The first time a user logs in, they are prompted for their password. The first authentication attempt always fails and the second succeeds. If the user logs out and logs right back in, the first password challenge succeeds. The same applies to sudo: the first password challenge fails, the second succeeds, and when the user is challenged again later the first challenge succeeds. This happens for both regular and permanently cached users.
This issue occurred in a one-way trust configuration in which the access control groups are domain local groups in forest 1 and the users are in forest 2.
Here is what the vas.conf looked like:
[vasd]
workstation-mode = true
[domain_realm]
myhost.forest1.com = FOREST1.COM
[libdefaults]
default_realm = FOREST1.COM
[vas_host_services]
FOREST2.com = {
krb5name = vastrust/qas-auth-svc@forest2.com
keytab = /etc/opt/quest/vas/qas-auth-svc.keytab
use-for-auth = true
password-change-interval = 0
}
1 - Edit the /etc/opt/quest/vas/vas.conf file and change the setting use-for-auth = true to use-for-auth = false.
Here is some information about the setting from the vas.conf man page.
2 - We receive access control group information from a few sources; two in particular are the PAC and token groups. Because the user is not yet in the cache, the initial login uses the PAC to determine group memberships.
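As an added illustration (not code from the original article or from One Identity's tooling), the following Python snippet parses the vas.conf layout shown above, reports which trust realms in [vas_host_services] still have use-for-auth = true, and applies the change from step 1. The sample configuration is constructed from the fragment on this page; the host and realm names are placeholders.

```python
import re

# Constructed sample mirroring the vas.conf fragment above (placeholder names).
SAMPLE_VAS_CONF = """\
[vasd]
workstation-mode = true
[domain_realm]
myhost.forest1.com = FOREST1.COM
[libdefaults]
default_realm = FOREST1.COM
[vas_host_services]
FOREST2.com = {
krb5name = vastrust/qas-auth-svc@forest2.com
keytab = /etc/opt/quest/vas/qas-auth-svc.keytab
use-for-auth = true
password-change-interval = 0
}
"""

def parse_vas_conf(text):
    """Parse the vas.conf layout shown on this page into nested dicts.

    '[name]' lines open a section; a 'key = {' line inside a section opens a
    brace-delimited sub-block that ends at a line containing only '}'.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = conf.setdefault(line[1:-1], {})
            block = None
        elif line == '}':
            block = None
        elif '=' in line and section is not None:
            key, value = (s.strip() for s in line.split('=', 1))
            if value == '{':
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def trusts_using_keytab_auth(conf):
    """Return trust realms whose vas_host_services block sets use-for-auth = true."""
    services = conf.get('vas_host_services', {})
    return sorted(realm for realm, opts in services.items()
                  if isinstance(opts, dict) and opts.get('use-for-auth', '').lower() == 'true')

def disable_use_for_auth(text):
    """Rewrite 'use-for-auth = true' to 'false', the change applied in step 1."""
    return re.sub(r'^([ \t]*use-for-auth[ \t]*=[ \t]*)true[ \t]*$', r'\1false',
                  text, flags=re.MULTILINE | re.IGNORECASE)
```

Run trusts_using_keytab_auth(parse_vas_conf(open('/etc/opt/quest/vas/vas.conf').read())) on a host to see which trusts are still affected before editing the file.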