Rather than using the vastool join command from the command line, you can join your Unix host to Active Directory using the interactive join script, vasjoin.sh. The script walks you through the domain join process, calling the vastool join command.
The vasjoin.sh script is in the /opt/quest/libexec/vas/scripts/ directory. You can use most of the standard vastool join command options when running it. However, you can also run the join script with no options; it then only requires that you supply the domain name and the name of a user with sufficient Active Directory privileges to perform the join.
| Option | Function |
|---|---|
| -h | Help; displays options, including how to pass vastool join options. |
| -q | Unattended or "quiet" mode; produces less verbose output: no explanations, asks no questions. |
| -i | Interactive mode; prompts for common options. |
| <none> | Simple mode; installs vasclnt and vasgp, with options to add a license and join the domain. |
To join Active Directory using the vasjoin script
Run the script as the root user at a shell prompt, as follows:
/opt/quest/libexec/vas/scripts/vasjoin.sh
The script ensures that your local host's time is synchronized with that of the controller in the domain you want to join (in order to satisfy Kerberos), then performs the join for you by running vastool join as follows:
vastool -u <username> join <domain-name>
Follow the prompts to complete the join process.
Note: Run the script in interactive mode as follows:
/opt/quest/libexec/vas/scripts/vasjoin.sh -i
In interactive mode, it prompts you for specific information and allows you to either save the resulting vastool join command in a script or execute the command immediately.
The script presents defaults as part of the prompting and, if you accept them all, the result is identical to running the script in simple mode.
The information gathered by the full, interactive mode of vasjoin.sh includes the following:
Shows path to lastjoin (/etc/opt/quest/vas/lastjoin)
The lastjoin file contains something similar to:
/opt/quest/bin/vastool -u administrator join -f acme.com
Unix manual pages (man pages) provide help for commands and configuration files. Safeguard Authentication Services installs man pages for the following components:
Man pages are installed and configured automatically by Safeguard Authentication Services. Use the man command to access Safeguard Authentication Services man pages. For example, to access the vastool man page, enter the following at the Unix prompt:
man vastool
Alternatively, you can access the Safeguard Authentication Services man pages in HTML format by navigating to the docs/vas-man-pages directory on the distribution media.
Safeguard Authentication Services uses /etc/opt/quest/vas/vas.conf as its main configuration file. You can modify, enable, or disable most Safeguard Authentication Services functionality in the vas.conf file. The Safeguard Authentication Services configuration file follows the format of the typical krb5.conf. The file is divided into sections. Each section contains a name enclosed in square brackets followed by a list of settings. Settings are key value pairs. For example:
[vasd]
workstation-mode = false
In this example, [vasd] is the section name and workstation-mode is the setting.
For a complete list of all settings, refer to the vas.conf man page.
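The section/key layout described above is the same INI-style format used by krb5.conf, so it can be read with a small POSIX shell function. The following is an added example and is not part of the product or of this guide: vas_conf_get takes a file, a section name and a key, and prints the value found under that section only, so the same key in another section is not confused with it. The sample configuration it reads is constructed here for the demonstration; apart from [vasd] workstation-mode, which the text above shows, the sections and keys in it are illustrative and are not taken from a real vas.conf.

```shell
#!/bin/sh
# Added example: read one setting from an INI-style file such as vas.conf.
# Usage: vas_conf_get FILE SECTION KEY
# Prints the value and returns 0; returns 1 if the section or key is absent.
vas_conf_get() {
    file=$1; section=$2; key=$3
    awk -v want="[$section]" -v key="$key" '
        # Drop "#" and ";" comments, then trim surrounding whitespace.
        { sub(/[#;].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        # A line like [name] starts a section; remember whether it is the one we want.
        /^\[.*\]$/ { insec = ($0 == want); next }
        insec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]+$/, "", k); gsub(/^[ \t]+/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# Constructed sample file (NOT a real vas.conf): only [vasd] workstation-mode
# comes from the guide; the other section and keys are illustrative.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample configuration
[libdefaults]
default_realm = EXAMPLE.COM

[vasd]
workstation-mode = false   ; trailing comment is ignored

[example-section]
workstation-mode = true
EOF

# Convenience wrapper used by the demonstration below.
show() { printf '%s/%s = %s\n' "$1" "$2" "$(vas_conf_get "$SAMPLE_CONF" "$1" "$2")"; }
show vasd workstation-mode
show libdefaults default_realm
```

Because the lookup is scoped to the section, vas_conf_get "$SAMPLE_CONF" vasd workstation-mode prints false even though another section carries the same key with a different value, and asking for a key that is not in the named section returns a non-zero status rather than an empty string, which makes the function safe to use in a script that must fail closed on a missing setting.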
You can centrally manage and enforce vas.conf settings using Group Policy. For more information, see Configuration policy.
Users logging in to Unix hosts using Active Directory credentials must identify themselves using a user name. You can specify either the configured Unix Name of the Active Directory user or a combination of the domain and sAMAccountName attribute.
You can configure the Active Directory attribute used for Unix Name. By default, with the Windows 2003 R2 schema, the Unix Name is mapped to sAMAccountName. If you map the Unix Name to the user principal name attribute, the user can log in with either the full UPN or just the user portion of the UPN (that is, the portion before the @ symbol) for backward compatibility.
Users can always log in using a combination of domain and sAMAccountName. Cross-forest login requires the user to specify domain and sAMAccountName unless you have configured the cross-forest-domain option in vas.conf. The following formats are accepted when authenticating:
You can specify DOMAIN as either the full DNS domain name (example.com) or the NETBIOS domain name (EXAMPLE).
Note: A Unix Name that ends with a / is not valid. Names that end with a / are reserved for services on Unix hosts.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.