Safeguard Authentication Services 5.0.1 - Administration Guide

Disconnected authentication

Safeguard Authentication Services provides the ability to authenticate an Active Directory user to a Unix system even when Active Directory is unavailable. For example, because Safeguard Authentication Services supports disconnected authentication, you can still log into your laptop when you are traveling and your laptop does not have connectivity to Active Directory.

Safeguard Authentication Services supports several options for disconnected authentication. The two disconnected authentication modes are the default disconnected authentication mode and the permanent-disconnected authentication mode.

Default disconnected authentication mode

By default, Safeguard Authentication Services relies on a previous successful authentication attempt made when the computer was not in disconnected mode. That successful authentication caches a SHA-256 hash of the user's password. Safeguard Authentication Services uses this hash to validate the user's password when it is in disconnected mode for one of the following reasons:

  • The computer is physically disconnected from the network or the network is down.
  • The computer object has been deleted.

    Note: If the host's computer object has been deleted, then Safeguard Authentication Services can no longer authenticate with Active Directory. The solution to this problem is to recreate the computer object, then restart vasd.

  • The host keytab file (/etc/opt/quest/vas/host.keytab) is missing or invalid.

    Note: If the host keytab is deleted or becomes corrupt, then Safeguard Authentication Services can no longer authenticate with Active Directory. The solution to this problem is to delete then recreate the computer object and restart vasd.

  • The Active Directory server is down or unreachable.

You can disable the default disconnected authentication mode by setting allow-disconnected-auth to false in vas.conf. See the vas.conf man page for more details.

Permanent-disconnected authentication mode

A Unix system administrator may be responsible for a large number of Unix systems. In the default mode, you must log in to every Unix system at least once before you can log in to it in a disconnected state. In a large environment with hundreds or thousands of Unix systems, this requirement is impractical. For this case, Safeguard Authentication Services provides permanent-disconnected authentication mode. This mode does not require a previous successful authentication; that is, users or groups of users can log in to a Unix system in a disconnected state even if they have never logged in to that system before.

Before you configure permanent-disconnected authentication mode in the vas.conf file, you must first set the service principal name (SPN) for each user who will authenticate using this mode. You can set the SPN by using a tool like the Microsoft Active Directory Service Interfaces Editor (ADSI Edit), or by issuing a vastool command such as the following:

vastool -u <username> setattrs -u <username> servicePrincipalName "user/<username>@<DomainName>"

Note: The content of the service principal name is unimportant; it just needs to conform to the format of servicePrincipalName.

Configure permanent-disconnected authentication mode, in addition to the default disconnected authentication mode, on a per-user or per-group basis by specifying perm-disconnected-users in vas.conf. See the vas.conf man page for more details. These perm-disconnected-users have encrypted credentials pre-cached when the Safeguard Authentication Services caching daemon starts for the first time (immediately upon join if the users are configured as perm-disconnected-users by means of Group Policy). Typically, you configure permanent-disconnected authentication mode to ensure that a certain group of system administrators can access a system even if it is disconnected from the network the first time they attempt access.

Safeguard Authentication Services continues to operate normally in disconnected mode; thus, it may be difficult to know whether Safeguard Authentication Services is in disconnected mode. Safeguard Authentication Services creates log entries in the system log each time the connection mode changes.

Working with read-only domain controllers

Read-only domain controllers (RODCs) are a new feature in Microsoft Server 2008. Safeguard Authentication Services supports read-only domain controllers as long as the Unix attributes for users and groups are not in the RODC filtered attribute set. You can set the RODC_FILTERED flag on any attribute in the Active Directory schema to add it to the RODC-filtered attribute set. If this flag is set on an attribute, it is not replicated to an RODC. If RODC_FILTERED is set on the attributes used for UID Number, GID Number, Comment (GECOS), Home Directory, or Login Shell, no groups or users are cached because Safeguard Authentication Services cannot identify any Unix-enabled users.

Cross-forest authentication

Safeguard Authentication Services supports cross-forest authentication as long as a trust exists between the two forests. You must configure both forests for Safeguard Authentication Services. For more information, refer to the Safeguard Authentication Services Installation Guide.

In addition, you must configure the cross-forest-domains setting in vas.conf. For details, see the vas.conf man page.

Note: When using Unix Personality Management in a cross-forest environment, the user or group to which a personality links must be in the same forest as the personality.

One-way trust authentication

You can enable authentication between domains that do not have a two-way trust between them.

To configure a one-way trust

  1. On the Unix host joined to domain A (TRUSTING.COM) that trusts domain B (TRUSTED.COM), create a service principal in domain B, as follows:
    vastool -u <DomainAdminUserInDomainB> service create ServiceName/@TRUSTED.COM

    where ServiceName is any unique identifier you choose.

    This creates a keytab file containing the value of the krb5name for your service name.

  2. To list the keytab file, enter the following:
    vastool ktutil -k /etc/opt/quest/vas/ServiceName.keytab list

    The results will look something like:

    Vno     Type                 Principal
    1       arcfour-hmac-md5     unixclient-ServiceName@TRUSTED.COM
    1       arcfour-hmac-md5     ServiceName/unixclient.trusting.com@TRUSTED.COM
                    
  3. Create a trust mapping by adding the service principal name to the vas_host_services section of the vas.conf file, as follows:
    [vas_host_services]
      trusted.com = {
        krb5name = ServiceName/hostname.com@trusted.com
      }

Note: You can also use an interactive script to configure a one-way trust. Run the following:

/opt/quest/libexec/vas/scripts/vas_oneway_setup.sh

This script prompts you for all of the necessary information and creates the one-way trust configuration for you.
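The following Python audit is an added example, not One Identity code. It covers both the disconnected authentication settings and the one-way trust mapping described above: it reports whether cached-hash logins are enabled, which accounts have credentials pre-cached, whether each krb5name in vas_host_services has a matching key in the keytab listing, and which keys use deprecated encryption types. The function names, the [vas_auth] placement of the two disconnected-auth keys, the "#" comment handling and the case-insensitive principal comparison are assumptions; the sample inputs are constructed from the listings on this page and keep the placeholder host name so the mismatch check fires.

```python
# Constructed inputs; placing both disconnected-auth keys in [vas_auth] is an assumption.
VAS_CONF = """\
[vas_auth]
 allow-disconnected-auth = true
 perm-disconnected-users = unixadmins
[vas_host_services]
 trusted.com = {
  krb5name = ServiceName/hostname.com@trusted.com
 }
"""
KTUTIL_LIST = """\
Vno     Type                 Principal
1       arcfour-hmac-md5     unixclient-ServiceName@TRUSTED.COM
1       arcfour-hmac-md5     ServiceName/unixclient.trusting.com@TRUSTED.COM
"""

def parse_vas_conf(text):
    """Flatten to {(section, key): value}; 'name = {' blocks give 'name.key'."""
    settings, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
        elif line == "}":
            block = None
        elif "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = key
            else:
                settings[(section, f"{block}.{key}" if block else key)] = value
    return settings

def parse_ktutil_list(text):
    """Return (enctype, principal) pairs from the listing, skipping the header."""
    rows = map(str.split, text.splitlines())
    return [(r[1], r[2]) for r in rows if len(r) == 3 and r[0].isdigit()]

def audit(conf_text, ktutil_text):
    conf, keys = parse_vas_conf(conf_text), parse_ktutil_list(ktutil_text)
    findings = []
    # The mode is on by default, so a missing key counts as enabled.
    if conf.get(("vas_auth", "allow-disconnected-auth"), "true").lower() != "false":
        findings.append("disconnected auth enabled: password hashes are cached on this host")
    if users := conf.get(("vas_auth", "perm-disconnected-users")):
        findings.append(f"credentials pre-cached for: {users}")
    held = {principal.lower() for _, principal in keys}  # realm case differs on the page
    findings += [f"{key}: no keytab entry for {value}" for (sec, key), value in conf.items()
                 if sec == "vas_host_services" and key.endswith(".krb5name") and value.lower() not in held]
    findings += [f"weak enctype (RC4/single-DES) {e}: {p}" for e, p in keys if e.startswith(("arcfour", "des-"))]
    return findings
```

Calling audit(VAS_CONF, KTUTIL_LIST) returns one line per finding; feed it the real vas.conf text and the output of the ktutil list command from step 2 to check a host.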
