Auth Services and Domain Trusts

Hi,

Looking for some help and advice.

I have an Active Directory that I administer and can install Auth Services into. Within this AD I have some admin users that need access to Redhat machines, all no problem with Auth Services. However, my question is this.

If the AD at the other end of the Trust has users that I need to "Unix Enable", so they can also access the RedHat machines using their AD accounts, is that possible?

Note - the other AD is managed by another company and I have no possibility of getting anything installed or changed other than a trust established.

Can anyone help/suggest if this is possible?

Thanks,

Steve

  • Hi Steve,

    * If you are using our tools, which again we strongly recommend, when you check that 'Unix Enable' box we will populate a number of defaults within those fields and ensure the UID Number chosen is unique. For example the default for loginShell is usually '/bin/sh' and the home directory is '/home/<username>'.

    * If a one-way trust is setup you will need to configure each machine with a keytab which should be explained in some of the information I sent previously I believe.

    * Concerning caching, we don't actually cache credentials themselves for all users. We cache information about those users: the uidNumbers, gidNumbers, group memberships, stuff like that. This is for efficiency, so that if a user gets asked about we can get that information locally instead of going back to AD, in order to minimize traffic.

    When a user logs in, however, we do establish a disconnected credential cache so that if the server were to become disconnected from the network or the AD servers were unavailable they could still log in. This feature, however, can be turned off on a server using a setting in '/etc/opt/quest/vas/vas.conf'. I will include the man page entry below.

           allow-disconnected-auth = <true | false>
              Default value: true

              To globally disallow disconnected authentication set this option to
              false. This may be useful for high security installations that
              should never allow disconnected authentication. By default,
              disconnected authentication is supported by all the QAS
              authentication modules.

              NOTE: This only applies to regular disconnected authentication.
              Persistent disconnected authentication will continue to work if
              configured. To disable that unconfigure perm-disconnected-users.

              The following is an example of how to globally turn off disconnected
              authentication.

              [vas_auth]
               allow-disconnected-auth = false

    Thank you,
    Leigh Grant
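
Because the man page entry above warns that allow-disconnected-auth = false does not switch off persistent disconnected authentication for any perm-disconnected-users that are still configured, a practitioner hardening a fleet of Red Hat hosts will want to verify both settings on each machine rather than trust that the first one was set. The following shell audit helper is an added example, not part of the original post and not a Quest/QAS tool. It assumes vas.conf is INI-style with a [vas_auth] section (as shown in the excerpt), takes the two option names from the excerpt, and, since the excerpt does not say which section perm-disconnected-users lives in, looks for that key in any section. The sample configs it runs against are constructed for the example.

```shell
#!/bin/sh
# Audit helper for QAS vas.conf disconnected-authentication settings.
# Added example, not QAS's own code. Assumptions: INI-style file, options
# named as in the man page excerpt; sample contents below are constructed.

# vas_conf_get SECTION KEY FILE
# Print the value of KEY in SECTION (empty SECTION = any section), or nothing.
vas_conf_get() {
    section="$1"; key="$2"; file="$3"
    awk -v section="$section" -v key="$key" '
        BEGIN { insec = (section == "") }
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (section == "" || s == section); next
        }
        insec && $0 !~ /^[[:space:]]*[#;]/ {
            line = $0; sub(/^[[:space:]]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr(line, eq + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$file"
}

# check_disconnected_auth FILE
# Returns 0 only when disconnected auth is fully off: allow-disconnected-auth
# is false in [vas_auth] AND no perm-disconnected-users is configured anywhere.
# Otherwise prints the reason and returns 1.
check_disconnected_auth() {
    file="$1"
    allow=$(vas_conf_get vas_auth allow-disconnected-auth "$file")
    perm=$(vas_conf_get "" perm-disconnected-users "$file")
    case "$allow" in
        [Ff][Aa][Ll][Ss][Ee]) ;;  # explicitly disabled
        "") echo "$file: allow-disconnected-auth unset (default true)"; return 1 ;;
        *)  echo "$file: allow-disconnected-auth = $allow"; return 1 ;;
    esac
    if [ -n "$perm" ]; then
        echo "$file: perm-disconnected-users = $perm; persistent disconnected auth still works"
        return 1
    fi
    echo "$file: disconnected authentication disabled"
    return 0
}

# Constructed sample configs (not taken from any real host).
SAMPLE_DEFAULT='[vas_auth]
 # allow-disconnected-auth left at its default
 workstation-mode = false'
SAMPLE_HARDENED='[vas_auth]
 allow-disconnected-auth = false'
SAMPLE_PERM='[vas_auth]
 allow-disconnected-auth = false
 perm-disconnected-users = alice, bob'

# Stand-alone demo: write the samples to a temp dir and audit each one.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_DEFAULT"  > "$demo_dir/default.conf"
printf '%s\n' "$SAMPLE_HARDENED" > "$demo_dir/hardened.conf"
printf '%s\n' "$SAMPLE_PERM"     > "$demo_dir/perm.conf"
for f in "$demo_dir"/*.conf; do
    check_disconnected_auth "$f" || true
done
```

On a real host run check_disconnected_auth against /etc/opt/quest/vas/vas.conf; only the hardened sample passes, because the perm sample keeps persistent disconnected users even though allow-disconnected-auth is false, which is exactly the caveat in the NOTE above.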
