When running vastool status you receive the error:
"FAILURE: 721 In-consistent access control ALLOW cache, check syslog for exact entry"
The failure 721 means the number of users.allow entries and the number of access_control database entries do not match.
Cause: Bad group name in the users.allow configuration in the respective GPOs, the user or group does not exist in AD but exists in the users.allow file or the users.allow group policy.
1- Tail the syslog file for the access control message and look for the offending group. On linux, the syslog facility we use to log the message is info . Be sure syslog.conf is configure to log the info messages. In Solaris we have the following setup in the syslog.conf:
In the below example we have a mistake in a group named "badgroupname", the error that results in the syslog file is the following:
May 22 13:23:57 stewie vasd: [ID 960898 daemon.warning] _create_rule_from_local_file: Cannot locate
2 - If you are using group policy to push out users.allow file, find the server's context in AD and open the respective GPO for that server. Go to Unix Settings | Access Control and verify/correct the offending group's name in the users.allow configuration. Verify/correct case-sensitivity.
Find the offending group in AD and open its configuration. Verify/correct the (pre-windows 2000) group name. Verify/correct case-sensitivity.
If you are not using the group policy method, verify the name in the /etc/opt/quest/users.allow file and in AD.
NEW LINUX SCRIPT FOR TROUBLESHOOTING 721 MESSAGE
Attached to this KB is a beta troubleshooting script for linux to compare what is in the files and what is in the cache to try and help identify missing entries
If the error still occurs after running the latest vas_status.sh scriipt, please open up a case with Tech Support and send the below information.
Please run the following commands when the error is occurring:
1 - /opt/quest/bin/vastool info acl
2 - /opt/quest/bin/vastool list users-allowed | wc -l
3 - /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "SELECT * FROM access_control" 2>&1 | tee /tmp/acl_db.txt
4- /opt/quest/bin/vastool list users-allowed 2>&1 | tee /tmp/users-allowed-cache.txt
5 - Tail the system's syslog noting the group name listed as problematic.
Then send a copy of the /tmp/acl_db.txt, /tmp/users-allowed-cache.txt, /etc/opt/quest/vas/users.allow file
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz