Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.6 - Release Notes

Release Notes

One Identity Authentication Services 4.1.6

Release Notes

June 2018

These release notes provide information about the One Identity Authentication Services 4.1.6 release.

About this release

Authentication Services extends the capabilities of UNIX, Linux and Mac systems to seamlessly and transparently join Active Directory and integrate Unix identities with Active Directory Windows accounts.

Authentication Services 4.1.6 is a minor release. Support for Active Roles 7.3 was added and various defects have been resolved in this quarterly maintenance release.

New Features

Authentication Services, the solution that pioneered the "Active Directory Bridge" market continues to lead the way with powerful and innovative new capabilities that make heterogeneous identity and access management even more efficient, secure, and compliant.

Authentication Services 4.1 features include:

  • Upgrade Without Reboot: Authentication Services adds the functionality required so that future upgrades will no longer require a system reboot when upgrading as a local user. Some customer deployments of Authentication Services have been running on old versions for long periods of time because of the difficulties of scheduling sever down time. With Authentication Services 4.1 deployed as the foundation, future releases, under some circumstances, will allow you to deploy upgrades without impacting running services or rebooting.

    NOTE: Because of changes Apple makes to their operating system with new macOS releases, this is not always possible especially when upgrading as a mobile account.
  • IPv6 Support: Authentication Services now supports hosts running full IPv6 environments. Authentication Services automatically uses IPv6 when it is available; it uses IPv4 when IPv6 is not available or is significantly slower than IPv4. IPv6 is available in Authentication Services on most recent operating systems, but is operating system dependent. Run vastool info ipv6 to determine whether IPv6 is available on each client. Authentication Services operates in IPv4-only, IPv6-only or dual-stack environments; no special configuration is required. Active Directory severs must be running Windows 2008 or later for IPv6 communication.

    Authentication Services uses IPv6 when the operating system's DNS resolver correctly supports mapping of IPv4 addresses to IPv6 addresses. If a problem with address mapping is detected, Authentication Services operates in IPv4-only mode, even if an IPv6 address is assigned and other applications use IPv6.

  • Customizable Windows Components Installer: The Windows installer now allows you to install individual components. The granule install includes: core components, ADUC components, Group Policy Extensions, Documentation, and the Control Center. For example, you can install an individual MMC snap-in without installing the entire Control Center application. These components are also available as MSI packages for automated and configurable installation.

  • Group Policy Updates:
    • Ability to specify "merge" or "replace" several local file settings in the GPO. For example, you can configure users.allow to be delivered to every system with the contents overwriting any changes made to the local copy of users.allow.

    • A new preference manifest setting for MAC Group Policy called Apple Network Browser that allows you to deactivate AirDrop.

      NOTE: When upgrading Authentication Services, you must manually add this new preference manifest. Refer to the "Preference Manifest Settings" topic in the One Identity Authentication Services Mac OS X/macOS Administration Guide for the procedure "To add a Preference Manifest".
    • Ability to distribute trusted certificates through Group Policy.

  • Group Policy for Certificate Autoenrollment: Authentication Services Certificate Autoenrollment provides a quick and simple way to issue and renew certificates for Mac OS X, UNIX and Linux users and systems from Windows 2008 R2 Certificate Enrollment Services. In this release you can configure Certificate Autoenrollment with Group Policy. Certificate Autoenrollment includes the ability to:

    • Automatically enroll x509 Certificates based on Microsoft Certificate Enrollment Policy.

    • Renew certificates that are close to expiration according to policy.

    • Automatically install newly enrolled certificates into the appropriate system or user keychain.

    • Support both user and machine certificate policy.

    NOTE: In previous releases, Certificate Autoenrollment 1.0 was provided as an add-on and was only available for Mac OS X. Beginning with Authentication Services version 4.1.2, Certificate Autoenrollment 1.1 is included as a standard installable component, vascert, available for Mac OS X, UNIX and Linux.
  • Management Console for Unix 2.5 Updates:

    • Ability to manage Privilege Manager for Unix.

    • Ability to manage access control on a single host system.

    • Ability to add and remove Active Directory users or groups across multiple hosts.

    • Ability to rejoin hosts to Active Directory.

    • Ability to reset or change passwords for multiple local accounts across multiple hosts.

See also:

Resolved Issues

The following is a list of issues addressed in Authentication Services 4.1.6.

Table 1: api: resolved issue
Resolved Issue Issue ID

New option, [libvas] force-ipv, can be set to 4 or 6. Forces Authentication Services to use the given protocol.

NOTE: Should only be used for troubleshooting.

Table 2: ars: resolved issues
Resolved Issue Issue ID

Fix issue when using Active Roles 7.2 with Authentication Services.


Add support for Active Roles 7.3.


Table 3: auth: resolved issue
Resolved Issue Issue ID
Fix issue when using AES, users with expired accounts/password are denied login. 758700
Table 4: build: resolved issues
Resolved Issue Issue ID

Initial work for adding FreeBSD.


Remove OSX 10.7 package.


Increment to 4.1.6 for maintenance release.


Table 5: doc: resolved issues
Resolved Issue Issue ID

Stop building PDFs that are not included in the final package.


Reference the correct vas.conf in the pam_vas man page.


