a) First of all, set up hostname mappings in /etc/hosts to achieve name resolution for the domain and AD domain controller(s). For example:
192.168.0.1 dc01.example.com dc01.example.com. dc01 example.com
Note the trailing "." in "dc01.example.com." above. A trailing dot marks the name as fully qualified, which tells the resolver not to apply the search-domain expansion from /etc/resolv.conf.
b) /opt/quest/bin/vastool configure vas libvas use-dns-srv false
c) /opt/quest/bin/vastool configure vas libvas use-srvinfo-cache false
d) /opt/quest/bin/vastool configure realm {domain name} {server fqdn} [{server fqdn} {server fqdn} ..]
(these servers should already have been specified in /etc/hosts in step a)
or, vastool configure extra-realm {domain name} {server fqdn} [{server fqdn} {server fqdn} ..]
e) /etc/init.d/vasd restart
- VAS's default configuration uses DNS in two ways:
1) DNS SRV lookups to locate AD DCs
2) Resolving hostnames to IP addresses when communicating with DCs.
You can avoid using DNS with VAS entirely by specifying one or more join servers when running vastool join, and by putting the hostname mappings into /etc/hosts.
As stated above in 'Resolution', if you want to use hard coded server configurations, you should set use-dns-srv and use-srvinfo-cache to false.
- "vastool configure realm" takes a list of server names; these servers will be used as the Active Directory servers for the given realm. It also modifies /etc/opt/quest/vas/vas.conf so that the given realm name becomes your default realm. In Active Directory terms, the realm is the domain name of the domain this computer will be a member of.
"vastool configure extra-realm" can be used to configure other domains if you need to support multiple servers in your Active Directory tree. This will add information for these realms, but it will not make the new realm the default realm.
- As a bare minimum, TCP ports 88, 389, and 464 must be open to the Active Directory server, along with the return traffic on the ephemeral ports.
Use iptables to block all other outbound traffic (chain and target names are case-sensitive, so OUTPUT and ACCEPT must be upper case; the final DROP must come after the ACCEPT rules):
iptables -A OUTPUT -p tcp --dport 88 -d dc01.example.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 389 -d dc01.example.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 464 -d dc01.example.com -j ACCEPT
iptables -A OUTPUT -j DROP
This simulates a DMZ, with only the absolute essentials open.
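The following script is an added example and is not One Identity's own tooling. It wraps steps a) through e) and the iptables rules above into reusable shell functions that handle more than one domain controller: hosts_line builds an /etc/hosts entry with the trailing-dot trick, hosts_has_all checks that every DC you are about to pass to "vastool configure realm" is already mapped in a hosts file (step a must precede step d), configure_realm runs the vastool commands, and egress_rules emits the ACCEPT rules for ports 88, 389 and 464 per DC followed by the final DROP. The path /opt/quest/bin/vastool and the port list come from the page; the function names, the DRY_RUN/DEMO switches and the sample values 192.168.0.1, dc01.example.com and dc02.example.com are assumptions made for this example. With DRY_RUN=1 (the default) commands are printed, not executed.

```shell
#!/bin/sh
# Added example (not One Identity's script): DNS-free VAS configuration for
# one or more domain controllers, plus matching OUTPUT-chain egress rules.
# DRY_RUN=1 (default) prints each privileged command instead of running it.

VASTOOL=${VASTOOL:-/opt/quest/bin/vastool}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step a: build an /etc/hosts line "IP FQDN FQDN. SHORT DOMAIN". The copy of
# the FQDN with a trailing dot stops resolv.conf search-domain expansion.
hosts_line() {
    ip=$1; fqdn=$2
    short=${fqdn%%.*}      # dc01
    domain=${fqdn#*.}      # example.com
    printf '%s %s %s. %s %s\n' "$ip" "$fqdn" "$fqdn" "$short" "$domain"
}

# Precondition check for step d: every DC name must appear as a hostname on a
# non-comment line of the given hosts file. Returns 0 if all are present.
hosts_has_all() {
    file=$1; shift
    missing=0
    for dc in "$@"; do
        esc=$(printf '%s' "$dc" | sed 's/\./\\./g')   # literal dots in the regex
        grep -Eq "^[^#]*[[:space:]]$esc([[:space:]]|\$)" "$file" \
            || { echo "not mapped in $file: $dc" >&2; missing=1; }
    done
    return $missing
}

# Steps b-e: disable DNS SRV lookups and the SRV cache, hard-code the realm's
# servers, then restart vasd so the new vas.conf takes effect.
configure_realm() {
    domain=$1; shift
    run "$VASTOOL" configure vas libvas use-dns-srv false
    run "$VASTOOL" configure vas libvas use-srvinfo-cache false
    run "$VASTOOL" configure realm "$domain" "$@"
    run /etc/init.d/vasd restart
}

# Egress rules: ACCEPT TCP 88, 389 and 464 to each DC, then DROP everything
# else leaving the host. The DROP is appended last so it never shadows the
# ACCEPT rules; -d resolves the DC name via /etc/hosts at insertion time.
egress_rules() {
    for dc in "$@"; do
        for port in 88 389 464; do
            run iptables -A OUTPUT -p tcp --dport "$port" -d "$dc" -j ACCEPT
        done
    done
    run iptables -A OUTPUT -j DROP
}

# Demo (dry run): DEMO=1 sh this_script.sh
if [ "${DEMO:-0}" = 1 ]; then
    hosts_line 192.168.0.1 dc01.example.com
    configure_realm example.com dc01.example.com dc02.example.com
    egress_rules dc01.example.com dc02.example.com
fi
```

To apply for real, write the hosts_line output to /etc/hosts first, run hosts_has_all /etc/hosts against the DC list, and only then call configure_realm and egress_rules with DRY_RUN=0 as root. Note that with several DCs each hosts_line repeats the bare domain alias; /etc/hosts uses the first match, so that alias will resolve to the first DC listed.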
© 2025 One Identity LLC. ALL RIGHTS RESERVED.