To install Safeguard Authentication Services in a Oracle Solaris 10 Zones configuration

  • In Oracle Solaris 10 Zones, only the global zone is permitted to do time synchronization. Therefore, if you want to run Safeguard Authentication Services in any Oracle Solaris Zone configuration, you must timesync the Global Zone with Active Directory. Time synchronization is a requirement of the Kerberos protocol and since Safeguard Authentication Services is built on Kerberos, Safeguard Authentication Services also has this requirement.

  • The same version of Safeguard Authentication Services should be installed in any combination of global, whole root, and sparse root zone configurations.

  • To disable time synchronization for Safeguard Authentication Services on the sparse zone, run the below command:

    vastool configure vas vasd timesync-interval 0
  • The following symlinks must exist in the global zone in order for the sparse zones to work correctly:

    • /usr/lib/security/pam_vas3.so > /opt/quest/usr/lib/security/pam_vas3.so

    • /usr/lib/security/sparcv9/pam_vas3.so > /opt/quest/usr/lib/security/sparcv9/pam_vas3.so

    If /usr is shared, you need the following symlinks in the global zone pointing to counterpart files in /opt/quest/lib:

    • /usr/lib/nss_vas4.so.1 > /opt/quest/lib/nss/nss_vas4.so.1

    • /usr/lib/security/pam_vas3.so > /opt/quest/usr/lib/security/pam_vas3.so

    In such a scenario, you do not need Safeguard Authentication Services joined to a domain in the global zone in order for sparse zones to work, but the symlinks must exist.

Each zone must have its own unique copy of /etc and /var because Safeguard Authentication Services stores zone-specific information in those locations. Sharing /etc and /var with the global zone is not a supported configuration.