Manually setting up QAS for oneway trusts
How do I configure QAS for a oneway trust?
Other than the AD trust, two things need to be done on the QAS clients:
1- Create a user/service account in the trusted domain (where yourdomain.com is the domain the QAS client is joined to).
It can be created with a command similar to the one below:
# /opt/quest/bin/vastool -u administrator@trusted.com service create oneway/yourdomain.com@TRUSTED.COM
This creates a user/service account in the trusted.com domain (the account will be named yourdomain-oneway) and creates a corresponding keytab on the local machine at:
/etc/opt/quest/vas/oneway.keytab
2- vas.conf configuration
The /etc/opt/quest/vas/vas.conf file must reference the oneway keytab and contain the configuration for the trusted domain.
An example of the configuration is below:
[vas_host_services]
trusted.com = {
krb5name = oneway/yourdomain.com@TRUSTED.COM
keytab=/etc/opt/quest/vas/oneway.keytab
use-for-auth = 0
}
The keytab and the vas.conf configuration need to be present on each QAS machine.
To populate vas.conf, you can use the following command, or the settings can be applied through Group Policy (Unix Settings | Quest Authentication Services | Client Configuration | QAS Configuration | Configure under the [vas_host_services]):
# /opt/quest/bin/vastool configure vas vas_host_services stanza TRUSTED.COM krb5name=oneway/yourdomain.com@TRUSTED.COM use-for-auth=0
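A check that can be run on each QAS machine once both steps are done, given here as an added example (it is not Quest or One Identity tooling). The function names stanza_value and audit_oneway are hypothetical, and two things are assumptions of this example rather than statements from the article: the domain name is matched case-insensitively, and the keytab is expected to have no group or other permissions because it holds the service account's key.

```shell
#!/bin/sh
# Added example: audit the one-way trust stanza and keytab described above.
# Function names are hypothetical; the file paths are supplied by the caller.

# stanza_value CONF DOMAIN KEY
# Print KEY's value from the "DOMAIN = { ... }" block inside
# [vas_host_services]; print nothing when the block or key is absent.
stanza_value() {
    awk -v dom="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[vas_host_services\]/); inblk = 0; next }
        insec && /[{]/ {
            name = $0; sub(/[ \t]*=.*/, "", name); gsub(/^[ \t]+/, "", name)
            # Assumption: domain names are compared case-insensitively.
            inblk = (tolower(name) == tolower(dom)); next }
        insec && /[}]/ { inblk = 0; next }
        inblk {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            k = line; sub(/[ \t]*=.*/, "", k)
            if (k == key) { v = line; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }' "$1"
}

# audit_oneway CONF DOMAIN
# Return 0 when the stanza is complete and the keytab it names exists
# and is not accessible to group or other.
audit_oneway() {
    conf=$1 dom=$2 rc=0
    princ=$(stanza_value "$conf" "$dom" krb5name)
    kt=$(stanza_value "$conf" "$dom" keytab)
    auth=$(stanza_value "$conf" "$dom" use-for-auth)
    [ -n "$princ" ] || { echo "FAIL: no krb5name for $dom in $conf"; rc=1; }
    [ "$auth" = 0 ] || { echo "FAIL: use-for-auth is '$auth', the article sets 0"; rc=1; }
    if [ -z "$kt" ]; then echo "FAIL: no keytab configured for $dom"; rc=1
    elif [ ! -f "$kt" ]; then echo "FAIL: keytab $kt is missing"; rc=1
    else
        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$kt" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "FAIL: $kt is open to group/other"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dom uses $princ with $kt"
    return "$rc"
}

# Usage: sh audit.sh /etc/opt/quest/vas/vas.conf trusted.com
if [ "$#" -eq 2 ]; then audit_oneway "$1" "$2"; fi
```

A non-zero exit on any machine means the keytab or the stanza from step 1 or 2 did not land there as expected.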
Refer to Quest Solution 65747 for more information on oneway trusts:
https://support.quest.com/kb/65747