Vintela Authentication from SCO
Release 2.2
Installation Guide

November 19, 2003

Source: sco.com/support/docs/vintela/InstallGuide.pdf


COPYRIGHT

(c) Copyright 2003 Vintela, Inc. All Rights Reserved.
(c) Copyright 2003 The SCO Group, Inc.

Vintela documents are protected by the copyright laws of the United States and International Treaties.

Permission to copy, view, and print Vintela documents is authorized provided that:

1. It is used for non-commercial and information purposes.

2. It is not modified.

3. The above copyright notice and this permission notice is contained in each Vintela document.

Notwithstanding the above, nothing contained herein shall be construed as conferring any right or license under the copyright of Vintela, Inc.

RESTRICTED RIGHTS LEGEND

When licensed to a U.S., State, or Local Government, all Software produced by Vintela is commercial computer software as defined in FAR 12.212, and has been developed exclusively at private expense. All technical data, or Vintela commercial computer software/documentation is subject to the provisions of FAR 12.211 - Technical Data, and FAR 12.212 - Computer Software respectively, or clauses providing Vintela equivalent protections in DFARS or other agency specific regulations. Manufacturer: Vintela Inc., 333 South 520 West, Lindon, Utah 84042.

DISCLAIMER

THE VINTELA DOCUMENTS ARE PROVIDED AS IS AND MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. VINTELA, INC. RESERVES THE RIGHT TO ADD, DELETE, CHANGE OR MODIFY THE VINTELA DOCUMENTS AT ANY TIME WITHOUT NOTICE. THE DOCUMENTS ARE FOR INFORMATION ONLY. VINTELA MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES OF ANY KIND.

TRADEMARKS

Vintela and the Vintela logo are trademarks or registered trademarks of Vintela, Inc. in the U.S.A. and other countries. Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows 2000, Windows 2003, Windows XP, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. All other brand and product names are trademarks or registered marks of the respective owners.

Table of Contents

Preface
  Why VAS?
  Audience and Scope
  Conventions Used in this Guide

Introduction
  What is VAS?

Windows Installation and Configuration
  Extending The Active Directory Schema
  Installing the VAS Snapin Extension
  Enabling Unix User and Group properties
  Creating a "Unix enabled" Group
  Creating a "Unix enabled" User

Installing and Configuring Unixware and OpenServer Clients
  Installing UnixWare Clients
  Synchronizing Time on UnixWare Clients
  Configuring UnixWare Clients
  Installing SCO OpenServer Clients
  Synchronizing Time on SCO OpenServer Clients
  Configuring SCO OpenServer Clients

Installing Linux clients
  VAS Client Components
  Hardware Requirements
  Software Requirements
  Installing the Linux Client
  Installing the vas-client rpm
  Uninstalling the Linux Client

Installing Solaris clients
  VAS Client Components
  Hardware Requirements
  Software Requirements
  Installing the Solaris Client
  Installing the vasclient pkg
  Uninstalling the Solaris Client

Installing HP-UX clients
  VAS Client Components
  Hardware Requirements
  Software Requirements
  Installing the HP-UX Client
  Installing the vasclient depot
  Uninstalling the HP-UX Client

Installing AIX clients
  VAS Client Components
  Hardware Requirements
  Software Requirements
  Installing the AIX Client
  Installing the VAS client AIX package
  Uninstalling the vasclient AIX package

Licensing and Configuring the VAS Client
  Entering License Information
  VAS Client Configuration
  vastool join Modifications
  vastool join and DNS
  VAS Client Package Types

Troubleshooting Common Installation Problems
  Time Synchronization Errors
  Domain Discovery Errors
  Permissions and Authentication Errors
  Authentication Errors
  Permissions Errors
  Using syslog

Preface

Why VAS?

System administrators today must support heterogeneous platforms and applications for their users' business needs and requirements. When providing users with the best network accessibility and state-of-the-art applications, system administrators are left with an integration and security nightmare.

Critical to the security of any network is the authentication and verification of user identities. By adopting Microsoft Active Directory some issues with authentication and identity management are solved. However, this introduces significant problems for the organization that additionally runs business critical applications on UNIX platforms and Linux. When system administrators are required to maintain multiple user authentication systems, users are required to remember multiple passwords. System administrators might be clever enough to devise script-based password synchronization tools, but this solution can become hard to support, maintain, and train additional staff to use.

Vintela Authentication from SCO (VAS) provides the solution for integrating UNIX and Linux systems with Active Directory. It supplies the discipline and controls necessary to ensure the security and integrity demanded in business environments.

VAS allows administrators to provide a secure environment where users have the same username and password for Windows, UNIX, and Linux logins without having to maintain password synchronizers or perform user administration tasks on multiple systems. VAS users can log in and authenticate to Active Directory from their UNIX servers and workstations the same way they do from Windows XP and Windows 2000/2003. VAS makes it possible to manage all users from within the standard Active Directory management environment.

Audience and Scope

This guide is intended for Windows, UNIX, and Linux system administrators who will be deploying VAS and are interested in the following:

• More detailed explanations of how the VAS client components work

• Detailed explanations of how VAS works in multiple domain environments

• Detailed explanations of how VAS works with Active Directory Sites

• How to migrate existing Unix users and groups into Active Directory

For information on basic installation and configuration of Active Directory and the VAS client, refer to the Installation and Configuration Guide.

Conventions Used in this Guide

The following notation conventions are used throughout this guide:

• Directories and filenames appear in italic. For example, /etc/pam.conf.

• Executable names appear in bold. For example, vascd.

• Specific file and packaging formats appear in bold. For example, the RPM package.

• Shell commands appear in monofont. For example,

# vastool configure pam

Within text, commands are bolded for readability. For example, using vastool you can create users, delete users, and list user information.

• Menu items and buttons appear in bold. For example, click Next.

• Selecting a menu item is indicated as follows: Programs -> Administrative Tools -> VAS -> Active Directory Users and Computers

Chapter 1 Introduction

What is VAS?

Vintela Authentication from SCO (VAS) unifies Windows, UNIX and Linux authentication and identity management so that regardless of the platform being accessed, users log in using their Windows Active Directory user name and password. The VAS product securely and conveniently eliminates the need for manual "per-system" identity administration, User and Group NIS maps, and password synchronization scripting.

Above all, VAS eliminates the need to layer third-party software over the top of the critical security components of Windows 2000/2003. Instead, VAS provides fully compatible client libraries and utilities that can be used to transparently and securely redirect the core UNIX authentication and identity management functionality to Windows domain controllers using interoperable protocols (such as Kerberos v5 and LDAP).

Other identity management solutions layer additional software on top of Active Directory or replace it altogether. In either case, solutions that interrupt the core Windows 2000/2003 services to provide a gateway for UNIX interoperability add to the Windows management complexity and create dangerous security vulnerabilities that affect overall enterprise security and stability.

The diagram that follows illustrates a typical solution.

The diagram above illustrates how a user named JD with a password of Hockey logs in to a UNIX or Linux system while authenticating against Active Directory. The core protocol interaction between the Windows domain controller, Windows XP, and the UNIX/Linux system is the same. The end result for the user is that they are now able to use the same user name and password to log in to either the Windows or Unix systems.


Chapter 2 Windows Installation and Configuration

The installation of the VAS software can be completed in a few short steps. The first of these steps is to extend the Active Directory schema to support the storage of UNIX account information for users and groups. The schema extension needs to be applied only once on the Schema Master domain controller for each Active Directory forest. A schema extension utility is provided with VAS to facilitate the schema extension process.

The next step is to install the VAS Microsoft Management Console (MMC) Snapin Extension for the Active Directory Users and Computers snapin. The VAS MMC Snapin Extension provides "Unix Account" properties tabs for user and group property pages. The VAS MMC Snapin Extension can be installed on any domain controller or Windows workstation that is used to run the Active Directory Users and Computers Snapin.

The following sections are found in this chapter:

• Extending The Active Directory Schema

• Installing on an administrative Windows workstation

• Enabling Unix Group properties

• Enabling Unix User properties

Extending The Active Directory Schema

The schema only needs to be extended once on the Schema Master domain controller of each Active Directory forest. This schema extension should be considered permanent, and will not need to be reinstalled. An Active Directory forest includes related child domains; you do not need to extend the schema for each domain, only once for the entire forest.

In order to extend the schema you must be logged on as an Active Directory user account that has been granted Schema Admin privileges. If you don't have Schema Admin privileges, you cannot extend the schema. To extend the Active Directory schema complete the following:

1. Insert the product CD into the CDROM drive of the Schema Master Domain Controller.

2. Browse to the schema folder on the CD.

3. Double-click the schemext.exe file to initiate the VAS Schema Extension Utility.

4. The following will appear:


5. You have the option of applying one or more of the following schema extensions:

• VAS Group and User Schema (required)

• VAS NIS Map Schema (optional)

Select the schema extension you want to apply and click Extend Schema.

A Schema Information dialog window appears.

6. Click Yes to indicate that you want to apply the schema extension.

An hourglass appears while the schema extensions are applied. A dialog window then appears indicating that the schema extension has been successfully applied.

7. To install another schema extension, repeat steps 3, 4, 5, and 6.

Only the Group and User Schema extension is required. Only apply the NIS Map Schema extension if you have NIS Map data to migrate to Active Directory.

You do not need to install the schema extender or extend the schema on any workstations. This only needs to be done once on the Schema Master for your Active Directory forest.

VAS supports other Schema extensions. For more information on other supported schema extensions, refer to the VAS Administration Guide to see if you are already using a VAS compatible schema extension. In this case, you do not need to extend the schema, but instead use the available schema extension.

Installing the VAS Snapin Extension

Installing the VAS Snapin Extension on an administrative workstation will allow the administrator to manage Unix user and group properties when using the Active Directory Users and Computers Snapin. You can install the VAS Snapin Extension on any workstation that has the Active Directory Users and Computers Snapin installed, even the Schema Master. Note that you must have the appropriate administrative rights to install software in order to install the VAS Snapin extension. To install the VAS Snapin Extension, complete the following:

1. Insert the product CD into the CDROM drive.

2. Browse to the win32 folder on the CD.

3. Double-click the VAS MSI file to initiate the Setup Wizard.

4. Click Next on the Welcome screen.

5. Read the license agreement and click I Accept to accept the license agreement then click Next.

6. Select the Admin Workstation install.

7. Click Install.

8. Click Finish.

Enabling Unix User and Group properties

Once the schema extensions have been applied on the Schema Master domain controller of the forest and the Active Directory Users and Computers snap-in extension has been installed, you can "Unix enable" User and Group accounts. A "Unix Enabled" user or group is an Active Directory user or group that has Unix attributes such as a Unix UID or Unix GID. Only "Unix enabled" users and groups will be available on the VAS clients.

Creating a "Unix enabled" Group

Before creating "Unix enabled" user accounts we recommend you create at least one "Unix enabled" group account that can be used for the primary group (GID) of "Unix enabled" users.

To create a group, do the following:

1. From the Start menu click Programs -> Administrative Tools -> Active Directory Users and Computers.

2. Right-click on the Users folder.

3. Select New -> Group.

4. Enter the Group name.

5. Make sure that Group type is set to Security (default) and click OK.

To "Unix enable" a group, do the following:

1. Right click on an existing group and select Properties.

2. Click the Unix Account tab in the group properties dialog. (The Unix Account tab is provided by the VAS Active Directory Users and Computers snap-in extension.)

The following properties dialog appears:

3. Click the Enable Unix Group checkbox. Make sure the group has an appropriate GID.

If there are no other Unix enabled groups in the current Organizational Unit (OU or commonly referred to as a "container"), the first group receives a suggested GID of 1000. This is a default and can be changed. If there are other "Unix enabled" groups in the group's container, a default GID of one greater than the highest GID in the container is suggested as a default.

On most Unix and Linux operating systems the (local) system groups are assigned GIDs between 0 and 500. To avoid conflicts with local group accounts, we recommend that you do not give any Active Directory groups GIDs below 1000.

4. When you have finished editing the group information, click OK to save the changes.


Creating a "Unix enabled" User

To enable UNIX and Linux user accounts, complete the following:

1. From the Start menu click Programs -> Administrative Tools -> Active Directory Users and Computers.

2. Open the Users folder.

3. Right-click on an existing user and select Properties to view the properties associated with that account.

4. Click the Unix Account tab in the user properties dialog (The Unix Account tab is provided by the VAS Active Directory Users and Computers Snapin extension).

The following properties dialog appears:


5. Click the Enable UNIX Account checkbox.

6. Modify the suggested defaults as necessary. To select a different Primary group, click on the group selection button labeled with ... next to the Primary Group ID edit box, and select a group from the presented list.


If there are no other UNIX enabled users in the user's Organizational Unit (OU, or commonly referred to as a "container"), the first user receives a suggested UID of 1000. This is a default and can be changed. If there are other "Unix enabled" users in the user's container, a UID of one greater than the highest UID in the container is suggested as a default.

On most UNIX and Linux operating systems the (local) system users typically are assigned UIDs between 0 and 100. To avoid conflict with local user accounts, we recommend that you do not set any "Unix enabled" User UIDs in Active Directory below 1000.

The default value for Login Shell is /bin/bash. If you do not have this shell on the systems the user is logging into, you must change this setting to the location of a valid login shell or make symlinks on systems so that the shell location is valid.
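The default GID and UID suggestion rule from the group and user sections above, as an added example that is not part of the guide: 1000 for the first Unix-enabled account in a container, otherwise the highest existing ID plus one, followed by the two checks worth making before accepting the default (collision with a local account, and the 1000 floor the guide recommends). The group file it reads is a constructed sample, not a real /etc/group.

```shell
#!/bin/sh
# Added example, not from the guide: reproduce the snap-in's default UID/GID
# suggestion rule (1000 for the first Unix-enabled account in a container,
# otherwise highest existing ID + 1) and vet the result against a local
# account database before accepting it. The group file used below is a
# constructed sample, not a real /etc/group.

# suggest_id ID...  -> prints the suggested Unix ID for a container whose
# existing Unix-enabled accounts hold the given IDs (no arguments = empty).
suggest_id() {
    max=""
    for id in "$@"; do
        if [ -z "$max" ] || [ "$id" -gt "$max" ]; then
            max=$id
        fi
    done
    if [ -z "$max" ]; then
        echo 1000
    else
        echo $((max + 1))
    fi
}

# local_id_in_use ID FILE -> succeeds if FILE (passwd/group format, numeric ID
# in field 3) already assigns ID to a local account.
local_id_in_use() {
    awk -F: -v want="$1" '$3 == want { found = 1 } END { exit !found }' "$2"
}

# check_id ID FILE -> prints "collides" when a local account already owns ID,
# "below-1000" when ID is under the floor the guide recommends for Active
# Directory accounts, and "ok" otherwise.
check_id() {
    if local_id_in_use "$1" "$2"; then
        echo collides
    elif [ "$1" -lt 1000 ]; then
        echo below-1000
    else
        echo ok
    fi
}

# Constructed sample of a client's local group file.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
daemon:x:1:
users:x:100:
localapp:x:1001:
EOF

check_id "$(suggest_id)" "$SAMPLE_GROUP"          # empty container -> 1000 -> ok
check_id "$(suggest_id 1000)" "$SAMPLE_GROUP"     # 1001 is taken locally -> collides
check_id "$(suggest_id 499 500)" "$SAMPLE_GROUP"  # 501 is under the floor -> below-1000
rm -f "$SAMPLE_GROUP"
```

Run the same check against each client's real /etc/group and /etc/passwd before "Unix enabling" an account; a GID that a local group already uses would silently merge the two groups' access on that client.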


Chapter 3 Installing and Configuring Unixware and OpenServer Clients

Instructions follow for installing and configuring UnixWare and OpenServer clients.

Installing UnixWare Clients

To install UnixWare clients, complete the following:

1. Log in as root.

2. Mount the VAS CD as follows:

mount -F cdfs -o ro /dev/cdrom/cdrom1 /mnt/cd

Where: /dev/cdrom/cdrom1 is the special device name for your CDROM drive and /mnt/cd is the directory to which the CD will be mounted.

3. Enter the following to install the VAS client components from the uw7/ subdirectory in the CD mount directory:

pkgadd -d /mnt/cd/uw7/vasclient_UnixWare_5_x86at-1.2.pkg

4. Press Enter when prompted to specify the packages you want to install.

Note: In certain situations pkgadd prompts for additional information. Respond appropriately for your system setup.

5. Add the following lines to /etc/syslog.conf to enable the logging of VAS notices and error messages:

daemon.notice	/usr/adm/syslog
daemon.emerg	*

Important: You must use tabs for the whitespace between the two columns of text, not spaces.

6. Re-start syslogd in order for your changes to take effect:

kill -HUP `cat /etc/syslog.pid`

Important: Use backquotes (left single quotes) around `cat /etc/syslog.pid` so that the shell substitutes the PID read from the file.

7. To install your license key, change to /opt/vas/bin and enter the following:

# ./vastool license serial_number key

Where: serial_number is your key serial number and key is your license key. You need both your license key and your license serial number.

Synchronizing Time on UnixWare Clients

In order to communicate with Active Directory, the VAS client must be synchronized to within 2 minutes of the time on the Active Directory domain. The recommended method for synchronizing time is to configure and use the NTP client available on all UNIX and Linux platforms. Refer to your system documentation for instructions on using the NTP client.

You can also use vastool timesync, however, this is only a quick fix and will not provide the accuracy required.

To synchronize time with Active Directory, enter the following:

/opt/vas/bin/vastool timesync <adserver>

Where: adserver is the hostname of the Active Directory server or the server offering NTP time services. Do not enter the brackets.

For additional information on synchronizing time, see “Troubleshooting Common Installation Problems” on page 45.


Configuring UnixWare Clients

In order for your client to communicate with Active Directory you must configure the operating system’s PAM and NSS subsystems to use the VAS components (for more information on PAM and NSS, see the VAS Administration Guide), set the realm that the client uses to log in to the Active Directory domain, and add a computer object for your system in Active Directory. This can all be accomplished using the command line configuration tool, vastool join.

Using DNS

By default, VAS searches your DNS server for the Active Directory service locator (SRV) records when it tries to locate an appropriate Active Directory server. Your DNS server must be set up to allow dynamic updates from Active Directory.

If your DNS server is set up to handle auto detection of your Active Directory server, complete the following instructions to configure your UnixWare clients:

1. As root, change directory to /opt/vas/bin.

2. Set the realm that the UnixWare system will use to log in to the Active Directory domain by issuing the following command:

./vastool -u matt join example.com

Where: -u specifies the name of the user with domain administrator equivalent privileges; matt is a user in the sample network with Active Directory Domain Admin privileges, and example.com is the name of the Active Directory domain in the sample network.

Note: For UnixWare systems to join the domain you must use an Active Directory user that has the equivalent privileges of the Domain Admins group. Do not use the built-in Administrator account. This account cannot be used by vastool.

A prompt appears requesting the password for the user you entered.

3. Enter the user’s (matt) account password.

The results of the vastool join command appear. This command modifies the configuration files /etc/opt/vas/vas.conf, /etc/nsswitch.conf, and /etc/pam.conf, and re-starts the vascd daemon automatically.

4. For these changes to take effect reboot your system or enter the following:

shutdown -i6 -g0 -y

Using vastool join Without Using DNS

If you are not using DNS or if your DNS server does not contain the Active Directory SRV records, use the following instructions to configure your UnixWare clients. The following command allows you to pass the name of the Active Directory server to vastool on the vastool join command line.

To configure UnixWare clients without using DNS, complete the following:

1. As root, change directory to /opt/vas/bin.

2. Set the realm that the UnixWare system will use to log in to the Active Directory domain by issuing the following command:

./vastool -u matt join example.com adserv

Where: -u specifies the name of the user with domain administrator equivalent privileges; matt is a user in the sample network with Active Directory Domain Admin privileges; and, example.com is the name of the Active Directory domain in the sample network; adserv is the machine name of the Active Directory server in the sample network.

Note: For UnixWare systems to join the domain you must use an Active Directory user that has the equivalent privileges of the Domain Admins group. Do not use the built-in Administrator account. This account cannot be used by vastool.

A prompt appears requesting the password for the user you entered.

3. Enter the user’s (matt) account password.

The results of the join command appear. This command modifies the configuration files /etc/opt/vas/vas.conf, /etc/nsswitch.conf, and /etc/pam.conf. The vascd daemon starts automatically.

You can view this UnixWare system by using the Active Directory Users and Computers snapin.

4. For these changes to take effect reboot your system or enter the following:

shutdown -i6 -g0 -y

Configuring the Telnet Server

To set up a Telnet server on your UnixWare system, complete the following:

1. Open /etc/inetd.conf and locate the following lines. Make sure both are com-mented out (add a “#” to the beginning of each line if one isn't already there):

# telnet stream tcp nowait root /usr/sbin/in.tcpd in.telnetd
# telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

2. Below those lines, add the following line for the VAS-enabled replacement Telnet server:

telnet stream tcp nowait root /opt/vas/sbin/in.telnetd in.telnetd -a none

3. Restart the inetd server by running:

kill -HUP `cat /etc/saf/inetd/_pid`

VAS-Enabled Applications on UnixWare

Many server services and client applications use the Pluggable Authentication Module (PAM) to integrate with VAS. UnixWare does not ship with PAM. In order to enable these applications and services you must complete the configuration instructions that follow.


Configuring VAS-Enabled Server Applications

All of the VAS-enabled server applications must be installed on your UnixWare system before the installation can be considered complete. Interacting with VAS components without these applications installed can leave your system unstable and is therefore strongly discouraged.

Configuring the FTP Server

To set up an FTP server on your UnixWare system, complete the following:

1. In /etc/inetd.conf, locate the following lines and make sure both are commented out (add a “#” to the beginning of each line if one isn't already there):

# ftp stream tcp nowait root /usr/sbin/in.tcpd in.ftpd
# ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd

2. Below those lines, add the following line for the VAS-enabled replacement FTP server:

ftp stream tcp nowait root /opt/vas/sbin/in.ftpd in.ftpd -a none

3. Restart the inetd server by running:

kill -HUP `cat /etc/saf/inetd/_pid`
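The telnet and FTP procedures above make the same kind of edit to /etc/inetd.conf by hand: disable the stock daemon entries and add one VAS-enabled replacement. The script below is an added example, not part of the Vintela guide, that performs and verifies that edit for either service against a constructed copy of inetd.conf. The function names and the sample file are assumptions of this example; the replacement entries themselves (the /opt/vas/sbin binaries with -a none) are the ones the guide gives. It is safe to run more than once, which matters when the steps are scripted across many hosts.

```shell
#!/bin/sh
# Added example, not from the Vintela guide: disable the stock in.telnetd /
# in.ftpd entries in an inetd.conf and ensure exactly one VAS-enabled
# replacement entry is present. Works on whatever file path it is given, so
# test it on a copy before pointing it at /etc/inetd.conf.

# Constructed sample inetd.conf standing in for /etc/inetd.conf.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# inetd.conf -- constructed sample for the example
telnet  stream  tcp  nowait  root   /usr/sbin/in.tcpd    in.telnetd
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd    in.ftpd
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd in.fingerd
EOF

# vas_inetd_entry SERVICE DAEMON FILE
#   Comment out every active SERVICE line that is not already the VAS
#   replacement, then append the replacement line if it is missing.
#   Running it again changes nothing (idempotent).
vas_inetd_entry() {
    svc=$1; daemon=$2; file=$3
    vas_line="$svc stream tcp nowait root /opt/vas/sbin/$daemon $daemon -a none"
    tmp=$(mktemp)
    # An uncommented line whose first field is the service, and which does not
    # point at /opt/vas/sbin, gets a leading '#'.
    awk -v svc="$svc" '
        $1 == svc && $0 !~ /\/opt\/vas\/sbin\// { print "#" $0; next }
        { print }
    ' "$file" > "$tmp"
    if ! grep -q "^$svc[[:space:]].*/opt/vas/sbin/$daemon" "$tmp"; then
        printf '%s\n' "$vas_line" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# active_count SERVICE FILE -- number of uncommented entries for SERVICE
active_count() {
    grep -c "^$1[[:space:]]" "$2" || true
}

# vas_entry_present SERVICE DAEMON FILE -- 0 if the VAS replacement line is active
vas_entry_present() {
    grep -q "^$1[[:space:]].*/opt/vas/sbin/$2 $2 -a none" "$3"
}

# Apply to both services the guide covers; the repeated call shows idempotence.
vas_inetd_entry telnet in.telnetd "$SAMPLE_INETD"
vas_inetd_entry ftp    in.ftpd    "$SAMPLE_INETD"
vas_inetd_entry telnet in.telnetd "$SAMPLE_INETD"
cat "$SAMPLE_INETD"
```

After the edit, inetd still has to be told to re-read the file with the kill -HUP command shown in step 3; the script deliberately does not do that for you.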

Installing SCO OpenServer Clients

To install SCO OpenServer clients, complete the following:

1. Log in as root.

2. If you are installing VAS to an OpenServer 5.0.6 system, install Release Supplement rs506a. You must install this supplement before continuing.


The Release Supplement and instructions on how to install it are available at the following URL:

ftp://ftp.sco.com/pub/openserver5/rs506a

Note: Versions of SCO OpenServer newer than 5.0.6 do not need this Release Supplement.

3. Mount the VAS CD:

mount -o ro -f ISO9660 /dev/cd0 /mnt/cd

Where: /dev/cd0 is the special device for your CDROM drive.

4. Enter the following to install the VAS client components from the osr5/ subdirectory in the CD mount directory:

pkgadd -d /mnt/cd/osr5/vasclient_SCO_SV_3.2-2.1.pkg

5. Press Enter when prompted to specify the packages you want to install.

Note: In certain situations the system requests information on pkgadd. Respond appropriately for your system setup.

6. Add the following lines to /etc/syslog.conf to enable the logging of VAS notices and error messages:

daemon.notice	/usr/adm/syslog
daemon.emerg	*

Important: You must use tabs for the whitespace between the two columns of text, not spaces.

7. Restart syslogd in order for your changes to take effect:

kill -HUP `cat /etc/syslog.pid`

Important: Use backquotes (grave accents), not single quotes, around `cat /etc/syslog.pid`.

8. To install your license key, change to /opt/vas/bin and enter the following:


# ./vastool license serial_number key

Where: serial_number is your key serial number and key is your license key. You need both your license key and your license serial number.
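Step 6 above warns that the two syslog.conf entries must be tab-separated, and a line that is separated by spaces fails silently: syslogd simply never writes the VAS notices you will want when a join or a login fails. The check below is an added example, not part of the Vintela guide; it looks for each required entry with a literal tab between selector and action, against a constructed syslog.conf in which the second entry is wrong. The function names and sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Vintela guide: verify that the VAS entries in a
# syslog.conf use a literal tab between selector and action. Pass
# /etc/syslog.conf instead of the sample to check a real system.

# Constructed sample: first entry correct (tab), second wrong (spaces).
SAMPLE_SYSLOG=$(mktemp)
printf 'daemon.notice\t/usr/adm/syslog\ndaemon.emerg    *\n' > "$SAMPLE_SYSLOG"

# syslog_entry_ok SELECTOR ACTION FILE
#   0 if FILE has an uncommented line "SELECTOR<tab(s)>ACTION", 1 otherwise.
#   Splitting on tab only means a space-separated line never matches, which is
#   exactly the mistake the guide warns about.
syslog_entry_ok() {
    awk -F'\t' -v sel="$1" -v act="$2" '
        $1 == sel && $NF == act { found = 1 }
        END { exit !found }' "$3"
}

# syslog_check FILE -- report each required VAS entry; returns number of bad ones
syslog_check() {
    bad=0
    for entry in "daemon.notice /usr/adm/syslog" "daemon.emerg *"; do
        sel=${entry%% *}; act=${entry#* }
        if syslog_entry_ok "$sel" "$act" "$1"; then
            echo "ok:   $sel -> $act"
        else
            echo "FAIL: $sel -> $act (missing, commented out, or separated by spaces)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

syslog_check "$SAMPLE_SYSLOG" || echo "$? entry(ies) need fixing"
```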

Synchronizing Time on SCO OpenServer Clients

In order to communicate with Active Directory, the VAS client's clock must be within 2 minutes of the time on the Active Directory domain. The recommended method for synchronizing time is to configure and use the NTP client available on all UNIX and Linux platforms. Refer to your system documentation for instructions on using the NTP client.

You can also use vastool timesync; however, this is only a quick fix and does not provide the accuracy required.

To synchronize time with Active Directory, enter the following:

/opt/vas/bin/vastool timesync <adserver>

Where adserver is the hostname of the Active Directory server or the server offering NTP time services. Do not enter the brackets.

For additional information on synchronizing time, see “Troubleshooting Common Installation Problems” on page 45.

Configuring SCO OpenServer Clients

In order for your client to communicate with Active Directory you must configure the operating system’s PAM and NSS subsystems to use the VAS components (for more information on PAM and NSS, see the VAS Administration Guide), set the realm that the client uses to log in to the Active Directory domain, and add a computer object for your system in Active Directory. This can all be accomplished using the command line configuration tool, vastool join.


Using DNS

By default, VAS searches your DNS server for the Active Directory service locator (SRV) records when it tries to locate an appropriate Active Directory server. Your DNS server must be set up to allow dynamic updates from Active Directory.

If your DNS server is set up to handle auto detection of your Active Directory server, complete the following instructions to configure your SCO OpenServer clients:

1. As root, change directory to /opt/vas/bin.

2. Set the realm that the SCO OpenServer system will use to log in to the Active Directory domain by issuing the following command:

./vastool -u matt join example.com

Where: -u specifies the name of the user with domain administrator equivalent privileges; matt is a user in the sample network with Active Directory Domain Admin privileges; and example.com is the name of the Active Directory domain in the sample network.

Note: For SCO OpenServer systems to join the domain you must use an Active Directory user that has the equivalent privileges of the Domain Admins group. Do not use the built-in Administrator account. This account cannot be used by vastool.

A prompt appears requesting the password for the user you entered.

3. Enter the user’s (matt) account password.

The results of the vastool join command appear. The command modifies the configuration files /etc/opt/vas/vas.conf, /etc/nsswitch.conf and /etc/pam.conf, and restarts the vascd daemon automatically.

4. For these changes to take effect reboot your system or enter the following:

shutdown -i6 -g0 -y

Using vastool join Without Using DNS

If you are not using DNS or if your DNS server does not contain the Active Directory SRV records, use the following instructions to configure your SCO OpenServer clients. The following command allows you to pass the name of the Active Directory server to vastool on the vastool join command line.

To configure SCO OpenServer clients without using DNS, complete the following:

1. As root, change directory to /opt/vas/bin.

2. Set the realm that the SCO OpenServer system will use to log in to the Active Directory domain by issuing the following command:

./vastool -u matt join example.com adserv

Where: -u specifies the name of the user with domain administrator equivalent privileges; matt is a user in the sample network with Active Directory Domain Admin privileges; example.com is the name of the Active Directory domain in the sample network; and adserv is the machine name of the Active Directory server in the sample network.

Note: For SCO OpenServer systems to join the domain you must use an Active Directory user that has the equivalent privileges of the Domain Admins group. Do not use the built-in Administrator account. This account cannot be used by vastool.

A prompt appears requesting the password for the user you entered.

3. Enter the user’s (matt) account password.

The results of the join command appear. The command modifies the configuration files /etc/opt/vas/vas.conf, /etc/nsswitch.conf and /etc/pam.conf, and the vascd daemon starts automatically.

You can view this SCO OpenServer system by using the Active Directory Users and Computers snap-in.

4. For these changes to take effect reboot your system or enter the following:

shutdown -i6 -g0 -y


Chapter 4 Installing Linux clients

This chapter describes how to install and remove the VAS client for Linux operating systems. The following information is included:

• VAS Client Components

• Hardware Requirements

• Software Requirements

• Installing the Linux Client

• Uninstalling the Linux Client

VAS Client Components

The VAS client is packaged in RPM format, and is made up of the following components:

• A client daemon, vascd

• An NSS module, nss_vas

• A PAM module, pam_vas

• A command line administrative tool, vastool

• A shared library, libvas

• Man pages


Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

Software Requirements

The VAS client supports the following Linux distributions:

• RedHat Linux 7.3, 8.0, 9.0, Advanced Server 2.1

• Suse Linux 8.0, 8.1, 8.2

• Linux distributions powered by UnitedLinux

Installing the Linux Client

This section details how to install the VAS client on supported Linux platforms.

Installing the vas-client rpm

To install the vas-client rpm perform the following:

1. Log in and open a root shell.

2. Mount the installation CD and change to the linux directory at the root of the CD.

On Suse and UnitedLinux distributions, enter:

# mount /media/cdrom


# cd /media/cdrom/linux

On Redhat, enter:

# mount /mnt/cdrom

# cd /mnt/cdrom/linux

3. To install the vas-client rpm, enter:

# rpm -ivh vas-client-2.2.0-1.i386.rpm

If you are installing the evaluation version, the name of the RPM will be vas-client-eval-2.2.0-1.i386.rpm.

If you are installing the site-licensed version, the RPM name will be vas-client-site-2.2.0-1.i386.rpm.

Uninstalling the Linux Client

This section details how to uninstall the VAS client from supported Linux platforms.

To uninstall the VAS client rpm perform the following:

1. Log in and open a root shell.

2. If using the user licensed VAS client, use rpm to remove the package as follows:

# rpm -e vas-client

If using the site licensed VAS client, use rpm to remove the package as follows:

# rpm -e vas-client-site

If using the eval VAS client, use rpm to remove the package as follows:

# rpm -e vas-client-eval


Chapter 5 Installing Solaris clients

This section describes how to install and remove the VAS client for Solaris operating systems. The following information is included:

• VAS Client Components

• Hardware Requirements

• Software Requirements

• Installing the Solaris Client

• Uninstalling the Solaris Client

VAS Client Components

The VAS client is packaged in pkg format, and is made up of the following components:

• A client daemon, vascd

• An NSS module, nss_vas

• A PAM module, pam_vas

• A command line administrative tool, vastool

• A shared library, libvas

• 64 bit versions of the libraries and modules

• Man pages


Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

Software Requirements

The VAS client supports the following versions of Solaris:

• Solaris 8 and 9 (Sparc only)

Solaris x86 is not supported at this time.

Installing the Solaris Client

This section details how to install the VAS client on supported Solaris platforms. With the VAS client components installed, your Solaris system can become a member of the Active Directory domain.

Before you begin the installation make sure that you have the latest patches for your version of Solaris from http://www.sun.com/bigadmin/patches/. Solaris 8 requires that you have at least patches 110934-05 and 110380-04.

Installing the vasclient pkg

To install the vasclient pkg, perform the following:

1. Log in and open a root shell


2. Insert the installation CD. It is mounted automatically. Enter the following to go to the solaris directory on the CD:

# cd /cdrom/cdrom0/solaris

Where /cdrom/cdrom0 is the path to your CDROM device.

3. Use pkgadd to install the vasclient pkg by executing the following command:

# pkgadd -d vasclient_SunOS_5.8_sparc-2.2.0.pkg vasclient

In certain situations pkgadd requests additional information. Respond appropriately for your system configuration. Initialization scripts that are part of the vasclient package run during installation to help configure the system.

If you are installing the evaluation version, the name of the client pkg will be vasclient_SunOS_5.8_sparc-eval-2.2.0.pkg.

If you are installing the site-licensed version, the pkg name will be vasclient_SunOS_5.8_sparc-site-2.2.0.pkg.

Uninstalling the Solaris Client

This section details how to uninstall the VAS client from supported Solaris platforms.

To uninstall the VAS client pkg, perform the following:

1. Log in and open a root shell.

2. Use pkgrm to remove the package as follows:

# pkgrm vasclient


Chapter 6 Installing HP-UX clients

This section describes how to install and remove the VAS client for HP-UX operating systems. The following information is included:

• VAS Client Components

• Hardware Requirements

• Software Requirements

• Installing the HP-UX Client

• Uninstalling the HP-UX Client

VAS Client Components

The VAS client is packaged in depot format for both PA-RISC and the IA-64 platforms, and is made up of the following components:

• A client daemon, vascd

• An NSS module, nss_vas

• A PAM module, pam_vas

• A command line administrative tool, vastool

• A shared library, libvas

• 64 bit versions of the libraries and modules (the IA-64 package has 32 bit PA-RISC libraries as well).


• Man pages

Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

Software Requirements

The VAS client supports the following versions of HP-UX:

• HP-UX 11 (HP-UX B.11.0 / PA-RISC)

• HP-UX 11i v1 (HP-UX B.11.11 / PA-RISC)

• HP-UX 11i v1.6 (HP-UX B.11.22 / IA-64)

Installing the HP-UX Client

This section details how to install the VAS client on supported HP-UX platforms. With the VAS client components installed, your HP-UX system can become a member of the Active Directory domain.

Before you begin the installation make sure that you have the latest support plus patches for your version of HP-UX from http://www.software.hp.com/SUPPORT_PLUS/index.html or at http://www.hp.com.

HP-UX 11 (B.11.0) requires the following patch:


• Quality Pack QPK1100 (B.11.00.62.4)

HP-UX 11i v1 (B.11.11) requires the following patches:

• Bundle 11i (B.11.11.0306.1)

• Quality Pack GOLDQPK11i (B.11.11.0306.4)

HP-UX 11i v1.6 (B.11.22) requires the following patch:

• Maintenance Pack (MAINTPACK version E0306)

Installing the vasclient depot

To install the vasclient depot, perform the following:

1. Log in and open a root shell.

2. Mount the installation CD by executing the following commands:

# mkdir /cdrom

# mount -F cdfs /dev/dsk/c0t0d0 /cdrom

Where /dev/dsk/c0t0d0 is the name of the device for your CDROM drive.

3. Change to the hpux directory at the root of the mounted CDROM.

# cd /cdrom/hpux

4. If installing on HP-UX 11i v1.6, use swinstall to install the IA-64 depot by executing the following command:

# swinstall -s /cdrom/hpux/vasclient_ia164-2.2.0.depot vasclient

If installing on HP-UX 11i v1, use the following command line to install the depot for PA-RISC machines:


# swinstall -s /cdrom/hpux/vasclient_9000-2.2.0.depot vasclient

If you are installing the evaluation version, the name of the depot will be vasclient_9000-2.2.0-eval.depot or vasclient_ia64-2.2.0-eval.depot.

If you are installing the site-licensed version, the depot name will be vasclient_9000-2.2.0-site.depot or vasclient_ia64-2.2.0-site.depot.

Uninstalling the HP-UX Client

This section details how to uninstall the VAS client from supported HP-UX platforms.

To uninstall the VAS client depot, perform the following:

1. Log in and open a root shell

2. Use swremove to remove the package as follows:

# swremove vasclient


Chapter 7 Installing AIX clients

This section describes how to install and remove the VAS client for AIX operating systems. The following information is included:

• VAS Client Components

• Hardware Requirements

• Software Requirements

• Installing the AIX Client

• Uninstalling the AIX Client

VAS Client Components

The VAS client is packaged in installp format, and is made up of the following components:

• A client daemon, vascd

• A Loadable Authentication Module, VAS

• A PAM module, pam_vas (for AIX 5.1 and 5.2)

• A command line administrative tool, vastool

• A shared library, libvas

• Man pages


Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

Software Requirements

The VAS client supports the following versions of AIX:

• 4.3.3

• 5.1

• 5.2

Installing the AIX Client

This section details how to install the VAS client on supported AIX platforms.

Installing the VAS client AIX package

To install the VAS client installp package, perform the following:

1. Log in and open a root shell.

2. Mount the installation CD by executing the following commands:

# mkdir /cdrom


# mount -o ro -v cdrfs /dev/cd0 /cdrom

Where /dev/cd0 is the name of the device for your CDROM drive.

3. Change to the aix directory at the root of the mounted CDROM.

# cd /cdrom/aix

4. Use installp to install the package appropriate for your version of AIX. For AIX 5.1 and 5.2, run:

# installp -ac -d vasclient_AIX_5_1.2.2.0.0.bff all

For AIX 4.3, run:

# installp -ac -d vasclient_AIX_4_3.2.2.0.0.bff all

If you are installing the evaluation version, the name of the installp package will be vasclient_AIX_4_3-eval.2.2.0.0.bff for AIX 4.3.3, or vasclient_AIX_5_1-eval.2.2.0.0.bff for AIX 5.1 and 5.2.

If you are installing the site-licensed version, the installp package name will be vasclient_AIX_4_3-site.2.2.0.0.bff for AIX 4.3.3 or vasclient_AIX_5_1-site.2.2.0.0.bff for AIX 5.1 and 5.2.

Uninstalling the vasclient AIX package

This section details how to uninstall the VAS client from supported AIX platforms.

To uninstall the VAS client installp package, perform the following:

1. Log in and open a root shell.

2. Use installp to uninstall the package appropriate for your version of AIX. For AIX 5.1 and 5.2, run:


# installp -u vasclient.AIX_5_1.rte

For AIX 4.3, run:

# installp -u vasclient.AIX_4_3.rte


Chapter 8 Licensing and Configuring the VAS Client

After installing the appropriate VAS client package for your UNIX/Linux platform, you must install a license key and then configure the VAS client. A VAS client without a license key will only support two users. The license key is good for a certain number of users; this is the maximum number of Active Directory user accounts that can access the VAS client.

It is important to keep track of the license key and license serial number, as the license key needs to be reinstalled when installing upgrades to the VAS client. For information on obtaining a license key, visit http://www.vintela.com.

You do not need to install a license key if you are using the evaluation or site license versions of VAS. Both of these support an unlimited number of users without an installed license key.

Entering License Information

Your license consists of a license serial number and a license key. To install your license key, run the following command as the root user:

# /opt/vas/bin/vastool license serial_number key

Where serial_number is your license serial number, and key is your license key.

As explained in the previous section, the evaluation and site licensed packages include implicit license keys. You cannot install a license key with /opt/vas/bin/vastool license if you have installed the evaluation or site licensed VAS client package.


VAS Client Configuration

In order for the VAS client to work correctly, the UNIX/Linux system that you installed the VAS client on must be "joined" to the Active Directory domain. This is done by using the vastool join command.

Before you join the VAS client to the Active Directory domain, make sure you have the following information:

• The name of the Active Directory domain you want the VAS client to be a member of.

• The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory. Normally this user is a member of the Domain Admins group.

To run vastool join, do the following as the root user at a shell prompt:

# /opt/vas/bin/vastool -u matt join example.com

Where:

matt is the username of an Active Directory user with sufficient administrative privileges to create a computer object in Active Directory (normally a user who is a member of the Domain Admins group).

example.com is the name of the Active Directory domain that you are joining the computer to.

When prompted for the user's password, type it on the command line. The results of vastool join will be shown on the shell's standard out.

You cannot use the Active Directory Administrator account unless you give the Administrator user a User Principal Name (UPN, also known as the User logon name) and reset the password. By default the Administrator account does not have a UPN and cannot be used by vastool.


vastool join Modifications

vastool join makes the following modifications to your UNIX/Linux system:

• The system's configuration files for user and group account information backends are modified to include VAS. This is done by modifying /etc/nsswitch.conf to include vas as an entry for the passwd and group entries. The vas entry will be inserted after the files entry.

• The system's configuration files for authentication are updated to use VAS as an authentication backend. This is done by modifying the PAM configuration file(s) located at /etc/pam.conf or in the /etc/pam.d directory. These modifications allow the VAS authentication modules to authenticate Active Directory users while the native system authentication modules continue to authenticate local system users.

• The /etc/opt/vas/vas.conf configuration file is configured with information to enable the VAS libraries to use Kerberos authentication against Active Directory.

• An object in Active Directory is created for the computer. The computer account's password is set to a generated random password, which is stored as a Kerberos key at /etc/opt/vas/hosts.keytab.

• The vascd daemon is started, and the VAS user and group caches are loaded.

After the UNIX/Linux client is joined to the domain, all of the currently running operating system services (such as telnet, ftp, ssh, etc.) need to be restarted so that they can use the new VAS configuration. To do this, you can either reboot the machine, cycle your init levels to single user mode and back, or individually restart each daemon.
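The list above is also a checklist for verifying a join, and the last bullet but one is the security-sensitive item: hosts.keytab holds the computer account's Kerberos key, so it should be readable by root only. The script below is an added example, not part of the Vintela guide; it checks the nsswitch.conf ordering the guide describes (vas after files for passwd and group), that PAM loads pam_vas, and that the keytab is a regular file with mode 0600. It runs against constructed sample files; the function names, the sample contents and the pam_vas path in the sample are assumptions of this example, and on a real client you would pass /etc/nsswitch.conf, /etc/pam.conf (or the relevant /etc/pam.d file) and /etc/opt/vas/hosts.keytab.

```shell
#!/bin/sh
# Added example, not from the Vintela guide: post-join sanity checks on the
# files vastool join is documented to modify.

WORK=$(mktemp -d)

# Constructed nsswitch.conf as the guide says vastool join leaves it:
# "vas" inserted after "files" for the passwd and group databases.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd: files vas
group:  files vas
hosts:  files dns
EOF

# Constructed Solaris-style pam.conf fragment; the module path is a sample value.
cat > "$WORK/pam.conf" <<'EOF'
login auth sufficient /usr/lib/security/pam_vas.so.1
login auth required   /usr/lib/security/pam_unix.so.1
EOF

# Constructed stand-in for /etc/opt/vas/hosts.keytab (contents irrelevant here).
printf 'constructed-keytab-placeholder\n' > "$WORK/hosts.keytab"
chmod 600 "$WORK/hosts.keytab"

# nss_has_vas DB FILE -- 0 if the "DB:" line lists vas somewhere after files
nss_has_vas() {
    awk -v db="$1" '
        $1 == (db ":") {
            f = 0; v = 0
            for (i = 2; i <= NF; i++) { if ($i == "files") f = i; if ($i == "vas") v = i }
            if (f && v && v > f) ok = 1
        }
        END { exit !ok }' "$2"
}

# pam_uses_vas FILE -- 0 if an uncommented line loads pam_vas
pam_uses_vas() {
    grep -q '^[^#].*pam_vas' "$1"
}

# keytab_mode_ok FILE -- 0 if FILE is a regular file with mode rw------- (0600)
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# vascd_running -- 0 if a vascd process exists (not exercised offline)
vascd_running() {
    ps -e 2>/dev/null | grep -q '[v]ascd'
}

# post_join_report NSSWITCH PAMCONF KEYTAB -- one line per check; returns failures
post_join_report() {
    fails=0
    nss_has_vas passwd "$1" && echo "ok: passwd lists vas after files" \
        || { echo "FAIL: passwd lacks vas after files"; fails=$((fails + 1)); }
    nss_has_vas group "$1" && echo "ok: group lists vas after files" \
        || { echo "FAIL: group lacks vas after files"; fails=$((fails + 1)); }
    pam_uses_vas "$2" && echo "ok: PAM loads pam_vas" \
        || { echo "FAIL: no active pam_vas entry"; fails=$((fails + 1)); }
    keytab_mode_ok "$3" && echo "ok: keytab is mode 0600" \
        || { echo "FAIL: keytab missing or readable by others"; fails=$((fails + 1)); }
    return $fails
}

post_join_report "$WORK/nsswitch.conf" "$WORK/pam.conf" "$WORK/hosts.keytab"
```

A keytab that fails the mode check deserves the same response as a leaked password for the computer account: anyone who can read it can act as this host to Active Directory until the account password is reset by re-joining.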

vastool join and DNS

As part of the vastool join command, vastool autodetects the Active Directory domains, the domain controllers for each domain, and the Active Directory site for the UNIX/Linux system. This is done by looking up DNS SRV records and using information stored in the Active Directory configuration container.


If you are not using DNS, or if your DNS server does not support dynamic updates from Active Directory, then vastool will not be able to autodetect the domain controllers for the Active Directory domain. In this case, you will need to specify the domain controllers for your domain on the vastool join command line. To run vastool join while specifying the domain controllers, run the following as root at a shell prompt:

# /opt/vas/bin/vastool -u matt join example.com server1.example.com server2.example.com

Where server1.example.com and server2.example.com are both domain controllers for the example.com domain. You should specify one or more domain controllers for the realm you are joining that are in the UNIX/Linux system's Active Directory Site.
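Whether the controllers come from DNS or from the command line, it helps to know what the client is looking for and in what order it will try what it finds. The script below is an added example, not part of the Vintela guide: it lists the SRV names Active Directory registers for LDAP and Kerberos (and the site-specific LDAP name used by site-aware lookups), and orders a set of SRV answers by priority and then weight, the way a client chooses which controller to contact first. The answer lines are constructed in dig's presentation format; the function names are assumptions of this example, and the ordering is a deterministic simplification of the weighted selection that RFC 2782 actually specifies within a priority level.

```shell
#!/bin/sh
# Added example, not from the Vintela guide: expected SRV names for an AD
# domain, and the try-order of domain controllers from a set of SRV answers.

# Constructed SRV answers in dig presentation format:
# name ttl class type priority weight port target
SRV_ANSWERS=$(mktemp)
cat > "$SRV_ANSWERS" <<'EOF'
_ldap._tcp.example.com. 600 IN SRV 10 50  389 dc3.example.com.
_ldap._tcp.example.com. 600 IN SRV 0  100 389 dc1.example.com.
_ldap._tcp.example.com. 600 IN SRV 0  20  389 dc2.example.com.
EOF

# srv_expected_names DOMAIN [SITE]
#   The SRV names Active Directory registers for LDAP and Kerberos; with SITE
#   given, also the site-specific LDAP name (_ldap._tcp.<site>._sites.<domain>).
srv_expected_names() {
    printf '_ldap._tcp.%s\n' "$1"
    printf '_kerberos._tcp.%s\n' "$1"
    [ $# -ge 2 ] && printf '_ldap._tcp.%s._sites.%s\n' "$2" "$1"
    return 0
}

# srv_targets FILE
#   Print target hosts in the order a client should try them: lowest priority
#   first, then higher weight first within the same priority. Trailing dots
#   from the presentation format are stripped.
srv_targets() {
    awk '$4 == "SRV" { print $5, $6, $8 }' "$1" \
        | sort -k1,1n -k2,2nr \
        | awk '{ sub(/\.$/, "", $3); print $3 }'
}

# srv_best_target FILE -- the first controller to try, empty if no SRV answers
srv_best_target() {
    srv_targets "$1" | head -n 1
}

# srv_query NAME -- live lookup for a real client (not run by the offline example)
srv_query() {
    dig +short SRV "$1"
}

echo "SRV names to check for example.com:"
srv_expected_names example.com Default-First-Site-Name
echo "Controllers in try order from the constructed answers:"
srv_targets "$SRV_ANSWERS"
```

If srv_targets prints nothing for the output of a real query, the client is in the situation the "Domain Discovery Errors" section of Appendix A describes, and the controllers have to be named on the vastool join command line as shown above.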

If you have users from multiple domains outside the VAS client's default domain that will be accessing the UNIX/Linux client, then you will need to manually configure the server information for each of those domains with the VAS client. This is done with the vastool configure extra-realm command. Refer to the vastool man page for more information on vastool configure extra-realm.

VAS Client Package Types

There are three different types of VAS client packages:

• Evaluation (eval)

The software in the evaluation package will expire 60 days after installation and has no user limit.

• User Licensed

The software in the user licensed package requires the administrator to enter a license key along with the key's serial number to enable more than 2 users.

For more information about licensing and recommendations for licensing large VAS deployments, see the VAS Administration Guide.


• Site Licensed (site)

The software in the site package does not require a license key and has no user limit.

Your installation media will have the appropriate version of the client software.

If you have previously installed the evaluation package and would like to install the licensed or site version, you must uninstall the evaluation package and then install the licensed or site-licensed package. You cannot convert an evaluation installation into a non-eval installation.


Appendix A Troubleshooting Common Installation Problems

This appendix describes common problems you may encounter during the installation of VAS and how to fix them. For more troubleshooting tips for individual VAS components, see the VAS Administration Guide.

Time Synchronization Errors

The VAS client uses the Kerberos protocol to authenticate against Active Directory. Kerberos is time sensitive, meaning that all clients in the Active Directory domain must have their clocks synchronized to within a few minutes of each other.

If you see this error:

Could not authenticate, error = Clock skew too great.

then the host you are trying to join to the Active Directory domain does not have its clock synchronized with Active Directory.

There are a number of solutions to this problem. The best solution is to use a Network Time Protocol (NTP) server to synchronize your Windows Domain Controllers and Linux and UNIX clients against. This allows the Linux and UNIX clients to take advantage of the benefits of NTP and the ntpd daemon that is available on most UNIX and Linux platforms. For more information on NTP and time synchronization, see the VAS Administration Guide.

If you cannot deploy an NTP server, VAS provides tools to synchronize your Linux or UNIX host's clock directly against Active Directory. To synchronize your clock immediately, run vastool as root:

# /opt/vas/bin/vastool timesync adserver

where adserver is the hostname of a domain controller on your network.

This synchronizes your clock against Active Directory once, enabling you to authenticate, but it does not correct clock drift afterwards. The vascd daemon will synchronize your clock continually if no other NTP client is running. To use vascd to synchronize your clock, first disable any NTP clients on your system and then restart vascd; run only one time-synchronization client on a host, never both.
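To measure the skew before attempting a join, the following script is added here as an example; it is not a VAS tool and does not replace NTP. It assumes the domain controller's clock is read from the rootDSE attribute currentTime, which Active Directory returns as UTC generalized time (for instance with ldapsearch -x -H ldap://adserver -s base -b "" currentTime); the ldapsearch reply embedded below is constructed. The script parses that value, compares it with the local clock and applies the default Kerberos tolerance of 300 seconds, so a False result from skew_ok() predicts the "Clock skew too great" error.

```python
"""Check whether this host's clock is within Kerberos tolerance of a domain controller.

Added example for this guide; it is not a VAS tool and does not replace NTP.
It assumes the DC's clock is read from the rootDSE attribute currentTime, which
Active Directory returns as UTC generalized time (e.g. 20031119213045.0Z), for
instance with:  ldapsearch -x -H ldap://adserver -s base -b "" currentTime
The LDIF sample below is constructed.
"""
import time
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 300  # default Kerberos clock-skew tolerance (5 minutes)

# Constructed rootDSE reply as ldapsearch would print it (only the relevant attribute).
SAMPLE_ROOTDSE = """\
dn:
currentTime: 20031119213045.0Z
"""


def extract_current_time(ldif_text):
    """Pull the currentTime value out of an ldapsearch rootDSE reply."""
    for line in ldif_text.splitlines():
        if line.startswith("currentTime:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no currentTime attribute in reply")


def parse_generalized_time(value):
    """Parse LDAP generalized time YYYYMMDDHHMMSS[.fff]Z into an aware UTC datetime."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC generalized time ending in Z, got {value!r}")
    body = value[:-1].split(".", 1)[0]  # drop fractional seconds
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def skew_seconds(dc_current_time, local_epoch=None):
    """Seconds the local clock is ahead of (+) or behind (-) the domain controller."""
    local = time.time() if local_epoch is None else local_epoch
    return local - parse_generalized_time(dc_current_time).timestamp()


def skew_ok(dc_current_time, local_epoch=None, tolerance=MAX_SKEW_SECONDS):
    """True when the skew is within what the KDC accepts; False predicts 'Clock skew too great'."""
    return abs(skew_seconds(dc_current_time, local_epoch)) <= tolerance


if __name__ == "__main__":
    dc_time = extract_current_time(SAMPLE_ROOTDSE)
    print(f"local clock is {skew_seconds(dc_time):+.0f}s relative to the DC; "
          f"{'OK' if skew_ok(dc_time) else 'too far apart for Kerberos'}")
```

Run it against the real ldapsearch output of each domain controller you intend to join through; a host that passes this check but still gets "Clock skew too great" is talking to a different domain controller than the one you measured.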

Domain Discovery Errors

When you run vastool join to join your Linux/UNIX client to an Active Directory domain, vastool automatically detects the structure of the Active Directory forest. The domains and the domain controllers are detected and that information is stored in a local cache. If vastool cannot detect this information, you will not be able to join the domain or authenticate users.

To detect the domains and domain controllers, vastool relies on the SRV records that Active Directory registers in DNS for its Kerberos and LDAP servers, so your DNS server must be configured to accept dynamic updates from Active Directory. If Active Directory cannot register its SRV records, it will cause significant problems for your Active Directory deployment, not only for VAS.

If you see the following message during vastool join:

Detecting Domain Services for sfu35.vas....ERROR: Realms update failed, error = No such file or directory.

then the SRV records for Active Directory have not been registered with your DNS server, or you may not be using DNS. If you are using DNS, ensure that the host is pointed at the correct DNS server, and that Active Directory has registered SRV records such as _ldap._tcp.<your domain>. You can check for these SRV records with the following dig command:

# dig SRV _ldap._tcp.example.com

The output of dig will help you debug problems with your DNS server.

You can also use the vastool realms command to debug problems. vastool realms find srvs will list the services that can be detected through DNS. For more information on vastool see the vastool man page, or the VAS Administration Guide.
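To interpret what dig returns, the following script is added as an example; it is not part of VAS or vastool, and example.com, the hosts dc1, dc2 and dc3 and the 192.0.2.x addresses in its constructed sample are assumptions. It parses the SRV answer, orders the domain controllers the way an RFC 2782 client tries them (lowest priority first, weighted random within a priority) and reports an empty answer, which is the condition behind the "Realms update failed" message.

```python
"""Interpret `dig SRV` output for an Active Directory domain.

Added example for this troubleshooting appendix; it is not part of VAS or vastool.
Assumptions: the domain example.com, the hosts dc1/dc2/dc3 and the 192.0.2.x
addresses in SAMPLE_DIG are constructed for illustration. Feed the real output of
`dig SRV _ldap._tcp.example.com` (or `_kerberos._tcp.example.com`) to diagnose()
to see which domain controllers DNS actually advertises.
"""
import random
import re
from dataclasses import dataclass

# Constructed sample of dig output for a healthy domain: dc1 and dc2 share
# priority 0 (dc1 weighted to take about two thirds of the load), dc3 is a
# priority-10 fallback, and only dc1/dc2 have glue A records in the reply.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_ldap._tcp.example.com.  600  IN  SRV  0  100  389  dc1.example.com.
_ldap._tcp.example.com.  600  IN  SRV  0   50  389  dc2.example.com.
_ldap._tcp.example.com.  600  IN  SRV  10 100  389  dc3.example.com.

;; ADDITIONAL SECTION:
dc1.example.com.  3600  IN  A  192.0.2.10
dc2.example.com.  3600  IN  A  192.0.2.11
"""

SRV_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig(text):
    """Return (SRV records from the answer, {target: address} from any A records)."""
    srvs, addrs = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # comments and section banners
            continue
        m = SRV_RE.match(line)
        if m:
            prio, weight, port, target = m.groups()
            srvs.append(Srv(int(prio), int(weight), int(port), target.rstrip(".").lower()))
            continue
        m = A_RE.match(line)
        if m:
            addrs[m.group(1).rstrip(".").lower()] = m.group(2)
    return srvs, addrs


def order_targets(srvs, rng=None):
    """Order records as an RFC 2782 client tries them: lowest priority first,
    weighted random within a priority (a weight of 0 is almost never chosen early)."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({s.priority for s in srvs}):
        # RFC 2782: zero-weight records go at the front of the candidate list so that
        # only a draw of 0 selects them ahead of weighted records.
        bucket = sorted((s for s in srvs if s.priority == prio), key=lambda s: s.weight != 0)
        while bucket:
            draw = rng.randint(0, sum(s.weight for s in bucket))
            running = 0
            for s in bucket:
                running += s.weight
                if running >= draw:
                    ordered.append(s)
                    bucket.remove(s)
                    break
    return ordered


def diagnose(text):
    """Summarize what the answer means for a vastool join."""
    srvs, addrs = parse_dig(text)
    ordered = order_targets(srvs)
    report = {
        "targets": [f"{s.target}:{s.port}" for s in ordered],
        # Targets without glue are not an error, but each must resolve with an A lookup.
        "missing_addresses": [s.target for s in ordered if s.target not in addrs],
        "problems": [],
    }
    if not srvs:
        # The state behind "Realms update failed": nothing for vastool to discover.
        report["problems"].append("no SRV records in the answer: AD has not registered "
                                  "them on this DNS server, or you are querying the wrong server")
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE_DIG))
```

If diagnose() lists targets but the join still fails, check that each target resolves and is reachable on the port shown; if it reports no SRV records, the DNS server the host is using is not the one the domain controllers registered with.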

If you are not using DNS and instead rely on /etc/hosts entries, you must specify the hostnames of your domain controllers on the vastool join command line:

# vastool -u admin join example.com server1.example.com

where example.com is the domain you are joining, and server1.example.com is the hostname of a domain controller for the example.com domain.

It is important that /etc/hosts has an entry for server1.example.com, because nothing else can resolve it. You can configure multiple domain controllers by listing them on the vastool join command line after the domain name; each one needs its own /etc/hosts entry.

Permissions and Authentication Errors

Authentication Errors

To run vastool join successfully, you must supply a user name and password to authenticate to Active Directory. If you see this message:

Could not authenticate, error = Preauthentication failed.


you have supplied an incorrect password. Try the command again with the correct password.

If you see this message:

Could not authenticate, error = KDC has no support for encryption type.

you have tried to authenticate as a user that does not have a Kerberos User Principal Name (UPN). This is common with the Active Directory Administrator account, which does not have a UPN by default. To authenticate as the Active Directory Administrator account, you must give that user a user principal name and then reset the password. You can do this with the Active Directory Users and Computers snap-in: open the properties page for the Administrator user and set the User logon name fields on the Account tab.

If you see this message:

Could not authenticate, error = Client not found in Kerberos database.

the user you supplied to authenticate does not exist in Active Directory. Try again with a user that does exist in Active Directory.

Permissions Errors

The user you use to authenticate when running vastool join must have the appropriate permissions in Active Directory to create a computer object. If the user does not have the right permissions, you will see this error message:

Adding host/[email protected] to the Domain..... ERROR: Adding to domain failed, error = Access denied

You must give the user the appropriate access rights in Active Directory. You can do this by adding the user to the Domain Admins group or, preferably, by delegating the right to create computer objects in the Computers container to that user; delegation grants only what the join needs, whereas Domain Admins membership grants full control of the domain. For more information on delegating access rights for computer creation, see the VAS Administration Guide.

Using syslog

When experiencing problems with the VAS client, it is helpful to view the syslog messages that the VAS client produces. The location of these log files varies between Linux/UNIX versions and according to how the administrator has configured syslogd. They are commonly located in /var/adm, /var/log, or /var/adm/syslog. Of the different types of syslog messages, VAS uses the auth facility for messages from its authentication components and the daemon facility for messages from vascd.

The auth facility is commonly not logged by default in syslogd. To capture these messages, configure /etc/syslog.conf with entries for the auth and daemon facilities. There are many ways to configure /etc/syslog.conf to accomplish this. This is one example, which sends every facility at debug priority and above to a single file:

*.debug /var/adm/messages

Refer to your system's syslogd documentation for information on advanced configuration. Remember to restart syslogd (or signal it to reread its configuration) after making any changes to /etc/syslog.conf.
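A more targeted configuration than the catch-all above, added here as an example and not taken from the VAS documentation (the file name /var/log/vas.log is an assumption): it keeps the VAS auth and daemon messages in their own file, so they are not lost among everything else logged at debug priority. Classic syslogd requires a tab, not spaces, between the selector and the action.

```conf
# /etc/syslog.conf fragment (added example; /var/log/vas.log is an assumption)

# Catch-all from the guide: every facility at debug priority and above, in one file.
# Complete, but noisy, and the VAS messages are mixed with everything else.
*.debug		/var/adm/messages

# Targeted alternative: only the two facilities the VAS client uses.
# auth = VAS authentication components, daemon = vascd.
# The separator before the path must be a TAB on classic syslogd.
auth.*;daemon.*		/var/log/vas.log
```

Create the file and restrict its permissions (for example to mode 600, owned by root) before restarting syslogd: auth messages record user names and login failures, and on many systems syslogd does not create missing log files itself.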
