Beruflich Dokumente
Kultur Dokumente
Installation Guide
Copyright (c) 2010 Quest Software, Inc.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide is furnished
under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the
terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying and recording for any purpose other than the purchasers personal use
without the written permission of Quest Software, Inc.
The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel
or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products.
EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING
TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS
OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS
DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations
or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to
make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment
to update the information contained in this document.
If you have any questions regarding your potential use of this material, contact:
Refer to our Web site for regional and international office information.
Patents
Protected by U.S. Patent # 7,617,501. Additional patents pending.
Trademarks
Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, Benchmark Factory, Big
Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, CI Discovery,
Defender, DeployDirector, Desktop Authority, Directory Analyzer, Directory Troubleshooter, DS Analyzer, DS Expert,
Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, JClass, JProbe, LeccoTech,
LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo,
PerformaSure, Point, Click, Done!, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic,
SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage
Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vConverter, vEcoShell, VESI,vFoglight, vPackager, vRanger,
vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vEssentials, Vizioncore
vWorkflow, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc
in the United States of America and other countries. Other trademarks and registered trademarks are property of their
respective owners.
Third Party Contributions
This product may contain one or more of the following third party components. For copies of the text of any license listed,
please go to http://www.quest.com/legal/third-party-licenses.aspx .
Component Notes
Apache Commons 1.2 Apache License
Version 2.0, January 2004
Boost Boost Software License
Version 1.0, August 2003
Expat 2.0.0 1998, 1999, 2000 Thai Open Source Software Center Ltd
Heimdal Krb/GSSapi 1.2 2004 - 2007 Kungliga Tekniska Hgskolan
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.
OpenSSL 0.9.8d This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/)
1998-2008 The OpenSSL Project. All rights reserved.
Quest Authentication Services | TOC | 5
Contents
Appendix A: Troubleshooting..................................................................53
Resolving Preflight Failures...........................................................................................................................................54
Unable to Install or Upgrade .......................................................................................................................................56
Unable to Log In................................................................................................................................................................57
Unable to Join the Domain...........................................................................................................................................57
Resolving DNS Problems................................................................................................................................................57
Time Synchronization Problems.................................................................................................................................58
System Optimization.......................................................................................................................................................58
Pointer Record (PTR) Updates are Rejected............................................................................................................58
Long Startup Delays on Windows..............................................................................................................................58
Getting Help from Quest Support..............................................................................................................................59
1
About This Guide
Topics: The Quest Authentication Services Installation Guide is intended for Windows,
Unix, Linux and Mac system administrators, network administrators,
Quest One Identity Solution consultants, analysts, and any other IT professionals who will be installing
Conventions and configuring QAS for the first time. This guide walks you through the
About Quest Software process of installing, upgrading, and uninstalling the QAS agent.
Contacting Quest Support
8 | Quest Authentication Services | About This Guide
Conventions
In order to help you get the most out of this guide, we have used specific formatting conventions. These conventions
apply to procedures, icons, keystrokes and cross-references.
Element Convention
Select This word refers to actions such as choosing or
highlighting various interface elements, such as files and
radio buttons.
Bold text Used to indicate elements that appear in the graphical
user interface that you are to select such as the OK
button.
Italic text Interface elements that appear in Quest products, such
as menus and commands.
courier text Used to indicate host names, file names, program names,
command names, and file paths.
Blue Text Indicates an interactive link to a related topic.
Used to highlight additional information pertinent to the
process or topic being described.
+ A plus sign between two keystrokes means that you must
press them at the same time.
| A pipe sign between elements means that you must
select the elements in that particular sequence.
Quest Authentication Services | About This Guide | 9
Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports
smart systems management productshelping our customers solve everyday IT challenges easier and faster. Contact
Quest for more information:
Contacting Quest Software
Public Forum
The Community site is a place to find answers and advice, join a discussion forum,
or get the latest documentation and release information: Inside Vintela.
2
Introducing Quest Authentication Services
Topics: Quest Authentication Services (formerly Vintela Authentication Services) is
patented technology that enables organizations to extend the security and
System Requirements compliance of Active Directory to Unix, Linux, and Mac platforms and
enterprise applications. It addresses the compliance need for cross-platform
access control, the operational need for centralized authentication and single
sign-on, and enables the unification of identities and directories for simplified
identity and access management.
12 | Quest Authentication Services | Introducing Quest Authentication Services
System Requirements
Prior to installing Quest Authentication Services, ensure your system meets the minimum hardware and software
requirements for your platform. QAS consists of Windows management tools and Unix integration agents.
Quest Authentication Services 4.0 supports: Windows 7, Vista, XP, Windows 2008 and Windows 2003.
For a list of supported QAS platforms, refer to the Quest Authentication Services Platform Support.
Licensing QAS
Quest Authentication Services must be licensed in order for Active Directory users to authenticate on Unix and Mac
hosts.
Note: While you can install and configure QAS on Windows and use the included management tools to
Unix-enable users and groups in Active Directory without installing a license, you must have the QAS
license installed for full QAS functionality.
Windows Permissions
To install QAS on Windows, you must have:
Local administrator rights
Rights to create a container and a child container in Active Directory (first-time only)
Authenticated Users must have rights to read cn, displayName, description, and whenCreated attributes for container
objects located under the root Active Directory configuration container. To change Active Directory configuration
settings, Administrators must have rights to Create Child Object (container) and Write Attribute for cn, displayName,
description, showInAdvancedViewOnly for the Active Directory configuration root container and all child objects.
System Requirements:
Supported Windows Platforms Can be installed on 32-bit or 64-bit editions of the
following configurations:
Windows XP SP2 (or later)
Quest Authentication Services | Introducing Quest Authentication Services | 13
System Requirements:
Windows Vista
Windows 7
Windows 2003 SP1 (or later)
Windows 2008
Windows 2008 R2
Note: When running QAS Control Center
on Windows 2008 R2, functioning as a
domain controller, the process must be
elevated. As a best practice, Quest does
not recommend that you install or run the
QAS Windows components on Active
Directory domain controllers. The
recommended configuration is to install
the QAS Windows components on an
administrative workstation.
Prerequisite Windows Software You can download all of the following prerequisite
software free from the Microsoft website:
Windows Installer 3.1
(http://support.microsoft.com/kb/893803)
Microsoft .NET Framework 3.5 SP1 or higher
Windows PowerShell 1.0 or higher
(http://support.microsoft.com/kb/968929
If any of the prerequisites are missing, the QAS
installer suspends the installation process to allow
you to download the required component; it then
continues the install.
