Is it the Vintela authentication system, the Quest authentication system, Dell, Quest again, One Identity or Safeguard Authentication Service? I think it depends on which version you run and/or when you started using it. It is quite a mess for people who have used the software for the last 15+ years, but luckily the different versions have one thing in common: the vastool command-line utility, which is typically installed as /opt/quest/bin/vastool. I suggest verifying that /opt/quest/bin is in your PATH environment variable. This page may be too long to be a cheat-sheet, but you can always use search. In some places you will also find comparisons with the alternative AD/LDAP integration tool SSSD.
Basic stuff
vastool has a lot of sub-commands; you can see them just by running vastool without any parameters, as shown below. Some vastool sub-commands also have their own sub-sub-commands.
You can always specify user and password in a vastool command with -u username and -w password, but you can also use the principal host/ if your host is already joined to AD.
NB! Use the links in the main vastool usage info below to jump to the relevant command. If there is no link, it is not covered, at least not yet.
# /opt/quest/bin/vastool
Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED.
Protected by U.S. Patent Nos. 7,617,501, 7,895,332, 7,904,949, 8,086,710, 8,087,075, 8,245,242. Patents pending.
Usage: vastool [-vsq] [-h [command]] [-u username] [-w password] [-k filename] [-d integer] [-e integer] command [args]
-h [command] Display this message, or help for a given command
-v Display vastool version and exit
-u username User or principal to perform commands as (Default is to use the current user)
-w password Password used to authenticate (Default is to prompt for password)
-k filename Keytab used to authenticate
-s Read passwords from stdin
-d integer Debug verbosity level 0-6 (Default is 0)
-e integer Error verbosity level 0-9 (Default is 4)
-q Silence output to stdout
Available commands:
auth: Auth tools
attrs: List an objects attribute(s)
configure: Update configuration files to use the QAS components
create: Create a user, group, computer, or service object in AD
daemon: Start, stop or restart a daemon
delete: Delete a user, group, computer, service or AD object
flush: Flush cached client daemon information
group: Modify group membership
info: View information about the operating environment
inspect: Get the value of a configuration setting
isvas: Check to see if a given user or group belongs to QAS
join: Join the computer to the domain
kinit: Obtains and caches tickets
kdestroy: Destroys all cached tickets
klist: Show credentials cache
ktutil: Manage entries in a keytab
license: View currently installed licenses
list: List users or groups and their attributes
load: Import users and groups from a file
merge: Merge QAS users and groups into /etc/passwd and /etc/group
nss: Execute NSS functions
otp: Configure two-factor authentication using Defender
passwd: Change your password, or set another user's password
schema: Detect and show supported schemas
search: Perform LDAP searches
service: Manage service principals
setattrs: Set object attribute(s)
smartcard: Manage smartcard authentication
status: View status about the operating environment
timesync: Synchronize the system clock with an SNTP server
unconfigure: Update configuration files to not use the QAS components
unjoin: Remove the local computer from the domain
unmerge: Remove QAS users and groups from /etc/passwd and /etc/group
user: User account tools
If you need help for a specific vastool command you can run it with -h command, e.g. vastool -h status, but it does not work with all commands (like inspect).
vastool status
View status about the operating environment. Really useful to see what is going on, e.g. whether you are joined and so on.
# vastool -h status
Usage: vastool status [-vqc]
-v Verbose output
-q Quick check
-c CSV output
Show basic status information
# vastool status
Host: <host01, Linux x86_64>
Date: <Fri Dec 4 10:31:57 CET 2018>
QAS: <4.1.5.23233>
Domain: <example.com>
INFO: SELinux enabled (Enforcing)
Result: <No tests failed> (2 seconds)(v0.7.8)
vastool flush
Flush cached client daemon information. Run it to avoid anomalies after config changes. You can flush a specific cache by naming it, or all caches if you omit the command.
# vastool -h flush
Usage: vastool flush [-rlx] [command]
Commands:
keytab
statedir
ccaches
accounts
auth
srvinfo
users
groups
netgroup
ns
negcache
pwdpolicies [domain1 domain2 ...]
-r Don't reload the caches after flushing them
-l Reload caches even if vasd isn't running (Deprecated)
-x Used with auth, only clear expired password hashes from authcache
Flush all caches:
# vastool flush
Caching Users ... OK
Mapping mapped users ... OK
Processing user overrides ... OK
Caching Groups ... OK
Caching Nested Memberships ... OK
Processing group overrides ... OK
Caching Srvinfo ... OK
Caching Netgroups ... OK
Clearing Negative Cache ... OK
Hint: vastool flush is the same as sss_cache -E if you are using SSSD.
vastool join
Join the computer to the domain. Joining the domain can be done with username/password or with a username and a pre-generated keytab. The username must have join/write privileges in AD, so I suggest generating a keytab instead of using a password and safeguarding the keytab as much as possible. Deleting the keytab from the host right after joining is a good idea, as are regular password changes along with keytab re-generation. It is also possible to implement a centralized joining solution so that the host being joined never sees the credentials and just gets the host keytab.
# Usage: vastool join [-flwUG] [-h string] [-n computer] [-c container] [-r string] [-u string] [-g string] [-s string] [-p string] [--skip-config] [--preload-nested-memberships] [--site-only-usn] [--site-only-servers] [--no-timesync] [--autogen-posix-attrs] domain_name [domain_controllers]
-n computer Specify name of computer object
-c container LDAP DN of the container where the computer will be created
-f Overwrite existing computer object
-l Don't apply Group Policy Settings (if Group Policy is installed)
-w Enable workstation mode - users will not be cached until they login
-U Load all users from the global catalog
-G Load all groups from the global catalog
-r string Comma-separated list of cross forest domains (cross-forest-domains)
-u string Specify an alternate search path from which to populate the users cache
-g string Specify an alternate search path from which to populate the groups caches
-s string Specify the site name for this machine
-p string Specify the path of the Primary Personality Container
--skip-config Skip automatic configuration of PAM, NSS, LAM and SIA
--preload-nested-memberships After loading users and/or groups, query tokenGroups for all cached users. NOTE: This is deprecated, the default is enabled
--site-only-usn Deprecated, use the "--site-only-servers" option.
--site-only-servers Restricts all LDAP searches to servers in this machine's site (no out of site failover).
--no-timesync Skip automatic time synchronization
--autogen-posix-attrs Automatically generate POSIX IDs for Active Directory users
Join host to domain. The command below will join the host to domain example.com and create the computer object in the LDAP container/path with DN "OU=Servers,DC=example,DC=com".
# vastool -u adminuser -k admin.user.keytab join -n host01 -c 'OU=Servers,DC=example,DC=com' example.com
"Join" host to domain with a pre-generated keytab. Useful with a centralized joining solution where you actually perform most of the joining actions (create the computer object in AD, generate the host keytab, add SPNs) on a different server. This also means that you don't need to have high-privilege credentials (for AD modifications) on the target host. Generally this kind of "joining" means only that vastool will generate the configuration file vas.conf and configure nsswitch and pam.
# vastool -u host/ -k pre-generated-host.keytab join -f -n host01.example.com
Same as the previous, but defining a site and static domain controllers for an already joined host. This is useful when you move the host to a network where domain controllers can't be located with a DNS lookup (SRV record query) and might also be read-only.
# vastool -u host/ -k pre-generated-host.keytab join -f -n host01.example.com -s READ-ONLY-SITE example.com dc1.example.com dc2.example.com
As in the previous example, this command will also just generate vas.conf and do the nsswitch/pam configuration. It will add the following to vas.conf (in addition to the previous config, if the domain remains the same):
.....
[libvas]
site-name-override = READ-ONLY-SITE
use-dns-srv = false
[realms]
EXAMPLE.COM = {
kdc = dc1.example.com dc2.example.com
kpasswd_server = dc1.example.com dc2.example.com
}
.....
So if you don’t want to run command above, you could just add manually this content to vas.conf and restart the vasd.service assuming nsswitch and pam are already configured.
vastool unjoin
Remove the local computer from the domain. Removes the computer object and disconnects from the domain. Also useful to run at the beginning of re-joining if needed.
# vastool -h unjoin
Usage: vastool unjoin [-fl] [-n computer] [--skip-config]
-f Force unjoin if computer object does not exist
-l Leave the computer object in AD after an unjoin
-n computer Name of computer object
--skip-config Skip automatic unconfiguration of PAM, NSS, LAM and SIA
Unjoin localhost from domain
# vastool -u adminuser -k admin.user.keytab unjoin
vastool search
Perform LDAP searches. You can search by any attribute and filter the attributes you need in the result. The only limitation is your LDAP query writing skill.
# vastool -h search
Usage: vastool search [-aq] [-s searchScope] [-b searchBase] [-h hostname] [-p port] [-U uri] [--binary-string] {filter} [attributes...]
-s searchScope Search scope: base, one, or sub
-b searchBase Base DN to perform search from
-h hostname Server name to perform search against
-p port Port to connect to
-a Perform anonymous bind
-U uri URI of server name to perform search against
-q Quiet output -- attribute names not printed
--binary-string Convert known binary values into string formats (SID, objectGUID)
Searching user/account attributes; if the account is found, all attributes are listed:
# vastool -u host/ search 'samaccountname=johndoe'
Search account/user group memberships; displays only the memberOf attributes:
# vastool -u host/ search 'samaccountname=johndoe' memberof
Note that the first line in the search result is the account DN, so if you need to count the number of groups the user belongs to, you can send the result through wc and subtract one, or just pipe it through grep like this:
# vastool -u host/ search 'samaccountname=johndoe' memberof|grep -iv "^dn:"|wc -l
Search account/user by UNIX USER/GROUP ID and list all attributes if found:
# vastool -u host/ search 'uidNumber=1000'
# vastool -u host/ search 'gidNumber=1000'
Search objects which the user is "owning":
# vastool -u host/ search 'samaccountname=johndoe' directReports
# vastool -u host/ search 'samaccountname=johndoe' managedObjects
Search user mobile / cellphone number
# vastool -u host/ search 'samaccountname=johndoe' mobile
Search users whose password never expires and output only the account names:
# vastool -u host/ search -q "(&(objectCategory=person)(useraccountcontrol>=65536)(useraccountcontrol<=131072))" samAccountname
Search group by group name and list all info. Essentially, searching groups is done by the same sAMAccountName attribute as searching for users.
# vastool -u host/ search 'samaccountname=usergroup77'
Search group and display all group members:
# vastool -u host/ search 'samaccountname=usergroup77' member
Note that the first line in the search result is the object DN, as in the user search a few blocks above.
Search user password expiration:
The following command searches user johndoe's password expiration date from LDAP and translates the Microsoft / LDAP large-integer date into a human-readable format. Originally this date is the number of 100-nanosecond intervals since Jan 1, 1601 UTC. The script below discards 7 digits from the end of the value, which represent the fraction of a second.
FIELD="msDS-UserPasswordExpiryTimeComputed"; USER="johndoe"; LDAP_TIME=$(sudo vastool -u host/ search "samaccountname=${USER}" ${FIELD}|grep -i "^${FIELD}:"|cut -d' ' -f2) && sec=${LDAP_TIME:0:-7}; date '+%d.%b.%Y %T' --date="1601-01-01 00:00:00 UTC + ${sec} seconds"
Check whether a user account is locked out:
The following command checks whether the johndoe account is locked out or not. The lockoutTime attribute is 0 when the account is not locked and contains a timestamp if it is locked.
FIELD="lockoutTime"; USER="johndoe"; LDAP_TIME=$(sudo vastool -u host/ search "samaccountname=${USER}" ${FIELD}|grep -i "^${FIELD}:"|cut -d' ' -f2) && if [ "${LDAP_TIME:-0}" -eq 0 ]; then echo "Account is unlocked"; else echo -n "Account locked at "; sec=${LDAP_TIME:0:-7}; date '+%d.%b.%Y %T' --date="1601-01-01 00:00:00 UTC + ${sec} seconds"; fi
Search when the user's password was last changed (the pwdLastSet attribute):
FIELD="pwdLastSet"; USER="johndoe"; LDAP_TIME=$(sudo vastool -u host/ search "samaccountname=${USER}" ${FIELD}|grep -i "^${FIELD}:"|cut -d' ' -f2) && sec=${LDAP_TIME:0:-7}; date '+%d.%b.%Y %T' --date="1601-01-01 00:00:00 UTC + ${sec} seconds"
In a similar fashion you can convert any MS AD timestamp to a human-readable format; just replace the user and field names in the commands above.
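A generalization of the three one-liners above, as an added shell example that is not from the original page: it converts any AD large-integer timestamp to Unix epoch seconds, handles the 0 and 9223372036854775807 sentinels (not set / never expires) that the one-liners would turn into nonsense dates, and extracts attribute values from vastool search output with an anchored, case-insensitive match. The sample output is constructed; GNU date is assumed only by ad_filetime_to_date.

```shell
#!/bin/sh
# Added example, not code from the original page or from One Identity.
# Converts AD/LDAP large-integer timestamps (100-ns intervals since 1601-01-01 UTC)
# to Unix epoch seconds and pulls them out of vastool search output. Unlike the
# one-liners above it handles the two sentinel values: 0 (never set / not locked)
# and 9223372036854775807 (password never expires). Needs a POSIX sh with 64-bit
# arithmetic (bash, dash); GNU date is assumed only by ad_filetime_to_date.

AD_EPOCH_OFFSET=11644473600            # seconds from 1601-01-01 to 1970-01-01
AD_NEVER=9223372036854775807           # 2^63-1, AD's "never expires" marker

# Usage: ad_filetime_to_epoch <filetime>
# Prints epoch seconds, or "not-set" / "never" for the sentinels; returns 1 on bad input.
ad_filetime_to_epoch() {
    ft="$1"
    case "$ft" in
        ''|*[!0-9]*) echo "invalid filetime: '$ft'" >&2; return 1 ;;
    esac
    if [ "$ft" = "$AD_NEVER" ]; then echo "never"; return 0; fi
    if [ "$ft" -eq 0 ]; then echo "not-set"; return 0; fi
    # Integer division drops the 7 fractional-second digits, like ${LDAP_TIME:0:-7} above.
    echo $(( ft / 10000000 - AD_EPOCH_OFFSET ))
}

# Usage: ad_filetime_to_date <filetime>  (GNU date; prints the sentinels unchanged)
ad_filetime_to_date() {
    ep=$(ad_filetime_to_epoch "$1") || return 1
    case "$ep" in
        not-set|never) echo "$ep" ;;
        *) date -u -d "@$ep" '+%d.%b.%Y %T' ;;
    esac
}

# Usage: printf '%s\n' "$output" | vastool_attr <attribute>
# Prints the first value of <attribute>. The match is anchored to "name: " and
# case-insensitive, because a bare grep on the attribute name would also match
# the dn: line or any attribute that merely contains the name as a substring.
vastool_attr() {
    grep -i "^$1: " | head -n 1 | cut -d' ' -f2-
}

# Usage: ad_attr_epoch <attribute> <vastool output text>
ad_attr_epoch() {
    v=$(printf '%s\n' "$2" | vastool_attr "$1")
    [ -n "$v" ] || { echo "missing"; return 1; }
    ad_filetime_to_epoch "$v"
}

# Constructed sample of what `vastool -u host/ search 'samaccountname=johndoe' <attrs>`
# prints (the attribute values are made up).
SAMPLE_OUTPUT='dn: CN=johndoe,OU=unix,DC=example,DC=com
pwdLastSet: 132513760000000000
msDS-UserPasswordExpiryTimeComputed: 9223372036854775807
lockoutTime: 0'

# Usage: account_report <vastool output text>  -- the three checks of this section in one go.
account_report() {
    out="$1"
    printf 'password last set: %s\n' "$(ad_attr_epoch pwdLastSet "$out" || true)"
    printf 'password expires:  %s\n' "$(ad_attr_epoch msDS-UserPasswordExpiryTimeComputed "$out" || true)"
    lt=$(ad_attr_epoch lockoutTime "$out" || true)
    case "$lt" in
        not-set|missing) printf 'lockout: account is unlocked\n' ;;
        *) printf 'lockout: locked since epoch %s\n' "$lt" ;;
    esac
}

account_report "$SAMPLE_OUTPUT"
```

Pipe real output into it with `vastool -u host/ search 'samaccountname=johndoe' pwdLastSet msDS-UserPasswordExpiryTimeComputed lockoutTime | ...` captured into a variable and passed to account_report.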
vastool attrs
List an object's attribute(s). This is a bit similar to vastool search, but I guess that you are limited to showing attributes only for one object and can't run any advanced LDAP search queries.
# vastool -h attrs
Usage: vastool attrs [-dgsucqb] [-U uri] {objectname} [attribute...]
-d Interpret the objectname as an LDAP DN
-g Interpret the objectname as a group name
-s Interpret the objectname as a Kerberos service principal name
-u Interpret the objectname as a user name
-c Get attributes from a Global Catalog
-U uri URI of server name to perform search against
-q Quiet output -- attribute names not printed
-b Convert known binary values into string formats (SID, objectGUID, sidHistory)
Get GROUP attributes
# vastool -u host/ attrs -g 'usergroup77'
Get USER attributes
# vastool -u host/ attrs -u 'johndoe'
Get COMPUTER attributes (must know DN)
# vastool -u host/ attrs -d 'CN=host01,OU=Servers,DC=example,DC=com'
Verify whether the host belongs to a group:
# vastool -u host/ attrs -g "<group name in AD>" member |grep "member: CN=host01"
vastool list
List users or groups and their attributes.
# vastool -h list
Usage: vastool list [-alcsptgnfuo] {command}
Commands:
users
users-allowed
users-denied
user {username}
groups
group {groupname}
netgroup {netgroup name}
netgroups
negcache
-a List all groups/users (including non-Unix enabled ones)
-l Bypass vasd cache and use ldap lookups
-c Read straight from cache without updating from Active Directory
-s Print the objectSid in the group output
-p Print primaryGroupID in the user output
-t Print primaryGroupToken in the group output
-g Print objectGUIDs associated with this object in the form <objectinfo>:<guid:posix_guid>
-n Print userAccountControl value in user output
-f Force vasd to update its cache
-u When used with a group, unroll the group's memberships
-o Process override information
List Unix-enabled users and groups. Without the -l option your query will be run against the local cache only and might not reflect very recent changes. As you query the local cache you don't need any credentials to run this query.
# vastool list users
# vastool list user johndoe
# vastool list groups
# vastool list group usergroup77
List all users or groups, including the ones which are not Unix-enabled, i.e. which do not have a user/group ID defined in AD. With the -a option you can list non-Unix-enabled users too, but this only seems to work together with the -l option. Be careful when using -al in large environments, as it is slow and might result in hundreds of thousands of lines of output.
# vastool -u host/ list -al users
# vastool -u host/ list -al groups
List users allowed to log in, or denied. The -l option is not supported here. The -a option should also show you non-Unix-enabled users which, e.g. through group membership, should have access to your host (or not, with users-denied). I have not tested it, but if it works it is a good way to detect login issues such as a user having group access but someone forgot to Unix-enable the user's account. Note that the users-denied query might have thousands of results in large environments, but as it runs against the local cache it is pretty fast.
# /opt/quest/bin/vastool list users-allowed
# /opt/quest/bin/vastool list -a users-allowed
# /opt/quest/bin/vastool list users-denied
# /opt/quest/bin/vastool list -a users-denied
vastool user
User account tools. Useful for managing users, including checking whether a user is allowed to log in and what configuration (e.g. AD group membership) grants the access.
# vastool -h user
Usage: vastool user {command}
Commands:
[-d] disable {user}
checklogin [-s service] {user}
[-d] enable {user}
checkaccess [-s service] [-w password (for disconnected auth emulation)] {user}
checkconflict {user}
[-d] getgroups [-lps] {user}
-d [dn] Specify user as a distinguishedName
-s [service] checklogin/checkaccess: Specify service for access
-s getgroups: Include the sid in output
-l Query LDAP directly
-p Output 1 group per line
Check whether a user is allowed to log in and, if so, what grants it, with sample response:
# vastool user checkaccess johndoe
ALLOWED [user=johndoe] [service=(any)]
Access Rule = [Allow Group - EXAMPLE.COM\usergroup77 (users.allow)]
Hint: vastool user checkaccess johndoe is the same as sssctl user-checks johndoe if you are using SSSD.
vastool ktutil
Manage entries in a keytab. Useful for listing, adding and removing principals in keytab.
# vastool -h ktutil
Usage: vastool ktutil [-k keytab_name ] [-v] {command}
Commands:
alias {principal} {alias}
list [--keys] [--timestamp]
remove {-p principal} [-V kvno] [-e enc_type]
-k keytab_name Specify the keytab path
-v Display verbose output
--keys Include keys in output
--timestamp Include timestamp in output
-p principal Specify the principal to remove
-V kvno Specify the kvno to remove
-e enc_type Specify the enc_type to remove
List keytab principals. If you don't specify the keytab file with the -k option, you get the principal list from the host's default keytab.
# vastool ktutil list
# vastool ktutil -k /etc/opt/quest/vas/host.keytab list
Add the host FQDN as an alias to the short name in the keytab. This is very useful to get login with a Kerberos ticket working. If you have any CNAMEs in DNS for the host, you need to add them as aliases to the host keytab and to the servicePrincipalName (multi-valued) attribute in LDAP.
# vastool ktutil -k /root/host01.example.com.keytab alias host01@EXAMPLE.COM host/host01.example.com
vastool group
Modify group membership. Adding/removing accounts and computer objects to/from groups.
# vastool -h group
Usage: vastool group [-s] [-f file] {group_name} {command}
Commands:
add {user...}
del {user...}
hasmember {user...}
-s Read user names from stdin
-f file Read user names from a file
Add localhost to an LDAP group:
# vastool -u adminuser -k admin.user.keytab group "Linux Servers" add host/$(hostname)
vastool delete
Delete a user, group, computer, service or AD object.
# vastool -h delete
Usage: vastool delete {command}
Commands:
[--delete-tree] user {user name}
[--delete-tree] group {group name}
[--delete-tree] computer {computer name}
[--delete-tree] dn {distinguishedName}
[--delete-tree] -g {group name}
[--delete-tree] -d {distinguishedName}
--delete-tree Enable LDAP_SERVER_TREE_DELETE_OID control to delete all children of object (Use with caution)
Delete a computer object, with sample output:
# vastool -u adminuser -k admin.user.keytab delete computer host01
Successfully deleted computer host01.
vastool create
Create a user, group, computer, or service object in AD.
# vastool -h create
Usage: vastool create {command}
Commands:
[-eSx] [-c container] [-p password] [-i name:x:uid:gid:gecos:homedir:shell] [-d name] user {userName} [alternate-upn]
[-e] [-c container] [-i name:x:gid:user_list] [-t grouptype] [-s samacc] group {groupName}
[-o] [-c container] [-p password] computer {computerName}
-c container LDAP DN of the container where the object will be created
-d name Display Name of user to create
-e Unix-enable an existing user/group only, -i flag and passwd/group info required
-i info passwd/group style string, will unix enable if creating user/group
-o Create computer object only, don't attempt to join it
-p password Password for created user or computer
-s samacc sAMAccountName of group to create
-S Read the new user's password from stdin
-t grouptype Created group type: "universal", "domain_local", "global" (Default)
-x Don't make user change password during initial login
Create a computer object in the LDAP container/path with DN "OU=Servers,DC=example,DC=com", with sample output:
# vastool -u adminuser -k admin.user.keytab create -c "OU=Servers,DC=example,DC=com" -o computer host01
Computer host01 created at 'OU=Servers,DC=example,DC=com'
vastool passwd
Change your password, or set another user’s password
# vastool -h passwd
Usage: vastool passwd [-bBcropxe] [-k filename] [principal_name]
-b Bypass the VASD auth daemon when running the passwd command.
-B Use the VASD auth daemon when running the passwd command.
-c Set a user's cached password (not valid with other options)
-k filename Save the new password in a keytab
-r Use random password value (requires -k or -o)
-o Output new password value to stdout (needed with -r if not using -k)
-p Direct the password change to the PDC
-x Password must be changed at next login
-e Generate DES keys in keytab
Reset the computer object password and generate a host keytab, with sample output. This allows you to join other hosts in a centralized way without having to spread credentials. It generates a new keytab with a random password.
# vastool -u adminuser -k admin.user.keytab passwd -rk /root/host01.example.com.keytab host01
adminuser@EXAMPLE.COM setting password for host01@EXAMPLE.COM...
Saving new key in keytab file: /root/host01.example.com.keytab
Password for host01@EXAMPLE.COM was successfully set
vastool info
View information about the operating environment
# vastool -h info
Usage: vastool info {command}
Commands:
id [-d dn] [-g group] [-s service] [-u user]
site
domain
domain-dn
forest-root
forest-root-dn
domains
domains-dn
filelocks
servers [-b] [-s site] [-d domain] [-t type]
toconf {file}
adsecurity [-d domain] [-u user]
acl [-f]
cldap {server}
ipv6
processes
-d dn Specify the DN of the object being queried
-g group Specify the group name to query
-s service Specify the service name to query
-u user Specify the user name to query servers
-s site Specify the site to query for servers
-d domain Specify the domain to query for servers
-t type Specify the type (DC, PDC, or GC)
-u username Find the specific password policy that applies to this user
-d domain List all password policies in the specified domain
-f Force unrolling all Access Control groups
-b Bypass vasd, do the cache/DNS queries directly
Generate a Kerberos config file with vastool info toconf:
# vastool -u host/ info toconf ./krb5.conf
vastool inspect
Get the value of a configuration setting. Useful to verify the contents of the vasd config file /etc/opt/quest/vas/vas.conf and then modify it with vastool configure if needed.
# Usage: vastool inspect {section} {setting}
Inspect vasd configuration. Below are commands to inspect different configuration parameters in the vasd section.
# vastool inspect vasd timesync-interval
# vastool inspect vasd cross-forest-domains
# vastool inspect vasd user-search-path
# vastool inspect vasd group-search-path
vastool configure
Update configuration files to use the QAS components
# vastool -h configure
Usage: vastool configure [-f file] {command}
Commands:
realm {realm} [servers...]
extra-realm {realm} {servers...}
ad [-d domain] [parent container DN]
nss
pam [service...]
vas {section} {key} [value]
vas {section} stanza { {stanza_name} [ [key=value]... ] }...
vas remove {section}
mit
sudo [-V visudo] [-f sudoers]
-f file Specify an alternate file to modify. Defaults to /etc/opt/quest/vas/vas.conf.
Configure PAM. It is not needed to run it after join, as it is executed automatically within the join process (but you can skip it during joining).
# vastool configure pam
Configure NSS. This adds vas to the list of passwd and group services. It is not needed to run it after join, as it is executed automatically within the join process (but you can skip it during joining).
# vastool configure nss
Configure vas. This allows configuring the main vasd configuration parameters online, without manually editing vas.conf and restarting the service. A good way to learn about the different configuration parameters is man vas.conf.
vastool configure vas vas_auth perm-disconnected-users: list of groups or users able to log in even if the AD connection is lost, separated by spaces.
# vastool configure vas vas_auth perm-disconnected-users bob johndoe usergroup77
vastool configure vas vasd perm-disconnected-update: minutes between updates of cached user credentials.
# vastool configure vas vasd perm-disconnected-update
vastool configure vas vasd timesync-interval: hours between time syncs. Setting it to -1 makes timesync run every 30 seconds and setting it to 0 disables timesync by vasd, which is useful if you use ntpd or chrony to sync your time.
# vastool configure vas vasd timesync-interval 0
vastool configure vas vasd user-search-path: set this to your users' OU as narrowly as you can, because by default the entire AD domain is searched and limiting the scope increases performance, especially in large environments. Configure multiple search paths the same way, just separate them with a semicolon.
# vastool configure vas vasd user-search-path "OU=unix,DC=example,DC=com; OU=unix,DC=sub,DC=example,DC=com"
vastool configure vas vasd group-search-path: set this to your groups' OU as narrowly as you can, because by default the entire AD domain is searched and limiting the scope increases performance, especially in large environments. Configure multiple search paths the same way, just separate them with a semicolon.
# vastool configure vas vasd group-search-path "OU=unix,DC=example,DC=com; OU=unix,DC=sub,DC=example,DC=com"
vastool setattrs
Set object attribute(s)
# vastool -h setattrs
Usage: vastool setattrs [-dgsumrfi] [-U uri] {objectname} [attribute] [value]
-d Interpret the objectname as an LDAP DN
-g Interpret the objectname as a group name
-s Interpret the objectname as a Kerberos service principal name
-u Interpret the objectname as a user name
-m Set a multi-valued attribute. Arg format: [attr value...]
-r Remove the listed attributes. Arg format: [attr...]
-U uri URI of server name to perform search against
-f Objectname is the path of a file that contains DN's to modify
-i Read attribute value from stdin (invalid with -m and -r). Arg format: {attr}
Add a servicePrincipalName to the computer object. This is quite useful if you have CNAMEs defined for your host and you want Kerberos to work with them. Note that servicePrincipalName is a multi-valued attribute, and when you want to update it with a new value you should also specify the existing ones, which are retrievable with the attrs command.
# vastool -u adminuser -k admin.user.keytab setattrs -m host/ servicePrincipalName spn1 spn2 ... spnx
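The centralized join that the join, create, passwd, ktutil and setattrs sections describe piecewise, assembled into one two-stage script as an added example (this is not the page's or One Identity's code). Assumed: the join-privileged principal is called adminuser, as in the page's commands; setattrs is addressed with -d and the computer DN following its usage text (the page's own example uses host/ for the local host); DRY_RUN=1, the default, prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from the original page or from One Identity: the two-stage
# centralized join. Stage 1 runs on an admin host holding the admin keytab; stage 2 runs
# on the target host, which only ever receives its own host keytab, so high-privilege
# AD credentials never touch the machine being joined. DRY_RUN=1 (default) prints each
# command instead of executing it, so the plan can be reviewed before it is run for real.

VASTOOL="${VASTOOL:-/opt/quest/bin/vastool}"
ADMIN_USER="${ADMIN_USER:-adminuser}"      # assumed name of the join-privileged principal
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Stage 1 (admin host).
# Usage: admin_stage <short host name> <container DN> <REALM> <admin keytab> <host keytab to write>
admin_stage() {
    host="$1"; container="$2"; realm="$3"; admin_kt="$4"; host_kt="$5"
    fqdn="$host.$(printf '%s' "$realm" | tr 'A-Z' 'a-z')"
    # Create the computer object only (-o); the join itself happens on the target host.
    run "$VASTOOL" -u "$ADMIN_USER" -k "$admin_kt" create -c "$container" -o computer "$host"
    # Reset the computer password to a random value and save it straight into a keytab (-rk).
    run "$VASTOOL" -u "$ADMIN_USER" -k "$admin_kt" passwd -rk "$host_kt" "$host"
    # Alias the FQDN service principal to the short name so Kerberos logins to the FQDN work.
    run "$VASTOOL" ktutil -k "$host_kt" alias "$host@$realm" "host/$fqdn"
    # servicePrincipalName is multi-valued and -m sets the whole list: include every SPN to
    # keep (for an existing object, read them first with: attrs -d <DN> servicePrincipalName).
    # Addressing the object by DN with -d is assumed from the setattrs usage text.
    run "$VASTOOL" -u "$ADMIN_USER" -k "$admin_kt" setattrs -m -d "CN=$host,$container" \
        servicePrincipalName "host/$fqdn" "host/$host"
    # The keytab is a credential: root-only before it is shipped to the target host.
    [ "$DRY_RUN" = 1 ] || chmod 600 "$host_kt"
}

# Stage 2 (target host), after the host keytab has been copied there over an admin channel.
# Usage: host_stage <fqdn> <host keytab> [SITE domain dc1 dc2 ...]
# With SITE and explicit DCs, join writes site-name-override / use-dns-srv = false and a
# static kdc list into vas.conf (see the join section); without them DCs come from DNS SRV.
host_stage() {
    fqdn="$1"; host_kt="$2"; shift 2
    if [ $# -ge 2 ]; then
        site="$1"; domain="$2"; shift 2
        run "$VASTOOL" -u host/ -k "$host_kt" join -f -n "$fqdn" -s "$site" "$domain" "$@"
    else
        run "$VASTOOL" -u host/ -k "$host_kt" join -f -n "$fqdn"
    fi
    # Confirm the result: status should report the domain, ktutil the principals vasd holds.
    run "$VASTOOL" status
    run "$VASTOOL" ktutil list
}

# Dry-run plan for the page's example host (values are the page's examples, not real hosts).
admin_stage host01 'OU=Servers,DC=example,DC=com' EXAMPLE.COM /root/admin.user.keytab /root/host01.example.com.keytab
host_stage host01.example.com /root/host01.example.com.keytab READ-ONLY-SITE example.com dc1.example.com dc2.example.com
```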
vastool daemon
Manage daemons. This is just a wrapper for the service command. You can use it to manage other daemons too, not just the QAS-related ones like vasd. This could potentially also be a security issue.
# vastool -h daemon
Usage: vastool daemon (start | stop | restart) {daemon}
Although the help suggests that you can run only start/stop/restart actions against daemons like vasd and ipmon, you can run all actions supported by the service command against all daemons:
# vastool daemon restart vasd
Restarting vasd (via systemctl): [ OK ]
# vastool daemon restart sshd
Redirecting to /bin/systemctl restart sshd.service
# vastool daemon edit sshd
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
vastool auth
Authenticate a user to a service and optionally extract Kerberos authentication data. The command must be run as a user that has access to the service principal's corresponding keytab file.
# vastool -h auth
Usage: vastool auth [-ps] [-S service] [-k keytab] {command}
Commands:
member {group}
groups
dumppac
-S service Name of service (defaults to host/ if not specified)
-k keytab Path to service keytab
-p Print one group name per line
-s Print out groups sids
As I have not used this command so much that I could provide usage examples, better turn to some other cheat-sheet for examples or run man vastool and scroll/search to "vastool auth". It has a pretty good explanation of what it does, along with examples.
vastool isvas
Check to see if a given user is an Active Directory user.
# vastool -h isvas
Usage: vastool isvas [-fp] {user | group} {name}
-f Force immediate cache update
-p Print userinfo
A few examples:
# vastool isvas user myuser
myuser is a QAS user.
# vastool isvas user root
-p prints out the same info as you get with getent passwd.
vastool kinit
Obtains and caches tickets
# vastool -h kinit
Usage: vastool kinit [-R] [-S service_principal] [client_principal]
-S service_principal Get a ticket for a service other than krbtgt
-R requests renewal of the ticket-granting ticket.
You can either authenticate with password:
# vastool kinit myuser
Password for myuser@EXAMPLE.COM:
Or authenticate with keytab:
# vastool -k my.keytab kinit myuser
To verify that you got a ticket, use vastool klist shown below.
vastool klist
List Kerberos tickets stored in a user’s credentials cache.
# vastool -h klist
Usage: vastool klist [-vd] [-c cache]
-v verbose output
-c cache ticket cache to list
-d print b64 encoded ccache to stdout
If you managed to authenticate successfully and get a ticket with vastool kinit, you can list your ticket cache as follows:
# vastool klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: myuser@EXAMPLE.COM
Issued Expires Principal
Dec 22 14:35:10 Dec 23 00:35:10 krbtgt/EXAMPLE.COM@EXAMPLE.COM
vastool kdestroy
Delete tickets from a user’s credential cache.
# vastool -h kdestroy
Usage: vastool kdestroy
It drops your ticket cache file along with the tickets inside it. An example would be useless.
vastool license
View currently installed licenses or add new ones.
# vastool -h license
Usage: vastool license [-qisd] [optional command]
Commands:
add (unknown) (Add a license in the application configuration using a local license file)
-q Print out usage and license totals
-i Print out individual license information
-s Report if this is a site-licensed build
-d Search AD application configuration for licenses (requires root or AD credentials)
Feel free to run it to see license info. It also reports how many Unix-enabled users are in use.