Using an old OS (AIX 5.3) and VAS client 3.5.2 and having an issue on our AIX servers with one user (pgg081) out of over 7500 where the user-override attributes (GID and shell) fail to actually override the attributes cached from AD.
We are trying to override the shell to /usr/bin/ksh for this user but it remains /home/ghem/ghem_access.
# lsuser -f pgg081 | grep shell
# grep -i pgg081 user-override
Tried running the vastool flush and vastool flush accounts to clear the cache and reload but still get the same result.
Noticed the locally cached vas_ident.vdb output doesn't seem to match between the user_posix and user_ovrd tables for user pgg081.
/opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT * FROM user_posix" |grep -i pgg08
Portion of the user-override table showing what should be row 7651 as row 732:
/opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT *FROM user_ovrd" | tail -45
Could this be why the attributes don't get overridden for pgg081? If so, how to correct this?
This user was removed from AD and brought back several months later with the same UID.
Thanks in advance!
In reply to Leigh Grant:
Thanks for the reply Leigh! In trying your suggestion, removing the override entry and allowing the override cache to update did remove the 732 line entry for pgg081 so looked good at this point. However, once I added the entry back and allowed the cache to update it brought it back as 732 again, same as before. I also tried to remove the override entry and run a flush, but it came back the same 732 again. Another interesting thing with this user ID only is once a flush is run it comes back with a different primary group and groups than what is set in AD. I found that running a vastool checkaccess user will update it to the correct info that is set in AD.
root@inghem01:/etc/opt/quest/vas # /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT *FROM user_ovrd" | grep -I pgg081
732|pgg081@.com|||1042460071||/home/pgg081|/usr/bin/ksh|user-override
root@inghem01:/etc/opt/quest/vas # lsuser pgg081
pgg081 id=1386540765 pgrp=Unix Users groups=Unix Users home=/home/pgg081 shell=/bin/bash gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=VAS SYSTEM=VAS OR FILES logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=131072 core=2097151 rss=65536 nofiles=10000 roles=
root@inghem01:/etc/opt/quest/vas # vastool user checkaccess pgg081
Access for service login by pgg081 is allowed.
Access Rule = [Allow User - pgg081@.com (users.allow)]
root@inghem01:/etc/opt/quest/vas # lsuser pgg081
pgg081 id=1386540765 pgrp=tss_west groups=server-hac-inghem01,server-hac-inghem02,server-hac-inghem03,server-hac-inghem04,server-hac-inghem05,server-hac-inghem06,server-hac-waghem01,server-hac-waghem02,server-hac-waghem03,server-hac-waghem04,server-hac-waghem05,server-hac-waghem06,tss_west,Unix Users,Employee Remote Access,Wireless Network Users,tss_west home=/home/pgg081 shell=/home/ghem/ghem_access gecos= login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=VAS SYSTEM=VAS OR FILES logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=131072 core=2097151 rss=65536 nofiles=10000 roles=
Any further help in sorting this out is greatly appreciated.
Stan
In reply to stanley.bostik:
Another thing that's worth trying is upgrading the client to the newest version. 3.5.2 is an older release and isn't currently supported. There have been many enhancements made throughout the product since that release. Our most recent release is 22.214.171.12426 and can be downloaded from the QAS download site.
Understand, we have many customers that are using the product in mission-critical environments. One note is that AIX 5.3 is supported with the newest clients. That list can be found by going to the Authentication Services site and then Specifications --> Unix Agents - supported platforms.