Chat now with support
Chat with Support

Safeguard Authentication Services 6.0 LTS - Release Notes

Safeguard Authentication Services 6.0 LTS

Release Notes

03 April 2024, 12:16

These release notes provide information about the Safeguard Authentication Services 6.0 LTS release. For the most recent documents and product information, see Safeguard Authentication Services - Technical Documentation.

About this release

Safeguard Authentication Services extends the capabilities of UNIX, Linux, and Mac systems to seamlessly and transparently join Active Directory and integrate UNIX identities with Active Directory Windows accounts.

Safeguard Authentication Services 6.0 LTS is a major release that includes various bug and stability fixes. For a list of fixes included in this release, see Resolved issues.

End of support notice

After careful consideration, One Identity ceased the development of Management Console for Unix (MCU). Therefore, MCU entered limited support for all versions on 01 April 2021, with support for all versions reached end of life on 01 November 2021. For the definitions of support, see the Software Product Support Lifecycle Policy.

As One Identity retired the MCU, its feature set has been built into modern platforms, starting with Software Distribution and Profiling. Customers that use MCU to deploy Safeguard Authentication Services and Safeguard for Sudo can now use the One Identity Ansible collections for those products. For the Ansible collections, see Ansible Galaxy.

New features

New features in version 6.0 LTS

The following features have been added:

  • Added a new Functionality Group Policy option to enable or disable Siri. If this option is disabled, Siri cannot be enabled on the client.


The following is a list of enhancements implemented in Safeguard Authentication Services 6.0 LTS.

Table 1: General enhancements
Enhancement Issue ID
The Windows Autorun tool has been updated so that it has the latest One Identity appearance. 245892

From now on, the client's DNS entries can be removed during unjoining from an Active Directory.

In /etc/opt/quest/dnsupdate.conf, a new configuration option (RemoveDnsRecordsAtUnjoinTime) allows removing the client's DNS entries when the client gets unjoined from an Active Directory.


RPM packages are now signed using the hash algorithm SHA-512 instead of SHA-256.


Previously, any modifications made to files in /usr/share/authselect/vendor/AuthenticationServices/ have been overwritten by vasclnt package install.

All files containing any modifications are now kept without being overwritten.


The vastool inspect command can now output configuration values in list format.

It is now possible to display the value of vasypd/nismaps, or the entries of the vasproxyd and vas_host_services configuration groups.


Previously, Sudoers Group Policy items have been added to the sudoers file without considering if the password field is required.

Now all Group Policy items not requiring a password are added after the others, therefore passwords are not required where they are not needed.


Resolved issues

The following is a list of issues addressed in this release.

Table 2: General resolved issues in version 6.0 LTS
Resolved Issue Issue ID

On macOS, some code signature-related files remained on the file system after uninstalling the product.

This issue is now fixed, and the files get removed.


On newer Linuxes (such as RHEL 9.2), the vasclnt package required installing the libxcrypt-compat package to work.

This dependency is not present anymore.


On macOS, PolicyRefreshRate did not work as described in the documentation, policy refresh was called more frequently.

PolicyRefreshRate now works as described in the documentation on macOS.

387219 has been extended with new checks.

From now on, the permissions on directory /bin and file /bin/sh will be checked. will report failure if the permissions are not acceptable.


Fixed an issue where the vastool timesync command did not list the time zone when showing the current time and date.


From now on, vasd logs a message when the grent or pwent flush takes a long time.


So far, the UNIX account import wizard tool has not picked a group name consistently while importing groups from a NIS server.

From now on, the tool will choose the shortest group name. If there is no single shortest name, it will choose the first one in lexicographical order.


Logging messages in pam_vas has been improved.

Previously, several error messages were logged at level debug. From now on, error messages will be logged at level err.


Previously, AIX version numbers sometimes had a 5-digit FixLevel value, which is considered invalid according to the AIX system documentation.

This issue is now fixed, the FixLevel value in the AIX version number has only 4 digits.


The vastool status command now issues a warning if default_etypes is only configured to insecure encryption algorithms, or smb-dialect-range limits Samba to use the old protocol.


The version number of the pamdefender package now follows the version of Safeguard Authentication Services.


When the Control Center was not able to bind an object in AD (for example, QAC), it displayed an error message that lacked any details.

From now on, the error message will contain the LDAP URL of the object.


From now on, Safeguard Authentication Services can handle if a computer object account is reset in Active Directory, just like a Windows client.

This issue was fixed by making sure that Safeguard Authentication Services changes the computer account's password as soon as it discovered that the password has been reset to its default value.


Fixed an issue where if is being used in a PAM file, vasd may be blocked from working properly.

vastool status now checks if is being used in any PAM file, and grabs files related to pam_access.


The existence of /usr/bin/startsrc will be checked only on AIX, therefore it will not interfere with optionally installed extra packages on non-AIX systems.


New vasclnt installs on Solaris 10 now add a user-override configuration line, which overrides the home directories of AD users stored under /export/home/<username>.

In previous versions, this override configuration was only created on Solaris 11.


/var/opt/quest/vas/vasd/.vasd_ipv4 and .vasd_ipv6 files should have been created by vasd with the same owner as the other files in the same directory. However, they were always created with the owner root.

This issue is now fixed.


Fixed an issue where vascert has shown the following exception when running on Oracle Java:

java.lang.SecurityException: JCE cannot authenticate the provider BC

Now vascert ships this cryptography extension as a signed jar, so the error should disappear. OpenJDK did not have this requirement, and therefore was not affected.


A new vas.conf option was added to control DNS resolve-retries in the case of resolve failures.

The default value is 3, which can be overridden by setting resolve-retries to the libvas section of vas.conf.


Previously, the vgptool could not apply script group policies if /tmp has been mounted with the noexec flag, and the script has been requested to run in the name of a specified user.

This issue is now fixed.


Fixed an issue where an unnecessary error message was displayed when a GPO containing a login script was applied with vgptool.

This error message is no longer displayed.


Fixed an issue where vgptool crashed when the KRB5_CONFIG environment variable was set to an empty string.


Previously, when multiple GPOs were configured, only one of them was applied on macOS.

Now all policies are written to file and applied.


The vastool status script now uses grep -E instead of egrep if supported, because egrep issues deprecation warnings on newer systems (for example, Fedora 38).


Previously, user logins in permanent-disconnected authentication mode could fail if the enrcyption type of the Kerberos ticket did not match the encryption type of the session for the cached material. This happened often if ARCFOUR and AES encryption types are both enabled in the KDC.


Previously, the pam_config utility crashed if the PAM configuration's directives specify an infinite recursion (for example, when two configuration files both include the other).

Now the tool reports an error instead.


macOS Profile Helper is now started automatically from launchd using spawn constraints to increase security and ensure working on the most recent macOS versions.


Fixed a vasd crash on HP-UX that could occur during user login.


Updated the error message shown when macOS version requirements are not met.


Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating