Will QAS authentication work between forests if the appropriate trusts are in place?
From the "Cross-Forest Authentication" section of the Admin Guide, page 42:
"Authentication Services supports cross-forest authentication as long as a trust exists between the two forests. You must configure both forests for Authentication Services. (For more information, refer to the Authentication Services Installation Guide.)"
In addition to the 'cross-forest-authentication' setting, you may also wish to include settings for search paths. There are user and group search paths. Examples are below. Note: It is possible to configure these via GPO in AD.
user-search-path = <DN>[;<DN>]...
Default value: entire AD domain the host is joined to
This option can be used to specify a list of Active Directory
containers that vasd will use to load users from initially. The
option value must be a semicolon-separated list of distinguished
names. Normally these will be organizational units, but they can be
any Active Directory container that can contain user objects. vasd
will only load Unix-enabled users from this path, not User
Personalities. The containers may be from any domain that the
computer object used by vasd can search.
Users are not restricted to these paths. Any valid user can still
log in. Note that you can set this option when running vastool join
with the -u vastool join option. When this option is changed
directly in the vas.conf file, vastool flush must be run for the
change to take effect. The following example shows how to configure
vasd to load users from two OUs from different domains.
[vasd]
user-search-path = OU=unix,DC=example,DC=com; OU=unix,DC=sub,DC=example,DC=com
group-search-path = <DN>[;<DN>]...
Default value: The entire AD domain the host is joined to
This option is used to specify a list of Active Directory containers
that vasd will use to load groups from initially. The option value
must be a semicolon-separated list of distinguished names. Normally
these will be organizational units, but they can be any Active
Directory container that can contain group objects. vasd will only
load Unix-enabled groups from this path, not Group Personalities.
The containers may be from any domain that the computer object used
by vasd can search.
Groups are not restricted to these paths. Any valid group can still
be cached and used. Note that you can set this option when running
vastool join with the -g vastool join option. When this option is
changed directly in the vas.conf file, vastool flush must be run for
the change to take effect. The following example shows how to
configure vasd to load groups from two OUs from different domains.
[vasd]
group-search-path = OU=unix,DC=example,DC=com; OU=unix,DC=sub,DC=example,DC=com
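The following Python check is an added example, not taken from the Admin Guide or the product. It reads the [vasd] search paths in the format shown above, verifies that each entry is a well-formed DN, and reports which AD domain each entry points at, which helps when reviewing paths that span domains or forests. The sample file, the expected-domain set, the handling of "#" comment lines and the simplified DN check (no escaped commas) are assumptions.

```python
import re

# Constructed sample in the page's [vasd] format; the last group DN is deliberately malformed.
SAMPLE_VAS_CONF = """\
[vasd]
user-search-path = OU=unix,DC=example,DC=com; OU=unix,DC=sub,DC=example,DC=com
group-search-path = OU=unix,DC=example,DC=com; OU=unix,sub.example.com
"""

SEARCH_KEYS = ("user-search-path", "group-search-path")
# Simplified RDN shape (assumption): attribute type, '=', value without separators.
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,;=]+$")

def read_section(text, section="vasd"):
    """Return the key/value pairs of one [section] from vas.conf-style text."""
    current, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # comment syntax is an assumption
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            values[key.strip()] = value.strip()
    return values

def dn_domain(dn):
    """Return the DNS domain built from DC= components, or None if malformed or absent."""
    rdns = [part.strip() for part in dn.split(",")]
    if not all(RDN.match(part) for part in rdns):
        return None
    dcs = [part.split("=", 1)[1] for part in rdns if part.upper().startswith("DC=")]
    return ".".join(dcs).lower() or None

def audit_search_paths(text, expected_domains):
    """Return (key, dn, domain, status) for every search-path entry in [vasd]."""
    findings = []
    vasd = read_section(text)
    for key in SEARCH_KEYS:
        for dn in filter(None, (d.strip() for d in vasd.get(key, "").split(";"))):
            domain = dn_domain(dn)
            status = ("malformed-dn" if domain is None
                      else "ok" if domain in expected_domains else "unexpected-domain")
            findings.append((key, dn, domain, status))
    return findings

if __name__ == "__main__":
    for row in audit_search_paths(SAMPLE_VAS_CONF, {"example.com", "sub.example.com"}):
        print(row)
```

Because users and groups are not restricted to these paths, this is a configuration sanity check and not a statement of who can log in.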