Safeguard Authentication Services 5.1
Release Notes
13 October 2022, 20:38
These release notes provide information about the Safeguard Authentication Services 5.1 release. For the most recent documents and product information, see Safeguard Authentication Services - Technical Documentation.
About this release
Safeguard Authentication Services extends the capabilities of UNIX, Linux, and Mac systems to seamlessly and transparently join Active Directory and integrate Unix identities with Active Directory Windows accounts.
Safeguard Authentication Services 5.1 is a minor release that includes various bug and stability fixes. See Resolved issues for a list of fixes included in this release.
End of support notice
After careful consideration, One Identity has decided to cease the development of the Management Console for Unix (MCU). Therefore, the MCU will enter limited support for all versions on April 1, 2021. Support for all versions will reach end of life on Nov 1, 2021. For definitions of support, see the Software Product Support Lifecycle Policy.
As One Identity retires the MCU, we are building its feature set into modern platforms starting with Software Distribution and Profiling. Customers that use the MCU to deploy Authentication Services and Safeguard for Sudo can now use our Ansible collections for those products, which can be found at Ansible Galaxy.
New features in version 5.1
Safeguard Authentication Services now supports the following operating systems:
The following features have been added:
-
Now [libdefaults] / default_etypes can be configured by Group Policy.
-
New Group Policy Object has been added for custom service configuration.
-
Added vasgmsaupdate service which can be used to keep gMSA keytabs up to date.
-
DMG is notarized and stamped, it can be installed without security warnings even in an offline environment.
-
You can enable enhanced log mode. With enhanced log mode, all messages are written as key-value pairs. It can be enabled by setting the enhanced-log-mode = true in the [vasd] section of vas.conf.
-
Sudoers Group Policy Object now supports specifying custom path for sudoers. When changing the path, the old sudoers is moved to the new place with configurations applied. This feature requires sudo version 1.8.12 or later. For older sudo versions the value of the option is ignored.
The following upgrades have been made:
The following is a list of issues addressed in this release.
Table 1: General resolved issues in version 5.1
|
Now [libdefaults] / default_etypes can be configured by Group Policy. |
198285 |
|
Adding a license with Protect from Accidental Deletion checked caused the QAC to go to schemaless mode.
So far, the program has worked like this: if any part of the QAC changed, the entire QAC was deleted and re-created. Because of this, changes to the License section may have affected the Schema section. From now on, the Schema section will be deleted and re-created on if any part of Schema was modified. |
222905 |
|
Fixed the issue where vascert pulse fails on macOS due to insufficient rights to fetch identites from the certificate store.
The certstore-mac.sh script now gives right to extract the needed identities from the certificate store for newly enrolled certificates. If there is no right given (for certificates enrolled before the fix), the script falls back to fetching their public part only (without the private key), and attempta certificate re-enroll instead of renewal if it is expired or close to expiration. |
257242 |
|
Expired certificates caused endless certificate renewals resulting in lots of certificates in the certificate store slowing down login and anything using them.
vascert can now identify that a certificate already exists for a group policy and attempts to remove the old certificate from the certificate store on a successful re-enroll or renewal. The list of old certificates caused by the issue are also cleaned up, which can result in slow performance during the first pulse (for example, login). For deleting a certificate, vascert uses the previously unused API delete-user-cert / delete-machine-cert have changed: they get the SHA fingerprint of the certificate as a parameter instead of the certificate path. In case of using custom scripts, they need to be updated accordingly. |
258137 |
|
Creating an invalid sudoers group policy object resulted in restoring it to the default sudoers file. After the fix, the previous good version of sudoers gets restored. |
292488 |
|
Added support for Redhat Enterprise Linux 9. |
300172 |
|
When using LAM on AIX, passwordless login did not create home directory. After the fix it will create it. |
300594 |
|
vasd could crash when a unix enabled user's userPrincipalName contained only the @domain part.
If a unix enabled user's userPrincipalName attribute value contained only the @domain part, the username part was missing (which is an invalid value) and the username-attr-name option in vas.conf was set to userPrincipalName and the lowercase-names option in vas.conf was set to true, vastool list -f user username resulted in a segmentation fault in vasd. After the fix vasd will not crash. |
301115 |
|
If vastool configure selinux failed, the reason of failure was written to the console only on debug level 3 or above.
If vastool configure selinux failed, only the following message was written to the console: Adding vasd SELinux Policy ... Failed
The reason of failure was written to the console only on debug level 3 or above. After the modification, the reason of failure will be written to the console even on debug level 0. |
301253 |
|
vastool configure selinux failed on RHEL 9.
vastool configure selinux failed on RHEL 9 because it assumed that both /etc/rc.d/init.d/vasd and /etc/init.d/vasd exist. However, on RHEL 9 only the latter exists. |
301254 |
|
Better support for systemd.
If systemd is running as an init system, all service management is now done through it. This fixes some issues when systemd could not track the status of the services. rc.d runlevel directory symlinks won't be created by the installer packages, because they caused install errors when the sysv compatibility package was not installed. Distributions using sysv init systems are not effected and remain supported. |
301580 |
|
If a cached user has a name length longer than Solaris OS would accept, vastool status will warn about it.
Solaris can have a user name length issue. If a cached user has a name length longer than Solaris OS would accept, vastool status will warn about it. |
302499 |
|
A new disk speed test has been added to vastool status.
A new test has been added to vastool status, which checks if we can write to the normal filesystem in a reasonable amount of time. |
304457 |
|
ktutil was not working on FreeBSD 13.x
ktutil and vastool status showed 'libncurses.so.8 not found, required by "ktutil"' error message. The vasclnt package will now create the necessary symlinks to fix that issue. |
305037 |
|
vastool configure pam has been fixed on SLES systems, now it modifies /etc/pam.d/common files correctly.
SLES has separate auth, account, password and session PAM common files. The vastool configure pam adds the session, password and auth items in the right common file. |
308578 |
|
The command vastool configure sudo failed to add the line Defaults always_query_group_plugin to sudoers file if sudo's version was higher than 1.8.14. |
311037 |
|
As of QAS 4.0 vastool license output has been confusing: 'Number of Licensed Unix Enabled Users' always remained zero. The confusing line has been removed.
As of QAS 4.0 there are no longer any user limits in QAS. All valid licenses allow for an unlimited number of users. However, when the license model was changed to server based the output of vastool license became confusing: the entry under 'Number of Licensed Unix Enabled Users' always remained zero. The confusing line has been removed. |
311610 |
|
install.sh now calls dnf to install RPM packages on RPM based Linux distributions and zypper on SuSE to ensure dependencies are also installed. |
313569 |
|
Windows 10 and Windows 11 have been added to the Supported Windows Platfrom list. |
314172 |
|
AIX vasclnt packages now contain 64 bit sudo modules (libsudo_vas64.so).
64 bit versions of sudo modules were added to use them instead of the default 32 bit modules that use /opt/quest/lib/libsudo_vas64.so path instead of the default /opt/quest/lib/libsudo_vas.so. |
317769 |
The following table provides a list of supported Unix and Linux platforms for Safeguard Authentication Services.
|
|
CAUTION: In Safeguard Authentication Services version 5.1, support for the following Linux platforms and architectures has been deprecated:
-
Linux platforms
-
CentOS Linux 5
-
Oracle Enterprise (OEL) Linux 5
-
Red Hat Enterprise Linux (RHEL) 5
-
Suse Linux Enterprise (SLES) 11
-
Linux architectures
Make sure that you prepare your system for an upgrade to a supported Linux platform and architecture, so that you can upgrade to Safeguard Authentication Services version 5.1 when it is released. |
Table 2: Unix agent: Supported platforms
|
Alma Linux |
8, 9 |
x86_64, AARCH64, PPC64le |
|
Amazon Linux |
AMI, 2, AL2022 |
x86_64 |
|
Apple MacOS |
10.15, 11.x, 12.x, 13.x |
x86_64, ARM64 |
|
CentOS Linux |
6, 7, 8, 9 |
Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
|
CentOS Stream |
8, 9 |
x86_64 |
|
Debian |
Current supported releases |
x86_64, x86, AARCH64 |
|
Fedora Linux |
Current supported releases |
x86_64, x86, AARCH64 |
|
FreeBSD |
12.x, 13.x |
x32, x64 |
|
HP-UX |
11.31 |
PA, IA-64 |
|
IBM AIX |
6.1 TL9, 7.1 TL3, TL4, TL5, 7.2, 7.3 |
Power 4+ |
|
OpenSuSE |
Current supported releases |
x86_64, x86, AARCH64 |
|
Oracle Enterprise Linux (OEL) |
6, 7, 8, 9 |
Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
|
Oracle Solaris |
10 8/11 (Update 10),
11.x |
SPARC, x64 |
|
Red Hat Enterprise Linux (RHEL) |
6, 7, 8, 9 |
Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
|
Rocky Linux |
8, 9 |
x86_64, AARCH64 |
|
SuSE Linux Enterprise Server (SLES)/Workstation |
12, 15 |
Current Linux architectures: s390x, PPC64, PPC64le, x86, x86_64, AARCH64 |
|
Ubuntu |
Current supported releases |
x86_64, x86, AARCH64 |
