
Safeguard Authentication Services 4.1.3 - Administration Guide


Using NIS map command line administration utility

The nisedit command line utility allows you to manage NIS maps stored in Active Directory as RFC 2307 objects. nisedit is located at /opt/quest/bin/nisedit and has been designed to be script- and automation-friendly.

To run the nisedit utility, specify one or more general options and then specify a specific sub-command which may have further options and arguments. The following table contains a complete list of supported nisedit commands and a brief description of each.

Table 17: nisedit commands

Command   Description
add       Add RFC 2307 NIS maps and/or entries to Active Directory.
delete    Delete RFC 2307 NIS map or entries out of Active Directory.
dump      Output RFC 2307 NIS maps and entries from Active Directory.
modify    Modify an RFC 2307 NIS map or entries in Active Directory.
list      List all RFC 2307 NIS map names from Active Directory.
sync      Synchronize changes to RFC 2307 NIS maps in Active Directory.

passwd, group, and netid maps

The group, passwd, and netid maps are provided directly from the vasd cache, which is populated straight from Active Directory user and group objects; these three maps cannot be edited with nisedit.

Specific vs generic maps

Because of the RFC 2307 specification, some maps are stored as specific objects, while all other maps are stored as generic objects. nisedit supports the six standard NIS maps. (See RFC classes and attributes.)

Each of these maps generates its sub-maps from a single information source. For example, the services objects in Active Directory provide the information that vasyp uses to serve both the services.byname and services.byservicename maps.

The VASYP daemon

The vasyp daemon acts as a NIS server which can provide backwards compatibility with existing NIS infrastructure. It provides NIS server functionality without having to run the NIS protocol over the network. By default vasyp only responds to requests from the system on which vasyp is running, and all NIS map data is obtained from Active Directory by means of secure LDAP requests.

vasyp only works on machines that have the Authentication Services agent software installed and are joined to the Active Directory domain. You can manage NIS map data in Active Directory using the Authentication Services RFC 2307 Nismap Editor.

Using vasyp provides the following features:

  • Security

    NIS is notoriously insecure: it has no concept of encryption for data that goes across the network, and user password hashes are typically also made available in the passwd.byname and passwd.byuid NIS maps. With vasyp, you can still have passwd and group NIS maps, but no password hashes are made available in them. Clients can instead use Authentication Services agent components such as pam_vas for secure authentication with Active Directory, while the passwd NIS maps remain available to NAS devices and other systems that need the NIS information to function. vasyp uses the same computer identity that vasd does to authenticate to Active Directory and obtains the NIS map data through secure LDAP.

    To successfully advertise a user's password hash by means of vasyp, a password hash must exist on the user object in Active Directory, and this hash must be cached locally.

    To cache an existing hash locally, you must set the vasdcache-unix-password option in the vasd section of vas.conf.

    For further details, refer to the vas.conf man page.

    Initially creating these password hashes in Active Directory requires installation and configuration of a password filter DLL on the domain controller. One such DLL is included in SFU 3.5.

    Note: The password filter .dll does not work on 64-bit versions of Windows Server. As this .dll is an integral part of legacy authentication support, running legacy authentication support using 64-bit versions of Windows is not supported.

    Note: Authentication Services does not require caching of password hashes to support authentication. Authentication Services provides a PAM module that supplies Active Directory authentication for most recent applications. Caching of Unix password hashes is only necessary to support much older applications that are not PAM-enabled and can only perform crypt-and-compare authentication.

  • Disconnected Operation

    vasyp manages a persistent cache of all available NIS maps. This allows applications such as autofs, which use NIS to obtain configuration information, to continue functioning without interruption when the Active Directory domain controller is unreachable.

  • Scalability

    vasyp is a miniature NIS server that runs on each NIS client. Instead of deploying a master NIS server along with a number of slave servers, each NIS client talks to the vasyp daemon running on the same machine, so each NIS server has to handle only one client. vasyp has been designed to minimize its memory footprint and computing requirements so that it has a minimal impact on the system's resources.

  • Flexibility

    vasyp uses a two-process model, in which the parent process ensures that the child process handling all of the NIS RPC messages is always running. The NIS RPC process drops root privileges and runs as the daemon user. The parent process runs a separate process to update the NIS map cache periodically. This arrangement avoids potential blocking problems when vasyp is used for hosts and services resolution.

    See the vasypd man page for detailed information on usage and available options.
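The Security feature above hinges on the passwd maps carrying no password hashes. The following script is an added example, not part of the Authentication Services documentation or product: it audits a passwd map dump (the value lines a NIS client would receive) for entries that still advertise a crackable hash, and shows the hash-free form of the same entries. The sample entries and hash strings are constructed.

```python
"""Audit NIS passwd map entries for exposed password hashes (added example)."""
import re

# Fields of a passwd map value: name:passwd:uid:gid:gecos:dir:shell
PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

# Values commonly used when the map carries no hash (shadowed or locked account).
NO_HASH_MARKERS = {"", "x", "*", "!", "!!", "NP", "*NP*", "*LK*"}

# Modular crypt format ($id$salt$hash) or a 13-character traditional DES crypt.
HASH_RE = re.compile(r"^\$[0-9a-z]+\$.+$|^[./0-9A-Za-z]{13}$")


def parse_passwd_entry(line):
    """Split one passwd map value into its seven fields; reject malformed lines."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(PASSWD_FIELDS):
        raise ValueError("malformed passwd entry: %r" % line)
    return dict(zip(PASSWD_FIELDS, parts))


def looks_like_hash(field):
    """True when the password field carries material an attacker could crack offline."""
    return field not in NO_HASH_MARKERS and HASH_RE.match(field) is not None


def find_exposed_hashes(lines):
    """Return the user names whose map entry still advertises a password hash."""
    exposed = []
    for line in lines:
        if not line.strip():
            continue  # ignore blank lines in the dump
        entry = parse_passwd_entry(line)
        if looks_like_hash(entry["passwd"]):
            exposed.append(entry["name"])
    return exposed


def strip_hashes(lines):
    """Rewrite entries with the password field set to 'x', as a hash-free map serves them."""
    out = []
    for line in lines:
        entry = parse_passwd_entry(line)
        entry["passwd"] = "x"
        out.append(":".join(entry[f] for f in PASSWD_FIELDS))
    return out


# Constructed sample: a classic NIS passwd map dump (the hash values are made up).
SAMPLE_MAP = [
    "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash",
    "bob:$6$constructedsalt$constructedhashvalue:1002:1002:Bob Example:/home/bob:/bin/sh",
    "svc:*:1003:1003:Service Account:/var/empty:/sbin/nologin",
    "carol:ab/CDe.FgHiJk:1004:1004:Carol Example:/home/carol:/bin/bash",
]

if __name__ == "__main__":
    print("entries still exposing hashes:", find_exposed_hashes(SAMPLE_MAP))
```

Running it against the output of a real map dump (one passwd value per line) lists the accounts whose hashes a legacy NIS server would hand to any client on the network.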
