Is it Vintela Authentication Services, Quest Authentication Services, Dell Authentication Services, Quest again, One Identity Authentication Services or Safeguard Authentication Services? It depends on which version you run and when you started using it. It is quite a mess for people who have used the software for the last 15+ years, but luckily the different versions have one thing in common: the vastool command-line utility, which is typically installed as /opt/quest/bin/vastool. I suggest verifying that /opt/quest/bin is in your PATH environment variable. This page may be too long to be a cheat-sheet, but you can always use search. In some places you will also find comparisons with the alternative AD/LDAP integration tool SSSD.
vastool has a lot of sub-commands; you can see them just by running vastool without any parameters, as below. Some vastool sub-commands also have their own sub-sub-commands.
You can always specify a user and password on the vastool command line with -u username and -p password, but if your host is already joined to AD you can also authenticate as the host itself with the principal host/, which uses the host keytab instead of a password.
NB! Use the links below, in the main vastool usage info, to jump to the relevant command. If there is no link, it is not covered... at least not yet.
If you need help for a specific vastool command, you can run it with -h, e.g. vastool -h status, but this does not work with all commands (inspect, for example).
View status about the operating environment. Really useful to see what is going on, e.g. whether the host is joined to the domain.
Show basic status information
Flush cached client daemon information. Run it after config changes to avoid anomalies. You can flush a specific cache, or all caches if you omit the cache name.
Flush all caches:
Hint: vastool flush is the same as sss_cache -E if you are using SSSD.
Join the computer to the domain. Joining can be done with a username/password or with a username and a pre-generated keytab. The user must have join/write privileges in AD, so I suggest generating a keytab instead of typing a password, and safeguarding that keytab as much as possible. Deleting the keytab from the host right after joining is a good idea, as are regular password changes together with keytab re-generation. It is also possible to implement a centralized joining solution so that the host being joined never sees the credentials; it just receives its host keytab.
Join host to domain. The command below joins the host to the domain example.com and creates the computer object in the LDAP container/path with DN “OU=Servers,DC=example,DC=com”.
“Join” host to domain with a pre-generated keytab. Useful with a centralized joining solution where you perform most of the joining actions (create the computer object in AD, generate the host keytab, add SPNs) on a different server. This also means you do not need high-privilege credentials (for AD modifications) on the target host. Generally this kind of “joining” only means that vastool generates the configuration file vas.conf and configures nsswitch and PAM.
Same as the previous one, but it also defines a site and static domain controllers for an already joined host. This is useful when you move a host to a network where the domain controllers cannot be located with a DNS lookup (SRV record query) and might also be read-only.
As in the previous example, this command also just generates vas.conf and does the nsswitch/PAM configuration. It adds the following to vas.conf (in addition to the previous config, if the domain remains the same):
So if you do not want to run the command above, you could just add this content to vas.conf manually and restart vasd.service, assuming nsswitch and PAM are already configured.
Remove the local computer from the domain. This removes the computer object from AD and disconnects from the domain. Also useful to run at the beginning of a re-join if needed.
Unjoin localhost from domain
Perform LDAP searches. You can search by any attribute and restrict which attributes are returned in the result. The only limitation is your ability to write LDAP queries.
Search user/account attributes; if the account is found, list all its attributes:
Search account/user group memberships, displaying only the memberOf attribute:
Note that the first line of the search result is the account DN, so if you need to count the groups a user belongs to, pipe the result through wc -l and subtract one, or just pipe it through grep like this:
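The group-count pitfall above (the DN line is not a group) as an added example, not code from the original page and not One Identity's: a few POSIX shell helpers that work on captured vastool search output. The sample output is constructed, and its layout (the DN on the first line, then one memberOf: line per group, LDIF style) is an assumption based on the page's description; the group names are made up.

```shell
#!/bin/sh
# Added example (not from the original page). Helpers for the output of
# `vastool search ... memberOf`, which the page describes as: first line is the
# object's DN, then the requested attributes. The sample below is constructed
# and its exact layout is an assumption.

SAMPLE_SEARCH_OUTPUT='CN=John Doe,OU=Users,DC=example,DC=com
memberOf: CN=linux-admins,OU=Groups,DC=example,DC=com
memberOf: CN=developers,OU=Groups,DC=example,DC=com
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com'

# Count only memberOf lines, so the leading DN line is never miscounted as a
# group (the "wc -l minus one" trick from the page, without the arithmetic).
count_groups() {        # $1 = captured search output
    printf '%s\n' "$1" | grep -c '^memberOf: '
}

# Print just the group name (the CN RDN value) of each memberOf line.
# Caveat: a CN containing an escaped comma ("\,") would be cut short here.
group_names() {         # $1 = captured search output
    printf '%s\n' "$1" | sed -n 's/^memberOf: CN=\([^,]*\),.*/\1/p'
}

# Exit 0 if the user is a direct member of the named group, 1 otherwise.
# Exact, case-sensitive line match so "admins" does not match "linux-admins".
is_member() {           # $1 = captured search output, $2 = group name
    group_names "$1" | grep -qx -- "$2"
}

# Usage (prints the group count and names for the constructed sample):
count_groups "$SAMPLE_SEARCH_OUTPUT"
group_names "$SAMPLE_SEARCH_OUTPUT"
```

In a real script you would replace SAMPLE_SEARCH_OUTPUT with the captured output of your own vastool search command; only direct memberships are listed by memberOf, so nested group access still needs vastool user checkaccess.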
Search account/user by UNIX user/group ID and list all attributes if found:
Search objects the user “owns”:
Search a user's mobile/cellphone number:
Search users whose password never expires and show only the account names:
Search a group by group name and list all info. Searching groups is essentially done with the same sAMAccountName attribute as searching for users:
Search a group and display all group members:
Note that the first line of the search result is the group DN, just as the user search a few blocks above starts with the account DN.
List an object's attribute(s). This is somewhat similar to vastool search, but I guess you are limited to showing the attributes of a single object and cannot run advanced LDAP search queries.
Get GROUP attributes
Get USER attributes
Get COMPUTER attributes (you must know the DN)
List users or groups and their attributes.
List Unix-enabled users and groups. Without the -l option your query runs against the local cache only and might not reflect very recent changes. Because it queries the local cache, you do not need any credentials for this query.
List all users or groups, including the ones that are not Unix-enabled, i.e. that do not have a user/group ID defined in AD. The -a option lists non-Unix-enabled users too, but it only seems to work together with the -l option. Be careful with -al in large environments: it is slow and may return hundreds of thousands of lines.
List users allowed to log in... or denied. The -l option is not supported here. The -a option should also show non-Unix-enabled users who, e.g. through group membership, should have access to your host (or not, with users-denied). I have not tested it, but if it works it is a good way to detect login issues such as a user having group access while someone forgot to Unix-enable the account. Note that the users-denied query might return thousands of results in large environments, but as it runs against the local cache it is pretty fast.
User account tools. Useful for managing users, including checking whether a user is allowed to log in and which configuration (e.g. AD group membership) grants the access.
Check whether a user is allowed to log in and, if so, what grants it, with a sample response:
Hint: vastool user checkaccess johndoe is the same as sssctl user-checks johndoe if you are using SSSD.
Manage entries in a keytab. Useful for listing, adding and removing principals in a keytab.
List keytab principals. If you do not specify a keytab file with the -k option, you get the principal list from the host's default keytab:
Add the host FQDN as an alias of the short name in the keytab. This is very useful for getting logins with a Kerberos ticket to work. If you have any CNAMEs in DNS for the host, you need to add them as aliases to the host keytab and to the (multi-valued) servicePrincipalName attribute in LDAP, otherwise a client that resolves the CNAME asks the KDC for a service ticket for a principal the host cannot decrypt:
Modify group membership: add/remove accounts and computer objects to/from groups.
Add localhost to an LDAP group:
Delete a user, group, computer, service or AD object.
Delete a computer object, with sample output:
Create a user, group, computer, or service object in AD.
Create a computer object in the LDAP container/path with DN “OU=Servers,DC=example,DC=com”, with sample output:
Change your password, or set another user’s password
Reset the computer object password and generate the host keytab, with sample output. This lets you join other hosts in a centralized way without spreading credentials: it generates a new keytab with a random password, so the only secret that ever reaches the target host is that host's own keytab.
View information about the operating environment
Generate a Kerberos config file with vastool info toconf:
Get the value of a configuration setting. Useful to verify the contents of the vasd config file /etc/opt/quest/vas/vas.conf and then modify it with vastool configure if needed.
Inspect the vasd configuration. Below are commands to inspect different configuration parameters in the vasd section:
Update configuration files to use the QAS components
Configure PAM. It is not needed after a join, as it is executed automatically as part of the join process (but you can skip it during joining):
Configure NSS. This adds vas to the list of passwd and group services. It is not needed after a join, as it is executed automatically as part of the join process (but you can skip it during joining):
Configure vas. This allows you to set the main vasd configuration parameters online, without editing vas.conf manually and restarting the service. A good way to learn about the different configuration parameters is man vas.conf.
vastool configure vas vas_auth perm-disconnected-users: the list of groups or users able to log in even if the AD connection is lost, separated by spaces. Keep it short, since everyone on it can authenticate against cached credentials with no domain controller involved.
vastool configure vas vasd perm-disconnected-update: minutes between updates of the cached users' credentials.
vastool configure vas vasd timesync-interval: hours between time syncs. Setting it to -1 makes timesync run every 30 seconds, and setting it to 0 disables timesync by vasd, which is what you want if ntpd or chrony already keeps your clock in sync.
vastool configure vas vasd user-search-path: set this to your users OU as precisely as you can, because by default the entire AD domain is searched, and limiting the scope improves performance, especially in large environments. Multiple search paths are configured the same way, separated with semicolons.
vastool configure vas vasd group-search-path: the same for groups; set this to your groups OU as precisely as you can, because by default the entire AD domain is searched, and limiting the scope improves performance, especially in large environments. Multiple search paths are configured the same way, separated with semicolons.
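Both vastool inspect and vastool configure vas above act on /etc/opt/quest/vas/vas.conf. As an added example (not from the original page and not One Identity's code), here is a small POSIX shell reader that pulls a value out of a vas.conf fragment the way vastool inspect section/key does, plus a check for the one conflict the page warns about: vasd still adjusting the clock on a host where chronyd or ntpd owns time sync. The fragment is constructed; the section and key names are the ones the page gives, while the OUs, the group and the user name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). A minimal vas.conf reader and a
# timesync sanity check. The config fragment is constructed sample data; the
# [vas_auth]/[vasd] section and key names come from the page, everything else
# (OUs, group and user names, interval values) is an assumption.

SAMPLE_VAS_CONF='[vas_auth]
# users/groups that may log in from the local cache while AD is unreachable
perm-disconnected-users = linux-admins johndoe

[vasd]
perm-disconnected-update = 30
timesync-interval = 2
user-search-path = OU=Users,DC=example,DC=com;OU=ServiceAccounts,DC=example,DC=com
group-search-path = OU=Groups,DC=example,DC=com'

# The corrected fragment for a host where chronyd/ntpd keeps time: the page
# says 0 disables vasd timesync. Derived from the sample with a one-line sed.
FIXED_VAS_CONF=$(printf '%s\n' "$SAMPLE_VAS_CONF" | sed 's/^timesync-interval = .*/timesync-interval = 0/')

# vasconf_get <conf text> <section> <key>: print the value, or nothing if unset.
# Accepts "key = value" and "key=value", skips # and ; comments, only looks
# inside the requested [section], and splits on the FIRST "=" so DN values
# such as "OU=Users,DC=example,DC=com" survive intact.
vasconf_get() {
    printf '%s\n' "$1" | awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/^[ \t]*\[/, ""); gsub(/][ \t]*$/, ""); sec = $0; next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want_key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }'
}

# Split a ";"-separated search path (user-search-path/group-search-path)
# into one DN per line.
search_paths() {        # $1 = raw value
    printf '%s\n' "$1" | tr ';' '\n'
}

# Exit 0 when vasd would still touch the clock: any value other than 0 means
# timesync runs (-1 even every 30 seconds). An unset key is treated as "runs".
vasd_timesync_enabled() {   # $1 = conf text
    interval=$(vasconf_get "$1" vasd timesync-interval)
    [ "${interval:-unset}" != "0" ]
}

# Usage: report the settings from the constructed sample.
vasconf_get "$SAMPLE_VAS_CONF" vas_auth perm-disconnected-users
search_paths "$(vasconf_get "$SAMPLE_VAS_CONF" vasd user-search-path)"
if vasd_timesync_enabled "$SAMPLE_VAS_CONF"; then
    echo "vasd timesync is on; set timesync-interval = 0 if chronyd/ntpd runs here"
fi
```

On a real host you would feed it the contents of /etc/opt/quest/vas/vas.conf, but vastool inspect remains the authoritative reader, since it also knows vasd's built-in defaults for keys that are not present in the file.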
Set object attribute(s)
Add a servicePrincipalName to a computer object. This is quite useful if you have CNAMEs defined for your host and want Kerberos to work with them. Note that servicePrincipalName is a multi-valued attribute, so when you add a new value you must also specify the existing ones, which you can retrieve with the attrs command; otherwise the existing SPNs are lost:
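The CNAME/SPN bookkeeping described under vastool ktutil and here, as an added example that is not part of the original page or of One Identity's tooling: given the servicePrincipalName values a computer object already has and the DNS names clients may use for it, work out which host/<name> SPNs are missing and build the complete list that a replace-style update must be given so nothing existing is dropped. The existing SPN list is constructed sample data and the CNAMEs are assumptions; the exact vastool setattrs invocation is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original page). Computes the SPN delta for a host
# reachable under several DNS names. EXISTING_SPNS stands in for what
# `vastool attrs` would show for servicePrincipalName (constructed sample);
# the host and CNAME names are assumptions.

EXISTING_SPNS='host/web01
host/web01.example.com'

CNAMES='www.example.com intranet.example.com'

# Print the SPNs a host reachable under these names needs, one per line:
# host/<short>, host/<fqdn>, then host/<cname> for every CNAME.
required_spns() {       # $1 = short hostname, $2 = FQDN, $3 = space-separated CNAMEs
    printf 'host/%s\n' "$1" "$2"
    for alias in $3; do
        printf 'host/%s\n' "$alias"
    done
}

# Print the required SPNs that are not yet on the object. SPNs are compared
# case-insensitively (AD treats them that way) and as whole lines, so
# host/web01 does not count as covering host/web01.example.com.
missing_spns() {        # $1 = existing SPNs (newline-separated), $2 = required SPNs
    printf '%s\n' "$2" | tr 'A-Z' 'a-z' | while IFS= read -r spn; do
        printf '%s\n' "$1" | tr 'A-Z' 'a-z' | grep -qx -- "$spn" || printf '%s\n' "$spn"
    done
}

# Merged, de-duplicated list: this is what a replace-style setattrs of the
# multi-valued attribute must receive, existing values included.
merged_spns() {         # $1 = existing SPNs, $2 = required SPNs
    printf '%s\n%s\n' "$1" "$2" | tr 'A-Z' 'a-z' | sort -u
}

# Usage with the constructed data: show what is missing, then the full set.
REQUIRED=$(required_spns web01 web01.example.com "$CNAMES")
echo "missing:"; missing_spns "$EXISTING_SPNS" "$REQUIRED"
echo "full list to write back:"; merged_spns "$EXISTING_SPNS" "$REQUIRED"
```

Run the same check after the update (with the new attrs output as EXISTING_SPNS) and expect an empty missing list; remember the keytab side too, since an SPN in AD without a matching keytab entry still breaks ticket-based logins through that name.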
Manage daemons. This is just a wrapper for the service command, and you can use it to manage other daemons too, not only the QAS-related ones such as vasd. This is potentially a security issue: anyone allowed to run vastool service with elevated privileges (e.g. through sudo) can control every service on the host, not just vasd.
Although the help suggests that you can run only the start/stop/status actions against daemons like vasd and ipmon, you can run all actions supported by the service command against all daemons:
Authenticate a user to a service and optionally extract Kerberos authentication data. The command must be run as a user that has access to the service principal's corresponding keytab file.
As I have not used this command enough to provide usage examples, better turn to some other cheat-sheet for examples, or run man vastool and scroll/search to “vastool auth”. It has a pretty good explanation of what it does, along with examples.
Check to see if a given user is an Active Directory user.
A few examples:
-p prints the same info as you get with getent passwd.
Obtain and cache tickets.
You can either authenticate with password:
Or authenticate with keytab:
To verify that you got a ticket, use vastool klist, shown below.
List Kerberos tickets stored in a user’s credentials cache.
If you managed to authenticate successfully and get a ticket with vastool kinit, you can list your ticket cache as follows:
Delete tickets from a user’s credential cache.
It removes your ticket cache file along with the tickets inside it. An example would be useless.
View currently installed licenses or add new ones.
Feel free to run it to see the license info. It also reports how many Unix-enabled users are in use.
If you found this useful, say thanks, click on some banners or donate; I can always use some beer money.
If you would like to learn vi/vim macros, how to use tabs, or 30+ copy-paste buffers instead of just one, look at my vi & vim cheat-sheet.