Channel: All Centrify Express posts
Viewing all 1833 articles

Re: find-generic-password /Active Directory/DOMAINAME Equivalent for Centrify


Hmmm... seems to be something we can help you with by enhancing the way we are doing things (in the long run), but perhaps....

...did you try changing the umask on the target directory as a potential workaround? (or, alternatively, you can change the runmapper script -the script that runs to perform the GPO action-).

 

If these things sound foreign to you, let me know.

 

Robertson

 

 


Re: find-generic-password /Active Directory/DOMAINAME Equivalent for Centrify


I did actually have an open ticket with Centrify to work on that issue with the back end way of doing things. But you are right about the long run. It may not be implemented until later in the year. I didn't really get a timeframe on completion. Hoping to have a quicker temporary solution to help with the constant problems we are seeing now.

 

The options you suggest do sound foreign to me so I may need a little more walkthrough steps to test that.

 

I feel like I'm close with the script I'm using now if I can just figure out how to get the /CentrifyDC item back in keychain for the machines it has been removed on without having to do a manual unbind and then rebind again.

 

I was able to replicate a cause of /CentrifyDC being removed for testing. If on a Centrify Bound machine you go into terminal and type "sudo systemkeychain -vfcC", it blows away the keychain and recreates everything and then adgpupdate brings all the certs back and everything. But the /CentrifyDC object is missing after that.

kinit as service account


I have a 5-node RH cluster & 1 AD. I used Centrify Express to integrate with AD.

HW distribution.

Enabled Kerberos and stored all SPNs on AD by creating a separate OU.

When I try with the UPN it just works fine:

 

[rvchinta@mas1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh
Default principal: rvchinta@CHRSV.COM

Valid starting Expires Service principal
05/12/17 10:32:30 05/12/17 20:32:30 krbtgt/CHRSV.COM@CHRSV.COM
renew until 05/19/17 10:32:30
[rvchinta@mas1 ~]$ hdfs dfs -ls /
Found 11 items
drwxrwxrwx - yarn hadoop 0 2017-05-08 21:14 /app-logs
drwxr-xr-x - hdfs hdfs 0 2017-05-08 21:16 /apps
drwxr-xr-x - yarn hadoop 0 2017-05-08 21:01 /ats
drwxr-xr-x - hdfs hdfs 0 2017-05-08 21:02 /hdp
drwxr-xr-x - mapred hdfs 0 2017-05-08 21:02 /mapred
drwxrwxrwx - mapred hadoop 0 2017-05-08 21:02 /mr-history
drwxr-xr-x - hdfs hdfs 0 2017-05-09 13:17 /ranger
drwxrwxrwx - spark hadoop 0 2017-05-12 10:53 /spark-history
drwxrwxrwx - spark hadoop 0 2017-05-12 10:52 /spark2-history
drwxrwxrwx - hdfs hdfs 0 2017-05-12 08:44 /tmp
drwxr-xr-x - hdfs hdfs 0 2017-05-09 10:05 /user

 

The issue is with the SPN:

 

[root@mas1 rvchinta]# su hdfs
[hdfs@mas1 rvchinta]$ klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh)
[hdfs@mas1 rvchinta]$ kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-hwhc@CHRSV.COM
[hdfs@mas1 rvchinta]$ klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh)
[hdfs@mas1 rvchinta]$

 

How do I address this issue?

Re: kinit as service account

I think I figured it out: when I do a sudo from one account to another, I need to destroy the old ticket, else it cannot write to the ticket cache since it is owned by the other account.

Re: kinit as service account


That's exactly the reason. The Kerberos ticket cache is a file, and the user running klist needs to have access to the credential cache or, better yet from a security perspective, the users that need tickets for a principal should have read access to the keytab. These users can then kinit with the keytab.
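
In the session above, klist as hdfs still points at rvchinta's cache file, which is what happens when KRB5CCNAME is carried across su. As an added example (not part of the original posts and not Centrify code), this shell script vets the inherited cache before kinit -kt and otherwise switches to a per-UID cache; the function names and the fallback path are assumptions.

```shell
#!/usr/bin/env bash
# Added example (constructed): vet the credential cache named in KRB5CCNAME
# before running kinit -kt as a different account.

# Print the file behind a ccache name. Only FILE: caches (or bare paths,
# which Kerberos treats as FILE:) live on disk; other types return 1.
ccache_file() {
  case "$1" in
    FILE:*) printf '%s\n' "${1#FILE:}" ;;
    /*)     printf '%s\n' "$1" ;;
    *)      return 1 ;;
  esac
}

# Succeed if the current user can safely use the cache: it is not a file
# cache, it does not exist yet, or it is a regular file owned by the
# effective UID with no group/other permission bits.
ccache_usable() {
  local f
  f=$(ccache_file "$1") || return 0
  [ -e "$f" ] || [ -L "$f" ] || return 0
  [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
  [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# Keep the inherited cache if usable, otherwise use a per-UID file
# (hypothetical fallback path, same shape as the MIT default).
pick_ccache() {
  if [ -n "$1" ] && ccache_usable "$1"; then
    printf '%s\n' "$1"
  else
    printf 'FILE:/tmp/krb5cc_%s\n' "$(id -u)"
  fi
}

# Usage, with the keytab and principal from the post:
#   export KRB5CCNAME=$(pick_ccache "$KRB5CCNAME")
#   kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-hwhc@CHRSV.COM
```

Starting the service account's shell with `su - hdfs` avoids the inherited variable in the first place, because a login shell does not keep the caller's environment.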

Am I missing something?


I am currently using Centrify Express with DirectManage Deployment Manager installed on Server 2012 R2 linked to my domain controller. I am trying to update the agents on my Mac computers (currently 5.3.0-214) but I am getting an error about my OS revision.

 

Unknown OS revision 10.12.4

 

Is there an updated agent that supports this version of Mac OS? If so, how do I get it?

Re: Am I missing something?


Hi Alov,

 

Yes, we support Mac OS 10.12 in our latest version (5.4.0). You can find the download page at the link below after filling out the form. You can find both DirectManage (for Deployment Manager) and Agents (including the Mac agent) there. Hope this helps, and feel free to let me know if you have any questions.

 

https://www.centrify.com/express/identity-service/mac-download/

 

Regards,

Alan

Re: Am I missing something?

So I downloaded the latest DirectManage Deployment Manager (version 5.4.0.219), and when I go to deploy the agent it says the same thing: version unsupported.



Re: macOS Sierra 10.12.2 DOD CAC Access Issues


I've had all the same problems and am hoping to disable the built-in Sierra smart card support as well but don't understand what this link is telling me to do.  I found that referenced file but am not sure how to use that to disable the support, please help!

Re: Am I missing something?


Hi Alov,

 

Can you try to import the "centrify-product-catalog-offline" to the Deployment Manager (DM)?

 

1. On DM select the top node from left panel - "Centrify DirectManage Deployment Manager", right click and choose "Import Centrify Product Catalog..."

 

2. Click Browse and locate the centrify-product-catalog-offline.xml file:

 

<Download package>\Centrify-DirectManage-Express-5.4.0-win64\centrify-product-catalog-offline.xml

 

3. Click Next to import

 

Hope this helps. Please let me know if you have any questions.

 

Regards,

Alan

Re: Am I missing something?


Hi,

I believe the root cause is that the current Centrify version installed on the Mac is 5.3.0, and it does not support OS X 10.12.x. When the Deployment Manager tries to run adcheck with 5.3.0, it will fail with the unsupported version error.

This situation will occur when end users upgrade the OS before upgrading the agent. We always suggest that customers upgrade the agent first, before upgrading the OS, to avoid this kind of incident.

Can you check whether the issue only occurs on Macs with 5.3.0? If so, please consider performing a manual upgrade on the Mac to at least version 5.3.3, or to 5.4.0 and above directly, in order for Deployment Manager to work.

Please keep us posted with the result and update. Thank you!

Best regards,
Ivan

Can I get the Group Policy templates with Centrify express for Linux/Unix?


I am trying to figure out how to do GPOs with Centrify Express. Is this possible?

 

I am only looking for a policy that can help with password requirements/expiration.

 

Thank you,

 

Jay

Re: Can I get the Group Policy templates with Centrify express for Linux/Unix?


Welcome to the forums.

You need at least Centrify Standard Edition to be able to use Centrify-provided group policies.

 

Account, Kerberos, Lockout and other GPOs are processed automatically, so you should be fine.

 

Robertson

Re: Can I get the Group Policy templates with Centrify express for Linux/Unix?


Does it generally take a while for the lockout/other GPOs to propagate to the machine running Centrify Express?

Re: Can I get the Group Policy templates with Centrify express for Linux/Unix?


The ones that are enforced in Express should be effective immediately after you join (e.g. Account, Kerberos, Lockout), unless you're making changes to them; in that case you can use the adgpupdate command to force an update and the adgpresult command to review them.


Re: macOS Sierra 10.12.2 DOD CAC Access Issues


Hi,

 

According to the Apple post, you can achieve the same with the steps below:

1. Log in as local admin

2. Bring up Terminal (you can search for "terminal" to find it)

3. In the terminal session, please copy and paste the command below exactly (or you can type it):

    sudo defaults write /Library/Preferences/com.apple.security.smartcard DisabledTokens -array com.apple.CryptoTokenKit.pivtoken

4. After that it should be disabled. You can log out and try again.

 

Hope this helps.


Best Regards,

Albert

ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED


Trying to use a CAC card on my Mac. I've been through all the steps on militarycac.com and I still get the error code in the subject line of this message when I try to use it with Chrome. Also getting error codes with Firefox and Safari. Please help.

Re: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED


Hi,

 

Welcome to Centrify community!

 

Please try to perform the following steps and see if that would help resolve the issue:

 

CAC and CACNG tokend must be removed.

The following steps need to be done on the Centrified Mac as root or sudo:

 

Open up terminal on the Mac and run the following:

1) #cd /System/Library/Security/tokend/

2) #sudo mkdir tmp

3) #sudo mv CAC* tmp/

4) The Smart card must be removed and re-inserted again.

5) Keychain Access must be opened.  The card should appear as "PIV-*".

6) site.mail.xxx web site should be accessible now. 

a) (If using Safari browser, the credential association must be removed for site.mail.xxx, so that the right certificate can be selected.)

 

Please keep us posted with the result and update. Thank you!

 

BR,

Ivan

Re: Am I missing something?


How do I get the agent to do a manual install on the Mac? Once it is installed, I assume I do an analyze to see if it is updated and checking in correctly?

 

Re: Am I missing something?
