Re: Support for one way trusts?
Welcome to Centrify!
The fastest way is to fill out this form: https://www.centrify.com/free-trial/
What to expect?
A sales lead will contact you to determine what your goals are. Provided that the usual sales details (project, requirements, timeline for decision) are gathered and there's a good fit between your requirements and our capabilities, you then get assigned an SE who will help you in the evaluation process for 30 days.
R.P
Keychain issues with Mac OS 10.11
Greetings to all. I apologize, because I am a Centrify end-user and not an administrator, so I don't know all the details on what exactly is installed on my machine. I do know that we now have a version of Centrify and require a government PIV card to log in to the machine. Here is my question:
Since the update, my keychain has never quite worked the way I think it should. I understand that the normal default keychain is gone, and there is now a token-protected keychain in its place. Fair enough. Unfortunately, that keychain seems to be unmodifiable, and continuously asks me for a password, even though nothing I enter works. It is very frustrating, because I get a dialog box that I must keep clicking "deny" until it goes away, only to reappear a few minutes later.
There are other issues... disappearing Safari extensions, periodic loss of iCloud support, etc., but that "please enter the password for your token-protected keychain" message is the worst. Any idea about how to smooth out those bumps? Thank you VERY much!!
Re: Signing forms-Express (Mac) for Smart Card
Hi
Welcome to Centrify Community!
I have done some research and found the following article that might be able to help you configure the Digital ID for Adobe:
https://helpx.adobe.com/acrobat/using/digital-ids.html
https://helpx.adobe.com/acrobat/using/certificate-based-signatures.html
As you mentioned the card is able to sign you into the machine and website with no problem, I would expect this should be a configuration issue on the Adobe side. Hope the document can shed some light on your issue. Thank you!
BR,
Ivan
Re: Keychain issues with Mac OS 10.11
Hi
Welcome to Centrify Community!
According to your description, I believe you are having the following problems:
In OS X, the keychain is a central and secure location for saving passwords. One of the default keychains in OS X is the "login" keychain and when the user logs in, the login keychain is unlocked and made accessible to the user. The same password that is used for logging into the Mac is used for unlocking the login keychain. However if the password for logging into the Mac falls out of sync with the login keychain password, the unlock will fail. As a result, applications attempting to access the keychain will prompt the user for a password until it can be unlocked.
There are several scenarios where this may occur, for example:
- Migrating a home folder from a local to AD user, where the password for the local account is different from the password for the AD account.
- Changing the AD user's password from outside the Mac itself, such as directly in AD or through OWA.
- A user manually changes the login keychain password, or imports a new login keychain from another system.
The Keychain Access app can be used to re-sync the login keychain with the user's current AD password. If the password for the login keychain is not known, it may be necessary to delete the existing login keychain and create a new one, though this will delete all existing app passwords that were associated with the user's account. Once the passwords are synced, the login keychain will unlock automatically when logging in, and the messages asking for the password will stop.
This issue is not limited to Centrify and can occur when using Apple's native AD plugin. For further reading, please review Apple's document on troubleshooting the login keychain:
Hope it helps. Thank you!
BR,
Ivan
Re: sudo hanging for 10 minutes on Solaris 10
Hello Young,
If that is the case, could you please try to upgrade the Centrify agent to a later, supported version and see if there is any improvement on the delay issue?
If you are still seeing the delay issue after the upgrade, you can enable debugging again and collect the debug file for further investigation.
Please do feel free to let me know if you have any further questions on this topic.
BR,
Andy
How to remove all files after Agent uninstall.
Hi,
I am trying to remove all the installation files after the agent install on a test machine.
After running "/bin/sh /usr/share/centrifydc/bin/uninstall.sh"
I still got the below:
/etc/selinux/targeted/active/modules/400/centrify-krb5-2
/etc/selinux/targeted/active/modules/400/centrifyda
/etc/selinux/targeted/active/modules/400/centrifydc-2
/etc/selinux/targeted/active/modules/400/centrify-krb5-2/cil
/etc/selinux/targeted/active/modules/400/centrify-krb5-2/hll
/etc/selinux/targeted/active/modules/400/centrify-krb5-2/lang_ext
/etc/selinux/targeted/active/modules/400/centrifyda/cil
/etc/selinux/targeted/active/modules/400/centrifyda/hll
/etc/selinux/targeted/active/modules/400/centrifyda/lang_ext
/etc/selinux/targeted/active/modules/400/centrifydc-2/cil
/etc/selinux/targeted/active/modules/400/centrifydc-2/hll
/etc/selinux/targeted/active/modules/400/centrifydc-2/lang_ext
#/var/centrifydm
/var/centrifydm/tmp
/var/centrifydm/tmp/CentrifyInstall
/var/centrifydm/tmp/adcheck-rhel5-x86_64.1010203237
/var/centrifydm/tmp/centrify-suite-2018-rhel5-x86_64.tgz.1010203237
/var/centrifydm/tmp/CentrifyInstall/CentrifyDA-3.5.0-rhel5.x86_64.rpm
/var/centrifydm/tmp/CentrifyInstall/CentrifyDC-5.5.0-rhel5.x86_64.rpm
/var/centrifydm/tmp/CentrifyInstall/CentrifyDC-curl-5.5.0-rhel5.x86_64.rpm
/var/centrifydm/tmp/CentrifyInstall/CentrifyDC-ldapproxy-5.5.0-rhel5.x86_64.rpm
/var/centrifydm/tmp/CentrifyInstall/CentrifyDC-nis-5.5.0-rhel5.x86_64.rpm
/var/centrifydm/tmp/CentrifyInstall/CentrifyDC-openldap-5.5.0-rhel5.x86_64.rpm
/var/centrifydm/tmp/CentrifyInstall/CentrifyDC-openssh-7.6p1-5.5.0-rhel5.x86_64.rpm
/var/centrifydm/tmp/CentrifyInstall/CentrifyDC-openssl-5.5.0-rhel5.x86_64.rpm
/var/centrifydm/tmp/CentrifyInstall/adcheck-rhel5-x86_64
/var/centrifydm/tmp/CentrifyInstall/centrify-suite.cfg
/var/centrifydm/tmp/CentrifyInstall/centrifydc-install.cfg
/var/centrifydm/tmp/CentrifyInstall/install-express.sh
/var/centrifydm/tmp/CentrifyInstall/install.sh
/var/log/centrifydc-install.log
Marked into the tmp, I believe I can just delete... but re SELinux, can I just delete or?
semodule -r centrify
libsemanage.semanage_direct_remove_key: Unable to remove module centrify at priority 400. (No such file or directory).
semodule: Failed!
---
semodule -r centrifydc
libsemanage.semanage_direct_remove_key: Unable to remove module centrifydc at priority 400. (No such file or directory).
semodule: Failed!
-------
semodule -r centrifyda
libsemanage.semanage_direct_remove_key: Removing last centrifyda module (no other centrifyda module exists at another priority).
Remaining:
/etc/selinux/targeted/active/modules/400/centrify-krb5-2
/etc/selinux/targeted/active/modules/400/centrifydc-2
/etc/selinux/targeted/active/modules/400/centrify-krb5-2/cil
/etc/selinux/targeted/active/modules/400/centrify-krb5-2/hll
/etc/selinux/targeted/active/modules/400/centrify-krb5-2/lang_ext
/etc/selinux/targeted/active/modules/400/centrifydc-2/cil
/etc/selinux/targeted/active/modules/400/centrifydc-2/hll
/etc/selinux/targeted/active/modules/400/centrifydc-2/lang_ext
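The module-store directories left behind in the post above carry the exact module names (centrify-krb5-2, centrifydc-2), which differ from the names passed to semodule -r. The following is an added example, not part of the original post or of Centrify's uninstall script: it derives the priority and module name from such paths and prints the matching removal commands without running them; the function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive exact SELinux module names from leftover
# module-store paths and print the matching removal commands.
# Nothing is removed here; the commands are only printed for review.

# Reads paths on stdin; prints one "semodule -X <prio> -r <name>" per module.
# Store layout: <root>/active/modules/<priority>/<module>[/cil|hll|lang_ext]
leftover_module_cmds() {
    sed -n 's#^.*/active/modules/\([0-9][0-9]*\)/\([^/][^/]*\).*$#\1 \2#p' |
        LC_ALL=C sort -u |
        while read -r prio name; do
            printf 'semodule -X %s -r %s\n' "$prio" "$name"
        done
}

# Constructed sample: a subset of the paths reported as remaining in the post,
# plus one non-SELinux path that must be ignored.
sample_paths() {
    cat <<'EOF'
/etc/selinux/targeted/active/modules/400/centrify-krb5-2
/etc/selinux/targeted/active/modules/400/centrifydc-2
/etc/selinux/targeted/active/modules/400/centrify-krb5-2/cil
/etc/selinux/targeted/active/modules/400/centrifydc-2/hll
/var/centrifydm/tmp
EOF
}

# On a live host, feed it a real listing instead, e.g.:
#   find /etc/selinux/targeted/active/modules -name 'centrify*' | leftover_module_cmds
sample_paths | leftover_module_cmds
```

Removing a module through semodule keeps the policy store consistent, which deleting the directories by hand does not.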
Re: How to remove all files after Agent uninstall.
Hello Pizu,
May I know if you can provide the exact OS version and confirm if you were using Centrify DirectControl version 5.5.0?
Thanks,
Andy
Re: macOS Sierra 10.12.2 DOD CAC Access Issues
It should be a simple matter of changing "DisabledTokens" to "EnableTokens".
Where can I obtain PIV.tokend?
I had been using my VA PIV card for remote access until last year when it stopped working. I don't remember if it was due to changes made to the VA's remote access architecture or upgrades to my Mac OS. I didn't need remote access much back then, so I didn't put forth much time troubleshooting the problem. Now I could benefit from using remote access again, so I've started doing some troubleshooting.
When I examine the following folder, the contents are empty: System > Library > Security > tokend
It appears that I need the PIV.tokend file. I've reinstalled the Centrify drivers and verified that my Mac connects to my SCR3310 reader. Any idea how I can get the PIV.tokend file again? I assume I had it when I previously was able to use the VA's CAG.
Re: Where can I obtain PIV.tokend?
Hello Christopher,
Welcome to Centrify!
I've opened a support ticket for you to follow up this smart card issue.
Could you please check your mailbox and see if you have received my email?
Best Regards,
Alan Ho
Re: macOS Sierra 10.12.2 DOD CAC Access Issues
To re-enable, you need "EnabledTokens", thus:
sudo defaults write /Library/Preferences/com.apple.security.smartcard EnabledTokens -array com.apple.CryptoTokenKit.pivtoken
DirectControl - need to obtain UID before provisioning
Hi all,
I have a situation where I need to know what the UID for a user is going to be, before they are actually provisioned in the zone.
I know DirectControl assigns a unique UID for a user.
Wondering if this UID value is deterministic.
any help is appreciated
Greg
Re: DirectControl - need to obtain UID before provisioning
Welcome back. Happy to help!
Excellent question. We have discussed these topics in the past in this series: https://community.centrify.com/t5/TechBlog/Basics-Centrify-Zone-schemas-UNIX-identity-data-sourcing-and/ba-p/23947
When using DirectControl, the UID/GID values are based on the user's (or group) SID - this provides the assurance that the UNIX identity generated will not collide. Good info on SIDs here.
Most importantly, we support different algorithms (schemes) to facilitate migrations. The most common example is the Apple Scheme. We support this scheme to generate UID/GID to facilitate large migrations from the AD Apple Plugin to Centrify DirectControl.
Info on Apple Scheme here: https://docs.centrify.com/en/centrify/macadmin/index.html#page/macadmin/adm_generate_UID_and_GID_for_mac_users.html
The key here is that you must understand what is the current scheme being used before you can try to determine the user's identity. Note that by default, the Centrify scheme is used and this can be set in different places:
- Locally at the client level: (highly undesirable because you have to touch each system) and ideally facilitated by a tool like Chef, Puppet, Ansible, etc.
This means that you could pre-determine the UID for a user, but if the scheme is overridden at the client level (e.g. in the case of Mac OS X), the UID will not match. Should you bump into this issue, make sure you check the auto.schema.apple_scheme parameter. By default it is false or commented.
- At the zone level: Zones provide maximum flexibility and capabilities for Centrify customers. Each zone can be configured to use a different scheme if needed (again, this is highly undesirable because the same user may need access to multiple zones, and if the zones are using different schemes, this causes a mess and creates challenges, especially with Multi-protocol Network Filers). This is why during the design sessions, this is one of the most important topics to discuss. Basically, picking (and sticking to) a consistent scheme will guarantee a collision-free future and less need to use chown.
At the zone level, with Access Manager, this is set on the Zone Properties > User Defaults (or Group Defaults)
Also, keep in mind that utilities like Zone Provisioning Agent (ZPA) will respect this setting.
Determining the UID/GID Manually
Requirements: Access Manager and the "Add users to the zone" delegated right. Or ADUC with the Centrify extension.
- Open Access Manager.
- Go to the target zone > UNIX Data > Users, right click the whitespace on the right pane and select "Add user to zone"
- Type the name of the user in the dialog box and, voila!
- Now you can write down the UID/GID data and cancel.
Note: You could even save the user, and since they may not have a role assignment, the user may not even become visible to the target system (this highly depends on your access model).
With Active Directory Users and Computers
If you have extended the Centrify plugin for ADUC, you can do this by leveraging the Centrify Profile tab.
Programmatically (PowerShell)
Requirements: You need the Centrify DirectControl PowerShell module from the suite installation image or zip.
This method requires that you write the user to the zone temporarily and then you can delete the profile.
$zone = Get-CdmZone -Name 'Global'
$profile = New-CdmUserProfile -Zone $zone -User joe.doe@centrify.vms -UseAutoUid -AutoPrivateGroup
Write-Host -Nonewline "The UID for" $profile.user "is" $profile.Uid
Remove-CdmUserProfile -Profile $profile
The output of this quick script is:
The UID for joe.doe@centrify.vms is 1040192047
Note that my usage of New-CdmUserProfile is malformed (it's missing key data), but ultimately gives me what I need which is a preview of the user's future UID based on that zone's scheme settings.
Workstation or Express Mode
Since all users are UNIX-enabled and have login rights to the systems, all you need to do is run the adquery user command. Funny enough, since an Express system does this automatically, this can be used if you don't have access to AM, ADUC or even PowerShell. All you need to do is join a UNIX/Linux or Mac system to AD in workstation mode (e.g. sudo adjoin -w -u user example.com) and after the cache is built run the adquery user [username] command. This will display the user's unique UID/GID using the default Centrify scheme.
I hope this helps.
R.P
Ubuntu 18.04 login issue
Hello,
I am not able to log in to Ubuntu 18.04 as an Active Directory user.
Ubuntu 18.04 successfully joined the AD of Windows Server 2008. I am able to log in over SSH on Ubuntu 18.04, but it fails in GDM3, i.e. I am not able to log in from the Ubuntu GUI.
Re: Ubuntu 14.04 Centrify Not able to login through GDM
It is also causing a login problem in Ubuntu 18.04 with GDM3. I tried many tricks but they failed. It allows login with a local user, but an AD user fails to log in through GDM3.
Can anyone kindly help?
Re: Ubuntu 14.04 Centrify Not able to login through GDM
Moderation notice: Please don't add to a post that:
a) It's from years ago
b) It's irrelevant to your issue (newer version of the OS, newer version of GDM).
Note that if you're a customer with a current subscription, the fastest way for you to get a response is to engage support.
Re: Ubuntu 18.04 login issue
Welcome to the Centrify forums.
Please outline:
a) Version of Centrify DirectControl (adinfo -v) - only current versions are community supported (5.5.x)
b) 5.5.x is the version that is confirmed to work with Ubuntu 18.04.
That being said, please make sure:
a) That the GDM PAM configuration files contain the Centrify Stanzas (or include the system stanzas)
b) That you have restarted.
Note that things work well over SSH, so you may have to engage your GDM support lifeline for this.
R.P
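A way to run the check described in the reply above, as an added example that is not part of the original posts or of Centrify's tooling: it reports whether a GDM PAM service file references a module either directly or through Ubuntu-style @include lines. The module name pam_centrifydc.so, the function names and the sample files are assumptions constructed for illustration; on a real host the directory would be /etc/pam.d.

```shell
#!/bin/sh
# Added example: does a PAM service file reference a module, directly or
# through Debian/Ubuntu "@include" lines? Commented-out lines do not count.

# pam_has_module <pam.d dir> <service file> <module> [depth]
# The body runs in a subshell, so variables stay local across the recursion.
pam_has_module() (
    dir=$1 svc=$2 mod=$3 depth=${4:-0}
    # Stop on unreadable files and on runaway include chains.
    [ "$depth" -le 8 ] && [ -r "$dir/$svc" ] || exit 1
    if grep -v '^[[:space:]]*#' "$dir/$svc" | grep -Fq -- "$mod"; then
        exit 0
    fi
    for inc in $(sed -n 's/^@include[[:space:]][[:space:]]*\([^[:space:]]*\).*$/\1/p' "$dir/$svc"); do
        pam_has_module "$dir" "$inc" "$mod" $((depth + 1)) && exit 0
    done
    exit 1
)

# Constructed sample tree (not real system files): gdm-password pulls in
# common-auth, which carries the stanza; gdm-autologin has it commented out.
make_sample_pam_dir() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' 'auth requisite pam_nologin.so' \
        '@include common-auth' > "$d/gdm-password"
    printf '%s\n' 'auth sufficient pam_centrifydc.so' \
        'auth required pam_unix.so' > "$d/common-auth"
    printf '%s\n' '#%PAM-1.0' '# auth sufficient pam_centrifydc.so' \
        'auth required pam_permit.so' > "$d/gdm-autologin"
    echo "$d"
}

# pam_centrifydc.so is an assumed module name; adjust to the installed agent.
sample=$(make_sample_pam_dir)
for svc in gdm-password gdm-autologin; do
    if pam_has_module "$sample" "$svc" pam_centrifydc.so; then
        echo "$svc: stanza reachable"
    else
        echo "$svc: stanza missing"
    fi
done
rm -rf "$sample"
```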
Re: "Error executing /var/centrifydm/tmp/adjoin.cmd.501. DC: 5.3.0-220 Login successfull
nbona,
Have you found a solution to this problem?
I am having the same issue as well.
Re: Ubuntu 18.04 login issue
Hello,
I have downloaded the latest software from Centrify Deployment Manager before deploying packages on Ubuntu 18.04.
Can you help me to check or verify GDM3 PAM configuration?