To prevent Safeguard Authentication Services from resolving netgroup data from the name service module
-
Run the following command as root to remove name service netgroup support:
vastool configure vas vasd netgroup-mode
-
Run the following command as root to configure the Safeguard Authentication Services name service module:
-
On Linux, Oracle Solaris, or HP-UX:
vastool unconfigure nss netgroup
-
On AIX:
vastool unconfigure irs netgroup
-
Run the following command as root to configure the Safeguard Authentication Services name service module:
-
On Linux, Oracle Solaris, or HP-UX:
vastool configure nss
-
Flush the netgroup caches by running the following command as root:
vastool flush netgroup
To minimize network traffic and load on Active Directory, Safeguard Authentication Services maintains a local cache of user and group data.
You can force Safeguard Authentication Services to immediately reload the cache by running the following command as root:
vastool flush
Note: When you run vastool flush the entire user and group cache database is reloaded from Active Directory. This can generate a significant amount of network traffic so use this command sparingly.
It is not uncommon for systems to generate hundreds of user and group lookup requests per second. Because of this, Safeguard Authentication Services enforces a "blackout period" during which all name service requests are resolved from the local cache. By default, the blackout period is set to 10 minutes. This means that changes to UNIX account information in Active Directory may take up to 10 minutes to propagate to Safeguard Authentication Services clients.
There are two events that cause Safeguard Authentication Services to update the local cache:
You can adjust the blackout period by changing the update-interval setting in the [vasd] section of vas.conf. For an example, see the vas.conf man page. For information about accessing the vas.conf man page, see Using manual pages (man pages). In small installations (less than 100 hosts or less than 100 users) you can safely reduce the blackout period. In larger installations it is recommended that the blackout period remain at the default value or set to 30 minutes or 1 hour.
Regardless of the blackout period, you can reset the blackout period timer by signaling vasd with SIGHUP, using the vasd init script to restart vasd, or by executing vastool flush.
To force Safeguard Authentication Services to update the cache immediately regardless of the blackout period, run this command:
vastool flush -f {users|groups}
Safeguard Authentication Services provides the ability to authenticate an Active Directory user to a UNIX system even when Active Directory is unavailable. For example, because Safeguard Authentication Services supports disconnected authentication, you can still log into your laptop when you are traveling and your laptop does not have connectivity to Active Directory.
Safeguard Authentication Services supports several options for disconnected authentication. Two types of disconnected authentication modes are the default disconnected authentication mode and permanent-disconnected authentication mode.
Default disconnected authentication mode
By default, Safeguard Authentication Services relies on a previous successful authentication attempt when the computer was not in disconnected mode. The successful authentication caches a sha256 hash of the user’s password. Safeguard Authentication Services uses this hash to validate the user’s password when it is in disconnected mode for one of the following reasons:
-
The computer is physically disconnected from the network or the network is down.
-
The computer object has been deleted.
Note: If the host's computer object has been deleted, then Safeguard Authentication Services can no longer authenticate with Active Directory. The solution to this problem is to recreate the computer object, then restart vasd.
-
The host keytab file (/etc/opt/quest/vas/host.keytab) is missing or invalid.
Note: If the host keytab is deleted or becomes corrupt, then Safeguard Authentication Services can no longer authenticate with Active Directory. The solution to this problem is to delete then recreate the computer object and restart vasd.
-
The Active Directory server is down or object unreachable.
You can disable the default disconnected authentication mode by setting allow-disconnected-auth to false in the vas.conf. For more information, see the vas.conf man page.
Permanent-disconnected authentication mode
There are situations where a UNIX system administrator may be responsible for a large number of UNIX systems. In the default mode, you need to log in to every UNIX system at least once to be able to log in to the systems in a disconnected state. In a large environment with hundreds or thousands of UNIX systems, this requirement would be impractical. Safeguard Authentication Services has added a feature called Permanent-disconnected authentication mode. This mode does not require a previously successful authentication, that is, users or group of users can log into a UNIX system in a disconnected state even if they had never logged into the UNIX system in the past.
Before you configure permanent-disconnected authentication mode in the vas.conf file, you must first set the service principal name (SPN) for each user who will authenticate using this mode. You can set the SPN by using a tool like the Microsoft Active Directory Service Interfaces Editor (ADSI Edit), or by issuing a vastool command such as the following:
vastool <username> setattrs - u <username> servicePrincipalName "user/<username>@<DomainName>"
Note: The content of the service principal name is unimportant; it just needs to conform to the format of servicePrincipalName.
Configure the permanent-disconnected authentication mode in addition to the default disconnected authentication mode on a per user or group basis by specifying perm-disconnected-users in the vas.conf. For more details, see the vas.conf man page. These perm-disconnected-users have encrypted credentials pre-cached when the Safeguard Authentication Services caching daemon starts the first time (immediately upon join if the users are configured as perm-disconnected-users by means of group policy). Typically you configure permanent-disconnected authentication mode to ensure that a certain group of system administrators can access a system, even if the first time they attempt access it is disconnected from the network.
Safeguard Authentication Services continues to operate normally in disconnected mode; thus, it may be difficult to know whether Safeguard Authentication Services is in disconnected mode. Safeguard Authentication Services creates log entries in the system log each time the connection mode changes.