Chat now with support
Chat with Support

Safeguard Authentication Services 6.1 - Administration Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services UNIX administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing UNIX hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts UNIX policies One Identity policies
Display specifiers Troubleshooting Glossary

The VASYP daemon

The vasyp daemon acts as a NIS server that can provide backwards compatibility with existing NIS infrastructure. It provides NIS server functionality without having to run the NIS protocol over the network. By default, vasyp only responds to requests from the system on which vasyp is running, and all NIS map data is obtained from Active Directory by means of secure LDAP requests.

vasyp only works on machines that have the Safeguard Authentication Services agent software installed and are joined to the Active Directory domain. You can manage NIS map data in Active Directory using the Safeguard Authentication Services RFC 2307 Nismap Editor.

Using vasyp provides the following features:

  • Security

    NIS is notoriously insecure, without any concept of encryption for data that goes across the network. Typically, user password hashes are also made available in the passwd.byname and passwd.byuid NIS maps. With vasyp, you can still have passwd and group NIS maps, but no password hashes are made available in those maps. Clients can instead use the Safeguard Authentication Services agent components like pam_vas for secure authentication with Active Directory, while still making the passwd NIS maps available to NAS devices and other systems that need the NIS information to function. vasyp uses the same computer identity that vasd does to authenticate to Active Directory and obtain the NIS map data through secure LDAP.

    To successfully advertise a user's password hash by means of vasyp, a password hash must exist on the user object in Active Directory, and this hash must be cached locally.

    To cache an existing hash locally, you must set the vasdcache-unix-password option in the vasd section of vas.conf

    For further details, see the vas.conf man page.

    Initially, creating these password hashes in Active Directory requires installation and configuration of a password filter DLL on the domain controller. One such DLL is included in SFU 3.5.

    NOTE: The password filter .dll does not work on 64-bit versions of Windows Server. As this .dll is an integral part of legacy authentication support, running legacy authentication support using 64-bit versions of Windows is not supported.

    NOTE: Safeguard Authentication Services does not require caching of password hashes to support authentication. Safeguard Authentication Services features a PAM module that provides Active Directory authentication support for most recent applications. It is only necessary to set up caching of UNIX password hashes to support much older applications that are not PAM-enabled and can only do crypt and compare authentication.

  • Disconnected Operation

    vasyp manages a persistent cache of all available NIS maps. This allows applications like autofs, which uses NIS to get configuration information, to continue to function without interruption in situations where the Active Directory domain controller is unreachable.

  • Scalability

    vasyp is a miniature NIS server that runs on each NIS client. Instead of having to deploy a master NIS server along with a number of slave servers, each NIS client talks to the vasyp daemon running on the same machine. This allows each NIS server to only have to handle one client. vasyp has been designed to minimize its memory footprint and computing requirements so that it has a minimal impact on the system's resources.

  • Flexibility

    vasyp uses a two-process model, where the parent process ensures that the child process that handles all of the NIS RPC messages is always running. The NIS RPC process drops root privileges and runs as the daemon user. The parent process runs a separate process to update the NIS map cache periodically. This arrangement avoids potential blocking problems when using vasyp for hosts and services resolving.

    For detailed information on usage and available options, see the vasypd man page.

Maintaining netgroup data

The vasd daemon maintains the netgroup cache data regardless of whether netgroup data is resolved through the name service module or through NIS (vasyp).

You can configure netgroup-mode in the vas.conf file. For more information, see the vas.conf man page.

Automount support

Safeguard Authentication Services provides automount maps from Active Directory (AD).

Automount maps can be imported from NIS into Active Directory with the RFC 2307 NIS Map Import Wizard. The imported automount maps are represented using the generic map classes provided in RFC 2307: nisMap and nisObject.

You can configure automount support in the vas.conf file on the client machine with the following variables:

  • automount-mode: Enables or disables the caching of automount data.

  • automount-search-base: Specifies the search base for automount data in AD.

  • automount-update-interval: Enables or disables automatic updates to the automount cache. Setting the value to 0 disables automatic update.

TIP: For more information about the available automount configuration variables, see the vas.conf man page.

To enable automount support before joining Active Directory

  1. Create a vas.conf configuration file.

  2. Set the automount-mode variable to true.

  3. Enter the Organizational Unit under which the automount maps were imported into the automount-search-base variable.

  4. Join AD.

NOTE: If the variables are included in the vas.conf file before the machine is joined, the automount data will be cached on the client machine during join.

Example: Enabling automount before joining AD
# /opt/quest/bin/vastool configure vas vasd automount-mode true
				
# /opt/quest/bin/vastool configure vas vasd automount-search-base ou=nis,dc=example,dc=com
				
# /opt/quest/bin/vastool -u admin -w password join –fw example.com

To enable automount support if the client is already joined

  1. Set the automount-mode variable to true.

  2. Enter the Organizational Unit under which the automount maps were imported into the automount-search-base variable.

  3. To apply the changes, run the vastool flush automount command.

Example: Enabling automount support if a client is already joined
# /opt/quest/bin/vastool configure vas vasd automount-mode true 

# /opt/quest/bin/vastool configure vas vasd automount-search-base ou=nis,dc=example,dc=com 

# /opt/quest/bin/vastool flush automount

All automount data is obtained and cached by vasd. vasd searches for nisObjects whose nisMapName attribute begins with the string "auto", and retrieves the nisMapName, cn, and nisMapEntry attributes of the objects found.

You can use the following vastool search command example to see what will be included in the automount cache:

# /opt/quest/bin/vastool -u admin -w password search 
-b "ou=nis,dc=example,dc=com" "(&(objectCategory=nisObject)(nisMapName=auto*))" nisMapName cn nisMapEntry

The nisMapName attribute contains the name of the file into which the values of the cn and nisMapEntry attributes are written. vasd always takes the /etc directory as the location of these files. If such a file does not exist there, vasd creates it. However, if a file exists with this name, vasd enters the changes at the beginning of the file, not at the end. If the same mount point is used in two different entries, vasd overwrites the already existing mount point. Therefore, the first entry is used by the automount command, and the second entry is ignored.

After writing the data obtained from AD to the /etc/auto* files, vasd runs the following script:

/opt/quest/libexec/vas/scripts/vas_automount.sh

The purpose of the script is to have the new information used by the autofs processes. The script contains a suitable command for all platforms and can be modified or supplemented, if required.

To disable automount support

  1. Set the automount-mode variable to false:

    # /opt/quest/bin/vastool configure vas vasd automount-mode false

    NOTE: You can also delete the automount-mode variable.

  2. Run vastool flush automount:

    # /opt/quest/bin/vastool flush automount

Automount support is automatically disabled, (that is, the entries written into the /etc/auto* files are removed) if the client is unjoined or if Safeguard Authentication Services is uninstalled. If the file contained only entries written by Safeguard Authentication Services, it is removed.

NOTE: Only vasd and vastool participate in the operation of the automount function, vasypd does not.

Managing access control

Safeguard Authentication Services extends the native access control capabilities of Active Directory to non-Windows systems, providing centralized access control. Safeguard Authentication Services allows non-Windows systems to become full citizens in Active Directory. Once you have joined your UNIX, Linux, and macOS systems to the Active Directory domain, you can easily control which Active Directory users are permitted to authenticate to your non-Windows systems.

Safeguard Authentication Services includes the industry’s largest collection of highly flexible access control options and integrates with your existing technology. This section discusses each of these options in detail:

  • Host access control

  • Access control using the "Logon To" functionality

  • Configuring local file-based access control

  • Access control based on service (PAM only)

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating