Authentication Services 4.1 Trusts one-way and two-way configurations

Authentication Services 4.1

Trusts – one-way and two-way configurations

© 2014 Dell Inc. ALL RIGHTS RESERVED.

This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of Dell Inc.

The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Dell Inc. Attn: LEGAL Dept 5 Polaris Way Aliso Viejo, CA 92656

Refer to our Web site (software.dell.com) for regional and international office information.

Patents

This product is protected by U.S. Patent #: 7,617,501; 7,895,332; 7,904,949; 8,086,710; 8,087,075, and 8,245,242. Additional Patents Pending. For more information, go to http://software.dell.com/legal/patents.aspx.

Trademarks

Dell, the Dell logo, Quest, Quest Software, the Quest Software logo, ActiveRoles, ChangeAuditor, Defender, InTrust, and Vintela are trademarks of Dell Inc. and/or its affiliates. Apache Tomcat and Tomcat are trademarks of the Apache Software Foundation. IBM, AIX, DB2, and WebSphere are registered trademarks of International Business Machines Corporation. JBoss, Red Hat, and Red Hat Enterprise Linux are registered trademarks or trademarks of Red Hat, Inc. in the U.S. and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries. SLES is a trademark of Novell, Inc. in the United States and other countries. SAP is the registered trademark of SAP AG in Germany and in several other countries. Sun, Oracle, Java, and Oracle Solaris are trademarks or registered trademarks of Oracle and/or its affiliates in the United States and other countries. SPARC is a registered trademark of SPARC International, Inc. in the United States and other countries. Products bearing the SPARC trademarks are based on an architecture developed by Oracle Corporation. UNIX is a registered trademark of The Open Group in the United States and other countries. VMware and ESX are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. Windows is a registered trademark of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims any proprietary interest in the marks and names of others.

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Trusts – one-way and two-way configurations Authentication Services 4.1 Updated – September 2014

Product Name Version Number 3

Type of Guide

Contents

Introduction ................................................................................................ 5

Two-way trusts ............................................................................................. 6

Managing two-way trusts with Authentication Services ............................................. 6

One-way trusts or no trust .............................................................................. 7

Managing one-way trusts with Authentication Services ............................................. 7

Method 1: vas_oneway_setup.sh script ............................................................ 7

Method 2: Using the create-keytab.sh script against an existing service account ......... 8

Frequently asked questions ........................................................................... 10

Troubleshooting ......................................................................................... 11

Check that the service account can authenticate using the keytab. ............................ 11

Check the contents of the service account keytab .................................................. 11

Issues creating the service account from the Unix command line ................................ 12

Check that the correct network ports are open ..................................................... 12

Check user access for one of the users in the trusted domain: ................................... 12

Man page entries ........................................................................................ 13

About Dell ................................................................................................. 15

Contacting Dell ............................................................................................ 15

Technical support resources ............................................................................. 15

1 Introduction

This guide introduces you to the Active Directory trust configurations supported by Authentication Services.

While managing two-way trusts is straightforward, managing one-way trusts, or no trusts, is more difficult.

This guide will help you get started.

2 Two-way trusts

Managing two-way trusts with Authentication Services

User accounts in a two-way trust scenario can log on if they are Unix-enabled and given the correct access. However, without additional configuration, they are not cached and the first logon requires a Fully Qualified Domain Name, such as Username@DomainName.

Use these settings for seamless usage:

1 cross-forest-domains

2 user-search-path

3 group-search-path

For more information, see Man page entries at the end of this guide.

NOTE – You can define these settings using the Authentication Services Group Policy tools. For more information about Group Policy, see “Managing Unix Hosts with Group Policy” in the Authentication Services Administrator Guide at http://documents.software.dell.com/DOC58538 or under Release Notes and Guides at https://support.software.dell.com/authentication-services/4.1.

3 One-way trusts or no trust

Managing one-way trusts with Authentication Services

Unlike in a two-way trust, Authentication Services uses a service account and a keytab in the other domain to authenticate users from that domain.

There are several ways to create a keytab and establish credentials against a service account in Active Directory. This document describes two methods using tools provided by Authentication Services. The first method uses a script to create the service account in the other domain. The second method uses a pre-created service account.

Note: In the following examples, a Unix host is joined to a domain and the users exist in the other domain.

Method 1: vas_oneway_setup.sh script

The vas_oneway_setup.sh script creates the service account in Active Directory and a local keytab with credentials, and configures the vas.conf file using an interactive wizard. The wizard asks you to provide the following information:

Enter the user with rights to create objects:

Enter a full username in the domain where you want to establish the service account. For example: [email protected].

Next, the script prompts you for the password.

Enter container [press Enter for default]:

Press Enter to use the default location, which is the ‘Computers’ container. (You can safely move the service account later if you desire.) Or, enter the distinguished name of the location within Active Directory where you want to create the service account. For example:

OU=ServiceAccounts,OU=Accounts,DC=other,DC=com

Enter Full path for Keytab:

Press Enter to create the keytab in /etc/opt/quest/vas, which is where the host.keytab was saved during the initial join. Or, enter the full path, like this:

/etc/keytabs

Enter Service name (service/host@domain):

This entry populates the serviceprincipalname attribute in the service account and matches the entries in the keytab. There are three parts to the service name:

a. service: Enter anything for the service. For example, you might use ‘ow’ to represent ‘oneway’. In this case, the keytab for this service name is ‘ow.keytab’.

b. host: Enter the name of the machine you are configuring.

c. domain: Enter the name of the other domain where you are creating the service account.

For example,

ow/[email protected]

Use this service for authentications: [y/n]

Type “y” to establish a two-way trust using the keytab and the service account when authenticating users. Never enter ‘n’.

When set to “y”, Authentication Services requests a service ticket for the identity and uses the identity keytab to validate the user’s ticket.

Once you have entered everything correctly, you will see a message like this:

Service ow/[email protected] created successfully, keytab located at /etc/opt/quest/vas/ow.keytab.

At this point, the script adds these settings to vas.conf, located at /etc/opt/quest/vas/vas.conf.

[vas_host_services]
Other.com = {
    krb5name = ow/[email protected]
    keytab = /etc/opt/quest/vas/ow.keytab
    use-for-auth = true
}

If you used another method, you must configure these settings either manually or by using group policy. For more information about Authentication Services Group Policy, see “Managing Unix Hosts with Group Policy” in the Authentication Services Administrator Guide at http://documents.software.dell.com/DOC58538 or under Release Notes and Guides at https://support.software.dell.com/authentication-services/4.1.

In addition, you must also set these vas.conf settings:

1 cross-forest-domains

2 user-search-path

3 group-search-path

For a full description of all configuration settings, refer to the vas.conf man page.

Once you have satisfied these requirements, the users will be cached and able to authenticate to the host in question.

For more information, see Man page entries at the end of this guide.

Method 2: Using the create-keytab.sh script against an existing service account

Download the create-keytab.sh script from the following knowledge base article:

https://support.software.dell.com/authentication-services/kb/122644

This article includes examples of a successful execution of the script and the answers to its questions. Once you establish the keytab against the service account, you must configure these additional vas.conf settings:

[vas_host_services]
Other.com = {
    krb5name = ow/[email protected]
    keytab = /etc/opt/quest/vas/ow.keytab
    use-for-auth = true
}

If you used another method, you must configure these settings either manually or by using group policy. For more information about Authentication Services Group Policy, see “Managing Unix Hosts with Group Policy” in the Authentication Services Administrator Guide at http://documents.software.dell.com/DOC58538 or under Release Notes and Guides at https://support.software.dell.com/authentication-services/4.1.

In addition, you must also set these vas.conf settings:

1 cross-forest-domains

2 user-search-path

3 group-search-path

For full descriptions of all configuration settings, refer to the vas.conf man pages.

Once you have satisfied these requirements, the users will be cached and able to authenticate to the host in question.

For more information, see Man page entries at the end of this guide.

4 Frequently asked questions

1. Can you use one service account for all hosts with a shared keytab?

While it is technically possible to configure it this way, Dell recommends that you set up a separate service account for each host you are configuring for a one-way trust scenario. If something happens to a shared service account, it is a potential single point of failure for many hosts. Using a unique service account for each host minimizes the impact if a service account is lost or damaged.

2. Do search paths include only the specified organizational unit, or do they also include its sub-OUs?

Search paths include all OUs below the specified OU.

3. Will Authentication Services honor a selective authentication setup in a trust scenario?

Since the authentication process itself occurs on an Active Directory domain controller, selective authentication is enforced normally, as for any other machine in the domain. Authentication Services is unable to bypass or otherwise circumvent this behavior.

5 Troubleshooting

To help you troubleshoot, Dell recommends the following resolutions to some of the common problems you might encounter.

Check that the service account can authenticate using the keytab

1. Run the following command on the Unix client:

/opt/quest/bin/vastool kinit <servicename>/<domain>@<TRUSTED DOMAIN>

For example:

/opt/quest/bin/vastool kinit oneway/[email protected]

2. Check that you have received a Kerberos ticket for the trusted domain:

/opt/quest/bin/vastool klist

3. Then try to authenticate using the keytab with this command:

/opt/quest/bin/vastool -u <servicename>/<domain>@<TRUSTED DOMAIN> -k /etc/opt/quest/vas/<servicename>.keytab auth

For example:

/opt/quest/bin/vastool -u oneway/[email protected] -k /etc/opt/quest/vas/oneway.keytab auth

Check the contents of the service account keytab

1. List the contents of the service account keytab by running the following command:

/opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/<serviceName>.keytab list

For example:

/opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/oneway.keytab list

2. Ensure that the service account name appears in the list.

3. Check the kvno number in Active Directory using this command:

/opt/quest/bin/vastool -u <username> attrs <username> msDS-KeyVersionNumber

For example:

/opt/quest/bin/vastool -u oneway/[email protected] attrs oneway/[email protected]

The kvno number in Active Directory should match the vno entry displayed in the keytab list output.

Issues creating the service account from the Unix command line

If the service create command fails, run the command again with additional debug configured, like this:

/opt/quest/bin/vastool -d5 -u <admin user>@trusted.com service create oneway/[email protected]

Check that the correct network ports are open

See the following knowledge base article for the required ports:

https://support.software.dell.com/kb/SOL13608

To use preflight to check connectivity to the trusted domain, run this command:

/opt/quest/bin/preflight <TRUSTED DOMAIN> --verbose

Check user access for one of the users in the trusted domain

/opt/quest/bin/vastool -d5 user checkaccess <user>@<domain>

6 Man page entries

cross-forest-domains = <DOMAIN>[,<DOMAIN>]...

Default value: Not set

To enable authentication between trusted forests, it is necessary to specify the trusted forest using the cross-forest-domains option. The forest you specify must also have an appropriate trust created in Active Directory Domains and Trusts, and contain an Authentication Services application configuration.

[vasd]

cross-forest-domains = example1.com,example2.com

user-search-path = <DN>[;<DN>]...

Default value: entire AD domain to which the host is joined

You can use this option to specify a list of Active Directory containers that vasd uses to load users. The option value must be a semicolon-separated list of distinguished names. Normally these are organizational units, but they can be any Active Directory container that can contain user objects. vasd only loads Unix-enabled users from this path, not User Personalities. The containers may be from any domain that the computer object, used by vasd, can search.

Users are not restricted to these paths. Any valid user can still log in. Note that you can set this option when running vastool join with the -u vastool join option. When you change this option directly in the vas.conf file, run vastool flush for the change to take effect. The following example shows you how to configure vasd to load users from two OUs from different domains.

[vasd]

user-search-path = OU=unix,DC=example,DC=com; OU=unix,DC=sub,DC=example,DC=com

group-search-path = <DN>[;<DN>]...

Default value: The entire AD domain to which the host is joined

Use this option to specify a list of Active Directory containers that vasd uses to load groups. The option value must be a semicolon-separated list of distinguished names. Normally these are organizational units, but they can be any Active Directory container that can contain group objects. vasd only loads Unix-enabled groups from this path, not Group personalities. The containers may be from any domain that the computer object, used by vasd, can search.

Groups are not restricted to these paths. Any valid group can still be cached and used. Note that you can set this option when running vastool join with the -g vastool join option. When you change this option directly in the vas.conf file, run vastool flush for the change to take effect. The following example shows you how to configure vasd to load groups from two OUs from different domains.

[vasd]

group-search-path = OU=unix,DC=example,DC=com;OU=unix,DC=sub,DC=example,DC=com

krb5name = <Kerberos principal name>

Default value: none

You must set this entry to the Kerberos principal name of the identity to use when obtaining the account information for users and groups in this domain. This is the only required option; if it is not set, this host service mapping will not be valid.

Enter a full principal name like "trustservice/vashosts@<domain>" where <domain> is the trusted domain.

keytab = <absolute file path>

Default value: none

Use this option to set the keytab file that contains the authentication key for the identity. If you do not set this option, Authentication Services then uses the standard algorithm for locating keytabs. For security reasons, set the keytab file permissions and ownership to the same values as the default host keytab (/etc/opt/quest/vas/host.keytab).

use-for-auth = <true | false>

Default value: false

Use this option to control whether or not to use this identity when authenticating users. If set to true, Authentication Services requests a service ticket for the identity and uses the identity keytab to validate the users' tickets. If false, Authentication Services uses the default host identity for the service ticket request and ticket validation. This is false by default because normal one-way trust scenarios allow users to request service tickets for the default host identity. Only set this option to true when the trusted domain does not have any Kerberos trusts configured with the joined domain (that is, only when NTLM trusts are in place, which is a no-way trust configuration).
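Added here as an example (not the guide's own material or Authentication Services code): a small Python checker for the vas.conf fragment shown in Method 1 and Method 2, validated against the rules these man page entries give. It parses the brace-delimited [vas_host_services] block and flags a missing or malformed krb5name, a relative keytab path, a trusted domain absent from cross-forest-domains, and a user-search-path or group-search-path with no container in that domain. The parser, the sample configuration and the host and domain names in it are constructed assumptions.

```python
import re
# Constructed sample vas.conf (not from the guide): the [vas_host_services] block
# from the one-way trust methods plus the [vasd] options from the man page entries.
SAMPLE_VAS_CONF = """\
[vasd]
cross-forest-domains = other.com
user-search-path = OU=unix,DC=joined,DC=com;OU=unix,DC=other,DC=com
group-search-path = OU=unix,DC=joined,DC=com
[vas_host_services]
other.com = {
    krb5name = ow/unixhost01@OTHER.COM
    keytab = /etc/opt/quest/vas/ow.keytab
    use-for-auth = true
}
"""
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")  # service/host@REALM


def parse_vas_conf(text):
    """Parse vas.conf into {section: {key: value}}; 'name = { ... }' blocks nest."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumes '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].lower(), None
            sections.setdefault(section, {})
        elif section is None:
            continue  # ignore anything before the first section header
        elif line.endswith("{"):
            block = line[:-1].split("=", 1)[0].strip().lower()
            sections[section][block] = {}
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            target = sections[section][block] if block else sections[section]
            target[key.strip().lower()] = value.strip()
    return sections


def dn_domain(dn):
    """OU=unix,DC=other,DC=com -> other.com: the domain a search-path DN lives in."""
    return ".".join(p.strip()[3:] for p in dn.split(",") if p.strip().upper().startswith("DC=")).lower()


def check_one_way_trust(conf):
    """Return the misconfigurations the guide warns about; an empty list means OK."""
    problems, vasd = [], conf.get("vasd", {})
    forests = {d.strip().lower() for d in vasd.get("cross-forest-domains", "").split(",") if d.strip()}
    paths = {o: [dn for dn in vasd.get(o, "").split(";") if dn.strip()]
             for o in ("user-search-path", "group-search-path")}
    for domain, svc in conf.get("vas_host_services", {}).items():
        name = svc.get("krb5name", "")  # the only required option per the man page
        if not PRINCIPAL_RE.match(name):
            problems.append(f"{domain}: krb5name must be set as service/host@DOMAIN")
        elif name.rsplit("@", 1)[1].lower() != domain:
            problems.append(f"{domain}: krb5name realm does not match the block name")
        if not svc.get("keytab", "/").startswith("/"):
            problems.append(f"{domain}: keytab must be an absolute file path")
        if domain not in forests:
            problems.append(f"{domain}: not listed in [vasd] cross-forest-domains")
        for opt, dns in paths.items():
            if not any(dn_domain(dn) == domain for dn in dns):
                problems.append(f"{domain}: no {opt} container in this domain")
    return problems
```

Running it on the sample reports only the missing group-search-path container in other.com, which is exactly the gap the guide says leaves users uncached.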

About Dell

Dell listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.software.dell.com.

Contacting Dell Technical Support:

Online Support

Product Questions and Sales:

(800) 306-9329

Email:

[email protected]

Technical support resources

Technical support is available to customers who have purchased Dell software with a valid maintenance contract and to customers who have trial versions. To access the Support Portal, go to http://software.dell.com/support/.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. In addition, the portal provides direct access to product support engineers through an online Service Request system.

The site enables you to:

Create, update, and manage Service Requests (cases)

View Knowledge Base articles

Obtain product notifications

Download software. For trial software, go to Trial Downloads.

View how-to videos

Engage in community discussions

Chat with a support engineer