In the end, I did a "vas merge" to get all of the VAS cache loaded into /etc/passwd and /etc/group. That's a pain, but it works temporarily.
Here are a bunch of VAS commands for troubleshooting.
1. To check on the user access
vastool user checkaccess
2. To get the vastool status result
ftp://ftp.vintela.com/vas/support/vas_status.sh.gz
To get the vastool snapshot
/opt/quest/libexec/vas/scripts/vas_snapshot.sh
3. To flush the cache
vastool flush
4. To check whether a user is a VAS user
vastool isvas user [account name]
5. Test AD connection and user password
vastool kinit [account_name]
6. Test VAS service access control (assuming you're using sshd)
vastool user checkaccess -s sshd [account_name]
7. Check authentication logs
1) Add the words "debug" and "trace" to the end of all pam_vas lines in /etc/pam.d/system-auth
2) Add "*.debug /var/log/debug" to /etc/syslog.conf
3) Restart syslog daemon
4) Attempt login
5) Look at output in /var/log/debug for indication/reason of failure
8. You can also turn on vasd debug if desired
1) vastool configure vas vasd debug-level 3
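Steps 1 and 2 of item 7 as a repeatable toggle, added here as an example and not taken from the original post: it appends debug and trace only to active pam_vas lines, adds the syslog rule once, and restores both files afterwards. The function names, the .vasbak suffix and the pam_vas3.so sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: default paths are the ones the post names; the .vasbak
# backup suffix and the function names are made up for this example.
PAM_FILE="${PAM_FILE:-/etc/pam.d/system-auth}"
SYSLOG_CONF="${SYSLOG_CONF:-/etc/syslog.conf}"
DEBUG_RULE='*.debug /var/log/debug'

# Append "debug" and "trace" to active pam_vas lines that lack them, and add
# the syslog rule once. The first run keeps a pristine copy in <file>.vasbak.
enable_vas_auth_debug() {
    pam="${1:-$PAM_FILE}"; conf="${2:-$SYSLOG_CONF}"
    for f in "$pam" "$conf"; do
        [ -f "$f.vasbak" ] || cp -p "$f" "$f.vasbak" || return 1
    done
    tmp=$(mktemp) || return 1
    awk '
        /^[ \t]*#/ || !/pam_vas/ { print; next }   # comments, other modules
        {
            d = 0; t = 0; out = $0
            for (i = 1; i <= NF; i++) { if ($i == "debug") d = 1; if ($i == "trace") t = 1 }
            if (!d) out = out " debug"
            if (!t) out = out " trace"
            print out
        }' "$pam" > "$tmp" && cat "$tmp" > "$pam"   # cat keeps owner and mode
    rc=$?; rm -f "$tmp"; [ "$rc" -eq 0 ] || return 1
    grep -qxF "$DEBUG_RULE" "$conf" || printf '%s\n' "$DEBUG_RULE" >> "$conf"
}

# Put both files back once the failing login has been captured.
disable_vas_auth_debug() {
    pam="${1:-$PAM_FILE}"; conf="${2:-$SYSLOG_CONF}"
    for f in "$pam" "$conf"; do
        [ -f "$f.vasbak" ] || continue
        cat "$f.vasbak" > "$f" && rm -f "$f.vasbak" || return 1
    done
}

# Demo on constructed sample files (not real system config); prints the result.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_vas3.so' \
        '#account sufficient pam_vas3.so' \
        'session required pam_vas3.so debug' > "$dir/system-auth"
    : > "$dir/syslog.conf"
    enable_vas_auth_debug "$dir/system-auth" "$dir/syslog.conf" &&
        cat "$dir/system-auth" "$dir/syslog.conf"
    rm -rf "$dir"
}
```

Restart the syslog daemon after either function, as step 3 of item 7 says; the restart command depends on the system, so it is left out here.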