-
Titolo
Users in cross forest domains cannot login. -
Descrizione
Users in cross forest domains cannot login. Cross forest environment, users in the cross forest domain, access control group in the joined domain.
Password based logins work due to the user's PAC, where Active Directory(AD) is able to process all group memberships for QAS. Passwordless were inconsistent failures. -
Causa
CAUSE 1: Configuration issue.
CAUSE 2: QAS doesn't process all group membership cross domain due to the exponential complexity of AD.
-
Risoluzione
RESOLUTION 1:
1. Run the below commands to configure the /etc/opt/quest/vas/vas.conf file file correctly include all domains:
# /opt/quest/bin/vastool configure vas vasd cross-forest-domains ,
Replace the DNs below with the location of your Unix Users & Groups:
# /opt/quest/bin/vastool configure vas vasd user-search-path
# /opt/quest/bin/vastool configure vas vasd group-search-pathThis can also be done with VGP:
a) On your Domain Controller open Group Policy Management
b) Locate the specific Group Policy Object, right-click and choose Edit...
c) Expand Unix Settings | Quest Authentication Services and select Client Configuration
d) Double-click VAS Configuration
e) Expand the vasd section
f) Select cross-forest-domains and enter the required domains. Then select user-search-path and group-search-path and enter the required DNs.
2. Ensure the Active Directory (AD) trust between the forests exists and is valid. See Microsoft documentation for further details.Additional Information:
cross-forest-domains = ,
Default value: Not set
To enable cross forest authentication using simple names it is necessary to list any domains in foreign forests using the cross-forest-domains option. Cross forest authentication will still be possible if this option is not set, but users will be required to log in specifying the foreign domain in their username using the syntax username@domain. Even without this option set, login using the username@domain syntax is only required when the users information is not cached locally (the first time that particular user logs in after a flush or join). Subsequent logins can determine the foreign domain information from the users cached information.user-search-path = [;]...
Default value: entire AD domain the host is joined toThis option can be used to specify a list of Active Directory
containers that vasd will use to load users from initially. The
option value must be a semicolon-separated list of distinguished
names. Normally these will be organizational units, but they can be
any Active Directory container that can contain user objects. vasd
will only load Unix enabled users from this path, not User
Personalities. The containers may be from any domain that the
computer object used by vasd can search.group-search-path = [;]...
Default value: The entire AD domain the host is joined toThis option is used to specify a list of Active Directory
containers that vasd will use to load groups from initially. The
option value must be a semicolon-separated list of distinguished
names. Normally these will be organizational units, but they can be
any Active Directory container that can contain group objects.
vasd will only load Unix enabled groups from this path, not Group
personalities. The containers may be from any domain that the
computer object used by vasd can search.RESOLUTION 2:
The normal AD way of handling access control cross forest is to, in the cross forest, make a global group. Put all the cross forest user's in that group. Then nest the global group in a domain local(dl) group in the joined domain/forest, and make that dl group the access control group. Works for windows systems where the user will always have a PAC which will have the group memberships.For QAS we suggest using the global group directly for access control. Keeping the users and the groups being used for them in the same forest.