Unix Access Management

AIX Vas user-override user issue

Using an old OS (AIX 5.3) and VAS client 3.5.2, and having an issue on our AIX servers with one user (pgg081) out of over 7500, where the user-override attributes (GID and shell) fail to actually override the attributes cached from AD.

We are trying to override the shell to /usr/bin/ksh for this user but it remains /home/ghem/ghem_access.

# lsuser -f pgg081 | grep shell

        shell=/home/ghem/ghem_access

# grep -i pgg081 user-override

pgg081@.com:::1042460071::/home/pgg081:/usr/bin/ksh

Tried running vastool flush and vastool flush accounts to clear the cache and reload, but still get the same result.

Noticed the locally cached vas_ident.vdb output doesn't seem to match between the user_posix and user_ovrd tables for user pgg081.

/opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT * FROM user_posix" |grep -i pgg08

7651|1386540765|10000||||||||/home/pgg081|/bin/bash||131274612000000000|131199900244278587|0|1|1|1|1|1|

 

Portion of the user-override table showing what should be row 7651 as row 732:

/opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT *FROM user_ovrd" | tail -45

7648|mjd232@.com|||1756051095||/home/mjd232|/home/ghem/ghem_access|user-override

7649|cdm070@.com|||640221255||/home/cdm070|/home/ghem/ghem_access|user-override

732|pgg081@.com|||1042460071||/home/pgg081|/usr/bin/ksh|user-override

7650|mmm259@.com|||758601807||/home/mmm259|/home/ghem/ghem_access|user-override

7652|v_jss452@.com|||1756051095||/home/v_jss452|/home/ghem/ghem_access|user-override

 

Could this be why the attributes don't get overridden for pgg081? If so, how to correct this?

This user was removed from AD and brought back several months later with the same UID.

Thanks in advance!

  • Thank you Stanley,

    The specific VAS Version has proved helpful. I think you are running into a defect in that version. Based on the description and sequence of events it looks like this one might be responsible.

    3.5.2.33

    Bug 20516:
    * override: When an overridden user is deleted from the cache, then re-added,
    their override no longer applied. This has been fixed.

    The workaround for this would be to unjoin, ensure the caches are removed and then rejoin.

    Please let me know if you have any additional questions.

    Leigh Grant
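
To find out whether other accounts are hit by the same symptom, the sketch below (an added example, not part of the thread and not a Quest tool) compares each user-override entry against the account data the host actually resolves. It assumes the override field order name:login:uid:gid:gecos:home:shell, inferred from the one line quoted in the question, and a passwd-format listing of effective accounts that you supply; check_overrides, demo_check and the sample values are hypothetical and constructed.

```shell
# Added example: list user-override entries whose GID or shell override is
# not reflected in the effective account data.
# Assumed override layout (inferred from the single line in the post):
#   name:login:uid:gid:gecos:home:shell   (empty field = no override)
# usage: check_overrides <user-override file> <passwd-format file>
check_overrides() {
    awk -F: '
        # First file: effective accounts in passwd format.
        FILENAME == ARGV[1] { gid[$1] = $4; shell[$1] = $7; next }
        # Second file: override entries; skip blank and comment lines.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            # Assumption: Unix name is the login field if set, else the
            # part of the first field before "@".
            name = ($2 != "") ? $2 : $1
            sub(/@.*/, "", name)
            if (!(name in shell)) { print name ": no effective account"; next }
            if ($4 != "" && $4 != gid[name])
                print name ": gid override=" $4 " effective=" gid[name]
            if ($7 != "" && $7 != shell[name])
                print name ": shell override=" $7 " effective=" shell[name]
        }
    ' "$2" "$1"
}

# Constructed sample data (domain, UIDs and effective GID are made up).
demo_check() {
    tmp=${TMPDIR:-/tmp}/ovrd_check.$$
    mkdir -p "$tmp" || return 1
    cat > "$tmp/passwd" <<'EOF'
pgg081:x:1386540765:10000::/home/pgg081:/home/ghem/ghem_access
abc123:x:1000001:20000::/home/abc123:/usr/bin/ksh
EOF
    cat > "$tmp/user-override" <<'EOF'
# constructed override entries
pgg081@example.com:::1042460071::/home/pgg081:/usr/bin/ksh
abc123@example.com::::::/usr/bin/ksh
EOF
    check_overrides "$tmp/user-override" "$tmp/passwd"
    rm -rf "$tmp"
}
```

Any account it reports after a flush is a candidate for the defect described in the reply; an empty result means every GID and shell override in the file is being applied.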