Authentication Services 4.2 - Administration Guide

One Identity Privileged Access Suite for Unix Introducing One Identity Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting

Unconfiguring netgroup support with name service

To prevent Authentication Services from resolving netgroup data from the name service module

  1. Run the following command as root to remove name service netgroup support:
    vastool configure vas vasd netgroup-mode
  2. Run the following command as root to configure the Authentication Services name service module:
    1. On Linux, Solaris, or HP-UX:
      vastool unconfigure nss netgroup
    2. On AIX:
      vastool unconfigure irs netgroup
  3. Run the following command as root to configure the Authentication Services name service module:
    1. On Linux, Solaris, or HP-UX:
      vastool configure nss
  4. Flush the netgroup caches by running the following command as root:
    vastool flush netgroup

Cache administration

To minimize network traffic and load on Active Directory, Authentication Services maintains a local cache of user and group data.

You can force Authentication Services to immediately reload the cache by running the following command as root:

vastool flush

Note: When you run vastool flush the entire user and group cache database is reloaded from Active Directory. This can generate a significant amount of network traffic so use this command sparingly.

Blackout period

It is not uncommon for systems to generate hundreds of user and group lookup requests per second. Because of this, Authentication Services enforces a "blackout period" during which all name service requests are resolved from the local cache. By default, the blackout period is set to 10 minutes. This means that changes to Unix account information in Active Directory may take up to 10 minutes to propagate to Authentication Services clients.

There are two events that cause Authentication Services to update the local cache:

  • A user logs in
  • The blackout period expires

You can adjust the blackout period by changing the update-interval setting in the [vasd] section of vas.conf. For an example, refer to the vas.conf man page. See Using Authentication Services manual pages (man pages) for information about accessing the vas.conf man page. In small installations (less than 100 hosts or less than 100 users) you can safely reduce the blackout period. In larger installations it is recommended that the blackout period remain at the default value or set to 30 minutes or 1 hour.

Regardless of the blackout period, you can reset the blackout period timer by signaling vasd with SIGHUP, using the vasd init script to restart vasd, or by executing vastool flush.

To force Authentication Services to update the cache immediately regardless of the blackout period, run this command:

vastool flush -f {users|groups}

Disconnected authentication

Authentication Services provides the ability to authenticate an Active Directory user to a Unix system even when Active Directory is unavailable. For example, because Authentication Services supports disconnected authentication, you can still log into your laptop when you are traveling and your laptop does not have connectivity to Active Directory.

Authentication Services supports several options for disconnected authentication. Two types of disconnected authentication modes are the default disconnected authentication mode and permanent-disconnected authentication mode.

Default disconnected authentication mode

By default, Authentication Services relies on a previous successful authentication attempt when the computer was not in disconnected mode. The successful authentication caches a sha256 hash of the user’s password. Authentication Services uses this hash to validate the user’s password when it is in disconnected mode for one of the following reasons:

  • The computer is physically disconnected from the network or the network is down.
  • The computer object has been deleted.

    Note: If the host's computer object has been deleted, then Authentication Services can no longer authenticate with Active Directory. The solution to this problem is to recreate the computer object, then restart vasd.

  • The host keytab file (/etc/opt/quest/vas/host.keytab) is missing or invalid.

    Note: If the host keytab is deleted or becomes corrupt, then Authentication Services can no longer authenticate with Active Directory. The solution to this problem is to delete then recreate the computer object and restart vasd.

  • The Active Directory server is down or object unreachable.

You can disable the default disconnected authentication mode by setting allow-disconnected-auth to false in the vas.conf. See the vas.conf man page for more details.

Permanent-disconnected authentication mode

There are situations where a Unix system administrator may be responsible for a large number of Unix systems. In the default mode, you need to log in to every Unix system at least once to be able to log in to the systems in a disconnected state. In a large environment with hundreds or thousands of Unix systems, this requirement would be impractical. Authentication Services has added a feature called Permanent-disconnected authentication mode. This mode does not require a previously successful authentication, that is, users or group of users can log into a Unix system in a disconnected state even if they had never logged into the Unix system in the past.

Before you configure permanent-disconnected authentication mode in the vas.conf file, you must first set the service principal name (SPN) for each user who will authenticate using this mode. You can set the SPN by using a tool like the Microsoft Active Directory Service Interfaces Editor (ADSI Edit), or by issuing a vastool command such as the following:

vastool <username> setattrs - u <username> servicePrincipalName "user/<username>@<DomainName>"

Note: The content of the service principal name is unimportant; it just needs to conform to the format of servicePrincipalName.

Configure the permanent-disconnected authentication mode in addition to the default disconnected authentication mode on a per user or group basis by specifying perm-disconnected-users in the vas.conf. See the vas.conf man page for more details. These perm-disconnected-users have encrypted credentials pre-cached when the Authentication Services caching daemon starts the first time (immediately upon join if the users are configured as perm-disconnected-users by means of group policy). Typically you configure permanent-disconnected authentication mode to ensure that a certain group of system administrators can access a system, even if the first time they attempt access it is disconnected from the network.

Authentication Services continues to operate normally in disconnected mode; thus, it may be difficult to know whether Authentication Services is in disconnected mode. Authentication Services creates log entries in the system log each time the connection mode changes.

Related Documents