
Safeguard Authentication Services 4.1.5 - Upgrade Guide


User identity specification changes

Authentication Services 4.x uses new user name formats for identifying users and groups in configuration files.

Authentication Services daemon changes for upgrade

vasd Caching and vasgpd Group Policy Daemons

Note: The changes made in Authentication Services 4.x may affect any monitoring scripts that you created for watching the vasd or vasgpd daemons.

In VAS 3.x, vasd and vasgpd (the Group Policy update daemon) were separate processes delivered in separate packages. In Authentication Services 4.x, the functionality of vasgpd has been absorbed into vasd, and vasgpd no longer exists as a separate process.

However, please note:

  • you must still install the vasgp package in order to use Group Policy on the Unix host; and
  • vastool no longer stops vasd during a flush operation, so the daemon can continue to supply Name Service data while the cache is flushed.
vasd Changes

To improve the stability and integrity of the local identity cache in Authentication Services 4.x, One Identity updated vasd to provide better isolation of the processes responsible for accessing the local identity cache.

In a typical 3.x environment, vasd was split into a parent process and a single child process whose sole responsibility was to maintain the local cache and respond to all update requests from the Name Service and Authentication modules.

Authentication Services 4.x changed the process hierarchy and now uses five separate but related vasd processes, which allows vasd to ensure cache integrity while remaining responsive to all requests. It also removes the need to start additional processes to handle legacy password hash and netgroup data requests.

One Identity designed Authentication Services 4.1 to be backwards compatible. There are no configuration changes you need to make to take advantage of this improvement.
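The Note above warns that monitoring scripts written for 3.x need attention. The following is an added example (not One Identity's code) of a monitor check that encodes the 4.x process shape described in this section: no vasgpd, and several related vasd processes under one parent. It assumes the monitor feeds in the output of `ps -eo pid,ppid,comm` and that all five 4.x processes report the command name vasd; the ps listings are constructed.

```python
"""Check the vasd process tree from ps output after a 4.x upgrade.

Added example, not One Identity's code.  A 3.x-era monitor that alerts when
vasgpd is absent, or when more than two vasd processes exist, fires falsely
on 4.x.  Assumptions: every one of the five 4.x processes shows up in ps with
the command name "vasd", and the input is `ps -eo pid,ppid,comm` output.
The ps listings below are constructed.
"""

EXPECTED_VASD_PROCESSES = 5  # from the 4.x description above

# Constructed `ps -eo pid,ppid,comm` output for a healthy 4.x host.
SAMPLE_PS_4X = """\
  PID  PPID COMMAND
    1     0 init
  812     1 vasd
  815   812 vasd
  816   812 vasd
  817   812 vasd
  818   812 vasd
  901     1 sshd
"""

# Constructed output for a host where the 3.x vasgpd is still running.
SAMPLE_PS_STALE = """\
  PID  PPID COMMAND
    1     0 init
  640     1 vasd
  641   640 vasd
  700     1 vasgpd
"""


def parse_ps(text):
    """Parse `ps -eo pid,ppid,comm` output into (pid, ppid, comm) tuples."""
    procs = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        pid, ppid, comm = parts
        procs.append((int(pid), int(ppid), comm))
    return procs


def check_vasd_tree(procs):
    """Return a list of findings; an empty list means the tree looks like 4.x."""
    findings = []
    vasd = [p for p in procs if p[2] == "vasd"]
    if any(p[2] == "vasgpd" for p in procs):
        findings.append("vasgpd is running: 4.x folds Group Policy into vasd, "
                        "so this is a leftover 3.x process")
    if not vasd:
        findings.append("no vasd process found")
        return findings
    vasd_pids = {pid for pid, _, _ in vasd}
    # A vasd whose parent is not itself a vasd is the top-level daemon.
    parents = [p for p in vasd if p[1] not in vasd_pids]
    if len(parents) != 1:
        findings.append(f"{len(parents)} top-level vasd processes; expected exactly one parent")
    if len(vasd) < EXPECTED_VASD_PROCESSES:
        findings.append(f"{len(vasd)} vasd processes; a 4.x host runs "
                        f"{EXPECTED_VASD_PROCESSES} (assumed all named vasd)")
    return findings


if __name__ == "__main__":
    for label, sample in (("4.x host", SAMPLE_PS_4X), ("stale host", SAMPLE_PS_STALE)):
        print(label, check_vasd_tree(parse_ps(sample)) or ["OK"])
```

On a real host, replace the constructed listing with `subprocess.run(["ps", "-eo", "pid,ppid,comm"], capture_output=True, text=True).stdout`; the parent-count check is the part that catches a half-started or orphaned tree, which a simple process count misses.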

Authentication Services configuration file changes

Authentication Services 4.x has extended the syntax of many of the host configuration files to allow you to specify users and groups by the more commonly used DOMAIN\sAMAccountName identifier.

The following configuration files are affected:

  • Account overrides

    /etc/opt/quest/vas/user-override
    /etc/opt/quest/vas/group-override
  • Access control

    /etc/opt/quest/vas/users.allow
    /etc/opt/quest/vas/users.deny
  • Client configuration

    /etc/opt/quest/vas/vas.conf

The extended syntax does not affect configuration entries that were configured and working under previous versions of Authentication Services. The new syntax provides an optional format that you can use in the future. Group Policy settings use the new format if configured with the Group Policy object editor.

Account overrides

User Account Overrides

Entries in the user-override file have the form:

<identifier>:<Unix name>:<uid>:<primary gid>:<gecos>:<home directory>:<login shell>

Table 10: User Account Override Identifiers

  • localuser@example.com: For backwards compatibility with previous versions of Authentication Services, any identifier in the file that contains an '@' character is interpreted as the LDAP userPrincipalName of an Active Directory user.
  • localgroup: For backwards compatibility with previous versions of Authentication Services, any simple name in the file is interpreted as the name of an Active Directory group.
  • EXAMPLE\localuser or EXAMPLE\localgroup: In previous versions of Authentication Services, the agent assumed that this identifier was only used for Active Directory groups. In Authentication Services 4.x, any identifier that contains a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory object, which may be either a user or a group.

Group Account Overrides

Entries in the group-override file have the form:

<identifier>:<Unix name>:<gid>:<member list>

Table 11: Group Account Override Identifiers

  • localgroup: For backwards compatibility with previous versions of Authentication Services, any simple name in the file is interpreted as the name of an Active Directory group in the joined domain.
  • EXAMPLE\localgroup: In Authentication Services 4.x, any identifier that contains a '\' character is interpreted as the DOMAIN\sAMAccountName of an Active Directory object. In this file, that object is always a group.

One Identity designed Authentication Services 4.1 to be backwards compatible. There are no configuration changes you need to make to take advantage of this improvement.
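Because a simple name in user-override now means a group, while a backslash form may be a user or a group, it is worth auditing the override files before upgrading. The following is an added example (not One Identity's code) that parses user-override and group-override entries, reports which identifier form each line uses under the rules in Tables 10 and 11, and flags entries a reviewer should look at: wrong field counts, non-numeric ids, and overrides that map an Active Directory object to uid or gid 0. It assumes that lines beginning with '#' are comments and that an empty numeric field is left unchecked; the sample file contents are constructed.

```python
"""Audit Authentication Services 4.x account-override files before an upgrade.

Added example, not One Identity's code.  Parses user-override and
group-override entries, reports the identifier form each line uses under
the 4.x rules in Tables 10 and 11, and flags entries worth a second look.
Assumptions: lines beginning with '#' are comments, and an empty numeric
field is skipped rather than checked.  Sample contents are constructed.
"""

USER_FIELDS = 7   # identifier:Unix name:uid:primary gid:gecos:home directory:login shell
GROUP_FIELDS = 4  # identifier:Unix name:gid:member list

# Constructed /etc/opt/quest/vas/user-override contents.
SAMPLE_USER_OVERRIDE = """\
# constructed sample, not a real site's file
jdoe@example.com:jdoe:1001:1001:Jane Doe:/home/jdoe:/bin/bash
EXAMPLE\\svc_backup:backup:0:0:Backup service:/var/backups:/bin/sh
unixadmins:contractor:2000:2000:Contractor account:/home/contractor:/bin/bash
EXAMPLE\\broken:nouid:abc:100:Bad entry:/home/nouid:/bin/sh
short:line
"""

# Constructed /etc/opt/quest/vas/group-override contents.
SAMPLE_GROUP_OVERRIDE = """\
localgroup:unixgrp:3000:alice,bob
EXAMPLE\\localgroup:wheelish:0:
"""


def identifier_form(identifier, file_kind):
    """How a 4.x agent interprets an override identifier ("user" or "group" file).

    A backslash means DOMAIN\\sAMAccountName (user or group in user-override,
    always a group in group-override); an '@' means a userPrincipalName,
    documented only for user-override; anything else is a simple AD group name.
    """
    if "\\" in identifier:
        domain, _, sam = identifier.partition("\\")
        if not domain or not sam or "\\" in sam:
            return "malformed"
        return "group" if file_kind == "group" else "user-or-group"
    if "@" in identifier:
        return "upn-user" if file_kind == "user" else "undocumented"
    return "group"


def audit_override(text, file_kind):
    """Return a list of (line number, identifier form, issues) for each entry."""
    expected = USER_FIELDS if file_kind == "user" else GROUP_FIELDS
    results = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        fields = line.split(":")
        if len(fields) != expected:
            results.append((lineno, "unparsed",
                            [f"expected {expected} fields, got {len(fields)}"]))
            continue
        form = identifier_form(fields[0], file_kind)
        issues = []
        if form in ("malformed", "undocumented"):
            issues.append(f"identifier form {form}: {fields[0]!r}")
        # uid and gid in user-override, gid only in group-override
        for value in (fields[2:4] if file_kind == "user" else fields[2:3]):
            if not value:
                continue  # empty field: nothing to check (assumption)
            if not value.isdigit():
                issues.append(f"non-numeric id {value!r}")
            elif int(value) == 0:
                issues.append("maps an AD object to id 0 (root/wheel); confirm this is intended")
        if file_kind == "user" and form == "group":
            issues.append("simple name: interpreted as an AD group, not a user")
        results.append((lineno, form, issues))
    return results


if __name__ == "__main__":
    for kind, text in (("user", SAMPLE_USER_OVERRIDE), ("group", SAMPLE_GROUP_OVERRIDE)):
        for lineno, form, issues in audit_override(text, kind):
            print(f"{kind}-override line {lineno}: {form} {issues}")
```

To run it against a real host, read /etc/opt/quest/vas/user-override and /etc/opt/quest/vas/group-override into `text` and pass "user" or "group" accordingly. The id-0 check is the one to keep in a pre-upgrade review: an override that grants uid 0 to a DOMAIN\sAMAccountName identifier is correct only if that object is the account you think it is, and 4.x will resolve it as a user or a group depending on what exists in Active Directory.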
