
Re: domain trust not working all the time



 

I'm sorry I did not get an update on this thread.

 

I'm not sure I understand, are you saying that the issue went away or not?

If the issue has not been resolved, then we need to debug.  Are you a commercial customer?

 

And yes, I was looking at an earlier version of the RELNOTES and gave you inaccurate information.

The credential cache is renewed when the cache.flush.interval is hit or when there's a negative response;  restarting the client does not imply an automatic flush.

 

Can you please provide the de-identified output of the domain map?  (adinfo -y domain)

Can you provide the output of adinfo -y health?

 

Thanks!!

 

 

R.P


Re: domain trust not working all the time



I'm sorry I did not get an update on this thread.

 

No problem.

 

I'm not sure I understand, are you saying that the issue went away or not?

 

The adflush fixed the problem, not the centrify update.

 

If the issue has not been resolved, then we need to debug. 

 

I found another system that has the same behaviour.

 

Are you a commercial customer?

 

No, using centrify express.

 

The credential cache is renewed when the cache.flush.interval is hit or when there's a negative response;  restarting the client does not imply an automatic flush.

 

Ok, good to know.

 

Can you please provide the de-identified output of the domain map?  (adinfo -y domain)

 

# adinfo -y domain
System Diagnostic
========Domain info map========
DC=domain2,DC=lan
    CN              = DOMAIN2.LAN
    SID             = S-1-5-21-2808170103-917183174-659996841
    TRUST_ATTRS     = 0x20
    TRUST_DIRECTION = 3
    TRUST_TYPE      = 2
    NTLM NAME       = DOMAIN2
    LOCAL FOREST    = YES
CN=domain1.lan,CN=System,DC=domain2,DC=lan
    CN              = DOMAIN1.LAN
    SID             = S-1-5-21-3214971259-2964318432-211451886
    TRUST_ATTRS     = 0x8
    TRUST_DIRECTION = 3
    TRUST_TYPE      = 2
    NTLM NAME       = DOMAIN1
    LOCAL FOREST    = NO

 

Can you provide the output of adinfo -y health?

 

# adinfo -y health
System Diagnostic
===============System Health===================
        HealthStatus:   Healthy
        SubSystem:      HostAuth
        ErrCount:       1
        LastSet:        Mon Jan 30 10:05:56 2017
        LastReset:      Mon Jan 30 10:06:29 2017
        LastCode:       1019
        LastReason:     KDC refused skey: Cannot resolve network address for KDC in requested realm
        LastOperation:  Host authenticate

Thanks.

Re: domain trust not working all the time


The only thing I can suggest from the output is that you want to make sure your DNS settings are correct on all systems and that cross forest name resolution is consistent. 

 

Notice the last KDC error.

 

Although you're talking about a 2-way trust, this article outlines all the things that need to be in place for proper functionality:

 

http://community.centrify.com/t5/TechBlog/A-Primer-on-Centrify-and-Active-Directory-External-One-Way/ba-p/21327

 

[Image: trust-layer-approach.jpg]

 

P.S:  Apologies again for our responses being late.  We had an issue with the DL that lets us know if there are new threads or responses lately, but that has been resolved.
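The two diagnostic outputs posted earlier in this thread are easy to check by script, which is useful when the same symptom shows up on several hosts. What follows is an added example, not code from the thread or from Centrify: it parses constructed copies of the `adinfo -y domain` and `adinfo -y health` output shown above and reports the conditions the reply points at (a non-zero error count, the KDC name-resolution failure, and any trusted domain outside the local forest whose KDCs must therefore be resolvable in DNS). The function names and the flag/direction decoding table are mine; the numeric trust attribute and direction values are the standard AD trustedDomain meanings.

```python
"""Check Centrify adinfo diagnostics for the trust / DNS problems discussed above."""

# Constructed sample input: copies of the two outputs posted in this thread.
DOMAIN_MAP_SAMPLE = """\
System Diagnostic
========Domain info map========
DC=domain2,DC=lan
    CN              = DOMAIN2.LAN
    SID             = S-1-5-21-2808170103-917183174-659996841
    TRUST_ATTRS     = 0x20
    TRUST_DIRECTION = 3
    TRUST_TYPE      = 2
    NTLM NAME       = DOMAIN2
    LOCAL FOREST    = YES
CN=domain1.lan,CN=System,DC=domain2,DC=lan
    CN              = DOMAIN1.LAN
    SID             = S-1-5-21-3214971259-2964318432-211451886
    TRUST_ATTRS     = 0x8
    TRUST_DIRECTION = 3
    TRUST_TYPE      = 2
    NTLM NAME       = DOMAIN1
    LOCAL FOREST    = NO
"""

HEALTH_SAMPLE = """\
System Diagnostic
===============System Health===================
        HealthStatus:   Healthy
        SubSystem:      HostAuth
        ErrCount:       1
        LastSet:        Mon Jan 30 10:05:56 2017
        LastReset:      Mon Jan 30 10:06:29 2017
        LastCode:       1019
        LastReason:     KDC refused skey: Cannot resolve network address for KDC in requested realm
        LastOperation:  Host authenticate
"""

# AD trustedDomain attribute bits and direction codes (standard values, not Centrify-specific).
TRUST_ATTR_FLAGS = {0x1: "non-transitive", 0x8: "forest-transitive", 0x20: "within-forest"}
TRUST_DIRECTIONS = {"1": "inbound", "2": "outbound", "3": "two-way"}


def parse_health(text: str) -> dict:
    """Turn the 'Key:   value' lines of `adinfo -y health` into a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=") or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only (timestamps contain more)
        fields[key.strip()] = value.strip()
    return fields


def parse_domain_map(text: str) -> dict:
    """Turn `adinfo -y domain` into {domain DN: {attribute: value}}."""
    domains, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("=", "System Diagnostic", "#")):
            continue
        if not line[0].isspace():          # unindented line: a new domain entry (its DN)
            current = line.strip()
            domains[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            domains[current][key.strip()] = value.strip()
    return domains


def describe_trust(attrs: dict) -> str:
    """Human-readable summary such as 'two-way forest-transitive'."""
    direction = TRUST_DIRECTIONS.get(attrs.get("TRUST_DIRECTION", ""), "unknown-direction")
    bits = int(attrs.get("TRUST_ATTRS", "0"), 16)
    names = [name for flag, name in TRUST_ATTR_FLAGS.items() if bits & flag]
    return " ".join([direction] + names)


def assess(health: dict, domains: dict) -> list:
    """Return a list of findings; an empty list means nothing looks wrong."""
    findings = []
    if health.get("HealthStatus") != "Healthy":
        findings.append(f"adclient health is {health.get('HealthStatus')!r}")
    try:
        errors = int(health.get("ErrCount", "0"))
    except ValueError:
        errors = 0
    reason = health.get("LastReason", "")
    if errors > 0:
        findings.append(f"{health.get('SubSystem')} logged {errors} error(s); "
                        f"last code {health.get('LastCode')}: {reason}")
    if "KDC" in reason and "resolve" in reason.lower():
        findings.append("KDC lookup failed: check the resolver configuration and "
                        "cross-forest DNS name resolution on this host")
    for dn, attrs in domains.items():
        if attrs.get("LOCAL FOREST") == "NO":
            findings.append(f"{attrs.get('CN', dn)} is reached over a {describe_trust(attrs)} "
                            f"trust; its KDCs must be resolvable in DNS from this host")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_health(HEALTH_SAMPLE), parse_domain_map(DOMAIN_MAP_SAMPLE)):
        print("-", finding)
```

On a real host you would feed the functions the live command output (for example `subprocess.run(["adinfo", "-y", "health"], capture_output=True, text=True).stdout`) and run the check from each affected system, since the DNS settings that matter are the ones on the client that logged the error.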

centrify express user principal


I've configured centrify express for AD/Linux integration. I was able to login to linux machine using windows credentials. I had setup one way trust between AD & Local MIT KDC.

 

 

[root@master2 ~]# ssh rvchinta@master2
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Kernel 2.6.32-358.el6.x86_64 on an x86_64
Password:
Last login: Sat Mar 4 07:22:34 2017 from 192.168.56.22
[rvchinta@master2 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_cdc201327698_saYNYF
Default principal: rvchinta@CHRSV.COM

Valid starting     Expires            Service principal
03/04/17 10:02:32  03/04/17 20:02:32  krbtgt/CHRSV.COM@CHRSV.COM
        renew until 03/11/17 10:02:32
[rvchinta@master2 ~]$

 

when i access hadoop components it thinks my user name is rvchinta@CHRSV.COM.

 

Any idea how to handle this? it should be rvchinta but not rvchinta@CHRSV.COM.

 

thanks

Re: centrify express user principal



 

Welcome to the Centrify Express forums.

 

Moderation Notice:  When posting to the forums always make sure you include the type and version of your UNIX, Linux or Mac Platform as well as the version of adclient you're using (adinfo -v).

 

Several things to note:

 

  • Each Hadoop distribution has its own implementation path.  For information, please review the Centrify integration documentation for Cloudera, Hortonworks or MapR
  • You're using Centrify Express;  this freemium version does not support AD one-way trusts.

 

Now to your question.

 

Note the Kerberos ticket cache file name:  /tmp/krb5cc_cdc201327698_saYNYF  (the cdc means Centrify DirectControl); this means that your system has been automatically configured to work with your AD Kerberos realm.  In order for you to work with multiple configurations, you need to follow the guidance from this post:

 

http://community.centrify.com/t5/TechBlog/HOWTO-Use-Centrify-in-Mixed-Kerberos-Environments/ba-p/21326

 

Hopefully you'll understand that there's an assumption that your realm will be AD, but that you can use both configuration (joined to AD and using a MIT Kerberos as well) by redirecting the location of the krb5.conf file to an alternative location; this way the system can be joined to both realms.

 

HOWEVER;  why would you stand-up an independent MIT Kerberos if with Centrify software you can make your Hadoop deployment work with AD?  Less complexity, easier path from test to production.

 

This is a non-trivial task and my advice is that you use Centrify Standard Edition + our Award-winning PS if this a commercial organization.

 

R.P

Re: centrify express user principal

I was able to resolve this issue by myself by adding RULE:[1:$1@$0](.*@CHRSV.COM)s/@.*// in hadoop.seucirty.auth.local in hdfs.
thanks for taking time and responding to my post.
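The rule posted above is a Hadoop auth_to_local mapping: the principal is rendered with the `[1:$1@$0]` format (one component, `$1` is the user, `$0` the realm), tested against the regex in parentheses, and the sed expression strips the realm. The following is an added example, not code from the poster or from Hadoop: a small interpreter for that documented rule grammar, so the effect of a rule can be checked offline before it is deployed. The function names are mine, and the default realm `HADOOP.LOCAL` is a constructed placeholder. It also shows a caveat worth knowing: in the posted rule the dot in `CHRSV.COM` is an unescaped regex metacharacter, so the rule also accepts principals from any realm that merely looks like `CHRSV?COM`; escaping it (`CHRSV\.COM`) keeps the mapping limited to the intended realm.

```python
"""Interpreter for Hadoop-style auth_to_local rules (added example, not Hadoop's own code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Documented grammar: RULE:[n:format](regex)s/pattern/replacement/g
# The (regex) part and the s/// part are each optional.
RULE_SYNTAX = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$"
)


@dataclass
class Rule:
    num_components: int          # rule applies only to principals with this many components
    fmt: str                     # e.g. "$1@$0": $0 = realm, $1..$n = name components
    match: Optional[re.Pattern]  # the formatted string must fully match this, if given
    sed_from: Optional[re.Pattern]
    sed_to: str
    repeat: bool                 # trailing "g": replace every occurrence


def parse_rule(text: str) -> Rule:
    m = RULE_SYNTAX.match(text.strip())
    if not m:
        raise ValueError(f"malformed rule: {text!r}")
    n, fmt, regex, sed_from, sed_to, g = m.groups()
    return Rule(
        int(n),
        fmt,
        re.compile(regex) if regex is not None else None,
        re.compile(sed_from) if sed_from is not None else None,
        sed_to or "",
        g == "g",
    )


def split_principal(principal: str, default_realm: str):
    """'nn/host.example.com@REALM' -> (['nn', 'host.example.com'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:                      # no realm given: assume the default realm
        name, realm = principal, default_realm
    return name.split("/"), realm


def to_local(principal: str, rules, default_realm: str) -> str:
    """Map a Kerberos principal to a short user name using the first matching rule."""
    components, realm = split_principal(principal, default_realm)
    for raw in rules:
        if raw.strip() == "DEFAULT":     # built-in rule: strip the realm if it is the default one
            if realm == default_realm:
                return components[0]
            continue
        rule = parse_rule(raw)
        if rule.num_components != len(components):
            continue

        def expand(mo):                  # $0 -> realm, $i -> i-th component
            i = int(mo.group(1))
            if i == 0:
                return realm
            if i > len(components):
                raise ValueError(f"rule {raw!r} references ${i} but principal has {len(components)} components")
            return components[i - 1]

        formatted = re.sub(r"\$(\d)", expand, rule.fmt)
        if rule.match and not rule.match.fullmatch(formatted):
            continue
        result = formatted
        if rule.sed_from:
            result = rule.sed_from.sub(rule.sed_to, formatted, count=0 if rule.repeat else 1)
        # A result still carrying a realm or instance is not a usable local user name.
        if "@" in result or "/" in result:
            raise ValueError(f"rule {raw!r} produced non-simple name {result!r}")
        return result
    raise ValueError(f"no auth_to_local rule matches {principal!r}")


# Constructed rule sets: the one posted above, and the same rule with the realm's dot escaped.
POSTED_RULES = ["RULE:[1:$1@$0](.*@CHRSV.COM)s/@.*//", "DEFAULT"]
ANCHORED_RULES = ["RULE:[1:$1@$0](.*@CHRSV\\.COM)s/@.*//", "DEFAULT"]

if __name__ == "__main__":
    print(to_local("rvchinta@CHRSV.COM", POSTED_RULES, "HADOOP.LOCAL"))   # rvchinta
```

Besides mapping the posted principal, the interpreter makes two behaviours visible: principals whose realm is neither the one named in the rule nor the cluster's default realm (the MIT KDC's realm in the poster's set-up) are rejected rather than silently mapped, and a two-component service principal such as `nn/host@REALM` is skipped by a `[1:...]` rule, so a separate `[2:...]` rule is needed for services.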


linux joined domain but username saved as number


We have ubunto 16.04 , we could join Domain using centrify express .

When I went to gdm windows  ,  users could authenticate  correctly .but some usernames appeared as numbers not names.

 

Example;

 

after joining the domain  , I went to gdm windows to let users authenticate

 

username : john

Password :  xxxxxxx

 

John could authenticate ,but his name appeared as  6400 ,and saved  his home directory  with 6400

 

 

Kindly advise.


OATH Hardware Token for Multi-factor authentication

Re: linux joined domain but username saved as number

Ubuntu 16.04 , sorry for mistyping

Re: linux joined domain but username saved as number



 

Welcome to the Centrify Express forum.

 

Can you please let me know what is the Centrify Express (DirectControl) version?

In a terminal, type adinfo -v

 

In addition, can you please show me the output of:

a) John exists as a local user in the /etc/passwd file

grep john /etc/passwd

b) What is the identity being generated?

adquery user john

 

Thanks,

 

R.P

AD group is not synced to O365


Hello Centrify experts,

  

We use AD groups to provide O365 licenses to our users. I mean that in Centrify Admin Portal – Roles – Office 365 – Members page I put an AD group, not individual users. It usually works fine but yesterday I got strange issue with this. Some users were unable to login to their O365 apps. O365 portal shows those users as ‘unlicensed’… Looks like AD group is not synced to O365 anymore. I have quickly fixed it by manually adding individual users to Centrify Admin Portal – Roles – Office 365 – Members page.

 

How can I troubleshoot this issue?

 

Thanks for your help.

Re: macOS Sierra 10.12.2 DOD CAC Access Issues


Was there any resolution to this issue? I have a Sierra Macbook that we just imaged that is having the same exact issues.

Re: macOS Sierra 10.12.2 DOD CAC Access Issues


Hi dciciora,

 

Welcome to Centrify.

 

We are waiting for a diagnostic log to understand better what the issue is and how to solve it. If you are seeing the same, could you refer to Ivan's comment above and collect us a set of diagnostic log? Please also help to provide the type of card and the version of smartcard assistant that you are using. Thank you!

 

Best Regards,

Albert

Re: AD group is not synced to O365


 Hello  and welcome back to the Centrify Community...

 

We recently implemented a change which prevents use of Domain local or Distribution groups for Role use. Could it be the group you are using is a Domain local? This would have continued to work, if so, despite us no longer allowing these types of groups to be selected when choosing to add a member to the role, up until a few days ago.

 

Please check the group you are referring to and if a domain local or a distribution group, please convert it. 

 

This KB not only explains the changes, why and when they were made, but also how to correct it. 

 

https://centrify.force.com/support/Article/KB-6906-How-to-convert-a-distribution-group-to-a-security-group

 

Please let me know if this does not help, and we may need to dig deeper (perhaps open a Support case if possible?)

 

I hope this is a quick fix for you.

 

Have a great weekend!!

 

Ryan V. 


Re: macOS Sierra 10.12.2 DOD CAC Access Issues


I have the logs, but where do I upload them too? Or do I just paste it here?

 

I am using a DoD Military CAC, GEMALTO DLGX4-A.

 

I am using CentrifyDC 5.4, and whatever smart card assistant goes with it.

Not able to login to my unix machine via AD id


Hi Team,

 

I am new to Centrify; it's my first time using Centrify.

I have configured Centrify Express in my cluster and integrated it with AD. I am not able to log in to only one server with an AD user, though I am able to log in to the other servers with the Centrify agent installed.

So can someone please help me figure out this issue. Thanks in advance.

 

Thanks

Saurabh 

Re: Not able to login to my unix machine via AD id


Also I checked adclient and found it not running. 

 

[root@m2 ~]# /etc/init.d/centrifydc status
Centrify DirectControl is stopped
[root@m2 ~]# /etc/init.d/centrifydc start
Starting Centrify DirectControl:
  Failed: machine is not joined.

 

So can anyone help me why I am not able to start it. 

 

Re: Not able to login to my unix machine via AD id



 

Welcome to the Centrify Express forums.

I moved the thread to the appropriate forum since Server Suite forums is for users of the commercial versions.

 

Please note that for us to be able to give you the help you need, we need to know 3 basic pieces of information:

a) Are you running Express or commercial?  (Express)

b) What is the Operating System and version  (e.g. Red Hat Enterprise Linux 7.2)

c) What is the version of Centrify you're running  (you can run the "adinfo -v" command to see this).  The current supported community version is 5.4.x

 

Please understand the following basic concepts.

 

a) Centrify Express for UNIX/Linux allows ALL AD users to log in to the systems.

b) Installing the software alone does not do the job, you have to join Active Directory like you would a Windows system.  This means that you have to provide the credentials of a user with the proper rights to do this.

c) Once you join successfully, the client will be active and running; however, if you had any local users (e.g. /etc/passwd) that are named the same as AD users, you have to consolidate them.  If you try to log in, you have to supply the AD password instead.

 

 

That being said, it seems you have successfully installed the client, but you have NOT joined AD.

 

To join AD, you need to run the adjoin command (as root or with sudo) and supply the credentials of an AD user that is authorized to join systems in the target OU.

 

For example, if I want to join  in express/workstation mode (-w) the domain called corp.contoso.com with the user (-u) called fred with verbose (-V) output, and I have privileges via sudo I would run:

 

$ sudo adjoin -w -u fred -V corp.contoso.com

 

This command will prompt you for your sudo password, and then for fred@CORP.CONTOSO.COM's password.  Provided that Fred can join systems to the default Computers container, you'll be fine.

 

For more information about adjoin, please review the man page or the Cheat Sheet below.

 

If you are new to Centrify, here are a few resources:

Centrify Express Documentation:  https://docs.centrify.com/en/css/suite2016/centrify-express-unix-agent-guide.pdf

Centrify commands cheat sheet:  http://community.centrify.com/t5/TechBlog/TIPS-A-Centrify-Server-Suite-Cheat-Sheet/ba-p/22568

My personal blog:  http://centrifying.blogspot.com/search/label/Start%20Here

 

R.P

Re: Not able to login to my unix machine via AD id


Hi ;

 

Thanks for your help, I have resolved the issue by adding client to domain manually.

Also please find the following command output or result of the adjoin command. But I still have one quick question: when I installed the agent via the DirectManager console, why was it not added to the domain only on this server, how was it added to the other servers, and why did I not get any error during the deployment steps?

 

a) Are you running Express or commercial?  (Express)

Answer:  Yes I am using Express version. 

 

b) What is the Operating System and version  (e.g. Red Hat Enterprise Linux 7.2)

Answer : I am on centos 6 OS. 

c) What is the version of Centrify you're running  (you can run the "adinfo -v" command to see this).  The current supported community version is 5.4.x

Answer: I am using adinfo (CentrifyDC 5.4.0-286). 

 

 

[root@m2 ~]# adjoin -w -u saurkuma -V ad.com
saurkuma@AD.COM's password:
Options
-------
Precreate: no
Compatible with 2.x/3.x: no
Enable Apple Scheme to generate UID/GID: no
domain: ad.com
user: saurkuma@AD.COM
container: null
computer name: m2
Pre-Windows 2000 name: m2
DNS Host Name used for dNSHostName attr: null
zone: Auto Zone
server: null
zoneserver: null
gc: null
upn: null
noconf: no
set time: yes
force: no
forceDeleteObj: no
trust: no
des: no
self-serve: no
use ldap to create computer object: no
license type: null

Setting time
Using settings from previous join (under previous dir) to same domain
Initializing domain settings file to ad.com
Attempting bind to ad.com(site:) as saurkuma@AD.COM on any server
Using domain controller: adserver.ad.com writable=true
Initializing forest settings file to AD.COM
Using global catalog server: adserver.ad.com
Search for object by samName: filter=(samAccountName=m2$) root=DC=ad,DC=com
Found existing computer object: CN=m2,CN=Computers,DC=ad,DC=com
Using cn=computers,dc=ad,dc=com container for computer object
Saving zone settings
Zone name:    DC=ad,DC=com
Zone version:
Zone schema:  NULL_AUTO
Zone GUID:    00112233445566778899aabbccddeeff
Searching for SPNs in GC...
Update Computer's Security Descriptor to allow computer object to read/write
operating system and operating system version properties as well as reset password.
Looking for ntSecurityDescriptor for object CN=m2,CN=Computers,DC=ad,DC=com ....
Checking if the required permissions exist.
Unset "Trust for delegation" bit.
Unset "Use Des Key Only" bit.
Set operatingSystemVersion to "6.1:6.6", so that KDC will issue service ticket using AES enctypes.
Update OS information.  This requires computer object update rights...
Update OS information succeeded
Update Encryption Types
Setting machine password...
Setting get init cred callback before set password (rc=0).
Password change succeeded
Samba interoperability is disabled in centrifydc.conf: Skipped synchronizing machine password with Samba
Save kerberos join data...
Using Win 2003 key version 5
Writing kerberos keytab
Updating settings files
Join to domain:ad.com, zone:Auto Zone successful
Starting daemon

Centrify DirectControl started.
Waiting for adclient to startup ......
Adclient startup completed!
Loading domains and trusts information

Initializing cache
.
You have successfully joined the Active Directory domain: ad.com
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.  Failure to do so may result in
login problems for AD users.

Removing directory '/var/centrifydc/previous'
[root@m2 ~]# /etc/init.d/centrify
centrifyda     centrifydc     centrify-kcm   centrify-sshd 
[root@m2 ~]# /etc/init.d/centrifyd
centrifyda  centrifydc 
[root@m2 ~]# /etc/init.d/centrifyd
centrifyda  centrifydc 
[root@m2 ~]# /etc/init.d/centrifydc status
Centrify DirectControl (pid 10185) is running...
