Run the following command, which edits /etc/opt/quest/vas/vas.conf and enables the setting:
/opt/quest/bin/vastool configure vas nss_vas groups-for-user-update true
Please note: If you use Group Policy to push out your vas.conf settings, you should also add the setting to your policy.
Information about the setting from the vas.conf MAN page:
groups-for-user-update = <true | false>
Default value: false
If it is necessary to get nested group information without a user logging in, you must enable "groups-for-user" updates from nss_vas. This will cause nss_vas to trigger vasd to perform a search for the given user which will update the local cache group memberships for groups that the user belongs to during a getpwnam() call. Normally, this information is obtained from the Kerberos tickets during login through pam_vas. However, for logins through applications that do not use pam_vas, this nested group information will not be available without this option set to true.
Note that this does impact performance as it requires additional work to be done by nss_vas and vasd during a call to getpwnam(). vasd looks up this information using the tokenGroups attribute for users. This is a constructed attribute that will return back the list of group SIDs that are usable in the Active Directory Domain where the user exists. Only enable this option if your infrastructure requires it and the performance impact is not too severe for your environment. Note there are limitations when using tokenGroups in a resource domain model, since Domain Local groups the user may be a member of will not be available in the computer's Domain.
Note: Quest recommends that you set the root-update-mode nss_vas setting to "force".
The following example shows how to turn on groups-for-user updates.
[nss_vas]
groups-for-user-update = true
root-update-mode = force
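A section-aware check for the two settings shown above, as an added example (not Quest's own tooling). It reports a setting only when it appears uncommented under [nss_vas]; the helper names vas_conf_get and vas_groups_for_user_ok are hypothetical, and the sample files are constructed.

```shell
# Added example; vas_conf_get and vas_groups_for_user_ok are hypothetical helpers.
# Print the value of KEY inside [SECTION] of FILE (last assignment wins).
vas_conf_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*#/ { next }                 # skip commented-out lines
        /^[ \t]*\[/ {                       # section header such as [nss_vas]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Succeed only when both values match the example in the article exactly.
vas_groups_for_user_ok() {
    [ "$(vas_conf_get "$1" nss_vas groups-for-user-update)" = "true" ] &&
    [ "$(vas_conf_get "$1" nss_vas root-update-mode)" = "force" ]
}

# Constructed sample files, not taken from a real host.
SAMPLE_GOOD=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_GOOD" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_GOOD" <<'EOF'
[nss_vas]
 groups-for-user-update = true
 root-update-mode = force
EOF
cat > "$SAMPLE_BAD" <<'EOF'
[vasd]
 groups-for-user-update = true
[nss_vas]
 # groups-for-user-update = true
 root-update-mode = force
EOF

vas_groups_for_user_ok "$SAMPLE_GOOD" && echo "good sample: both settings set"
vas_groups_for_user_ok "$SAMPLE_BAD" || echo "bad sample: not set under [nss_vas]"
```

To run the same check on a host, pass /etc/opt/quest/vas/vas.conf to vas_groups_for_user_ok.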