Safeguard Authentication Services provides the ability to authenticate an Active Directory user to a Unix system even when Active Directory is unavailable. For example, because Safeguard Authentication Services supports disconnected authentication, you can still log into your laptop when you are traveling and your laptop does not have connectivity to Active Directory.
Safeguard Authentication Services supports several options for disconnected authentication. Two types of disconnected authentication modes are the default disconnected authentication mode and permanent-disconnected authentication mode.
By default, Safeguard Authentication Services relies on a previous successful authentication attempt when the computer was not in disconnected mode. The successful authentication caches a sha256 hash of the user’s password. Safeguard Authentication Services uses this hash to validate the user’s password when it is in disconnected mode for one of the following reasons:
Note: If the host's computer object has been deleted, then Safeguard Authentication Services can no longer authenticate with Active Directory. The solution to this problem is to recreate the computer object, then restart vasd.
Note: If the host keytab is deleted or becomes corrupt, then Safeguard Authentication Services can no longer authenticate with Active Directory. The solution to this problem is to delete then recreate the computer object and restart vasd.
You can disable the default disconnected authentication mode by setting allow-disconnected-auth to false in the vas.conf. See the vas.conf man page for more details.
There are situations where a Unix system administrator may be responsible for a large number of Unix systems. In the default mode, you need to log in to every Unix system at least once to be able to log in to the systems in a disconnected state. In a large environment with hundreds or thousands of Unix systems, this requirement would be impractical. Safeguard Authentication Services has added a feature called Permanent-disconnected authentication mode. This mode does not require a previously successful authentication, that is, users or group of users can log into a Unix system in a disconnected state even if they had never logged into the Unix system in the past.
Before you configure permanent-disconnected authentication mode in the vas.conf file, you must first set the service principal name (SPN) for each user who will authenticate using this mode. You can set the SPN by using a tool like the Microsoft Active Directory Service Interfaces Editor (ADSI Edit), or by issuing a vastool command such as the following:
vastool <username> setattrs - u <username> servicePrincipalName "user/<username>@<DomainName>"
Note: The content of the service principal name is unimportant; it just needs to conform to the format of servicePrincipalName.
Configure the permanent-disconnected authentication mode in addition to the default disconnected authentication mode on a per user or group basis by specifying perm-disconnected-users in the vas.conf. See the vas.conf man page for more details. These perm-disconnected-users have encrypted credentials pre-cached when the Safeguard Authentication Services caching daemon starts the first time (immediately upon join if the users are configured as perm-disconnected-users by means of group policy). Typically you configure permanent-disconnected authentication mode to ensure that a certain group of system administrators can access a system, even if the first time they attempt access it is disconnected from the network.
Safeguard Authentication Services continues to operate normally in disconnected mode; thus, it may be difficult to know whether Safeguard Authentication Services is in disconnected mode. Safeguard Authentication Services creates log entries in the system log each time the connection mode changes.
Read-only domain controllers (RODCs) are a new feature in Microsoft Server 2008. Safeguard Authentication Services supports read-only domain controllers as long as the Unix attributes for users and groups are not in the RODC filtered attribute set. You can set the RODC_FILTERED flag on any attribute in the Active Directory schema to add it to the RODC-filtered attribute set. If this flag is set on an attribute, it is not replicated to an RODC. If RODC_FILTERED is set on the attributes used for UID Number, GID Number, Comment (GECOS), Home Directory, or Login Shell, no groups or users are cached because Safeguard Authentication Services cannot identify any Unix-enabled users.
Safeguard Authentication Services supports cross-forest authentication as long as a trust exists between the two forests. You must configure both forests for Safeguard Authentication Services. For more information, refer to the Safeguard Authentication Services Installation Guide.
In addition, you must configure the cross-forest-domains setting in vas.conf. For details about that, see to the vas.conf man page.
Note: When using Unix Personality Management in a cross-forest environment, the user or group to which a personality links must be in the same forest as the personality.
You can enable authentication between domains that do not have a two-way trust between them.
To configure a one-way trust
vastool -u <DomainAdminUserInDomainB> service create ServiceName/@TRUSTED.COM
where ServiceName is any unique identifier you choose.
This creates a keytab file containing the value of the krb5name for your service name.
vastool ktutil -k /etc/opt/quest/vas/ServiceName.keytab list
The results will look something like:
Vno Type Principal
1 arcfour-hmac-md5 unixclient-ServiceName@TRUSTED.COM
1 arcfour-hmac-md5 ServiceName/unixclient.trusting.com@TRUSTED.COM
[vas_host_services]
trusted.com = {
krb5name = ServiceName/hostname.com@trusted.com
}Note: You can also use an interactive script to configure a one-way trust. Run the following:
/opt/quest/libexec/vas/scripts/vas_oneway_setup.sh
This script prompts you for all of the necessary information and creates the one-way trust configuration for you.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center