Groups disappear or are not served from the NSS/NIS interface. The groups exist in the VAS cache (vastool list group <name> works), but are not seen by the OS (vastool nss getgrnam group <name> fails).
OSes: Seen on Solaris and HP-UX for NSS, any OS for NIS.
On Solaris and HP, and in NIS, the buffer structure that holds group information is of a fixed size. NIS has a limitation of 1024 bytes.
RESOLUTION 1:
For cross-domain users, VAS fills out both name and name@domain entries for matching.
This can take up additional space in the buffer.
To disable that, run:
/opt/quest/bin/vastool configure vas nss_vas cross-domain-user-full-upn false
and restart vasd.
RESOLUTION 2:
The other option is to split the groups, a popular option for NIS groups due to the small size limit.
Create multiple groups (grp, grp1, grp2, etc.) that all have the original group's GID and root name, with increasing numbers appended.
Split the members between the additional groups.
At the OS layer the memberships will show up as the root group, because the group is resolved from the GID.
Both of these reduce the amount of information in a group, reducing its size so all information can fit in the buffer.
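A sketch of the manual split in Resolution 2, added here as an example (not One Identity's code): it packs members into grp, grp1, grp2, ... lines that share one GID and each stay within the 1024-byte NIS limit. It assumes the limit is measured over the whole group(5) line name:x:gid:members; the group name, GID and member names below are constructed.

```python
NIS_LIMIT = 1024  # bytes, the NIS value limit stated in this article


def entry(name, gid, members):
    """Render one group(5) line: name:passwd:gid:member,member,..."""
    return f"{name}:x:{gid}:{','.join(members)}"


def split_group(name, gid, members, limit=NIS_LIMIT):
    """Return group(5) lines named name, name1, name2, ... that share one GID,
    each at most `limit` bytes long, together listing every member once."""
    lines, current, index = [], [], 0

    def chunk_name(i):
        # The first chunk keeps the root name; later chunks get a numeric suffix.
        return name if i == 0 else f"{name}{i}"

    def size(i, chunk):
        return len(entry(chunk_name(i), gid, chunk).encode())

    for member in members:
        # Close the current chunk when adding this member would overflow it.
        if current and size(index, current + [member]) > limit:
            lines.append(entry(chunk_name(index), gid, current))
            current, index = [], index + 1
        current.append(member)
        # Only reachable with a single member: the name alone is too long.
        if size(index, current) > limit:
            raise ValueError(f"{member!r} does not fit in {limit} bytes")
    lines.append(entry(chunk_name(index), gid, current))
    return lines


if __name__ == "__main__":
    # Constructed sample: 200 members with 8-character names.
    members = [f"user{n:04d}" for n in range(200)]
    whole = entry("unixadm", 5000, members)
    print(f"unsplit: {len(whole)} bytes (limit {NIS_LIMIT})")
    for line in split_group("unixadm", 5000, members):
        name, _, gid, mem = line.split(":")
        print(f"{name} gid={gid} members={len(mem.split(','))} bytes={len(line)}")
```

The output lists the group names to create and how many members go into each; the groups themselves still have to be created and populated in the directory.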
AIX and Linux do not have this issue for NSS, as they support dynamically sized buffers.
The buffer size on Solaris is about 8K, and allows for around 531 users of 8-character name length before failing.
Numbers for HP are not known; they are likely similar.
For NIS, it is 1024 bytes.
Once the membership list is larger than can fit in the available space, VAS will stop serving that group to the OS through NSS/NIS.
For NIS and VASYPD, an entry can be placed in vas.conf to automatically split groups into multiple responses so that all responses are returned during a ypcat. This setting can be applied to vas.conf manually, via vgp, or by running '/opt/quest/bin/vastool configure vas vasypd split-groups true'.
split-groups = <true> | <false>
Default value: false
NIS has a limitation of 1024 characters in a returned value. If a value is found to exceed this
limit it is not returned. For groups this means once a group exceeds a certain number of members it
will virtually disappear. This option splits the groups into multiple responses, so that all
memberships are returned during a ypcat. It will also allow the group to return from a ypmatch
call, minus the membership information.
[vasypd]
split-groups = true