Unix Permissions
To install QAS on Unix, Linux, or Mac, you must have:
root access rights
vastool command-line tool Depends on which vastool Any local user for most commands
command is run
vastool join computer creation or deletion root
permissions in the desired container
vastool unjoin
vastool unconfigure
vastool search read permission for the desired Any local user
objects (regular Active Directory user)
vastool attrs
vastool setattrs write permissions for the desired Any local user
object
vastool cache NA Run as root if you want all tables
including authcache
vastool create permissions to create new users, Any local user; root needed to create
groups, and computers as specified a new local computer
vastool delete permissions to delete existing users, Any local user
groups, or computers as specified;
permissions to remove the keytab
entry for the host object created (root
or write permissions in the directory
and the file)
vastool flush The client computer object is root
expected to have read access to use
and group attributes, which should
be the default
vastool group add permission to modify group Any local user
membership
vastool group del
vastool group hasmember read permission for the desired Any local user
objects (regular Active Directory user)
vastool info { site | NA Any local user
domain | domain -n |
forest-root | forest-root
-dn | server | acl }
vastool info { id | read permission for the desired Any local user
domains | domains -dn | objects (regular Active Directory user)
adsecurity | toconf }
vastool isvas NA Any local user
vastool inspect
16 | Quest Authentication Services | Introducing Quest Authentication Services
vastool unmerge
vastool schema cache Regular Active Directory user root (to modify the local cache file)
vastool service list Regular Active Directory user Any local user
vastool service { create Active Directory user with permission NA
| delete } to create/delete service principals in
desired container
vastool smartcard NA root
vastool status NA root
vastool timesync NA root, if you only query the time from
AD, you can run as any local user
vastool user { enable | needs modify permissions on the AD Any local user
disable } Object
vastool user { checkaccess NA Any local user
| checkconflict }
vastool user checklogin Access to Active Directory users Any local user
password
3
Installing and Configuring QAS
Topics: To extend the authentication, authorization, and administration infrastructure
of Active Directory to the rest of your enterprise, allowing Unix, Linux, and
Install the Web Console Mac systems to act as full citizens within Active Directory, follow these steps:
Install QAS Windows Components
1. Install the Quest Identity Manager for Unix web console.
Configure Active Directory for QAS
2. Install Quest Authentication Services Windows components.
Configure Unix Agent Components
3. Configure Active Directory for QAS.
4. Configure the web console for Active Directory.
5. Prepare the Unix hosts for Active Directory user access by means of the
Quest Identity Manager for Unix following these steps:
Add and profile a host, to prepare a host for Active Directory log in.
Check the host for readiness to join Active Directory.
Install QAS agent software on the host to allow Active Directory user
access.
Note: For users to authenticate on Unix, Linux, and Mac
hosts with Active Directory credentials, your Unix hosts
must have the QAS agent installed.
5. On the Complete page, leave the Launch Quest Identity Manager for Unix option unselected when you click
Finish to exit the install wizard and return to the Autorun Setup tab.
Once you have installed Quest Identity Manager for Unix, you are ready to install or upgrade the QAS Windows
Components.
1. From the Autorun Setup page, click Quest Authentication Services to launch the Setup wizard.
2. Click Next at the Welcome page and follow the wizard prompts.
Quest Authentication Services | Installing and Configuring QAS | 21
3. Leave the Launch Quest Authentication Services option selected on the InstallShield Wizard Complete page, and
click Finish to automatically start the QAS Control Center.
Note: If this is the first time running QAS Control Center, the QAS Active Directory
Configuration Wizard starts automatically to walk you through the process of
configuring Active Directory for QAS. This is a one-time task, if the configuration has
already been performed when you click Finish, the QAS Control Center launches.
1. At the QAS Active Directory Configuration Wizard Welcome page, click Next.
2. At the Connect to Active Directory page:
a) Provide Active Directory login credentials for the wizard to use for this task:
Select Use my current AD logon credentials if you are a user with permission to create a container in
Active Directory.
Select Use different AD logon credentials to specify the Active Directory credentials of another user and
enter the User name and Password.
Note: The wizard does not save these credentials; it only uses them for this setup task.
3. At the License QAS 4.0 page, browse to select your license file and click Next.
Note: You can add additional licenses later from the QAS Control Center Preferences Licensing page.
4. At the Configure Settings in Active Directory page, accept the default location in which to store the configuration
or browse to select the Active Directory location where you want to create the container and click Setup.
Note: You must have rights to create a container in the selected location. For more information on
the structure and rights required see Windows Permissions on page 12.
5. Once you have configured Active Directory for QAS, click Close.
The QAS Control Center opens. You can now begin using QAS Control Center to manage your Unix hosts.
Follow the steps outlined on the QAS Control Center Home page to get your Unix agents ready.
Quest Authentication Services | Installing and Configuring QAS | 23
Of course, you may perform your Unix agent management tasks from the Unix command line, if you prefer. You can
find those instructions in the Quest Authentication Services Administrator's Guide, located in the QAS Control Center
Tools page in the Documentation section, or in the docs directory of the Installation media.
From the QAS Control Center, click the Web Console link in the left-navigation pane.
The first time you launch the web console the setup wizard asks how you plan to use Quest Identity Manager for
Unix.
2. On the Setup Quest Identity Manager for Unix page, indicate that you have a license and click Next.
3. On the Configure console for Quest Authentication Services page,
a) Enter the name of the domain you will manage with the web console.
b) Enter the user name and password and click Verify Configuration.
c) When you see the message that indicates your AD configuration is verified, click Next.
4. On the Set up console access page, select at least one Active Directory account to access the web console and
click Next.
5. On the Identify Console page, enter information about this console and click Next.
The QAS Control Center uses this information to find and identify this console on the network.
6. On the Set console password page, enter a password for the web console supervisor account and click Next.
Note: The Supervisor is the only account that has rights to modify system settings in Quest Identity
Manager for Unix.
1. From the Quest Identity Manager for Unix Getting Started page, click the middle button entitled Get started with
the Add and Join Host wizard.
2. At the Welcome page, click Next.
3. In the Add and Profile Host page:
a) Enter the name of the Unix host you want to add.
b) Enter the login credentials and the SSH Port number for that Unix host.
c) Indicate if you want to Run task as another user (su) and enter the appropriate information in the User name
and Password boxes. (optional).
d) Click Add and profile host.
Note: If the Validate Host SSH Keys dialog displays, select the hosts and click OK to accept the new
fingerprint for each host and cache them on the server.
Note: If you are performing an upgrade and attempted to add and join a host that was previously
joined to your Active Directory domain, the Add and Join a Host process displays a Summary page
that indicates the wizard will skip the remaining steps.
24 | Quest Authentication Services | Installing and Configuring QAS
5. At the Select Software to Install page, select services and components you want to install on your host and click
Install.
6. At the Join the Host to Active Directory page:
a) Enter the name of the domain to which you want to join the host.
b) Enter the computer account name.
Leave this blank to generate a name based on the host DNS name.
c) Enter a name for the container where you want to create the computer account.
Leave this blank to create the computer account in the "computers" container.
d) Enter your Active Directory login credentials and click Join Host to AD.
7. At the Summary page, click View the host properties to close the wizard and open the host Properties page; or
click Close to close the wizard and go to the All Hosts tab of Quest Identity Manager for Unix.
