立即与支持人员聊天
与支持团队交流

Safeguard Authentication Services 5.0.1 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Resolving DNS problems

It is imperative that DNS is correctly configured. Safeguard Authentication Services relies on DNS in order to locate domain controllers. Follow these steps to verify that domain controllers can be located using DNS:

  1. Use dig to test whether your DNS configuration can locate a domain controller. Enter the following at the Unix command prompt, replacing <DNS Domain Name> with your Active Directory DNS domain name:
    dig -t any _ldap._tcp.dc._msdcs.<DNS Domain Name> 

    If DNS is configured correctly, you will see a list of domain controllers for your domain. If not, work with your DNS administrator to resolve the issue.

  2. Use dig to test whether you can locate a domain controller in your site. Enter the following at the Unix command prompt, replacing <Site Name> with the name of your Active Directory site and <DNS Domain Name> with your Active Directory DNS domain name.
    dig -t _ldap._tcp.<Site Name>._sites.dc._msdcs.<DNS Domain Name>

    If DNS is configured correctly, you will see a list of domain controllers for your site. If not, work with your DNS administrator to resolve the issue.

It is possible to work around DNS problems using the vastool join command to specify the domain controller host name on the command line. Safeguard Authentication Services can work without DNS configured as long as the forward lookup in the /etc/hosts file exists. The forward lookup resolves the domain controller host name to an IP address.

You can test this on Linux by firewalling DNS (port 53) with iptables. Make sure that you have an entry for your domain controller in /etc/hosts, then as root, enter the following commands replacing <administrator> with the name of an Active Directory administrator <DNS Domain Name> with your Active Directory DNS domain name and <DC Host Name> with the host name of your domain controller:

iptables -A INPUT -p udp --dport 53 -j DROP 
iptables -A OUTPUT -p udp --dport 53 -j DROP 
/opt/quest/bin/vastool -u <administrator> join <DNS Domain Name> <DC Host Name>

Time synchronization problems

Kerberos is a time-sensitive protocol. Your Unix hosts must be synchronized within five minutes of your Active Directory domain controllers. Run the following command as root to have Safeguard Authentication Services synchronize the local time with Active Directory:

vastool timesync 

Unable to authenticate to Active Directory

If Safeguard Authentication Services can no longer authenticate with Active Directory, the following solutions may help you troubleshooting the issue.

Table 31: Troubleshooting authentication problems
Problem Solution
The host's computer object has been deleted. Recreate the computer object, then restart vasd.
The host keytab is deleted or becomes corrupt. Delete then recreate the computer object and restart vasd.

Unable to install or upgrade

The most common installation or upgrade failure is that the Unix host cannot read the Safeguard Authentication Services application configuration in Active Directory. Ensure that you have followed the instructions in the Configure Active Directory for Safeguard Authentication Services section of the Safeguard Authentication Services Installation Guide and that the configuration has been created successfully.

During an upgrade, you may see an error that Safeguard Authentication Services cannot upgrade because the application configuration cannot be located. If you previously joined to a specific domain controller, Safeguard Authentication Services disabled DNS SRV record lookups. This means that Safeguard Authentication Services cannot resolve other domains in the forest and may be unable to locate the application configuration. In this case, you must ensure that the domain controller you specified is a global catalog. Otherwise, you must create the Safeguard Authentication Services application configuration in the domain that you join or you must properly configure DNS to return SRV records and join normally, rather than specifying a domain controller when you join.

For more information, see the About Active Directory Configuration section in the Safeguard Authentication Services Installation Guide.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级