Joining the domain
For full Authentication Services functionality on Unix, you must join the Unix system on which you installed the Authentication Services agent to the Active Directory domain. You can join an Active Directory domain either by running vastool join from the command line or the interactive join script, vasjoin.sh.
Before you join the Unix host to the Active Directory domain, you may want to determine if you are already joined.
To determine if you are joined to an Active Directory domain
- Run the following command.
# /opt/quest/bin/vastool info domain
If you are joined to a valid domain this command returns the domain name. If you are not joined to a domain, you will see the following error:
ERROR: No domain could be found. ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realm default_realm not configured in vas.conf. Computer may not be joined to domain
Joining the domain using VASTOOL
You can join your Unix host to Active Directory with the vastool join command directly from the command line.
Before you join the Authentication Services agent to the Active Directory domain, collect the following information:
- The DNS name of the Active Directory domain of which you want the Authentication Services agent to be a member.
- The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory.
To join Active Directory using vastool join
- Run the following command as the root user at a shell prompt:
# /opt/quest/bin/vastool -u <user> join <domain-name>
- Enter the user’s password when prompted.
The vastool join results are shown on the shell’s standard output.
|
|
Note: vastool join supports many options that allow you to customize the way the computer is joined to the domain. You can specify the name of the computer object. You can join to a specific organizational unit or use a pre-created computer object. For a list of all vastool join options, refer to the vastool man page. |
Auto-generate user attributes
Using the vastool join command with the --autogen-posix-attrs option allows any user in Active Directory to authenticate to a Authentication Services host. If a user is not Unix-enabled (meaning it does not have a uidnumber, gidnumber, gecos, home-directory, and login-shell -- attributes assigned in Active Directory), the Authentication Services daemon automatically assigns those attributes for the user when it looks the user up by means of an LDAP search at the point of login.
This feature provides for the deployment of Authentication Services in scenarios where the Unix provisioning of users is not desirable (for example, insufficient rights in Active Directory, not wanting to extend the schema, and so forth). It stores each identity locally on the Unix host, not in Active Directory. It generates the uidnumber and gidnumber by an algorithm based on the Active Directory object's GUID (globally unique identifier), so it should yield the same value on every host (unless there happens to be a uid/gid conflict). You can configure the home directory prefix and the login shell per host.
Joining the domain using VASJOIN script
Rather than using the vastool join command from the command line, you can join your Unix host to Active Directory using the interactive join script, vasjoin.sh. The script walks you through the domain join process, calling the vastool join command.
The vasjoin.sh script is in /opt/quest/libexec/vas/scripts/ directory. You can use most of the standard vastool join command options when running it. However, you can run the join script with no options; it only requires that you supply the domain name and the name of a user with sufficient Active Directory privileges to perform the join.
| OPTION | FUNCTION |
|---|---|
| -h | Help; displays options including how to pass vastool join options |
| -q | Unattended or quiet mode; displays less verbose: no explanations, asks no questions |
| -i | Interactive mode: prompts for common options |
| <none> | Simple mode; installs vasclnt and vasgp with options to add license and join domain. |
To join Active Directory using the vasjoin script
-
Run the script as the root user at a shell prompt, as follows:
/opt/quest/libexec/vas/scripts/vasjoin.sh
The script ensures that your local host's time is synchronized with that of the controller in the domain you want to join (in order to satisfy Kerberos), then performs the join for you by running vastool join as follows:
vastool -u <username> join <domain-name>
-
Follow the prompts to complete the join process.
Note: Run the script in interactive mode as follows:
/opt/quest/libexec/vas/scripts/vasjoin.sh -i
In interactive mode, it prompts you for specific information and allows you to either save the resulting vastool join command in a script or execute the command immediately.
The script presents defaults as part of the prompting and if you accept them all, the result is identical to running the script in simple mode.
The information gathered by the full, interactive mode of vasjoin.sh includes the following.
- Specific domain controllers to use
- domain to join
- user, usually administrator, to use in joining
- keytab file
- confirm fixing of Kerberos clock skew, if any
- overwrite your host's existing Active Directory ComputerName object
- change the name of the AD ComputerName object
- AD container in which to put the ComputerName object
- site name
- UPM mode (yes or no)
- user search path on which to look for Active Directory users
- alternate group search path
- workstation mode (yes or no)
- alternate domains in which to search if you want cross-domain logins
- self-enrollment of existing /etc/passwd users (yes or no)
- shows path to lastjoin (/etc/opt/quest/vas/lastjoin)
The lastjoin file contains something similar to:
/opt/quest/bin/vastool -u administrator join -f acme.com