Channel: Centrify Express topics

API Permissions

Hello,

 

We are working to integrate Centrify with our main public website. Our developer is having trouble using API calls as specified here http://developer.centrify.com/site/global/documentation/api_guide/using_the_api/index.gsp. I have created a Centrify cloud account that is a full system administrator. However, making API calls results in a 401 unauthorized error. The purpose of the API calls is to sync user accounts into the website database. If it matters, we are syncing Centrify to our local on-premise AD with the cloud connector, which is working fine.

 

Is there another permission or setting I am missing?

 

Thanks!

Mike


Splunk Authentication App

In the installation notes for the Centrify Auth app for Splunk, it says:

 

NOTE: You may also map an Active Directory group to a splunk role using group overrides in Centrify Express. For more information consult the Centrify Express admin guide.

 

There is nothing in the Centrify Express admin guide that mentions "group overrides".  Do I map AD groups to local linux groups and then name my Splunk roles the same as the local linux group?

Office 365 external access restriction

Hello,

 

We use on premise Exchange and use federated accounts via Centrify for our Office 365 access for our employees.

 

Currently, the Office 365 restriction (when accessed from external) is achieved by defining the IP addresses in the Corporate IP range. After that, it will prompt for MFA.

 

If we move Exchange on premise to Exchange Online, how best to restrict Office 365 access when accessed from external network other than corporate network?

 

Is there any option apart from Corporate IP range? How do we go about it?

 

Regards,

Ganesan

Server does not support diffie-hellman-group1-sha1 for keyexchange

Getting this error "Server does not support diffie-hellman-group1-sha1 for keyexchange" when trying to analyze a new macbook pro which has El Capitan.

Can't find any reference to this error in forums or elsewhere.

 

I have installed Centrify express for mac with OS X 10.10 and can't see PIV card reader in keychain

I have installed Centrify Express for Mac with OS X 10.10 and can't see PIV card reader in keychain but not sure where to look for it.

 

I am also trying to log in to the DHS site and have downloaded the correct certificates but can't seem to associate it with the URL link. In Safari, it is asking me to select the cert and gives me 2 Apple certs.

After some time I lose my sudo abilities

I have not done a time test, but after I reboot and log on to my machine I have sudo access, but after some period of time, I lose that access and get this message:

 

Sorry, user <domain_user> is not allowed to execute 'something' as root on <domain_name>.

 

It is late right now, but if anyone has seen this let me know.  If I do an adquery group -D I get this:

 

CN=Allowed RODC Password Replication Group,CN=Users,DC=angbertent,DC=lan
CN=Cert Publishers,CN=Users,DC=angbertent,DC=lan
CN=Denied RODC Password Replication Group,CN=Users,DC=angbertent,DC=lan
CN=DnsAdmins,CN=Users,DC=angbertent,DC=lan
CN=DnsUpdateProxy,CN=Users,DC=angbertent,DC=lan
CN=Domain Computers,CN=Users,DC=angbertent,DC=lan
CN=Domain Controllers,CN=Users,DC=angbertent,DC=lan
CN=Domain Guests,CN=Users,DC=angbertent,DC=lan
CN=Domain Users,CN=Users,DC=angbertent,DC=lan
CN=Enterprise Read-only Domain Controllers,CN=Users,DC=angbertent,DC=lan
CN=Group Policy Creator Owners,CN=Users,DC=angbertent,DC=lan
CN=RAS and IAS Servers,CN=Users,DC=angbertent,DC=lan
CN=Read-only Domain Controllers,CN=Users,DC=angbertent,DC=lan
CN=Schema Admins,CN=Users,DC=angbertent,DC=lan

 

What I see missing is Domain Admins, and Enterprise Admins, both of which I am a part of, and if I restart the computer and log back in again, they will be there.  So something is timing out, and I am losing access to those two groups, which takes away my sudo powers.

 

Let me know if you have seen this before, and if you have maybe a script I can run in cron to make sure this stays refreshed, so those groups do not disappear.  Thanks in advance.

