When an AD user su's into a local user on an AIX system using LAM, group membership isn't always obtained properly.
Pending fix in a future maintenance release.
1 - Upgrade to QAS 4.1.5 or higher
2 - Set groups-for-user-update = false by running the following command:
Information about the setting from the vas.conf man page:
groups-for-user-update= <true | false>
Default value: false
If it is necessary to get nested group information without a user logging in, you must enable "groups-for-user" updates from nss_vas. This will cause nss_vas to trigger vasd to perform a search for the given user which will update the local cache group memberships for groups that the user belongs to during a getpwnam() call. Normally, this information is obtained from the Kerberos tickets during login through pam_vas. However, for logins through applications that do not use pam_vas, this nested group information will not be available without this option set to true.
Note that this does impact performance as it requires additional work to be done by nss_vas and vasd during a call to getpwnam(). vasd looks up this information using the tokenGroups attribute for users. This is a constructed attribute that will return back the list of group SIDs that are usable in the Active Directory Domain where the user exists. Only enable this option if your infrastructure requires it and the performance impact is not too severe for your environment. Note there are limitations when using tokenGroups in a resource domain model, since Domain Local groups the user may be a member of will not be available in the computer's Domain.
Note: Quest recommends that you set the nss_vas root-update-mode setting to "force".
The following example shows how to turn on groups-for-user updates.
[nss_vas]
groups-for-user-update = true
root-update-mode = force
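To verify what a host actually has configured before and after the change, the following added script (not part of the Quest article or the QAS product) reads a key out of the [nss_vas] section of a vas.conf-style file and reports the effective groups-for-user-update value, applying the man-page default of false when the key is absent. It assumes only the INI-like layout shown above ("[section]" headers and "key = value" lines); the two sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect [nss_vas] settings in a vas.conf-style file.
# Assumes "[section]" headers and "key = value" lines, as shown in the article.

# vas_nss_setting FILE KEY
# Prints the value of KEY inside the [nss_vas] section of FILE; prints nothing if unset.
# Comment lines (# or ;) and keys in other sections are ignored.
vas_nss_setting() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[nss_vas\][[:space:]]*$/); next }
        in_sec && $0 !~ /^[[:space:]]*[#;]/ {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# groups_for_user_update_effective FILE
# Prints the effective value of groups-for-user-update: the configured value,
# or "false" (the man-page default) when the key is not present in [nss_vas].
groups_for_user_update_effective() {
    v=$(vas_nss_setting "$1" groups-for-user-update)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'false\n'; fi
}

# Constructed sample 1: key left unset, so the default (false) applies.
SAMPLE_DEFAULT=$(mktemp)
cat >"$SAMPLE_DEFAULT" <<'EOF'
[example_section]
; constructed section, present only to show that other sections are skipped
groups-for-user-update = true

[nss_vas]
# groups-for-user-update intentionally not set here
root-update-mode = force
EOF

# Constructed sample 2: the configuration from the article, with updates enabled.
SAMPLE_ENABLED=$(mktemp)
cat >"$SAMPLE_ENABLED" <<'EOF'
[nss_vas]
groups-for-user-update = true
root-update-mode = force
EOF

# Run the script as-is to print the effective value for each sample.
printf 'default sample: %s\n' "$(groups_for_user_update_effective "$SAMPLE_DEFAULT")"
printf 'enabled sample: %s\n' "$(groups_for_user_update_effective "$SAMPLE_ENABLED")"
```

Point it at the real /etc/opt/quest/vas/vas.conf on the AIX host to confirm the value that nss_vas will see.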