Users are not loading from a domain with a one-way trust. Vastool status is reporting the following error:
FAILURE: 412 vas_host_services entry for domain <domain.com> keytab </etc/opt/quest/vas/trust.keytab> missing entry for <trust/host.domain@domain.com>
Check that the following setting is correctly configured in "/etc/opt/quest/vas/vas.conf":
[vas_host_services]
trusted.com = {
krb5name = keytab/server.domain@domain.com
}
The krb5name should match the SPN in the keytab for the trusted domain. Run the following against the keytab to confirm:
# vastool ktutil -k /etc/opt/quest/vas/trust.keytab list
See the vas.conf man page for details on this setting.
If the entry is missing from the keytab list, it can be aliased into the keytab. For example:
/opt/quest/bin/vastool ktutil -k /etc/opt/quest/vas/trust.keytab alias account-vasoneway@DOMAIN.COM vasoneway/host.domain@domain.com
In the above example, account-vasoneway@DOMAIN.COM is any existing entry from the list command, and vasoneway/host.domain@domain.com is the missing entry reported by vastool status in the 412 error.
Run vastool status again to confirm the error is resolved.
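The comparison described above can be scripted. The following is an added example, not One Identity code: it reads each krb5name under [vas_host_services] in a vas.conf-style file and checks it against a saved copy of the keytab listing. The function name check_trust_spns, the token-based matching of the listing, and the exact case-sensitive comparison are assumptions.

```shell
#!/bin/sh
# Added example. Usage: check_trust_spns VAS_CONF LISTING
#   LISTING is saved output of: vastool ktutil -k <keytab> list
# Prints "<domain> <krb5name> OK|MISSING"; returns 1 if any entry is MISSING.
check_trust_spns() {
    awk '
        # Listing file: remember every whitespace-separated token, so the
        # check does not depend on the column layout of the listing.
        FILENAME == ARGV[1] { for (i = 1; i <= NF; i++) seen[$i] = 1; next }
        # vas.conf: track whether we are inside [vas_host_services].
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[vas_host_services\][ \t]*$/); next }
        !in_sec { next }
        # "trusted.com = {" opens a per-domain block.
        /=[ \t]*[{][ \t]*$/ { dom = $1; next }
        /^[ \t]*krb5name[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            # Exact, case-sensitive string comparison (an assumption).
            status = (val in seen) ? "OK" : "MISSING"
            if (status == "MISSING") bad = 1
            print dom, val, status
        }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# Constructed sample input built from the values shown on this page;
# the listing line is not real vastool output.
demo_dir=$(mktemp -d)
printf '%s\n' '[vas_host_services]' 'trusted.com = {' \
    'krb5name = keytab/server.domain@domain.com' '}' > "$demo_dir/vas.conf"
printf '%s\n' 'account-vasoneway@DOMAIN.COM' > "$demo_dir/list.txt"
check_trust_spns "$demo_dir/vas.conf" "$demo_dir/list.txt" \
    || echo "krb5name not in keytab: alias it in or correct vas.conf"
rm -rf "$demo_dir"
```

A MISSING line corresponds to the condition vastool status reports as error 412.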