 

Chris

How do you disable keyboard interactive authentication in Centrify?

What line should I set in /etc/ssh/sshd_config ?

Better way to update AD+FV passwd when CentrifyDC is enforcing Yubikey PIV smart card login

Our policy enforces disk encryption and PIV logon. Users can initiate an adpasswd command in terminal but it doesn't take a new password. They can try to change passwd in System Prefs but that also does not take the current password. I have to move them into an OU that does not enforce yubikey then let them change their password and reboot so it changes the FileVault password too. Last, I move them back into PIV group. Is there a faster way? Our concern is that each user will need to visit the helpdesk to update FV password, which is unreasonable for remote users.


Centrify Express 2016.1, CentrifyDC-openssh vs. stock sshd questions

I have some questions regarding the use of CentrifyDC-openssh vs. stock ssh with Centrify Express 2016.1 on a CentOS 6.8 system:

1. I noticed that if I install the CentrifyDC-openssh package, new ssh keys are created in /etc/centrifydc/ssh. Does that mean existing stock ssh keys in /etc/ssh are not used by CentrifyDC-openssh? I'm trying to avoid annoying users with the "man in the middle attack" message if they have already accepted stock ssh keys.

2. Does CentrifyDC-openssh have support for tcp_wrappers-enabled xinetd?

3. If I decide to use the stock sshd package in CentOS 6.8, is there a way to enable SSO?

4. If I decide to use the stock sshd package in CentOS 6.8, is AllowGroups and/or AllowUsers the best way to restrict access to ssh logins?

Centrify Express and DeepFreeze

Having an issue with Express and possibly DeepFreeze.  After running for a few weeks, the systems show that the machine password has changed and is disconnected from A/D.  If I do the following:

sudo adkeytab -r -u <domain-admin>

Then log out, I can log in with a domain account.  However, if I reboot, I cannot log in again.  That is why I suspect an issue with DeepFreeze.  We are going to try and thaw the machines, do the above command again, then freeze them again to see if that solves it short term.  Is there a long term solution?

SystemCACertificates.keychain cannot be found on MAC

I received the following prompt in Terminal when trying to locate my SystemCACertificates:

 

chflags: SystemCACertificates.keychain: No such file or directory

Also, 'SystemCACertificates (Read Only)' appears in Keychains grayed out and I have tried to add a new keychain and add the necessary certificates to no avail. I am using macOS Sierra and version 5.3.3 Smartcard Assistant.

 

Can someone please assist me with this issue?

Apple OS Sierra - Bound Via Centrify but does not show up in Directory Utility

Hi All,

 

After struggling with joining a MacBook Air (Sierra OS) to our corporate domain using

  1. System Prefs >> Users & Groups >> Login Options >> Join (fail, unspecified error)
  2. Terminal >> dsconfigad >> dsconfig -force -add "domain.fqdn" -username "domain/un.fqdn" -password "" -computer "short.name" -mobile disable -localhome -disable -useuncpath disable -shell /bin/bash -ou "fn=,ou=,DC=FQDN" (fail, error 5202)
  3. JAMF Pro Configuration Profile with similar settings above (fail, unspecified error)

 

I stumbled across the Centrify Express app and was able to immediately bind the laptop. I was also able to sign in using a network account.

 

I did notice that while Centrify tells me the device is bound, "dsconfigad --show" results in no results and according to login options, the machine is not bound.

 

I gather Centrify Express has replaced the Directory Utility app? Is that correct?

adbindproxy.pl stuck at enter a valid domain controller

Hi,

The issue I have is that some users can access samba shares and others can't. This also happened last week and I just re-ran the adbindproxy.pl which fixed the problem. It has happened again this week but when I run adbindproxy.pl it stops at the "enter a valid domain controller" step, it just shows "using (name of domain controller)".

I did notice above that it says "could not initialise lsa pipe" and "Get Domain SID Failed"

I have tried removing and reinstalling Centrify but adbindproxy.pl still stops at the same step.

