
Installation and Configuration Guide

Version 2.6.47

Copyright © 2003-2005 Vintela, Inc. All Rights Reserved.

Legal Notice

Vintela documents are protected by the copyright laws of the United States and International Treaties.

PERMISSION TO COPY, VIEW, AND PRINT VINTELA DOCUMENTS IS AUTHORIZED PROVIDED THAT:

1. It is used for non-commercial and information purposes.

2. It is not modified.

3. The above copyright notice and this permission notice is contained in each Vintela document.

Notwithstanding the above, nothing contained herein shall be construed as conferring any right or license under the copyright of Vintela, Inc.

RESTRICTED RIGHTS LEGEND

When licensed to a U.S., State, or Local Government, all Software produced by Vintela is commercial computer software as defined in FAR 12.212, and has been developed exclusively at private expense. All technical data, or Vintela commercial computer software/documentation is subject to the provisions of FAR 12.211 - Technical Data, and FAR 12.212 - Computer Software respectively, or clauses providing Vintela equivalent protections in DFARS or other agency specific regulations. Manufacturer: Vintela Inc., 333 South 520 West, Lindon, Utah 84042.

DISCLAIMER

THE VINTELA DOCUMENTS ARE PROVIDED AS IS AND MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. VINTELA, INC. RESERVES THE RIGHT TO ADD, DELETE, CHANGE OR MODIFY THE VINTELA DOCUMENTS AT ANY TIME WITHOUT NOTICE. THE DOCUMENTS ARE FOR INFORMATION ONLY. VINTELA MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES OF ANY KIND.

TRADEMARKS

Vintela and the Vintela logo are trademarks or registered trademarks of Vintela, Inc. in the U.S.A. and other countries. Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows 2000, Windows 2003, Windows XP, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. All other brand and product names are trademarks or registered marks of the respective owners.

CONTENTS

PREFACE  4

1 INTRODUCTION  6
1.1 What is VAS?  6

2 WINDOWS INSTALLATION AND CONFIGURATION  8
2.1 Extending The Active Directory Schema  8
2.2 Installing the VAS Administrative Tools  10
2.3 Upgrading the VAS Administrative Tools  11
2.4 Registering VAS Administrative Tools with Active Directory  11
2.5 Enabling Unix User and Group properties  13
2.5.1 Enabling Unix Groups  13
2.5.2 Enabling Unix Users  14

3 INSTALLING LINUX CLIENTS  16
3.1 VAS Client Components  16
3.2 Hardware Requirements  16
3.3 Software Requirements  16
3.4 Installing the Linux Client  17
3.4.1 VAS Client Package Types  17
3.4.2 Installing the VAS client rpm  17
3.5 Upgrading the Linux Client  18
3.6 Uninstalling the Linux Client  20

4 INSTALLING SOLARIS CLIENTS  21
4.1 VAS Client Components  21
4.2 Hardware Requirements  21
4.3 Software Requirements  21
4.4 Installing the Solaris Client  22
4.4.1 VAS Client Package Types  22
4.4.2 Installing the vasclient pkg  23
4.5 Upgrading the Solaris Client  23
4.6 Uninstalling the Solaris Client  24

5 INSTALLING HP-UX CLIENTS  25
5.1 VAS Client Components  25
5.2 Hardware Requirements  25
5.3 Software Requirements  26
5.4 Installing the HP-UX Client  26
5.4.1 VAS Client Package Types  26
5.4.2 Installing the vasclient depot  27
5.5 Upgrading the HP-UX Client  28
5.6 Uninstalling the HP-UX Client  28

6 INSTALLING AIX CLIENTS  29
6.1 VAS Client Components  29
6.2 Hardware Requirements  29
6.3 Software Requirements  29
6.4 Installing the AIX Client  30
6.4.1 VAS Client Package Types  30
6.4.2 Installing the VAS client AIX package  30
6.5 Upgrading the AIX Client  31
6.6 Uninstalling the vasclient AIX package  32

7 LICENSING AND CONFIGURING THE VAS CLIENT  33
7.1 Installing Licenses  33
7.2 VAS Client Configuration  34
7.2.1 vastool join Modifications  34
7.2.2 vastool join and DNS  35

A TROUBLESHOOTING COMMON INSTALLATION PROBLEMS  36
A.1 Problems with Windows MMC Extensions  36
A.1.1 Unix Account Tab is Not Displayed for User and Group Properties  36
A.2 Time Synchronization Errors  36
A.3 Domain Discovery Errors  37
A.4 Permissions and Authentication Errors  38
A.4.1 Authentication Errors  38
A.4.2 Permissions Errors  38
A.5 Using syslog  39

PREFACE

Why VAS?

System administrators today must support heterogeneous platforms and applications for their users' business needs and requirements. When providing users with the best network accessibility and state of the art applications, system administrators are left with an integration and security nightmare.

Critical to the security of any network is the authentication and verification of user identities. Adopting Microsoft Active Directory solves some issues with authentication and identity management. However, this introduces significant problems for the organization that additionally runs business-critical applications on Unix and Linux platforms. When system administrators maintain multiple user authentication systems, users must often remember multiple passwords. System administrators might be clever enough to devise script-based password synchronization tools but this solution can become hard to support, maintain, and train additional staff to use.

Vintela Authentication Services (VAS) provides the solution for integrating Unix and Linux systems with Active Directory. It supplies the discipline and controls necessary to ensure the security and integrity demanded in business environments.

VAS allows administrators to provide a secure environment where users have the same user name and password for Windows, Unix, and Linux logins without having to maintain password synchronizers or perform user administration tasks on multiple systems. VAS users can log in and authenticate to Active Directory from their Unix servers and workstations the same way they do from Windows XP and Windows 2000/2003. VAS makes it possible to manage all users from within the standard Active Directory management environment.

Audience and Scope

This guide is intended for Windows, UNIX, and Linux system administrators who will be installing VAS for the first time. By following the instructions presented in this guide a system administrator will be able to configure new or existing UNIX/Linux systems so that they authenticate user logins against user and group accounts stored in Windows Active Directory.

Conventions Used in this Guide

The following notation conventions are used throughout this guide:

• Directories and filenames appear in mono font. For example, /etc/pam.conf.

• Executable names are bolded. For example, vascd.

• Specific file and packaging formats appear in bold. For example, the RPM package.

• Shell commands appear in mono font. For example,

# vastool configure pam

Within text, commands are bolded for readability. For example, using vastool you can create users, delete users, and list user information.

• Menu items and buttons appear in bold. For example, click Next.

• Selecting a menu item is indicated as follows: Programs -> Administrative Tools -> Active Directory Users and Computers

VAS supports a number of different implementations of UNIX® that include Solaris®, HP-UX®, Linux®, and AIX®. To refer to all of these platforms, the term "Unix" will be used for conciseness and consistency.

Chapter 1

INTRODUCTION

1.1 What is VAS?

Vintela Authentication Services (VAS) unifies Windows, Unix and Linux authentication and identity management so that regardless of which platform you want to access, you can log in using your Windows Active Directory user name and password. The VAS product securely and conveniently eliminates the need for manual "per-system" identity administration, User and Group NIS maps, and password synchronization scripting.

Above all, VAS eliminates the need to layer third-party software on top of the critical security components of Windows 2000/2003. Instead, VAS provides fully compatible client libraries and utilities that transparently and securely redirect the core Unix authentication and identity management functionality to Windows domain controllers using interoperable protocols (such as Kerberos v5 and LDAP).

Other identity management solutions layer additional software on top of Active Directory or replace it altogether. In either case, solutions that interrupt the core Windows 2000/2003 services to provide a gateway for Unix interoperability add to the Windows management complexity and create dangerous security vulnerabilities that affect overall enterprise security and stability.

Figure 1.1 shows how a user named JD with a password of Hockey logs into a Unix or Linux system while authenticating against Active Directory. The core protocol interaction between the Windows domain controller and the Unix/Linux system is the same as that of a Windows XP client. JD can now use the same user name and password to log into either the Windows or Unix systems.

Figure 1.1. User authentication against Active Directory from both Windows and Unix.

Chapter 2

WINDOWS INSTALLATION AND CONFIGURATION

Installing VAS is extremely easy and takes only a few short steps. Administrators should first install and configure the necessary Windows components for VAS before installing or configuring any of the Unix components. This chapter contains the following steps that should be followed to install and configure the VAS Windows components:

• Extending the Active Directory Schema

• Registering VAS Administrative Tools with Active Directory

• Installing the VAS Administrative Tools

• Upgrading the VAS Administrative Tools

• Enabling Unix Group properties

• Enabling Unix User properties

2.1 Extending The Active Directory Schema

VAS uses Active Directory as the central repository for all Unix account information for your network. In order for Unix account information to be associated with users and groups, the Active Directory schema definitions must support storing Unix attributes with user and group objects.

Microsoft Windows 2003 R2 contains the full RFC 2307 schema extension, and VAS will work out of the box with an R2 installation without the need for any additional schema extensions. If you are already using Windows 2003 R2, you do not need to extend your schema.

If you are not yet using Windows 2003 R2 and do not have a suitable schema extension already installed, you will need to extend your Active Directory schema. You only need to extend the schema once on the Schema Master domain controller of each Active Directory forest. Since extending the Active Directory schema is typically a permanent action, you should ensure that you are comfortable with the schema extensions being installed. Also, you should be sure to follow the standard Active Directory administrative steps, such as ensuring your data is backed up, any time you modify configuration information that impacts the entire AD forest.

The instructions here document how to install the default schema extensions shipped with VAS. The default schema extension used is the subset of the R2 schema extensions needed to support VAS. Using this schema extension will simplify your eventual upgrade to R2. Note that if you are using Windows 2000, you must use the R2 subset for Windows 2000. Also, if you have extended the Active Directory schema with SFU 2.0, you must apply the Microsoft SFU hotfix described in Microsoft Knowledge Base article 293783. You can view this KB article at http://support.microsoft.com/kb/293783.

VAS does support other schema extensions such as the Microsoft SFU schema extensions. For instructions on working with alternative schema extensions, see the VAS Administrators Guide.

In order to extend the schema, log on locally to the Schema Master as an Active Directory user that has been granted Schema Admin privileges. If you don't have Schema Admin privileges, you cannot extend the schema. To extend the Active Directory schema complete the following:

1. Insert the product CD into the CDROM drive of the Schema Master Domain Controller.

2. Browse to the schema\win32 folder on the CD.

3. Double-click the schemext.exe file to initiate the VAS Schema Extension Utility.

4. The following dialog appears:

5. You have the option of applying one or more of the following schema extensions:

• Windows 2003 R2 Schema Subset for VAS on Windows 2000

• Windows 2003 R2 Schema Subset for VAS on Windows 2003

• VAS NIS Map Schema (optional)

Select the schema extension you want to apply and click Extend Schema.

A Schema Information dialog window appears.

6. Click Yes to indicate that you want to apply the schema extension.

An hour glass appears as it applies the schema extensions. A dialog window appears indicating that the schema extension has been successfully applied.

7. To install another schema extension, repeat steps 3, 4, 5, and 6.

If desired, you can skip using the Schema Extender and just use the Windows ldifde utility to install the schema extension. The VAS Schema Extender Utility simply provides a GUI interface to ldifde itself, and automatically sets the registry required to enable a schema extension. See your ldifde documentation for more information on how to use ldifde. Here is a typical ldifde command line that you would use when logged into the schema master:

ldifde -i -f vas_schema_r2subset_for_win2k.ldif -c DC=X <forest DN>

IMPORTANT

Only the R2 Subset is required for VAS. Only apply the VAS NIS Map schema extension if you have NIS Map data to migrate to Active Directory and are planning to use the VAS NIS components, and you do not want to use the RFC 2307 NIS Map schema definitions available in R2.

IMPORTANT

You do not need to install the schema extender utility or extend the schema on any workstations. This only needs to be done once on the Schema Master for your Active Directory forest. If you see any errors similar to:

Add error on line 21: Already Exists - or -

Add error on line 78: Unwilling To Perform (during nismap extension)

It is likely that the schema extension has already been installed.

2.2 Installing the VAS Administrative Tools

Installing the VAS Administrative Tools on an administrative workstation allows the administrator to manage Unix user and group properties when using the Active Directory Users and Computers Snap-In. You can install the VAS Administrative Tools on any workstation that has the Active Directory Users and Computers Snap-In installed - even the Schema Master. Note that you must have the appropriate administrative rights to install software in order to install the VAS Administrative Tools. To install the VAS Administrative Tools, complete the following:

1. Insert the product CD into the CDROM drive.

2. Browse to the adminTools\win32 folder on the CD.

3. Double-click the VAS MSI file to initiate the Setup Wizard.

4. Click Next on the Welcome screen.

5. Read the license agreement and click I Accept to accept the license agreement; then click Next.

6. The VAS Administrative tools install in Program Files\Vintela\VAS. Click Next to begin the install.

7. Click Finish.

NOTE

You cannot install the MSI file from a network file share. If you are using a network share for installation instead of a CD, you must copy the VAS.msi file to the local machine first.

2.3 Upgrading the VAS Administrative Tools

The process for upgrading the VAS Administrative Tools from older VAS versions to VAS 2.6 is identical to the installation process. The VAS Administrative Tools installer will automatically detect older versions of the VAS Snapin and automatically upgrade them.

The next time you launch the Active Directory Users and Computers, it will use the updated VAS Administrative Tools.

2.4 Registering VAS Administrative Tools with Active Directory

If you plan to use the VAS NIS compatibility features you must register the VAS Administrative Tools with Active Directory. This allows for rich support of VAS NIS map objects in Active Directory. The registration process configures "display specifier" objects for user, group and VAS NIS map object classes.

Even if you are not planning to use NIS compatibility, Vintela recommends that you perform this step because it will allow the Unix Account tabs to be accessible in more contexts such as the Find User and Group dialog. This step requires Enterprise Admin rights in Active Directory.

The VAS product CD contains a utility called the VAS Display Specifier Registration Wizard which you can use to configure the appropriate display specifiers. To register the VAS Administrative Tools complete the following:

1. Log in to any Windows machine on the domain as a user with Enterprise Admin rights.

2. Insert the VAS product CD into the CDROM drive.

3. Browse to the schema\win32 folder.

4. Double click the DSREG32.EXE file to initiate the VAS Registration Wizard. The Welcome Screen displays.

5. Click Next on the Welcome Screen.

6. The Provider Selection screen is displayed:

Check the box for each management console that you will be using to manage Unix objects. In most cases this will be Active Directory Users and Computers (LDAP), checked by default.

NOTE: If you see a message indicating that display specifiers are already installed, click Cancel to exit the wizard. You need only register display specifiers once.

7. Click Next to continue.

8. Registration results display:

Examine the results to be sure that all objects were registered successfully. If any errors are present, make sure that you are able to contact the domain controller and that you have Enterprise Admin rights, and then run the wizard again.

2.5 Enabling Unix User and Group properties

Once you apply the schema extensions, register the VAS Administrative Tools with Active Directory, and install the VAS Administrative Tools package, you can "Unix enable" user and group accounts. A Unix-enabled user or group is an Active Directory user or group that has Unix attributes such as a Unix UID or Unix GID. Only users and groups that have been Unix-enabled in Active Directory are available on the VAS clients.

2.5.1 Enabling Unix Groups

Before creating Unix-enabled user accounts we recommend you create at least one Unix-enabled group account you can use for the primary group (GID) of Unix-enabled users.

To create a group, do the following:

1. From the Start menu, click Programs -> Administrative Tools -> Active Directory Users and Computers.

2. Right-click on the Users folder.

3. Select New -> Group.

4. Enter the Group name.

5. Make sure that Group type is set to Security (default) and click OK.

To "Unix enable" a group, do the following:

1. Right click on an existing group and select Properties.

2. Click the Unix Account tab in the group properties dialog. (The Unix Account tab is provided by the VAS Administrative Tools MMC extensions.) If you do not see this tab, refer to Section A.1.1 in this guide.

The following properties dialog appears:

3. Click the Enable Unix Group check box. Make sure the group has an appropriate GID.

If there are no other Unix-enabled groups in the current Organizational Unit (OU, commonly referred to as a "container"), the first group receives a suggested GID of 1000. This is a default which you can change. If there are other Unix-enabled groups in the group's container, an unused GID which is higher than the lowest allocated GID in the container is suggested as a default.

On most Unix and Linux operating systems the (local) system groups are assigned GIDs between 0 and 500. To avoid conflicts with local group accounts, we recommend that you do not set any Active Directory group GIDs less than 1000.

4. When you have finished editing the group information, click OK to save the changes.

2.5.2 Enabling Unix Users

To enable Unix and Linux user accounts, complete the following:

1. From the Start menu click Programs -> Administrative Tools -> Active Directory Users and Computers.

2. Open the Users folder.

3. Right-click on an existing user and select Properties to view the properties associated with that user's account.

4. Click the Unix Account tab in the User Properties dialog (the VAS Administrative Tools MMC extensions provide the Unix Account tab). If you do not see this tab, refer to Section A.1.1 in this guide.

The following properties dialog appears:

5. Click the Enable Unix Account check box.

6. Modify the suggested defaults as necessary. To select a different Primary group, click on the group selection button labeled with ... next to the Primary Group ID edit box, and select a group from the presented list.

If there are no other Unix-enabled users in the user's Organizational Unit (OU, commonly referred to as a "container"), the first user receives a suggested UID of 1000. This is a default which you can change. If there are other Unix-enabled users in the user's container, an unused UID which is higher than the lowest allocated UID in the container is suggested as a default.

On most Unix and Linux operating systems the (local) system users are typically assigned UIDs between 0 and 100. To avoid conflict with local user accounts, we recommend that you do not set any Unix-enabled User UIDs in Active Directory below 1000.

IMPORTANT

The default value for Login Shell is /bin/bash. If you do not have this shell on the systems the user is logging into, you must change this setting to the location of a valid login shell or make symlinks on systems so that the shell location is valid.
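The UID/GID rules in 2.5.1 and 2.5.2 and the Login Shell note above are easy to get wrong by hand, so here is an added POSIX shell example (not a Vintela tool, and not code from this guide) that reproduces the suggested-default rule, checks a chosen ID against a local passwd or group file, and verifies a login shell exists and is listed in /etc/shells before it is assigned. The sample group file and shells file are constructed for the example; the reading of "an unused ID higher than the lowest allocated" as "the lowest unused ID above the lowest allocated one" is this example's assumption.

```shell
#!/bin/sh
# Added example (not a Vintela tool): reproduce the default UID/GID suggestion
# rule from sections 2.5.1 and 2.5.2, check a chosen ID against the local
# passwd/group file, and verify a login shell before assigning it in AD.

# The guide recommends keeping AD-managed UIDs and GIDs at or above 1000 so
# they never collide with local system accounts.
MIN_ID=1000

# suggest_id "<IDs already allocated in the container, space separated>"
# Prints the default the guide describes: 1000 when the container has no
# Unix-enabled objects yet, otherwise the lowest unused ID above the lowest
# allocated one (this example's reading of the guide's wording).
suggest_id() {
    allocated=$1
    if [ -z "$allocated" ]; then
        echo "$MIN_ID"
        return 0
    fi
    lowest=$(printf '%s\n' $allocated | sort -n | head -n 1)
    candidate=$((lowest + 1))
    while printf '%s\n' $allocated | grep -qx "$candidate"; do
        candidate=$((candidate + 1))
    done
    echo "$candidate"
}

# id_is_safe <id> <passwd-or-group-file>
# Returns 0 when the ID is >= MIN_ID and not already used by a local account
# in the given file (field 3 is the numeric ID in both /etc/passwd and /etc/group).
id_is_safe() {
    if [ "$1" -lt "$MIN_ID" ]; then
        return 1
    fi
    if awk -F: -v want="$1" '$3 == want { hit = 1 } END { exit hit ? 0 : 1 }' "$2"; then
        return 1
    fi
    return 0
}

# shell_is_valid <shell-path> <shells-file>
# A user whose Login Shell does not exist on the client cannot log in, so check
# that the path is executable and listed in the system's /etc/shells equivalent.
shell_is_valid() {
    [ -x "$1" ] || return 1
    grep -qx "$1" "$2"
}

# --- constructed sample data (not taken from any real system) ---
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
wheel:x:10:
users:x:100:
localapp:x:1005:
EOF

SAMPLE_SHELLS=$(mktemp)
cat > "$SAMPLE_SHELLS" <<'EOF'
/bin/sh
/bin/bash
EOF

echo "first group in an empty container: $(suggest_id "")"
echo "next free GID after 1000 1001 1005: $(suggest_id "1000 1001 1005")"
id_is_safe 1005 "$SAMPLE_GROUP" || echo "GID 1005 collides with a local group"
shell_is_valid /bin/sh "$SAMPLE_SHELLS" && echo "/bin/sh is a usable login shell"
```

On a real client, point id_is_safe at /etc/passwd for UIDs and /etc/group for GIDs, and run shell_is_valid against /etc/shells on every system the user will log into; a shell that passes on one client and fails on another is exactly the case the IMPORTANT note warns about.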


Chapter 3

INSTALLING LINUX CLIENTS

This chapter describes how to install and remove the VAS client for Linux® operating systems. The following information is included:

• VAS Client Components

• Hardware Requirements

• Software Requirements

• Installing the Linux Client

• Uninstalling the Linux Client

3.1 VAS Client Components

The VAS client is packaged in RPM format and is made up of the following components:

• A client daemon, vascd

• An NSS module, nss_vas

• A PAM module, pam_vas

• A command line administrative tool, vastool

• A shared library, libvas

• Man pages

3.2 Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

3.3 Software Requirements

The VAS client supports the following Linux distribution and architecture combinations:

• RedHat® Linux 7.3, 9.0; RedHat Enterprise Linux AS, ES, and WS for 2.1, 3.0, and 4.0 (x86); RedHat Enterprise Linux 3.0 and 4.0 (x86_64)

• Suse® Linux 8.0, 8.1, 8.2, 9.1, 9.2, 9.3 (x86), 9.3 (x86_64)

• Suse® Linux Enterprise Server 8.1, 9.0 (ppc, x86), 9.0 (x86_64)

It is recommended that each platform be kept up to date with the recommended patches and updates for that platform.

3.4 Installing the Linux Client

This section details how to install the VAS client on supported Linux platforms.

3.4.1 VAS Client Package Types

There are two different types of VAS client packages:

• Site Licensed (site)

The VAS site package does not require any licensing and has no user limit.

• User Licensed (licensed packages)

The software in the user-licensed package requires a license file to be installed on the system. This license will contain both an expiration date and a User limit. VAS evaluations will require an evaluation license that will be set to expire. Standard licenses will not have an expiration date. For more information on licensing the VAS client, see Chapter 7, Licensing and Configuring the VAS Client.

Your installation media has the appropriate version of the client software.

IMPORTANT

You cannot directly upgrade from the site packages to the licensed packages, or vice-versa. If you are changing the type of VAS client you install, you must uninstall the old one and install the new one.

3.4.2 Installing the VAS client rpm

To install the VAS client rpm perform the following:

1. Log in and open a root shell.

2. Mount the installation CD, go to the appropriate linux client directory, and run the necessary rpm command.

For Suse x86 platforms, do the following:

# mount /media/cdrom
# cd /media/cdrom/client/linux-x86
# rpm -ivh vas-client-2.6.47-26.i386.rpm

For Redhat x86 platforms, do the following:

# mount /mnt/cdrom
# cd /mnt/cdrom/client/linux-x86
# rpm -ivh vas-client-2.6.47-26.i386.rpm

For SLES 8 PowerPC platforms, do the following:

# mount /media/cdrom
# cd /media/cdrom/client/linux-libc22-ppc64
# rpm -ivh vas-client-glibc22-2.6.47-26.ppc64.rpm

For SLES 9 PowerPC platforms, do the following:

# mount /media/cdrom
# cd /media/cdrom/client/linux-libc23-ppc64
# rpm -ivh vas-client-glibc23-2.6.47-26.ppc64.rpm

For Redhat x86_64 platforms, do the following:

# mount /mnt/cdrom
# cd /mnt/cdrom/client/linux-x86_64
# rpm -ivh vas-client-2.6.47-26.x86_64.rpm

For Suse x86_64 platforms, do the following:

# mount /media/cdrom
# cd /media/cdrom/client/linux-x86_64
# rpm -ivh vas-client-2.6.47-26.x86_64.rpm

Note - the x86_64 VAS rpm contains both 64-bit and 32-bit libraries, and has an RPM dependency on both the 32-bit libpam library and the 64-bit libpam library. If the 64-bit Linux OS you are installing on does not have any 32-bit supporting libraries installed, you will need to use the --nodeps RPM flag to force the installation and avoid error messages about missing dependencies.

3. If you are installing the site-licensed version, the RPM name begins with vas-client-site instead of vas-client.

For information on configuring the VAS Client, see Chapter 7, Licensing and Configuring the VAS Client.

3.5 Upgrading the Linux Client

This section details how to upgrade the VAS client on supported Linux platforms. You will need to upgrade the same VAS client RPM that you previously installed. For example, the vas-client-site RPM can only upgrade an older vas-client-site RPM.

To upgrade the VAS client RPM, perform the following:

1. Log in and open a root shell.

2. Mount the installation CD, go to the appropriate linux client directory, and run the necessary RPM command.

For Suse x86 platforms, do the following:

# mount /media/cdrom
# cd /media/cdrom/client/linux-x86
# rpm -Uvh vas-client-2.6.47-26.i386.rpm

For Redhat x86 platforms, do the following:

# mount /mnt/cdrom
# cd /mnt/cdrom/client/linux-x86
# rpm -Uvh vas-client-2.6.47-26.i386.rpm

For SLES 8 PPC platforms, do the following:

# mount /media/cdrom
# cd /media/cdrom/client/linux-glibc22-ppc64
# rpm -Uvh vas-client-glibc22-2.6.47-26.ppc64.rpm

For SLES 9 PPC platforms, do the following:

# mount /media/cdrom
# cd /media/cdrom/client/linux-glibc23-ppc64
# rpm -Uvh vas-client-glibc23-2.6.47-26.ppc64.rpm

For Redhat x86_64 platforms, do the following:

# mount /mnt/cdrom
# cd /mnt/cdrom/client/linux-x86_64
# rpm -Uvh vas-client-2.6.47-26.x86_64.rpm

For Suse x86_64 platforms, do the following:

# mount /media/cdrom
# cd /media/cdrom/client/linux-x86_64
# rpm -Uvh vas-client-2.6.47-26.x86_64.rpm

Note - the x86_64 VAS rpm contains both 64-bit and 32-bit libraries, and has an RPM dependency on both the 32-bit libpam library and the 64-bit libpam library. If the 64-bit Linux OS you are installing on does not have any 32-bit supporting libraries installed, you will need to use the --nodeps RPM flag to force the installation and avoid error messages about missing dependencies.

If you are upgrading the site-licensed version, the RPM name begins with vas-client-site instead of vas-client.

During the upgrade, the vascd cache will be flushed and reloaded to ensure that any new database formats are set up correctly. As part of the flush, the vascd daemon will be restarted. You do not need to make any other configuration changes.

3. In versions of VAS earlier than 2.6.47, you will need to reinstall your VAS license after upgrading using the vastool license command. VAS versions 2.6.47 and later use a different licensing mechanism that does not require you to reapply your license.
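Sections 3.4.1, 3.4.2 and 3.5 together give three rules an administrator has to keep straight: a fresh install uses rpm -ivh, an upgrade of the same package type uses rpm -Uvh, and a change between the site and licensed packages is not an upgrade at all but an uninstall followed by an install. The added POSIX shell example below (not a Vintela tool, and not code from this guide) encodes those rules and prints the rpm command to run instead of running it, so the plan can be reviewed before anything touches the system. It also decides whether the x86_64 note about --nodeps applies; the 32-bit library file name libpam.so.0 and the directory it is looked for in are this example's assumptions, and the installed package name would normally come from rpm -q on the client.

```shell
#!/bin/sh
# Added example (not a Vintela tool): turn the install/upgrade rules from
# sections 3.4.1, 3.4.2 and 3.5 into a checked plan rather than a memorised one.

# plan_rpm_action "<currently installed VAS package name, or empty>" <rpm file>
# Prints the rpm command to run. Returns 1 when the guide forbids a direct
# upgrade (site <-> licensed) and 2 when the file is not a VAS client rpm.
plan_rpm_action() {
    installed=$1
    rpmfile=$2
    # The site pattern must be tested first: vas-client-site-* also matches vas-client-*.
    case "$(basename "$rpmfile")" in
        vas-client-site-*) target=vas-client-site ;;
        vas-client-*)      target=vas-client ;;
        *) echo "not a VAS client rpm: $rpmfile" >&2; return 2 ;;
    esac
    if [ -z "$installed" ]; then
        echo "rpm -ivh $rpmfile"          # nothing installed yet: fresh install (3.4.2)
    elif [ "$installed" = "$target" ]; then
        echo "rpm -Uvh $rpmfile"          # same package type: upgrade in place (3.5)
    else
        echo "refusing: $installed is installed but $target was requested;" \
             "run 'rpm -e $installed' first, then install the new package (3.4.1)" >&2
        return 1
    fi
}

# needs_nodeps <arch> <32-bit library directory>
# The x86_64 package depends on both the 32-bit and 64-bit libpam. Returns 0
# when the guide's --nodeps advice applies: x86_64 with no 32-bit libpam present.
# The file name libpam.so.0 is an assumption for this example. Confirm that the
# dependency rpm reports as missing is only this one before bypassing the check,
# because --nodeps silences every other missing dependency as well.
needs_nodeps() {
    arch=$1
    libdir=$2
    [ "$arch" = x86_64 ] || return 1
    [ -e "$libdir/libpam.so.0" ] && return 1
    return 0
}

# Demonstration on the package names used in this chapter.
plan_rpm_action "" vas-client-2.6.47-26.i386.rpm
plan_rpm_action vas-client vas-client-2.6.47-26.x86_64.rpm
plan_rpm_action vas-client vas-client-site-2.6.47-26.i386.rpm || echo "(blocked, as the guide requires)"
```

To use it on a client, pass the output of rpm -q vas-client or rpm -q vas-client-site (whichever is installed) as the first argument, and /lib (the usual location of the 32-bit libraries on an x86_64 system) as the directory for needs_nodeps.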


3.6 Uninstalling the Linux Client

This section details how to uninstall the VAS client from supported Linux platforms.

To uninstall the VAS client RPM perform the following:

1. Log in and open a root shell.

2. If using the licensed VAS client, use rpm to remove the package as follows:

# rpm -e vas-client

If using the site-licensed VAS client, use rpm to remove the package as follows:

# rpm -e vas-client-site


Chapter 4

INSTALLING SOLARIS CLIENTS

This section describes how to install and remove the VAS client for Solaris® operating systems. The following information is included:

• VAS Client Components

• Hardware Requirements

• Software Requirements

• Installing the Solaris Client

• Uninstalling the Solaris Client

4.1 VAS Client Components

The VAS client is packaged in pkg format, and is made up of the following components:

• A client daemon, vascd

• An NSS module, nss_vas

• A PAM module, pam_vas

• A command line administrative tool, vastool

• A shared library, libvas

• 64 bit versions of the libraries and modules

• Man pages

4.2 Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

4.3 Software Requirements

The VAS client supports the following versions of Solaris:


• Solaris® 2.6, 2.7, 8, 9, and 10 (SPARC)

• Solaris® 8 and 9 (x86)

It is recommended that each platform be kept up to date with the recommended patch set for that platform.

4.4 Installing the Solaris Client

This section details how to install the VAS client on supported Solaris platforms. With the VAS client components installed, your Solaris system can become a member of the Active Directory domain.

NOTE

Before you begin the installation make sure that you have the latest patches for your version of Solaris from http://www.sun.com/bigadmin/patches/. Solaris 8 for SPARC requires that you have at least patches 110934-05 and 110380-04.

4.4.1 VAS Client Package Types

There are two different types of VAS client packages:

• Site Licensed (site)

The VAS site package does not require any licensing and has no user limit.

• User Licensed (licensed packages)

The software in the user-licensed package requires a license file to be installed on the system. This license will contain both an expiration date and a user limit. VAS evaluations will require an evaluation license that will be set to expire. Standard licenses will not have an expiration date. For more information on licensing the VAS client, see Chapter 7, Licensing and Configuring the VAS Client.

Your installation media has the appropriate version of the client software.

IMPORTANT

You cannot directly upgrade from the site packages to the licensed packages, or vice-versa. If you are changing the type of VAS client you install, you must uninstall the old one and install the new one.


4.4.2 Installing the vasclient pkg

To install the VAS client package, perform the following:

1. Log in and open a root shell

2. Insert the installation CD. It is mounted automatically.

3. If installing on Solaris 8, 9, or 10 for SPARC, perform the following commands:

# cd /cdrom/cdrom0/client/solaris8-sparc
# pkgadd -d vasclient_SunOS_5.8_sparc-2.6.47.26.pkg vasclient

If installing on Solaris 8, 9, or 10 for x86 platforms, perform the following commands:

# cd /cdrom/cdrom0/client/solaris8-x86
# pkgadd -d vasclient_SunOS_5.8_i386-2.6.47.26.pkg vasclient

If installing on Solaris 2.6 for SPARC, perform the following commands:

# cd /cdrom/cdrom0/client/solaris26-sparc
# pkgadd -d vasclient_SunOS_5.6_sparc-2.6.47.26.pkg vasclient

If installing on Solaris 2.7 for SPARC, perform the following commands:

# cd /cdrom/cdrom0/client/solaris27-sparc
# pkgadd -d vasclient_SunOS_5.7_sparc-2.6.47.26.pkg vasclient

In the above steps, replace /cdrom/cdrom0 with the path to your CDROM device.

If you are installing the site-licensed version, the name of the client pkg is vasclient_SunOS_5.8_sparc-2.6.47.26-site.pkg.

NOTE

In certain situations pkgadd requests additional information. Respond appropriately for your system configuration. Initialization scripts that are part of the vasclient package run during installation to help configure the system.

For information on configuring the VAS Client, see Chapter 7, Licensing and Configuring the VAS Client.

4.5 Upgrading the Solaris Client

This section details how to upgrade the VAS client on supported Solaris platforms.

To upgrade the VAS client package, perform the following:

1. Log in and open a root shell

2. Insert the installation CD. It is mounted automatically.


3. If upgrading on Solaris 8, 9, or 10 for SPARC, perform the following commands:

# cd /cdrom/cdrom0/client/solaris8-sparc
# pkgadd -a ../solaris-upgrade-defaults \
    -d vasclient_SunOS_5.8_sparc-2.6.47.26.pkg vasclient

If upgrading on Solaris 8 or 9 for x86 platforms, perform the following commands:

# cd /cdrom/cdrom0/client/solaris8-x86
# pkgadd -a ../solaris-upgrade-defaults \
    -d vasclient_SunOS_5.8_i386-2.6.47.26.pkg vasclient

If upgrading on Solaris 2.6 for SPARC, perform the following commands:

# cd /cdrom/cdrom0/client/solaris26-sparc
# pkgadd -a ../solaris-upgrade-defaults \
    -d vasclient_SunOS_5.6_sparc-2.6.47.26.pkg vasclient

If upgrading on Solaris 2.7 for SPARC, perform the following commands:

# cd /cdrom/cdrom0/client/solaris27-sparc
# pkgadd -a ../solaris-upgrade-defaults \
    -d vasclient_SunOS_5.7_sparc-2.6.47.26.pkg vasclient

In all of the above examples, replace /cdrom/cdrom0 with the appropriate path to your mounted CD.

If you are upgrading the site-licensed version, the name of the client pkg is vasclient_SunOS_5.8_sparc-2.6.47.26-site.pkg.

The -a vasclient-defaults option specifies an alternative default file for pkgadd administrative options that allows pkgadd to overwrite an existing pkg with a new pkg. pkgadd does not support the concept of upgrading a pkg, so this allows you to upgrade without having to rejoin your machine to the Active Directory domain or uninstall the old version first.

4. A post installation script will automatically run vastool flush, which will restart vascd and rebuild the VAS caches.

5. If you are using the licensed version of the VAS client earlier than 2.6.47, then reinstall your user license with the vastool license command. VAS versions 2.6.47 and later use a new licensing technology that does not require you to reinstall your license as part of an upgrade.

4.6 Uninstalling the Solaris Client

This section details how to uninstall the VAS client from supported Solaris platforms.

To uninstall the VAS client pkg, perform the following:

1. Log in and open a root shell.

2. Use pkgrm to remove the package as follows:

# pkgrm vasclient


Chapter 5

INSTALLING HP-UX CLIENTS

This section describes how to install and remove the VAS client for HP-UX® operating systems. The following information is included:

• VAS Client Components

• Hardware Requirements

• Software Requirements

• Installing the HP-UX Client

• Uninstalling the HP-UX Client

5.1 VAS Client Components

The VAS client is packaged in depot format for both PA-RISC and the IA-64 platforms and is made up of the following components:

• A client daemon, vascd

• An NSS module, nss_vas

• A PAM module, pam_vas

• A command line administrative tool, vastool

• A shared library, libvas

• 64-bit versions of the libraries and modules (the IA-64 package has 32-bit PA-RISC libraries as well).

• Man pages

5.2 Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.


5.3 Software Requirements

The VAS client supports the following versions of HP-UX:

• HP-UX 11 (HP-UX B.11.0 / PA-RISC)

• HP-UX 11i v1 (HP-UX B.11.11 / PA-RISC)

• HP-UX 11i v1.6 (HP-UX B.11.22 / IA-64)

5.4 Installing the HP-UX Client

This section details how to install the VAS client on supported HP-UX platforms. With the VAS client components installed, your HP-UX system becomes a member of the Active Directory domain.

IMPORTANT

Before you begin the installation make sure that you have the latest Support Plus patches for your version of HP-UX from http://www.software.hp.com/SUPPORT_PLUS/index.html or at http://www.hp.com.

HP-UX 11 (B.11.0) requires the following patch:

• Quality Pack QPK1100 (B.11.00.62.4)

HP-UX 11i v1 (B.11.11) requires the following patches:

• Bundle 11i (B.11.11.0306.1)

• Quality Pack GOLDQPK11i (B.11.11.0306.4)

HP-UX 11i v1.6 (B.11.22) requires the following patch:

• Maintenance Pack (MAINTPACK version E0306)

5.4.1 VAS Client Package Types

There are two different types of VAS client packages:

• Site Licensed (site)

The VAS site package does not require any licensing and has no user limit.

• User Licensed (licensed packages)

The software in the user-licensed package requires a license file to be installed on the system. This license will contain both an expiration date and a user limit. VAS evaluations will require an evaluation license that will be set to expire. Standard licenses will not have an expiration date. For more information on licensing the VAS client, see Chapter 7, Licensing and Configuring the VAS Client.

Your installation media has the appropriate version of the client software.

IMPORTANT

You cannot directly upgrade from the site packages to the licensed packages, or vice-versa. If you are changing the type of VAS client you install, you must uninstall the old one and install the new one.

5.4.2 Installing the vasclient depot

To install the VAS client depot, perform the following:

1. Log in and open a root shell.

2. Mount the installation CD by executing the following commands:

# mkdir /cdrom
# mount -F cdfs -o rr /dev/dsk/c0t0d0 /cdrom

Where /dev/dsk/c0t0d0 is the name of the device for your CDROM drive.

3. If installing on HP-UX 11i v1.6, use swinstall to install the IA-64 depot by executing the following command:

# swinstall -s \
    /cdrom/client/hpux-ia64/vasclient_ia64-2.6.47.26.depot vasclient

If installing on HP-UX 11i v1 or 11.0, use the following command line to install the depot for PA-RISC machines:

# swinstall -s \
    /cdrom/client/hpux-pa/vasclient_9000-2.6.47.26.depot vasclient

If you are installing the site-licensed version, the depot name is vasclient_9000-2.6.47.26-site.depot or vasclient_ia64-2.6.47.26-site.depot.

IMPORTANT

VAS requires that the Unix client's system clock be synchronized with the Active Directory server's system clock. By default, HP-UX uses xntpd for time services. To properly synchronize the system clocks, either configure xntpd to sync with a Domain Controller, or disable xntpd to allow VAS to synchronize the system time. Consult the xntpd documentation for information on disabling xntpd and configuring the xntpd client.


For information on configuring the VAS Client, see Chapter 7, Licensing and Configuring the VAS Client.

5.5 Upgrading the HP-UX Client

This section details how to upgrade the VAS client on supported HP-UX platforms.

To upgrade the vasclient depot, perform the following:

1. Log in and open a root shell.

2. Mount the installation CD by executing the following commands:

# mkdir /cdrom
# mount -F cdfs /dev/dsk/c0t0d0 /cdrom

Where /dev/dsk/c0t0d0 is the name of the device for your CDROM drive.

3. If upgrading on HP-UX 11i v1.6, use swinstall to upgrade the IA-64 depot by executing the following command:

# swinstall -s \
    /cdrom/client/hpux-ia64/vasclient_ia64-2.6.47.26.depot vasclient

If upgrading on HP-UX 11i v1 or 11.0, use the following command line to upgrade the depot for PA-RISC machines:

# swinstall -s \
    /cdrom/client/hpux-pa/vasclient_9000-2.6.47.26.depot vasclient

If you are upgrading the site-licensed version, the depot name is vasclient_9000-2.6.47.26-site.depot or vasclient_ia64-2.6.47.26-site.depot.

4. Reboot the HP-UX machine to ensure that all of the new files are installed. HP-UX does not allow you to overwrite files that are in use – this is done as part of the boot sequence.

5. If you are using a licensed version of the VAS client earlier than 2.6.47, reinstall your user license with the vastool license command. VAS version 2.6.47 and later use a new licensing technology that does not require the license to be reinstalled as part of the upgrade.

5.6 Uninstalling the HP-UX Client

This section details how to uninstall the VAS client from supported HP-UX platforms.

To uninstall the VAS client depot, perform the following:

1. Log in and open a root shell

2. Use swremove to remove the package as follows:

# swremove vasclient

The HP-UX swremove command will not clean up the empty directories that the vasclient package used. In order to clean these up, manually remove the /opt/vas directory after uninstallation.


Chapter 6

INSTALLING AIX CLIENTS

This section describes how to install and remove the VAS client for AIX® operating systems. The following information is included:

• VAS Client Components

• Hardware Requirements

• Software Requirements

• Installing the AIX Client

• Uninstalling the AIX Client

6.1 VAS Client Components

The VAS client is packaged in installp format, and is made up of the following components:

• A client daemon, vascd

• A Loadable Authentication Module, VAS

• A PAM module, pam_vas (for AIX 5.1, 5.2, and 5.3)

• A command line administrative tool, vastool

• A shared library, libvas

• Man pages

6.2 Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

6.3 Software Requirements

The VAS client supports the following versions of AIX:

• 4.3.3 (32-bit only - requires at least maintenance level 11 (4330-11))


• 5.1 (32 and 64 bit - requires at least maintenance level 4 (5100-04))

• 5.2 (32 and 64 bit - requires at least maintenance level 4 (5200-04))

• 5.3 (32 and 64 bit - requires at least maintenance level 1 (5200-01))

You can check your current maintenance level with the command:

oslevel -r

6.4 Installing the AIX Client

This section details how to install the VAS client on supported AIX platforms.

6.4.1 VAS Client Package Types

There are two different types of VAS client packages:

• Site Licensed (site)

The VAS site package does not require any licensing and has no user limit.

• User Licensed (licensed packages)

The software in the user-licensed package requires a license file to be installed on the system. This license will contain both an expiration date and a user limit. VAS evaluations will require an evaluation license that will be set to expire. Standard licenses will not have an expiration date. For more information on licensing the VAS client, see Chapter 7, Licensing and Configuring the VAS Client.

Your installation media has the appropriate version of the client software.

IMPORTANT

You cannot directly upgrade from the site packages to the licensed packages, or vice-versa. If you are changing the type of VAS client you install, you must uninstall the old one and install the new one.

6.4.2 Installing the VAS client AIX package

To install the VAS client installp package, perform the following:

1. Log in and open a root shell.

2. Mount the installation CD by executing the following commands:

# mkdir /cdrom
# mount -o ro -v cdrfs /dev/cd0 /cdrom

Where /dev/cd0 is the name of the device for your CDROM drive.


3. Change to the platform specific client directory at the root of the mounted CDROM. If installing on AIX 5.1 or 5.2, do the following:

# cd /cdrom/client/aix-51

If installing on AIX 4.3.3, change to the AIX 4.3.3 directory as follows:

# cd /cdrom/client/aix-43

If installing on AIX 5.3, change to the AIX 5.3 directory as follows:

# cd /cdrom/client/aix-53

4. Use installp to install the vasclient package. For AIX 5.1 and 5.2, run:

# installp -ac -d vasclient.AIX_5_1.2.6.47.26.bff all

For AIX 4.3.3, run:

# installp -ac -d vasclient.AIX_4_3.2.6.47.26.bff all

For AIX 5.3, run:

# installp -ac -d vasclient.AIX_5_3.2.6.47.26.bff all

If you are installing the site-licensed version, the package name is vasclient.AIX_4_3-site.2.6.47.26.bff for AIX 4.3.3, vasclient.AIX_5_1-site.2.6.47.26.bff for AIX 5.1 and 5.2, or vasclient.AIX_5_3-site.2.6.47.26.bff for AIX 5.3.

For information on configuring the VAS Client, see Chapter 7, Licensing and Configuring the VAS Client.

6.5 Upgrading the AIX Client

This section details how to upgrade the VAS client on supported AIX platforms.

To upgrade the VAS client installp package, perform the following:

1. Log in and open a root shell.

2. Mount the installation CD by executing the following commands:

# mkdir /cdrom
# mount -o ro -v cdrfs /dev/cd0 /cdrom

Where /dev/cd0 is the name of the device for your CDROM drive.

3. Change to the platform specific client directory at the root of the mounted CDROM. If upgrading on AIX 5.1 or 5.2, do the following:

# cd /cdrom/client/aix-51

If upgrading on AIX 4.3.3, do the following:

# cd /cdrom/client/aix-43

If upgrading on AIX 5.3, do the following:

# cd /cdrom/client/aix-53


4. Use installp to upgrade the package appropriate for your version of AIX. For AIX 5.1 and 5.2, run:

# installp -ac -d vasclient.AIX_5_1.2.6.47.26.bff all

For AIX 4.3.3, run:

# installp -ac -d vasclient.AIX_4_3.2.6.47.26.bff all

For AIX 5.3, run:

# installp -ac -d vasclient.AIX_5_3.2.6.47.26.bff all

If you are upgrading the site-licensed version, the package name is vasclient.AIX_4_3-site.2.6.47.26.bff for AIX 4.3.3, vasclient.AIX_5_1-site.2.6.47.26.bff for AIX 5.1 and 5.2, or vasclient.AIX_5_3-site.2.6.47.26.bff for AIX 5.3.

5. If you are using a licensed version of the VAS client earlier than 2.6.47, then reinstall your user license with the vastool license command. VAS versions 2.6.47 and later use a new licensing technology that does not require you to reinstall your license after upgrading.

vascd will be restarted and the vascd caches will be flushed as part of the upgrade process. You do not need to make any other configuration changes while upgrading.

6.6 Uninstalling the vasclient AIX package

This section details how to uninstall the VAS client from supported AIX platforms.

To uninstall the VAS client installp package, perform the following:

1. Log in and open a root shell.

2. Use installp to uninstall the package appropriate for your version of AIX.

# installp -u vasclient


Chapter 7

LICENSING AND CONFIGURING THE VAS CLIENT

There are two types of VAS client packages - the site version and the licensed version. The site version does not require any installed licenses. The licensed version requires one or more Vintela license files to be installed in the /etc/opt/vas/.licenses directory. For VAS evaluations, an evaluation Vintela license file, which has an expiration date, is required.

Each license file for VAS is good for a certain number of users. There is no limit on the number of users that can be used on the Unix host through VAS, but if the license limit is exceeded, warning messages will be sent through the syslog interfaces. If you are not using the site version of the VAS client, you should ensure that you have the licenses correctly installed before vascd starts up.

7.1 Installing Licenses

There are two ways to manage your license information - through manual installation on each Unix host, or centrally in Active Directory through Group Policies using the Vintela Group Policy (VGP) utilities.

To manually install a license file, simply copy the file to the /etc/opt/vas/.licenses directory and make sure that the permissions on the file are set to 0644. You must not modify the license file in any way, as any modification will invalidate the license signature, and the license will be considered invalid.

You can install multiple licenses in the licensing directory, and each valid, unexpired license will be used in calculating the user limit.

When the VGP utilities are installed alongside the VAS client, the vastool join command will automatically use the vgptool utility to apply the VAS specific policies during the join process. For more information on using VGP and configuring the Vintela Licensing Policy, refer to the VGP Administrator's Guide.

Note that when no license is installed, vastool will operate correctly, but the rest of the VAS components will not work. If all licenses expire, then vascd will exit and cease to function.
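The following shell script is an added example, not part of this guide or of the VAS product. It copies a license file into the directory named above, sets the 0644 permissions the guide asks for, verifies the copy is byte-for-byte identical to the source (since any change breaks the license signature), and audits the directory before vascd is started. The function names and the sample file used to try it are ours; only the directory path comes from the guide.

```shell
#!/bin/sh
# Added example (not the Vintela guide's own code): install and audit VAS
# license files as section 7.1 describes. The directory path is the one the
# guide gives; the function names are ours.
VAS_LICENSE_DIR="${VAS_LICENSE_DIR:-/etc/opt/vas/.licenses}"

# install_vas_license SRC [DIR]
# Copies SRC unchanged into DIR, sets mode 0644, and confirms the copy is
# identical to the source. The file is never edited: any change would
# invalidate the signature and the license would be rejected.
install_vas_license() {
    src=$1
    dir=${2:-$VAS_LICENSE_DIR}
    [ -f "$src" ] || { echo "no such license file: $src" >&2; return 1; }
    mkdir -p "$dir" || return 1
    dst="$dir/$(basename "$src")"
    cp "$src" "$dst" || return 1
    chmod 0644 "$dst" || return 1
    cmp -s "$src" "$dst" || { echo "copy of $src differs from source" >&2; return 1; }
}

# check_vas_licenses [DIR]
# Returns 0 when DIR exists, holds at least one file, and every file is
# mode 0644 exactly; otherwise lists the offending files on stderr and
# returns 1. Run it before vascd starts on a user-licensed client.
check_vas_licenses() {
    dir=${1:-$VAS_LICENSE_DIR}
    [ -d "$dir" ] || { echo "license directory $dir is missing" >&2; return 1; }
    count=$(find "$dir" -type f | wc -l | tr -d ' ')
    [ "$count" -gt 0 ] || { echo "no license files in $dir" >&2; return 1; }
    # -perm 644 without a leading "-" is an exact mode match.
    bad=$(find "$dir" -type f ! -perm 644)
    if [ -n "$bad" ]; then
        echo "license files not mode 0644:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Typical use on a client (as root):
#   install_vas_license /tmp/vintela.lic && check_vas_licenses
```

The check deliberately fails on files that are stricter than 0644 as well as looser ones, because the guide specifies the mode exactly and a file vascd cannot read is as useless as one that has been tampered with.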


7.2 VAS Client Configuration

In order for the VAS client to work correctly, the UNIX/Linux system that you installed the VAS client on must be "joined" to the Active Directory domain. This is done by using the vastool join command.

IMPORTANT

Before you join the VAS client to the Active Directory domain, make sure you have the following information:

• The name of the Active Directory domain of which you want the VAS client to be a member.

• The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory. Normally this user is a member of the Domain Admins group.

To run vastool join, do the following as the root user at a shell prompt:

# /opt/vas/bin/vastool -u matt join example.com

Where matt is the username of an Active Directory user with sufficient administrative privileges to create a computer object in Active Directory (normally a user who is a member of the Domain Admins group), and example.com is the name of the Active Directory domain to which you are joining the computer.

When prompted for the user's password, type it on the command line. The results of vastool join will be shown on the shell's standard out.

7.2.1 vastool join Modifications

vastool join makes the following modifications to your UNIX/Linux system:

• The system's configuration files for user and group account information backends are modified to include VAS. This is done by modifying /etc/nsswitch.conf to include vas as an entry for the passwd and group entries. The vas entry will be inserted after the files entry.

• The system's configuration files for authentication are updated to use VAS as an authentication backend. This is done by modifying the PAM configuration file(s) located at /etc/pam.conf or in the /etc/pam.d directory. These modifications will allow the VAS authentication modules to authenticate Active Directory users while allowing the native system authentication modules to continue to authenticate system users.

• The /etc/opt/vas/vas.conf configuration file is configured with information to enable the VAS libraries to use Kerberos authentication against Active Directory.

• An object in Active Directory is created for the computer. The computer account's password is set to a generated random password, which is stored as a Kerberos key at /etc/opt/vas/host.keytab.

• The vascd daemon is started, and the VAS user and group caches are loaded.

NOTE

After the UNIX/Linux client is joined to the domain, many of the currently running operating system services (such as telnet, ftp, ssh, etc.) need to be restarted so that they can use the new VAS configuration. To do this, you can either reboot the machine, cycle your init levels to single user mode and back, or individually restart each daemon.

The following services are known to function incorrectly until they are restarted:

• dtlogin on Solaris and HP-UX

• sshd on Red Hat 9 and Advanced Server 3.0

• gdm on all platforms. Be sure to use gdm-restart instead of just cycling run-levels.

7.2.2 vastool join and DNS

As part of the vastool join command, vastool autodetects the Active Directory domains, the domain controllers for each domain, and the Active Directory site for the UNIX/Linux system. This is done by looking up DNS SRV records and using information stored in the Active Directory configuration container.

If you are not using DNS, or if your DNS server does not support dynamic updates from Active Directory, then vastool will not autodetect the domain controllers for the Active Directory domain. In this case, specify the domain controllers for your domain on the vastool join command line. To run vastool join while specifying the domain controllers, run the following as root at a shell prompt:

# /opt/vas/bin/vastool -u matt join example.com \
    server1.example.com server2.example.com

Where server1.example.com and server2.example.com are both domain controllers for the example.com domain. Specify one or more domain controllers for the realm you are joining that are in the UNIX/Linux system's Active Directory Site.

If you have users from multiple domains outside the VAS client's default domain that will be accessing the UNIX/Linux client, then manually configure the server information for each of those domains with the VAS client. This is done with the vastool configure extra-realm command. Refer to the vastool man page for more information on vastool configure extra-realm.


Appendix A

TROUBLESHOOTING COMMON INSTALLATION PROBLEMS

This appendix describes common problems you may encounter during the installation of VAS and how to fix them. For more troubleshooting tips for individual VAS components, see the VAS Administration Guide.

A.1 Problems with Windows MMC Extensions

A.1.1 Unix Account Tab is Not Displayed for User and Group Properties

There are two possible causes for this problem:

1. The VAS Administrative Tools package has not been installed on the workstation where you are running Active Directory Users and Computers.

To solve this problem, run the VAS.MSI installer from the VAS product CD as specified in the Windows Installation and Configuration section of this guide.

2. The VAS Administrative Tools have not been registered with Active Directory display specifiers.

To solve this problem, run the VAS Display Specifier Registration Wizard by executing DSREG32.EXE from the VAS product CD as specified in the Registering VAS Administrative Tools with Active Directory section of this guide. Be sure that you are logged in with Enterprise Admin rights when you run the wizard.

A.2 Time Synchronization Errors

The VAS client uses the Kerberos protocol to authenticate against Active Directory. Kerberos is time sensitive. This means that all clients in the Active Directory domain must have their clocks synchronized to within a few minutes of each other.

If you see this error:

Could not authenticate, error = Clock skew too great.


Then the host you are trying to join to the Active Directory domain does not have its clock synchronized with Active Directory.

There are a number of solutions to this problem. The best solution is to use a Network Time Protocol (NTP) server to synchronize your Windows Domain Controllers and Linux and UNIX clients against. This allows the Linux and UNIX clients to take advantage of the benefits of NTP and the ntpd daemon that is available on most UNIX and Linux platforms. For more information on NTP and time synchronization, see the VAS Administration Guide.

If you cannot deploy an NTP server, VAS provides tools to synchronize your Linux or UNIX host's clock directly against Active Directory. To quickly synchronize your clock, use vastool to do the following:

# /opt/vas/bin/vastool timesync adserver

where adserver is the hostname of a Domain Controller on your network.

This will synchronize your clock against Active Directory, enabling you to authenticate. However, this only synchronizes your clock once and does not handle clock drift. The vascd daemon synchronizes your clock continually if no other NTP client is running. To use vascd to synchronize your clock, first disable any NTP clients on your system and then restart vascd.

A.3 Domain Discovery Errors

When running vastool join to join your Linux/UNIX client to an Active Directory domain, vastool automatically detects the structure of the Active Directory forest. It detects the domains and the domain controllers and stores that information in a local cache. If vastool cannot detect this information then you will not be able to join the domain or authenticate users.

In order to detect the domains and domain controllers, you must configure your DNS server to allow dynamic updates from Active Directory. Active Directory registers a number of SRV records for Kerberos and LDAP servers. If Active Directory is not able to register its SRV records, it will cause significant problems for your Active Directory deployment.

If you see the following message during vastool join:

Detecting Domain Services for sfu35.vas....ERROR: Realms update failed, error = No such file or directory.

then the SRV records for Active Directory have not been registered with your DNS server, or you may not be using DNS. If you are using DNS, ensure that you are using the correct DNS server, and that Active Directory has registered SRV records such as _ldap._tcp.<your domain>. You can check for these SRV records by using dig with the following command:

# dig SRV _ldap._tcp.example.com

The output of dig will help you debug problems with your DNS server.

You can also use the vastool realms command to debug problems. vastool realms find srvs will list the services it can detect through DNS. For more information on vastool see the vastool man page, or the VAS Administration Guide.
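As an added example that is not part of the guide, the following shell functions read the answer section of the dig command above and list the domain controllers in the order a client should try them: lowest priority value first and, within a priority, highest weight first. A count of zero is the condition the "Realms update failed" message describes (records never registered, or the wrong DNS server being queried). The dig answer line layout (name, TTL, class, type, priority, weight, port, target) is the standard one; the function names and the sample answer section are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the guide): pick domain controllers out of the
# answer section of "dig SRV _ldap._tcp.<domain>" in the order a client
# should try them. Function names are ours; the dig line layout is standard.

# srv_targets: reads dig output on stdin, prints "host port" per line,
# lowest priority value first, then highest weight first.
srv_targets() {
    awk '$4 == "SRV" && NF >= 8 {
            # $5 priority, $6 weight, $7 port, $8 target (trailing dot stripped)
            host = $8; sub(/\.$/, "", host)
            printf "%d %d %s %s\n", $5, $6, host, $7
        }' | sort -k1,1n -k2,2nr | awk '{ print $3, $4 }'
}

# srv_count: number of SRV answers in the dig output on stdin. Zero means
# the records the appendix describes were never registered, or the wrong
# DNS server is being queried.
srv_count() {
    awk '$4 == "SRV" && NF >= 8 { n++ } END { print n + 0 }'
}

# Constructed sample answer section (not a real query result).
SAMPLE_DIG_OUTPUT='; constructed sample output for SRV _ldap._tcp.example.com
;; ANSWER SECTION:
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 10 100 389 dc3.example.com.
_ldap._tcp.example.com. 600 IN SRV 0 200 389 dc2.example.com.
;; Query time: 1 msec'

# Live use on a client: dig SRV _ldap._tcp.example.com | srv_targets
```

Comparing the list this prints with the domain controllers you expect for the client's Active Directory site is a quick way to tell a DNS registration problem from a site or firewall problem before re-running vastool join.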

If you are using /etc/hosts entries instead of DNS, specify the hostnames of your domain controllers on the vastool join command line. Do this with the following:

# /opt/vas/bin/vastool -u admin join example.com \
    server1.example.com

where example.com is the domain you are joining, and server1.example.com is the hostname of a domain controller for the example.com domain.

It is important that you have an entry for server1.example.com in /etc/hosts. It is possible to configure multiple servers by putting multiple servers on the vastool join command line after the domain name.

A.4 Permissions and Authentication Errors

A.4.1 Authentication Errors

In order to successfully run vastool join, you must supply a user name and password to authenticate to Active Directory. If you see this message:

Could not authenticate, error = Preauthentication failed.

you have supplied an incorrect password. Try the command again with the correct password.

If you see this message:

Could not authenticate, error = KDC has no support for encryption type.

you have tried to authenticate as a user that does not have a Kerberos User Principal Name (UPN). This is common with the Active Directory Administrator account - it does not have a UPN by default. In order to authenticate as the Active Directory Administrator account, give that user a user principal name and reset the password. You can do this by using the Active Directory Users and Computers Snapin, viewing the properties page for the Administrator user, and setting the User logon name fields on the Account tab.

If you see this message:

Could not authenticate, error = Client not found in Kerberos database.

the user you supplied to authenticate does not exist in Active Directory. Try again with a user that does exist in Active Directory.

A.4.2 Permissions Errors

The user you use to authenticate when running vastool join must have the appropriate permissions in Active Directory to create a computer object. If the user does not have the right permissions, you will see this error message:

Adding host/[email protected] to the Domain.....ERROR: Adding to domain failed, error = Access denied

Give the user the appropriate access rights in Active Directory, by adding the user to the Domain Admins group or by delegating computer creation access to the computers container. For more information on delegating access rights for computer creation see the VAS Administration Guide.


A.5 Using syslog

When experiencing problems with the VAS client, it is helpful to view the syslog messages that the VAS client produces. The location of these log files varies between Linux/UNIX versions and according to how the administrator has configured syslogd. They are commonly located in /var/adm, /var/log, or /var/adm/syslog. Of the different types of syslog messages, VAS uses auth syslog messages from its authentication components, and daemon syslog messages from vascd.

The syslog auth message type is commonly not enabled in syslogd. In order to enable auth messages, configure /etc/syslog.conf to have entries for the auth and daemon syslog messages. There are many ways to configure /etc/syslog.conf to accomplish this. This is one example:

*.debug /var/adm/messages

Refer to your system's syslogd documentation for information on advanced configuration for syslogd. Remember to restart syslogd after making any changes to /etc/syslog.conf.
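An added example, not from the guide: the shell functions below pick the VAS auth and daemon messages out of a syslog file and count the failure classes explained in this appendix, which is a quick way to spot a burst of clock skew or bad password failures after a join, or the license limit warnings that Chapter 7 says vascd sends through syslog. The program identifiers (vascd, vastool, pam_vas, nss_vas), the license warning text and the sample log lines are assumed or constructed for this example, not taken from a VAS host; the error strings themselves are the ones this appendix lists.

```shell
#!/bin/sh
# Added example (not from the guide): tally VAS failure classes in a syslog
# file. Identifiers in VAS_IDENT_RE and the sample log are assumptions.

# Syslog program identifiers assumed for the VAS components.
VAS_IDENT_RE='(vascd|vastool|pam_vas|nss_vas)'

# count_vas_messages LOG PATTERN
# Number of lines in LOG logged by a VAS component that match PATTERN.
# grep -c exits 1 when the count is 0, so "|| :" keeps the 0 and a clean status.
count_vas_messages() {
    grep -E "$VAS_IDENT_RE" "$1" | grep -c -- "$2" || :
}

# vas_syslog_report LOG
# One "class count" line per failure class from this appendix, plus the
# license warnings from Chapter 7 (text assumed to contain "license").
vas_syslog_report() {
    log=$1
    printf 'clock-skew %s\n'    "$(count_vas_messages "$log" 'Clock skew too great')"
    printf 'bad-password %s\n'  "$(count_vas_messages "$log" 'Preauthentication failed')"
    printf 'unknown-user %s\n'  "$(count_vas_messages "$log" 'Client not found in Kerberos database')"
    printf 'no-upn %s\n'        "$(count_vas_messages "$log" 'KDC has no support for encryption type')"
    printf 'access-denied %s\n' "$(count_vas_messages "$log" 'Access denied')"
    printf 'license-limit %s\n' "$(count_vas_messages "$log" 'license')"
}

# write_sample_log FILE: a constructed syslog excerpt for trying the report.
# The non-VAS lines (sshd, cron) are there to show they are filtered out.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  1 08:00:01 host1 vastool[2101]: Could not authenticate, error = Clock skew too great.
Mar  1 08:00:05 host1 sshd[2110]: Accepted publickey for alice from 10.0.0.5
Mar  1 08:01:12 host1 pam_vas[2133]: Could not authenticate, error = Preauthentication failed.
Mar  1 08:01:40 host1 pam_vas[2140]: Could not authenticate, error = Preauthentication failed.
Mar  1 08:02:03 host1 vastool[2150]: Could not authenticate, error = Client not found in Kerberos database.
Mar  1 08:03:00 host1 vascd[1001]: license user limit exceeded
Mar  1 08:03:30 host1 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Typical use on a client: vas_syslog_report /var/adm/messages
```

A steady trickle of bad-password entries is normal; a cluster of them for one account within a minute, or any clock-skew entries on a host that was joined successfully, is worth looking at right away, since the first points at password guessing and the second at the NTP problem described in A.2.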
