Return
-
Title
Is a computer object in Active Directory in order to authenticate with QAS? When unjoining the client is there a way to leave the object in AD? -
Description
Is a computer object in Active Directory in order to authenticate with QAS? When unjoining the client is there a way to leave the object in AD? -
Resolution
You do need a computer object in AD in order to be able to login with an AD account to the unix client. You do not need to remove the computer object from AD when unjoining from the domain. You can do a vastool -u <adadmin account> unjoin -l[root@lab]# vastool unjoin -hUsage: vastool unjoin [-fl] [-n computer] [--skip-config]-f Force unjoin if computer object does not exist-l Leave the computer object in AD after an unjoin-n computer Name of computer object--skip-config Skip automatic unconfiguration of PAM, NSS, LAM and SIABefore unjoining you may want to try a rejoin which is the following command example: vastool -u <adadmin> join -f <yourdomain.com>Here is the help for the join command:Usage: vastool join [-flwUG] [-h string] [-n computer] [-c container] [-r string] [-u string] [-g string] [-s string] [-p string] [--skip-config][--preload-nested-memberships] [--site-only-usn] [--site-only-servers] [--no-timesync] [--autogen-posix-attrs] domain_name [domain_controllers]-n computer Specify name of computer object-c container LDAP DN of the container where the computer will be created-f Overwrite existing computer object-l Don't apply Group Policy Settings (if Group Policy is installed)-w Enable workstation mode - users will not be cached until theylogin-U Load all users from the global catalog-G Load all groups from the global catalog-r string Comma-separated list of cross forest domains (cross-forest-domains)-u string Specify an alternate search path from which to populate theusers cache-g string Specify an alternate search path from which to populate thegroups caches-s string Specify the site name for this machine-p string Specify the path of the Primary Personality Container--skip-config Skip automatic configuration of PAM, NSS, LAM and SIA--preload-nested-memberships After loading users and/or groups, query tokenGroups for all cached users. NOTE: This is deprecated, the default is enabled--site-only-usn Deprecated, use the "--site-only-servers" option.--site-only-servers Restricts all LDAP searches to servers in this machine's site (no out of site failover).--no-timesync Skip automatic time synchronization--autogen-posix-attrs Automatically generate POSIX IDs for Active Directory users