Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.3 - Mac OS X/macOS Administration Guide

One Identity Privileged Access Suite for Unix Installation The Authentication Services Mac OS X components Configuring the Authentication Services client Special Mac OS X features Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac Certificate Autoenrollment

Using to join and unjoin

You can access the same functionality that is available through the Authentication Services Directory Utility Plugin through the Authentication Services command line utilities.

There are two ways to join your Mac OS X system to an Active Directory domain:

  • Run the script.

    $ sudo /opt/quest/libexec/vas/scripts/

    This script prompts you for information needed to perform the join operation without requiring you to know the syntax of the vastool join command.


  • Run the vastool join command.

    $ sudo /opt/quest/bin/vastool -u Administrator join -f

To leave an Active Directory Domain from a Terminal session, use the vastool unjoin command.

Note: See the vastool man page located in the docs directory of the installation media for more information about the vastool join or vastool unjoin commands.

System changes made by the join process

When joining an Active Directory Domain, Authentication Services automatically modifies the following system configurations:

  • Authentication Services is added to the DirectoryService search path.
  • The Authentication Services startup items are configured to startup automatically
  • The system MIT Kerberos configuration file is configured to use the Active Directory servers that Authentication Services detects.
  • The system authorization rules contained in /etc/authorization are modified to use the VASMechanism for Authentication Services logins.
  • Group Policies configured for the Mac OS X system are applied by the Group Policy components if they are installed.

Once you have successfully completed the Authentication Services join process, you are immediately able to log into the Mac OS X system through both the Mac OS X Login Window and remotely through SSH.

When leaving a domain, the Authentication Services unjoin process reverts the above changes that were made by the Authentication Services join process. Also, uninstalling Authentication Services automatically reverts the above changes as well.

Note: You can re-join on top of existing computer accounts created with the Mac OS X Active Directory Plugin by default using the Authentication Services Active Directory plugin, but we recommend disabling the Mac OS X Active Directory plugin so that the domain will not appear in the Directory Servers window as not responding.

Verify the installation and configuration

It is important to verify that your system is configured correctly to use the Active Directory account information provided by Authentication Services.

To verify the Authentication Services installation and configuration

  1. Run the following shell commands.

    • To show a list of the available Unix-enabled Active Directory users, enter

      dscl /VAS list /Users
    • To show a list of the available Unix-enabled Active Directory groups, enter

      dscl /VAS list /Groups
    • To ensure that the system can read user information for Authentication Services users, enter

      dscl /Search read /Users/<Username>
      where <Username> is the username of a Authentication Services user.
    • To perform an authentication for a Authentication Services user, enter

      dscl /Search auth <Username>
      where <Username> is the username of a Authentication Services user.

    If any of the previous commands do not work, capture debug information from the Authentication Services Directory Service plugin.

  2. Add the following items to the vas.conf [vas_macos] section:
       dslog-mode = /Library/Logs/vasds.log
       dslog-components = plugin,auth
  3. After adding those items, run the following shell command in a Terminal session to trigger the Authentication Services Directory Services Plugin to reload its logger configuration:
    $ sudo /opt/quest/libexec/vas/macos/vasdsreload
  4. Execute the previous verification commands that failed and send the contents of /Library/Logs/vasds.log to One Identity Support who will assist in resolving the problems.

Logging in with Active Directory accounts

Authentication Services for Mac OS X allows you to authenticate to your Mac OS X system, but before you can use any given account for authentication, you can prepare it for Mac OS X authentication from a Windows Administrative Console through a process called Unix-enabling. However, if you do not have access or permissions to modify user account information in Active Directory, you can join and specify that you want the Authentication Services client to locally generate Unix identity information.

To locally generate Unix identity information, select the Generate Unix Identity Attributes option when you join (or, if you are joining using the command line utility, specify the --autogen-posix-attrs flag). This allows you to use all the features of the Authentication Services client, without requiring any modification to user information in Active Directory. If you plan to manage identity data in Active Directory globablly, proceed to the Unix-enable a User section.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating