Joining the domain using VASJOIN script
Rather than using the vastool join command from the command line, you can join your Unix host to Active Directory using the interactive join script, vasjoin.sh. The script walks you through the domain join process, calling the vastool join command.
The vasjoin.sh script is in /opt/quest/libexec/vas/scripts/ directory. You can use most of the standard vastool join command options when running it. However, you can run the join script with no options; it only requires that you supply the domain name and the name of a user with sufficient Active Directory privileges to perform the join.
Table 11: Common vasjoin script options
-h |
Help; displays options including how to pass vastool join options. |
-q |
Unattended or "quiet" mode; displays less verbose: no explanations, asks no questions. |
-i |
Interactive mode; prompts for common options. |
<none> |
Simple mode; installs vasclnt and vasgp with options to add license and join domain. |
To join Active Directory using the vasjoin script
-
Run the script as the root user at a shell prompt, as follows:
/opt/quest/libexec/vas/scripts/vasjoin.sh
The script ensures that your local host's time is synchronized with that of the controller in the domain you want to join (in order to satisfy Kerberos), then performs the join for you by running vastool join as follows:
vastool -u <username> join <domain-name>
-
Follow the prompts to complete the join process.
Note: Run the script in interactive mode as follows:
/opt/quest/libexec/vas/scripts/vasjoin.sh -i
In interactive mode, it prompts you for specific information and allows you to either save the resulting vastool join command in a script or execute the command immediately.
The script presents defaults as part of the prompting and, if you accept them all, the result is identical to running the script in simple mode.
The information gathered by the full, interactive mode of vasjoin.sh includes the following:
- Specific domain controllers to use
- Domain to join
- User, usually administrator, to use in joining
- Keytab file
- Confirm fixing of Kerberos clock skew, if any
- Overwrite your host's existing Active Directory ComputerName object
- Change the name of the AD ComputerName object
- AD container in which to put the ComputerName object
- Site name
- UPM mode (yes or no)
- User search path on which to look for Active Directory users
- Alternate group search path
- Workstation mode (yes or no)
- Alternate domains in which to search if you want cross-domain logins
- Self-enrollment of existing /etc/passwd users (yes or no)
-
Shows path to lastjoin (/etc/opt/quest/vas/lastjoin)
The lastjoin file contains something similar to:
/opt/quest/bin/vastool -u administrator join -f acme.com
Using manual pages (man pages)
Unix manual pages (man pages) provide help for commands and configuration files. Safeguard Authentication Services installs man pages for the following components:
- ldapmodify
- ldapsearch
- nisedit
- nss_vas
- oat
- oat_adlookup
- oat_changeowner
- oat_match
- oat_overview
- pam_defender
- pam_vas
- pam_vas_smartcard
- preflight
- uptool
- vas.conf
- vasd
- vasproxyd
- vastool
- vasypd
- vgp.conf
- vgpmod
- vgptool
Man pages are installed and configured automatically by Safeguard Authentication Services. Use the man command to access Safeguard Authentication Services man pages. For example, to access the vastool man page, enter the following at the Unix prompt:
man vastool
Alternatively, you can access the Safeguard Authentication Services man pages in HTML format by navigating to the docs/vas-man-pages directory on the distribution media.
The configuration file
Safeguard Authentication Services uses /etc/opt/quest/vas/vas.conf as its main configuration file. You can modify, enable, or disable most Safeguard Authentication Services functionality in the vas.conf file.
The Safeguard Authentication Services configuration file follows the format of the typical krb5.conf. The file is divided into sections. Each section contains a name enclosed in square brackets followed by a list of settings. Settings are key value pairs. For example:
[vasd]
workstation-mode = false
In this example, [vasd] is the section name and workstation-mode is the setting.
For a complete list of all settings, refer to the vas.conf man page.
You can centrally manage and enforce vas.conf settings using Group Policy. For more information, see Configuration policy..
Unix login syntax
Users logging in to Unix hosts using Active Directory credentials must identify themselves using a user name. You can specify either the configured Unix Name of the Active Directory user or a combination of the domain and sAMAccountName attribute.
You can configure the Active Directory attribute used for Unix Name. By default, with the Windows 2003 R2 schema, the Unix Name is mapped to sAMAccountName. If you map the Unix Name to the user principal name attribute, the user can log in with either the full UPN or just the user portion of the UPN (that is, the portion before the @ symbol) for backward compatibility.
Users can always log in using a combination of domain and sAMAccountName. Cross-forest login requires the user to specify domain and sAMAccountName unless you have configured the cross-forest-domain option in vas.conf. The following formats are accepted when authenticating:
- DOMAIN\sAMAccountName (you may need to escape the \ depending on the shell)
- sAMAccountName@DOMAIN
You can specify DOMAIN as either the full DNS domain name (example.com) or the NETBIOS domain name (EXAMPLE).
Note: A Unix Name that ends with a / is not valid. Names that end with a / are reserved for services on Unix hosts.