Channel: All Centrify Express posts

Re: Domain Admin account doesn't work on Mac joined with Centrify Express


 

Welcome to the Centrify forum.

 

Would you be kind enough to post a new thread?

Since this original thread we have released two new versions.

 

Please post the operating system version and version of Centrify.

 

Note that if you're a commercial customer, you can always leverage support. Express support is on a best-effort, volunteer basis.

 

R.P


Re: Unable to add PIV domain/mobile account user to FileVault


Hello and welcome to the Centrify Community!

 

It appears you are binding the Mac in a Zoned mode, rather than in Autozone? If so, you will want to make sure the User is able to log in to the Mac in Access Manager first.

 

Also, I noticed that you mention PIV...is this User a Smartcard enforced User? At this time, OSX does not support Filevault2 unlock using Smartcards. More info here. You will need to use a User that has a username and password, in order to unlock the system. This can be either a local User or network user (assuming you have added them to allow login on this Mac.)

 

I hope this helps! If not, can you provide a few more details about your org?

 

Have a great day!!

 

Ryan V

Email address for MFA


Hello,

 

In MFA, is it possible to send verification email to another (common) mailbox, instead of the primary email address associated with the mailbox?

 

The reason I am asking is that, since the authentication email will be sent to the primary email address (the one I am accessing now), it will go into a cyclical loop and I will not be able to log in to the mailbox at all. This will negate the use of Multi-Factor Authentication (MFA) where someone wants to access the mailbox even when browsing outside the corporate network.

 

Regards,
Ganesan

Re: Email address for MFA


 

What you want to accomplish (as described) defeats the purpose of establishing identity assurance (e.g. that the person is who they say they are). Once a common mailbox is used, you can no longer guarantee that whoever accessed it is the primary account owner.

 

My advice is that if e-mail will be used, you also provide alternative method(s) (e.g. SMS, OATH OTP, RADIUS, Smart Card, Phone Factor) to address the issue of not being able to reach the mailbox to satisfy an MFA challenge.

 

That being said, you can leverage additional attributes for MFA, and the help topic can be found here: 

https://docs.centrify.com/en/centrify/adminref/index.html#page/cloudhelp%2FCloud_Settings.56.html%23ww1152326

 

R.P

Re: Email address for MFA


Hi Robertson,

Thanks for your help.

 

As for accessing Office 365 resources outside the corporate network, we would like to assign this privilege to only a select few employees. So it is fine for us to have a common mailbox, through which the authorised admin would facilitate MFA for the select employees.

 

In other words, we are not concerned about whether whoever accessed Office 365 is the primary account owner, since the access will in any case be granted by a single authorised admin.

 

Please let me know if that is possible.

 

Regards,
Ganesan

Re: Email address for MFA


Hi Ganesan,

 

If that is the case, you may leverage the Additional Attributes for MFA feature introduced in 16.7 as mentioned below:

 

http://community.centrify.com/t5/Cloud-Highlights-Release-Notes/Centrify-Cloud-16-7-Release-Notes/ba-p/23981

http://community.centrify.com/t5/Cloud-Highlights-Release-Notes/16-7-Highlights-Additional-Attributes-for-MFA-and-Mobile/ba-p/24193

 

Here is the online help page for that feature:

 

https://docs.centrify.com/en/centrify/adminref/index.html?_ga=2.177351461.1045144778.1497860282-1086186621.1497443000#page/cloudhelp%2FCloud_Settings.56.html%23ww1152326

 

Please feel free to let us know if there is any question.

 

Thank you.

Best Regards,
Henry

Re: NOOB question - can't SSH to Centrify protected Ubuntu server


 

Welcome to the forums and sorry for the late response.

 

And thanks for providing all the pertinent information.  Looks like your user's password is fine.

Please try "su - bruce" and see what happens.

 

If you are able to succeed, then your issue has to do with SSH and a directive. You'll have to debug SSH.

 

Let's start with the results from switch user, and go from there.

 

R.P

Re: NOOB question - can't SSH to Centrify protected Ubuntu server


Good morning and thank you for the response.

 

I would expect this command to fail, as the user is not set up on this machine (yet), and part of the Centrify advantage is that I don't have to set up users; as long as they are in AD they should auto-provision?

 


radmin@master:~$ su - bruce
No passwd entry for user 'bruce'
radmin@master:~$

 

 


Re: NOOB question - can't SSH to Centrify protected Ubuntu server


If Centrify is loaded on your system and it has been joined to AD, all your AD users (from the current domain or any trusted domains) should be visible.

 

Please note we are assuming "bruce" is a valid AD user (substitute bruce with a valid AD user otherwise).

 

Show me the output of:

 

$ adquery user bruce
If the output of this command is "bruce is not a zone user", this means that this user is not a valid AD user.

 

$ cat /etc/nsswitch.conf | grep centrifydc

 

This is to verify that the name service switch entries are in place.

Re: NOOB question - can't SSH to Centrify protected Ubuntu server


Robertson wrote:

If Centrify is loaded on your system and it has been joined to AD, all your AD users (from the current domain or any trusted domains) should be visible.

 

Please note we are assuming "bruce" is a valid AD user (substitute bruce with a valid AD user otherwise).

 

Show me the output of:

 

$ adquery user bruce
If the output of this command is "bruce is not a zone user", this means that this user is not a valid AD user.

 

$ cat /etc/nsswitch.conf | grep centrifydc

 

This is to verify that the name service switch entries are in place.



Ok - maybe I am misunderstanding - what does this command tell you?

 

sudo adinfo -A -u bruce
Active Directory password:
Password for user "bruce" is correct

 

Here is the output requested:

 

adquery user bruce
bruce is not a zone user

 

cat /etc/nsswitch.conf | grep centrifydc
passwd: centrifydc compat
group: centrifydc compat
shadow: centrifydc compat

 

Re: NOOB question - can't SSH to Centrify protected Ubuntu server


 

I think you might be confused here (or perhaps I may have confused you).

 

The fact that you can use "adinfo -A -u <user>" to test whether the password is correct or not doesn't necessarily mean that the user has access to the system. See, when you do this, under the hood you're leveraging Kerberos (e.g. kinit <user>); adinfo is just returning success or failure.

 

$ adinfo -A -u administrator
Active Directory password:
Password for user "administrator" is correct

 

For example, if you use "sudo adquery user -A bruce"  I expect to see a valid output, because the "-A"  switch (combined with sudo) tells the client to go and get the information about the user.  Here's an example from one of my systems:

 

 

Note that my valid users don't include all AD users.

$ adquery user
bart:x:1040191001:1040191001:Bart Simpson:/home/bart:/sbin/nologin
dwirth:x:1040188499:1040188499:Diana Wirth:/home/dwirth:/bin/bash
homer.simpson:x:1040191003:1040191003:Homer Simpson:/home/homer.simpson:/usr/bin/dzsh
maggie.simpson:x:1040191002:1040191002:Maggie Simpson:/home/maggie.simpson:/bin/bash
tom:x:1040192080:1040192080:Tom Stanton:/home/tom:/bin/bash

Note what happens when I query for a well-known username

$ adquery user administrator
Administrator is not a zone user

Now see what happens when I use the -A switch
(if I had used sudo or dzdo, I would have been able to see more info):

$ adquery user -A administrator
dn:CN=Administrator,CN=Users,DC=centrify,DC=vms
samAccountName:Administrator
sid:S-1-5-21-3883016548-1611565816-1967702834-500
canonicalName:centrify.vms/Users/Administrator
passwordHash:x
guid:cd7c955c-4657-4afe-846d-8cb22e62840b
requireMfa:false
zoneEnabled:false
memberOf:centrify.vms/Staff/Groups/Mac Admins,centrify.vms/UNIX/User Roles/centrify-directaudit-service-managers,centrify.vms/Users/Denied RODC Password Replication Group,centrify.vms/Users/Domain Admins,centrify.vms/Users/Domain Users,centrify.vms/Users/Enterprise Admins,centrify.vms/Users/Group Policy Creator Owners,

 

With Centrify, it's not only about authentication, but about authorization and auditing as well.  This all depends on the mode of operation (Auto Zone or Zone Mode) and if you are using filtering or any other capabilities.  Your domain/forest layout has a lot to say as well.

 

  • With that out of the way, what mode of operation are you using?  (adinfo --zone)
    If it says Auto Zone, you should be able to see the users visible to the system by running the 'adquery user' command.
  • Do you see any output when you run adquery user?  Can you try to log in (or su - username) to any of those users?

 

We need to figure out what's up with bruce, but it's possible that he may be on the other side of a one-way trust (not supported in Auto Zone mode, only in zone mode).

 

Also, what is the version of Centrify that you're using?  (adinfo -v)

 

Thanks

 

R.P

 

Re: NOOB question - can't SSH to Centrify protected Ubuntu server


I was following the quick start guide - so I may very well have done something wrong.

 

adinfo -zone
Auto Zone

 

adquery user

< no return >

 

adinfo -v

adinfo (CentrifyDC 5.4.1-455)

 

Is there another document or HowTo that I should be using?

Re: "AccountLocked: true" issue for Concurrent login(same ID) on around 100 to 1000 server


Hi,

 

Checking in to see if you still need assistance with this issue.

 

If yes, please send us the version of Centrify you've installed.  With this in hand we can begin to assist you.

 

Thank you,


Re: AD group is not synced to O365




Unisys wrote:

Ryan, 

 

thank you for your reply.

 

My group scope is 'global' and type is 'security'. It should not be affected by that change.

 

Any other idea?


 

NOOB question - can't SSH to Centrify protected Ubuntu server


Too many hours trying to make this work. I am willing to learn, it can't be this hard.

 

I completed the install, and it appears to be connected to the DC

 

sudo adinfo -T 

 

Domain Diagnostics:
Domain: r##########n.net
DNS query for: _ldap._tcp.r##########n.net
DNS query for: _gc._tcp.r##########n.net
Testing Active Directory connectivity:
Global Catalog: nas2.r##########n.net
gc: 3268/tcp - good
Domain Controller: nas2.r##########n.net
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good

 

sudo adinfo


Local host name: master
Joined to domain: r##########n.net
Joined as: master.r##########n.net
Pre-win2K name: master
Current DC: nas2.r##########n.net
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2017-06-13 10:28:16 CDT
CentrifyDC mode: connected
Licensed Features: Disabled

 

sudo adinfo -A -u bruce
Active Directory password:
Password for user "bruce" is correct

 

From /var/log/auth.log

 

Jun 13 13:06:04 master sudo: radmin : TTY=pts/0 ; PWD=/etc/centrifydc/ssh ; USER=root ; COMMAND=/usr/bin/adinfo -A -u bruce
Jun 13 13:06:04 master sudo: pam_unix(sudo:session): session opened for user root by radmin(uid=0)
Jun 13 13:06:11 master adinfo[5786]: INFO base.nocachemode Disabling the agent directory cache
Jun 13 13:06:11 master adinfo[5786]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=bruce pid=5786 utc=1497377171991 centrifyEventID=23700 DASessID=N/A DAInst=N/A status=GRANTED server=ldap/nas2.r##########n.net@R##########N.NET

 

 

However whenever I try to SSH in, I can not get authentication to pass.

 

ssh 192.168.240.31


Ubuntu 16.04.1 LTS master ssh-pty

Password:
Password:
Password:
bruce@192.168.240.31's password:
Permission denied, please try again.
bruce@192.168.240.31's password:

 

FROM /var/log/auth.log

 

Jun 13 13:07:57 master sshd[5854]: Invalid user bruce from 192.168.20.105 port 53977
Jun 13 13:07:57 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(unknown user) pid=5854 utc=1497377277878 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=(unknown service) tty=(no tty) authMechanism=unknown client=192.168.20.105 reason=INVALID_USER(invalid/invalidated user.)
Jun 13 13:07:57 master sshd[5854]: input_userauth_request: invalid user bruce [preauth]
Jun 13 13:07:57 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377277880 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=(unknown service) tty=(no tty) authMechanism=unknown client=192.168.20.105 reason=INVALID_USER(invalid/invalidated user.)
Jun 13 13:07:57 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:07:57 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:07:57 master sshd[5854]: Postponed keyboard-interactive for invalid user bruce from 192.168.20.105 port 53977 ssh2 [preauth]
Jun 13 13:08:08 master sshd[5856]: pam_unix(sshd:auth): check pass; user unknown
Jun 13 13:08:08 master sshd[5856]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.105
Jun 13 13:08:10 master sshd[5854]: error: PAM: Authentication failure for illegal user bruce from 192.168.20.105
Jun 13 13:08:10 master sshd[5854]: Failed keyboard-interactive/pam for invalid user bruce from 192.168.20.105 port 53977 ssh2
Jun 13 13:08:10 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377290814 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.20.105 reason=AUTH_FAIL_KBDINT(failed in keyboard interactive authentication.)
Jun 13 13:08:10 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:10 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:10 master sshd[5854]: Postponed keyboard-interactive for invalid user bruce from 192.168.20.105 port 53977 ssh2 [preauth]
Jun 13 13:08:17 master sshd[5860]: pam_unix(sshd:auth): check pass; user unknown
Jun 13 13:08:17 master sshd[5860]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.105
Jun 13 13:08:20 master sshd[5854]: error: PAM: Authentication failure for illegal user bruce from 192.168.20.105
Jun 13 13:08:20 master sshd[5854]: Failed keyboard-interactive/pam for invalid user bruce from 192.168.20.105 port 53977 ssh2
Jun 13 13:08:20 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377300066 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.20.105 reason=AUTH_FAIL_KBDINT(failed in keyboard interactive authentication.)
Jun 13 13:08:20 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:20 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:20 master sshd[5854]: Postponed keyboard-interactive for invalid user bruce from 192.168.20.105 port 53977 ssh2 [preauth]
Jun 13 13:08:27 master sshd[5861]: pam_unix(sshd:auth): check pass; user unknown
Jun 13 13:08:27 master sshd[5861]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.105
Jun 13 13:08:28 master sshd[5854]: error: PAM: Authentication failure for illegal user bruce from 192.168.20.105
Jun 13 13:08:28 master sshd[5854]: Failed keyboard-interactive/pam for invalid user bruce from 192.168.20.105 port 53977 ssh2
Jun 13 13:08:28 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377308728 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.20.105 reason=AUTH_FAIL_KBDINT(failed in keyboard interactive authentication.)
Jun 13 13:08:38 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:38 master adclient[1256]: WARN <fd:10 PAMUserIsOurResponsibility > base.zonehier Failed to extend object for CN=bruce,CN=Users,DC=r##########n,DC=net
Jun 13 13:08:38 master sshd[5854]: pam_unix(sshd:auth): check pass; user unknown
Jun 13 13:08:38 master sshd[5854]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.20.105
Jun 13 13:08:39 master sshd[5854]: Failed password for invalid user bruce from 192.168.20.105 port 53977 ssh2
Jun 13 13:08:39 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377319914 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=password client=192.168.20.105 reason=AUTH_FAIL_PASSWD(invalid user or password.)
Jun 13 13:08:41 master sshd[5854]: Connection closed by 192.168.20.105 port 53977 [preauth]
Jun 13 13:09:01 master CRON[5887]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 13 13:09:01 master CRON[5887]: pam_unix(cron:session): session closed for user root
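
The excerpt above carries two different kinds of records: the agent's "Trusted path granted" line (the AD password was verified over Kerberos) and a run of "SSHD denied" records whose reason codes change from INVALID_USER to AUTH_FAIL_KBDINT and AUTH_FAIL_PASSWD as sshd falls through its authentication methods for a name it does not recognise. The script below is an added example, not Centrify's own tooling: it parses the adclient AUDIT_TRAIL records and sshd's "Invalid user" lines and says which layer to debug next. It assumes only the record layout visible in the excerpt; the sample lines are copied from the excerpt (domain placeholder kept as posted) plus one unrelated cron line, so it runs offline.

```python
"""Triage Centrify adclient AUDIT_TRAIL records in /var/log/auth.log.

Added example, not Centrify's own tooling. It assumes only the record layout
visible in the excerpt above:
  AUDIT_TRAIL|<product>|<component>|<version>|<id>|<name>|<severity>|k=v k=v ...
where a value is either parenthesised ("user=(invalid user)") or a bare token
with an optional parenthesised description ("reason=INVALID_USER(invalid ...)").
"""
import re
from collections import Counter

AUDIT_RE = re.compile(
    r"AUDIT_TRAIL\|(?P<product>[^|]*)\|(?P<component>[^|]*)\|(?P<version>[^|]*)"
    r"\|(?P<id>\d+)\|(?P<name>[^|]*)\|(?P<severity>\d+)\|(?P<fields>.*)$"
)
# key=value tokens: value is "(words)" or a bare token with optional "(description)"
KV_RE = re.compile(r"(\w+)=(\([^)]*\)|[^\s(]+(?:\([^)]*\))?)")
SSHD_INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def parse_audit(line):
    """Return a dict for an AUDIT_TRAIL record, or None for any other line."""
    m = AUDIT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["fields"] = dict(KV_RE.findall(rec["fields"]))
    return rec


def reason_code(rec):
    """'INVALID_USER(invalid/invalidated user.)' -> 'INVALID_USER'."""
    return rec["fields"].get("reason", "").split("(", 1)[0]


def triage(lines):
    """Summarise the agent's decisions and name the layer to debug next."""
    granted = set()      # users whose AD password verified (Trusted path granted)
    invalid = set()      # names sshd reported as "Invalid user"
    denied = Counter()   # reason code -> number of SSHD denied records
    clients = Counter()  # source address -> number of denials
    for line in lines:
        m = SSHD_INVALID_RE.search(line)
        if m:
            invalid.add(m.group(1))
        rec = parse_audit(line)
        if rec is None:
            continue
        f = rec["fields"]
        if rec["name"] == "Trusted path granted" and f.get("status") == "GRANTED":
            granted.add(f.get("user", "?"))
        elif f.get("status") == "DENIED":
            denied[reason_code(rec)] += 1
            clients[f.get("client", "?")] += 1
    if denied["INVALID_USER"] and granted & invalid:
        # The thread's situation: Kerberos accepted the password, but the host
        # does not consider the account a user at all, so sshd never checks a
        # password against a real identity. That is a visibility problem.
        verdict = ("AD accepted the password but the host does not know the "
                   "user: check 'adinfo --zone' and 'adquery user <name>' "
                   "(visibility, zone mode, trust), not sshd")
    elif denied and not denied["INVALID_USER"]:
        verdict = "host knows the user; failures are at the credential/PAM layer"
    elif denied:
        verdict = "user unknown to host; confirm the name exists in AD"
    else:
        verdict = "no denials recorded"
    return {"granted": sorted(granted), "invalid": sorted(invalid),
            "denied": dict(denied), "clients": dict(clients), "verdict": verdict}


# Constructed sample: five lines copied from the excerpt above (domain
# placeholder kept as posted) plus one unrelated cron line.
SAMPLE = """\
Jun 13 13:06:11 master adinfo[5786]: INFO AUDIT_TRAIL|Centrify Suite|Trusted Path|1.0|2700|Trusted path granted|5|user=bruce pid=5786 utc=1497377171991 centrifyEventID=23700 DASessID=N/A DAInst=N/A status=GRANTED server=ldap/nas2.r##########n.net@R##########N.NET
Jun 13 13:07:57 master sshd[5854]: Invalid user bruce from 192.168.20.105 port 53977
Jun 13 13:07:57 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(unknown user) pid=5854 utc=1497377277878 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=(unknown service) tty=(no tty) authMechanism=unknown client=192.168.20.105 reason=INVALID_USER(invalid/invalidated user.)
Jun 13 13:08:10 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377290814 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=keyboard-interactive client=192.168.20.105 reason=AUTH_FAIL_KBDINT(failed in keyboard interactive authentication.)
Jun 13 13:08:39 master adclient[1256]: INFO AUDIT_TRAIL|Centrify Suite|Centrify sshd|1.0|101|SSHD denied|5|user=(invalid user) pid=5854 utc=1497377319914 centrifyEventID=27101 DASessID=N/A DAInst=N/A status=DENIED service=ssh-connection tty=(no tty) authMechanism=password client=192.168.20.105 reason=AUTH_FAIL_PASSWD(invalid user or password.)
Jun 13 13:09:01 master CRON[5887]: pam_unix(cron:session): session opened for user root by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The verdict rule is deliberately narrow: only the combination of a GRANTED trusted-path record and an INVALID_USER denial for the same name points at zone/visibility rather than credentials, which is exactly the distinction the replies above draw between "adinfo -A -u" succeeding and "adquery user" returning "is not a zone user".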

 

 

 

Re: No Centrify Suite is available on the selected platforms


I was hoping to see some resolution of this problem, because I am running into the exact same issue trying to deploy the Mac agent to a local Mac. The Mac is sanely named.

 

The software is actually already present on this Mac, but the "No Centrify Suite is available on the selected platform" error message makes me believe that this is not the problem. (I've been using the target Mac to experiment with; it's currently not joined to the AD domain.)

 

I am, however, currently stuck at Mr. Robertson's step 5. Guidance would be much appreciated.

Re: No Centrify Suite is available on the selected platforms


What version of Mac are you using? And what version of Centrify Server Suite?

 

 
