Installation and Configuration Guide. Version 2.6.47




Copyright © 2003-2005 Vintela, Inc. All Rights Reserved.

Legal Notice

Vintela documents are protected by the copyright laws of the United States and International Treaties.

PERMISSION TO COPY, VIEW, AND PRINT VINTELA DOCUMENTS IS AUTHORIZED PROVIDED THAT:

1. It is used for non-commercial and information purposes.
2. It is not modified.
3. The above copyright notice and this permission notice is contained in each Vintela document.

Notwithstanding the above, nothing contained herein shall be construed as conferring any right or license under the copyright of Vintela, Inc.

RESTRICTED RIGHTS LEGEND

When licensed to a U.S., State, or Local Government, all Software produced by Vintela is commercial computer software as defined in FAR 12.212, and has been developed exclusively at private expense. All technical data, or Vintela commercial computer software/documentation is subject to the provisions of FAR 12.211 - Technical Data, and FAR 12.212 - Computer Software respectively, or clauses providing Vintela equivalent protections in DFARS or other agency specific regulations. Manufacturer: Vintela Inc., 333 South 520 West, Lindon, Utah 84042.

DISCLAIMER

THE VINTELA DOCUMENTS ARE PROVIDED AS IS AND MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. VINTELA, INC. RESERVES THE RIGHT TO ADD, DELETE, CHANGE OR MODIFY THE VINTELA DOCUMENTS AT ANY TIME WITHOUT NOTICE. THE DOCUMENTS ARE FOR INFORMATION ONLY. VINTELA MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS OR WARRANTIES OF ANY KIND.

TRADEMARKS

Vintela and the Vintela logo are trademarks or registered trademarks of Vintela, Inc. in the U.S.A. and other countries. Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows 2000, Windows 2003, Windows XP, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. All other brand and product names are trademarks or registered marks of the respective owners.

CONTENTS

PREFACE

1 INTRODUCTION
    1.1 What is VAS?

2 WINDOWS INSTALLATION AND CONFIGURATION
    2.1 Extending The Active Directory Schema
    2.2 Installing the VAS Administrative Tools
    2.3 Upgrading the VAS Administrative Tools
    2.4 Registering VAS Administrative Tools with Active Directory
    2.5 Enabling Unix User and Group properties
        2.5.1 Enabling Unix Groups
        2.5.2 Enabling Unix Users

3 INSTALLING LINUX CLIENTS
    3.1 VAS Client Components
    3.2 Hardware Requirements
    3.3 Software Requirements
    3.4 Installing the Linux Client
        3.4.1 VAS Client Package Types
        3.4.2 Installing the VAS client rpm
    3.5 Upgrading the Linux Client
    3.6 Uninstalling the Linux Client

4 INSTALLING SOLARIS CLIENTS
    4.1 VAS Client Components
    4.2 Hardware Requirements
    4.3 Software Requirements
    4.4 Installing the Solaris Client
        4.4.1 VAS Client Package Types
        4.4.2 Installing the vasclient pkg
    4.5 Upgrading the Solaris Client
    4.6 Uninstalling the Solaris Client

5 INSTALLING HP-UX CLIENTS
    5.1 VAS Client Components
    5.2 Hardware Requirements
    5.3 Software Requirements
    5.4 Installing the HP-UX Client
        5.4.1 VAS Client Package Types
        5.4.2 Installing the vasclient depot
    5.5 Upgrading the HP-UX Client
    5.6 Uninstalling the HP-UX Client

6 INSTALLING AIX CLIENTS
    6.1 VAS Client Components
    6.2 Hardware Requirements
    6.3 Software Requirements
    6.4 Installing the AIX Client
        6.4.1 VAS Client Package Types
        6.4.2 Installing the VAS client AIX package
    6.5 Upgrading the AIX Client
    6.6 Uninstalling the vasclient AIX package

7 LICENSING AND CONFIGURING THE VAS CLIENT
    7.1 Installing Licenses
    7.2 VAS Client Configuration
        7.2.1 vastool join Modifications
        7.2.2 vastool join and DNS

A TROUBLESHOOTING COMMON INSTALLATION PROBLEMS
    A.1 Problems with Windows MMC Extensions
        A.1.1 Unix Account Tab is Not Displayed for User and Group Properties
    A.2 Time Synchronization Errors
    A.3 Domain Discovery Errors
    A.4 Permissions and Authentication Errors
        A.4.1 Authentication Errors
        A.4.2 Permissions Errors
    A.5 Using syslog

PREFACE

Why VAS?

System administrators today must support heterogeneous platforms and applications for their users' business needs and requirements. When providing users with the best network accessibility and state of the art applications, system administrators are left with an integration and security nightmare. Critical to the security of any network is the authentication and verification of user identities.

Adopting Microsoft Active Directory solves some issues with authentication and identity management. However, this introduces significant problems for the organization that additionally runs business-critical applications on Unix and Linux platforms. When system administrators maintain multiple user authentication systems, users must often remember multiple passwords. System administrators might be clever enough to devise script-based password synchronization tools, but this solution can become hard to support and maintain, and hard to train additional staff to use.

Vintela Authentication Services (VAS) provides the solution for integrating Unix and Linux systems with Active Directory. It supplies the discipline and controls necessary to ensure the security and integrity demanded in business environments. VAS allows administrators to provide a secure environment where users have the same user name and password for Windows, Unix, and Linux logins without having to maintain password synchronizers or perform user administration tasks on multiple systems. VAS users can log in and authenticate to Active Directory from their Unix servers and workstations the same way they do from Windows XP and Windows 2000/2003. VAS makes it possible to manage all users from within the standard Active Directory management environment.

Audience and Scope

This guide is intended for Windows, UNIX, and Linux system administrators who will be installing VAS for the first time. By following the instructions presented in this guide a system administrator will be able to configure new or existing UNIX/Linux systems so that they authenticate user logins against user and group accounts stored in Windows Active Directory.

Conventions Used in this Guide

The following notation conventions are used throughout this guide:

- Directories and filenames appear in mono font. For example, /etc/pam.conf.
- Executable names are bolded. For example, vascd.
- Specific file and packaging formats appear in bold. For example, the RPM package.
- Shell commands appear in mono font. For example:

    # vastool configure pam

- Within text, commands are bolded for readability. For example, using vastool you can create users, delete users, and list user information.
- Menu items and buttons appear in bold. For example, click Next.
- Selecting a menu item is indicated as follows: Programs -> Administrative Tools -> Active Directory Users and Computers

VAS supports a number of different implementations of UNIX® that include Solaris®, HP-UX®, Linux®, and AIX®. To refer to all of these platforms, the term Unix will be used for conciseness and consistency.

Chapter 1 INTRODUCTION

1.1 What is VAS?

Vintela Authentication Services (VAS) unifies Windows, Unix and Linux authentication and identity management so that regardless of which platform you want to access, you can log in using your Windows Active Directory user name and password. The VAS product securely and conveniently eliminates the need for manual per-system identity administration, User and Group NIS maps, and password synchronization scripting.

Above all, VAS eliminates the need to layer third-party software on top of the critical security components of Windows 2000/2003. Instead, VAS provides fully compatible client libraries and utilities that transparently and securely redirect the core Unix authentication and identity management functionality to Windows domain controllers using interoperable protocols (such as Kerberos v5 and LDAP).

Other identity management solutions layer additional software on top of Active Directory or replace it altogether. In either case, solutions that interrupt the core Windows 2000/2003 services to provide a gateway for Unix interoperability add to the Windows management complexity and create dangerous security vulnerabilities that affect overall enterprise security and stability.

Figure 1.1 shows how a user named JD with a password of Hockey logs into a Unix or Linux system while authenticating against Active Directory. The core protocol interaction between the Windows domain controller and the Unix/Linux system is the same as that of a Windows XP client. JD can now use the same user name and password to log into either the Windows or Unix systems.

Figure 1.1. User authentication against Active Directory from both Windows and Unix.

Chapter 2 WINDOWS INSTALLATION AND CONFIGURATION

Installing VAS is extremely easy and takes only a few short steps. Administrators should first install and configure the necessary Windows components for VAS before installing or configuring any of the Unix components. This chapter contains the following steps that should be followed to install and configure the VAS Windows components:

- Extending the Active Directory Schema
- Registering VAS Administrative Tools with Active Directory
- Installing the VAS Administrative Tools
- Upgrading the VAS Administrative Tools
- Enabling Unix Group properties
- Enabling Unix User properties

2.1 Extending The Active Directory Schema

VAS uses Active Directory as the central repository for all Unix account information for your network. In order for Unix account information to be associated with users and groups, the Active Directory schema definitions must support storing Unix attributes with user and group objects.

Microsoft Windows 2003 R2 contains the full RFC 2307 schema extension, and VAS will work out of the box with an R2 installation without the need for any additional schema extensions. If you are already using Windows 2003 R2, you do not need to extend your schema.

If you are not yet using Windows 2003 R2 and do not have a suitable schema extension already installed, you will need to extend your Active Directory schema. You only need to extend the schema once on the Schema Master domain controller of each Active Directory forest. Since extending the Active Directory schema is typically a permanent action, you should ensure that you are comfortable with the schema extensions being installed. Also, you should be sure to follow the standard Active Directory administrative steps, such as ensuring your data is backed up, any time you modify configuration information that impacts the entire AD forest.

The instructions here document how to install the default schema extensions shipped with VAS. The default schema extension used is the subset of the R2 schema extensions needed to support VAS. Using this schema extension will simplify your eventual upgrade to R2. Note that if you are using Windows 2000, you must use the R2 subset for Windows 2000. Also, if you have extended the Active Directory schema with SFU 2.0, you must apply the Microsoft SFU hotfix described in Microsoft Knowledge Base article 293783. You can view this KB article at http://support.microsoft.com/kb/293783.

VAS does support other schema extensions such as the Microsoft SFU schema extensions. For instructions on working with alternative schema extensions, see the VAS Administrators Guide.

In order to extend the schema, log on locally to the Schema Master as an Active Directory user that has been granted Schema Admin privileges. If you don't have Schema Admin privileges, you cannot extend the schema.

To extend the Active Directory schema, complete the following:

1. Insert the product CD into the CDROM drive of the Schema Master Domain Controller.
2. Browse to the schema\win32 folder on the CD.
3. Double-click the schemext.exe file to initiate the VAS Schema Extension Utility.
4. The following dialog appears:
5. You have the option of applying one or more of the following schema extensions:
   - Windows 2003 R2 Schema Subset for VAS on Windows 2000
   - Windows 2003 R2 Schema Subset for VAS on Windows 2003
   - VAS NIS Map Schema (optional)
   Select the schema extension you want to apply and click Extend Schema. A Schema Information dialog window appears.
6. Click Yes to indicate that you want to apply the schema extension. An hour glass appears as it applies the schema extensions. A dialog window appears indicating that the schema extension has been successfully applied.
7. To install another schema extension, repeat steps 3, 4, 5, and 6.

If desired, you can skip using the Schema Extender and just use the Windows ldifde utility to install the schema extension. The VAS Schema Extender Utility simply provides a GUI interface to ldifde itself, and automatically sets the registry required to enable a schema extension. See your ldifde documentation for more information on how to use ldifde. Here is a typical ldifde command line that you would use when logged into the schema master:

    ldifde -i -f vas_schema_r2subset_for_win2k.ldif -c DC=X <forest DN>

IMPORTANT: Only the R2 Subset is required for VAS. Only apply the VAS NIS Map schema extension if you have NIS Map data to migrate to Active Directory and are planning to use the VAS NIS components, and you do not want to use the RFC 2307 NIS Map schema definitions available in R2.

IMPORTANT: You do not need to install the schema extender utility or extend the schema on any workstations. This only needs to be done once on the Schema Master for your Active Directory forest.

If you see any errors similar to:

    Add error on line 21: Already Exists

- or -

    Add error on line 78: Unwilling To Perform (during nismap extension)

it is likely that the schema extension has already been installed.

2.2 Installing the VAS Administrative Tools

Installing the VAS Administrative Tools on an administrative workstation allows the administrator to manage Unix user and group properties when using the Active Directory Users and Computers Snap-In. You can install the VAS Administrative Tools on any workstation that has the Active Directory Users and Computers Snap-In installed, even the Schema Master. Note that you must have the appropriate administrative rights to install software in order to install the VAS Administrative Tools.

To install the VAS Administrative Tools, complete the following:

1. Insert the product CD into the CDROM drive.
2. Browse to the admintools\win32 folder on the CD.
3. Double-click the VAS MSI file to initiate the Setup Wizard.
4. Click Next on the Welcome screen.
5. Read the license agreement and click I Accept to accept the license agreement; then click Next.

6. The VAS Administrative Tools install in Program Files\Vintela\VAS. Click Next to begin the install.
7. Click Finish.

NOTE: You cannot install the MSI file from a network file share. If you are using a network share for installation instead of a CD, you must copy the VAS.msi file to the local machine first.

2.3 Upgrading the VAS Administrative Tools

The process for upgrading the VAS Administrative Tools from older VAS versions to VAS 2.6 is identical to the installation process. The VAS Administrative Tools installer will automatically detect older versions of the VAS Snapin and automatically upgrade them. The next time you launch Active Directory Users and Computers, it will use the updated VAS Administrative Tools.

2.4 Registering VAS Administrative Tools with Active Directory

If you plan to use the VAS NIS compatibility features you must register the VAS Administrative Tools with Active Directory. This allows for rich support of VAS NIS map objects in Active Directory. The registration process configures display specifier objects for user, group and VAS NIS map object classes. Even if you are not planning to use NIS compatibility, Vintela recommends that you perform this step because it will allow the Unix Account tabs to be accessible in more contexts such as the Find User and Group dialog.

This step requires Enterprise Admin rights in Active Directory. The VAS product CD contains a utility called the VAS Display Specifier Registration Wizard which you can use to configure the appropriate display specifiers.

To register the VAS Administrative Tools, complete the following:

1. Log in to any Windows machine on the domain as a user with Enterprise Admin rights.
2. Insert the VAS product CD into the CDROM drive.
3. Browse to the schema\win32 folder.
4. Double-click the DSREG32.EXE file to initiate the VAS Registration Wizard. The Welcome Screen displays.
5. Click Next on the Welcome Screen.
6. The Provider Selection screen is displayed:

   Check the box for each management console that you will be using to manage Unix objects. In most cases this will be Active Directory Users and Computers (LDAP), checked by default.

   NOTE: If you see a message indicating that display specifiers are already installed, click Cancel to exit the wizard. You need only register display specifiers once.
7. Click Next to continue.
8. Registration results display:

   Examine the results to be sure that all objects were registered successfully. If any errors are present, make sure that you are able to contact the domain controller and that you have Enterprise Admin rights, and then run the wizard again.

2.5 Enabling Unix User and Group properties

Once you apply the schema extensions, register the VAS Administrative Tools with Active Directory, and install the VAS Administrative Tools package, you can Unix-enable user and group accounts. A Unix-enabled user or group is an Active Directory user or group that has Unix attributes such as a Unix UID or Unix GID. Only users and groups that have been Unix-enabled in Active Directory are available on the VAS clients.

2.5.1 Enabling Unix Groups

Before creating Unix-enabled user accounts we recommend you create at least one Unix-enabled group account you can use for the primary group (GID) of Unix-enabled users.

To create a group, do the following:

1. From the Start menu, click Programs -> Administrative Tools -> Active Directory Users and Computers.
2. Right-click on the Users folder.
3. Select New -> Group.
4. Enter the Group name.
5. Make sure that Group type is set to Security (default) and click OK.

To Unix-enable a group, do the following:

1. Right-click on an existing group and select Properties.
2. Click the Unix Account tab in the group properties dialog. (The Unix Account tab is provided by the VAS Administrative Tools MMC extensions.) If you do not see this tab, refer to Section A.1.1 in this guide. The following properties dialog appears:
3. Click the Enable Unix Group check box. Make sure the group has an appropriate GID. If there are no other Unix-enabled groups in the current Organizational Unit (OU, commonly referred to as a "container"), the first group receives a suggested GID of 1000.

   This is a default which you can change. If there are other Unix-enabled groups in the group's container, an unused GID which is higher than the lowest allocated GID in the container is suggested as a default. On most Unix and Linux operating systems the (local) system groups are assigned GIDs between 0 and 500. To avoid conflicts with local group accounts, we recommend that you do not set any Active Directory group GIDs less than 1000.
4. When you have finished editing the group information, click OK to save the changes.

2.5.2 Enabling Unix Users

To enable Unix and Linux user accounts, complete the following:

1. From the Start menu click Programs -> Administrative Tools -> Active Directory Users and Computers.
2. Open the Users folder.
3. Right-click on an existing user and select Properties to view the properties associated with that user's account.
4. Click the Unix Account tab in the User Properties dialog (The VAS Administrative Tools MMC extensions provide a Unix Account). If you do not see this tab, refer to Section A.1.1 in this guide. The following properties dialog appears:
5. Click the Enable Unix Account check box.

6. Modify the suggested defaults as necessary. To select a different Primary group, click on the group selection button labeled with ... next to the Primary Group ID edit box, and select a group from the presented list. If there are no other Unix-enabled users in the user's Organizational Unit (OU, commonly referred to as a "container"), the first user receives a suggested UID of 1000. This is a default which you can change. If there are other Unix-enabled users in the user's container, an unused UID which is higher than the lowest allocated UID in the container is suggested as a default. On most Unix and Linux operating systems the (local) system users are typically assigned UIDs between 0 and 100. To avoid conflict with local user accounts, we recommend that you do not set any Unix-enabled User UIDs in Active Directory below 1000.

IMPORTANT: The default value for Login Shell is /bin/bash. If you do not have this shell on the systems the user is logging into, you must change this setting to the location of a valid login shell or make symlinks on systems so that the shell location is valid.
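The UID, GID and login shell guidance in sections 2.5.1 and 2.5.2, as an added example that is not part of the Vintela guide: a shell check, run on a Unix host, that lists local passwd or group entries already inside the 1000-and-above range, classifies a proposed Active Directory ID against them, and tests that a login shell exists. The function names, the AD_MIN_ID variable and the sample passwd file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the VAS guide). Pre-flight check before
# Unix-enabling Active Directory accounts that will log in to this host.

# Lowest UID/GID the guide recommends for Unix-enabled AD accounts.
AD_MIN_ID=1000

# local_id_conflicts FILE
# FILE is in passwd(5) or group(5) format; field 3 is the numeric ID in both.
# Prints "name:id" for every local entry whose ID is inside the AD range.
local_id_conflicts() {
    awk -F: -v min="$AD_MIN_ID" '
        /^#/ || NF < 3 { next }        # skip comments and malformed rows
        $1 ~ /^[+-]/   { next }        # skip NIS compat entries
        $3 ~ /^[0-9]+$/ && $3 + 0 >= min { print $1 ":" $3 }
    ' "$1"
}

# classify_id FILE ID
# Prints "reserved" when ID is below AD_MIN_ID, "collision:<name>" when a
# local entry in FILE already owns ID, and "ok" otherwise.
classify_id() {
    awk -F: -v id="$2" -v min="$AD_MIN_ID" '
        $1 !~ /^[+-#]/ && $3 == id { owner = $1 }
        END {
            if (id + 0 < min)     print "reserved"
            else if (owner != "") print "collision:" owner
            else                  print "ok"
        }
    ' "$1"
}

# shell_is_valid PATH
# Succeeds only when the login shell set in AD exists and is executable here.
shell_is_valid() {
    [ -f "$1" ] && [ -x "$1" ]
}

# Constructed sample in passwd(5) format; on a real host pass /etc/passwd
# (for UIDs) or /etc/group (for GIDs) instead.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
appsvc:x:1000:1000:local service account:/home/appsvc:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
EOF

echo "Local accounts inside the AD range (>= $AD_MIN_ID):"
local_id_conflicts "$SAMPLE"

for uid in 500 1000 1001; do
    echo "proposed UID $uid: $(classify_id "$SAMPLE" "$uid")"
done

if shell_is_valid /bin/bash; then
    echo "/bin/bash present: default Login Shell is usable on this host"
else
    echo "/bin/bash missing: change Login Shell in AD or add a symlink"
fi
```

A local account that shares a UID with an Active Directory user is treated by the kernel as the same owner for file permissions, so any collision reported here should be resolved before the account is Unix-enabled.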

Chapter 3 INSTALLING LINUX CLIENTS

This chapter describes how to install and remove the VAS client for Linux® operating systems. The following information is included:

- VAS Client Components
- Hardware Requirements
- Software Requirements
- Installing the Linux Client
- Uninstalling the Linux Client

3.1 VAS Client Components

The VAS client is packaged in RPM format and is made up of the following components:

- A client daemon, vascd
- An NSS module, nss_vas
- A PAM module, pam_vas
- A command line administrative tool, vastool
- A shared library, libvas
- Man pages

3.2 Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

3.3 Software Requirements

The VAS client supports the following Linux distribution and architecture combinations:

- RedHat® Linux 7.3, 9.0; RedHat Enterprise Linux AS, ES, and WS for 2.1, 3.0, and 4.0 (x86); RedHat Enterprise Linux 3.0 and 4.0 (x86_64)
- Suse® Linux 8.0, 8.1, 8.2, 9.1, 9.2, 9.3 (x86), 9.3 (x86_64)
- Suse® Linux Enterprise Server 8.1, 9.0 (ppc, x86), 9.0 (x86_64)

It is recommended that each platform be kept up to date with the recommended patches and updates for that platform.

3.4 Installing the Linux Client

This section details how to install the VAS client on supported Linux platforms.

3.4.1 VAS Client Package Types

There are two different types of VAS client packages:

- Site Licensed (site): The VAS site package does not require any licensing and has no user limit.
- User Licensed (licensed packages): The software in the user-licensed package requires a license file to be installed on the system. This license will contain both an expiration date and a User limit. VAS evaluations will require an evaluation license that will be set to expire. Standard licenses will not have an expiration date. For more information on licensing the VAS client, see Chapter 7, Licensing and Configuring the VAS Client.

Your installation media has the appropriate version of the client software.

IMPORTANT: You cannot directly upgrade from the site packages to the licensed packages, or vice-versa. If you are changing the type of VAS client you install, you must uninstall the old one and install the new one.

3.4.2 Installing the VAS client rpm

To install the VAS client rpm, perform the following:

1. Log in and open a root shell.
2. Mount the installation CD, go to the appropriate linux client directory, and run the necessary rpm command.

   For Suse x86 platforms, do the following:

    # mount /media/cdrom
    # cd /media/cdrom/client/linux-x86
    # rpm -ivh vas-client-2.6.47-26.i386.rpm

   For Redhat x86 platforms, do the following:

    # mount /mnt/cdrom
    # cd /mnt/cdrom/client/linux-x86
    # rpm -ivh vas-client-2.6.47-26.i386.rpm

   For SLES 8 PowerPC platforms, do the following:

    # mount /media/cdrom
    # cd /media/cdrom/client/linux-libc22-ppc64
    # rpm -ivh vas-client-glibc22-2.6.47-26.ppc64.rpm

   For SLES 9 PowerPC platforms, do the following:

    # mount /media/cdrom
    # cd /media/cdrom/client/linux-libc23-ppc64
    # rpm -ivh vas-client-glibc23-2.6.47-26.ppc64.rpm

   For Redhat x86_64 platforms, do the following:

    # mount /mnt/cdrom
    # cd /mnt/cdrom/client/linux-x86_64
    # rpm -ivh vas-client-2.6.47-26.x86_64.rpm

   For Suse x86_64 platforms, do the following:

    # mount /media/cdrom
    # cd /media/cdrom/client/linux-x86_64
    # rpm -ivh vas-client-2.6.47-26.x86_64.rpm

   Note: the x86_64 VAS rpm contains both 64-bit and 32-bit libraries, and has an RPM dependency on both the 32-bit libpam library and the 64-bit libpam library. If the 64-bit Linux OS you are installing on does not have any 32-bit supporting libraries installed, you will need to use the --nodeps RPM flag to force the installation and avoid error messages about missing dependencies.
3. If you are installing the site-licensed version, the RPM name begins with vas-client-site instead of vas-client.

For information on configuring the VAS Client, see Chapter 7, Licensing and Configuring the VAS Client.

3.5 Upgrading the Linux Client

This section details how to upgrade the VAS client on supported Linux platforms. You will need to upgrade the same VAS client RPM that you previously installed. For example, the vas-client-site RPM can only upgrade an older vas-client-site RPM.

To upgrade the VAS client RPM, perform the following:

1. Log in and open a root shell.

2. Mount the installation CD, go to the appropriate linux client directory, and run the necessary RPM command.

For Suse x86 platforms, do the following:

    # mount /media/cdrom
    # cd /media/cdrom/client/linux-x86
    # rpm -Uvh vas-client-2.6.47-26.i386.rpm

For Redhat x86 platforms, do the following:

    # mount /mnt/cdrom
    # cd /mnt/cdrom/client/linux-x86
    # rpm -Uvh vas-client-2.6.47-26.i386.rpm

For SLES 8 PPC platforms, do the following:

    # mount /media/cdrom
    # cd /media/cdrom/client/linux-glibc22-ppc64
    # rpm -Uvh vas-client-glibc22-2.6.47-26.ppc64.rpm

For SLES 9 PPC platforms, do the following:

    # mount /media/cdrom
    # cd /media/cdrom/client/linux-glibc23-ppc64
    # rpm -Uvh vas-client-glibc23-2.6.47-26.ppc64.rpm

For Redhat x86_64 platforms, do the following:

    # mount /mnt/cdrom
    # cd /mnt/cdrom/client/linux-x86_64
    # rpm -Uvh vas-client-2.6.47-26.x86_64.rpm

For Suse x86_64 platforms, do the following:

    # mount /media/cdrom
    # cd /media/cdrom/client/linux-x86_64
    # rpm -Uvh vas-client-2.6.47-26.x86_64.rpm

Note: the x86_64 VAS rpm contains both 64-bit and 32-bit libraries, and has an RPM dependency on both the 32-bit libpam library and the 64-bit libpam library. If the 64-bit Linux OS you are installing on does not have any 32-bit supporting libraries installed, you will need to use the --nodeps RPM flag to force the installation and avoid error messages about missing dependencies.

If you are upgrading the site-licensed version, the RPM name begins with vas-client-site instead of vas-client.

During the upgrade, the vascd cache will be flushed and reloaded to ensure that any new database formats are set up correctly. As part of the flush, the vascd daemon will be restarted. You do not need to make any other configuration changes.

3. In versions of VAS earlier than 2.6.47, you will need to reinstall your VAS license after upgrading, using the vastool license command. VAS versions 2.6.47 and later use a different licensing mechanism that does not require you to reapply your license.

3.6 Uninstalling the Linux Client

This section details how to uninstall the VAS client from supported Linux platforms.

To uninstall the VAS client RPM, perform the following:

1. Log in and open a root shell.
2. If using the licensed VAS client, use rpm to remove the package as follows:

    # rpm -e vas-client

   If using the site-licensed VAS client, use rpm to remove the package as follows:

    # rpm -e vas-client-site

Chapter 4 INSTALLING SOLARIS CLIENTS

This section describes how to install and remove the VAS client for Solaris® operating systems. The following information is included:

- VAS Client Components
- Hardware Requirements
- Software Requirements
- Installing the Solaris Client
- Uninstalling the Solaris Client

4.1 VAS Client Components

The VAS client is packaged in pkg format, and is made up of the following components:

- A client daemon, vascd
- An NSS module, nss_vas
- A PAM module, pam_vas
- A command line administrative tool, vastool
- A shared library, libvas
- 64-bit versions of the libraries and modules
- Man pages

4.2 Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

4.3 Software Requirements

The VAS client supports the following versions of Solaris:

- Solaris® 2.6, 2.7, 8, 9, and 10 (Sparc)
- Solaris® 8 and 9 (x86)

It is recommended that each platform be kept up to date with the recommended patch set for that platform.

4.4 Installing the Solaris Client

This section details how to install the VAS client on supported Solaris platforms. With the VAS client components installed, your Solaris system can become a member of the Active Directory domain.

NOTE: Before you begin the installation, make sure that you have the latest patches for your version of Solaris from http://www.sun.com/bigadmin/patches/. Solaris 8 for SPARC requires that you have at least patches 110934-05 and 110380-04.

4.4.1 VAS Client Package Types

There are two different types of VAS client packages:

- Site Licensed (site): The VAS site package does not require any licensing and has no user limit.
- User Licensed (licensed packages): The software in the user-licensed package requires a license file to be installed on the system. This license will contain both an expiration date and a user limit. VAS evaluations will require an evaluation license that will be set to expire. Standard licenses will not have an expiration date.

For more information on licensing the VAS client, see Chapter 7, Licensing and Configuring the VAS Client.

Your installation media has the appropriate version of the client software.

IMPORTANT: You cannot directly upgrade from the site packages to the licensed packages, or vice-versa. If you are changing the type of VAS client you install, you must uninstall the old one and install the new one.

4.4.2 Installing the vasclient pkg

To install the VAS client package, perform the following:

1. Log in and open a root shell.
2. Insert the installation CD. It is mounted automatically.
3. If installing on Solaris 8, 9, or 10 for SPARC, perform the following commands:

    # cd /cdrom/cdrom0/client/solaris8-sparc
    # pkgadd -d vasclient_sunos_5.8_sparc-2.6.47.26.pkg vasclient

   If installing on Solaris 8, 9, or 10 for x86 platforms, perform the following commands:

    # cd /cdrom/cdrom0/client/solaris8-x86
    # pkgadd -d vasclient_sunos_5.8_i386-2.6.47.26.pkg vasclient

   If installing on Solaris 2.6 for SPARC, perform the following commands:

    # cd /cdrom/cdrom0/client/solaris26-sparc
    # pkgadd -d vasclient_sunos_5.6_sparc-2.6.47.26.pkg vasclient

   If installing on Solaris 2.7 for SPARC, perform the following commands:

    # cd /cdrom/cdrom0/client/solaris27-sparc
    # pkgadd -d vasclient_sunos_5.7_sparc-2.6.47.26.pkg vasclient

In the above steps, replace /cdrom/cdrom0 with the path to your CDROM device. If you are installing the site-licensed version, the name of the client pkg is vasclient_SunOS_5.8_sparc-2.6.47.26-site.pkg.

NOTE: In certain situations pkgadd requests additional information. Respond appropriately for your system configuration. Initialization scripts that are part of the vasclient package run during installation to help configure the system.

For information on configuring the VAS Client, see Chapter 7, Licensing and Configuring the VAS Client.

4.5 Upgrading the Solaris Client

This section details how to upgrade the VAS client on supported Solaris platforms.

To upgrade the VAS client package, perform the following:

1. Log in and open a root shell.
2. Insert the installation CD. It is mounted automatically.

3. If upgrading on Solaris 8, 9, or 10 for SPARC, perform the following commands:

    # cd /cdrom/cdrom0/client/solaris8-sparc
    # pkgadd -a ../solaris-upgrade-defaults \
        -d vasclient_sunos_5.8_sparc-2.6.47.26.pkg vasclient

   If upgrading on Solaris 8 or 9 for x86 platforms, perform the following commands:

    # cd /cdrom/cdrom0/client/solaris8-x86
    # pkgadd -a ../solaris-upgrade-defaults \
        -d vasclient_sunos_5.8_i386-2.6.47.26.pkg vasclient

   If upgrading on Solaris 2.6 for SPARC, perform the following commands:

    # cd /cdrom/cdrom0/client/solaris26-sparc
    # pkgadd -a ../solaris-upgrade-defaults \
        -d vasclient_sunos_5.6_sparc-2.6.47.26.pkg vasclient

   If upgrading on Solaris 2.7 for SPARC, perform the following commands:

    # cd /cdrom/cdrom0/client/solaris27-sparc
    # pkgadd -a ../solaris-upgrade-defaults \
        -d vasclient_sunos_5.7_sparc-2.6.47.26.pkg vasclient

   In all of the above examples, replace /cdrom/cdrom0 with the appropriate path to your mounted CD. If you are upgrading the site-licensed version, the name of the client pkg is vasclient_SunOS_5.8_sparc-2.6.47.26-site.pkg.

   The -a vasclient-defaults option specifies an alternative default file for pkgadd administrative options that allows pkgadd to overwrite an existing pkg with a new pkg. pkgadd does not support the concept of upgrading a pkg, so this allows you to upgrade without having to rejoin your machine to the Active Directory domain, or uninstalling the old version first.

4. A post installation script will automatically run vastool flush, which will restart vascd and rebuild the VAS caches.
5. If you are using the licensed version of the VAS client earlier than 2.6.47, then reinstall your user license with the vastool license command. VAS versions 2.6.47 and later use a new licensing technology that does not require you to reinstall your license as part of an upgrade.

4.6 Uninstalling the Solaris Client

This section details how to uninstall the VAS client from supported Solaris platforms.

To uninstall the VAS client pkg, perform the following:

1. Log in and open a root shell.
2. Use pkgrm to remove the package as follows:

    # pkgrm vasclient

Chapter 5 INSTALLING HP-UX CLIENTS

This section describes how to install and remove the VAS client for HP-UX® operating systems. The following information is included:

- VAS Client Components
- Hardware Requirements
- Software Requirements
- Installing the HP-UX Client
- Uninstalling the HP-UX Client

5.1 VAS Client Components

The VAS client is packaged in depot format for both PA-RISC and the IA-64 platforms and is made up of the following components:

- A client daemon, vascd
- An NSS module, nss_vas
- A PAM module, pam_vas
- A command line administrative tool, vastool
- A shared library, libvas
- 64-bit versions of the libraries and modules (the IA-64 package has 32-bit PA-RISC libraries as well)
- Man pages

5.2 Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

5.3 Software Requirements

The VAS client supports the following versions of HP-UX:

- HP-UX 11 (HP-UX B.11.0 / PA-RISC)
- HP-UX 11i v1 (HP-UX B.11.11 / PA-RISC)
- HP-UX 11i v1.6 (HP-UX B.11.22 / IA-64)

5.4 Installing the HP-UX Client

This section details how to install the VAS client on supported HP-UX platforms. With the VAS client components installed, your HP-UX system becomes a member of the Active Directory domain.

IMPORTANT: Before you begin the installation, make sure that you have the latest support plus patches for your version of HP-UX from http://www.software.hp.com/support_PLUS/index.html or at http://www.hp.com.

HP-UX 11 (B.11.0) requires the following patch:

- Quality Pack QPK1100 (B.11.00.62.4)

HP-UX 11i v1 (B.11.11) requires the following patches:

- Bundle 11i (B.11.11.0306.1)
- Quality Pack GOLDQPK11i (B.11.11.0306.4)

HP-UX 11i v1.6 (B.11.22) requires the following patch:

- Maintenance Pack (MAINTPACK version E0306)

5.4.1 VAS Client Package Types

There are two different types of VAS client packages:

- Site Licensed (site): The VAS site package does not require any licensing and has no user limit.
- User Licensed (licensed packages): The software in the user-licensed package requires a license file to be installed on the system. This license will contain both an expiration date and a user limit. VAS evaluations will require an evaluation license that will be set to expire. Standard licenses will not have an expiration date.

For more information on licensing the VAS client, see Chapter 7, Licensing and Configuring the VAS Client.

Your installation media has the appropriate version of the client software.

IMPORTANT: You cannot directly upgrade from the site packages to the licensed packages, or vice-versa. If you are changing the type of VAS client you install, you must uninstall the old one and install the new one.

5.4.2 Installing the vasclient depot

To install the VAS client depot, perform the following:

1. Log in and open a root shell.
2. Mount the installation CD by executing the following commands:

    # mkdir /cdrom
    # mount -F cdfs -o rr /dev/dsk/c0t0d0 /cdrom

   Where /dev/dsk/c0t0d0 is the name of the device for your CDROM drive.

3. If installing on HP-UX 11i v1.6, use swinstall to install the IA-64 depot by executing the following command:

    # swinstall -s \
        /cdrom/client/hpux-ia64/vasclient_ia64-2.6.47.26.depot vasclient

   If installing on HP-UX 11i v1 or 11.0, use the following command line to install the depot for PA-RISC machines:

    # swinstall -s \
        /cdrom/client/hpux-pa/vasclient_9000-2.6.47.26.depot vasclient

   If you are installing the site-licensed version, the depot name is vasclient_9000-2.6.47.26-site.depot or vasclient_ia64-2.6.47.26-site.depot.

IMPORTANT: VAS requires that the Unix client's system clock be synchronized with the Active Directory server's system clock. By default, HP-UX uses xntpd for time services. To properly synchronize the system clocks, either configure xntpd to sync with a Domain Controller, or disable xntpd to allow VAS to synchronize the system time. Consult the xntpd documentation for information on disabling xntpd and configuring the xntpd client.

For information on configuring the VAS Client, see Chapter 7, Licensing and Configuring the VAS Client.

5.5 Upgrading the HP-UX Client

This section details how to upgrade the VAS client on supported HP-UX platforms.

To upgrade the vasclient depot, perform the following:

1. Log in and open a root shell.
2. Mount the installation CD by executing the following commands:

    # mkdir /cdrom
    # mount -F cdfs /dev/dsk/c0t0d0 /cdrom

   Where /dev/dsk/c0t0d0 is the name of the device for your CDROM drive.

3. If upgrading on HP-UX 11i v1.6, use swinstall to upgrade the IA-64 depot by executing the following command:

    # swinstall -s \
        /cdrom/client/hpux-ia64/vasclient_ia64-2.6.47.26.depot vasclient

   If upgrading on HP-UX 11i v1 or 11.0, use the following command line to upgrade the depot for PA-RISC machines:

    # swinstall -s \
        /cdrom/client/hpux-pa/vasclient_9000-2.6.47.26.depot vasclient

   If you are upgrading the site-licensed version, the depot name is vasclient_9000-2.6.47.26-site.depot or vasclient_ia64-2.6.47.26-site.depot.

4. Reboot the HP-UX machine to ensure that all of the new files are installed. HP-UX does not allow you to overwrite files that are in use; this is done as part of the boot sequence.
5. If you are using a licensed version of the VAS client earlier than 2.6.47, reinstall your user license with the vastool license command. VAS versions 2.6.47 and later use a new licensing technology that does not require the license to be reinstalled as part of the upgrade.

5.6 Uninstalling the HP-UX Client

This section details how to uninstall the VAS client from supported HP-UX platforms.

To uninstall the VAS client depot, perform the following:

1. Log in and open a root shell.
2. Use swremove to remove the package as follows:

    # swremove vasclient

The HP-UX swremove command will not clean up the empty directories that the vasclient package used. In order to clean these up, manually remove the /opt/vas directory after uninstallation.

Chapter 6 INSTALLING AIX CLIENTS

This section describes how to install and remove the VAS client for AIX® operating systems. The following information is included:

- VAS Client Components
- Hardware Requirements
- Software Requirements
- Installing the AIX Client
- Uninstalling the AIX Client

6.1 VAS Client Components

The VAS client is packaged in installp format, and is made up of the following components:

- A client daemon, vascd
- A Loadable Authentication Module, VAS
- A PAM module, pam_vas (for AIX 5.1, 5.2, and 5.3)
- A command line administrative tool, vastool
- A shared library, libvas
- Man pages

6.2 Hardware Requirements

There are no additional hardware requirements for running the VAS client beyond the operating system requirements.

6.3 Software Requirements

The VAS client supports the following versions of AIX:

- 4.3.3 (32-bit only - requires at least maintenance level 11 (4330-11))
- 5.1 (32 and 64 bit - requires at least maintenance level 4 (5100-04))
- 5.2 (32 and 64 bit - requires at least maintenance level 4 (5200-04))
- 5.3 (32 and 64 bit - requires at least maintenance level 1 (5200-01))

You can check your current maintenance level with the command:

    oslevel -r

6.4 Installing the AIX Client

This section details how to install the VAS client on supported AIX platforms.

6.4.1 VAS Client Package Types

There are two different types of VAS client packages:

- Site Licensed (site): The VAS site package does not require any licensing and has no user limit.
- User Licensed (licensed packages): The software in the user-licensed package requires a license file to be installed on the system. This license will contain both an expiration date and a user limit. VAS evaluations will require an evaluation license that will be set to expire. Standard licenses will not have an expiration date.

For more information on licensing the VAS client, see Chapter 7, Licensing and Configuring the VAS Client.

Your installation media has the appropriate version of the client software.

IMPORTANT: You cannot directly upgrade from the site packages to the licensed packages, or vice-versa. If you are changing the type of VAS client you install, you must uninstall the old one and install the new one.

6.4.2 Installing the VAS client AIX package

To install the VAS client installp package, perform the following:

1. Log in and open a root shell.
2. Mount the installation CD by executing the following commands:

    # mkdir /cdrom
    # mount -o ro -v cdrfs /dev/cd0 /cdrom

   Where /dev/cd0 is the name of the device for your CDROM drive.

3. Change to the platform specific client directory at the root of the mounted CDROM. If installing on AIX 5.1 or 5.2, do the following:

    # cd /cdrom/client/aix-51

   If installing on AIX 4.3.3, change to the AIX 4.3.3 directory as follows:

    # cd /cdrom/client/aix-43

   If installing on AIX 5.3, change to the AIX 5.3 directory as follows:

    # cd /cdrom/client/aix-53

4. Use installp to install the vasclient package. For AIX 5.1 and 5.2, run:

    # installp -ac -d vasclient.aix_5_1.2.6.47.26.bff all

   For AIX 4.3.3, run:

    # installp -ac -d vasclient.aix_4_3.2.6.47.26.bff all

   For AIX 5.3, run:

    # installp -ac -d vasclient.aix_5_3.2.6.47.26.bff all

   If you are installing the site-licensed version, the depot name is vasclient.aix_4_3-site.2.6.47.26.bff for AIX 4.3.3, vasclient.aix_5_1-site.2.6.47.26.bff for AIX 5.1 and 5.2, or vasclient.aix_5_3-site.2.6.47.26.bff for AIX 5.3.

For information on configuring the VAS Client, see Chapter 7, Licensing and Configuring the VAS Client.

6.5 Upgrading the AIX Client

This section details how to upgrade the VAS client on supported AIX platforms.

To upgrade the VAS client installp package, perform the following:

1. Log in and open a root shell.
2. Mount the installation CD by executing the following commands:

    # mkdir /cdrom
    # mount -o ro -v cdrfs /dev/cd0 /cdrom

   Where /dev/cd0 is the name of the device for your CDROM drive.

3. Change to the platform specific client directory at the root of the mounted CDROM. If upgrading on AIX 5.1 or 5.2, do the following:

    # cd /cdrom/client/aix-51

   If upgrading on AIX 4.3.3, do the following:

    # cd /cdrom/client/aix-43

   If upgrading on AIX 5.3, do the following:

    # cd /cdrom/client/aix-53

4. Use installp to upgrade the package appropriate for your version of AIX. For AIX 5.1 and 5.2, run:

    # installp -ac -d vasclient.aix_5_1.2.6.47.26.bff all

   For AIX 4.3.3, run:

    # installp -ac -d vasclient.aix_4_3.2.6.47.26.bff all

   For AIX 5.3, run:

    # installp -ac -d vasclient.aix_5_3.2.6.47.26.bff all

   If you are upgrading the site-licensed version, the depot name is vasclient.aix_4_3-site.2.6.47.26.bff for AIX 4.3.3, vasclient.aix_5_1-site.2.6.47.26.bff for AIX 5.1 and 5.2, or vasclient.aix_5_3-site.2.6.47.26.bff for AIX 5.3.

5. If you are using a licensed version of the VAS client earlier than 2.6.47, then reinstall your user license with the vastool license command. VAS versions 2.6.47 and later use a new licensing technology that does not require you to reinstall your license after upgrading.

vascd will be restarted and the vascd caches will be flushed as part of the upgrade process. You do not need to make any other configuration changes while upgrading.

6.6 Uninstalling the vasclient AIX package

This section details how to uninstall the VAS client from supported AIX platforms.

To uninstall the VAS client installp package, perform the following:

1. Log in and open a root shell.
2. Use installp to uninstall the package appropriate for your version of AIX.

    # installp -u vasclient

Chapter 7 LICENSING AND CONFIGURING THE VAS CLIENT

There are two types of VAS client packages: the site version and the licensed version. The site version does not require any installed licenses. The licensed version requires Vintela license file(s) to be installed in the /etc/opt/vas/.licenses directory. For VAS evaluations, an evaluation Vintela license file, which will have an expiration date, is required.

Each license file for VAS is good for a certain number of users. There is no limit on the number of users that can be used on the Unix host through VAS, but if the license limit is exceeded, warning messages will be sent through the syslog interfaces.

If you are not using the site version of the VAS client, you should ensure that you have the licenses correctly installed before vascd starts up.

7.1 Installing Licenses

There are two ways to manage your license information: through manual installation on each Unix host, or centrally in Active Directory through Group Policies using the Vintela Group Policy (VGP) utilities.

To manually install a license file, copy the file to the /etc/opt/vas/.licenses directory and make sure that the permissions on the file are set to 0644. You must not modify the license file in any way, as any modification will invalidate the license signature, and the license will be considered invalid. You can install multiple licenses in the licensing directory, and each valid, unexpired license will be used in calculating the user limit.

When the VGP utilities are installed alongside the VAS client, the vastool join command will automatically use the vgptool utility to apply the VAS specific policies during the join process. For more information on using VGP and configuring the Vintela Licensing Policy, refer to the VGP Administrator's Guide.

Note that when no license is installed, vastool will operate correctly, but the rest of the VAS components will not work. If all licenses expire, then vascd will exit and cease to function.

7.2 VAS Client Configuration

In order for the VAS client to work correctly, the UNIX/Linux system that you installed the VAS client on must be joined to the Active Directory domain. This is done by using the vastool join command.

IMPORTANT: Before you join the VAS client to the Active Directory domain, make sure you have the following information:

- The name of the Active Directory domain of which you want the VAS client to be a member.
- The user name and password of a user that has sufficient administrative privileges to create computer objects in Active Directory. Normally this user is a member of the Domain Admins group.

To run vastool join, do the following as the root user at a shell prompt:

    # /opt/vas/bin/vastool -u matt join example.com

Where matt is the username of an Active Directory user with sufficient administrative privileges to create a computer object in Active Directory (normally a user who is a member of the Domain Admins group), and example.com is the name of the Active Directory domain to which you are joining the computer. When prompted for the user's password, type it on the command line. The results of vastool join will be shown on the shell's standard out.

7.2.1 vastool join Modifications

vastool join makes the following modifications to your UNIX/Linux system:

- The system's configuration files for user and group account information backends are modified to include VAS. This is done by modifying /etc/nsswitch.conf to include vas as an entry for the passwd and group entries. The vas entry will be inserted after the files entry.
- The system's configuration files for authentication are updated to use VAS as an authentication backend. This is done by modifying the PAM configuration file(s) located at /etc/pam.conf or in the /etc/pam.d directory. These modifications will allow the VAS authentication modules to authenticate Active Directory users while allowing the native system authentication modules to continue to authenticate system users.
- The /etc/opt/vas/vas.conf configuration file is configured with information to enable the VAS libraries to use Kerberos authentication against Active Directory.
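
The script below is an added example, not part of the VAS guide or of Vintela's tooling: a POSIX shell audit of the changes vastool join is described as making above (vas after files in nsswitch.conf, a PAM reference, a populated vas.conf), plus the 0644 license-file mode from section 7.1. The function names, the pam_vas match string (taken from the component lists), and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the changes "vastool join" is documented to make.
# Function names and the sample tree are illustrative, not part of VAS.

# Succeeds when entry $2 (passwd, group) in nsswitch file $1 lists vas after files.
nss_vas_after_files() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:source"
        $1 == (db ":") {
            files = 0; ok = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files") files = 1
                if ($i == "vas" && files) ok = 1
            }
        }
        END { exit !ok }
    ' "$1" 2>/dev/null
}

# Succeeds when a non-comment line in file $1, or in any file directly under
# directory $1, names pam_vas (assumed module name, from the component list).
pam_references_vas() {
    [ -d "$1" ] && set -- "$1"/*
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed 's/#.*//' "$f" | grep -q pam_vas && return 0
    done
    return 1
}

# Succeeds when directory $1 holds at least one regular file and all are mode 0644.
licenses_mode_ok() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$((n + 1))
        [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-r--r--" ] || return 1
    done
    [ "$n" -gt 0 ]
}

# Runs every check against the tree rooted at $1 ("" for the live system).
# Returns 0 only when the join checks pass; the license line is advisory
# because the site package needs no license.
audit_vas_client() {
    root=$1; rc=0
    for db in passwd group; do
        if nss_vas_after_files "$root/etc/nsswitch.conf" "$db"; then
            echo "PASS nsswitch.conf $db: vas follows files"
        else
            echo "FAIL nsswitch.conf $db: vas absent or not after files"; rc=1
        fi
    done
    if pam_references_vas "$root/etc/pam.conf" || pam_references_vas "$root/etc/pam.d"; then
        echo "PASS PAM configuration references pam_vas"
    else
        echo "FAIL no PAM configuration references pam_vas"; rc=1
    fi
    if [ -s "$root/etc/opt/vas/vas.conf" ]; then
        echo "PASS vas.conf present and non-empty"
    else
        echo "FAIL vas.conf missing or empty"; rc=1
    fi
    if licenses_mode_ok "$root/etc/opt/vas/.licenses"; then
        echo "PASS license files are mode 0644"
    else
        echo "WARN no license file, or a license file is not mode 0644"
    fi
    return "$rc"
}

# Constructed sample tree (not from a real host) so the script runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pam.d" "$demo/etc/opt/vas/.licenses"
printf 'passwd: files vas\ngroup:  files vas\n' > "$demo/etc/nsswitch.conf"
printf 'auth sufficient pam_vas.so\n' > "$demo/etc/pam.d/login"
printf '# constructed placeholder\n' > "$demo/etc/opt/vas/vas.conf"
printf 'constructed\n' > "$demo/etc/opt/vas/.licenses/sample.lic"
chmod 0644 "$demo/etc/opt/vas/.licenses/sample.lic"
audit_vas_client "$demo"
rm -rf "$demo"
```

On a joined host, calling audit_vas_client "" as root runs the same checks against the live /etc. A FAIL on the nsswitch.conf ordering is worth investigating first, because it changes which source answers for local account names.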