A keytab file stores Kerberos keys for computer and service accounts. Safeguard Authentication Services automatically generates and maintains keytab files when you join the Active Directory domain or when you create service accounts in Active Directory. By default, the keytab files are created in /etc/opt/quest/vas directory. Each keytab file is named according to the service that uses it. For example, the host principal keys are stored in the /etc/opt/quest/vas/host.keytab file. Keytab files are stored using the standard MIT style and may be used by third-party applications.
The keytab is essentially the computer's Active Directory password. It is owned by root and must be secured accordingly. The default permissions for a computer object restrict the computer from accessing and modifying sensitive data in Active Directory. The schema extensions are carefully designed to allow computers with default permissions to access only the Unix account data that is absolutely necessary for the normal operation of Safeguard Authentication Services. One Identity recommends that administrators not modify the default permissions for the computer object to make them either more or less restrictive. Changing the computer object permissions could disrupt normal operation or create a security liability in Active Directory if a Unix host is compromised.
If the host.keytab file is compromised by unauthorized root access on the Unix system, then you can assume the password for the associated computer object is compromised as well. You can reset the computer object's password and generate a new keytab file by running
vastool -u <admin> passwd –r –k /etc/opt/quest/vas/host.keytab host/
Another option is to delete the computer object and recreate it by running vastool create host/.
Some platforms limit the length of a user name. By default Safeguard Authentication Services uses the attribute mapped to User Name in the Safeguard Authentication Services application configuration as the Unix user name. You can view this mapping in the Control Center, Preferences | Schema Attributes | Unix Attributes panel.
You may need to override this setting for certain hosts. You can use the username-attr-name option in vas.conf to override this setting. This allows you to work around name length limitations on a machine-by-machine basis by defining an attribute to be used for a short name.
To map the user name to the Active Directory gecos attribute, add the following lines to vas.conf:
[vasd] username-attr-name = gecos
Unix-based operating systems can work with a number of databases for host, user, group, and other information. The name service provides access to these databases. You can configure each database for multiple data sources through plugin modules. For example, host name information can be returned from /etc/hosts, NIS, NIS+, LDAP, or DNS. You may use one or more modules for each database; the modules and their lookup order are specified in the /etc/nsswitch.conf file.
Safeguard Authentication Services provides a name service module (vas4) that resolves user and group information from Active Directory. When the Unix host is joined to the domain, the passwd and group lines of /etc/nsswitch.conf are automatically modified to include the Safeguard Authentication Services name service module (details vary by platform). The following is an example of what the passwd and group lines may look like after a Unix host has been joined to the domain:
passwd: files vas4 nis group: files vas4 nis
Note: The Safeguard Authentication Services name service module (vas4) does not apply to AIX or macOS; instead of NSS, AIX uses LAM and macOS uses Directory Services.
Because the name service configuration may vary by platform, Safeguard Authentication Services provides the ability to automatically configure the name service system for Safeguard Authentication Services.
To configure the NSS
vastool configure nss
vastool unconfigure nss
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center