8. Click the Getting Started tab to prepare for the next step.
1. From the Getting Started tab, click the Go to the Active Directory view to enable AD users button.
The Quest Identity Manager for Unix web console's Active Directory tab opens.
2.
Click next to the Search by name box to search for Active Directory objects and locate an Active Directory
user.
Note: For step-by-step instructions on using the search controls at the top of this page refer to the
Quest Identity Manager for Unix Administrator's Guide. You can access it from the web console Help |
PDF link.
Once enabled for Unix, you can log on to the host with that Active Directory user's log on name and password.
6. Enter the Host name and User name in the Login to remote host boxes in the left navigation panel of the QAS
Control Center and click Login.
7. At the command line enter the password
Quest Authentication Services | Installing and Configuring QAS | 25
Note: Refer to Getting Started with QAS on page 37 to learn how to do some basic
system administration tasks using the QAS Control Center and Quest Identity Manager
for Unix.
Chapter
4
Installing and Joining from the Unix Command Line
Topics: While you can use Quest Identity Manager for Unix to install and configure
QAS as explained in Installing and Configuring QAS on page 19, you can also
The QAS Pre-Installation Diagnostic manually install the QAS agent on each Unix, Linux, or Mac OS X host from
Tool the command line.
QAS Windows Components
The sections in this chapter walk you through the process of installing the
The QAS Install Script QAS Unix agent directly from the command line. For information about
Licensing QAS installing, upgrading, and uninstalling the QAS agent on supported platforms
Joining the Domain in an enterprise environment using platform package management tools,
refer to Enterprise Package Deployment on page 61.
Before installing and configuring the QAS Unix agent, Quest recommends
that you run the preflight tool to check a host's suitability to run QAS.
After you determine that the Unix host is ready, run the QAS installation script,
install.sh, to install the Unix/Linux agent.
28 | Quest Authentication Services | Installing and Joining from the Unix Command Line
Note: The preflight utility does not make any changes to your system.
Running Preflight
To run preflight
Quest Authentication Services | Installing and Joining from the Unix Command Line | 29
Note: If you get a message that says, "Unable to locate QAS Application
Configuration", you can ignore that error for now and proceed with the QAS
installation. The QAS Active Directory Configuration Wizard starts automatically to
help you configure Active Directory for QAS the first time you start the QAS Control
Center.
Note: (See Resolving Preflight Failures on page 54 for additional help in resolving
issues.
Note: For information about other preflight options, either run preflight
--help or refer to the preflight man page located in the docs directory of the
installation media.
4. Leave the Launch Quest Authentication Services option selected on the InstallShield Wizard Complete page, and
click Finish to automatically start the QAS Control Center.
The first time you start the QAS Control Center the QAS Active Directory Configuration Wizard starts automatically
to prepare Active Directory to store the configuration settings for Quest Authentication Services.
5. At the QAS Active Directory Configuration Wizard Welcome page, click Next.
30 | Quest Authentication Services | Installing and Joining from the Unix Command Line
8. At the Configure Settings in Active Directory page, accept the default location in which to store the configuration
or browse to select the Active Directory location where you want to create the container and click Setup.
Note: You must have rights to create a container in the selected location. For more information on
the structure and rights required see Windows Permissions on page 12.
9. Once you have configured Active Directory for QAS, click Close.
The QAS Control Center opens. You can now begin using QAS Control Center to manage your Unix hosts or you
can use the QAS Install Script from the Unix client command line.
Note: After installing QAS some services such as cron, sshd and gdm may need to be restarted in
order to reload NSS configuration. If you are unsure of which services to restart, reboot the system.
OPTION FUNCTION
-i Interactive mode; provides a menu showing choices based on existing QAS software
installation and includes a help mode.
-h Help; displays usage information including a brief summary of options.
-q Unattending mode; executes script in unattended (automatic) mode; requires other options.
-a Accept License; signals acceptance of Quest Software, Inc. EULA.
-l License; path to Quest license file to copy (unattended mode).
In unattended mode, the following arguments are useful for scripting the components you want to install or uninstall.
ARGUMENT FUNCTION
vasclnt Installs or upgrades QAS agent
vasgp Installs or upgrades QAS Group Policy agent
vasyp Installs or upgrades QAS YP server
vasproxy Installs or upgrades QAS Proxy daemon
vasutil Installs or upgrades QAS utilities (OAT)
vasdev Installs or upgrades QAS SDK
vassc Installs or upgrades QAS Smartcard agent
novasclnt Uninstalls the QAS agent
novasgp Uninstalls the QAS Group Policy agent
novasyp Uninstalls the QAS YP server
novasproxy Uninstalls the QAS Proxy daemon
novasutil Uninstalls the QAS utilities (OAT)
novasdev Uninstalls the QAS SDK
novassc Uninstalls the QAS Smartcard agent
32 | Quest Authentication Services | Installing and Joining from the Unix Command Line
Licensing QAS
You must have the QAS license installed for full Quest Authentication Services functionality on Unix.
There are four ways to manage licenses
1. Using the QAS Control Center
Quest recommends this as a best practice. See To Add Licenses on page 40
2. Using the Quest Authentication Services Group Policy utilities
See Licensing Policy
3. Running the install.sh script with the -l option.
This allows you to enter a path. The script then places the license in the proper location. See Installation Script
Options on page 31 for more information about running the install.sh script
4. Manually copying files
See Installing Licenses Manually on page 33
To obtain a license, complete the form located at: Request License Key or contact your account representative for a
new license file.
To Add Licenses
1. Click the Preferences navigation button on the left panel of the QAS Control Center.
2. Expand the Licensing section.
The list box displays all licenses currently installed in Active Directory.
3. Click Add a license... from the Actions menu.
4. Browse for the license file and click Open.
The license appears in the list box.
Note: Unix hosts check for new licenses when the host is joined to the domain or every 24 hours by
default. This can be changed by modifying the configuration-refresh-interval setting
in vas.conf.
HPUX:
/sbin/init.d/vasd restart
AIX:
/etc/rc.d/init.d/vasd restart
Mac OSX:
launchctl unload /Library/LaunchDaemons/com.quest.vasd.plist
launchctl load /Library/LaunchDaemons/com.quest.vasd.plist
Note: vastool join supports many options that allow you to customize the
way the computer is joined to the domain. You can specify the name of the computer
object. You can join to a specific organizational unit or use a pre-created computer
object.
For a list of all vastool join options, refer to the vastool man page.
OPTION FUNCTION
-h Help; displays options including how to pass vastool join options
-q Quiet mode; displays less verbose: no explanations, asks questions
-i Interactive mode: prompts for common options
5
Getting Started with QAS
Topics: Once you have successfully installed QAS you will want to learn how to do
some basic system administration tasks using the QAS Control Center and
Getting Acquainted with the QAS Quest Identity Manager for Unix.