Mention that uid-check-limit might fail above 21483647 on some OS's.


Table 6: dnsupdate: resolved issue
Resolved Issue Issue ID
ipmon has been changed to ipmond to fix interference with existing process.  
Table 7: krb5: resolved issue
Resolved Issue Issue ID
Handle making an AES keytab entry when default_etypes is RC4. 774650
Table 8: lam: resolved issue
Resolved Issue Issue ID

New vas.conf option, [aix_vas] ext-attrs-window.

For heavy authentication systems, keeps disk usage lower during a lot of simultaneous authentications at the expense of login location for subsequent calls, like host_last_login.

Table 9: mcc: resolved issue
Resolved Issue Issue ID
Fix issue r-clicking for running the NIS Map Editor on a specific OU/CN. 772009
Table 10: nss/pam: resolved issues
Resolved Issue Issue ID

nss: Fix debug output to be more consistent.


nss/pam: Move all select() calls to poll() calls for anything nss/pam uses. This should mitigate possible segfaults from programs calling into Authentication Services with more than 1024 file descriptors open. 758694

nss: Initial support work for Solaris 11.4


pam: Initial support work for Solaris 11.4


pas_vas: Make sure the Authentication message has a reason when a passwordless login fails due to being locked out.


Table 11: osx: resolved issue
Resolved Issue Issue ID
Fix an issue where the system would freeze for a minute after a vastool flush. 735997
Table 12: package: resolved issues
Resolved Issue Issue ID

Always clean up generated upstart files.


Do not configure upstart on systems that do not have /lib/init/upstart-job.


On uninstall, make sure to remove vgp.conf.  
Fix an issue building vgp on AIX due to rebranding.  
Increment to 4.1.6 for maintenance release.  
Table 13: scripts: resolved issues
Resolved Issue Issue ID
Add system krb5 configuration to



In, use domain\sam instead of userprincipalname.


Fix an issue in on OSX about NSS library paths.

758965 Fix a temporary world writable file during install on Solaris.


init script: Look for being in an LPAR on AIX 7 as well as 6.

615447 Support aarch64's package.

NOTE: This is not support for the OS.


init script: Fix restart of ipmond on HP/OSX.


Table 14: snapshot: resolved issue
Resolved Issue Issue ID
Add rootDSE query to the snapshot. 647684
Table 15: status: resolved issues
Resolved Issue Issue ID
Warn when try_disauth_first is still set. 713222
Fix processing files in access.d with spaces in their names. 733918
Fixes for Solaris 11.4 772713
Test 502: Ignore cifs/ entries, they do not have to match Active Directory. 698858
Test 608: If password is not configured, just return INFO. 733917

Test 112: Ignore [plugins] section.


Test 720: Better match the vasd socket file.


Add new setting to vastool status.


Table 16: vasd: resolved issues
Resolved Issue Issue ID
vasd now runs after a fork when staring children. 755070
Add a lock file so on non-Linux systems vasd dispatcher dying should not vastly slow down the system. 769230
Fix an authentication issue with sshd_config PermitEmptyPasswords enabled preventing logins until a user checkaccess is ran. 770132
Auth daemon might not detect parent(dispatcher) death if it had not processed anything. 770133
Randomize the delusercheck-interval like lazy-cache-update, 1x - 2x of the configured value to keep systems started at the same time when hitting Active Directory for the query at the same time. 744285
If vasd is started in an unjoined state, do not ignore srvinfo requests. This should allow setups that do not join, like SAP, to continue to work. 715651
Table 17: vastool: resolved issues
Resolved Issue Issue ID

Fix failure to find servers tyring to timesnyc when out of timesync.


Fix an issue on some OS's when uid-check-limit was over 2147483648. 759447
During configure sudo, check for version 1.8.15+, and add always_query_group_plugin. 747413

New option, vastool (un)configure selinux. Run after join to install selinux policy for Authentication Services.


Honor site-only-servers for vastool info toconf.


Fix issues around AES salting when making a keytab during a password change.



When creating a cross-domain/forest keytab for a service, use the correct salt for AES keys.


If a value ends in a space, do not base64 encode the results. RFC 2849 suggests to do so, but Active Directory does not appear to.


Fix an issue with setting a user's password with a keytab.


When making an account or re-setting the account's password, handle unexpected keytab failures.


During info toconf, with site-only-servers set to true, better handle any domains with no in-site servers.


Fix an issue running vastool ktuil on Fedora 27+.


Table 18: vasypd: resolved issue
Resolved Issue Issue ID
Additional fixes for 747035 to stop a vasypd hang using netgroups. 747037
Table 19: vgp: resolved issue
Resolved Issue Issue ID
Fix issue with parsing visudo -c output. 766944
Table 20: vgptool: resolved issue
Resolved Issue Issue ID
Fix leaving temp files around if the file being modified was marked immutable. 647676
Table 21: General: resolved issues
Resolved Issue Issue ID
Updated branding.


Coverity fixes.


Known Issues

The following is a list of issues known to exist at the time of release.

Table 22: Change Auditor integration known issues
Known Issue Issue ID
After installing Authentication Services 4.1.0, the machine must be rebooted for Change Auditor to log "QAS GPO Setting Changed" events. 28008
Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents