-
Title
How to test Unix host where time is set to the future -
Description
You need to test Unix servers with the system date set for a date in the future. How can this be accomplished?
-
Resolution
RESOLUTION 1:
Change the "Maximum tolerance for computer clock syncronization" in Active Directory.
http://technet.microsoft.com/en-us/library/cc779260.aspx
RESOLUTION 2:You can add the permanent disconnect users by adding a setting into the vas.conf. Then put QAS into disconnected mode.
QAS does perm-disconnected auth by treating the user account as a service account, and aquiring a service ticket ( credential ) for that account. Then the password can be used in a disconnected situation to try and decrypt the credential. These tickets are all gathered the first time by the /opt/quest/libexec/vas/vasd/vasdis_helper binary, along with the users pwdlastset. After they are stored, for updates the pwdLastSet of the individual users are checked, and a new ticket only downloaded when the password is changed. The tickets can be viewed by running /opt/quest/bin/vastool klist -c /var/opt/quest/vas/authcache/.krb5cc_auth_ust
To set permanent disconnect users you can run the command: vastool configure vas vas_auth perm-disconnected-users jdoe@example.com, unixAdmins
For more information on this setting see the vas.conf Man page included with the product download in the docs folder.
Please also read the KB article titled How current are the passwords for permanent disconnected users and how can we verify that the accounts have been cached? https://support.quest.com/Search/SolutionDetail.aspx?id=SOL41025
RESOLUTION 3:Set the disauth expiring date to huge date past the future time that has been set.
You can accomplish this with the password-cache-age setting.
password-cache-age = <integer (days)>
Default value: 30QAS allows disconnected mode authentication with locally cached password hashes. These hashes are cached anytime a user logs in, but they are only good for a limited amount of time. Every 24 hours vasd will check all hashes in the authentication cache. If any of these hashes have a time stamp older than the password-cache-age, they are removed from the authentication cache and disconnected authentication will fail for that user. The password-cache age is specified in days. For example, to change the password-cache age to 5 days, change the option as follows:
[vas_auth]
password-cache-age = 5The idea being that anyone that needs to use the system logs in so they have that cached, then stop vasd, increase the machine's time, and go from there.
Logins/lookups should still work if the cache doesn't expire them.