Using manual pages (man pages)
Unix manual pages (man pages) provide help for commands and configuration files. Safeguard Authentication Services installs man pages for the following components:
- ldapmodify
- ldapsearch
- nisedit
- nss_vas
- oat
- oat_adlookup
- oat_changeowner
- oat_match
- oat_overview
- pam_defender
- pam_vas
- pam_vas_smartcard
- preflight
- uptool
- vas.conf
- vasd
- vasproxyd
- vastool
- vasypd
- vgp.conf
- vgpmod
- vgptool
Man pages are installed and configured automatically by Safeguard Authentication Services. Use the man command to access Safeguard Authentication Services man pages. For example, to access the vastool man page, enter the following at the Unix prompt:
man vastool
Alternatively, you can access the Safeguard Authentication Services man pages in HTML format by navigating to the docs/vas-man-pages directory on the distribution media.
The configuration file
Safeguard Authentication Services uses /etc/opt/quest/vas/vas.conf as its main configuration file. You can modify, enable, or disable most Safeguard Authentication Services functionality in the vas.conf file.
The Safeguard Authentication Services configuration file follows the format of a typical krb5.conf file. The file is divided into sections; each section begins with a name enclosed in square brackets and is followed by a list of settings, which are key-value pairs. For example:
[vasd]
workstation-mode = false
In this example, [vasd] is the section name, workstation-mode is the setting, and false is its value.
For a complete list of all settings, refer to the vas.conf man page.
You can centrally manage and enforce vas.conf settings using Group Policy. For more information, see Configuration policy.
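The following parser is an added example for the format described above; it is not code from Safeguard Authentication Services. It handles what the text describes (bracketed sections holding key = value settings) plus two conventions of krb5.conf, which vas.conf follows: full-line comments starting with # or ;, and brace groups (name = { ... }). The sample file is constructed: workstation-mode is the only setting in it that this documentation names, and the [realms] group is ordinary krb5.conf syntax included only to exercise the brace handling. Python's configparser is not a fit for this format because it rejects repeated keys and does not understand brace groups.

```python
"""Parse a krb5.conf-style file such as vas.conf (added example)."""
import re
from typing import Dict, List

Conf = Dict[str, Dict[str, List[str]]]
_SECTION = re.compile(r"^\[([^\]]+)\]$")

# Constructed sample; only [vasd] workstation-mode is a documented setting.
SAMPLE = """\
# constructed vas.conf fragment
[vasd]
workstation-mode = false
; a second section in krb5.conf style
[realms]
EXAMPLE.COM = {
    kdc = dc1.example.com
    kdc = dc2.example.com
}
"""


def parse_conf(text: str) -> Conf:
    """Return {section: {key: [values]}}.

    Keys inside brace groups are flattened with dots (EXAMPLE.COM.kdc);
    repeated keys keep every value, in file order.
    """
    conf: Conf = {}
    section = None
    groups: List[str] = []          # names of the open brace groups
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            if groups:
                raise ValueError(f"line {lineno}: unclosed '{{' before new section")
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError(f"line {lineno}: setting before any [section]")
        if line == "}":
            if not groups:
                raise ValueError(f"line {lineno}: '}}' without matching '{{'")
            groups.pop()
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        if value == "{":
            groups.append(key)
            continue
        conf[section].setdefault(".".join(groups + [key]), []).append(value)
    if groups:
        raise ValueError("unterminated brace group at end of file")
    return conf


def get_bool(conf: Conf, section: str, key: str, default: bool) -> bool:
    """Read a true/false setting. If the key is repeated the first value is
    used, as MIT krb5 does for single-valued lookups (assumed for vasd)."""
    values = conf.get(section, {}).get(key)
    if not values:
        return default
    v = values[0].lower()
    if v in ("true", "yes"):
        return True
    if v in ("false", "no"):
        return False
    raise ValueError(f"[{section}] {key}: {values[0]!r} is not a boolean")


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE)
    print("workstation-mode:", get_bool(parsed, "vasd", "workstation-mode", True))
    print("kdcs:", parsed["realms"]["EXAMPLE.COM.kdc"])
```

Values are kept as strings; interpreting them (booleans, lists, durations) is the caller's job, and the real setting names and types are the ones listed in the vas.conf man page.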
Unix login syntax
Users logging in to Unix hosts using Active Directory credentials must identify themselves using a user name. You can specify either the configured Unix Name of the Active Directory user or a combination of the domain and sAMAccountName attribute.
You can configure the Active Directory attribute used for Unix Name. By default, with the Windows 2003 R2 schema, the Unix Name is mapped to sAMAccountName. If you map the Unix Name to the user principal name attribute, the user can log in with either the full UPN or just the user portion of the UPN (that is, the portion before the @ symbol) for backward compatibility.
Users can always log in using a combination of domain and sAMAccountName. Cross-forest login requires the user to specify domain and sAMAccountName unless you have configured the cross-forest-domain option in vas.conf. The following formats are accepted when authenticating:
- DOMAIN\sAMAccountName (most shells treat \ as an escape character, so at a shell prompt quote the name or double the backslash, as in DOMAIN\\sAMAccountName)
- sAMAccountName@DOMAIN
You can specify DOMAIN as either the full DNS domain name (example.com) or the NETBIOS domain name (EXAMPLE).
Note: A Unix Name that ends with a / is not valid. Names that end with a / are reserved for services on Unix hosts.
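The resolver below is an added example of the login forms described in this section; it is not Safeguard Authentication Services code, which performs these lookups through vasd against Active Directory. parse_login() classifies the string a user typed, and resolve() looks it up in a constructed in-memory directory. The following behaviours are assumptions made for the example: DOMAIN matches either the DNS or the NetBIOS name case-insensitively; an unqualified name is searched in the host's own forest plus the domain named by cross-forest-domain when one is configured; and a Unix Name mapped to the user principal name matches on the full UPN or on its prefix. All domain and user names are constructed.

```python
"""Resolve Active Directory login forms accepted on Unix hosts (added example)."""
from typing import NamedTuple, Optional

# Constructed directory. "unix_name" stands for the attribute mapped to
# Unix Name: sAMAccountName by default, userPrincipalName for asmith.
LOCAL_FOREST = {"example.com": "EXAMPLE", "corp.example.com": "CORP"}
OTHER_FORESTS = {"partner.test": "PARTNER"}
USERS = [
    {"dns": "example.com", "sam": "jdoe", "unix_name": "jdoe"},
    {"dns": "corp.example.com", "sam": "asmith", "unix_name": "a.smith@example.com"},
    {"dns": "partner.test", "sam": "bob", "unix_name": "bob"},
]
NETBIOS = {nb: dns for dns, nb in {**LOCAL_FOREST, **OTHER_FORESTS}.items()}


class Login(NamedTuple):
    domain: Optional[str]   # None when there is no DOMAIN\ or @DOMAIN part
    name: str
    form: str               # "domain\\sam", "sam@domain", or "unixname"


def parse_login(raw: str) -> Login:
    """Split a typed login into its parts and reject service-style names.

    The string is what a program receives after the shell has processed
    it: an unquoted EXAMPLE\\jdoe arrives as EXAMPLEjdoe in most shells.
    """
    raw = raw.strip()
    if not raw:
        raise ValueError("empty user name")
    if raw.endswith("/"):
        raise ValueError("names ending in '/' are reserved for services")
    if "\\" in raw:
        domain, _, name = raw.partition("\\")
        form = "domain\\sam"
    elif "@" in raw:
        name, _, domain = raw.rpartition("@")
        form = "sam@domain"      # may also be a full UPN; resolve() tries both
    else:
        return Login(None, raw, "unixname")
    if not domain or not name:
        raise ValueError(f"malformed login {raw!r}")
    return Login(domain, name, form)


def _domain_dns(domain: str) -> Optional[str]:
    """Accept a DNS name (example.com) or a NetBIOS name (EXAMPLE)."""
    d = domain.lower()
    if d in LOCAL_FOREST or d in OTHER_FORESTS:
        return d
    return NETBIOS.get(domain.upper())


def resolve(raw: str, cross_forest_domain: Optional[str] = None) -> Optional[dict]:
    """Return the matching user record, or None. Raises on ambiguity."""
    login = parse_login(raw)
    hits = []
    if login.domain is not None:
        dns = _domain_dns(login.domain)
        hits = [u for u in USERS
                if u["dns"] == dns and u["sam"].lower() == login.name.lower()]
    if not hits and login.form != "domain\\sam":
        # Unix Name lookup: own forest, plus cross-forest-domain if configured
        # (assumed semantics of that vas.conf option).
        searched = set(LOCAL_FOREST)
        if cross_forest_domain:
            searched.add(cross_forest_domain.lower())
        typed = raw.strip().lower()
        for u in USERS:
            un = u["unix_name"].lower()
            if u["dns"] in searched and typed in (un, un.split("@")[0]):
                hits.append(u)
    if len(hits) > 1:
        raise ValueError(f"{raw!r} is ambiguous: {[u['sam'] for u in hits]}")
    return hits[0] if hits else None


if __name__ == "__main__":
    for attempt in ("EXAMPLE\\jdoe", "jdoe@example.com", "a.smith",
                    "bob", "PARTNER\\bob", "EXAMPLEjdoe"):
        user = resolve(attempt)
        print(f"{attempt:20} -> {user['sam'] if user else 'no match'}")
```

Note that "bob" alone resolves only when cross_forest_domain="partner.test" is passed, while PARTNER\bob and bob@partner.test resolve without it, which is the cross-forest rule stated above.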
Keytab files
A keytab file stores Kerberos keys for computer and service accounts. Safeguard Authentication Services automatically generates and maintains keytab files when you join the Active Directory domain or when you create service accounts in Active Directory. By default, the keytab files are created in the /etc/opt/quest/vas directory. Each keytab file is named according to the service that uses it.
For example, the host principal keys are stored in the /etc/opt/quest/vas/host.keytab file. Keytab files are stored using the standard MIT style and may be used by third-party applications.
The keytab is essentially the computer's Active Directory password and must be protected like one: it is owned by root and must not be readable by any other account. The default permissions for a computer object restrict the computer from accessing and modifying sensitive data in Active Directory. The schema extensions are carefully designed to allow computers with default permissions to access only the Unix account data that is absolutely necessary for the normal operation of Safeguard Authentication Services.
One Identity recommends that administrators not modify the default permissions for the computer object to make them either more or less restrictive. Changing the computer object permissions could disrupt normal operation or create a security liability in Active Directory if a Unix host is compromised.
If the host.keytab file is exposed by unauthorized root access on the Unix system, assume that the password of the associated computer object is compromised as well. Reset the computer object's password and generate a new keytab file by running
vastool -u <admin> passwd -r -k /etc/opt/quest/vas/host.keytab host/
where <admin> is an Active Directory account permitted to reset the computer's password. Alternatively, delete the computer object and recreate it by running vastool create host/.
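The script below is an added example for this section and is not Safeguard Authentication Services code. build_keytab() writes one constructed entry for host/unixhost.example.com@EXAMPLE.COM (a random AES key, not a real credential) in MIT keytab format version 2 (0x0502), parse_keytab() reads it back following MIT's documented layout, and check_mode() applies the rule stated above: root-owned and readable by nobody else. The host name, realm, key version and key are constructed; the file layout is MIT's, which is what lets third-party Kerberos tools consume these keytabs. Active Directory raises the key version number when an account's password is reset, so comparing the kvno a parser reports before and after vastool passwd -r is one way to confirm the new key is in the file (assumption about the workflow, not something the documentation states).

```python
"""Parse an MIT-format keytab and check file protection (added example)."""
import os
import stat
import struct
import tempfile
from typing import List, NamedTuple


class KeytabEntry(NamedTuple):
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int


def _counted(data: bytes) -> bytes:
    """MIT counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(realm: str, components: List[str], kvno: int,
                 enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise a single-entry keytab (version 0x0502)."""
    body = struct.pack(">H", len(components))          # v2: realm not counted
    body += _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                      # 32-bit vno extension
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


class _Cursor:
    def __init__(self, data: bytes, off: int):
        self.data, self.off = data, off

    def take(self, fmt: str):
        vals = struct.unpack_from(fmt, self.data, self.off)
        self.off += struct.calcsize(fmt)
        return vals

    def counted(self) -> bytes:
        (n,) = self.take(">H")
        s = self.data[self.off:self.off + n]
        self.off += n
        return s


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                        # negative size marks a deleted slot
            off -= size
            continue
        end, c = off + size, _Cursor(data, off)
        (ncomp,) = c.take(">H")
        realm = c.counted().decode()
        comps = [c.counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = c.take(">IIB")
        (enctype,) = c.take(">H")
        key = c.counted()
        kvno = vno8
        if end - c.off >= 4:                # optional 32-bit vno wins when nonzero
            (vno32,) = c.take(">I")
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, ts, kvno, enctype, len(key)))
        off = end
    return entries


def check_mode(mode: int, uid: int, expected_uid: int = 0) -> List[str]:
    """Problems with a keytab's stat() results; an empty list is acceptable."""
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if uid != expected_uid:
        problems.append(f"owned by uid {uid}, expected {expected_uid}")
    if stat.S_IMODE(mode) & 0o077:
        problems.append(f"mode {stat.S_IMODE(mode):04o} grants access to group/others")
    return problems


def demo():
    """Write the constructed keytab to a 0600 temp file, parse and check it."""
    key = os.urandom(32)   # aes256-cts-hmac-sha1-96 (enctype 18) key size
    data = build_keytab("EXAMPLE.COM", ["host", "unixhost.example.com"],
                        kvno=3, enctype=18, key=key)
    fd, path = tempfile.mkstemp(prefix="host.keytab.")   # created with mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        st = os.stat(path)
        # On a real host expected_uid is 0; here the file belongs to the caller.
        return parse_keytab(data), check_mode(st.st_mode, st.st_uid, os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    entries, problems = demo()
    for e in entries:
        print(f"{e.principal} kvno={e.kvno} enctype={e.enctype} keylen={e.key_len}")
    print("problems:", problems or "none")
```

Pointed at a real file, parse_keytab(open("/etc/opt/quest/vas/host.keytab", "rb").read()) lists the host principal's entries and their kvno without printing key material, and check_mode(st.st_mode, st.st_uid) with the default expected_uid of 0 flags a keytab that anyone other than root can read.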