Information and guidelines on how to include users and groups from other domains or forests.
Cross-domain, single forest
As a general rule, the VAS client will only use "Unix enabled" security groups that reside in the same domain as the VAS client, or in the default account domain for the VAS client.
Each Unix host running VAS builds a persistent cache of user and group information. By default, the cache is built from users and groups in the same domain to which the Unix host is joined. It is possible to change the searchbase from which the users or groups are loaded by using the group-search-path and user-search-path options. These search paths can either restrict the location from which the users and groups are loaded, or specify a searchbase in an entirely different domain. This is useful in organizations that use Resource Domains, where computer objects are stored in a separate domain from the domains where users and groups are located.
You can specify a group or user search path using the -g or -u options to the vastool join command. For example, the following command joins the Unix host to the computers.example.com domain, and loads users from the base of the sub.example.com domain:
# /opt/quest/bin/vastool -u admin join -u DC=sub,DC=example,DC=com computers.example.com
You can change the default user or group searchbase at any time by adding the group-search-path and user-search-path options to the [vasd] section of /etc/opt/quest/vas/vas.conf, and running vastool flush.
See the vas.conf man page for an example.
Make sure that AD trust is working between the domains. See Microsoft for further details on this.
-----------------------------------------------------------------------------------------------------
Cross-Forest Authentication
Administrators can configure the VAS client so that users from one forest can log in to a host in another forest as long as trust exists between the two forests.
To use cross-forest authentication using only simple names, you must enable the cross-forest-domains option in vas.conf.
The following is an example of how to configure the cross-forest-domains option:
[vasd]
cross-forest-domains = xforest1.example.com
Note that you should only include the other domain in the other forest (do not include the joined forest/domain).
This can be set at join time using the -r option.
E.g.
/opt/quest/bin/vastool -u <admin user> join -r <cross forest domain>,<cross forest domain> <domain>
You can also run the following command to add this option to vas.conf:
/opt/quest/bin/vastool configure vas vasd cross-forest-domains <domain name>
Vastool schema will look for separate QAS application Containers (QAC) for the forests in order to determine which attributes are to be used.
If a QAC does not exist in either forest, then it assumes that the samaccountname should be used for the logon name.
Look at the vas.conf man page for the various options that can be used in cross-domain scenarios.
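As an added example (not One Identity's code and not part of vastool), the following POSIX shell functions read a constructed vas.conf and check the two [vasd] settings described on this page: that user-search-path is an LDAP DN, and that cross-forest-domains does not list the joined domain. The joined domain is passed in by the caller rather than queried from vastool.

```shell
#!/bin/sh
# Added example, not One Identity's code. Assumes "key = value" (or "key=value")
# lines inside a [vasd] section; the joined domain is supplied by the caller.

# Print the value of one key from the [vasd] section of a vas.conf file.
vasd_option() {  # vasd_option <conf-file> <key>
    awk -v key="$2" '
        /^[ \t]*\[/ { in_vasd = ($0 ~ /^[ \t]*\[vasd\][ \t]*$/); next }
        in_vasd {
            line = $0; sub(/^[ \t]+/, "", line)
            k = line; sub(/[ \t]*=.*$/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, "", line); print line; exit }
        }
    ' "$1"
}

# Succeed only if cross-forest-domains is set and does not contain the joined
# domain (the joined forest/domain must not be listed, per the note above).
check_cross_forest() {  # check_cross_forest <conf-file> <joined-domain>
    domains=$(vasd_option "$1" cross-forest-domains)
    [ -n "$domains" ] || { echo "cross-forest-domains not set" >&2; return 1; }
    echo "$domains" | tr ',' '\n' | sed 's/^[ \t]*//' | grep -qix "$2" && {
        echo "cross-forest-domains must not include the joined domain $2" >&2
        return 1
    }
    return 0
}

# Succeed only if user-search-path is a DN made of DC= components,
# e.g. DC=sub,DC=example,DC=com as used with 'vastool join -u'.
check_search_path() {  # check_search_path <conf-file>
    path=$(vasd_option "$1" user-search-path)
    echo "$path" | grep -Eqi '^DC=[^,]+(,DC=[^,]+)*$'
}

# Constructed sample configuration for demonstration only.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[libdefaults]
default_realm = COMPUTERS.EXAMPLE.COM

[vasd]
user-search-path = DC=sub,DC=example,DC=com
cross-forest-domains = xforest1.example.com
EOF

if check_cross_forest "$sample_conf" computers.example.com && check_search_path "$sample_conf"; then
    echo "[vasd] cross-domain settings look consistent; safe to run vastool flush"
fi
```

On a real host point the functions at /etc/opt/quest/vas/vas.conf and pass the domain the host is joined to.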
© 2024 One Identity LLC. ALL RIGHTS RESERVED.