I ran "net rpc getsid -S servername -U username" and it said

"Failed to open /var/lib/samba/private/secrets.tdb"

"Can't store domain SID"

Any idea where to go from here ?

 

UPDATE: just built a new Ubuntu 16.04 server and went to run adbindproxy.pl and the same thing happened

 

Ubuntu version is 16.04

Centrify Express version is 5.3.1-398

Adbindproxy version is 5.3.0

Samba version is 4.3.11-Ubuntu

 

thanks,

 

John

NetApp Clustered Ontap

I am trying to find documentation on how to integrate NetApp Clustered OnTap with Centrify DirectControl.  The documentation that I've found so far references 7-Mode and not Clustered OnTap.

install Linux Centrify agent noninteractive

I am using ./install-express.sh to install the Centrify agent in Linux. How can I automate this via script, either directly from the command prompt or by creating a file to respond over the installation process?


Managing Primary GID for Centrify Express

Hello,

 

I'm trying to change the primary GID of my user but without success.

At the moment the userid is : 

# id pr7

uid=641760211(pr7) gid=641760211(pr7) groupes=641760211(pr7) ,641760243(linux_account)

But the primary group of pr7 from Active Directory side is linux_account.

 

It works for my other user : 

# id pr7_c
uid=641760247(pr7_c) gid=641760243(linux_account) groups=641760243(linux_account),641760238(linux)

 

Is that possible to modify the gid of the user pr7 now ? Or do I have to delete/create again the user pr7 ? Or maybe reinstall centrify ?

 

I tried adreload && adflush and centrifydc restart, but without success.

 

Kind regards,

 

Pierre

lubuntu centrifydc

Hello (for the second time of writing)

 

I am trying to connect my lubuntu computer to a Windows Active Directory. I install Lubuntu 16.04 and then do Software updates. Then I install from centrify-suite-2016.1-deb7-x86_64.tgz the package centrifydc-5.3.1-deb7-x86_64.deb. Then if I reboot I do not get to the lightdm screen to login to the gui system.

 

Can someone please help?

download

Where is the download and what is the file name for Linux 64b Lubuntu?

Add AD group to local group

Hello,

 

I'm trying to add an Active Directory named "ADGroup1" to a local group named "LocalGroup1" with a GID of 31909.  I've tried these two posts:

How to add AD user to local group

Map AD group to local Linux group with Centrify Express and make it the user's primary group

 

Attempt 1

I added this line to /etc/group:

localgroup1:x:31909:adgroup1

 

Then added this line to /etc/centrifydc/centrifydc.conf:

adclient.local.group.merge: true

 

Then ran sudo adreload; sudo adflush to reload everything.  To test if I was successful, I ran adquery group and id -a and I don't see localgroup1 in the results.

 

Attempt 2

I added this to /etc/centrifydc/group.ovr:

+adgroup1:localgroup1::31909:
+domain admins:nwweb::31909:
+::::

 

Then ran sudo adreload; sudo adflush to reload everything.  To test if I was successful, I ran adquery group and id -a and I don't see localgroup1 in the results.

 

Attempt 3

I added this to /etc/centrifydc/passwd.ovr:

+@adgroup1:localgroup1:::31909:::
+:::::::

 

Then ran sudo adreload; sudo adflush to reload everything.  To test if I was successful, I ran adquery group and id -a and I don't see localgroup1 in the results.

 

 

I'm guessing I missed something, but I can't seem to figure it out.  Would anyone be able to slap me upside the head and point to my mistake?

 

Thanks for your help!

*** URGENT *** LOST ACCESS TO MY TENANT

Hi Community.

Can someone help me ASAP?

I had a change at my AD on the admin groups, and I completely lost access to my tenant aam0736.

I need someone to help me insert my admin user back friedmann@mykaefer.com, or delete the entire tenant so I will be able to create a new one and reuse my 2 domain prefix (mykaefer.com and kaefer.com).

 

Hope someone can read this today yet.

 

Best Regards

Eugenius
