Channel: All Centrify Express posts
Viewing all 1833 articles

Re: openscap failed results on owners of files on AD users.


The US government is our customer, and since Express is just a subset of what we provide, they have support for the full version.

 

How about trying to contact support?

 

Please remember that RH7.4 and derivatives are supported with Infrastructure Services 2017.2 (5.4.2).

 

R.P


Login fails with socket error


I have an Ubuntu 16.04 server I'm testing Centrify Express with; I've set up the service (version CentrifyDC 5.4.2-668) with the --express flag and can join the domain successfully (confirmed by adinfo). However, no AD users can log in. With debug turned on, I'm seeing these errors. Same if I include the domain in the username.

Nov 09 14:23:38 sshd[2774] DEBUG: -> getpwnam_centrifydc_r user="sshd"
Nov 09 14:23:38 sshd[2774] DEBUG: User="sshd" str2ent=(nil) result=0x7f63365a2d80, buffer=0xbc8a16dce0
Nov 09 14:23:38 sshd[2774] DEBUG: User 'sshd' is not an override user
Nov 09 14:23:38 sshd[2774] DEBUG: getpwnam: User 'sshd' is in 'pam.ignore.users' list
Nov 09 14:23:38 sshd[2774] DEBUG: <- getpwnam_centrifydc_r, result=NSS_NOTFOUND(0)
Nov 09 14:23:41 sshd[2774] DEBUG: Failed to open logging connection to adclient through '/var/centrifydc/daemon2': Socket error
Nov 09 14:23:41 sshd[2774] DEBUG: -> getpwnam_centrifydc_r user="steve-admin"
Nov 09 14:23:41 sshd[2774] DEBUG: User="steve-admin" str2ent=(nil) result=0x7f63365a2d80, buffer=0xbc8a16dce0
Nov 09 14:23:41 sshd[2774] DEBUG: User 'steve-admin' is not an override user
Nov 09 14:23:41 sshd[2774] DEBUG: Failed to open connection to adclient through '/var/centrifydc/daemon2' Socket error (No such file or directory)
Nov 09 14:23:41 sshd[2774] DEBUG: <- getpwnam_centrifydc_r, result=NSS_UNAVAIL(-1)
Nov 09 14:23:41 sshd[2776] DEBUG: Failed to open logging connection to adclient through '/var/centrifydc/daemon2': Socket error
Nov 09 14:23:41 sshd[2776] DEBUG: -> pam_sm_authenticate
Nov 09 14:23:41 sshd[2776] DEBUG: PAM Options: (none)
Nov 09 14:23:41 sshd[2776] DEBUG: PAM Flags: DISALLOW_NULL_AUTHTOK
Nov 09 14:23:41 sshd[2776] DEBUG: Failed to open connection to adclient through '/var/centrifydc/daemon2' Socket error (No such file or directory)
Nov 09 14:23:41 sshd[2776] DEBUG: All local users are APU.
Nov 09 14:23:41 sshd[2776] INFO: Authentication for user 'steve-admin': access allowed in emergency mode.
Nov 09 14:23:41 sshd[2776] DEBUG: pam_sm_common() failed 9
Nov 09 14:23:41 sshd[2776] DEBUG: Can't open /usr/share/centrifydc/lib64/libatda.so (/usr/share/centrifydc/lib64/libatda.so: cannot open shared object file: No such file or directory).
Nov 09 14:23:41 sshd[2776] INFO: AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=steve-admin pid=2776 utc=1510255421000 DASessID=N/A DAInst=N/A status=GRANTED service=sshd tty=ssh client=192.168.65.27 reason=User is always permitted to login
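An added example (not from the poster, and not Centrify code) that pulls the security-relevant events out of sshd debug output like the above: the adclient socket that could not be opened, and the "emergency mode" grant that let the login through without AD being consulted. The sample lines are constructed from the quoted output, and the AUDIT_TRAIL field layout is assumed from that single record.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled line by line on the sshd debug output quoted above.
SAMPLE_LOG = """\
Nov 09 14:23:41 sshd[2776] DEBUG: -> pam_sm_authenticate
Nov 09 14:23:41 sshd[2776] DEBUG: Failed to open connection to adclient through '/var/centrifydc/daemon2' Socket error (No such file or directory)
Nov 09 14:23:41 sshd[2776] DEBUG: All local users are APU.
Nov 09 14:23:41 sshd[2776] INFO: Authentication for user 'steve-admin': access allowed in emergency mode.
Nov 09 14:23:41 sshd[2776] INFO: AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=steve-admin pid=2776 utc=1510255421000 DASessID=N/A DAInst=N/A status=GRANTED service=sshd tty=ssh client=192.168.65.27 reason=User is always permitted to login
"""
SOCKET_FAIL = re.compile(r"Failed to open (?:logging )?connection to adclient through '([^']+)'")
EMERGENCY = re.compile(r"Authentication for user '([^']+)': access allowed in emergency mode")
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")   # key=value pairs; values may contain spaces


def parse_audit_trail(line: str) -> Optional[Dict[str, str]]:
    """Split an AUDIT_TRAIL record into its pipe-delimited header fields
    plus the trailing key=value pairs; None for any other line."""
    if "AUDIT_TRAIL|" not in line:
        return None
    fields = line.split("AUDIT_TRAIL|", 1)[1].split("|")
    record = {"product": fields[0], "component": fields[1], "event": fields[4]}
    record.update(KV.findall(fields[-1]))
    return record


def analyze(log_text: str) -> Dict[str, object]:
    """Collect the adclient sockets that could not be opened, the users let in
    under emergency mode, and every GRANTED audit record from a debug log."""
    unreachable, emergency, grants = set(), [], []
    for line in log_text.splitlines():
        m = SOCKET_FAIL.search(line)
        if m:
            unreachable.add(m.group(1))
        m = EMERGENCY.search(line)
        if m:
            emergency.append(m.group(1))
        rec = parse_audit_trail(line)
        if rec and rec.get("status") == "GRANTED":
            grants.append(rec)
    return {
        "adclient_unreachable": sorted(unreachable),
        "emergency_grants": emergency,
        "granted": grants,
        # The finding worth alerting on: a login accepted while the daemon
        # socket was missing, i.e. without AD being consulted at all.
        "fail_open": bool(unreachable) and bool(emergency),
    }
```

Run `analyze()` over the agent's debug log; a `fail_open` result is the condition to page on, since "User is always permitted to login" means the PAM module accepted the session without reaching adclient.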

Re: Login fails with socket error


Also: I have done the following and rebooted the server, before the above result...

 

UsePAM and ChallengeResponseAuthentication are set to YES in the /etc/ssh/sshd_config

Re: Centrify Crash Dumps


We're really close!

 

We have authentication working. Users are able to login and get mapped to their home directories. When trying to access Samba shares, the logs identify the users correctly. But it won't allow them to access shares, sadly. Here's what we see in the smbd log:

 

[2017/11/09 15:18:19.023461,  2] ../source3/smbd/service.c:862(make_connection_snum)
  [computername] (ipv4:[ipaddress]:49438) connect to service department initially as user [domain]\[username] (uid=819220300, gid=817889793) (pid 32376)
[2017/11/09 15:18:19.024516,  3] ../source3/smbd/service.c:198(set_current_service)
  chdir (/export/department) failed, reason: Permission denied

When doing an adquery on the username, the UID matches what shows in that log. When doing an adquery on the group Domain Users, the GID matches what shows in that log.

 

The folder /export/department has 0770 permissions set, with the group set to an AD group with the GID of 819233074, quite different from the GID for Domain Users.

 

Now the adquery for the user shows that the user here is a member of the group on the folder. And an adquery on the group on the folder shows that the user is a member of that group.

 

My theory is that the user is getting Access Denied because Samba is only seeing the Domain Users group instead of the one that is assigned to the folder. I'm not sure entirely, and I have no idea how to get past this hurdle. I'm open to any ideas if someone has seen this before.

Re: Centrify Crash Dumps


We got it all finished up finally!

 

Turns out that using the aforementioned "ad" backend for idmap in the smb.conf file is bad juju. I found someone mention (in the deep recesses of Google) that the "ad" backend will automatically use Domain Users as the primary gid unless you specify otherwise in the Unix Attributes in Active Directory.

 

Given that we don't have Domain Admin access, we opted to stray away from that and go back to the default backend. Once we did that, our groups came back up no problem.

 

We also found that if we disable Winbind, we lose our group maps for some reason. My guess is it's related to nsswitch.conf somewhere, but I'm good with leaving it enabled. I'm just happy to have something functional.

 

Thanks again for the advice: you really helped us get on the right path.
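An added example, not from the posters and not Samba or Centrify code: a plain POSIX access check run with the uid/gid values from the two posts above, showing why smbd's chdir on a 0770 directory fails when the session carries only the Domain Users primary gid, and succeeds once the folder's AD group (gid 819233074) is among the supplementary groups. The directory owner is assumed to be root, which the thread does not state.

```python
import stat
from typing import Iterable

# Values quoted in the two posts above: the 0770 share directory, the user's
# uid, the Domain Users gid smbd reported as primary, and the gid of the AD
# group actually set on /export/department.
SHARE_MODE = 0o770
SHARE_GID = 819233074
USER_UID = 819220300
DOMAIN_USERS_GID = 817889793
SHARE_UID = 0   # assumption: the directory is owned by root (not stated in the thread)


def may_enter(mode: int, dir_uid: int, dir_gid: int,
              uid: int, gid: int, groups: Iterable[int]) -> bool:
    """POSIX access check as chdir() applies it: the search (x) bit of the
    first matching class (owner, then group, then other). The group class
    matches the primary gid OR any supplementary gid, so a process that
    was handed only its primary gid is denied even though adquery says
    the user is a member of the directory's group."""
    if uid == 0:
        return True                      # root bypasses mode bits
    if uid == dir_uid:
        return bool(mode & stat.S_IXUSR)
    if dir_gid == gid or dir_gid in set(groups):
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def samba_chdir_outcome(supplementary: Iterable[int]) -> str:
    """What smbd's chdir(/export/department) returns for the user, given the
    supplementary gids the idmap backend resolved for the session."""
    ok = may_enter(SHARE_MODE, SHARE_UID, SHARE_GID,
                   USER_UID, DOMAIN_USERS_GID, supplementary)
    return "ok" if ok else "Permission denied"
```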

Getting "failed to clear tatoo" error


We have been building out an AD domain and joining Linux machines to it using centrifydc.

 

Going pretty well for the most part.

 

One Linux box is disconnecting from the domain, for no obvious reason. (Not obvious to me, at any rate). After enabling centrifydc debugging, I found that the kerberos keytab was missing from this box.

 

I tried to use "adkeytab" but it failed with error:

 

# adkeytab -r verbose -K /etc/kb5.keytab

Error: Keytab file does not exists /etc/kb5.keytab

 

I then decided to start from scratch, and I ran "adleave". I got a weird "tatoo" error:

 

# adleave --user "${ADJOIN_USERNAME}" --password "${ADJOIN_PASSWORD}" --remove
Using domain controller: qadc01b.qa.example.com writable=true
Failed to clear tatoo in computer object, leave continue. Please advise the administrator of the failure to cleanup tatoo in operatingSystemServicePack attribute of the computer object "CN=batch01b,OU=Linux,OU=Servers,DC=iad1,DC=qa,DC=example,DC=com".
Left domain.
Centrify DirectControl stopped.

 

"Failed to clear tatoo in computer object, leave continue"

 

What on earth??? (I've since learned what "registry tattooing" is. As a long-time Linux admin, I've never encountered this term.)

 

In any case, the computer appeared to have left the domain. adinfo showed as much:

 

# adinfo
Not joined to any domain
Licensed Features: Disabled

 

I then re-ran the centrifydc install script and it joined the domain and installed /etc/krb5.keytab; adinfo shows it is joined and "getent passwd" shows AD users.

 

QUESTIONS

Is this "tatoo" error anything I should be concerned about? How do I fix it?

How can I determine why this box became disconnected from the domain in the first place?

Why did the krb5.keytab disappear? Why didn't "adkeytab" work?

 

 

Thanks!

Re: Getting "failed to clear tatoo" error


Welcome to the Centrify community forums.

 

Rapid fire answers:

 

  • Is this "tatoo" error anything I should be concerned about? How do I fix it?

    Our apologies for the curious message; the simple explanation is that adleave attempted to clear the operating system and version information in its AD computer object prior to disabling it, and it could not.

    This is due to the SELF conditional object not having the proper permissions to write those attributes.

    The KB below explains some of the attributes that the computer object should be able to modify. The KB is a benefit for all current commercial customers.
  • How can I determine why this box became disconnected from the domain in the first place?
    Just recently, we answered this for another poster:  https://community.centrify.com/t5/Centrify-Express/Centrify-disconnected-in-MAC-e-Linux/m-p/30080#M10709
  • Why did the krb5.keytab disappear? Why didn't "adkeytab" work?
    Hard to know without access to the system or a change control log (human intervention? DevOps solution?)

 

======================

KB-8453: What computer account attributes are managed by Centrify at join time and on an ongoing basis?

Centrify DirectControl, 30 March 2017 at 03:28 PM
 
Applies to:
All versions of DirectControl

Question:
What computer account attributes are managed by Centrify at join time and on an ongoing basis?

Answer:
On an ongoing basis, Centrify does the following:
(1) monitors the computer account password and, every 28 days, adclient will try to change it.
(2) on adclient start up, and at intervals, adclient will update the following computer objects:
  • operatingSystem
  • operatingSystemVersion
  • operatingSystemServicePack
  • postalAddress
(3) There is one additional attribute that is consistently monitored:
  • msds-SupportedEncryptionType
This will be updated when the Domain Functional Level is raised from Windows Server 2003 to Windows Server 2008 and up. Its function is to add or enable AES128 and AES256 support.

Re: Getting "failed to clear tatoo" error


Thanks!

 

For closure, here's what we determined

 

The /etc/krb5.keytab got deleted due to a mistake in our Centrify migration process, i.e. human error on our part. We ran a script that cleared out the old domain integration (we were using sssd + FreeIPA) and, as part of that script, krb5.keytab gets deleted. But that box was already configured for Centrify + AD, so deleting the keytab broke its attachment to the domain.

 

This answered both the "where'd keytab go?" and "why'd this box drop from the domain?" questions.

 

And I think based on your answer about the "tatoo" error, that I can ignore that.

 

Thanks again!


Re: Getting "failed to clear tatoo" error


Awesome job at circling back!

Kudos!

Re: Getting "failed to clear tatoo" error


Most definitely. I hate internet posts that don't have a conclusion!

Eliminate Centrify Sync after removal


We've stopped using Centrify to sync Samanage with Azure AD since there is direct support now. I've removed all components locally but I'm still getting daily sync reports (which show failure of course) from Centrify. How can I eliminate this daily sync attempt?

Download Links Broken

Re: Download Links Broken

Re: Download Links Broken


Thank you for bringing this to our attention. We will look into it ASAP. Our apologies for the inconvenience this may have caused.

 

Regards,

Re: Problem with samba on Solaris 10 using CentrifyDC-adbindproxy


Alan,

Thank you for your response to my problem. I apologize for taking so long to get back to this.
Here I respond to each of your questions.


(1)The three packages mentioned should be installed together with CentrifyDC (5.3.0), could you verify from:

pkginfo | grep -i centrify?

samba system
root@library # pkginfo | grep -i centrify
system      CentrifyDC                       Centrify DirectControl Agent
system      CentrifyDC-adbindproxy           CentrifyDC support for Samba

non samba system
-bash-3.2# pkginfo|grep -i centrify
system      CentrifyDC                       Centrify DirectControl Agent
 
Installed 5.3 on all my Solaris 10 and 11 systems using pkgadd, and joined AD without issue. They all work correctly.
It is only the samba systems that don't work.
We are fully licensed
 

(2)Have you installed the CentrifyDC from install.sh?

CentrifyDC was installed using pkgadd
CentrifyDC-adbindproxy was installed using pkgadd
The Samba script adbindproxy.pl fails to accept input on Solaris 10 samba server.
 

(3)A side note that for the version of Samba  (4.4) we would suggest to use newer version of CentrifyDC and adbindproxy (5.4.0)

The 5.4.0 that I got from our internal software repository is what is missing these:
CentrifyDC-openssl
CentrifyDC-openldap
CentrifyDC-curl

Could I have access to download these newer files directly from your site ?
We are fully licensed under either USGS or DOI, not sure which one.

centrify-suite-2017-sol10-sparc.tgz
centrify-adbindproxy-5.4.0-sol10-sparc.tgz

 

However adbindproxy is not offered in Express version.  May I know if you are Express customer purely or you have licensed account which allow you to download the software?
Yes, we are licensed

Thanks for your help. Please let me know if I can have access to those two files.

 

Bill

 


Re: Download Links Broken


This issue has been resolved. Once again our apologies for the inconvenience this may have caused.

 

Regards,

Having trouble updating Centrify Express


We're having trouble updating Centrify Express. We're on Version: 5.4.2.648.  When I click on Download Software, it goes to download, then nothing happens.

 

The following analysis tools will be downloaded:
    - Centrify adcheck for Mac 10.10 Intel, Mac 10.11 Intel, Mac 10.12 Intel, Mac 10.13 Intel
    - Centrify adcheck for Mac 10.6 Intel, Mac 10.7 Intel, Mac 10.8 Intel
    - Centrify adcheck for Mac 10.7 Intel, Mac 10.8 Intel, Mac 10.9 Intel, Mac 10.10 Intel
    - Centrify adcheck for Mac 10.8 Intel, Mac 10.9 Intel, Mac 10.10 Intel
    - Centrify adcheck for Mac 10.9 Intel, Mac 10.10 Intel, Mac 10.11 Intel
The following packages will be downloaded:
    - Centrify Infrastructure Services 2017.2 for Mac 10.10,10.11,10.12,10.13 Intel
Click Finish to start downloading software from Centrif

 

Centrify is Deployed on a Windows Server 2008 R2 Standard machine.

 

 

Any ideas?

Re: Having trouble updating Centrify Express


Hi,

 

Welcome to Centrify Community!

 

As Suite 2017.2 is the same as version 5.4.2, may we know what issue you are having?

 

Also, may we know what version of Centrify Deployment Manager you are running with?

 

You can find that out from: Help -> About DirectManage Deployment Manager...

 

Please keep us posted with the information above. Thank you!

 

BR,

Ivan

Two Factor Authentication - PAM_Radius


Hi,

 

One of my Linux servers is running Oracle Linux 6.9, and the Centrify client is installed on it to integrate with AD. AD integration is done and all my users log in to the server with AD credentials. No issues with login.

 

As additional security I want to implement two-factor authentication with pam-radius. I have installed the pam-radius rpm and pointed the server to the SecureAuth server. I have enabled usepam=yes in the ssh config file and restarted the machine. After reboot, two-factor authentication is not working; I'm able to log in with normal ssh. I need help configuring the RADIUS client. I have looked at many online docs but they didn't help me.

 

 

Re: Two Factor Authentication - PAM_Radius


Welcome back.

 

As you know, Centrify provides MFA for UNIX, Linux, Windows, our Vault and more (all you need is a tenant; sign up using the "Try it now" button).

 

If you need help on PAM chaining, we suggest you check with the PAM_RADIUS maintainer or your MFA provider.

 

Here are a few references (you may be able to infer what to do from here):

 

R.P

 
