Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.1 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Joining the domain

For full Safeguard Authentication Services functionality on Unix, you must join the Unix system on which you installed the Safeguard Authentication Services agent to the Active Directory domain. You can join an Active Directory domain either by running vastool join from the command line or the interactive join script, vasjoin.sh.

Before you join the Unix host to the Active Directory domain, you may want to determine if you are already joined.

To determine if you are joined to an Active Directory domain

  1. Run the following command:
    # /opt/quest/bin/vastool info domain

    If you are joined to a valid domain this command returns the domain name. If you are not joined to a domain, you will see the following error:

    ERROR: No domain could be found.
    ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realm
    default_realm not configured in vas.conf. Computer may not be joined to domain

Joining the domain using VASTOOL

You can join your Unix host to Active Directory with the vastool join command directly from the command line.

Before you join the Safeguard Authentication Services agent to the Active Directory domain, collect the following information:

  • The DNS name of the Active Directory domain of which you want the Safeguard Authentication Services agent to be a member.
  • The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory.

To join Active Directory using vastool join

  1. Run the following command as the root user at a shell prompt:
    # /opt/quest/bin/vastool -u <user> join <domain-name>
  2. Enter the user’s password when prompted.

    The vastool join results are shown on the shell’s standard output.

Note: vastool join supports many options that allow you to customize the way the computer is joined to the domain. You can specify the name of the computer object. You can join to a specific organizational unit or use a pre-created computer object. For a list of all vastool join options, refer to the vastool man page.

Automatically generate user attributes

Using the vastool join command with the --autogen-posix-attrs option allows any user in Active Directory to authenticate to an Safeguard Authentication Services host. If a user is not Unix-enabled (meaning it does not have the uidnumber, gidnumber, gecos, home-directory, and login-shell attributes assigned in Active Directory), the Safeguard Authentication Services daemon automatically assigns those attributes for the user when it looks the user up by means of an LDAP search at the point of login.

This feature provides for the deployment of Safeguard Authentication Services in scenarios where the Unix provisioning of users is not desirable (for example, insufficient rights in Active Directory, not wanting to extend the schema, and so on). It stores each identity locally on the Unix host, not in Active Directory. It generates the uidnumber and gidnumber by an algorithm based on the Active Directory object's globally unique identifier (GUID), so it should yield the same value on every host (unless there happens to be a uid/gid conflict). You can configure the home directory prefix and the login shell per host.

Unattended joining using Offline Domain Join (ODJ) credentials

An Administrator can use a Windows Offline Domain Join (ODJ) credential instead of a keytab for scripting an unattended installation of Safeguard Authentication Services to enhance security.

There must be connectivity from the Unix machine to domain controllers. When using this method of joining AD, the [domain] is not needed on the vastool join command, nor credentials. That information will come from the file. More information is in the vastool man page.

The join can work in the following ways:

  • vastool join [some flag] <path to the offline join file>
  • vastool join to use a newly defined environment variable that points to the location of the offline join file
  • vastool join to use if the flag wasn't passed and the environment variable is not set, a predefined location is checked for the offline join file

To join with Windows Offline Domain Join (ODJ) credential

The option is -j <file>. The variable is AUTHENTICATION_SERVICES_DJOIN_FILE, so for example:

export AUTHENTICATION_SERVICES_DJOIN_FILE=/tmp/host.djoin.out

The file is /tmp/AUTHENTICATION_SERVICES_DJOIN.

During package installation, if AUTH_SERVICES_DJOIN_FILE is set to a valid file or /tmp/AUTHENTICATION_SERVICES_DJOIN is a valid file, the package install script will attempt to join Active Directory with the file’s information, and the output will be in ./tmp/AUTHENTICATION_SERVICES_DJOIN.join.out.

More information is in the vastool man page.

vastool join can use a djoin file generated from Window's djoin.exe. There are three ways to pass the file to vastool:

  1. vastool join -j djoin_file, with the location of a valid djoin file.
  2. The ENV option AUTHENTICATION_SERVICES_DJOIN_FILE set to the location of a valid djoin file.
  3. The file /tmp/AUTHENTICATION_SERVICES_DJOIN exists, and is a valid djoin file.

These options are checked in order. When using -j, the domain_name and server should not be set. If either are set, options 2 and 3 above are not checked.

Also, the options -n and -c are not supported, that information is read from the join file. -f is automatically set to use the pre-existing object.

During the join the credentials in the join file are used, and -u -w and -k from vastool are ignored.

This method is similar to the above "join itself", without the security risk as long as the djoin.exe /DEFPW flag isn't used.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating