Authentication Services 4.2 - Administration Guide


Using Authentication Services manual pages (man pages)

Unix manual pages (man pages) provide help for commands and configuration files. Authentication Services installs man pages for the following components:

  • ldapmodify
  • ldapsearch
  • nisedit
  • nss_vas
  • oat
  • oat_adlookup
  • oat_changeowner
  • oat_match
  • oat_overview
  • pam_defender
  • pam_vas
  • pam_vas_smartcard
  • preflight
  • uptool
  • vas.conf
  • vasd
  • vasproxyd
  • vastool
  • vasypd
  • vgp.conf
  • vgpmod
  • vgptool

Man pages are installed and configured automatically by Authentication Services. Use the man command to access Authentication Services man pages. For example, to access the vastool man page, enter the following at the Unix prompt:

man vastool

Alternatively, you can access the Authentication Services man pages in HTML format by navigating to the docs/vas-man-pages directory on the distribution media.

The Authentication Services configuration file

Authentication Services uses /etc/opt/quest/vas/vas.conf as its main configuration file. You can modify, enable, or disable most Authentication Services functionality in the vas.conf file. The Authentication Services configuration file follows the format of a typical krb5.conf. The file is divided into sections. Each section begins with a name enclosed in square brackets, followed by a list of settings. Settings are key-value pairs. For example:

[vasd]
 workstation-mode = false

In this example, [vasd] is the section name and workstation-mode is the setting.
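A small parser for the section/key = value layout described above, written for this guide as an added example (it is not One Identity code). The [vasd] section and the workstation-mode setting are the guide's own; the [libdefaults]/default_realm lines reuse krb5.conf's standard keys purely as extra sample data, and the accepted spellings of a boolean (true/yes/on, false/no/off) are an assumption of this example, not a documented vasd behaviour. Nested brace groups as used by krb5.conf's [realms] are not handled.

```python
import re

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

# Constructed sample in the krb5.conf-style layout the guide describes.  The
# [vasd] section and its workstation-mode setting come from the guide's own
# example; the [libdefaults] block uses krb5.conf's standard default_realm key
# only as extra sample data.
SAMPLE_VAS_CONF = """\
# comment line
[vasd]
 workstation-mode = false

[libdefaults]
 default_realm = EXAMPLE.COM   ; trailing comment
"""


def parse_vas_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse [section] / key = value text into nested dicts.

    Comments start with '#' or ';'.  A later duplicate key replaces an
    earlier one within the same section.  Structural errors raise ValueError
    with the offending line number, so a broken file is caught on review
    rather than discovered when the daemon falls back to defaults.
    """
    sections: dict[str, dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1).strip(), {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: setting before any [section]")
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'key = value'")
        current[key.strip()] = value.strip()
    return sections


def get_bool(conf: dict, section: str, key: str, default: bool) -> bool:
    """Read a boolean setting; the accepted spellings are this example's assumption."""
    raw = conf.get(section, {}).get(key)
    if raw is None:
        return default
    lowered = raw.lower()
    if lowered in ("true", "yes", "on", "1"):
        return True
    if lowered in ("false", "no", "off", "0"):
        return False
    raise ValueError(f"[{section}] {key}: not a boolean: {raw!r}")


if __name__ == "__main__":
    conf = parse_vas_conf(SAMPLE_VAS_CONF)
    print(conf)
    print("workstation-mode:", get_bool(conf, "vasd", "workstation-mode", True))
```

Pointing `parse_vas_conf` at the real file (`open("/etc/opt/quest/vas/vas.conf").read()`) gives a dict you can diff against the values a Group Policy is expected to enforce.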

For a complete list of all settings, refer to the vas.conf man page.

You can centrally manage and enforce vas.conf settings using Group Policy. For more information, see Authentication Services Configuration policy.

Unix login syntax

Users logging in to Unix hosts using Active Directory credentials must identify themselves using a user name. You can specify either the configured Unix Name of the Active Directory user or a combination of the domain and sAMAccountName attribute.

You can configure the Active Directory attribute used for Unix Name. By default, with the Windows 2003 R2 schema, the Unix Name is mapped to sAMAccountName. If you map the Unix Name to the user principal name attribute, the user can log in with either the full UPN or just the user portion of the UPN (that is, the portion before the @ symbol) for backward compatibility.

Users can always log in using a combination of domain and sAMAccountName. Cross-forest login requires the user to specify domain and sAMAccountName unless you have configured the cross-forest-domain option in vas.conf. The following formats are accepted when authenticating:

  • DOMAIN\sAMAccountName (you may need to escape the \ depending on the shell)
  • sAMAccountName@DOMAIN

You can specify DOMAIN as either the full DNS domain name (example.com) or the NETBIOS domain name (EXAMPLE).

Note: A Unix Name that ends with a / is not valid. Names that end with a / are reserved for services on Unix hosts.
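The following classifier applies the rules in this section to a login name before it is handed to anything that resolves it; it is an added example for this guide, not part of Authentication Services. The account name jdoe is a constructed sample; the DNS-versus-NETBIOS classification by the presence of a dot is a heuristic assumed here, and the code cannot tell a UPN from sAMAccountName@DOMAIN, since the two are syntactically identical.

```python
# Service names on Unix hosts end in "/", so a login name never may.
_SERVICE_SUFFIX = "/"


def parse_login_name(name: str) -> dict:
    """Classify a login name into one of the accepted forms.

    Returns a dict with keys form, account, domain and domain_kind.  A bare
    name is taken to be the configured Unix Name; the qualified forms are
    DOMAIN\\sAMAccountName and sAMAccountName@DOMAIN.  Whether an "@" form is
    a UPN or sAMAccountName@DOMAIN cannot be decided from syntax alone.
    """
    if not name or name != name.strip():
        raise ValueError("empty login name or surrounding whitespace")
    if name.endswith(_SERVICE_SUFFIX):
        raise ValueError("names ending in '/' are reserved for services")
    if "\\" in name:
        domain, _, account = name.partition("\\")
        form = "DOMAIN\\sAMAccountName"
    elif "@" in name:
        account, _, domain = name.rpartition("@")
        form = "sAMAccountName@DOMAIN"
    else:
        return {"form": "unix-name", "account": name, "domain": None, "domain_kind": None}
    if not domain or not account:
        raise ValueError(f"incomplete qualified name: {name!r}")
    # Heuristic (an assumption of this example): a dotted domain is the DNS
    # name (example.com), an undotted one the NETBIOS name (EXAMPLE).
    kind = "dns" if "." in domain else "netbios"
    return {"form": form, "account": account, "domain": domain, "domain_kind": kind}


def is_valid_login_name(name: str) -> bool:
    """True when the name is one of the accepted forms and not a service name."""
    try:
        parse_login_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # jdoe is a constructed sample account; the backslash form is what a user
    # types as EXAMPLE\\jdoe in a shell that treats "\" as an escape.
    for candidate in ("EXAMPLE\\jdoe", "jdoe@example.com", "jdoe", "host/"):
        print(candidate, "->", parse_login_name(candidate) if is_valid_login_name(candidate) else "rejected")
```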

Keytab files

A keytab file stores Kerberos keys for computer and service accounts. Authentication Services automatically generates and maintains keytab files when you join the Active Directory domain or when you create service accounts in Active Directory. By default, the keytab files are created in the /etc/opt/quest/vas directory. Each keytab file is named according to the service that uses it. For example, the host principal keys are stored in the /etc/opt/quest/vas/host.keytab file. Keytab files are stored using the standard MIT style and may be used by third-party applications.

The keytab is essentially the computer's Active Directory password. It is owned by root and must be secured accordingly. The default permissions for a computer object restrict the computer from accessing and modifying sensitive data in Active Directory. The schema extensions are carefully designed to allow computers with default permissions to access only the Unix account data that is absolutely necessary for the normal operation of Authentication Services. One Identity recommends that administrators not modify the default permissions for the computer object to make them either more or less restrictive. Changing the computer object permissions could disrupt normal operation or create a security liability in Active Directory if a Unix host is compromised.

If the host.keytab file is compromised by unauthorized root access on the Unix system, then you can assume the password for the associated computer object is compromised as well. You can reset the computer object's password and generate a new keytab file by running

vastool -u <admin> passwd -r -k /etc/opt/quest/vas/host.keytab host/

Another option is to delete the computer object and recreate it by running vastool create host/.
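Because host.keytab is in the standard MIT format and is effectively the computer's password, two checks belong in any host audit: that the file is root-owned with no group or world access, and that it contains only the principals and key versions you expect (so a stale kvno after a password reset, or an unexpected principal, stands out). The block below, an added example written for this guide rather than code shipped with Authentication Services, does both for version-2 MIT keytabs without ever surfacing key bytes. The host name unixhost.example.com, realm EXAMPLE.COM and the key values in the sample keytab are constructed; the record layout (big-endian sizes, principal, 32-bit name type, timestamp, 8-bit kvno, enctype, key, optional 32-bit kvno) is the MIT 0x0502 format.

```python
import os
import struct
import tempfile
from dataclasses import dataclass

KEYTAB_V2 = b"\x05\x02"  # MIT keytab file format version 0x0502


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int  # RFC 3961 number, e.g. 18 = aes256-cts-hmac-sha1-96
    key_len: int  # length only; the key bytes are deliberately not retained


def _parse_entry(buf: bytes) -> KeytabEntry:
    """Decode one keytab record (all integers are big-endian)."""
    ncomp, rlen = struct.unpack_from(">HH", buf, 0)
    off = 4
    realm, off = buf[off:off + rlen].decode(), off + rlen
    comps = []
    for _ in range(ncomp):
        (clen,) = struct.unpack_from(">H", buf, off)
        comps.append(buf[off + 2:off + 2 + clen].decode())
        off += 2 + clen
    # 32-bit name_type (version 2 only), 32-bit timestamp, 8-bit kvno
    _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
    off += 9
    enctype, klen = struct.unpack_from(">HH", buf, off)
    off += 4 + klen  # skip the key itself: an audit never needs to print it
    kvno = vno8
    if len(buf) - off >= 4:  # optional 32-bit kvno overrides the 8-bit field
        (vno32,) = struct.unpack_from(">I", buf, off)
        kvno = vno32 or vno8
    return KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, klen)


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """List principals, key versions and enctypes in a version-2 MIT keytab."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:  # a negative size marks a deleted slot of that many bytes
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError("truncated keytab entry")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def check_keytab_permissions(path: str) -> dict:
    """The keytab is the host's AD password: root-owned, unreadable by others."""
    st = os.stat(path)
    return {"owner_is_root": st.st_uid == 0,
            "mode_ok": (st.st_mode & 0o077) == 0,
            "mode": oct(st.st_mode & 0o777)}


def _build_entry(principal, realm, kvno, enctype, key, timestamp, name_type=3):
    """Encode one record; used only to construct the sample file below."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the host principal of a hypothetical unixhost.example.com
# with two enctypes at kvno 3, plus one deleted slot between them.
SAMPLE_KEYTAB = (
    KEYTAB_V2
    + _build_entry("host/unixhost.example.com", "EXAMPLE.COM", 3, 18, b"\x11" * 32, 1700000000)
    + struct.pack(">i", -8) + b"\x00" * 8
    + _build_entry("host/unixhost.example.com", "EXAMPLE.COM", 3, 17, b"\x22" * 16, 1700000000)
)


def write_sample_keytab(mode: int = 0o600) -> str:
    """Write the constructed sample to a temp file so the permission check can run."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_KEYTAB)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    path = write_sample_keytab()
    for e in parse_keytab(open(path, "rb").read()):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype)
    print(check_keytab_permissions(path))
```

Against a real host, replace the temp file with /etc/opt/quest/vas/host.keytab; after the `vastool passwd -r` reset above, the kvno reported for host/ should have advanced, which is a quick way to confirm the new keytab is the one in place.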
