Chat now with support
Chat with Support

Safeguard Authentication Services 5.1.3 - macOS Administration Guide

Privileged Access Suite for UNIX Installation Safeguard Authentication Services macOS components Safeguard Authentication Services client configuration Special macOS features Limitations on macOS Group Policy for macOS Certificate Autoenrollment Glossary

Command line join

Use the vastool utility to perform a command line join.

At the command line, enter vastool join to join the macOS system to an Active Directory domain.

Using Terminal.app to join and unjoin

You can access the same functionality that is available through the QAS Join application using the Safeguard Authentication Services command line utilities.

There are two ways to join your macOS system to an Active Directory domain:

  • Run the vasjoin.sh script.

    $ sudo /opt/quest/libexec/vas/scripts/vasjoin.sh

    This script prompts you for information needed to perform the join operation without requiring you to know the syntax of the vastool join command.

  • Run the vastool join command.

    $ sudo /opt/quest/bin/vastool -u Administrator join -f example.com

To leave an Active Directory domain from a Terminal session, use the vastool unjoin command.

NOTE: For more information about the vastool join or vastool unjoin commands, see the vastool man page located in the docs directory of the installation media.

System changes made by the join process

When joining an Active Directory domain, Safeguard Authentication Services automatically modifies the following system configurations:

  • Safeguard Authentication Services is added to the DirectoryService search path.

  • The Safeguard Authentication Services startup items are configured to start up automatically

  • The system Kerberos configuration file is configured to use the Active Directory servers that Safeguard Authentication Services detects.

  • Group Policies configured for the macOS system are applied by the Group Policy components if they are installed.

Once you have successfully completed the Safeguard Authentication Services join process, you are immediately able to log in to the macOS system through the macOS Login Window.

When leaving a domain, the Safeguard Authentication Services unjoin process reverts the above changes that were made by the Safeguard Authentication Services join process. Also, uninstalling Safeguard Authentication Services automatically reverts the above changes as well.

TIP: You can rejoin on top of existing computer accounts created with the macOS Active Directory plugin by default using the Safeguard Authentication Services Active Directory plugin. However, One Identity recommends disabling the macOS Active Directory plugin so that the domain will not appear in the Directory Servers window as not responding.

Verifying the installation and configuration

It is important to verify that your system is configured correctly to use the Active Directory account information provided by Safeguard Authentication Services.

To verify the Safeguard Authentication Services installation and configuration

  1. Run the following shell commands.

    • To show a list of the available UNIX-enabled Active Directory users, enter:

      dscl /VAS list /Users
    • To show a list of the available UNIX-enabled Active Directory groups, enter:

      dscl /VAS list /Groups
    • To ensure that the system can read user information for Safeguard Authentication Services users, enter:

      dscl /Search read /Users/<Username>

      where <Username> is the username of a Safeguard Authentication Services user.

    • To perform an authentication for a Safeguard Authentication Services user, enter:

      dscl /Search auth <Username>

      where <Username> is the username of a Safeguard Authentication Services user.

    If any of the previous commands do not work, capture debug information from the Safeguard Authentication Services Directory Service plugin.

  2. Add the following items to the vas.conf [vas_macos] section:

    [vas_macos]
    dslog-mode = /Library/Logs/vasds.log
    dslog-components = all
  3. After adding those items, run the following shell command in a Terminal session to trigger the Safeguard Authentication Services Directory Services Plugin to reload its logger configuration:

    $ sudo /opt/quest/libexec/vas/macos/vasdsreload
  4. Run the previous verification commands that failed and send the contents of /Library/Logs/vasds.log to One Identity Support who will assist in resolving the problems.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating