Preflight man page
Name
preflight — check a host's suitability to run the QAS client and daemons.
Synopsis
preflight [-h | --help | --man | -v] [--verbose] [-u [username]] [-s | -w password] [-t timeout] [-S] [CHECK_OPTIONS] {domain} [DC...]
Overview
The preflight utility verifies a number of environmental considerations of the host platform to determine whether it is suitable for running QAS software including binaries, daemons and scripts. This utility obtains answers to the following questions:
Does QAS support the host on which this utility is being run? Are the OS and any patches at the requisite levels?
Is DNS set up and functioning correctly?
Is there at least one visible domain controller (DC)?
Are global catalogs available on any of the domain controllers?
Are all services needed by QAS available?
Is a QAS application container set up on the target domain?
Options
-h
Display the help message and exit
--help
Display the help message and exit
--man
Display the manpages and exit
-v
Display the preflight version and exit
--verbose
Display all information; by default only warnings and section results are displayed
-u username
User or principal to perform checks
-s
Read the password from standard input
-w password
Password used to authenticate; if -s is specified, -w is ignored
-t timeout
Timeout for port checks; the default is 5 seconds
-S
Perform timesync if needed
domain
The Active Directory domain to run checks against
DC
Domain controllers to run checks against
CHECK_OPTIONS
Check options may be specified to perform only requested checks. By default, all checks are performed. Some checks that you specify may require that other checks also be performed. This means that multiple checks may be reported when only one check was specified. Checks will be performed in the order listed below regardless of the order specified on the command line.
--os-patch
Check for supported operating system and correct operating system patches
--disk-space
Check for sufficient disk space to install QAS
--hostname
Check that the hostname of the system is not 'localhost'
--name-service
Check if the name service is configured to use DNS
--host-resolve
Check resolv.conf for proper formatting of name service entries and that the host can be resolved
--srv-records
Check for a name server that has the appropriate DNS SRV records for Active Directory
--dc
Detect a writable domain controller with UDP port 389 open
--site
Detect Active Directory site if available
--kerberos-password
Check if TCP port 464 is open for Kerberos kpasswd
--kerberos-traffic
Check if UDP port 88 and TCP port 88 are open for Kerberos traffic
--ldap
Check if TCP port 389 is open for LDAP
--global-catalog
Check for a global catalog server and if TCP port 3268 is open for communication with global catalog servers
--timesync
Check for a valid time skew against Active Directory
--app-configuration
Check for the QAS application configuration in Active Directory
--ms-cifs
Check if TCP port 445 is open for Microsoft CIFS traffic
Additional Information
This section provides additional information for some of the preflight options and checks.
-u principal
Sets the principal name to authenticate as when the preflight command needs to access Active Directory. If the caller has root access, "host/" can be specified and preflight will authenticate as the computer object on which preflight is running.
If -u is not used, then preflight will authenticate as the calling user, and will attempt to reuse Kerberos tickets from the user's credentials cache. If -u is specified, then no existing credentials cache will be used, and new tickets obtained will not be saved to disk.
-s
This option allows you to read the password from standard input. The following example shows how you could use preflight from another process that has already obtained a user's password. Note that putting passwords on the command line is a serious security hole. Most scripting languages provide facilities for using the standard input pipe with a child process, which is the preferred mechanism for working with the preflight -s option.
$ preflight -u jdoe -s example.com < $jdoe_passwd
-w password
This option allows you to pass in a password on the command line. Please note that this may be a security hole in a production environment, as it may be possible for another user to obtain the password from the argument list by examining the process record (using ps, for example). If automation is required for scripts, either a keytab or the -s option should be used to read the password from a file that is protected with appropriate permissions.
-t timeout
This option allows you to change the time allowed before any port testing will timeout. The default is 5 seconds.
-S
This option allows you to timesync with the domain controller. Unless the time difference between the computers is within acceptable limits, communication will fail. This option has no effect unless the --timesync check described below is performed.
DC
The domain controller for the specified domain will be automatically detected through DNS and LDAP lookups. Alternatively, you may specify the domain controllers to use by listing them after the Active Directory domain. These servers will be used in all lookups and DNS will be disabled for all checks.
--os-patch
The QAS agent should be installed on a supported operating system that has the required operating system patches. The list of supported operating systems can be found online at Quest Authentication Services Platform Support.
--disk-space
This will perform a check to ensure that there is a minimum amount of disk space so that the QAS client software can be installed and function properly. QAS requires disk space in /opt, /etc, and /var to install.
--hostname
This will check that the hostname of the host is not 'localhost'. In order to maintain uniqueness of computer names in Active Directory, it is recommended that this machine's hostname be made unique. Another option is to use -n computer_name when joining; see the vastool(1) manual page.
--name-service
QAS uses Active Directory information in DNS for redundancy and fault tolerance when communicating with Active Directory. To take advantage of this the host should be configured to use DNS. This check will look at the nsswitch.conf file (netsvc.conf on AIX) to see if the required entries are present.
--host-resolve
This will check the resolv.conf file to see if name server entries are present and can be resolved. It also checks that the domain can be resolved using gethostbyname(). UDP port 53 needs to be open for this to succeed.
--srv-records
This check will determine whether preflight can retrieve SRV records from DNS. To take advantage of automatic detection and failover the host should be pointed to at least one name server that contains Active Directory SRV information. UDP port 53 needs to be open for this to succeed.
--dc
Detects a writable domain controller from the SRV records returned by the --srv-records check. QAS can work with read-only domain controllers, but the computer object must have already been created with the proper settings in Active Directory. If a domain controller is passed on the preflight command line, preflight will check that UDP port 389 is open on that domain controller and that the domain controller is writable.
--site
This will look for a site in the domain that your machine would be configured to use. QAS will perform better if site information is configured in Active Directory.
--kerberos-password
Check if TCP port 464 is open for Kerberos kpasswd. This port must be open in order for QAS to set the computer object's password. QAS generates a random string for the password, and the host.keytab is populated with keys derived from that password.
--kerberos-traffic
Check if UDP port 88 and TCP port 88 are open for Kerberos traffic. These ports are the main Kerberos communication channels; they must be open for QAS to authenticate to Active Directory. By default QAS uses UDP, with TCP failover for larger packets. A vas.conf setting, [libvas] use-tcp-only, can be set to force QAS to only use TCP if UDP is blocked or is dropping fragmented packets.
--ldap
Check if TCP port 389 is open for LDAP. This port must be open for QAS to communicate with domain controllers using LDAP. This communication is GSS SASL encrypted and signed.
--global-catalog
Check for a global catalog server and if TCP port 3268 is open for communication with global catalog servers. QAS will make use of global catalog servers if available. It is recommended but not required for basic behavior that this port be open. If it is closed QAS will be unable to resolve Active Directory users and groups from domains in the forest other than the one to which the host is joined.
--timesync
Check for a valid time skew against Active Directory. If the skew between the host and the domain controller is too great, Kerberos traffic will not succeed. This check will automatically sync the time if -S is specified and the application is run with root permissions.
--app-configuration
Check for the QAS application configuration in Active Directory. If it is not configured, use QAS Control Center on a Windows machine to create the necessary application configuration.
--ms-cifs
Check if TCP port 445 is open for Microsoft CIFS traffic. One advantage of QAS is the ability to use its extensions to Microsoft Group Policy for configuration management. In order to use Group Policy, this port must be open to allow QAS to use the CIFS protocol to download Group Policy objects from domain controllers.
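As an added example (not code from the preflight utility or from One Identity), the following Python script mirrors the TCP port checks and the --timesync skew check described above: a connect with a per-port timeout like -t, run in the documented order over the TCP ports this manual page lists. The loopback host, the local listener, the released port and the 300-second skew limit are constructed assumptions so that it runs offline without a real domain controller.

```python
import socket
# TCP ports the man page lists per check; UDP ports (53, 88, 389) are left out
# because a UDP connect() cannot confirm reachability without a protocol probe.
REQUIRED_TCP_PORTS = {
    "kerberos-password": 464,  # --kerberos-password (kpasswd)
    "kerberos-traffic": 88,    # --kerberos-traffic (TCP side)
    "ldap": 389,               # --ldap
    "global-catalog": 3268,    # --global-catalog
    "ms-cifs": 445,            # --ms-cifs (Group Policy download)
}

def tcp_port_open(host, port, timeout=5.0):
    """True if a TCP connect to host:port completes within timeout seconds
    (5 s mirrors the man page's default for -t)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def check_ports(host, ports=REQUIRED_TCP_PORTS, timeout=5.0):
    """Run the port checks in the man page's fixed order; returns {check: bool}."""
    return {name: tcp_port_open(host, port, timeout) for name, port in ports.items()}

def time_skew(local_epoch, dc_epoch, max_skew=300):
    """--timesync style check on two clock readings (seconds since the epoch).
    Returns (skew_seconds, ok). max_skew=300 is an assumption borrowed from the
    common Kerberos clock-skew default; the man page gives no number."""
    skew = abs(local_epoch - dc_epoch)
    return skew, skew <= max_skew

def start_listener():
    """Constructed stand-in for an open DC port: ephemeral local TCP listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]

def closed_port():
    """Constructed stand-in for a blocked port: reserve and release an ephemeral
    port so that a later connect() to it is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    srv, open_port = start_listener()
    demo = {"ldap": open_port, "ms-cifs": closed_port()}  # constructed port map
    for check, ok in check_ports("127.0.0.1", demo, timeout=2).items():
        print(f"{check:>10}: {'open' if ok else 'CLOSED'}")
    srv.close()
    print("time skew:", time_skew(1_700_000_000, 1_700_000_120))  # (120, True)
```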
Authors
Protected by U.S. Patent Nos. 7,617,501, 7,895,332, 7,904,949. Patents pending.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.