Control Center
Learning the Basics
38 | Quest Authentication Services | Getting Started with QAS
Web Console You can run the new web console (Quest Identity Manager for Unix) within the QAS Control
Center or you can run it separately in a supported web browser. The console is a separate
install that you can launch from the ISO. You can install it on Windows, Unix, Linux, or Mac
and typically you would install it one time per environment.
Group Policy Provides the ability to search on Active Directory Group Policy Objects that have Unix and
Mac settings defined. Also provides links to edit these GPOs and run reports that show the
detailed settings of the Group Policy Objects
Tools Contains links to tools and resources additionally available with Quest Authentication
Services a great starting place for anyone new to the product.
Preferences
Centrally manage the preferences and settings of Quest Authentication Services. This
capability affects the behavior of all the ADUC snap-ins installed in an environment. The
settings also impact the default behavior of the included PowerShell cmdlets and even the
Unix command-line tools (/opt/quest/bin/vastool).
Note: The Preferences section now is a place to centrally manage the default
values that are generated by the various Authentication Services management
tools, including the ADUC snap-in, the PowerShell cmdlets, and the Unix
command-Line tools (for example /opt/quest/bin/vastool).
Log into remote host A simple SSH client (built on PuTTY) for remote access to Unix systems simplifies new
installs from having to find and install a separate PuTTY client.
To run QAS Control Center you must be logged in as a domain user. To make changes to global settings you must
have rights in Active Directory to create, delete, and modify objects in the QAS configuration area of Active Directory.
Web Console
Quest Identity Manager for Unix allows you to centrally manage Quest Authentication Services agents running on
Unix, Linux and Mac OS X systems. With the web console you can:
Quest Authentication Services | Getting Started with QAS | 39
Group Policy
Microsoft Group Policy provides excellent policy-based configuration management tools for Windows. QAS Group
Policy enables you to manage Unix resources in much the same way. QAS Group Policy allows you to consolidate
configuration management tasks by using the Group Policy functionality of Microsoft Windows Server to manage
Unix operating systems and Unix application settings.
To open QAS Group Policy, click the Group Policy navigation button on the left panel of the QAS Control Center.
Filter Options
To filter the list of GPOs
1. Double-click Filter Options or click the expansion arrow in the right corner of the window.
2. Enter all or part of a name to filter the list of GPOs.
3. Open the Domain drop down menu to choose a domain.
4. Select the Unix Settings or Mac Settings List Only options to further filter the GPO list.
If you select both options, only the GPOs configured for both Unix and Mac display.
Edit GPO
To edit a group policy object
From the Group Policy window, select a GPO in the list and click Edit GPO... from the Actions menu.
The Group Policy Object Editor opens for the selected GPO.
Note: For more information about the Group Policies, refer to the QAS Administrator's Guide, located
in QAS Control Center Tools page in the Documentation section, or in the docs directory of the
installation media.
Settings Report
A settings report displays all of the Quest Authentication Services group policy object settings that apply to Unix or
Mac systems.
To generate a Unix settings report
From the Group Policy window, select a GPO Name and click Settings Report... from the Actions menu.
An HTML report of the currently configured Unix and Mac settings displays.
Note: You can select multiple GPOs to run several reports simultaneously.
Show Files
To open the Windows Explorer
From the Group Policy window, select a GPO in the list and click Show Files... from the Actions menu.
40 | Quest Authentication Services | Getting Started with QAS
The Windows Explorer opens and displays the Group Policy Templates for the selected GPO.
Launch GPMC
To launch the Group Policy Management Console
From the Group Policy window, click Launch GPMC... from the Actions menu.
Tools
The Tools link on the QAS Control Center gives you access to
Quest Authentication Services
Direct links to installed applications and tools related to Quest Authentication Services.
Additional Quest Products
Direct links to other Quest product plug ins.
Note: The Additional Quest Products link is only available if you have installed other Quest products
such as Quest Defender, Authentication Services for Smart Cards. or ActiveRoles Server.
Other Tools
Direct links to tools related to Quest Authentication Services.
Note: The Other Tools link is only available if you have installed the Group Policy Management
Console.
Documentation
Direct links to Quest Authentication Services documentation.
Preferences
Quest Authentication Services stores certain preferences and settings in Active Directory. This information is used
by QAS clients and management tools so that behavior remains consistent across all platforms and tools. The
Preferences window allows you to configure these settings and preferences.
Licensing
The Licensing section of the Preferences window in the QAS Control Center displays a list of installed license files. You
can add and remove license files at any time. The license files are stored in Active Directory and QAS Unix hosts
automatically download and apply new license files from Active Directory.
Licensing QAS
Quest Authentication Services must be licensed in order for Active Directory users to authenticate on Unix and Mac
hosts.
Note: While you can install and configure QAS on Windows and use the included management tools to
Unix-enable users and groups in Active Directory without installing a license, you must have the QAS
license installed for full QAS functionality.
1. Click the Preferences navigation button on the left panel of the QAS Control Center.
2. Expand the Licensing section.
Quest Authentication Services | Getting Started with QAS | 41
The list box displays all licenses currently installed in Active Directory.
3. Click Add a license... from the Actions menu.
4. Browse for the license file and click Open.
The license appears in the list box.
Note: Unix hosts check for new licenses when the host is joined to the domain or every 24 hours by
default. This can be changed by modifying the configuration-refresh-interval setting
in vas.conf.
Option Description
Require unique user login Select to require a unique user login name attribute within the forest.
names
Require unique UID on users Select to require a unique user's Unix ID (UID) number within the forest.
Minimum UID Number Enter a minimum value for the Unix User ID (UID) number. Typically you set this to a
value higher than the highest UID among local Unix users to avoid conflicts with
users in Active Directory and local user accounts.
Maximum UID Number Enter a maximum value for the Unix User ID (UID) number. Typically you would not
change this value unless you have a legacy Unix platform that does not support the
full 32-bit integer range for UID number.
Primary GID Number Enter the default value for the Primary GID number when Unix-enabling a user.
Set primary GID to UID Select to set the primary GID number to the User ID number.
Default Comments (GECOS) Enter any text in this box.
Login Shell Enter the default value for the login shell used when Unix-enabling a user.
Home Directory Enter the default prefix used when generating the home directory attribute when
Unix-enabling a user. The default value is /home/; use a different value if your Unix
user home directories are stored in another location on the file system. QAS uses the
user's effective Unix name when generating the full home directory path.
Use lowercase user name for Select to use a lower-case representation of the user's effective Unix name when
home directory generating the full home directory path as a user is Unix-enabled.
Option Description
Require unique Group Select to require a unique Unix group name attribute within the forest.
Names
42 | Quest Authentication Services | Getting Started with QAS
Option Description
Require unique GID Number Select to require a unique Unix Group ID (GID) attribute within the forest.
Minimum GID Number Enter the minimum value for the Unix Group ID (GID). Typically this is set to a value
higher than the highest GID among local Unix groups to avoid conflicts with groups
in Active Directory and local group accounts.
Maximum GID Number Enter the maximum value for the Unix Group ID (GID). Typically you would not change
this value unless you have a legacy Unix platform that does not support the full 32-bit
integer range for GID.
Modifications you make to these Global Unix Options take effect after you restart the Microsoft Management Console
(MMC).
Note: It is a best practice to either use the generated default IDs or set the ID manually. Mixing the two
methods can lead to ID conflicts.
Logging Options
The Logging Options section allows you to enable logging for all Quest Authentication Services Windows components.
This setting only applies to the local computer. Logging can be helpful when trying to troubleshoot a particular
problem. Because logging causes components to run slower and use more disk space, you should set the Log Level
to disabled when you are finished troubleshooting.
Enable Debug Logging on Windows
To enable debug logging for all Quest Authentication Services Windows components
1. Open QAS Control Center and click the Preferences navigation button on the left panel.
2. Expand the Logging Options section.
Quest Authentication Services | Getting Started with QAS | 43
3. Open the Log level drop-down menu and set the log level to Debug.
Debug generates the most log output. Higher levels generate less output. You can set the Log level to Disabled
to disable logging.
4.
Click to specify a folder location where you want to write the log files.
Quest Authentication Services Windows components log information into the specified log folder the next time
they are loaded. Each component logs to a text file named after the DLL or EXE that generates the log message.
Note: It is a best practice to use a schema designed for storing Unix data in Active Directory whenever
possible. Schemas designed for storing Unix data in Active Directory include: Windows 2003 R2, SFU 2,
and SFU 3. Only use "schemaless" or custom mappings if it is impossible to make schema extensions in
your environment.
With QAS 4.0 it is possible to customize the schema setup to work with any schema configuration. No schema
extensions are necessary with the new "schemaless" storage feature. When you configure QAS for the first time, QAS
attempts to auto-detect the best schema configuration for your environment. The schema configuration is a global
44 | Quest Authentication Services | Getting Started with QAS
application setting that applies to all QAS management tools and Unix agents. You can change the detected settings
at any time using QAS Control Center.
Configure a Custom Schema Mapping
If you do not have a schema that supports Unix data storage in Active Directory, you can configure QAS to use
existing, unused attributes of users and groups to store Unix information in Active Directory.
To configure a custom schema mapping
1. Open the QAS Control Center and click the Preferences navigation button on the left panel.
2. Expand the Custom Unix Attributes.
3. Click Customize....
4. Type the LDAP display names of the attributes that you want to use for Unix data. All attributes must be string-type
attributes except User ID Number, User Primary Group ID and Group ID Number which may be integers. If an
attribute does not exist or is of the wrong type, the border will turn red indicating that the LDAP attribute is
invalid.
Note: To customize the schema mapping, ensure that the attributes used for User ID Number and
Group ID Number are indexed and replicated to the global catalog.
This operation requires administrative rights in Active Directory. If you do not have the necessary rights to optimize
your schema, it generates a schema optimization script. You can send the script to an Active Directory administrator
who has rights to make the necessary changes.
All schema optimizations are reversible and no schema extensions are applied in the process.
Quest Authentication Services | Getting Started with QAS | 45
Run Reports
QAS allows you to run various reports to capture key information about your Unix hosts and the Active Directory domains
joined to these hosts.
To run reports
1. From the Quest Identity Manager for Unix web console, click the Reporting tab.
2. Click the Reports tab.
3. Expand the report group names to view the available reports, if necessary.
Host Reports
Unix host information gathered during the profiling process.
User Reports
Local and AD Unix user information
Group Reports
Local and AD Unix group information
Logon Policy Reports
Log on Policy information
4. Assuming that you successfully added a host and joined it to the domain during the installation process, open
the Host Reports group and click the icon to run the Unix Host Migration Planning report.
5. Review the report parameters.
Note that all of the report parameters are selected by default. This information will be included in the report. To
exclude information from the report, unselect the parameter.
6. Click Generate report as to open a context menu from which you can select a format for the report: HTML, PDF
(default), XML, XLS or RTF.
7. Select a format to launch a new browser or application page displaying the report in the selected format.
8. When you have reviewed the report, you may close it or save it for later reference.
d)
Click to display the list of Active Directory users.
e) Select the Active Directory user account to use for logging into the selected host and click OK.
f) From the 'localuser' properties dialog, click OK twice.
g) In the Log on to Host dialog, verify your credentials and click OK.
Now you can log into your local host using your Active Directory login credentials.
4. Open QAS Control Center, and locate Login to remote host in the left navigation panel.
a) In the Host name box, enter the name of the Unix host that you prepared for Active Directory log in.
b) In the User name box, enter the name of the local user (such as, localuser) to which you have associated
the Active Directory user and click Login.
A PuTTY window displays.
5. Enter the Active Directory user password.
6. After a successful login with the local user, verify that the user obtained a Kerberos ticket.
a) At the Unix host command line, enter
# /opt/quest/bin/vastool klist
The vastool klist command lists the Kerberos tickets stored in a user's credentials cache. This proves
the local user is using the Active Directory user credentials.
1. Click the Preferences navigation button on the left panel of the QAS Control Center.
2. Expand Global Unix Options.
The window displays the current settings for Unix-enabling users, groups and the method used for creating
unique IDs.
3. Click Modify Global Unix Options on the right side of the window.
The Modify Global Options dialog opens.
4. Change the Login Shell to /bin/bash and click OK.
The defaults are saved to Active Directory.
Note: Now, when you Unix-enable a user from Active Directory Users and Computers, PowerShell, or
the Unix command line, the login shell defaults to /bin/bash. You can customize the other Unix
defaults similarly.
1. Click the Tools navigation button on the left panel of the QAS Control Center.
2. Expand the Quest Authentication Services section.
3. Click QAS Extensions for Active Directory Users and Computers.
The Active Directory Users and Computers Console opens.
Note: Windows Vista/Windows 7: You must have the Remote Server Administration Tools installed
and enabled.
48 | Quest Authentication Services | Getting Started with QAS
Note: Windows 2003/Windows XP: You must have the Windows 2003 Server Administration Tools
installed.
12. Do not Unix-enable this user for now; close the Active Directory Users and Computers console and return to the
QAS Control Center.
1. From the QAS Control Center, navigate to Tools | Quest Authentication Services, if necessary.
2. Click QASPowerShell Console.
Note: The first time you launch the PowerShell Console it asks you if you want to run software from
this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your
system as a trusted entity. Once you have done this you will never be asked this question again.
Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured
earlier and look similar to the following:
ObjectClass : group
DistinguishedName : CN=UNIXusers,CN=Users,DC=example.,DC=com
GroupName : UNIXusers
UnixEnabled : True
GidNumber : 1234567
AdsPath : LDAP://windows.example.com/CN=UNIXusers,CN=Users,
DC=example,DC=com
CommonName : UNIXusers
4. At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:
Enable-QasUnixUser testQAS | Set-QasUnixUser -PrimaryGidNumber 1234567
The Unix properties of the user display:
ObjectClass : user
DistinguishedName : CN=testQAS, CN=Users,DC=example.,DC=com
UserName : testQAS
UnixEnabled : True
UidNumber : 2062157421
PrimaryGidNumber : 1234567
Gecos :
HomeDirectory : /home/testQAS
LoginShell : /bin/bash
AdsPath : LDAP://windows.example.com/CN=testQAS,CN=Users,
DC=example,DC=com
CommonName : testQAS
Note: To disable the testQAS user for Unix login, enter
Disable-QasUnixUser testQAS
at the PowerShell prompt.
Now that the user is Unix-enabled, that user can log into systems running the QAS agent.
5. In the left panel of the Control Center, locate Login to remote host.
a) In the Host name box, enter the name of the Unix host that you prepared for Active Directory log in.
b) In the User name box, enter the name of the local user, testQAS, and click Login.
A PuTTY window displays.
Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos
is not enabled or properly configured for the remote SSH service.
PowerShell Cmdlets
Quest Authentication Services 4.0 supports the flexible scripting capabilities of PowerShell to automate administrative,
installation, and configuration tasks. A wide range of new PowerShell cmdlets are included in Quest Authentication
Services 4.0:
5. From the Trial Download: ChangeAuditor for Active Directory page, click the Installation Guide link.
6. Read the ChangeAuditor Installation Guide to obtain detailed steps for installing Quest Defender.
A
Troubleshooting
Topics: To help you troubleshoot, Quest recommends the following resolutions to
some of the common problems you might encounter as you deploy and use
Resolving Preflight Failures Quest Authentication Services.
Unable to Install or Upgrade
Unable to Log In
Unable to Join the Domain
Resolving DNS Problems
Time Synchronization Problems
System Optimization
Pointer Record (PTR) Updates are
Rejected
Long Startup Delays on Windows
Getting Help from Quest Support
54 | Quest Authentication Services | Troubleshooting
--site Detects Active Directory site, if available. This check warns you if QAS was unable to
locate an Active Directory site based on your
computer's network address. A site
configuration is not necessary but QAS
performs better if site information is
configured in Active Directory. To resolve this
problem, configure a site in Active Directory.
--kerberos-password Checks if TCP port 464 is open for Kerberos Ensure that TCP port 464 (kpasswd) is open.
kpasswd. This port must be open in order for QAS to set
the computer object's password.
--kerberos-traffic Checks if UDP port 88 and TCP port 88 are These ports are the main Kerberos
open for Kerberos traffic. communication channels; they must be open
for QAS to authenticate to Active Directory. By
default QAS uses UDP, with TCP fail over for
larger packets. If UDP is blocked or dropping
fragmented packets, enable the
use-tcp-only setting in the [libvas]
section of vas.conf, to force QAS to use TCP
exclusively for Kerberos.
--ldap Checks if TCP port 389 is open for LDAP. This port must be open for QAS to
communicate with domain controllers using
LDAP. This communication is GSS SASL
encrypted and signed.
--global-catalog Checks whether the Global Catalog is QAS can function in a limited way without a
accessible on TCP port 3268. global catalog server, however, QAS will be
unable to resolve Active Directory users and
groups from domains in the forest other than
the one to which the host is joined. In addition,
some searches may be slower. Make sure that
TCP port 3268 (global catalog) is open and that
you have configured at least one domain
controller as a global catalog and that the
global catalog server is up and reachable.
56 | Quest Authentication Services | Troubleshooting
Note: If you get a message that says, "Unable to locate QAS Application Configuration", you can ignore
that error and proceed with the QAS installation. The QAS Active Directory Configuration Wizard starts
automatically to help you configure Active Directory for QAS the first time you start the QAS Control
Center.
Unable to Log In
If you are unable to log in as an Active Directory user after installing, check the following:
1. Log in as root on the Unix host.
2. Check the status of the QAS subsystems. To do this, run the following command:
vastool status
Correct any errors reported by the status command, then try logging in again.
3. Ensure the user exists locally and is allowed to log in. To check this, run the following command:
vastool user checklogin <username>
The output displays whether the user is a known Active Directory user. If not, you may need to map the user to
an Active Directory account or Unix-enable the Active Directory account. If the user is known, an access control
rule may prevent them from logging in. The output of the command displays which access control rules are in
effect for the user.
You may need to restart window managers such as gdm in order for the window manager to reload NSS modules.
Until the window manager reloads the NSS configuration, you will be unable to log in with an Active Directory user.
Other services such as cron may also be affected by NSS changes. If you are unsure which services need to be
reloaded, reboot the system.
2. Use dig to test whether you can locate a domain controller in your site. Enter the following at the Unix command
prompt, replacing <Site Name> with the name of your Active Directory site and <DNS Domain Name> with your
Active Directory DNS domain name.
dig -t _ldap._tcp.<Site Name>._sites.dc._msdcs.<DNS Domain Name>
If DNS is configured correctly, you will see a list of domain controllers for your site. If not, work with your DNS
administrator to resolve the issue.
It is possible to work around DNS problems using the vastool join command to specify the domain controller
host name on the command line. QAS can work without DNS configured as long as the forward lookup in the
/etc/hosts file exists. The forward lookup resolves the domain controller host name to an IP address.
You can test this on Linux by firewalling DNS (port 53) with iptables. Make sure that you have an entry for your
domain controller in /etc/hosts then as root, enter the following commands replacing <administrator> with the
name of an Active Directory administrator <DNS Domain Name> with your Active Directory DNS domain name and
<DC Host Name> with the host name of your domain controller:
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p udp --dport 53 -j DROP
/opt/quest/bin/vastool -u <administrator> join <DNS Domain Name> <DC Host Name>
System Optimization
QAS kerberos works best with a random number generator package installed on the OS. If one is not installed, it will
use a potential slow fallback entropy generating system.
This timeout occurs every time a signed assembly is loaded which can lead to very long load times. You can fix this
problem by allowing access to crl.microsoft.com. See Microsoft KB article Microsoft KB article 936707 for
background information.
If the computer is not connected to the internet, you can disable CRL checks for the entire system in Internet Explorer.
Go to Options, select the Advanced tab, under Settings unselect the Check for publisher's certification revocation
option.
It is also possible to specify a generatePublisherEvidence element in an <app>.exe.config that will
disable CRL checks for the specific application that you are running. Keep in mind that if you are using QAS components
in PowerShell or MMC, you would need to add this configuration for the powershell.exe.config and/or
mmc.exe.config. Refer to <generatePublisherEvidence> Element for details.
3. Copy the text from any error messages that you see.
4. Save the results of running a "double su". To do this, log in as root and run su <username> note any error
messages. Then run su <username> again and note any error messages.
Once you have collected the information listed above, contact Quest Support at support.quest.com.
