When troubleshooting an application or service that makes calls to the NSS layer through the nss_vas module, it is often useful to see exactly what is being returned by the associated NSS function call in the C runtime library (libc/glibc).
VAS provides a method, through vastool, to execute specific NSS queries and see exactly what is being returned. The information below covers the command usage and describes the associated NSS calls.
Usage: vastool nss
{ getpwnam ... | getpwuid ... | getpwent | getspnam | getspent | getgrnam ... | getgrgid ... | getgrent}
getpwnam() - function returns a pointer to a structure containing the broken out fields of a line from /etc/passwd for the entry that matches the user name "name".
getpwuid() - function returns a pointer to a structure containing the broken out fields of a line from /etc/passwd for the entry that matches the user uid "uid".
getpwent() - function returns a pointer to a structure containing the broken out fields of a line from /etc/passwd. The first time it is called it returns the first entry; thereafter, it returns successive entries.
getspnam() - function returns a pointer to a structure containing the broken out fields of a line from /etc/shadow for the entry that matches the user name "name".
getspent() - function returns a pointer to the next entry in the shadow password file. The position in the input stream is initialized by setspent(). When done reading, the program may call endspent() so that resources can be deallocated.
getgrnam() - function returns a pointer to a structure containing the group information from /etc/group for the entry that matches the group name "name".
getgrgid() - function returns a pointer to a structure containing the group information from /etc/group for the entry that matches the group gid "gid".
getgrent() - function returns a pointer to a structure containing the group information from /etc/group. The first time it is called it returns the first entry; thereafter, it returns successive entries.
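To cross-check what a vastool nss getpwnam query reports, the following C program performs the same kind of lookup directly through libc and prints the returned fields as a passwd-style line. It is an added example, not part of the original article or of the vendor's tooling; it uses getpwnam_r(), the reentrant variant of getpwnam(), and the names lookup_user and format_passwd are illustrative. It separates "no entry found" from "the lookup itself failed", which is usually the first thing to establish when an NSS source misbehaves.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum lookup { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_ERROR };

/* Render an entry as the seven colon-separated fields of an /etc/passwd line. */
static int format_passwd(const struct passwd *pw, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s:%s:%lu:%lu:%s:%s:%s", pw->pw_name,
                     pw->pw_passwd, (unsigned long)pw->pw_uid,
                     (unsigned long)pw->pw_gid, pw->pw_gecos, pw->pw_dir, pw->pw_shell);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Look a name up through the sources configured for NSS. A NULL result with
 * rc == 0 means "no such entry"; a non-zero rc is an errno value from the lookup. */
static enum lookup lookup_user(const char *name, char *out, size_t outlen, int *err)
{
    struct passwd pw, *res = NULL;
    size_t buflen = 1024;
    char *buf = malloc(buflen), *tmp;
    int rc = ENOMEM;
    while (buf && (rc = getpwnam_r(name, &pw, buf, buflen, &res)) == ERANGE) {
        tmp = realloc(buf, buflen *= 2);   /* entry did not fit: grow and retry */
        if (!tmp) { free(buf); rc = ENOMEM; }
        buf = tmp;
    }
    if (res && format_passwd(res, out, outlen) != 0) { res = NULL; rc = ERANGE; }
    free(buf);
    *err = rc;
    return res ? LOOKUP_FOUND : (rc == 0 ? LOOKUP_NOT_FOUND : LOOKUP_ERROR);
}

int main(int argc, char **argv)
{
    char line[1024];
    int err;
    for (int i = 1; i < argc; i++) {
        enum lookup st = lookup_user(argv[i], line, sizeof line, &err);
        if (st == LOOKUP_FOUND) printf("%s\n", line);
        else if (st == LOOKUP_NOT_FOUND) printf("%s: no entry\n", argv[i]);
        else printf("%s: lookup failed: %s\n", argv[i], strerror(err));
    }
    return 0;
}
```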
Another useful way to gain additional information, when debugging NSS, is to set the environment variable NSS_VAS_STDERR_DEBUG to 1. This will cause the nss_vas module to log debug information, which can be used in conjunction with the aforementioned vastool nss commands to gain great insight into the specific issue.
Finally, to globally enable NSS debug logging from nss_vas to a file, set the "enable-debug" entry in the [nss_vas] stanza of /etc/opt/vas/vas.conf to "true". This can be done either with a text editor or by using the following command:
# /opt/quest/bin/vastool configure vas nss_vas enable-debug true
This will cause the NSS debug information to be logged to the /tmp/nss_vas.log file.
To stop the logging, simply remove the entry from vas.conf or run the command again without the word "true" at the end:
# /opt/quest/bin/vastool configure vas nss_vas enable-debug
Please note that this debug setting is deprecated in newer versions of Authentication Services. The proper way to enable debug is to run
# touch /var/opt/quest/vas/.qas_id_dbg
then follow the output of /tmp/qas-module.log.