
Safeguard Authentication Services 5.1 - Release Notes


13 October 2022, 20:38

These release notes provide information about the Safeguard Authentication Services 5.1 release. For the most recent documents and product information, see Safeguard Authentication Services - Technical Documentation.

About this release

Safeguard Authentication Services extends the capabilities of UNIX, Linux, and Mac systems to seamlessly and transparently join Active Directory and integrate Unix identities with Active Directory Windows accounts.

Safeguard Authentication Services 5.1 is a minor release that includes various bug and stability fixes. See Resolved issues for a list of fixes included in this release.

End of support notice

After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021. For definitions of support, see the Software Product Support Lifecycle Policy.

As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.

New features

New features in version 5.1

Safeguard Authentication Services now supports the following operating systems:

  • Redhat Enterprise Linux 9

The following features have been added:

  • Now [libdefaults] / default_etypes can be configured by Group Policy.

  • New Group Policy Object has been added for custom service configuration.

  • Added vasgmsaupdate service which can be used to keep gMSA keytabs up to date.

  • The DMG is notarized and stamped, so it can be installed without security warnings, even in an offline environment.

  • You can enable enhanced log mode. With enhanced log mode, all messages are written as key-value pairs. It can be enabled by setting enhanced-log-mode = true in the [vasd] section of vas.conf.

  • The Sudoers Group Policy Object now supports specifying a custom path for sudoers. When the path is changed, the old sudoers file is moved to the new location with the configurations applied. This feature requires sudo version 1.8.12 or later. For older sudo versions, the value of the option is ignored.

The following upgrades have been made:

  • SQLite has been upgraded to version 3.38.4.

  • Vascert package is now compatible with Java version 1.8 or later.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: General resolved issues in version 5.1
Resolved Issue Issue ID

Now [libdefaults] / default_etypes can be configured by Group Policy.

198285

Adding a license with Protect from Accidental Deletion checked caused the QAC to go to schemaless mode.

Previously, if any part of the QAC changed, the entire QAC was deleted and re-created. Because of this, changes to the License section may have affected the Schema section. From now on, the Schema section will be deleted and re-created only if any part of Schema was modified.

222905

Fixed the issue where vascert pulse fails on macOS due to insufficient rights to fetch identities from the certificate store.

The certstore-mac.sh script now grants the right to extract the needed identities from the certificate store for newly enrolled certificates. If no right has been granted (for certificates enrolled before the fix), the script falls back to fetching only their public part (without the private key), and attempts a certificate re-enroll instead of a renewal if the certificate is expired or close to expiration.

257242

Expired certificates caused endless certificate renewals, resulting in lots of certificates in the certificate store, which slowed down login and anything else using them.

vascert can now identify that a certificate already exists for a group policy and attempts to remove the old certificate from the certificate store on a successful re-enroll or renewal. The old certificates left behind by the issue are also cleaned up, which can result in slow performance during the first pulse (for example, login). To delete a certificate, vascert uses the previously unused delete-user-cert / delete-machine-cert API, which has changed: it now gets the SHA fingerprint of the certificate as a parameter instead of the certificate path. Custom scripts need to be updated accordingly.

258137

Creating an invalid sudoers group policy object resulted in restoring it to the default sudoers file. After the fix, the previous good version of sudoers gets restored.

292488

Added support for Redhat Enterprise Linux 9.

300172

When using LAM on AIX, passwordless login did not create home directory. After the fix it will create it.

300594

vasd could crash when a unix enabled user's userPrincipalName contained only the @domain part.

If a unix enabled user's userPrincipalName attribute value contained only the @domain part, the username part was missing (which is an invalid value) and the username-attr-name option in vas.conf was set to userPrincipalName and the lowercase-names option in vas.conf was set to true, vastool list -f user username resulted in a segmentation fault in vasd. After the fix vasd will not crash.

301115

If vastool configure selinux failed, the reason of failure was written to the console only on debug level 3 or above.

If vastool configure selinux failed, only the following message was written to the console:

Adding vasd SELinux Policy ... Failed

The reason of failure was written to the console only on debug level 3 or above. After the modification, the reason of failure will be written to the console even on debug level 0.

301253

vastool configure selinux failed on RHEL 9.

vastool configure selinux failed on RHEL 9 because it assumed that both /etc/rc.d/init.d/vasd and /etc/init.d/vasd exist. However, on RHEL 9 only the latter exists.

301254

Better support for systemd.

If systemd is running as an init system, all service management is now done through it. This fixes some issues where systemd could not track the status of the services. rc.d runlevel directory symlinks won't be created by the installer packages, because they caused install errors when the sysv compatibility package was not installed. Distributions using sysv init systems are not affected and remain supported.

301580

If a cached user has a name length longer than Solaris OS would accept, vastool status will warn about it.

Solaris can have a user name length issue. If a cached user has a name length longer than Solaris OS would accept, vastool status will warn about it.

302499

A new disk speed test has been added to vastool status.

A new test has been added to vastool status, which checks if we can write to the normal filesystem in a reasonable amount of time.

304457

ktutil was not working on FreeBSD 13.x

ktutil and vastool status showed 'libncurses.so.8 not found, required by "ktutil"' error message. The vasclnt package will now create the necessary symlinks to fix that issue.

305037

vastool configure pam has been fixed on SLES systems, now it modifies /etc/pam.d/common files correctly.

SLES has separate auth, account, password and session PAM common files. The vastool configure pam adds the session, password and auth items in the right common file.

308578

The command vastool configure sudo failed to add the line Defaults always_query_group_plugin to sudoers file if sudo's version was higher than 1.8.14.

311037

As of QAS 4.0 vastool license output has been confusing: 'Number of Licensed Unix Enabled Users' always remained zero. The confusing line has been removed.

As of QAS 4.0 there are no longer any user limits in QAS. All valid licenses allow for an unlimited number of users. However, when the license model was changed to server based the output of vastool license became confusing: the entry under 'Number of Licensed Unix Enabled Users' always remained zero. The confusing line has been removed.

311610

install.sh now calls dnf to install RPM packages on RPM based Linux distributions and zypper on SuSE to ensure dependencies are also installed.

313569

Windows 10 and Windows 11 have been added to the Supported Windows Platform list.

314172

AIX vasclnt packages now contain 64 bit sudo modules (libsudo_vas64.so).

64-bit versions of the sudo modules were added for use instead of the default 32-bit modules; they use the /opt/quest/lib/libsudo_vas64.so path instead of the default /opt/quest/lib/libsudo_vas.so.

317769
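
For issue 301115 in the table above, a directory-side check that flags users whose userPrincipalName has an empty username part, so the invalid values can be corrected in Active Directory. This is an added example, not One Identity code; it assumes an LDIF-style export, treats an entry with uidNumber as Unix-enabled, and uses constructed sample data.

```python
import base64

# Constructed sample export; all names and the domain are made up.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Unix,DC=example,DC=com
userPrincipalName: alice@example.com
uidNumber: 10001

dn: CN=svc-batch,OU=Unix,DC=example,DC=com
userPrincipalName: @example.com
uidNumber: 10002

dn: CN=bob,OU=Unix,DC=example,DC=com
userPrincipalName:: QGV4YW1wbGUuY29t
uidNumber: 10003

dn: CN=carol,OU=Staff,DC=example,DC=com
userPrincipalName: @example.com
"""

def parse_entries(ldif_text):
    """Split LDIF text into dicts of lowercased attribute -> list of values."""
    entries = []
    unfolded = ldif_text.replace("\n ", "")      # join folded continuation lines
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):            # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def upn_missing_username(upn):
    """True when nothing precedes the last '@', e.g. '@example.com'."""
    user, sep, _domain = upn.rpartition("@")
    return sep == "@" and user.strip() == ""

def find_invalid_upns(ldif_text):
    """Return (dn, upn) for Unix-enabled entries with a username-less UPN."""
    hits = []
    for entry in parse_entries(ldif_text):
        if "uidnumber" not in entry:             # assumption: marks Unix-enabled
            continue
        for upn in entry.get("userprincipalname", []):
            if upn_missing_username(upn):
                hits.append((entry.get("dn", ["?"])[0], upn))
    return hits
```
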

Supported platforms

The following table provides a list of supported Unix and Linux platforms for Safeguard Authentication Services.

CAUTION: In Safeguard Authentication Services version 5.1, support for the following Linux platforms and architectures has been deprecated:

  • Linux platforms

    • CentOS Linux 5

    • Oracle Enterprise (OEL) Linux 5

    • Red Hat Enterprise Linux (RHEL) 5

    • Suse Linux Enterprise (SLES) 11

  • Linux architectures

    • IA-64

    • s390

Make sure that you prepare your system for an upgrade to a supported Linux platform and architecture, so that you can upgrade to Safeguard Authentication Services version 5.1 when it is released.

Table 2: Unix agent: Supported platforms

| Platform | Version | Architecture |
|---|---|---|
| Alma Linux | 8, 9 | x86_64, AARCH64, PPC64le |
| Amazon Linux | AMI, 2, AL2022 | x86_64 |
| Apple MacOS | 10.15, 11.x, 12.x, 13.x | x86_64, ARM64 |
| CentOS Linux | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| CentOS Stream | 8, 9 | x86_64 |
| Debian | Current supported releases | x86_64, x86, AARCH64 |
| Fedora Linux | Current supported releases | x86_64, x86, AARCH64 |
| FreeBSD | 12.x, 13.x | x32, x64 |
| HP-UX | 11.31 | PA, IA-64 |
| IBM AIX | 6.1 TL9, 7.1 TL3, TL4, TL5, 7.2, 7.3 | Power 4+ |
| OpenSuSE | Current supported releases | x86_64, x86, AARCH64 |
| Oracle Enterprise Linux (OEL) | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Oracle Solaris | 10 8/11 (Update 10), 11.x | SPARC, x64 |
| Red Hat Enterprise Linux (RHEL) | 6, 7, 8, 9 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Rocky Linux | 8, 9 | x86_64, AARCH64 |
| SuSE Linux Enterprise Server (SLES)/Workstation | 12, 15 | Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
| Ubuntu | Current supported releases | x86_64, x86, AARCH64 |
