Channel: All Centrify Express posts

Re: user account differences


Welcome to the Centrify forums.

 

Two interesting differences here:

  • One server is using an EOL version of Centrify software (5.1).
  • As it relates to the user "fake" - you can spot the difference in the UNIX identity shell.
    Good server:
    fake:x:1234:101:fake user:/home/fake:/bin/csh
    "Bad" server (notice the double-quotes):
    fake:x:1234:101:fake user:/home/fake:/sbin/nologin
    In the Good server, the user has a valid role assignment that is still effective (hence the C shell: /bin/csh); in the "bad" server, the user has an expired role assignment (looks like someone did the right thing and did not assign user fake a permanent role), and when the role expired, they were switched to Nologin (/sbin/nologin).  This will present the user with a message like "This account is currently not available" (or some other custom message).

 

Ultimately, the user is not allowed to log in to the bad server (turns out it's not bad, it's actually doing the right thing by denying access to the system and protecting the asset).

 

You can further verify this by running the "dzdo dzinfo fake" command on both systems.  Alternatively, you can use Access Manager's "User Effective Rights" or even PowerShell to see this.

 

To fix this (if the intent is for user fake to access the "now discovered not bad server"), he needs to be granted a role assignment that allows him to log in, and to make things fast, run the adobjectrefresh or adflush commands on the target system.

 

I hope this helps.


Re: user account differences

Thanks for the reply.
You're a little confused though.
Good Server, which is RH 5.8 running the 5.1 Centrify client version, which is EOL. Thanks for that info.
# adinfo -v
adinfo (CentrifyDC 5.1.0-497)
The query on the good system shows
# adquery user faker
faker:x:1234:101:Faker:/home/cdunn:/bin/csh
========================================================
Bad Server which is RH 5.11 and 7.2 has centrify client version 5.3.4
# adquery user faker
faker:x:1234:101:Faker:/home/cdunn:/bin/nologin
========================================================

I understand the purpose of nologin, having been a unix admin for too many years. As I stated, all systems are joined to the same DC.
This is strange because the faker user is on the same DC but the query is not coming back with the same results; obviously something is wrong.
But I get what you're saying and will follow up with that.

Phillip


Re: user account differences


Perhaps I should have asked for a bit of clarification.

 

I am answering the question based on the assumption of "Why can user faker log in to good server but can't to bad server?"   If this is not what you wanted answered, please rephrase the question.

 

Keep in mind (back to basics):

 

In a system joined to a Centrify Zone, two conditions must be in place for the user to access the system:

  • The user must have an identity defined in the zone  (faker does).
  • The user must have a role (assigned directly or via AD group membership)  that allows him to log in  (here is the issue that I see).

There are two reasons why faker's line shows like that in the "bad" server, and both of them are expected behaviors:

  • The user once had a valid role assignment; it was assigned temporarily and has expired.
    [image: tac-css.PNG]
  • The user has been assigned the "listed" role.
    This type of role and assignment is usually done in systems working as filers (NFS or Samba) because you want the user to be "known" by the system, but you don't want to allow the user to log in.
  • The user may have a poorly constructed role  (e.g. a role missing a PAM right) - long shot but possible.

 

The best way to confirm/dismiss this is to look at the output of the "dzinfo faker"  command in both systems (this has to be run with privilege).

 

The domain controller that they are communicating with is irrelevant (unless you just made the change and want it to be effective).

 

Let's hope this clarifies a bit, but if you outline (without technical details) the behavior exhibited (faker can't log in to bad server, but can log in to good server) and the behavior expected (I want faker to be able to log in to both systems).

 

R.P

Centrify Connector 18 on Windows 10


In my organization, we are using the Centrify Connector 17.10 on a Windows 10 Professional machine to link to Active Directory. However, when trying to upgrade to version 18.2, I now get an error stating that the connector only runs on Windows Server. Our Active Directory environment is Linux (Samba4) based, and we have no Windows Server systems on our network, and no plans to purchase any (it is outside of our budget). This is going to become a problem as soon as the connector version 17.10 is no longer supported. Is it possible to link our Active Directory setup to Centrify without using a Centrify Connector, or will there be a version of the connector available for Windows 10 in the future? Thank you.

Re: Centrify Connector 18 on Windows 10

Centrify Desktop and CISCO AnyConnect


Hello

 

I work in a team that uses the Centrify mobile app to get a token that works as a "second password" to connect with Cisco AnyConnect to a remote server. So... long story short, I have a very old and outdated smartphone and I do not have space to download the app, so I downloaded the Centrify desktop trial and I'm trying to configure it to get this token number to log in to AnyConnect.

 

Any Ideas or Help?

 

Screens:

 

https://i.imgur.com/v8t05f7.jpg

https://i.imgur.com/9kiPaHu.jpg

 

Regards

 

 

Re: Centrify Desktop and CISCO AnyConnect


Hi Pablo,

 

Centrify offers other methods for MFA such as SMS text message, e-mail, phone call, etc. Please talk to your Centrify administrator to check which is the best way to offer you second-factor authentication.

 

Regards,

 

Israel Biscaia

Re: Problem with local account ssh access


The link provided no longer works.  I have the same issue; how do I resolve it?


Re: Problem with local account ssh access


Hi,

 

I've fixed the link in Fel's post. Can you please try again?

 

Thanks,

Adding Ad UserAccount into local Group


hello guys

 

I need your help. I'm not a Linux guru, but from time to time I need to work with it, and I would like to improve. Also, one user asked me to add his account to the dialout local group in order to connect to his Arduino.

 

In this Linux box the user is authenticated through Centrify. If I have to add this account to some local group, I saw that I cannot use the usermod command but have to write his account manually into the correct group in the file /etc/group.

 

The question is, do I also have to modify the configuration files, as I read in this post, Add AD User to Local Group:

 

In /etc/centrifydc/centrifydc.conf, uncomment and change the following parameter to true:

 

adclient.local.group.merge: true

 

Because our new sysadmin has added only the user to the local group in /etc/group, without editing the centrifydc.conf file.

 

So basically, when do we need to set adclient.local.group.merge to true?

 

 

Re: Adding Ad UserAccount into local Group


Welcome back.

Note that it's always better if you tell us what you want to accomplish without any implementation details.

 

For example, "I'd like to add an AD user from a Centrified system to a LOCAL UNIX secondary group"

This way the answer is very evident.  (e.g. "usermod -a -G oracle jane.user")

 

Now to your post

"If i had to add this account to some local group i saw that i cannot use the usermod command but i have to write his account manually in the correct group in the file /etc/group."

Why can't you just use usermod? It should just work.

 

The Question is i have also to modify the configuration files as i read in this post Add AD User to Local Group

Tip:  anything older than 3 years may have changed.

 

So basically when we need to set the adclient.local.group.merge to  true?

This parameter is used for a very specific use case (most likely related to the commercial version).

 

adclient.local.group.merge

Scenarios to be addressed:  Identity duplication, migrations, etc.

Description:  In your design, you want to control primary and secondary UNIX group memberships using AD security groups.  In your environment you have several JBoss servers that have the secondary group jboss.  In the middle of your migration, you have not done all users (typically done in phases), therefore there will be local users and AD users in this group.  You still need to be able to add both, but want to maintain control for AD users.

How do you work this out?

 

  1. Maintain the local jboss group in your servers with the yet-to-be-migrated local users.
    the local entry has 3 users:  jboss:x:505:jane,bob,michael
  2. Create a UNIX-enabled group in AD, and name it jboss.
  3. Add your UNIX-enabled AD users to the jboss group in the corresponding zone (matching the same GID)
    the ad group entry has 3 users too:  jboss:x:505:tetsu,fel,aurora
  4. Set the adclient.local.group.merge parameter and run adreload
  5. Do an adquery group (or getent group)
    the group presents members from the two sources  jboss:x:505:jane,bob,michael,tetsu,fel,aurora

Now apps looking at that group can account for local and AD identities.

 

 

I hope this helps.

 

You have a UNIX-enabled AD group called "jboss"
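The five-step merge described in the post above can be checked offline before touching a real server. The script below is an added example and is not Centrify's code or anything from the post: it takes a constructed local /etc/group line and a constructed zone group line (the same jane,bob,michael and tetsu,fel,aurora members as above), refuses to merge when the group name or GID differs (the reason step 3 says "matching the same GID"), drops members that appear on both sides, and checks a constructed centrifydc.conf fragment for an uncommented adclient.local.group.merge: true line. The function names group_field, merge_group_lines and merge_enabled are made up for this example.

```shell
#!/bin/sh
# Added example (not Centrify's code): simulate the effect of
# adclient.local.group.merge on one group, using constructed input only.

# Constructed entries, mirroring the jboss example in the post above.
LOCAL_JBOSS='jboss:x:505:jane,bob,michael'   # local /etc/group line
AD_JBOSS='jboss:x:505:tetsu,fel,aurora'      # zone (AD) group as adquery would show it

# group_field LINE N: print field N (1=name, 3=GID, 4=members) of a group line.
group_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# merge_group_lines LOCAL_LINE AD_LINE: print the merged group entry.
# Fails (exit 1) when the names or GIDs differ, since the merge only makes
# sense for the same group under the same GID.
merge_group_lines() {
    name=$(group_field "$1" 1)
    gid=$(group_field "$1" 3)
    ad_name=$(group_field "$2" 1)
    ad_gid=$(group_field "$2" 3)
    if [ "$name" != "$ad_name" ]; then
        echo "error: group names differ ($name vs $ad_name)" >&2
        return 1
    fi
    if [ "$gid" != "$ad_gid" ]; then
        echo "error: GID mismatch for $name ($gid local vs $ad_gid in AD)" >&2
        return 1
    fi
    # Concatenate both member lists, drop blanks and duplicates, keep order.
    merged=$(printf '%s\n%s\n' "$(group_field "$1" 4)" "$(group_field "$2" 4)" \
        | tr ',' '\n' | awk 'NF && !seen[$0]++' | paste -s -d ',' -)
    printf '%s:x:%s:%s\n' "$name" "$gid" "$merged"
}

# merge_enabled CONF_FILE: succeed only if the file has an uncommented
# "adclient.local.group.merge: true" line (comment lines start with #).
merge_enabled() {
    grep -Eq '^[[:space:]]*adclient\.local\.group\.merge[[:space:]]*:[[:space:]]*true[[:space:]]*$' "$1"
}

# Demonstration run with the constructed data.
merge_group_lines "$LOCAL_JBOSS" "$AD_JBOSS"
# prints: jboss:x:505:jane,bob,michael,tetsu,fel,aurora

# A GID mismatch is reported instead of silently producing a wrong entry.
merge_group_lines "$LOCAL_JBOSS" 'jboss:x:600:tetsu' || echo "merge refused, as expected"

# Constructed centrifydc.conf fragment: the commented-out line does not count.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# adclient.local.group.merge: false
adclient.local.group.merge: true
EOF
if merge_enabled "$SAMPLE_CONF"; then
    echo "adclient.local.group.merge is enabled in $SAMPLE_CONF"
fi
rm -f "$SAMPLE_CONF"
```

On a real system the two inputs would come from the local file (grep '^jboss:' /etc/group) and from the zone (adquery group jboss), and the conf check would point at /etc/centrifydc/centrifydc.conf; the script deliberately avoids calling those tools so it runs anywhere.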

Re: Adding Ad UserAccount into local Group


For the moment I would be happy to understand Centrify just for basic troubleshooting. We have a very simple Active Directory infrastructure.

 

However, if I remember well, the usermod failed and we needed to add the user account directly to the file /etc/group.

But frankly, when the user ran Arduino there was a pop-up (through the GUI) asking for the password of the local admin account in order to add the user to the dialout group, and we had a usermod failure.

 

I also tried useradd via bash, but that command failed as well.

 

 

Thanks for the link, I need to start learning from the basics...

Re: Adding Ad UserAccount into local Group


Adding another domain


I have a server in production that I'm going to eventually move to another domain.  I was wondering if it is possible to have Centrify connected to a second domain, to start setting things up to test before removing it from the first domain?

Re: Adding another domain


Are you using the product in zone mode (commercial) or in workstation/express  (Auto Zone) mode (or a mix)?

 

R.P

 


Re: Adding another domain


I only have the express version.

Re: Adding another domain


In that case, a 10,000-foot view:

  • Nothing is stopping you from doing your testing once the new domain is installed.
  • If there will be a trust between the old and new domains, remember that Express only supports 2-way trusts.  The commercial version supports one-way trusts.
  • Identity Namespace:  Note that this is automatically generated for you by the client (unlike the commercial version, which you have control over):
    • login -> user's samaccountname
    • group name -> group's samaccountname
    • UID and GID -> uniquely generated based on the domain's SID
    • GECOS -> the user's display name (or group's display name)
    • Home & Shell -> based on platform settings.

      What does this mean to you?
      If you don't plan to use a trust to connect the old and the new, this means that you must plan for a migration.  Once you join the new domain, although the login or display names for users may be the same, since that domain will have its own unique SID, all UIDs/GIDs will change, and therefore users will lose ownership of their files.

If this will be a brand-new Windows 2016 AD, make sure you are using the latest and greatest version of adclient to enjoy the benefits.

Re: Adding another domain


I cannot find the Windows app to run this.  Also, I'm not able to find install-express.sh on my Linux server.  This was set up back in 2012.  I think there was some housecleaning.  How do I go about adding the second domain?  Can I just edit /etc/centrifydc/centrifydc.conf?  Then run adjoin?

Re: Adding another domain


The very last suggestion was to download the latest and greatest versions of the software.

Go to the download center and download the bits you need.

 

https://www.centrify.com/express/linux/download/

 

If you are doing a new domain, keep in mind that your option most likely will be to do it in Windows Server 2016, since Windows 2012 R2 is out of mainstream support.

The clients from the year 2012 will not work with a Windows 2016-based Active Directory domain.  There is also the need to keep software up-to-date because of security due diligence.

 

Just in case you used this, also remember that our Samba support changed significantly 2 years ago.  We went from distributing a "Centrified"  version of Samba to only providing an Identity Mapper.

 

Finally - you don't need the Windows app to distribute software.  We provide all the native packages, so if you're using a DevOps solution like Chef, Puppet or Ansible, that would probably be the better way to go.

 

To install and join:

- Use the native package manager to install  (e.g.  sudo yum install CentrifyDC) or with DevOps  (package CentrifyDC)

- Run the adjoin command  (e.g. sudo adjoin -w -c ou=your,ou=container -u your-user  domain.name).

Re: Adding another domain


Thanks for the download link and additional information.  A new company has purchased us and we are moving to their domain.  They only have Windows 2012 R2 domain controllers and told me that I can only use Windows 2012 R2 DCs for now.  Also, there is no trust between the old domain and the new domain.  What problems is this going to cause?

 

The usernames will be the same on the new domain, but with a different domain name.  

I would like to add the new domain to the production server and then have the users log in.  I assume they will have different IDs and not have permission on their files/directories.  But once they log in and I see what their new IDs are, I can change the files/directories to their new accounts.  I'm hoping this is the best way to accomplish this in Express?

 

I've downloaded the new version as suggested.  When I run it will it overwrite the old settings or will it just give me the option to add the additional domain?

 

Regards,

Jeff
