Read-only domain controllers (RODCs) are a new feature in Microsoft Server 2008. Safeguard Authentication Services supports read-only domain controllers as long as the UNIX attributes for users and groups are not in the RODC filtered attribute set. You can set the RODC_FILTERED flag on any attribute in the Active Directory schema to add it to the RODC-filtered attribute set. If this flag is set on an attribute, it is not replicated to an RODC. If RODC_FILTERED is set on the attributes used for UID Number, GID Number, Comment (GECOS), Home Directory, or Login Shell, no groups or users are cached because Safeguard Authentication Services cannot identify any UNIX-enabled users.
Safeguard Authentication Services supports cross-forest authentication as long as a trust exists between the two forests. You must configure both forests for Safeguard Authentication Services. For more information, see the Safeguard Authentication Services Installation Guide.
In addition, you must configure the cross-forest-domains setting in vas.conf. For details about that, see the vas.conf man page.
NOTE: When using UNIX Personality Management in a cross-forest environment, the user or group to which a personality links must be in the same forest as the personality.
You can enable authentication between domains that do not have a two-way trust between them.
To configure a one-way trust
- On the UNIX host joined to domain A (TRUSTING.COM) that trusts domain B (TRUSTED.COM), create a service principal in domain B, as follows:
vastool -u <DomainAdminUserInDomainB> service create ServiceName/@TRUSTED.COM
where ServiceName is any unique identifier you choose.
This creates a keytab file containing the service principal whose value you use as the krb5name for your service name.
- To list the keytab file, enter the following:
vastool ktutil -k /etc/opt/quest/vas/ServiceName.keytab list
The results will look something like:
Vno Type Principal
1 arcfour-hmac-md5 unixclient-ServiceName@TRUSTED.COM
1 arcfour-hmac-md5 ServiceName/unixclient.trusting.com@TRUSTED.COM
- Create a trust mapping by adding the service principal name to the vas_host_services section of the vas.conf file, as follows:
[vas_host_services]
trusted.com = {
    krb5name = ServiceName/hostname.com@trusted.com
}
NOTE: You can also use an interactive script to configure a one-way trust. Run the following:
/opt/quest/libexec/vas/scripts/vas_oneway_setup.sh
This script prompts you for all of the necessary information and creates the one-way trust configuration for you.
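The following shell helpers are an added example, not part of Safeguard Authentication Services or its documentation. They cover the second and third steps of the procedure above: picking the service principal out of a constructed copy of the vastool ktutil listing and writing the matching vas_host_services mapping into vas.conf without ever producing a duplicate entry for the same trusted realm. Assumptions: the listing keeps the three-column "Vno Type Principal" layout shown above, the krb5name is taken verbatim from the listing's ServiceName/host@REALM line (the unixclient-ServiceName@REALM line is the account's user principal, not the service principal), the realm key is lower-cased as in the documented stanza, and the configuration file is the product's default /etc/opt/quest/vas/vas.conf.

```shell
#!/bin/sh
# Added example; not product code. Helpers for the one-way trust procedure:
# extract the service principal from a keytab listing and append the
# [vas_host_services] mapping to vas.conf exactly once per trusted realm.

# Constructed sample, copied from the listing shown in the procedure above.
SAMPLE_KEYTAB_LISTING='Vno Type Principal
1 arcfour-hmac-md5 unixclient-ServiceName@TRUSTED.COM
1 arcfour-hmac-md5 ServiceName/unixclient.trusting.com@TRUSTED.COM'

# Print the "ServiceName/host@REALM" principal for the given service name.
# The header row is skipped and the UPN-style "unixclient-ServiceName@REALM"
# entry is ignored because it does not start with "ServiceName/".
krb5name_from_keytab_listing() {
    svc=$1
    listing=$2
    printf '%s\n' "$listing" |
        awk -v svc="$svc" 'NR > 1 && $3 ~ ("^" svc "/") { print $3; exit }'
}

# Render the complete stanza; the realm key is lower-cased like the documented example.
render_vas_host_services() {
    trusted=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '[vas_host_services]\n%s = {\n    krb5name = %s\n}\n' "$trusted" "$2"
}

# Append a mapping for one trusted realm to a vas.conf file.
#   return 1: the realm is already mapped, file untouched (safe to re-run)
#   return 2: a [vas_host_services] section exists but is not the last section,
#             so a blind append would land under another section; edit by hand
append_trust_mapping() {
    conf=$1
    trusted=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    krb5name=$3
    if [ -f "$conf" ] && grep -q "^${trusted} = {" "$conf"; then
        echo "append_trust_mapping: $trusted is already mapped in $conf" >&2
        return 1
    fi
    last_section=$(grep '^\[' "$conf" 2>/dev/null | tail -n 1)
    if [ "$last_section" = "[vas_host_services]" ]; then
        # Section already open at the end of the file: add only the realm block.
        printf '%s = {\n    krb5name = %s\n}\n' "$trusted" "$krb5name" >> "$conf"
    elif grep -q '^\[vas_host_services\]' "$conf" 2>/dev/null; then
        echo "append_trust_mapping: [vas_host_services] is not the last section of $conf" >&2
        return 2
    else
        render_vas_host_services "$trusted" "$krb5name" >> "$conf"
    fi
}

# Typical use on the trusting host (assumed default vas.conf path):
#   k=$(vastool ktutil -k /etc/opt/quest/vas/ServiceName.keytab list |
#         krb5name_from_keytab_listing ServiceName "$(cat)")
#   append_trust_mapping /etc/opt/quest/vas/vas.conf TRUSTED.COM "$k"
```

Running the append twice for the same realm is a no-op with a non-zero exit, which is the behaviour you want from a configuration-management run; the function deliberately refuses to guess where a realm block belongs when the section is not at the end of the file.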
You can use vastool service to create and delete service accounts in Active Directory (AD). An AD service account is a user account that services running on UNIX hosts use.
When you create a service account, a random password is generated for the account and a Kerberos keytab is created for the service.
vastool [vastool options] service create [-c container] [-k keytab] [-A] [-U] {name} [spn...]
vastool [vastool options] service delete [-k keytab] {name}
vastool [vastool options] service list {name}
Each service account has a Service Principal Name (SPN), an optional set of additional Service Principal Names (SPNs), and an optional User Principal Name (UPN).
The SPN is typically service/host@domain, where service matches the type of service running, for example, HTTP/ or FTP/.
The keytab file created for the service is named service.keytab and it is created in the Safeguard Authentication Services configuration directory at /etc/opt/quest/vas. The default permissions on the keytab file are 0600 and root owns the file. To give the corresponding service permission to read the keytab file, update the ownership of the file.
Creating a service account
To create a service account, you must run vastool service create <name-of-your-service-account> as root. For example, to create the sql service account, run:
vastool -u admin service create sql/
By default, the service account is created in the default computer container. To override the location where the service account is created, use the -c option to specify an alternate Organizational Unit (OU).
The name of the service account is generated automatically based on the names of the host and the service. To specify the name of the service account, use the -n option.
If you specify service/ as the Principal Name, the hostname of the machine vastool runs on is used to build a complete Service Principal Name.
You must supply the username and password of an AD user that has permissions to create users. You can also add an optional list of other Service Principal Names to the account.
NOTE: The other Service Principal Names define aliases for the ticket name that can be requested for the service, but they cannot be used as a client name to authenticate as the service itself.
To disable the use of AES encryption in Kerberos tickets for the service, use the -A option.
To suppress the setting of the UPN attribute, use the -U option.
NOTE: Not setting the UPN attribute is useful for accounts made in or migrated to Azure AD where the UPN attribute must be in the Internet-style sign-in format (for example, user@contoso.com) and not in service/host@domain format.
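As an added example (not product code and not from the documentation), the shell functions below make two of the rules above checkable: how a "service/" short name expands to a full Service Principal Name, and whether the keytab vastool writes still has the documented 0600 root-owned posture, or the intended owner once it has been handed to a service user. Assumptions: the keytab basename is the service part before the slash (sql/ becomes sql.keytab under /etc/opt/quest/vas), the realm passed to build_spn is the joined domain, and either GNU or BSD stat is available on the host.

```shell
#!/bin/sh
# Added example; not product code. Checks around `vastool service create`:
# SPN expansion for a "service/" short name and keytab ownership/mode.

VAS_CONF_DIR=/etc/opt/quest/vas

# Expand "service/" into service/host@REALM as the documentation describes;
# a principal that already names a host is returned unchanged.
build_spn() {
    name=$1; host=$2; realm=$3
    case "$name" in
        */) printf '%s%s@%s\n' "$name" "$host" "$realm" ;;
        *)  printf '%s\n' "$name" ;;
    esac
}

# Keytab path for a service name (assumption: basename is the part before '/').
service_keytab_path() {
    printf '%s/%s.keytab\n' "$VAS_CONF_DIR" "${1%%/*}"
}

# Print "mode owner" for a file; GNU stat first, BSD stat as the fallback.
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1" 2>/dev/null
}

# Return 0 only when the keytab is readable by its owner alone (0600 or 0400)
# and owned by the account that is supposed to read it: root straight after
# creation, or the service user after the ownership change the text calls for.
check_keytab_perms() {
    path=$1; want_owner=${2:-root}
    set -- $(file_mode_owner "$path")
    mode=${1:-}; owner=${2:-}
    case "$mode" in
        600|400) ;;
        *) echo "$path: mode '$mode' is not 0600 or 0400" >&2; return 1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "$path: owned by '$owner', expected '$want_owner'" >&2
        return 1
    fi
    return 0
}

# Typical use after creating the sql service account (assumed host and realm):
#   build_spn sql/ "$(hostname -f)" TRUSTING.COM
#   check_keytab_perms "$(service_keytab_path sql/)" sqlservice
```

The permission check is the one to wire into a post-deployment audit: a keytab that has become group- or world-readable is equivalent to the service account's password being readable, because anyone who can read it can obtain tickets as that service.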
Deleting a service account
To delete a service account, run vastool service delete <name-of-your-service-account>. For example, to delete the sql service account, run:
vastool -u admin service delete sql/
Both the account in AD and the keytab file for the service are deleted.
To list the service principals associated with a service account, run vastool service list <name-of-your-service-account>. For example, to list the principals associated with the sql service account, run:
vastool -u admin service list sql/