utility Check for System Compliance
Valid on UNIX
The uxpreinstall utility verifies that a UNIX endpoint complies with UNIX Authentication Broker system requirements. uxpreinstall performs the following checks:
- Queries the operating system for the installed version, patches, libraries, and modules
- Resolves the domain name by querying the DNS server
- Searches for the LDAP and Kerberos services
- Uses the LDAP service to query Active Directory for information
- Scans for available ports
- Verifies the clock skew between the local host and the Active Directory domain
- Verifies that network applications, network servers, and ssh and sshd characteristics support Kerberized Single Sign On (SSO) login
- Discovers and displays all Global Catalog hosts in the domain
If the uxpreinstall utility finds a critical error that means it cannot perform subsequent checks, the utility stops immediately.
After uxpreinstall runs, it displays the result of the checks. Any errors or conflicts in the uxpreinstall output are issues that may cause UNIX Authentication Broker operational problems, for example, user authentication failure. We strongly recommend that you resolve any errors or conflicts that uxpreinstall identifies before you activate and use UNIX Authentication Broker.
The uxpreinstall utility informs you of real or potential problems but does not correct them. You cannot use the utility to configure the operating system or UNIX Authentication Broker.
You can run uxpreinstall before or after you install UNIX Authentication Broker. If you run uxpreinstall before you install UNIX Authentication Broker, the utility creates a temporary Kerberos file and checks the configuration of the Kerberos file instead of the uxauth.ini configuration. If you run uxpreinstall after you install UNIX Authentication Broker, the utility does not create the temporary Kerberos file. Instead, it checks the value of the lookup_dc_list token in the [ad] section of the uxauth.ini file.
To run uxpreinstall before you install UNIX Authentication Broker, copy the utility from another endpoint on which UNIX Authentication Broker is installed.
The following sections of the uxpreinstall output check if the endpoint configuration lets UNIX Authentication Broker users use Kerberized SSO login. If you do not want to enable SSO logins for UNIX Authentication Broker users, you can ignore any information in these sections:
- CHECKING KERBEROS RPMS
- CHECKING NATIVE KERBEROS
- == Reporting sshd characteristics affecting SSO operation ==
- == Reporting ssh characteristics affecting SSO operation ==
- Checks of network applications
- Checks of network servers
For more information about using uxpreinstall to check system compliance, see the Implementation Guide.
This command has the following format:
uxpreinstall [-a user] [-w passwd] [-n ntp_server] [{-d domain | -s server}] [-p port] [-f logfile] [-force] [-v level] [-l] [-h]
- -a user: Defines the user account to use to log in to Active Directory. Default: Administrator
- -w passwd: Defines the password for the user account.
- -n ntp_server: Defines the name of the Network Time Protocol (NTP) server.
- -d domain: Defines the domain name where Active Directory is installed.
- -s server: Defines the name of the Active Directory server.
- -p port: Defines the port number on which Active Directory listens.
- -f logfile: Defines the name of the log file to use.
- -force: Forces the system compliance check to continue regardless of errors.
- -v level: Defines the verbosity level of uxpreinstall output. Options:
  - 0: Displays a summary of the checks that uxpreinstall performs and any errors or conflicts that it identifies.
  - 1: Displays the same information as 0 and additional information about each check.
  - 2: Displays the same information as 1 and the commands that uxpreinstall uses for each check.
  - 3: Displays the same information as 2 and the output of each command.
  - 4: Displays the same information as 3 and extra information for some checks, for example, package details.
  Default: 0
- -l: Performs checks on the syslog file. Applicable for root users only.
- -h: Displays the utility help and exits.
Example: Run the uxpreinstall Utility
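This example runs the uxpreinstall utility with the credentials of the administrator user against the Active Directory domain mydomain.com with a verbosity level of 1. A password passed with -w is part of the command line, so it can appear in the process list and in shell history: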
/opt/CA/uxauth/bin/uxpreinstall -a administrator -w admin -d mydomain.com -v 1
Example: The uxpreinstall Utility Report
The following is a snippet of the uxpreinstall utility report that shows how you determine whether your system complies with the system requirements:
OS detected: Linux 2.6.5-7.244-default
********************************************
CHECKING CLOCK SYNCHRONIZATION
********************************************
Comparing the value of the currentTime attribute in DSE with the local time ...
Current clock skew is 34 sec.
The default value for the maximum clock skew is 300 seconds.
Warning! Significant clock skew can cause user authentication failure
---------------------------------------------
W A R N I N G
---------------------------------------------
********************************************
CHECKING KERBEROS AUTHENTICATION VIA AD
********************************************
principal_name = <[email protected]>
Kerberos authentication for <[email protected]> succeeded
---------------------------------------------
S U C C E S S
---------------------------------------------
********************************************
CHECKING AD SCHEMA VERSION
********************************************
Trying LDAP service at server.mydomain.com:389
Binding to Active Directory via 'server1.mydomaiin.com' ...
AD Schema version 31 (Windows Server 2003 R2 or Windows Server 7 (AD LDS)) supports full and partial UNAB integration modes.
---------------------------------------------
S U C C E S S
---------------------------------------------
.
.
.
In this example, the output shows the following information:
- The operating system running on the local host - Linux 2.6.5-7.244-default
- The clock skew - 34 seconds
- The Kerberos service - Kerberos authentication for <[email protected]> succeeded
- The Active Directory schema version - AD Schema version 31
- The operating system version where Active Directory is installed - Windows Server 2003 R2 or Windows Server 7
- The Active Directory schema supports both full and partial UNIX Authentication Broker integration modes
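The following Python sketch is an added example, not part of the product or its documentation. It parses saved report text into per-section verdicts and lists the sections that still need attention before activation, optionally skipping the SSO-only sections named above. It assumes the banner layout shown in the report excerpt; the function names and the sample text are constructed for illustration.

```python
import re

# Constructed input: two sections from this page's report excerpt (line breaks
# assumed) plus one constructed SSO-only section to exercise the filter.
SAMPLE = """\
********************************************
CHECKING CLOCK SYNCHRONIZATION
********************************************
Current clock skew is 34 sec.
---------------------------------------------
W A R N I N G
---------------------------------------------
********************************************
CHECKING NATIVE KERBEROS
********************************************
---------------------------------------------
W A R N I N G
---------------------------------------------
********************************************
CHECKING AD SCHEMA VERSION
********************************************
Trying LDAP service at server.mydomain.com:389
---------------------------------------------
S U C C E S S
---------------------------------------------
"""

# Banner-titled sections the page says can be ignored when SSO is not wanted.
SSO_ONLY = {"CHECKING KERBEROS RPMS", "CHECKING NATIVE KERBEROS"}
STARS, DASHES = re.compile(r"\*{10,}$"), re.compile(r"-{10,}$")
VERDICT = re.compile(r"(?:[A-Z] )+[A-Z]$")  # letter-spaced word, e.g. "S U C C E S S"

def parse_report(text):
    """Return [(section title, verdict or None)] in report order."""
    rows = [line.strip() for line in text.splitlines()]
    out = []
    for prev, cur, nxt in zip(rows, rows[1:], rows[2:]):
        if STARS.match(prev) and STARS.match(nxt) and cur and not STARS.match(cur):
            out.append([cur, None])          # title framed by asterisk rows
        elif DASHES.match(prev) and DASHES.match(nxt) and VERDICT.match(cur) and out:
            out[-1][1] = cur.replace(" ", "")  # verdict framed by dash rows
    return [tuple(section) for section in out]

def unresolved(text, sso_required=False):
    """Sections to review before activation: any verdict other than SUCCESS."""
    return [(title, verdict) for title, verdict in parse_report(text)
            if verdict != "SUCCESS" and (sso_required or title not in SSO_ONLY)]
```

A section with no verdict banner is reported with a verdict of None, so a report that ends partway through a check is flagged rather than passed.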