What does a vastool flush do?
What happens during a flush?
How does Authentication Services interact with Active Directory?
How does the cache work?
vastool flush goes out to Active Directory and reloads the cache. vasd caches information about the Active Directory environment such as schema, site, domain controllers and global catalogs, along with users and groups.
Here is the syntax of some options that can be used with the command:
Usage: vastool flush [-rlx] [command]
Commands:
keytab
statedir
ccaches
accounts
auth
srvinfo
users
groups
netgroup
ns
negcache
pwdpolicies [domain1 domain2 ...]
-r Don't reload the caches after flushing them
-l Reload caches even if vasd isn't running (Deprecated)
-x Used with auth, only clear expired password hashes from authcache
Here is the information from the vastool man page concerning vastool flush:
vastool flush can be used to clear the vasd cache. This command must be run as root.
vastool [vastool options] flush [-r] [-l] [-x]
vastool [vastool options] flush [-r] [-x] keytab
vastool [vastool options] flush [-r] [-x] statedir
vastool [vastool options] flush [-r] [-x] ccaches
vastool [vastool options] flush [-r] [-x] accounts
vastool [vastool options] flush [-r] [-x] auth
vastool [vastool options] flush [-r] [-x] srvinfo
vastool [vastool options] flush [-r] [-x] users
vastool [vastool options] flush [-r] [-x] groups
vastool [vastool options] flush [-r] [-x] netgroup
vastool [vastool options] flush [-r] [-x] ns
vastool [vastool options] flush [-r] [-x] pwdpolicies [domain list]
vastool [vastool options] flush negcache
Flushing the accounts cache will remove all cached user, group and NIS Map information. This forces vasd to do complete lookups the next time it receives any request from the NSS module.
Flushing the auth cache will remove all cached user passwords. These are stored as SHA1 hashes in a secure file that is only accessible by root.
Flushing the users cache will delete all cached user account information, flushing the groups cache will delete all cached group information, and flushing the netgroup cache will delete all cached netgroup information.
Flushing the keytab will delete the QAS host keytab file. Flushing the statedir will delete all of the QAS state information. Flushing the keytab or statedir does not recreate the respective information, so these should only be used during uninstallation of the QAS client.
Flushing the srvinfo cache will clear out the known servers and a new server will be picked for communication.
Flushing ccaches will cause every ccache with a name/location matching the default_cc_name (or, if the renewal-patterns option has been specified in /etc/opt/quest/vas/vas.conf, every ccache matching the renewal patterns) either to have all renewable tickets renewed or, if the cache contains no valid unexpired tickets, to be removed.
The caching daemon maintains a cache of users and groups that could not be found when searching the directory. This cache is referred to as the negative cache. Once an item is in the negative cache no further attempts will be made to find the user/group in the directory until the negative cache entry has expired. The default negative cache lifetime is very short (10 seconds), but it can be increased to suit environmental needs. If entries need to be removed from the negative cache before their lifetime has expired, the contents of this cache can be cleared by running vastool flush negcache.
Flushing password policy cache information should not be necessary except on Windows 2008 domains. In Windows 2008 domains, the password policy cache should only be flushed using administrator privileges. The fine-grained password policies introduced in Windows 2008 are stored in the system password settings container. The default ACLs on this container prevent non-administrative users from reading its contents. This means that if a non-administrative user flushes the password policy cache, only the default domain password policy will be reloaded (nothing else can be read). Password policies are loaded at join time using the credentials provided for joining.
vasd will attempt to update password policies every 6 hours using the host credentials, so an alternative to flushing password policies every time they change is to modify the ACLs in Active Directory to allow Unix host objects the ability to read the contents of the password settings container.
If your password policy information is out of date, the domain controller will still enforce all password policies when tickets are requested. The only time the domain controller cannot enforce these policies is during a type of authentication where no ticket is requested, such as SSH key authentication. Additionally, password policy information is used to generate the password age information returned from the shadow interface, so this shadow information can naturally be out of date if the password policy information is not up to date.
The users and groups cache will be regenerated after being flushed, unless the -r option is specified. When in workstation mode, the users that have previously logged in will be reloaded as well, unless -r is specified.
The ns command will flush all name service caches: users, groups, and netgroups.
The netgroup cache will also be regenerated after being flushed, as long as the [vasd] netgroup-mode configuration option is set, otherwise the netgroup entries will be removed. The -r option does apply to netgroups, and if specified, the netgroup cache will not be rebuilt, regardless of whether it is configured or not.
If the -l option is specified, the caches are reloaded even if vasd isn't running. This option has been deprecated as of QAS 4.0.
If the -x option is specified in conjunction with the auth cache option, the password hashes from the authcache will only be removed if they are older than the configurable max password age. There is no max password age by default. See the /etc/opt/quest/vas/vas.conf man page documentation for the password-cache-age [vas_auth] section for information on modifying the maximum password age.
If you do not specify an argument to vastool flush, then the accounts and auth arguments will be implied, and all user/group account information, NIS Map information, and cached passwords will be deleted.
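The following POSIX sh wrapper is an added example (not One Identity code or part of the vastool product) that applies the rules described above before running a flush: it requires root, only accepts the cache names from the usage text, allows -x only with the auth cache, and refuses keytab and statedir (which delete the host keytab and state and are not rebuilt) unless an explicit --allow-destructive flag is passed for uninstall. It assumes vastool is installed at /opt/quest/bin/vastool (override with the VASTOOL environment variable) and does not handle the optional pwdpolicies domain list.

```shell
#!/bin/sh
# Guarded wrapper around `vastool flush`.
# Added example, not vendor code. Assumed binary path below; subcommand
# names and the -r/-x flags are those listed in the vastool usage text.

VASTOOL="${VASTOOL:-/opt/quest/bin/vastool}"

# Caches vasd rebuilds (or that are safe to clear) in normal operation.
SAFE_CACHES="accounts auth srvinfo users groups netgroup ns negcache pwdpolicies ccaches"
# Caches that are NOT recreated after a flush; only meaningful during uninstall.
DESTRUCTIVE_CACHES="keytab statedir"

# is_in_list WORD ITEM... : returns 0 if WORD equals one of ITEM...
is_in_list() {
    needle=$1; shift
    for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
    return 1
}

# build_flush_cmd CACHE [-r] [-x] [--allow-destructive]
# Validates the request and prints the vastool command line on stdout.
# Returns 1 (with a reason on stderr) if the request is rejected.
build_flush_cmd() {
    cache=$1; shift
    reload_flag=""; expired_flag=""; allow_destructive=0
    for opt in "$@"; do
        case $opt in
            -r) reload_flag="-r" ;;                  # do not rebuild the cache
            -x) expired_flag="-x" ;;                 # auth only: drop expired hashes
            --allow-destructive) allow_destructive=1 ;;
            *) echo "unknown option: $opt" >&2; return 1 ;;
        esac
    done

    if is_in_list "$cache" $DESTRUCTIVE_CACHES; then
        if [ "$allow_destructive" -ne 1 ]; then
            echo "refusing to flush '$cache': it deletes QAS host keytab/state" \
                 "and is not rebuilt; pass --allow-destructive only during uninstall" >&2
            return 1
        fi
    elif ! is_in_list "$cache" $SAFE_CACHES; then
        echo "unknown cache '$cache'" >&2
        return 1
    fi

    # -x is only meaningful together with the auth cache.
    if [ -n "$expired_flag" ] && [ "$cache" != "auth" ]; then
        echo "-x only applies to the auth cache" >&2
        return 1
    fi

    printf '%s flush' "$VASTOOL"
    [ -n "$reload_flag" ] && printf ' %s' "$reload_flag"
    [ -n "$expired_flag" ] && printf ' %s' "$expired_flag"
    printf ' %s\n' "$cache"
}

# run_flush CACHE [opts...] : enforce root (vastool flush must run as root),
# record what is being flushed on stderr, then execute the command.
run_flush() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    cmd=$(build_flush_cmd "$@") || return 1
    echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) flushing: $cmd" >&2
    $cmd
}

# Usage: ./flush_guard.sh auth -x      (no arguments: only define functions)
[ $# -eq 0 ] || run_flush "$@"
```

Running the script as a non-root user fails before anything is executed, and a request such as `flush_guard.sh keytab` is rejected unless --allow-destructive is given, so an operator cannot remove the host keytab by accident while clearing the user or password caches.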