Unix Access Management

AIX Vas user-override user issue

Using an old OS (AIX 5.3) and VAS client 3.5.2, and having an issue on our AIX servers with one user (pgg081) out of over 7500 where the user-override attributes (GID and shell) fail to actually override the attributes cached from AD.


We are trying to override the shell to /usr/bin/ksh for this user but it remains /home/ghem/ghem_access.

    # lsuser -f pgg081 | grep shell
    shell=/home/ghem/ghem_access

    # grep -i pgg081 user-override
    pgg081@.com:::1042460071::/home/pgg081:/usr/bin/ksh

Tried running the vastool flush and vastool flush accounts to clear the cache and reload but still get the same result.


Noticed the locally cached vas_ident.vdb output doesn't seem to match between the user_posix and user_ovrd tables for user pgg081.

/opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT * FROM user_posix" |grep -i pgg08

7651|1386540765|10000||||||||/home/pgg081|/bin/bash||131274612000000000|131199900244278587|0|1|1|1|1|1|


Portion of the user-override table showing what should be row 7651 as row 732:

/opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT *FROM user_ovrd" | tail -45

7648|mjd232@.com|||1756051095||/home/mjd232|/home/ghem/ghem_access|user-override

7649|cdm070@.com|||640221255||/home/cdm070|/home/ghem/ghem_access|user-override

732|pgg081@.com|||1042460071||/home/pgg081|/usr/bin/ksh|user-override

7650|mmm259@.com|||758601807||/home/mmm259|/home/ghem/ghem_access|user-override

7652|v_jss452@.com|||1756051095||/home/v_jss452|/home/ghem/ghem_access|user-override


Could this be why the attributes don't get overridden for pgg081? If so, how do I correct this?

 This user was removed from AD and brought back several months later with the same UID.

Thanks in advance!

  • Hi Stanley,

    In the time frame that this user account was removed from AD and then added again did the override entry remain in place?

    I am thinking that if that is the case then the override entry is there from the last time the account properly existed. If that is the case, could you try removing the override entry. Leave it out until the override cache reflects the change, meaning there is no entry in the cache. Then add the entry to the override file again and see if that clears the issue.

    Leigh Grant
  • Thanks for the reply Leigh!
    In trying your suggestion, removing the override entry and allowing the override cache to update did remove the 732 line entry for pgg081, so it looked good at this point. However, once I added the entry back and allowed the cache to update, it brought it back as 732 again, same as before.

    I also tried to remove the override entry and run a flush, but it came back the same 732 again.

    Another interesting thing with this user ID only is once a flush is run it comes back with a different primary group and groups than what is set in AD. I found that running a vastool checkaccess user will update it to the correct info that is set in AD.
    root@inghem01:/etc/opt/quest/vas # /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT *FROM user_ovrd" | grep -I pgg081
    732|pgg081@.com|||1042460071||/home/pgg081|/usr/bin/ksh|user-override
    root@inghem01:/etc/opt/quest/vas # lsuser pgg081
    pgg081 id=1386540765 pgrp=Unix Users groups=Unix Users home=/home/pgg081 shell=/bin/bash gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=VAS SYSTEM=VAS OR FILES logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=131072 core=2097151 rss=65536 nofiles=10000 roles=
    root@inghem01:/etc/opt/quest/vas # vastool user checkaccess pgg081
    Access for service login by pgg081 is allowed.
    Access Rule = [Allow User - pgg081@.com (users.allow)]
    root@inghem01:/etc/opt/quest/vas # lsuser pgg081
    pgg081 id=1386540765 pgrp=tss_west groups=server-hac-inghem01,server-hac-inghem02,server-hac-inghem03,server-hac-inghem04,server-hac-inghem05,server-hac-inghem06,server-hac-waghem01,server-hac-waghem02,server-hac-waghem03,server-hac-waghem04,server-hac-waghem05,server-hac-waghem06,tss_west,Unix Users,Employee Remote Access,Wireless Network Users,tss_west home=/home/pgg081 shell=/home/ghem/ghem_access gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=VAS SYSTEM=VAS OR FILES logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=131072 core=2097151 rss=65536 nofiles=10000 roles=

    Any further help in sorting this out is greatly appreciated.
    Stan

  • A couple of thoughts.

    That seems like there is a second identity somewhere for this user. Any chance this account exists in the passwd file as well?

    The other thought I had, is there more than one domain? Could this user account exist in a second domain that has a trust established?

    Another question I was curious about: if you query the cache again and find the user_posix entry for 732, is that an entirely different user? Anything similar about the two accounts?

    It might be worth running a query as well to make sure we don't have duplicate UIDs in the cache. This should show a count if there is more than one.

    /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT uidNumber FROM user_posix GROUP BY uidNumber HAVING ( COUNT(uidNumber) > 1 )"

    Leigh Grant
  • Thank you Leigh for the correspondence and new to the forum so to change it is unclear.

    There are no entries for this user in the passwd file and I have had our AD team quadruple check this account for correctness, so all I can do at this point is trust it.

    There is no 732 entry in the user_posix table.

    There is one duplicate uidNumber, but a query on that shows neither ID is pgg081.
    /etc/opt/quest/vas # ser_posix GROUP BY uidNumber HAVING ( COUNT(uidNumber) > 1 )"<
    30000085
    root@inghem01:/etc/opt/quest/vas # nt.vdb "SELECT * FROM user_posix WHERE uidNumber=30000085" <
    5559|30000085|10000||||||||/home/jjj862|/bin/bash||9223372036854775807|131213536173544342|0|1|1|1|1|1|
    5562|30000085|10000||||||||/home/cff281|/bin/bash||9223372036854775807|131189318796259727|0|1|1|1|1|0|

    Thanks in advance for all the help!
    Stan
  • Stanley,

    Another thing that's worth trying is upgrading the client to the newest version. 3.5.2 is an older release and isn't currently supported. There have been many enhancements made throughout the product since that release. Our most recent release is 4.1.0.22726 and can be downloaded from the QAS download site.

    -T
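Added example (not from the thread or from Quest): the two checks discussed above, the id mismatch between user_ovrd and user_posix for pgg081 and the duplicate-uidNumber query, run with Python's sqlite3 module against an in-memory stand-in for vas_ident.vdb built from the rows quoted in the thread. The column names other than uidNumber are assumptions; confirm the real ones with `.schema` in /opt/quest/libexec/vas/sqlite3 before running the same SQL on the live file.

```python
import sqlite3

# Column names are assumptions except uidNumber (seen in the thread); check the
# real schema first: /opt/quest/libexec/vas/sqlite3 <path-to-vas_ident.vdb> .schema
SCHEMA = """
CREATE TABLE user_posix (id INTEGER, uidNumber INTEGER, gidNumber INTEGER,
                         homeDirectory TEXT, loginShell TEXT);
CREATE TABLE user_ovrd  (id INTEGER, name TEXT, uid INTEGER, gid INTEGER,
                         home TEXT, shell TEXT, source TEXT);
"""

# Constructed sample rows: pgg081 and the 30000085 pair are the values quoted in
# the thread; mjd232's posix row is made up so there is one healthy user.
USER_POSIX = [
    (7651, 1386540765, 10000, "/home/pgg081", "/bin/bash"),
    (7648, 1386540001, 10000, "/home/mjd232", "/bin/bash"),   # constructed
    (5559, 30000085, 10000, "/home/jjj862", "/bin/bash"),
    (5562, 30000085, 10000, "/home/cff281", "/bin/bash"),
]
USER_OVRD = [
    (7648, "mjd232@.com", None, 1756051095, "/home/mjd232",
     "/home/ghem/ghem_access", "user-override"),
    (732, "pgg081@.com", None, 1042460071, "/home/pgg081",
     "/usr/bin/ksh", "user-override"),
]


def load_sample_db():
    """Build the in-memory stand-in for vas_ident.vdb from the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user_posix VALUES (?,?,?,?,?)", USER_POSIX)
    conn.executemany("INSERT INTO user_ovrd VALUES (?,?,?,?,?,?,?)", USER_OVRD)
    return conn


def orphan_overrides(conn):
    """Override rows whose id has no user_posix row with the same id, which is
    the symptom in the thread (override row 732 vs. posix row 7651)."""
    return conn.execute(
        "SELECT o.id, o.name, o.shell FROM user_ovrd o "
        "LEFT JOIN user_posix p ON p.id = o.id WHERE p.id IS NULL"
    ).fetchall()


def duplicate_uids(conn):
    """The duplicate-UID query from the thread, unchanged."""
    rows = conn.execute(
        "SELECT uidNumber FROM user_posix GROUP BY uidNumber "
        "HAVING ( COUNT(uidNumber) > 1 )"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = load_sample_db()
    print("override rows with no posix row of the same id:", orphan_overrides(db))
    print("duplicate uidNumbers:", duplicate_uids(db))
```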