Chat now with support
Chat with Support

We are currently experiencing issues on our phone support and are working diligently to restore services. For support, please sign in and create a case or email supportadmin@quest.com for assistance

Safeguard Authentication Services 6.0 LTS - Upgrade Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services Upgrade Windows components Configure Active Directory Configure UNIX agent components Upgrade client components manually Getting started with Safeguard Authentication Services Troubleshooting

UNIX agent requirements

NOTE: To install Safeguard Authentication Services on UNIX, Linux, or macOS, you must have root access rights.

NOTE: With Safeguard Authentication Services 4.2 and later, Linux platforms require glibc 2.4 (or later).

The following table provides a list of supported UNIX and Linux platforms for Safeguard Authentication Services.

Table 4: UNIX agent: Supported platforms

Platform

Version

Architecture

Alma Linux

8, 9

x86_64, AARCH64, PPC64le, s390x

Amazon Linux

AMI, 2, AL2022

x86_64

Apple MacOS

12.0 and above

x86_64, ARM64

CentOS Linux

7, 8

s390x, PPC64, PPC64LE, x86, x86_64, AARCH64

CentOS Stream

8, 9

x86_64, AARCH64, PPC64LE, s390x

Debian

Current supported releases

x86_64, x86, AARCH64

Fedora Linux

Current supported releases

x86_64, x86, AARCH64, PPC64LE

FreeBSD

12.x, 13.x, 14.x

x86_64

HP-UX

11.31

IA-64

IBM AIX

6.1 TL9, 7.1 TL3, TL4, TL5, 7.2, 7.3

Power 4+

OpenSuSE

Current supported releases

x86_64, x86, AARCH64, PPC64LE, s390x

Oracle Enterprise Linux (OEL)

7, 8, 9

x86_64, AARCH64

Oracle Solaris

10 8/11 (Update 10), 11.x

SPARC, x64

Red Hat Enterprise Linux (RHEL)

7, 8, 9

s390x, PPC64, PPC64LE, x86, x86_64, AARCH64

Rocky Linux

8, 9

x86_64, AARCH64, PPC64LE, s390x

SuSE Linux Enterprise Server (SLES)/Workstation

12, 15

s390x, PPC64, PPC64LE, x86, x86_64, AARCH64

Ubuntu

Current supported releases

x86_64, x86, AARCH64

NOTE: For maximum security and performance, before you begin the installation, make sure that you have the latest patches for your operating system version. One Identity recommends that you run the Preflight utility to check for supported operating systems and correct operating system patches.

UNIX components

Safeguard Authentication Services includes the following UNIX components.

Table 5: UNIX components
UNIX component Description

vasd

The Safeguard Authentication Services agent background process that manages the persistent cache of Active Directory information used by the other Safeguard Authentication Services components. vasd is installed as a system service. You can start and stop vasd using the standard service start/stop mechanism for your platform. vasd is installed by the vasclnt package.

vastool

The Safeguard Authentication Services command line administration utility that allows you to join a UNIX host to an Active Directory Domain; access and modify information about users, groups, and computers in Active Directory; and configure the Safeguard Authentication Services components. vastool is installed at /opt/quest/bin/vastool. vastool is installed by the vasclnt package.

vasgmsaupdate

Service to keep gMSA passwords always up to date

vgptool

A command line utility that allows you to manage the application of Group Policy settings to Safeguard Authentication Services clients. vgptool is installed at /opt/quest/bin/vgptool. vgptool is installed by the vasgp package.

oat (Ownership Alignment Tool)

A command line utility that allows you to modify file ownership on local UNIX hosts to match user accounts in Active Directory. oat is installed at /opt/quest/libexec/oat/oat. oat is installed by the vasclnt package.

LDAP proxy

A background process that secures the authentication channel for applications using LDAP bind to authenticate users without introducing the overhead of configuring secure LDAP (LDAPS). The LDAP proxy is installed by the vasproxy package.

NIS proxy

A background process that acts as a NIS server which can provide backwards compatibility with existing NIS infrastructure. The NIS proxy is installed by the vasyp package.

SDK package

The vasdev package, the Safeguard Authentication Services programming API.

Permissions matrix

The following table details the permissions required for full Safeguard Authentication Services functionality.

