Chat now with support
Chat with Support

Safeguard Authentication Services 4.2.3 - Release Notes

One Identity Authentication Services 4.2.3

One Identity Authentication Services 4.2.3

Release Notes

August 2020

These release notes provide information about the One Identity Authentication Services 4.2.3 release.

About this release

Authentication Services extends the capabilities of UNIX, Linux, and Mac systems to seamlessly and transparently join Active Directory and integrate Unix identities with Active Directory Windows accounts.

Authentication Services 4.2.3 is a minor release that includes:

  • SMB 3.1.1 support

  • Explicit mapping of users to valid certificates (smart card) (198067)

CAUTION: You must upgrade all Windows components on all Windows systems to Authentication Services 4.2.1 or higher before modifying the QAC (Quest Authentication Configuration) in Active Directory using Control Center from QAS 4.2.0 or higher. For more information, please see the KB Article 314330. This is related to issue 198991 (TFS 800254) that was resolved in QAS 4.2.1 and is identified in this release in Known issues.

New features

New features in Authentication Services 4.2.3:

  • SMB 3.1.1 support
    The user can use wireshark / tcpdump to verify that Authentication Services is operating with the highest level of security possible for an SMB connection.
  • Explicit mapping of users to valid certificates (smart card) (198067)
    Mapping certificates to users can be done implicitly or explicitly. Authentication Services supports mapping one cert to one user or mapping multiple certs to one user. Mapping one cert to multiple users is not supported.

See also:

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues
Resolved Issue DevOps Issue ID

TFS Issue ID

vgp: Added support for SMB 3.1.1. Increase the default smb-dialect-range from 1-2.0.2 to 1-3.1.1.

198127

804169

scripts: Added /etc/default/passwd to the snapshot script.

198153

806797

vastool: The join -c option will now auto-expand. For example:

/opt/quest/bin/vastool ... join ... -c ou=Unix,ou=Servers ... <domain> ...

is valid and will auto-fill in the joining domain's dn.

198163

806308

vgp: Fixed an issue with using SMB3 with the new heimdal library.

198166

804186

nss: Now, on initgroups_dyn calls, if it times out, try again.

198257

765022

docs: Clarified how the netgroup-mode setting works.

198298

738488

docs: Now mentions in man page that workstation-mode-users-preload needs an fqdn for cross forest domains.

198619

647672

api: Added gss_localname() to the exported symbols in libvas-gssapi.*.

198706

609864

vasd: Finished removal of groups-for-user-update-all-sids setting.

198845

308257

status: Added a test for the owner of /var/opt/quest/vas/vasd.

199524

794632

scripts: If deleted_check.sh is killed due to exceeding delusercheck-timeout, tmp files are cleaned up.

199534

799456

docs: Added reference to the ability to override a user's primary gid to user-override.sample.

199543

804383

vastool: If joining with delegated account permissions, the join is considered a success with notes, instead of a failure.

199552 806311

vastool: During join, msDS-SupportedEncryptionTypes is now set to 524319 to suppress cross forest sid compression for mixed forest levels.

199553

806313

status: Now, the system ignores test 402 if the UPN is empty, which iscommon for a delegated join. 199554

806318

vastool: Added better error message when running a flush without a valid license. 199555 806309

krb5: Fixed server referrals. This fixes joining 3+ domains away and cross forest logins.

199546,

199550

802683, 804855

smartcard: Added support for altSecurityIdentites mapping.

199717

806345

status: Added test for sshd_config DenyUsers AllowUsers DenyGroups AllowGroups settings.

199844

727882

vgp: Fixed segfault on HP-UX IA when using SMB 3+.

200925

none

nss: Fixed a segfault on Solaris under heavy usage with nscd.

200926

none

vastool: When override processing fails due to un-resolveable entries, a better message is returned.

215637

none

package: On freebsd, removed generated man files on uninstall.

218807

none

vasd: Finished removal of enable-nonroot-disconnected-cache setting.

218812

none

package: Added asn1 and gssapi _sym.h files to the vas-dev package.

218814

none

smartcard: Fixed the smart card authentication on RH 7.7 with SELinux enabled.

220524

none

vasd: Added better query for removing old srvinfo entries.

220988

none

smartcard: Fixed subsequent login issues on Redhat 7.7.

220995

none

vasd: When using UPN for username, and user-full-upn, fixed an issue logging in with simple name in certain configurations.

221192

none

vasd: Increased dispatcher's buffer size to better handle heavy auth systems.

221828

none

Known issues

The following is a list of issues, including those attributed to third-party products, known to exist at the time of release.

Table 2: Known issues
Known Issue Dev Ops Issue ID

TFS Issue ID

You must upgrade all Windows components on all Windows systems to Authentication Services 4.2.1 or higher before modifying the QAC (Quest Authentication Configuration) in Active Directory using Control Center from QAS 4.2.0 or higher. For more information, please see the KB Article 314330.

198991

(corrected in QAS 4.2.1)

800254

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents