Channel: All Centrify Express posts

CentrifyDC Mode Down


Hello

 

After installing Centrify 5.4 for Debian 8.7, everything looks to be OK. Once I restart, I am unable to log in with domain accounts. Logging in with a local account, I notice that CentrifyDC mode is down. This is not the case after the initial install; it only happens after a restart. It takes like 5 mins for the CentrifyDC mode to change to connected, then I can log in with the AD users.

 

Just when I boot the PC:

 

adinfo
Local host name: user
Joined to domain: domain.local
Joined as: user.domain.local
Pre-win2K name: user
Current DC: serveur-active-directory.domain
Preferred site: Default-First-Site-Name
Zone: Auto Zone
CentrifyDC mode: down
Licensed Features: Disabled

 

Then after some mins of waiting:

When I type adinfo:

Joined to domain: s**.**a
Joined as: user.domain.local
Pre-win2K name: user

 

Then it takes 3 or 5 mins to show this information:

 

Current DC: serveur-active-directory.domain.local
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2017-03-22 21:51:32 CET

CentrifyDC mode: connected
Licensed Features: Disabled

 

 

I have uninstalled and reinstalled Centrify, and still the same issue.

I clarified that there are no network issues, and dns is operating correctly.

I receive no error when joining the domain.

 

 

Any help would be greatly appreciated.

 


adbindproxy not working


Hello

 

Today I installed the latest CentOS 7 and the latest Centrify Express. I then installed the latest adbindproxy using the link below:

 

http://community.centrify.com/t5/TechBlog/Server-Suite-2016-Samba-with-adbindproxy/ba-p/24052

 

I am able to browse to the samba-test share that was created during the above link through Windows Explorer. However, when I double-click to try to enter the share I get a message stating I do not have permissions.

 

My smb.conf is as follows. It's pretty much the default file and any modifications were done during the installation of adbindproxy.

Thanks

#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
security = ADS
realm = BANDS.BROTHERSANDSISTERS.CO.UK
workgroup = BANDS
netbios name = bass11

auth methods = guest, sam, winbind, ntdomain
machine password timeout = 0
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab


#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
# client use spnego principal = true

#
# Setting send spnego principal to yes .
# Otherwise, it will not send this principal between Samba and Windows 2008
#
# send spnego principal = Yes

# If your Samba server only serves to Windows systems, try server signing = mandatory.
server signing = auto

client ntlmv2 auth = yes
client use spnego = yes


template shell = /bin/bash

winbind use default domain = Yes

winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes

idmap cache time = 0

# ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable Logging to syslog, and only write log to Samba standard log files.
#syslog = 0

[samba-test]
path = /samba-test
public = yes

# if set public = No, we should set parameter valid users .
# and when the user or group is in AD , the setting syntaxes is:
# valid users = BANDS\user +BANDS\group

writable = yes

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775

Re: adbindproxy not working


What are the filesystem permissions on /samba-test?

Re: CentrifyDC Mode Down


In the previous output that you posted  (now deleted), adinfo --diag showed many environmental issues around DNS and unreachable Domain controllers.  Have those been fixed?

 

Also, is this a very large AD environment? Remember that the Express method (Auto Zone) does have limits; the behaviour you are describing sounds like adclient is taking time to build the cache, which is expected if you have a large environment; that is why for commercial organizations, Standard Edition is the way to go.

Re: macOS Sierra 10.12.2 DOD CAC Access Issues


I found this Apple developer forum post that seems to solve my issues:

 

https://forums.developer.apple.com/thread/63476

 

The workaround in this post disables Apple's CryptoTokenKey PIV support which was conflicting with Centrify's tokend support when using Chrome/Safari vs. Outlook. The former preferred the CTK, the latter tokend. Both cannot be used simultaneously since they require exclusive access to the card. Disabling CTK pivtoken allows Chrome/Safari to fall back to using Centrify's tokend support.

Re: adbindproxy not working

Hi Robertson

The current permissions are as below, thanks


[root@BASS11 ~]# getfacl /samba-test/
getfacl: Removing leading '/' from absolute path names
# file: samba-test/
# owner: root
# group: sec-users
user::rwx
group::rwx
group:sec-users:rwx
mask::rwx
other::---

Re: adbindproxy not working


Looks like share permissions (public) are inconsistent with filesystem permissions.

 

Is the AD user in question (accessing from Windows) part of sec-users?

Can you run "adquery group sec-users" and paste the output? 

If there's no output or you get (sec-users is not a zone group), then if it's local (/etc/group), then the AD user must be part of that group.

 

Retest by logging off/back in and trying to map the drive by short name or FQDN.
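
Added example (not part of the thread and not Centrify or Samba code): a small Python check for the mismatch raised in the reply above, where a share is marked "public = yes" while the directory's mode gives "other" no access. It assumes the Samba guest account is neither the owner nor a member of the owning group, ignores named ACL entries, and uses a hypothetical mode_of hook so the constructed sample runs offline.

```python
import stat

# Constructed sample: share definitions from the smb.conf in this thread, trimmed.
SAMPLE_CONF = """\
[global]
security = ADS
[samba-test]
path = /samba-test
public = yes
writable = yes
[homes]
valid users = %S, %D%w%S
browseable = No
"""

TRUE_VALUES = {"yes", "true", "1"}
NEEDED = stat.S_IROTH | stat.S_IXOTH  # "other" needs r-x to list and enter a directory


def parse_shares(text):
    """Parse smb.conf-style text into {section: {option: value}} (names lower-cased)."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return shares


def guest_mismatches(text, mode_of):
    """List (share, path, mode) where guest access is on but 'other' lacks r-x.
    mode_of(path) returns st_mode; on a real host pass lambda p: os.stat(p).st_mode.
    Assumption: the guest account is neither owner nor in the owning group.
    """
    findings = []
    for name, opts in parse_shares(text).items():
        # "public" is a synonym for "guest ok" in smb.conf.
        guest = opts.get("public", opts.get("guest ok", "no")).lower() in TRUE_VALUES
        path = opts.get("path")
        if name == "global" or not guest or not path:
            continue
        mode = mode_of(path)
        if (mode & NEEDED) != NEEDED:
            findings.append((name, path, stat.filemode(mode)))
    return findings
```

With the mode shown by getfacl in this thread (rwxrwx--- on a directory, i.e. 0o40770), the check flags samba-test; authenticated users are still governed by the group and ACL entries, which this check does not evaluate.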

Re: adbindproxy not working

Hi Robertson

Yes, the AD user is part of sec-users. Below is the output. There is no FQDN at the moment; I will update DNS now.

Thanks

[root@BASS11 ~]# getfacl /samba-test/
getfacl: Removing leading '/' from absolute path names
# file: samba-test/
# owner: root
# group: sec-users
user::rwx
group::rwx
group:sec-users:rwx
mask::rwx
other::---


Re: adbindproxy not working

Sorry, here is the correct output

[root@BASS11 ~]# adquery group sec-users
sec-users:x:125830770:aaron,abdul,al,alex,ali,alison,amanda,amy,andy,andy.e,anne-sophie,bands,carlos,caroline,chris,chris.g,chris.p,christian,dan,dan.f,didz,ed,editsuite1,fcp,finance_scan,freelance,gonza,hannah.w,harriet,jamie,jemma,jen,jez,jonny.h,jonty,jorge,jules,kate,katie,kevin,kirsty,lance,laura.g.e,lloyd,lois,louise,manu,marcio,mark.m,matilda,matt,max,mirry,nadine,natalie,nicola,olly,paul,phil,phoebe,rebecca,reception,rena,richard.h,robbie,rory,scan,seb,steve,tayjan,tim,toby,tom.c,tracy,wande,wayne,wds,will

Re: CentrifyDC Mode Down

Hello Robertson, I removed the unreachable DNS (used for VPN) from /etc/network/interfaces and resolv.conf; still the same problem. Also, Centrify Express is working fine on Ubuntu 14 on the same AD. What do you mean by large AD environment?

Push applications silently to DEP iOS devices in Supervised mode


Is there any way to prevent the message on iOS devices which asks users to sign in to iTunes in order to allow the device to be managed? The message reads "App Installation. Sign in to iTunes to allow "*.my.centrify.com" to manage and install apps."

 

Pre-populate password for active sync e-mail account in iOS policies


Is it possible to pre-populate the password when creating an exchange setting under policies - mobile device policies - ios settings - exchange settings?

Change URL in notification on iOS


Is it possible to change the “aaXXXXX.my.centrify.com is about to install and manage the app…” to i.e. mypreferred.my.centrify.com? I've added a custom one in settings - tenant URLs and made it default, but it doesn't change. I've also re-created the APNs and DEP certificates.

Re: Pre-populate password for active sync e-mail account in iOS policies


 

Welcome to the Centrify forums.

As far as I know, you can't do this due to the nature of the protocol (ActiveSync).

 

Alternatively, you could use certificate-based authentication.

 

However, I have not looked at this in a while (and there are newer clients and methods like derived credentials) so if any other community members want to share, we are all open to be (re)educated.

 

R.P

Re: CentrifyDC Mode Down


Re: Change URL in notification on iOS


Hello matseg! Welcome back to the Community Portal!

At the Centrify Admin Portal > Settings page, you have the option to enter a custom ‘Welcome Text’ under the Device Enrollment Options.

 

Here is where you can specify your Tenant ID alias URL (mypreferred.my.centrify.com).

However, at the installation warning prompt for Mobile Device Management, this page cannot be modified.

Hope this helps!

Kequa

Mac Sierra: CAC "The Site Cannot Be Reached" Error


Hello,

I'm trying to use my CAC to log on to .mil websites, and when I go to sign in with my CAC, pick my DOD Email CA-43 certificate and then enter my PIN, it consistently brings up an error that says

"This site can’t be reached

The webpage at https://mypay.dfas.mil/Smartcheck/SmartCheck.aspx might be temporarily down or it may have moved permanently to a new web address.

ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED"
 
 
This is on Chrome, but I've tried it on Safari as well and got the same error. I've always gotten the same error on different CAC-enabled websites, not just one. Any idea? I've made sure all my keychain stuff was downloaded from militarycac.com, I've installed this software, and it pulls up my certificates, so obviously the CAC reader is working. Not sure what the issue is.

Re: Mac Sierra: CAC "The Site Cannot Be Reached" Error


Hi MrB,

 

Thanks for your inquiry and welcome to Centrify.

 

From the description, it seems like the problem is complaining about the token/certificate itself. Could you try the below and see if it will help?

 

The following steps need to be done on the Centrified Mac as root or sudo:

1) #cd /System/Library/Security/tokend/ (10.10 or below)

    #cd /Library/Security/tokend/ (10.11 or above)

2) #sudo mkdir tmp

3) #sudo mv CAC* tmp/

4) The Smart card must be removed and re-inserted again.

 

5) Please try again with Chrome


Note: In case you want to revert back to the CAC profile, undo the changes to tokend as follows:

sudo mv /System/Library/Security/tokend/tmp/CAC* /System/Library/Security/tokend/ (10.10 or below)

sudo mv /Library/Security/tokend/tmp/CAC* /Library/Security/tokend/ (10.11 or above)

 

Thank you.

 

Best Regards,

Albert

Enable the ability for users to add other email accounts


I have Centrify pushing out an Exchange Email auto config, which works just fine.

On the iPhone, however, the ability to add other accounts seems to be locked down. I do not see a setting in any of the iOS configuration settings that would "enable" or "disable" adding more email accounts.

How can I allow through MDM policy the ability to allow users to add other email accounts?

 

Slamdance

Connector unavailable error

We have set up connectors for two domains for authentication via Centrify. We have recently set up a Fortigate firewall.

 

In a computer that is part of DOMAIN A, Centrify connector is able to connect to the internet.

 

In a computer that is part of DOMAIN B, Centrify connector is unable to connect to the internet. It says "Connector is not available". This is in spite of a user on that computer being able to browse successfully.

 

Is there an option to specify firewall IP address in Centrify connector settings for it to connect successfully?
