Chat now with support
Chat with Support

Safeguard Authentication Services 5.0.6 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment Integrating with other applications Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Using VASTOOL to configure SELinux

vastool can automatically update the SELinux configuration files on your system.

To modify the SELinux configuration

  1. To configure SELinux to use the SELunix module, run the following command as root:
    vastool configure selinux
  2. To remove the SELinux module configuration, run the following command as root:
    vastool unconfigure selinux

Enabling diagnostic logging

Debug logging configuration depends on your platform and the subsystem you are troubleshooting. Some issues can span multiple subsystems.

Safeguard Authentication Services vasd daemon

To enable Safeguard Authentication Services daemon debug output, set the debug-level setting in the [vasd] section of vas.conf. Unless instructed otherwise by Technical Support, the recommended level is 5 for investigating issues. Refer to the vas.conf man page for details on debug log settings.

vasd logs events to syslog using the DAEMON facility. vasd dynamically picks up the change for both enabling and disabling without requiring a restart.


Note: For both PAM and LAM, regardless of debug level, Safeguard Authentication Services outputs a success or failure message to AUTH (AUTHPRIV on Linux or macOS), for example:

<syslog prefix>: pam_vas: Authentication <succeeded> for <Active Directory> user: <user1> account: <> service: <sshd> reason: <N/A> Access Control Identifier(NT Name):<EXAMPLE1\user1>

The message indicates if the authentication was successful or failed, was disconnected, what type of account, if failed a general message as to why, what service if PAM, and the NT style name of the account used to authenticate against.


To enable PAM debug output, you must set the debug option for the Safeguard Authentication Services PAM module in the pam.conf file. This consists of adding debug trace to each pam_vas3 line in the appropriate files for the system. For more information, refer to the pam.conf man page for your platform.

When you enable debug output, Safeguard Authentication Services logs PAM output authentication events to syslog using the AUTH facility (AUTHPRIV on macOS and Linux). Normally this does not require a restart of an application to start debugging.

Note: On HP-UX, Oracle Solaris, and AIX, you can obtain additional PAM debug information by running touch /etc/pam_debug. This enables PAM library level debugging. To disable it, remove the "touched" file.


If you are using LAM for authentication on AIX, you can enable authentication debug output by running:

touch /var/opt/quest/vas/.qas_auth_dbg

When you enable this debug option, Safeguard Authentication Services logs LAM authentication events to /tmp/qas_module.log.


This includes debugging NSS on Linux, HP-UX, and Oracle Solaris and LAM identification on AIX. To enable full debugging of the Safeguard Authentication Services identity library for the operating system, run the following:

touch /var/opt/quest/vas/.qas_id_dbg

This enables debug globally for the system. Disable it by removing the "touched" file. Enabling and disabling applies within 30 seconds.

You can also enable debugging for a single application to send output to stderr by defining the environment variable QAS_ID_DBG_STDERR. For example, in a Bourne shell, enter:

QAS_ID_DBG_STDERR=1 getent passwd

The output includes a line that lists input, result, and time spent in the call. Enable only this line by running:

touch /var/opt/quest/vas/.qas_id_call

You can also use the environment variable, QAS_ID_CALL_STDERR to log the result line of the above debug.

This output is useful for profiling the volume/type of calls the Safeguard Authentication Services identity interface is receiving.

Output is written to the /tmp/qas_module.log file for both options.

Note: The /tmp/qas_module.log file is world writable making it possible for any user to write output to it. Thus, One Identity recommends that you change the permissions once debug is disabled.


Safeguard Authentication Services command line tools accept a -d parameter to indicate the level of debug output (1-5) you want to print to the console. To see more output, specify a higher value to the -d parameter. For example, to see extra diagnostic information when you join the domain, enter:

/opt/quest/bin/vastool -u administrator -d5 join

Note: When you have debug enabled, it can affect performance.

Working with netgroups

With the Windows 2003 R2 schema, you can access netgroup data based on RFC 2307 stored in Active Directory through the Safeguard Authentication Services name service module. Safeguard Authentication Services caches the netgroup information locally. This netgroup support is built in to the name service module and does not require the Safeguard Authentication Services LDAP proxy service to be running.

Note: Netgroup data through the Safeguard Authentication Services name service module is only supported on Linux, Oracle Solaris, HP-UX, and AIX.

Configuring netgroup support with name service

To configure Safeguard Authentication Services to resolve netgroup data from the name service module

  1. Run the following command as root to configure Safeguard Authentication Services for netgroup support:

    vastool configure vas vasd netgroup-mode NSS
  2. Run the following command as root to configure the Safeguard Authentication Services name service module:

    1. On Linux, Oracle Solaris, or HP-UX:

      vastool configure nss netgroup
    2. On AIX:
      vastool configure irs netgroup

      Note: To create a netgroup map, if needed, you can enter the following at the command line:

      nisedit -u <admin> add -m netgroup -f an /etc/netgroup style file>

      For more information about the nisedit tool, see Using NIS map command line administration utility.

  3. Load the netgroup caches by running the following command as root:

    vastool flush netgroup
  4. To test the netgroup configuration run the following command:

    vastool nss getnetgrent <netgroup name>
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating