1. The perm-disconnected-update option determines how current the cached password is, whether connected or disconnected, and how soon the list will be updated. The man page for vas.conf states:
perm-disconnected-update = <integer (minutes)>
Default value: 1440
When using persistent disconnected authentication vasd will periodically check the configured list of users who can use persistent disconnected authentication to see if their cached credentials need to be updated. For example, if they have changed their password since the last time vasd updated the persistent disconnected authentication cache, vasd will obtain a new Kerberos service ticket for the user. See the perm-disconnected-users option for the [vas_auth] vas.conf section for more information on persistent disconnected authentication. This check is done every 24 hours by default. This option value represents the number of minutes used as the check interval. The following example shows how to configure vasd to check every 2 days for updates.
NOTE: This value is read once during vasd start-up. Any changes to this value require you to restart vasd before changes take effect.
[vasd]
perm-disconnected-update = 2880
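As an added example (not part of the original article or the product's own tooling), the shell functions below report the check interval configured in a vas.conf file passed as an argument, falling back to the 1440-minute default. They assume the option is honoured only in the [vasd] section and that lines beginning with # are comments; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective perm-disconnected-update interval.
# Assumptions: the option only counts inside [vasd] (as in the example above),
# and lines starting with '#' are comments.

DEFAULT_MINUTES=1440   # default stated in the man page text above

# perm_update_minutes FILE -> prints the check interval in minutes
perm_update_minutes() {
    awk -v def="$DEFAULT_MINUTES" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }    # trim whitespace
        /^#/ || /^$/ { next }                            # comments, blanks
        /^\[.*\]$/ { in_vasd = ($0 == "[vasd]"); next }  # track the section
        in_vasd && /^perm-disconnected-update[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            if (val ~ /^[0-9]+$/) found = val            # integers only
        }
        END { print (found != "" ? found + 0 : def) }
    ' "$1"
}

# perm_update_summary FILE -> one-line, human-readable interval
perm_update_summary() {
    m=$(perm_update_minutes "$1") || return 1
    echo "$m minutes ($((m / 60)) h $((m % 60)) min) between cache checks"
}

# write_sample FILE -> constructed vas.conf fragment for a dry run
write_sample() {
    cat > "$1" <<'EOF'
[vas_auth]
perm-disconnected-update = 60
[vasd]
# constructed sample value
  perm-disconnected-update = 2880
EOF
}

# Usage: sh script.sh /path/to/vas.conf
if [ $# -gt 0 ]; then perm_update_summary "$1"; fi
```

The reported value reflects the file on disk; as the NOTE above says, vasd only picks up a change after a restart.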
2. To view the list of users and their tickets, use the command below:
# /opt/quest/bin/vastool klist -c /var/opt/quest/vas/authcache/.krb5cc_auth_ust
To manually update it, run the following:
# /opt/quest/libexec/vas/vasd/vasdis_helper -f
In detail, this is how it works with perm disconnected auth:
VAS does perm-disconnected auth by treating the user account as a service account and acquiring a service ticket (credential) for that account. The password can then be used in a disconnected situation to try to decrypt the credential. These tickets are all gathered the first time by the /opt/quest/libexec/vas/vasd/vasdis_helper binary, along with each user's pwdLastSet. After they are stored, updates check the pwdLastSet of each individual user, and a new ticket is downloaded only when the password has changed. The tickets can be viewed with:
# /opt/quest/bin/vastool klist -c /var/opt/quest/vas/authcache/.krb5cc_auth_ust
The update can be run manually with:
# /opt/quest/libexec/vas/vasd/vasdis_helper -f
The most common issue is that some versions of Windows (domain functional level) require the user to have a servicePrincipalName value set in order to give out a service ticket for them. Anything can be set: <name>/vas will work, and a/b will as well, but since it's an indexed value it's better to make it unique.