When AD users are added to local groups this does not function as expected.
The functionality to add QAS users to local groups has been implemented in Authentication Services as of version 4.1.0-21630.
The following KB article gives full details.
How to configure:
1) Check that your systems are configured for LAM authentication in /etc/security/login.cfg:
auth_type = STD_AUTH
2) Set the following in vas.conf:
include-local-group-memberships = true
It can be set by running the following or manually:
/opt/quest/bin/vastool configure vas aix_vas include-local-group-memberships true
3) Merge the users, or a single user, so that they are seen as local and the native user management commands will run:
/opt/quest/bin/vastool merge users
/opt/quest/bin/vastool merge user username
4) Add the user or users to the group using the native commands, for example:
mkgroup -A localaix
Modify the local or merged user to be part of the local group:
usermod -G localaix aduser
5) Make sure the AD user is in the local group.
6) Unmerge the AD users. This will remove them from /etc/passwd:
/opt/quest/bin/vastool unmerge users
7) Test that the system sees local and AD users as being in the same group:
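Added example (not part of the original KB article and not Quest tooling): a shell check that the settings from steps 1 and 2 are in place and that, after step 6, the AD user is listed in the local group but no longer in /etc/passwd. It assumes auth_type sits in the usw: stanza of login.cfg, that the vastool command in step 2 writes to the [aix_vas] section of vas.conf at /etc/opt/quest/vas/vas.conf, and that local group members are listed in /etc/group.

```sh
#!/bin/sh
# Added example: verifies the settings from steps 1-2 and the end state after step 6.
# Assumptions: auth_type sits in the "usw:" stanza of login.cfg, the vastool
# command in step 2 writes to the [aix_vas] section of vas.conf, and local
# group members are listed in /etc/group.

# conf_value FILE HEADER KEY: print KEY's value under HEADER ("usw:" or "[aix_vas]")
conf_value() {
    awk -v hdr="$2" -v key="$3" '
        /^[ \t]*[*#]/ { next }                 # "*" (AIX) and "#" (vas.conf) comments
        {
            line = $0; gsub(/[ \t\r]/, "", line)
            if (line ~ /^\[.*\]$/ || line ~ /^[^=]+:$/) { in_s = (line == hdr); next }
            eq = index(line, "=")
            if (in_s && eq && substr(line, 1, eq - 1) == key) { print substr(line, eq + 1); exit }
        }' "$1"
}

# in_group GROUPFILE GROUP USER: succeed if USER is in GROUP's member list
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1"
}

# in_passwd PASSWDFILE USER: succeed if USER has a local passwd entry
in_passwd() { awk -F: -v u="$2" '$1 == u { ok = 1 } END { exit !ok }' "$1"; }

# check_host LOGIN_CFG VAS_CONF GROUPFILE PASSWDFILE GROUP USER
check_host() {
    rc=0
    [ "$(conf_value "$1" usw: auth_type)" = "STD_AUTH" ] ||
        { echo "FAIL: auth_type is not STD_AUTH in $1"; rc=1; }
    [ "$(conf_value "$2" '[aix_vas]' include-local-group-memberships)" = "true" ] ||
        { echo "FAIL: include-local-group-memberships is not true in $2"; rc=1; }
    in_group "$3" "$5" "$6" || { echo "FAIL: $6 is not a member of $5 in $3"; rc=1; }
    if in_passwd "$4" "$6"; then echo "FAIL: $6 still in $4 (not unmerged)"; rc=1; fi
    return "$rc"
}

# Usage: script GROUP USER   (vas.conf path below is an assumed default location)
if [ "$#" -eq 2 ]; then
    check_host /etc/security/login.cfg /etc/opt/quest/vas/vas.conf \
        /etc/group /etc/passwd "$1" "$2" && echo "OK"
fi
```

Run it as root with the group and user from step 4, for example localaix and aduser; each FAIL line names the step that still needs attention.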
WORKAROUND: (For versions of Authentication Services older than 4.1.0-21630.)
1 - Create an Active Directory (AD) group and a local group of the same name. This is also referred to as mirroring in groups.
2 - Then put local users in local groups and AD users in AD groups. This will return the correct group membership.