Use the vastool utility to perform a command line join.
At the command line, enter vastool join to join the macOS system to an Active Directory domain.
Use the vastool utility to perform a command line join.
At the command line, enter vastool join to join the macOS system to an Active Directory domain.
You can access the same functionality that is available through the QAS Join application using the Safeguard Authentication Services command line utilities.
There are two ways to join your macOS system to an Active Directory domain:
Run the vasjoin.sh script.
$ sudo /opt/quest/libexec/vas/scripts/vasjoin.sh
This script prompts you for information needed to perform the join operation without requiring you to know the syntax of the vastool join command.
Run the vastool join command.
$ sudo /opt/quest/bin/vastool -u Administrator join -f example.com
To leave an Active Directory domain from a Terminal session, use the vastool unjoin command.
Note: For more information about the vastool join or vastool unjoin commands, see the vastool man page located in the docs directory of the installation media.
When joining an Active Directory domain, Safeguard Authentication Services automatically modifies the following system configurations:
Safeguard Authentication Services is added to the DirectoryService search path.
The Safeguard Authentication Services startup items are configured to start up automatically
The system Kerberos configuration file is configured to use the Active Directory servers that Safeguard Authentication Services detects.
Group Policies configured for the macOS system are applied by the Group Policy components if they are installed.
Once you have successfully completed the Safeguard Authentication Services join process, you are immediately able to log in to the macOS system through the macOS Login Window.
When leaving a domain, the Safeguard Authentication Services unjoin process reverts the above changes that were made by the Safeguard Authentication Services join process. Also, uninstalling Safeguard Authentication Services automatically reverts the above changes as well.
TIP: You can rejoin on top of existing computer accounts created with the macOS Active Directory plugin by default using the Safeguard Authentication Services Active Directory plugin. However, One Identity recommends disabling the macOS Active Directory plugin so that the domain will not appear in the Directory Servers window as not responding.
It is important to verify that your system is configured correctly to use the Active Directory account information provided by Safeguard Authentication Services.
To verify the Safeguard Authentication Services installation and configuration
Run the following shell commands.
To show a list of the available Unix-enabled Active Directory users, enter:
dscl /VAS list /Users
To show a list of the available Unix-enabled Active Directory groups, enter:
dscl /VAS list /Groups
To ensure that the system can read user information for Safeguard Authentication Services users, enter:
dscl /Search read /Users/<Username>
where <Username> is the username of a Safeguard Authentication Services user.
To perform an authentication for a Safeguard Authentication Services user, enter:
dscl /Search auth <Username>
where <Username> is the username of a Safeguard Authentication Services user.
If any of the previous commands do not work, capture debug information from the Safeguard Authentication Services Directory Service plugin.
Add the following items to the vas.conf [vas_macos] section:
[vas_macos] dslog-mode = /Library/Logs/vasds.log dslog-components = all
After adding those items, run the following shell command in a Terminal session to trigger the Safeguard Authentication Services Directory Services Plugin to reload its logger configuration:
$ sudo /opt/quest/libexec/vas/macos/vasdsreload
Run the previous verification commands that failed and send the contents of /Library/Logs/vasds.log to One Identity Support who will assist in resolving the problems.
© ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center