The configuration of the one-time passwords are applied periodically according to a configurable Group Policy refresh interval (by default every 90 minutes).
Note: Your machine must already be joined to the domain to force a Group Policy refresh.
To force a Group Policy refresh
The output from this command, when one-time passwords are successfully enabled, look similar to the following example:
root@testmachine:~# vgptool apply Group Policy Apply - CallType: REFRESH Updating VGP From Policy ------------------------ [vgp_vgpext.so] Accumulating Settings from GPOs ------------------------------- GPO: Defender DEMO CSE: vgp_defender.so GUID: 1EBC7D87-EFB7-4376-AA1E-3CE5850AC5E5 PTYPE: 786318DB-DE76-42F2-8A57-F1E0C3ACE113 Applying Settings Changes ------------------------- [vgp_licext.so] [vgp_vasext.so] [vgp_scecli.so] [vgp_sudoext.so] [vgp_dfc.so] [vgp_unixext.so] [vgp_sshcfg.so] [vgp_samba.so] [vgp_defender.so] Quest Defender Policy Adding Defender authentication module Current defender.conf (showing server information only) 10.5.37.22:1645 Current pam_radius_acl.conf *:testuser1 *:testuser2 *:testuser3 [vgp_qpm4u.so] [vgp_admext.so]
You can configure one-time password information manually. Manual configuration requires a machine running Authentication Services that has pam_defender installed. The machine must also be joined to an Active Directory domain. If an access node cannot be found that applies to the machine, no configuration changes are made.
To configure one-time passwords with vastool
/opt/quest/bin/vastool otp configure radius
The output from this command when one-time passwords are successfully enabled look similar to the following example:
root@testmachine:~vastool otp configure radius Configuring defender.conf Server: 10.5.37.22 Port: 1645 Configuring PAM Radius Access Control List testuser1 testuser2 testuser3
To configure pam for a specific service, such as gdm, run the following command as root:
/opt/quest/bin/vastool otp configure pam gdm
Note: When successful this command produces no output.
You can configure the pam_defender module to log debug information to a file.
To configure pam_defender to log debug information
Run the following command:
/opt/quest/bin/vastool otp configure trace <path to log file>
This creates the /tmp/pam_def.ini file that the defender pam module uses to determine whether it should log debug information and adds the necessary information to this file to configure full debug.