Re: is not a zone user?

Welcome to the Centrify Express forums.

To help you better, can you tell us the Operating system and version and the version of adclient (adinfo -v).

 

Sounds like you're getting started with Centrify.  Centrify has two operating modes: 

  • Auto Zone mode:   in this mode, all users from the local domain or any trusted domains will be visible and will be able to authenticate to your system.  This mode is very well suited for a regular end-user system, where any valid user should be able to log in.  Auto zone mode is the only mode supported by Centrify Express; this mode does not support one-way trusts.
  • Zone mode:  in this model, users not only need to have a UNIX identity defined in the zone, but to access a system, must have an RBAC role that at least allows them to log in.  This mode is supported by the commercial versions Centrify Infrastructure. This mode supports all kinds of AD architectures.

 

A simple methodology to test authentication is this:

 

Assumptions:  Centrify is installed and the system is joined.  No tool like chef/puppet has rolled-back the changes done to the NSS, PAM and Kerberos configuration environments.

If Express, the user is not in the trusting side of a one-way-trust (not supported).

 

  1. Check if your system is connected
    $ adinfo -m
    connected
    This test is to make sure there are no network issues that impair the communication with AD Domain Controllers.
    If the output is "disconnected" or not joined to any zone, you have work to do.
  2. Check if Kerberos is working
    # Authenticate via Kerberos
    $ /usr/share/centrifydc/kerberos/bin/kinit lisa.simpson
    Password for lisa.simpson@CENTRIFY.VMS:
    
    # Verify Kerberos TGT
    $ /usr/share/centrifydc/kerberos/bin/klist
    Ticket cache: FILE:/tmp/krb5cc_1040188499
    Default principal: lisa.simpson@CENTRIFY.VMS
    
    Valid starting       Expires              Service principal
    08/25/2017 21:57:25  08/26/2017 07:57:25  krbtgt/CENTRIFY.VMS@CENTRIFY.VMS
            renew until 08/26/2017 21:57:21
    
    When you join a system to AD via Centrify, we include optimized versions of MIT Kerberos tools, and we configure the Kerberos environment to work with Microsoft AD (regardless of the complexity).

    When testing, you can go from the "lower level" layers to the "upper level" apps (referencing the OSI model), therefore, since all modern AD authentication happens over Kerberos, this is a useful test, because it allows you to isolate the Identity, Centrify authorization components and the access service (e.g. SSH).
  3. Check to see if the user is known to the system and test with Switch User
    $ id dwirth
    uid=1040188499(dwirth) gid=1040188499(dwirth) groups=1040188499(dwirth)
    $ getent passwd dwirth
    dwirth:x:1040188499:1040188499:Diana Wirth:/home/dwirth:/bin/cdax/bash
    $ adquery user dwirth
    dwirth:x:1040188499:1040188499:Diana Wirth:/home/dwirth:/bin/bash
    $ su dwirth
    Password:
    [dwirth@engcen6]$

    The first test with getent, id or adquery will yield the identity of the user; in express mode it will be any user from the local domain or any trusted domains; in zone mode, the user MUST have an identity and be authorized in the zone that the system lives.
    The second test uses switch user (su) to elevate to the user;  as long as you don't do this with sudo or as root, you'll be challenged with the AD user's password.  If you know it, you can verify not only the underlying technology (Kerberos), but you are testing the Name Service Switch and Pluggable Authentication Modules subsystems for the computer.  This still allows the isolation of a terminal protocol like SSH.
  4. Test Terminal Access (e.g. SSH)
    During this test you attempt to log in via SSH; if you can log in, you're fine; but if you can't, for sure (unless you're running an older version of the agent with filtering enabled) you have an SSH directive (or configuration) stopping you from logging in.
  5. Optional - Test a Graphical Interface
    Remember that when dealing with graphical interfaces, since they are long-running daemons, you are likely to have to reboot the system after installing Centrify.   After reboot, you should be able to type-in (or select an AD user from a list) and use the AD password to authenticate.

 

Now, after you read this, reassess and determine if the issue is that you may be dealing with a one-way trust or config issue.

 

This is a good place to get started:  http://community.centrify.com/t5/TechBlog/TIPS-A-Centrify-Server-Suite-Cheat-Sheet/bc-p/25707

 

R.P

