Channel: All Centrify Express posts

How to query the email of a user's manager from the Manager attribute in Active Directory?


Does anyone know how to query the email of a user's manager from the Manager attribute in Active Directory?
I am using the Provisioning script editor. By using manager = source.Get('manager'); I am able to get the Manager's CN (CN=Manager's LastName\, FirstName,OU=SomeOU,OU=DOMAIN,DC=com). Is there a way to query the email of the manager?

Re: Centrify Express for RedHat with SmartCard Support



Welcome to the forums
From the Smart Card Guide:
"Before you configure smart card authentication
To use a smart card to log on to a Red Hat Linux or CentOS computer,
verify that the computers meet these requirements:

  • Are running Red Hat Linux (32- or 64-bit) version 5.6 or later, or CentOS version 5.6 or later, and running the GNOME desktop. The agent does not support use of a smart card with the KDE desktop.
  • Have agent version 5.0.4 or later installed (for a single-user card). A multi-user card requires the 5.1 or later agent.
  • Are joined to the Windows domain.
  • Have a supported smart card reader attached"
https://docs.centrify.com/en/css/suite2017.1/centrify-linux-smartcard.pdf
Note: Don't confuse the CAC/PIV utility for Mac with our Smart Card support for RHEL and CentOS.
I hope this works,
R.P

Re: How to query the email of a user's manager from the Manager attribute in Active Directory?


I'm not sure you posted in the right forum; are you inquiring about our UNIX/Linux/Mac AD integration?

Re: How to query the email of a user's manager from the Manager attribute in Active Directory?


Hello JacobT! Welcome to the Centrify Community Portal.
We currently do not have the syntax available that will allow you to query and provision the Manager's attribute e-mail address for a user account.
If there is a particular application you are attempting this for, it would be helpful to provide the name of the app and a screenshot of the user's account in the application. With this information we could try to provide a workaround to query the e-mail address of the Manager and have it provisioned under the user's account.
Let me know if this works for you.
Thanks,
Kequa
Does this work with AWS Simple AD?


Hi,
I am trying to connect our Ubuntu laptops to an AD instance running on the cloud. Currently it is "Simple AD".

http://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_simple_ad.html
While checking and joining the domain are all fine, it is not able to recognize the user and not able to login as an AD user. In some other posts I saw it may not work with non-MS ADs and hence let me first check if Centrify Express is compatible with Simple AD.
If it is compatible, please see what the problem is. Here are some details. 
# adinfo
Local host name: xxx-ltp-178
Joined to domain: simplead.xxx.xxx
Joined as: xxx-ltp-178.simplead.xxx.xxx
Pre-win2K name: xxx-ltp-178
Current DC: aws-xxx.simplead.xxx.xxx
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2017-07-12 11:02:16 IST
CentrifyDC mode: connected
Licensed Features: Disabled
# adquery user vikram
vikram is not a zone user
# adquery user vikram -A

returns lots of lines which show it is a valid AD user. Some lines are

samAccountName:vikram

accountExpires:Never
passwordExpired:false
passwordExpires:Fri Oct 6 21:02:09 2017
passwordWillExpire:86
nextPasswordChange:Tue Jul 11 21:02:09 2017
lastPasswordChange:Sat Jul 8 21:02:09 2017
accountLocked:false
accountDisabled:false
requireMfa:false
zoneEnabled:false
So as you can see, it's a valid AD user and the laptop is clearly connected to AD. So I'm not sure why it doesn't recognize the user. Also, su does not work:

# su - vikram
No passwd entry for user 'vikram'
# su - vikram@simplead.xxx.xxx
No passwd entry for user 'vikram@simplead.xxx.xxx'
Please let me know what could be wrong. 
Thanks,

Vikram

Re: Does this work with AWS Simple AD?


By the way, laptop is running Ubuntu 16.04 and adinfo -v returns

adinfo (CentrifyDC 5.4.1-455)

Re: Does this work with AWS Simple AD?


Welcome to the Centrify forums.

Although SimpleAD (Samba4, based on Windows Server 2008 R2 AD) is not "officially supported", there are ways for you to make this work.

Just edit /etc/centrifydc/centrifydc.conf and enable the parameter adclient.excluded.domains; set the value to exclude your DOMAINDNSZONES.<yoursimplead> and FORESTDNSZONES.<yoursimplead>. In my case I have a SimpleAD called corp.workspaces.demo, therefore my line looks like this:
adclient.excluded.domains: DOMAINDNSZONES.corp.workspaces.demo FORESTDNSZONES.corp.workspaces.demo

After you make this change, make sure you either restart the client or issue the adreload command.
Here's a sanity check sequence:
Installation

# apt install centrifydc
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  centrifydc-curl centrifydc-openldap centrifydc-openssl
The following NEW packages will be installed:
  centrifydc centrifydc-curl centrifydc-openldap centrifydc-openssl
0 upgraded, 4 newly installed, 0 to remove and 36 not upgraded.
Need to get 30.9 MB of archives.
After this operation, 81.4 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://repo.centrify.com/deb stable/main amd64 centrifydc-openssl amd64 5.4.1-455 [2,382 kB]
Get:2 https://repo.centrify.com/deb stable/main amd64 centrifydc-openldap amd64 5.4.1-455 [2,160 kB]
Get:3 https://repo.centrify.com/deb stable/main amd64 centrifydc-curl amd64 5.4.1-455 [345 kB]
Get:4 https://repo.centrify.com/deb stable/main amd64 centrifydc amd64 5.4.1-455 [26.0 MB]
Fetched 30.9 MB in 7s (4,229 kB/s)
Selecting previously unselected package centrifydc-openssl.
(Reading database ... 51032 files and directories currently installed.)
Preparing to unpack .../centrifydc-openssl_5.4.1-455_amd64.deb ...
Unpacking centrifydc-openssl (5.4.1-455) ...
Selecting previously unselected package centrifydc-openldap.
Preparing to unpack .../centrifydc-openldap_5.4.1-455_amd64.deb ...
Unpacking centrifydc-openldap (5.4.1-455) ...
Selecting previously unselected package centrifydc-curl.
Preparing to unpack .../centrifydc-curl_5.4.1-455_amd64.deb ...
Unpacking centrifydc-curl (5.4.1-455) ...
Selecting previously unselected package centrifydc.
Preparing to unpack .../centrifydc_5.4.1-455_amd64.deb ...
Unpacking centrifydc (5.4.1-455) ...
Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up centrifydc-openssl (5.4.1-455) ...
Setting up centrifydc-openldap (5.4.1-455) ...
Setting up centrifydc-curl (5.4.1-455) ...
Setting up centrifydc (5.4.1-455) ...

Platform check and adcheck

# uname -a
Linux ip-172-31-29-29 4.4.0-1020-aws #29-Ubuntu SMP Wed Jun 14 15:54:52 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
# /usr/share/centrifydc/bin/adcheck corp.workspaces.demo
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PORTMAP  : Verify that portmap or rpcbind is installed                 : Warning
         : Could not install CentrifyDC-nis package.
         : PORTMAP not installed. Please install required
         : portmap or rpcbind package, which CentrifyDC-nis
         : depends on

PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 172.31.26.34                               : Pass
DNSPROBE : Probe DNS server 172.31.40.69                               : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Pass
WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
SSH      : SSHD version and configuration                              : Warning
         : You are running OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g  1 Mar 2016.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         : ChallengeResponseAuthentication yes
         : UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.

DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC aws-d2b29d34ca.corp.workspaces.demo        : Pass
ADPORT   : Port scan of DC aws-d2b29d34ca.corp.workspaces.demo 172.31.26.34: Pass
ADDC     : Check Domain Controllers                                    : Pass
ADDNS    : DNS lookup of DC aws-d2b29d34ca.corp.workspaces.demo        : Pass
GCPORT   : Port scan of GC aws-d2b29d34ca.corp.workspaces.demo 172.31.26.34: Pass
ADGC     : Check Global Catalog servers                                : Pass
DCUP     : Check for operational DCs in corp.workspaces.demo           : Pass
SITEUP   : Check DCs for corp.workspaces.demo in our site              : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
GSITE    : See if we think this is the correct site                    : Pass
TIME     : Check clock synchronization                                 : Pass
ADSYNC   : Check domains all synchronized                              : Pass
2 warnings were encountered during check. We recommend checking these before proceeding

Joining AD

Notice the use of the -n switch to get around the name resolution issue; however, note the messages at the end: the client is unable to get some info about the domain.
# adjoin -w -V corp.workspaces.demo
Error: computer name should not be localhost or localhost.localdomain
Please edit /etc/hosts or your DNS server to set your hostname correctly
or use the --name option
# adjoin -w -V -n ubuntu01 corp.workspaces.demo
Administrator@CORP.WORKSPACES.DEMO's password:
Options
-------
Precreate: no
Compatible with 2.x/3.x: no
Enable Apple Scheme to generate UID/GID: no
domain: corp.workspaces.demo
user: Administrator@CORP.WORKSPACES.DEMO
container: null
computer name: ubuntu01
Pre-Windows 2000 name: ubuntu01
DNS Host Name used for dNSHostName attr: null
zone: Auto Zone
server: null
zoneserver: null
gc: null
upn: null
noconf: no
set time: yes
force: no
forceDeleteObj: no
trust: no
des: no
self-serve: no
use ldap to create computer object: no
license type: null

Setting time
Initializing domain settings file to corp.workspaces.demo
Attempting bind to corp.workspaces.demo(site:) as Administrator@CORP.WORKSPACES.DEMO on any server
Using domain controller: aws-d2b29d34ca.corp.workspaces.demo writable=true
Initializing forest settings file to CORP.WORKSPACES.DEMO
Using global catalog server: aws-d2b29d34ca.corp.workspaces.demo
Search for object by samName: filter=(samAccountName=ubuntu01$) root=DC=corp,DC=workspaces,DC=demo
Searching for well known container for computers
Well known container not found, using default
Using cn=computers,dc=corp,dc=workspaces,dc=demo container for computer object
Saving zone settings
Zone name:    DC=corp,DC=workspaces,DC=demo
Zone version:
Zone schema:  NULL_AUTO
Zone GUID:    00112233445566778899aabbccddeeff
Using RPC to create the computer account
Searching for newly created computer account: DC=corp,DC=workspaces,DC=demo
Search for object by samName: filter=(samAccountName=ubuntu01$) root=DC=corp,DC=workspaces,DC=demo
Found existing computer object: CN=ubuntu01,CN=Computers,DC=corp,DC=workspaces,DC=demo
Attempting to update computer dns name...
Update succeeded!
Searching for SPNs in GC...
Attempting to update computer service principal names...
Update succeeded!
Update Computer's Security Descriptor to allow computer object to read/write
operating system and operating system version properties as well as reset password.
Looking for ntSecurityDescriptor for object CN=ubuntu01,CN=Computers,DC=corp,DC=workspaces,DC=demo ....
Checking if the required permissions exist.
Not all of the required permissions exist, will add them.
Add Allowed ACE to Read and Write operatingSystemVersion for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Read and Write operatingSystem for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Read and Write operatingSystemServicePack for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Reset Password for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Read userAccountControl for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Validate write to servicePrincipalName for S-1-5-21-755964034-531226104-3608840157-1112.
Add Allowed ACE to Validate write to dNSHostName for S-1-5-21-755964034-531226104-3608840157-1112.
Unset "Trust for delegation" bit.
Unset "Use Des Key Only" bit.
Set operatingSystemVersion to "6.1:16.04", so that KDC will issue service ticket using AES enctypes.
Set also msDS-supportedEncryptionType to "24"
Update OS information.  This requires computer object update rights...
Update OS information succeeded
Update License Type: workstation
Update Encryption Types
Setting machine password...
Setting get init cred callback before set password (rc=0).
Password change succeeded
Samba interoperability is disabled in centrifydc.conf: Skipped synchronizing machine password with Samba
Save kerberos join data...
Using Win 2003 key version 2
Writing kerberos keytab
Updating settings files
Join to domain:corp.workspaces.demo, zone:Auto Zone successful
Starting daemon

Centrify DirectControl started.
Waiting for adclient to startup ......
Adclient startup completed!
Loading domains and trusts information
...............................
.............................Could not get the domain prefix map in allotted time.
If there are conflicts it could cause two or more users to have the same UID.
You can increase the parameter "adjoin.adclient.wait.seconds" to wait longer.
See /etc/centrifydc/centrifydc.conf.

Initializing cache
.
You have successfully joined the Active Directory domain: corp.workspaces.demo
in the Centrify DirectControl zone: Auto Zone


You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation.  Failure to do so may result in
login problems for AD users.

Adinfo and adquery user

Note that adinfo comes out fine, but nothing is yielded by adinfo

ubuntu@ip-172-31-29-29:~$ adinfo
Local host name:   ip-172-31-29-29
Joined to domain:  corp.workspaces.demo
Joined as:         ubuntu01.corp.workspaces.demo
Pre-win2K name:    ubuntu01
Current DC:        aws-d2b29d34ca.corp.workspaces.demo
Preferred site:    Default-First-Site-Name
Zone:              Auto Zone
CentrifyDC mode:   connected
Licensed Features: Enabled
ubuntu@ip-172-31-29-29:~$ adquery user

Fixing the issue

ubuntu@ip-172-31-29-29:~$ sudo vi /etc/centrifydc/centrifydc.conf
ubuntu@ip-172-31-29-29:~$ sudo adreload
ubuntu@ip-172-31-29-29:~$ adquery user
administrator:x:2113929716:2113929716:Administrator:/home/administrator:/bin/bash
aws_workspaces:x:2113930322:2113930322:AWS_WorkSpaces:/home/aws_workspaces:/bin/bash
awsadmind-9067260db9:x:2113930319:2113930319:AWSAdminD-9067260DB9:/home/awsadmind-9067260db9:/bin/bash
diana:x:2113930324:2113930324:Diana Wirth:/home/diana:/bin/bash
lisa:x:2113930325:2113930325:Lisa Simpson:/home/lisa:/bin/bash

Testing with switch user

ubuntu@ip-172-31-29-29:~$ su - administrator
Password:
Created home directory

Testing with SSH access

$ ssh lisa@localhost
Permission denied (publickey).

# need to fix SSH server (most likely PasswordAuthentication is set to no)

$ sudo vi /etc/ssh/sshd_config
$ sudo service sshd restart
$ ssh lisa@localhost
lisa@localhost's password:
Created home directory
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-1020-aws x86_64)
[truncated]
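
A small POSIX shell helper, added here as an example and not code from the post or from Centrify, that applies the adclient.excluded.domains change R.P describes for a given Simple AD domain and then verifies the effective line. It assumes the default config path /etc/centrifydc/centrifydc.conf and needs root to edit it; pass a copy of the file to try it first.

```shell
#!/bin/sh
# Added example, not Centrify's own tooling. Assumed config path:
# /etc/centrifydc/centrifydc.conf. Run as root when editing the real file.

# excluded_domains_value DOMAIN
# Prints the value used in the post: both DNS application partitions of
# the Simple AD forest, which adclient cannot enumerate as real domains.
excluded_domains_value() {
    printf 'DOMAINDNSZONES.%s FORESTDNSZONES.%s\n' "$1" "$1"
}

# set_excluded_domains FILE DOMAIN
# Keeps a .bak copy, drops any existing adclient.excluded.domains line
# (commented or active), then appends one active line so the file ends
# up with exactly one effective setting.
set_excluded_domains() {
    file=$1
    domain=$2
    value=$(excluded_domains_value "$domain")
    cp "$file" "$file.bak" || return 1
    grep -v '^[# ]*adclient\.excluded\.domains:' "$file.bak" > "$file" || true
    printf 'adclient.excluded.domains: %s\n' "$value" >> "$file"
}

# check_excluded_domains FILE DOMAIN
# Returns 0 only if the last active (uncommented) setting names both
# partitions for DOMAIN; commented-out lines do not count.
check_excluded_domains() {
    file=$1
    domain=$2
    line=$(grep '^adclient\.excluded\.domains:' "$file" | tail -n 1)
    case "$line" in
        *"DOMAINDNSZONES.$domain "*"FORESTDNSZONES.$domain"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use on the joined client, followed by the reload the post asks for:
#   set_excluded_domains /etc/centrifydc/centrifydc.conf corp.workspaces.demo && adreload
```

The check only looks at the file; adclient does not pick the change up until adreload or a restart, as the post notes.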
Re: Does this work with AWS Simple AD?


Thanks a lot for such a detailed reply!

I made those changes on my laptop and was able to get it to work. So I think this is all good. 
Just a quick question. Even now, though it is working, I see entries like the following in /var/log/centrifydc.log if addebug is on.

==

Jul 13 06:09:51 viz-ltp-178 adclient[15957]: DEBUG <fd:25 PAMUserIsOurResponsibility > base.bind.cache Skipping vikram since the object is not enabled in the current zone
Jul 13 06:09:51 viz-ltp-178 adclient[15957]: DEBUG <fd:25 PAMUserIsOurResponsibility > base.adagent findByAttr: Not Found:vikram category:user attr=sAMAccountName
.
.
Jul 13 06:09:51 viz-ltp-178 adclient[15957]: DEBUG <fd:25 PAMUserIsOurResponsibility > base.adagent findObject: NotFound:vikram Category:user
Jul 13 06:09:51 viz-ltp-178 adclient[15957]: DEBUG <fd:25 PAMUserIsOurResponsibility > base.objecthelper 'vikram' is not a canonical name
Jul 13 06:09:51 viz-ltp-178 adclient[15957]: DEBUG <fd:23 compiz(17689)> Authentication for user 'vikram': skipping because user has no Active Directory account.

==

Also "adquery user vikram" still says "vikram is not a zone user" whereas with a -A it returns proper entries. 
But I was able to do a "su - vikram" successfully and there is no local user called vikram. Also, within the su session, "hostname -d" shows I am on the right domain. So I think it's all working fine. But I just thought of checking about the above logs to be sure.
Thanks again,

Vikram


Re: Does this work with AWS Simple AD?


You should be fine now. This looks like normal chatter.

Make sure addebug is off.
You can also dial down the debug options in the config file.
R.P

Re: Does this work with AWS Simple AD?


Great! Thanks again for all the help. 
Hopefully one last query on this thread. This may not be related to Simple AD as such. What I noticed is that once I am off VPN and not connected to the AD, I am not able to log in, and auth.log says it is trying to connect to the DC and timing out, etc. Specifically, pam_sss says "Authentication service cannot retrieve authentication info".
On Windows, we have seen it use cached credentials when it is disconnected from AD. Any way to do that here? Please let me know.
Thanks,

Vikram

Re: Does this work with AWS Simple AD?


You should be able to log in with cached credentials provided the user has logged into the system successfully before.

pam_sss is not our module; I suggest you clean up so there are no conflicts.
You should be looking at events from adclient.
