What is the QAS Application Configuration (QAC) and why is it needed?
In QAS 4.0 it was decided to include a single configuration point for the various components like the *NIX Client, the MMC Snapin, and IMU.
QAS 4.0 and 4.0.1 require this; 4.0.2 and above contain a method of allowing the *NIX client to function without it being present. Without the QAC installed, the 4.0.x MMC snapins will not display the Unix Attributes on the users/group Properties.
The Quest Application Configuration (QAC) is an Active Directory object used to store QAS product information such as license and default settings for QAS 4.x components. It consists of multiple nested objects of the objectClass 'Container' inside a container with the name cn={786E0064-A470-46B9-83FB-C7539C9FA27C}. This container is what QAS uses to query for the location of the QAC in Active Directory.
There should only be one in an Active Directory Forest. If multiple configurations are found, QAS uses the one created first as determined by reading the whenCreated attribute. Creating/configuring the QAC will have no effect on QAS 3.x clients.
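Because QAS uses only the QAC that was created first, it is worth checking a forest for duplicate QAC containers and confirming which one is actually in effect. The following is an added example, not Quest code, that applies the whenCreated rule to directory search results; the LDAP filter, the dictionary layout, the DN tie-break and the sample entries are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Container name the page says QAS searches for to locate the QAC.
QAC_CN = "{786E0064-A470-46B9-83FB-C7539C9FA27C}"
# Assumed LDAP filter for a forest-wide search, built from the page's
# description of the container; it is not taken from QAS itself.
QAC_FILTER = "(&(objectClass=container)(cn=%s))" % QAC_CN


def parse_when_created(value):
    """Parse an AD GeneralizedTime value such as 20100315142233.0Z (UTC)."""
    stamp = value.split(".")[0]  # drop the ".0Z" fraction and zone suffix
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def audit_qac(entries):
    """Return (effective, shadowed) from a list of {'dn', 'whenCreated'} dicts.

    effective is the entry created first, which the page says QAS uses;
    shadowed lists every other QAC container found in the forest.
    """
    if not entries:
        return None, []
    # Ties on whenCreated are broken by DN only to keep the result stable
    # (assumption: the page does not say how QAS resolves a tie).
    ordered = sorted(
        entries,
        key=lambda e: (parse_when_created(e["whenCreated"]), e["dn"].lower()),
    )
    return ordered[0], ordered[1:]


# Constructed sample search results; the DNs and timestamps are invented.
SAMPLE = [
    {"dn": "CN=%s,OU=Unix,DC=example,DC=com" % QAC_CN,
     "whenCreated": "20110602081500.0Z"},
    {"dn": "CN=%s,CN=Program Data,DC=example,DC=com" % QAC_CN,
     "whenCreated": "20100315142233.0Z"},
    {"dn": "CN=%s,CN=Program Data,DC=child,DC=example,DC=com" % QAC_CN,
     "whenCreated": "20120110120000.0Z"},
]

if __name__ == "__main__":
    effective, shadowed = audit_qac(SAMPLE)
    print("LDAP filter:", QAC_FILTER)
    print("Effective QAC:", effective["dn"], effective["whenCreated"])
    for entry in shadowed:
        print("Duplicate QAC:", entry["dn"], entry["whenCreated"])
```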
For QAC creation, you need a location in Active Directory with Create Container Object rights. For changes to Unix Global Settings, Licensing and Custom Unix Attributes, you need update permission to the containers created above (no particular permissions if you are the one who created it).
With QAS version 4.0.0/4.0.1, the QAC must exist in Active Directory before the QAS hosts can be joined.
To create it see the following resolutions:
RESOLUTION 1:
Create the QAS Application Configuration (QAC) from the Windows side.
Please see the QAS 4.0 Install Guide for more information on this, "Configuring Active Directory for QAS".
RESOLUTION 2:
Create the QAC from a QAS client using 4.0.1.22 or above:
/opt/quest/bin/vastool -u <account with container and child container create rights> configure -d <domain> ad [Location DN, default is 'CN=Program Data,DC=<domain>']
If upgrading from a 3.x VAS version, it is recommended to use the Windows creation method, and select the logon name attribute used previously.
The QAS 3.x default was userPrincipalName (UPN), while QAS 4.x is now sAMAccountName. If UPN needs to be set in the QAC, that is currently only possible using Control Center.
That can be overridden locally by modifying vas.conf and adding:
[vasd]
username-attr-name = userPrincipalName
to any QAS 4.x clients' /etc/opt/quest/vas/vas.conf
This can be accomplished by running the following command before upgrading:
/opt/quest/bin/vastool configure vas vasd username-attr-name userPrincipalName
There is more information about Windows permissions needed in the AuthenticationServices_4.0_AdminGuide.pdf which is in the doc folder of the download. It is in the Introduction to Quest Authentication Service section and then Windows Permissions.