
Safeguard Authentication Services 4.1.5 - One Identity Authentication Services 4.1.5 Release Notes

Release Notes

One Identity Authentication Services 4.1.5


January 2018

These release notes provide information about the One Identity Authentication Services 4.1.5 release.

About this release

Authentication Services extends the capabilities of UNIX, Linux and Mac systems to seamlessly and transparently join Active Directory and integrate Unix identities with Active Directory Windows accounts.

Authentication Services 4.1.5 is a minor release. Various defects have been resolved and updated in this quarterly maintenance release.

New Features

Authentication Services, the solution that pioneered the "Active Directory Bridge" market, continues to lead the way with powerful and innovative new capabilities that make heterogeneous identity and access management even more efficient, secure, and compliant.

Authentication Services 4.1 features include:

  • Upgrade Without Reboot: Authentication Services adds the functionality required so that future upgrades will no longer require a system reboot when upgrading as a local user. Some customer deployments of Authentication Services have been running on old versions for long periods of time because of the difficulties of scheduling server downtime. With Authentication Services 4.1 deployed as the foundation, future releases, under some circumstances, will allow you to deploy upgrades without impacting running services or rebooting.

    NOTE: Because of changes Apple makes to their operating system with new macOS releases, this is not always possible especially when upgrading as a mobile account.
  • IPv6 Support: Authentication Services now supports hosts running full IPv6 environments. Authentication Services automatically uses IPv6 when it is available; it uses IPv4 when IPv6 is not available or is significantly slower than IPv4. IPv6 is available in Authentication Services on most recent operating systems, but is operating system dependent. Run vastool info ipv6 to determine whether IPv6 is available on each client. Authentication Services operates in IPv4-only, IPv6-only or dual-stack environments; no special configuration is required. Active Directory servers must be running Windows 2008 or later for IPv6 communication.

    Authentication Services uses IPv6 when the operating system's DNS resolver correctly supports mapping of IPv4 addresses to IPv6 addresses. If a problem with address mapping is detected, Authentication Services operates in IPv4-only mode, even if an IPv6 address is assigned and other applications use IPv6.

  • Customizable Windows Components Installer: The Windows installer now allows you to install individual components. The granular install includes: core components, ADUC components, Group Policy Extensions, Documentation, and the Control Center. For example, you can install an individual MMC snap-in without installing the entire Control Center application. These components are also available as MSI packages for automated and configurable installation.

  • Group Policy Updates:
    • Ability to specify "merge" or "replace" several local file settings in the GPO. For example, you can configure users.allow to be delivered to every system with the contents overwriting any changes made to the local copy of users.allow.

    • A new preference manifest setting for Mac Group Policy called Apple Network Browser that allows you to deactivate AirDrop.

      NOTE: When upgrading Authentication Services, you must manually add this new preference manifest. Refer to the "Preference Manifest Settings" topic in the One Identity Authentication Services Mac OS X/macOS Administration Guide for the procedure "To add a Preference Manifest".
    • Ability to distribute trusted certificates through Group Policy.

  • Group Policy for Certificate Autoenrollment: Authentication Services Certificate Autoenrollment provides a quick and simple way to issue and renew certificates for Mac OS X, UNIX and Linux users and systems from Windows 2008 R2 Certificate Enrollment Services. In this release you can configure Certificate Autoenrollment with Group Policy. Certificate Autoenrollment includes the ability to:

    • Automatically enroll x509 Certificates based on Microsoft Certificate Enrollment Policy.

    • Renew certificates that are close to expiration according to policy.

    • Automatically install newly enrolled certificates into the appropriate system or user keychain.

    • Support both user and machine certificate policy.

    NOTE: In previous releases, Certificate Autoenrollment 1.0 was provided as an add-on and was only available for Mac OS X. Beginning with Authentication Services version 4.1.2, Certificate Autoenrollment 1.1 is included as a standard installable component, vascert, available for Mac OS X, UNIX and Linux.
  • Management Console for Unix 2.5 Updates:

    • Ability to manage Privilege Manager for Unix.

    • Ability to manage access control on a single host system.

    • Ability to add and remove Active Directory users or groups across multiple hosts.

    • Ability to rejoin hosts to Active Directory.

    • Ability to reset or change passwords for multiple local accounts across multiple hosts.


Resolved Issues

The following is a list of issues addressed in Authentication Services 4.1.5.

Table 1: package: resolved issues
Resolved Issue Issue ID

Add support for OSX 10.13.


Re-work systemd support.



Copy systemd service file over, instead of linking it.


Table 2: vasd: resolved issues
Resolved Issue Issue ID

Full buffer timeout now scales with vascache-ipc-timeout. This provides better handling of heavy loads and reduces kernel load under those situations.


Provide better handling of password changes through the DS plugin on OSX.


During the ipc connect, handle possible signal interruption.


During Native AC processing, fixed a potential status 224/225 error.


Fixed handling of possible EINTR response.


Fixed an issue with mapped non-Unix user changing their password, introduced by Issue ID 730816 changes. 754277
Table 3: vastool: resolved issues
Resolved Issue Issue ID

Change order of operations during DS configuration.

Change restart and configuration order during DS configuration.


Restart odmodule in the correct order depending on OS version.



Table 4: osx: resolved issues
Resolved Issue Issue ID

Fix a potential segfault in DS plugin.


Potential fix for DS plugin crash.


On 10.13.2+, send messages to /var/log/vasd instead of syslog. This should stop vasd hanging on calling syslog. Any messages from vasd, from default to [vasd] debug-level=*, now go to this file.

NOTE: If you are using Authentication Services on 10.13.2+, upgrade to this version or later.
Table 5: auth: resolved issues
Resolved Issue Issue ID

During a password login, cache the user's pwdLastSet from their PAC. This prevents the user from being asked to change their password when vasd cannot read the correct pwdLastSet value from Active Directory.

Set pwdLastSet when expired.


Table 6: api: resolved issues
Resolved Issue Issue ID

In vas_ipc_connect, move from select() to poll().


Table 7: status: resolved issues
Resolved Issue Issue ID

Test 719; fix false positive in global zone.


Add test 724; detect if not in a site. 597853

Test 225; return WARNING if no actual Native AC set.

Test 225; change the output to better explain the issue.


Test 112; add latest MIT libdefaults settings. 641373
Add test 725; verify computerFQDN has a full name. 752251
Table 8: krb5: resolved issues
Resolved Issue Issue ID

Fix truncating long port number used for getaddrinfo.


Table 9: vasypd: resolved issues
Resolved Issue Issue ID

Fix a potential vasypd hang when providing netgroups and services map.


Table 10: ldapsearch: resolved issues
Resolved Issue Issue ID

Add disabling of paged results by setting pr=-1. This allows -f to work for multiple requests.


Table 11: docs: resolved issues
Resolved Issue Issue ID

Removed ReleaseNotes.pdf from the build; all documentation will be kept online, available at:


Known Issues

The following is a list of issues known to exist at the time of release.

Table 12: Change Auditor integration known issues
Known Issue Issue ID
After installing Authentication Services 4.1.0, the machine must be rebooted for Change Auditor to log "QAS GPO Setting Changed" events. 28008