
Safeguard Authentication Services 5.0 - Administration Guide


Configuring netgroup support with name service

To configure Safeguard Authentication Services to resolve netgroup data from the name service module

  1. Run the following command as root to configure Safeguard Authentication Services for netgroup support:
    vastool configure vas vasd netgroup-mode NSS
  2. Run the following command as root to configure the Safeguard Authentication Services name service module:
    1. On Linux, Oracle Solaris, or HP-UX:
      vastool configure nss netgroup
    2. On AIX:
      vastool configure irs netgroup

      Note: To create a netgroup map, if needed, you can enter the following at the command line:

      nisedit -u <admin> add -m netgroup -f <an /etc/netgroup style file>

      For more information about the nisedit tool, see Using NIS map command line administration utility.

  3. Load the netgroup caches by running the following command as root:
    vastool flush netgroup
  4. To test the netgroup configuration, run the following command:

    vastool nss getnetgrent <netgroup name>

Unconfiguring netgroup support with name service

To prevent Safeguard Authentication Services from resolving netgroup data from the name service module

  1. Run the following command as root to remove name service netgroup support:
    vastool configure vas vasd netgroup-mode
  2. Run the following command as root to unconfigure netgroup support in the Safeguard Authentication Services name service module:
    1. On Linux, Oracle Solaris, or HP-UX:
      vastool unconfigure nss netgroup
    2. On AIX:
      vastool unconfigure irs netgroup
  3. Run the following command as root to configure the Safeguard Authentication Services name service module:
    1. On Linux, Oracle Solaris, or HP-UX:
      vastool configure nss
  4. Flush the netgroup caches by running the following command as root:
    vastool flush netgroup

Cache administration

To minimize network traffic and load on Active Directory, Safeguard Authentication Services maintains a local cache of user and group data.

You can force Safeguard Authentication Services to immediately reload the cache by running the following command as root:

vastool flush

Note: When you run vastool flush, the entire user and group cache database is reloaded from Active Directory. This can generate a significant amount of network traffic, so use this command sparingly.

Blackout period

It is not uncommon for systems to generate hundreds of user and group lookup requests per second. Because of this, Safeguard Authentication Services enforces a "blackout period" during which all name service requests are resolved from the local cache. By default, the blackout period is set to 10 minutes. This means that changes to Unix account information in Active Directory may take up to 10 minutes to propagate to Safeguard Authentication Services clients.

There are two events that cause Safeguard Authentication Services to update the local cache:

  • A user logs in
  • The blackout period expires

You can adjust the blackout period by changing the update-interval setting in the [vasd] section of vas.conf. For an example, refer to the vas.conf man page. See Using manual pages (man pages) for information about accessing the vas.conf man page. In small installations (fewer than 100 hosts or fewer than 100 users) you can safely reduce the blackout period. In larger installations, it is recommended that the blackout period remain at the default value or be set to 30 minutes or 1 hour.
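
The following shell functions, added here and not part of the One Identity documentation, read update-interval from the [vasd] section of a vas.conf-style file and flag a host whose blackout period exceeds a chosen limit. The seconds unit, the 600-second fallback, the function names and the sample file are assumptions; check the vas.conf man page for the actual unit.

```sh
#!/bin/sh
# Added example (not vendor code): audit the vasd blackout period in a vas.conf-style file.
DEFAULT_UPDATE_INTERVAL=600  # page: 10-minute default; the seconds unit is an assumption

# vasd_setting FILE KEY: print the value of KEY, read from the [vasd] section only.
vasd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/  { next }    # skip comment lines
        /^[ \t]*\[/ { in_vasd = ($0 ~ /^[ \t]*\[vasd\][ \t]*$/); next }
        in_vasd && (eq = index($0, "=")) > 0 {
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v   # last occurrence wins
        }
        END { if (val != "") print val }
    ' "$1"
}

# blackout_seconds FILE: effective update-interval, falling back to the default.
blackout_seconds() {
    v=$(vasd_setting "$1" update-interval)
    [ -n "$v" ] || v=$DEFAULT_UPDATE_INTERVAL
    case "$v" in *[!0-9]*) echo "invalid update-interval: $v" >&2; return 2 ;; esac
    echo "$v"
}

# blackout_check FILE MAX_SECONDS: return 1 when the propagation delay exceeds MAX_SECONDS.
blackout_check() {
    s=$(blackout_seconds "$1") || return 2
    if [ "$s" -gt "$2" ]; then
        echo "WARN: Active Directory changes may take up to $((s / 60)) min to reach this host"
        return 1
    fi
    echo "OK: blackout period is $((s / 60)) min"
}

# sample_conf: constructed input; [example] and its key are hypothetical decoys.
sample_conf() {
    cat <<'EOF'
[example]
 update-interval = 5
[vasd]
 # update-interval = 60
 update-interval = 1800
 netgroup-mode = NSS
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && blackout_check "$tmp" 900; rm -f "$tmp"
```

Run against the constructed sample with a 900-second limit, the check warns because the [vasd] value of 1800 is used and the commented-out line and the decoy section are ignored.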

Regardless of the blackout period, you can reset the blackout period timer by signaling vasd with SIGHUP, using the vasd init script to restart vasd, or by executing vastool flush.

To force Safeguard Authentication Services to update the cache immediately regardless of the blackout period, run this command:

vastool flush -f {users|groups}