You can join your Unix host to Active Directory with the vastool join command directly from the command line.
Before you join the Safeguard Authentication Services agent to the Active Directory domain, collect the following information:
- The DNS name of the Active Directory domain of which you want the Safeguard Authentication Services agent to be a member.
- The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory.
To join Active Directory using vastool join
- Run the following command as the root user at a shell prompt:
# /opt/quest/bin/vastool -u <user> join <domain-name>
- Enter the user’s password when prompted.
The vastool join results are shown on the shell’s standard output.
Note: vastool join supports many options that allow you to customize the way the computer is joined to the domain. You can specify the name of the computer object. You can join to a specific organizational unit or use a pre-created computer object. For a list of all vastool join options, refer to the vastool man page.
Using the vastool join command with the --autogen-posix-attrs option allows any user in Active Directory to authenticate to an Safeguard Authentication Services host. If a user is not Unix-enabled (meaning it does not have the uidnumber, gidnumber, gecos, home-directory, and login-shell attributes assigned in Active Directory), the Safeguard Authentication Services daemon automatically assigns those attributes for the user when it looks the user up by means of an LDAP search at the point of login.
This feature provides for the deployment of Safeguard Authentication Services in scenarios where the Unix provisioning of users is not desirable (for example, insufficient rights in Active Directory, not wanting to extend the schema, and so on). It stores each identity locally on the Unix host, not in Active Directory. It generates the uidnumber and gidnumber by an algorithm based on the Active Directory object's globally unique identifier (GUID), so it should yield the same value on every host (unless there happens to be a uid/gid conflict). You can configure the home directory prefix and the login shell per host.
An Administrator can use a Windows Offline Domain Join (ODJ) credential instead of a keytab for scripting an unattended installation of Safeguard Authentication Services to enhance security.
There must be connectivity from the Unix machine to domain controllers. When using this method of joining AD, the [domain] is not needed on the vastool join command, nor credentials. That information will come from the file. More information is in the vastool man page.
The join can work in the following ways:
- vastool join -j <path to the offline join file>
- vastool join and use the ENV option AUTHENTICATION_SERVICES_DJOIN_FILE set to the location of a valid djoin file.
- vastool join and /tmp/AUTHENTICATION_SERVICES_DJOIN file will be used if that file exists, and is a valid djoin file.
For more information, see vastool man page and search for djoin.
To join with Windows Offline Domain Join (ODJ) credential
The option is -j <file>. The variable is AUTHENTICATION_SERVICES_DJOIN_FILE, so for example:
The file is /tmp/AUTHENTICATION_SERVICES_DJOIN.
During package installation, if AUTH_SERVICES_DJOIN_FILE is set to a valid file or /tmp/AUTHENTICATION_SERVICES_DJOIN is a valid file, the package install script will attempt to join Active Directory with the file’s information, and the output will be in ./tmp/AUTHENTICATION_SERVICES_DJOIN.join.out.
More information is in the vastool man page.
vastool join can use a djoin file generated from Window's djoin.exe. There are three ways to pass the file to vastool:
- vastool join -j djoin_file, with the location of a valid djoin file.
- The ENV option AUTHENTICATION_SERVICES_DJOIN_FILE set to the location of a valid djoin file.
- The file /tmp/AUTHENTICATION_SERVICES_DJOIN exists, and is a valid djoin file.
These options are checked in order. When using -j, the domain_name and server should not be set. If either are set, options 2 and 3 above are not checked.
Also, the options -n and -c are not supported, that information is read from the join file. -f is automatically set to use the pre-existing object.
During the join the credentials in the join file are used, and -u -w and -k from vastool are ignored.
This method is similar to the above "join itself", without the security risk as long as the djoin.exe /DEFPW flag isn't used.
Rather than using the vastool join command from the command line, you can join your Unix host to Active Directory using the interactive join script, vasjoin.sh. The script walks you through the domain join process, calling the vastool join command.
The vasjoin.sh script is in /opt/quest/libexec/vas/scripts/ directory. You can use most of the standard vastool join command options when running it. However, you can run the join script with no options; it only requires that you supply the domain name and the name of a user with sufficient Active Directory privileges to perform the join.
Table 10: Common vasjoin script options
||Help; displays options including how to pass vastool join options.|
||Unattended or "quiet" mode; displays less verbose: no explanations, asks no questions.|
||Interactive mode; prompts for common options.|
||Simple mode; installs vasclnt and vasgp with options to add license and join domain.|
To join Active Directory using the vasjoin script
Run the script as the root user at a shell prompt, as follows:
The script ensures that your local host's time is synchronized with that of the controller in the domain you want to join (in order to satisfy Kerberos), then performs the join for you by running vastool join as follows:
vastool -u <username> join <domain-name>
Follow the prompts to complete the join process.
Note: Run the script in interactive mode as follows:
In interactive mode, it prompts you for specific information and allows you to either save the resulting vastool join command in a script or execute the command immediately.
The script presents defaults as part of the prompting and, if you accept them all, the result is identical to running the script in simple mode.
The information gathered by the full, interactive mode of vasjoin.sh includes the following:
- Specific domain controllers to use
- Domain to join
- User, usually administrator, to use in joining
- Keytab file
- Confirm fixing of Kerberos clock skew, if any
- Overwrite your host's existing Active Directory ComputerName object
- Change the name of the AD ComputerName object
- AD container in which to put the ComputerName object
- Site name
- UPM mode (yes or no)
- User search path on which to look for Active Directory users
- Alternate group search path
- Workstation mode (yes or no)
- Alternate domains in which to search if you want cross-domain logins
- Self-enrollment of existing /etc/passwd users (yes or no)
Shows path to lastjoin (/etc/opt/quest/vas/lastjoin)
The lastjoin file contains something similar to:
/opt/quest/bin/vastool -u administrator join -f acme.com