Information for Disaster Recovery
It is recommended to have permanently disconnected users set up before a disaster occurs. During disaster recovery, when you restore a system with Authentication Services installed on it, confirm that the database files were restored in a good state by listing the cached users with the /opt/quest/bin/vastool list users command. A user must have logged on to the system at least once previously so that a copy of the encrypted password is stored in the cache. If a user is unsure of their password while in disconnected mode, an administrator with root access can reset the user's cached password by running the following command:
# vastool passwd -c jdoe
The Authentication Services database files are in /var/opt/quest/vas. The database is also referred to as the cache. The database files end with the extension .vdb and are sqlite3 database files.
Here is some information on caching and disconnected mode:
Quest Authentication Services (QAS) uses persistent client-side storage to cache frequently accessed user account information. The persistent cache allows QAS to be configured to continue working even when it loses contact with the Active Directory server.
pam_vas provides disconnected authentication, which means that users can continue to access Unix systems even when Active Directory is not available. In this situation, the Unix identity will not be updated by vasd, but the cached identity and group information will still be available from the QAS caches. There are two modes of disconnected authentication, persistent and non-persistent. Non-persistent disconnected authentication requires that users have previously logged into the system and authenticated against AD.
In this case, a SHA-1 hash of their password will be stored in a secure cache that is only readable by the root user. This hash will then be used in subsequent disconnected authentication attempts. By default, this mechanism is used for all users. This mode also requires that users continue to log in while in connected mode. By default, if no connected login has occurred for 30 days, then the cached password hash will be deleted. This time frame can be modified with the password-cache-age option in the [vas_auth] section of /etc/opt/quest/vas/vas.conf.
The value for this option should be the number of days after which cached password hashes should be deleted. Persistent disconnected authentication allows users to log in in disconnected mode without having logged in to the machine previously. This mechanism uses cached Kerberos tickets to validate the users during the disconnected authentication attempt. This provides disconnected authentication for environments where a small number of users manage large numbers of machines, and don't necessarily access all of those machines before there is a need for disconnected authentication.
For persistent disconnected authentication, administrators can configure a set of users who will use the persistent disconnected auth mode instead of the password hash mode. This is done with the perm-disconnected-users option in the [vas_auth] section of /etc/opt/quest/vas/vas.conf.
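The following is an added example, not part of this article or of Authentication Services itself: it reads the two [vas_auth] options described above from a constructed vas.conf fragment and answers the question a recovery plan needs answered, namely which users can still authenticate while AD is unreachable. The comma-separated form of perm-disconnected-users and the section layout are assumptions; only the option names and the 30-day default come from the article.

```python
from __future__ import annotations
import configparser
from dataclasses import dataclass, field

# Constructed sample vas.conf fragment (not copied from any real host).
# Option names follow the article; the comma-separated list format is assumed.
SAMPLE_VAS_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM

[vas_auth]
# days a cached password hash survives without a connected login
password-cache-age = 14
perm-disconnected-users = dr-admin, jdoe
"""

DEFAULT_CACHE_AGE_DAYS = 30  # documented default when the option is absent


@dataclass
class DisconnectedAuthSettings:
    cache_age_days: int
    perm_users: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def parse_vas_auth(conf_text: str) -> DisconnectedAuthSettings:
    """Extract the [vas_auth] options that govern disconnected logins."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp["vas_auth"] if cp.has_section("vas_auth") else {}
    age = int(section.get("password-cache-age", DEFAULT_CACHE_AGE_DAYS))
    raw = section.get("perm-disconnected-users", "")
    users = [u.strip() for u in raw.split(",") if u.strip()]
    settings = DisconnectedAuthSettings(age, users)
    if not users:
        # Without persistent-mode users, recovery depends entirely on recent logins.
        settings.warnings.append(
            "no perm-disconnected-users configured: only users with a connected "
            f"login in the last {age} days can authenticate while AD is unreachable")
    return settings


def can_login_disconnected(s: DisconnectedAuthSettings, user: str,
                           days_since_connected_login: int | None) -> bool:
    """days_since_connected_login is None if the user never logged in here."""
    if user in s.perm_users:
        return True  # persistent mode: cached Kerberos tickets, no prior login needed
    # hash mode: needs a prior login, and the hash is deleted after cache_age_days
    return (days_since_connected_login is not None
            and days_since_connected_login < s.cache_age_days)
```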