立即与支持人员聊天
与支持团队交流

Safeguard Authentication Services 5.0.1 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Keytab files

A keytab file stores Kerberos keys for computer and service accounts. Safeguard Authentication Services automatically generates and maintains keytab files when you join the Active Directory domain or when you create service accounts in Active Directory. By default, the keytab files are created in /etc/opt/quest/vas directory. Each keytab file is named according to the service that uses it. For example, the host principal keys are stored in the /etc/opt/quest/vas/host.keytab file. Keytab files are stored using the standard MIT style and may be used by third-party applications.

The keytab is essentially the computer's Active Directory password. It is owned by root and must be secured accordingly. The default permissions for a computer object restrict the computer from accessing and modifying sensitive data in Active Directory. The schema extensions are carefully designed to allow computers with default permissions to access only the Unix account data that is absolutely necessary for the normal operation of Safeguard Authentication Services. One Identity recommends that administrators not modify the default permissions for the computer object to make them either more or less restrictive. Changing the computer object permissions could disrupt normal operation or create a security liability in Active Directory if a Unix host is compromised.

If the host.keytab file is compromised by unauthorized root access on the Unix system, then you can assume the password for the associated computer object is compromised as well. You can reset the computer object's password and generate a new keytab file by running

vastool  -u <admin> passwd –r –k /etc/opt/quest/vas/host.keytab host/

Another option is to delete the computer object and recreate it by running vastool create host/.

Handling platform limitations on user name length

Some platforms limit the length of a user name. By default Safeguard Authentication Services uses the attribute mapped to User Name in the Safeguard Authentication Services application configuration as the Unix user name. You can view this mapping in the Control Center, Preferences | Schema Attributes | Unix Attributes panel.

You may need to override this setting for certain hosts. You can use the username-attr-name option in vas.conf to override this setting. This allows you to work around name length limitations on a machine-by-machine basis by defining an attribute to be used for a short name.

To map the user name to the Active Directory gecos attribute, add the following lines to vas.conf:

[vasd]
username-attr-name = gecos

Configuring Name Service Switch (NSS)

Unix-based operating systems can work with a number of databases for host, user, group, and other information. The name service provides access to these databases. You can configure each database for multiple data sources through plugin modules. For example, host name information can be returned from /etc/hosts, NIS, NIS+, LDAP, or DNS. You may use one or more modules for each database; the modules and their lookup order are specified in the /etc/nsswitch.conf file.

Safeguard Authentication Services provides a name service module (vas4) that resolves user and group information from Active Directory. When the Unix host is joined to the domain, the passwd and group lines of /etc/nsswitch.conf are automatically modified to include the Safeguard Authentication Services name service module (details vary by platform). The following is an example of what the passwd and group lines may look like after a Unix host has been joined to the domain:

passwd: files vas4 nis 
group: files vas4 nis

Note: The Safeguard Authentication Services name service module (vas4) does not apply to AIX or macOS; instead of NSS, AIX uses LAM and macOS uses Directory Services.

Using VASTOOL to configure NSS

Because the name service configuration may vary by platform, Safeguard Authentication Services provides the ability to automatically configure the name service system for Safeguard Authentication Services.

To configure the NSS

  1. Execute the following command as root:
    vastool configure nss
  2. To undo the configuration, run the following command as root:
    vastool unconfigure nss
  3. After modifying the name service configuration, restart any affected services or reboot.
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级