-
Title
Errors in vasproxyd after upgrade -
Description
After an upgrade to QAS 4.0, users are denied access to vasproxyd services that they used to be able to access in VAS 3.5
-
Cause
In VAS 3.5, if either the <service>.allow or <service>.deny service-level access control file was missing, then the corresponding users.allow or users.deny file would be used.
In QAS 4.0, any missing service-level access control file is treated as an empty file and thus treated as though there were no corresponding allow or deny rules for that service. -
Resolution
Run the following commands, where service-name is the name of the service defined in the [vasproxyd] stanza of the vas.conf file, and user-name is an account that should be allowed to use that service. If you see something like the DENIED line in the second case, investigate /etc/opt/quest/vas/users.allow and users.deny and the files in /etc/opt/quest/vas/access.d/ to be sure that the user is allowed to access the service. See the man pages for vasproxyd and pam_vas for more details.
$ sudo /opt/quest/bin/vastool user checkaccess user-name
ALLOWED [user=user-name] [service=login]$ sudo /opt/quest/bin/vastool user checkaccess -s service-name user-name
Access policy denial. User is not authorized to access this host.
DENIED (access denied) [user=user-name] [service=service-name]
Access Rule = [Only Allow rules defined, user does not match any allow rule]