Appendix
B
Enterprise Package Deployment
Topics: This section details how to install, upgrade, and uninstall the QAS agent on
supported platforms in an enterprise environment using platform package
Install the QAS Agent Package management tools.
Upgrade the QAS Agent Package
Uninstall the QAS Agent Packages
Solaris 10 Zones/Containers Support
62 | Quest Authentication Services | Enterprise Package Deployment
PLATFORM INSTALL
Linux x86 - RPM # rpm -ihv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpm
Linux x64 - RPM # rpm -ihv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpm
Linux x86 - DEB # dpkg -i /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.deb
Linux x64 - DEB # dpkg -i /<mount>/client/linux-x86_64/vasclnt-<version>-<build>_amd64.deb
Linux s390 # rpm -ihv /<mount>/client/linux-s390/vasclnt-<version>-<build>.s390.rpm
Linux s390x # rpm -ihv /<mount>/client/linux-s390x/vasclnt-<version>-<build>.s390x.rpm
VMware ESX 3.x # rpm -ihv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpm
VMware ESX 4.x # rpm -ihv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpm
SLES 8 PPC # rpm -ihv
/<mount>/client/linux-glibc22-ppc64/vasclnt-glibc22-<version>-<build>.ppc64.rpm
SLES 9 PPC # rpm -ihv
/<mount>/client/linux-glibc23-ppc64/vasclnt-glibc23-<version>-<build>.ppc64.rpm
Solaris 8-10 x86 # pkgadd -d /<mount>/client/solaris8-x86/vasclnt_SunOS_5.8_i386-<version>-<build>.pkg
vasclnt
Solaris 10 x64 # pkgadd -d
/<mount>/client/solaris10-x64/vasclnt_SunOS_5.10_i386-<version>-<build>.pkg vasclnt
Solaris 8-10 SPARC # pkgadd -d
/<mount>/client/solaris8-sparc/vasclnt_SunOS_5.8_sparc-<version>-<build>.pkg vasclnt
HP-UX 11iv1.6 # swinstall -s \ /<mount>/client/hpux-ia64/vasclnt_ia64-<version>-<build>.depot vasclnt
HP-UX 11.0 # swinstall -s \ /<mount>/client/hpux-pa/vasclnt_9000-<version>-<build>.depot vaslcnt
HP-UX 11iv1 # swinstall -s \
/<mount>/client/hpux-pa-11v1/vasclnt_hpux-11.11-<version>-<build>.depot vasclnt
AIX 4.3.3 # installp -acXd /<mount>/client/aix-43/vasclnt.AIX_4.3.<version>-<build>.bff all
AIX 5.1 5.2 # installp -acXd /<mount>/client/aix-51/vasclnt.AIX_5.1.<version>-<build>.bff all
AIX 5.3 6.1 # installp -acXd /<mount>/client/aix-53/vasclnt.AIX_5.3.<version>-<build>.bff all
Mac OS X /usr/sbin/installer -pkg '/<mount>/VAS.mpkg/Contents/Packages/vasclnt.pkg' -target /
Note: To enable QAS authentication for all services you must restart all services that
require QAS authentication or restart the system.
Note: VMware:
You must enter the following additional command, to configure the VMware
authentication services:
vastool configure pam vmware-authd
Note: Solaris:
For information on Solaris 10 Zones support and installation guides, see Solaris 10
Zones/Containers Support on page 66 Solaris 10 Zones Support.
In certain situations pkgadd requests additional information. Respond appropriately
for your system configuration. Initialization scripts that are part of the vasclnt
package run during installation to help configure the system.
Note: HP-UX:
QAS requires that the Unix host system clock be synchronized with the Active
Directory servers system clock. By default, HP-UX uses xntpd for time services. To
properly synchronize the system clocks either configure xntpd to sync with a Domain
Controller, or disable xntpd to allow QAS to synchronize the system time. Consult
the xntpd documentation for information on disabling xntpd and configuring
xntpd.
You must reboot the HP-UX machine to ensure that all of the new files are installed.
HP-UX does not allow you to overwrite files that are in usethis is done as part of
the boot sequence.
Note: Mac OS X:
To install from the command line, you must first mount the QAS DMG image file.
On Mac 10.4 enter:
hdiutil attach <media>/client/macos-104/VAS-<version>.dmg
On Mac 10.6 enter:
hdiutil attach <media>/client/macos-106/VAS-<version>.dmg
PLATFORM INSTALL
Linux x86 - RPM # rpm -Uhv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpm
Linux x64 - RPM # rpm -Uhv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpm
Linux x86 - DEB # dpkg -i /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.deb
Linux x64 - DEB # dpkg -i /<mount>/client/linux-x86_64/vasclnt-<version>-<build>_amd64.deb
Linux s390 # rpm -Uhv /<mount>/client/linux-s390/vasclnt-<version>-<build>.s390.rpm
Linux s390x # rpm -Uhv /<mount>/client/linux-s390x/vasclnt-<version>-<build>.s390x.rpm
VMware ESX 3.x # rpm -Uhv /<mount>/client/linux-x86/vasclnt-<version>-<build>.i386.rpm
VMware ESX 4.x # rpm -Uhv /<mount>/client/linux-x86_64/vasclnt-<version>-<build>.x86_64.rpm
SLES 8 PPC # rpm -Uhv
/<mount>/client/linux-glibc22-ppc64/vasclnt-glibc22-<version>-<build>.ppc64.rpm
SLES 9 PPC # rpm -Uhv
/<mount>/client/linux-glibc23-ppc64/vasclnt-glibc23-<version>-<build>.ppc64.rpm
Solaris 8-10 x86 # pkgadd -d /<mount>/client/solaris8-x86/vasclnt_SunOS_5.8_i386-<version>-<build>.pkg
vasclnt
Solaris 10 x64 # pkgadd -d
/<mount>/client/solaris10-x64/vasclnt_SunOS_5.10_i386-<version>-<build>.pkg vasclnt
Solaris 8-10 SPARC # pkgadd -d
/<mount>/client/solaris8-sparc/vasclnt_SunOS_5.8_sparc-<version>-<build>.pkg vasclnt
HP-UX 11iv1.6 # swinstall -s \ /<mount>/client/hpux-ia64/vasclnt_ia64-<version>-<build>.depot vasclnt
HP-UX 11.0 # swinstall -s \ /<mount>/client/hpux-pa/vasclnt_9000-<version>-<build>.depot vaslcnt
HP-UX 11iv1 # swinstall -s \
/<mount>/client/hpux-pa-11v1/vasclnt_hpux-11.11-<version>-<build>.depot vasclnt
AIX 4.3.3 # installp -acXd /<mount>/client/aix-43/vasclnt.AIX_4.3.<version>-<build>.bff all
AIX 5.1 5.2 # installp -acXd /<mount>/client/aix-51/vasclnt.AIX_5.1.<version>-<build>.bff all
AIX 5.3 6.1 # installp -acXd /<mount>/client/aix-53/vasclnt.AIX_5.3.<version>-<build>.bff all
Mac OS X /usr/sbin/installer -pkg '/<mount>/VAS.mpkg/Contents/Packages/vasclnt.pkg' -target /
Note: During the upgrade, vasd reloads and updates its user and group cache. To
restart the QAS caching service, see Restart QAS Services on page 65.
