I need to have the following list of questions answered for a customer.

Let me start by saying they didn't make sense to me when they asked them.

1.  Where do VAS mapping files exist? Are they stored physically in AD?
2.  What version of LIB C is required for VAS client?
3.  Do group policy cron jobs get a kerb ticket?
4. Is group policy top down or bottom up enforcement?
5. When using mappings what, if any kerberos ticket do they get?
6.  Can VAS work if DNS reverse lookup is disabled?
7.  Can all group policies be managed from the command line?


  • > 1.  Where do VAS mapping files exist? Are they stored physically in AD?
    This depends on the mode that has been configured.  Mapped User mode keeps the Unix user information local to the system, or in the native repository (like NIS) while Personality mode and Standard mode store the Unix user information in AD.
    In Mapped User mode the mappings from local accounts are typically local to the system but in the case of NIS and LDAP can often be stored in NIS and LDAP.  They can also be managed and stored in policy for local distribution.

    > 2.  What version of LIB C is required for VAS client?
    VAS is not tied to a specific version of libc because it is linked against other key OS-provided libraries that must also be compatible.  For a list of the OSes VAS supports, see the supported platform list.
    www.quest.com/.../VAS_Supported_Platforms.aspx

    > 3.  Do group policy cron jobs get a kerb ticket?
    Not specifically cron jobs managed by group policy, but group policy does when it executes.  To access policy information in AD the VAS-enabled Unix system needs to authenticate and inherently has Kerberos credentials.
    It is possible to create service accounts associated with keytab files for cron jobs that need to have Kerberos credentials without entering passwords, for use with automating connections to other systems, etc.

    > 4. Is group policy top down or bottom up enforcement?
    ???
    I'm not sure.  Group Policy applies from AD to the local Unix system.  Most policies apply to files or configurations to the local system.  If someone has root access they can still modify these settings on the local system, but they will be clobbered when policy re-applies.  If you have a malicious root they could stop the group policy processes.
    Other policies, like password policies, lockout policies, and logon hours are all enforced from AD.

    > 5. When using mappings what, if any kerberos ticket do they get?
    The Kerberos ticket will always match the AD account.  For instance, my Unix login name could be kyler but my Kerberos ticket could be for kyle.robinson@example.com.

    > 6.  Can VAS work if DNS reverse lookup is disabled?
    Yes.  It will work normally.

    > 7.  Can all group policies be managed from the command line?
    The command line tools for group policy are basically for modification of policies that have already been established.  Typical policy management should be done from the group policy management console.
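
Added example for the keytab-backed cron job described in the answer to question 3 above. This is not Quest's code or part of the original thread; it uses the standard MIT Kerberos `kinit -kt` / `kdestroy` tools rather than VAS's own utilities, and the keytab path, service principal and job command in the comments are hypothetical. The point a practitioner should take from it: a keytab is a password equivalent, so the wrapper refuses to use one that is readable by anyone but its owner, puts the ticket in a private credential cache for the job (so it never lands in the root user's default cache), and destroys the ticket when the job finishes.

```shell
#!/bin/sh
# Run a cron job with Kerberos credentials obtained from a keytab.
# Added example, not Quest/VAS code. Assumes MIT Kerberos kinit/kdestroy on PATH.
#
# Hypothetical crontab entry using it:
#   0 2 * * * . /usr/local/lib/krb-cron.sh; with_krb5_ticket /etc/krb5/svc-backup.keytab 'svc-backup@EXAMPLE.COM' /usr/local/bin/backup-to-share

# Return 0 only if the keytab is mode 600 or 400 (owner-only).
# A keytab lets anyone who can read it impersonate the service account.
keytab_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# usage: with_krb5_ticket KEYTAB PRINCIPAL COMMAND [ARGS...]
# Exit codes: 2 = keytab permissions refused, 3 = kinit failed, else the job's own status.
with_krb5_ticket() {
  keytab=$1
  princ=$2
  shift 2

  # Refuse to continue before touching the KDC if the keytab is exposed.
  keytab_mode_ok "$keytab" || {
    echo "refusing keytab $keytab: mode '$mode' is not owner-only" >&2
    return 2
  }

  # Private, per-invocation credential cache so concurrent jobs and the
  # interactive root session never share or overwrite each other's tickets.
  KRB5CCNAME="FILE:/tmp/krb5cc_cron_$$"
  export KRB5CCNAME

  kinit -kt "$keytab" "$princ" || return 3

  rc=0
  "$@" || rc=$?

  # Scrub the ticket as soon as the job is done; the keytab can mint a new one next run.
  kdestroy -q 2>/dev/null
  return $rc
}
```

The permission check runs before `kinit`, so a mis-deployed keytab fails loudly in the cron mail instead of silently working while being readable by every local user. The cache path is tied to the PID so a job that runs past the next scheduled start does not have its ticket destroyed out from under it.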

  • Thanks Kyle.

    Perry Pinkley
    Quest Public Sector SSC
    Identity Management and Single Signon
    281.678.5338