Users from groups added to the users.allow file are not allowed to log in.
Checking the QAS cache shows the group is missing its Security Identifier (SID).
E.g.:
# /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "select * from access_control"
A|G|YOURDOMAIN.COM\admgroup||2||LOCAL
The correct output should be similar to the following:
# /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "select * from access_control"
A|G|YOURDOMAIN.COM\admgroup|S-1-5-21-2861478782-3709729629-1788112043-1123|2||LOCAL
When using "vastool user checklogin", the user is shown as not allowed even though the account is a member of the group within users.allow:
# /opt/quest/bin/vastool user checklogin js01
Password for js01@YOURDOMAIN.COM:
Access for service login by js01 is not allowed, access service denied.
Access Rule = [Only Allow rules defined, user does not match any allow rule]
The following errors may be seen in syslog after the user unsuccessfully tries to authenticate:
"sshd[10197]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[17] while authenticating: User account has expired"
"vascache_user_check_access_pac: access check using access_mode=LOCAL unauthorized user: js01@YOURDOMAIN.COM attempted to log into this computer through service sshd"
"pam_vas: pam_sm_authenticate: checking account status for user js01 failed with 2509"
The initial population of the access control table is missing the SIDs.
There are several ways to force QAS to reload the access control table; either of the following should work:
1. Edit the users.allow (or users.deny) file, by changing the order of the lines or by adding a blank line, then wait 60 seconds and the next user login should succeed.
2. Rename the users.allow and users.deny files (say, to users.allow.sav and users.deny.sav) and restart vasd. Rename the files back to their proper names and restart vasd again.
To verify that the access control table has been fixed, run the following command as root:
/opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/vasd/vas_ident.vdb "select * from access_control;"
You should see a list of groups with their SIDs.
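The verification step above can be scripted. This is an added example, not part of the original article or of the QAS tooling: it scans the access_control output and lists group rows whose SID column is empty. The column positions are inferred from the sample rows shown earlier, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag access_control rows that have no SID.
# Column layout is an assumption inferred from the article's sample rows:
#   field 2 = entry type ("G" in the samples), field 3 = name, field 4 = SID.

SQLITE=/opt/quest/libexec/vas/sqlite3
IDENT_DB=/var/opt/quest/vas/vasd/vas_ident.vdb

# Read pipe-delimited rows on stdin and print each group name whose SID
# field is empty or not SID-shaped.
# Exit status: 0 = every group row has a SID, 1 = at least one is missing.
find_missing_sids() {
    awk -F'|' '
        $2 == "G" && $4 !~ /^S-1-[0-9]+(-[0-9]+)+$/ {
            print $3
            missing = 1
        }
        END { exit (missing ? 1 : 0) }
    '
}

# Query the live cache (run as root on the QAS host).
check_qas_cache() {
    "$SQLITE" "$IDENT_DB" "select * from access_control" | find_missing_sids
}

# The two rows shown in this article: one broken, one correct.
sample_rows() {
    printf '%s\n' \
        'A|G|YOURDOMAIN.COM\admgroup||2||LOCAL' \
        'A|G|YOURDOMAIN.COM\admgroup|S-1-5-21-2861478782-3709729629-1788112043-1123|2||LOCAL'
}

if [ "${1:-}" = "--live" ]; then
    # Report against the real cache; a non-zero status means the table
    # still needs to be reloaded using one of the methods above.
    check_qas_cache && echo "access_control: all groups have SIDs"
else
    # Offline demonstration on the article's sample rows.
    echo "Groups missing a SID in the sample rows:"
    sample_rows | find_missing_sids || true
fi
```

Run it with --live as root after applying one of the reload methods; any group name it prints is still missing its SID.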
This issue is resolved in the most recent versions of QAS. Please download and install the latest version of QAS from the Downloads & Updates section of the Quest website https://support.quest.com/SUPPORT/index?page=downloads