Note: If you are using the licensed version of the QASagent earlier than 3.0, see
Licensing QAS on page 32 for licensing instructions.
Quest Authentication Services | Enterprise Package Deployment | 65
Note: VMware:
VMware provides a Host Update Utility to upgrade an ESX 3.5 agent to 4.0, but if
QAS is left installed and configured during the procedure, the machine will be
inaccessible after the upgrade. This is because the previous 3.5 installation is pushed
aside and mounted under the /esx3-installation directory, but all the key
configuration files, like /etc/nsswitch.conf and the pam.d directory, are
preserved.
If QAS is still configured in those files it leaves the machine in a bad state. Because
of this, Quest recommends that you uninstall QAS before attempting to upgrade to
ESX 4.0. In the vSphere Upgrade Guide, VMware warns that "no third-party
management agents or third-party software applications are migrated," but it does
not explicitly say they should be uninstalled prior to upgrade.
Should you accidentally leave QAS installed or configured during the upgrade, use
the following steps to fix the machine:
1. Boot into single user mode
2. Copy /etc/pam.d/vmware-authd.esx4 over
/etc/pam.d/vmware-authd (backup vmware-authd first if desired)
3. Copy /etc/pam.d/system-auth-generic.esx4 over
/etc/pam.d/system-auth-generic
4. Remove "vas4" from the passwd, group, and any other configured lines in
nsswitch.conf
5. Reboot the machine--the machine should now be accessible
6. Install the linux-x86_64 QAS packages
Note: Solaris:
The -a vasclient-defaults option specifies an alternative default file for
pkgadd administrative options that allows pkgadd to overwrite an existing package
with a new package.
pkgadd does not support the concept of upgrading a package, so this allows you
to upgrade without having to rejoin your machine to the Active Directory domain,
or uninstalling the old version first.
Note: HP-UX:
Reboot the HP-UX machine to ensure that all of the new files are installed. HP-UX
does not allow you to overwrite files that are in usethis is done as part of the boot
sequence.
PACKAGE COMMAND
RPM # rpm -e vasclnt
DEB # dpkg -r vaslcnt
Solaris # pkgrm vasclnt
HP-UX # swremove vasclnt
AIX # installp -u vasclnt
Mac OS X /<mount>/Uninstall.app/Contents/MacOS/Uninstall' --console --force vasclnt
Note: Linux:
The rpm e vasclnt and the dpkg -r vaslcnt commands run scripts that
halt the daemon, unconfigure QAS, flush and delete the QAS cache before finally
removing the files.
Note: HP-UX:
The swremove vasclnt command does not clean up the empty directories that
the vasclnt package used. In order to clean these up, manually remove the
/opt/quest directory after you uninstall.
The sparse root zone model optimizes the sharing of objects while the whole root zone model provides the maximum
configurability. Additional information on Solaris 10 and Zones can be found at www.sun.com.
The following symlinks must exist in the global zone in order for the sparse zones to work correctly:
/usr/lib/security/pam_vas3.so | /opt/quest/lib/security/pam_vas3.so
/usr/lib/security/sparcv9/pam_vas3.so |
/opt/quest/lib/security/sparcv9/pam_vas3.so
If /usr is shared, you need the following symlinks in the global zone pointing to counterpart files in
/opt/quest/lib:
/usr/lib/nss_vas4.so.1 | /opt/quest/lib/nss/nss_vas4.so.1
/usr/lib/security/pam_vas3.so | /opt/quest/lib/security/pam_vas3.so
In such a scenario, you do not need QAS joined to a domain in the global zone in order for sparse zones to work,
but the symlinks must exist.
Each zone must have its own unique copy of /etc and /var because QAS stores zone-specific information in those
locations. Sharing /etc and /var with the global zone is not a supported configuration.
Quest Authentication Services | Index | 69
Index
A I
Active Directory 12, 13 install software agents on host 23
changing configuration settings 12, 13 requires elevated privileges 23
Active Directory configuration 22 install.sh 30, 31
determines schema mappings 22 about 30, 31
moving the configuration data 22 Installation Script Options 31
purpose defined 22 installing 27, 28, 29, 30, 31, 32, 33, 34, 35, 62
updating 22 QAS Linux agent 62
validates license information 22 QAS Unix agent 27, 28, 29, 30, 31, 32, 33, 34, 35
Active Directory schema 43
how Quest Authentication Services uses 43
ActiveRoles Server option 21, 22
J
not available if ActiveRoles Server agent is not installed 21, 22 join host to Active Directory 23
requires elevated privileges 23
B joining domain 33, 34, 35
determining if joined 33, 34, 35
Best Practice: 12, 32, 33, 41, 43, 44 joining the AD domain 33, 34
add Unix identity attributes to global catalog 44
do not install or run the QAS Windows components on Active
Directory domain controllers 12
L
index attributes in Active Directory 44 LDAP attributes 43, 44
license management 32, 33 mapped to Unix attributes 43, 44
use generated UIDs and GIDs 41 license 12, 40
use schema designed for storing Unix data in AD 43, 44 installing 12, 40
License 40
C adding 40
licenses 32, 33
contacting 9 installing 33
Control Center 38, 39, 40, 41, 42, 43, 44 Logging 42
described 38, 39, 40, 41, 42, 43, 44 enabling 42
must be logged in as domain user 38, 39, 40, 41, 42, 43, 44 setting options 42
conventions 8
customize the schema mapping 44
O
D Optimize Schema 44
requires AD administrator rights 44
debug logging 42
enabling 42
Dynamic DNS Update Tool 35
P
performance and scalability 44
E Permissions 12, 13, 14, 16
required 12, 13
enable debug logging 42 Unix 14, 16
permissions required for full QAS functionality 14
PosixAccount auxiliary class schema extension 43
F Preferences 40, 41, 42, 43, 44
Filter Options 39 configuring settings 40, 41, 42, 43, 44
preflight Diagnostic Tool 28
About 28
G preflight utility 28
running 28
global settings modifications 38, 39, 40, 41, 42, 43, 44 PTR updates are rejected 58
Global Unix Options 41
70 | Quest Authentication Services | Index
schema 43, 44
configuration 43, 44
V
Custom Unix attributes 43, 44 vasd 65
extensions 43, 44 restart 65
LDAP attributes 43, 44 vasjoin Script 34
templates 43, 44 using 34
Unix attributes 43, 44 vasjoin.sh 33, 34, 35
schema configuration 43 using 33, 34, 35
defined 43 vastool join 33
schema extension 43 using 33
PosixAccount auxiliary class 43
schema mappings 44
customizing 44 W
index and replicate GUI and UID attributes to global
catalog 44 where to set 41