In a one-way trust environment, vastool status reports: FAILURE: 418 vas_host_services principal is unusable revoked credential
When vastool flush is run, the following is seen:
Caching Users ... ERROR: Error receiving IPC buffer from server: Connection timed out ERROR: Failed to send/recv User Flush IPC request, payload_err=110 Failed ERROR: Failed to send Users Flush IPC, error=110
RESOLUTION:
1 - Change the password on the service account and sync it to the keytab.
2 - Set the "password never expires" flag on the service account.
TROUBLESHOOTING COMMANDS:
1 - Verify which service account name and keytab file are being used for the one-way trust. Check the vas_host_service setting in the /etc/opt/quest/vas/vas.conf file.
2 - View the attributes of the service account and note the Service Principal name that is set:
/opt/quest/bin/vastool -u host/ attrs -q / sAMAccountName
3 - Validate that you can authenticate as the service account and that you can get tickets.
/opt/quest/bin/vastool -u -k kinit -S service/
/opt/quest/bin/vastool ktutil -k list
5 - You can change the password on the service account and store a hash of it in the keytab file.
-r says to create a random password.
6 - If you need to recreate the keytab file, review KB 122644.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.