Table 6: Required permissions
Function Active Directory permissions Local client permissions

Safeguard Authentication Services Application Configuration: creation

Location in Active Directory with Create Container Object rights

N/A

Safeguard Authentication Services Application Configuration: changes

  • UNIX Global Settings

  • Licensing

  • Schema Attributes, including UNIX Attributes

Update permission to the containers created above (no particular permissions if you are the one who created it)

N/A

Schema optimization

Schema Administrator rights

N/A

Display Specifier Registration

Enterprise Administrator rights

N/A

Editing Users

Administrator rights

N/A

Create any group policy objects

Group Policy Creator Owners rights

N/A

RFC 2307 NIS Import Map Wizard

Location in Active Directory with Create Container Object rights (you create containers for each NIS map)

N/A

UNIX Account Import Wizard

Administrator rights (you are creating new accounts)

N/A

Logging Options

Write permissions to the file system folder where you want to create the logs

N/A

vasd daemon

The client computer object is expected to have read access to user and group attributes, which is the default.

To have Safeguard Authentication Services update the host object operating system attributes automatically, set the following rights for "SELF" on the client computer object: Write Operating System, Write operatingSystemHotfix, and Write operatingSystemServicePack.

vasd must run as root

QAS/VAS PAM module

N/A (updated by means of vasd)

Any local user

QAS/VAS NSS module

vastool nss

N/A (updated by means of vasd)

Any local user

vastool command-line tool

Depends on which vastool command is run

Any local user for most commands

vastool join

vastool unjoin

Computer creation or deletion permissions in the desired container

root

vastool configure

vastool unconfigure

N/A

root

vastool search

vastool attrs

Read permission for the desired objects (regular Active Directory user)

Any local user

vastool setattrs

Write permissions for the desired object

Any local user

vastool cache

N/A

Run as root if you want all tables including authcache

vastool create

Permissions to create new users, groups, and computers as specified

Any local user; root needed to create a new local computer

vastool delete

Permissions to delete existing users, groups, or computers as specified; permissions to remove the keytab entry for the host object created (root or write permissions in the directory and the file)

Any local user

vastool flush

The client computer object is expected to have read access to user and group attributes, which should be the default

root

vastool group add

vastool group del

Permission to modify group membership

Any local user

vastool group hasmember

Read permission for the desired objects (regular Active Directory user)

Any local user

vastool info { site | domain | domain -n | forest-root | forest-root -dn | server | acl }

N/A

Any local user

vastool info { id | domains | domains -dn | adsecurity | toconf }

Read permission for the desired objects (regular Active Directory user)

Any local user

vastool isvas

vastool inspect

vastool license

N/A

Any local user

vastool kinit

vastool klist

vastool kdestroy

Local client needs permissions to modify the keytab specified; default is the computer object, which is root.

Any local user

vastool ktutil

N/A

root if you are using the default host.keytab file

vastool list (with -l option)

Read permission for the desired objects (regular Active Directory user)

Any local user

vastool load

Permissions to create users and groups in the desired container

Any local user

vastool merge

vastool unmerge

N/A

root

vastool passwd

Regular Active Directory user

Any local user

vastool passwd <AD user>

Active Directory user with password reset permission

Any local user

vastool schema list

vastool schema detect

Regular Active Directory user

Any local user

vastool schema cache

Regular Active Directory user

root (to modify the local cache file)

vastool service list

Regular Active Directory user

Any local user

vastool service { create | delete }

Active Directory user with permission to create/delete service principals in desired container

N/A

vastool smartcard

N/A

root

vastool status

N/A

root

vastool timesync

N/A

root, if you only query the time from Active Directory, you can run as any local user

vastool user { enable | disable }

Modify permissions on the Active Directory Object

Any local user

vastool user { checkaccess | checkconflict }

N/A

Any local user

vastool user checklogin

Access to Active Directory users password

Any local user

vasgmsaupdate service

On the Windows Domain Controller, the host machine must be set to be able to access gMSA user

Service must be started as root

Encryption types

The following table details the encryption types used in Safeguard Authentication Services.

Table 7: Encryption types
Encryption types Specification Active Directory version Safeguard Authentication Services version

KERB_ENCTYPE_DES_CBC_CRC

CRC32

RFC 3961

All

All

KERB_ENCTYPE_DES_CBC_MD5

RSA-MD5

RFC 3961

All

All

KERB_ENCTYPE_RC4_HMAC_MD5

RC4-HMAC-MD5

RFC 4757

All

All

KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96

HMAC-SHA1-96-AES128

RFC 3961

Windows Server 2008 +

3.3.2+

KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96

HMAC-SHA1-96-AES256

RFC 3961

Windows Server 2008 +

3.3.2+

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating