
Installation issue relating to macOS Sierra 10.12.2


I've followed the instructions, but when I reach step 3:


Step 3: Configure

Download the DOD intermediate certificates from https://militarycac.com/maccerts/MacAllCerts.p7b, then open the MacAllCerts.p7b file.
The Add Certificates window appears.
In the Keychain dropdown menu, select System if you have admin privileges, or login if you do not have admin privileges, then click Add.


The "Add Certificates" window does not appear. I've tried the last step selecting System, but it looks like it's for modifying the keychain rather than adding a certificate.


No Smartcard Found


Hi, I am having trouble getting my smartcard to show up in keychain access.


I am using an SCR3310V2 and have downloaded Centrify Smart Card Assistant v5.2.4 and all the certificates.


I am on Mac El Capitan v10.11.4.


My CAC reader's green light comes on for a couple of seconds and then goes off, and the card never shows up in Keychain.


Please help! I can't figure it out. I went through the cleanup, uninstalled and reinstalled Centrify, and now I'm at a loss.

macOS Sierra 10.12.2 DOD CAC Access Issues


Please Help,


I'm unable to access web.mail.mil or us.army.mil (AKO) via CAC/PIV.

The common errors I receive are "Safari can't establish a secure connection to the server 'certificate.us.army.mil'" or "Safari can't open the page because the server unexpectedly dropped the connection" (server busy... try again... etc.).

Same thing for https://jkodirect.jten.mil/


My CAC shows up in my Keychains as CACNG and I can read the info on the CAC (The reader LED light is solid green when CAC is inserted).

I added the SystemCACertificates into Keychain as well as into System.

I added MacAllCerts and MacRootCert 2, 3, and 4 into System and Login.

The DoD Root CA 2 certificate was modified to Always Trust (I read on one thread to delete this cert but haven't yet).

I have run the Centrify diagnostic tool and saved a copy of the log.


I'm running a new:

MacBook Pro (Retina, 15-inch, Mid 2015)
macOS Sierra 10.12.2
CAC Reader: SCR33xx v2.0 USB SC Reader, Version: 6.01
Centrify Express for Smart Card 5.3.3


I am a single-persona user and have not installed any CAC enablers other than Centrify, and have un/reinstalled multiple times, clearing out the tokends as directed on this forum as well as on militaryCAC.

I'm simply trying to access these CAC-enabled DoD websites to be able to check .mil email and to complete required training courses as a satellite employee working from home.

I'm computer savvy enough to be dangerous but can follow your instructions (i.e., I'm 'dumb' but trainable ;)).

Thanks in advance for your help.

Caching credentials for Ubuntu Samba Server


I am testing an Ubuntu 16.04.01 64-bit Samba server with Centrify Express for Windows AD integration.

Here are my package versions:


Centrify Express - 5.3.1
Adbindproxy - 5.3.0
Samba - 4.3.11-Ubuntu

I have Centrify configured to work with SSH, sudo, and Samba. I have tested caching with SSH and sudo by disconnecting the main network from my testing switch, and they are working as expected. However, I cannot connect to the Samba server shares from my laptop using the UNC path to the server (\\xxx.xxx.xxx.xxx) after disconnecting the test switch from the main network. Windows Explorer will attempt to connect to the server for ~3 minutes and then report that the server is unavailable.

Is this working as designed? I was under the impression that I should be able to authenticate to the Samba shares using the cached credentials.

Below is my smb.conf file:

#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
    security = ADS
    realm = MY.FDQN
    workgroup = MY
    netbios name = bly1

    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb

    #
    # Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
    # with "kerberos method".  The directive "kerberos method = secrets and keytab"
    # enables Samba to honor service tickets that are still valid but were
    # created before the Samba server's password was changed.
    #
    kerberos method = secrets and keytab

    #
    # Setting "client use spnego principal" to true instructs SMB client to
    # trust the service principal name returned by the SMB server. Otherwise,
    # client cannot be authenticated via Kerberos by the server in a different
    # domain even though the two domains are mutually trusted.
    #
    #client use spnego principal = true

    #
    # Setting send spnego principal to yes .
    # Otherwise, it will not send this principal between Samba and Windows 2008
    #
    #send spnego principal = Yes

    # If your Samba server only serves to Windows systems, try server signing = mandatory.
    server signing = mandatory

    client ntlmv2 auth = yes
    client use spnego = yes

    template shell = /bin/bash

    winbind use default domain = Yes

    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes

    idmap cache time = 0

    #ignore syssetgroups error = No
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 200000000
    idmap config * : base_tdb = 0
    enable core files = false
    # Disable Logging to syslog, and only write log to Samba standard log files.
    #syslog = 0

[homes]
    comment = Home directories
    read only = No
    browseable = No

[data]
    create mode = 770
    valid users = @my_windows_user_group
    directory mode = 770
    force directory mode = 770
    force create mode = 770
    writeable = yes
    write list = @my_windows_user_group
    path = /home/data

Any help is appreciated.

problems reaching the lightdm screen to login


Hello,

I am an Ubuntu Linux user who prefers the lightweight LXDE interface, hence Lubuntu. On my server I run the Ubuntu Server version. If I install centrifydc and then join the AD domain, I can then install Lubuntu over the top and all is well.

If one attempts this in the wrong order it fails, and if one is then tempted to remove the installed centrifydc, it is no longer possible to get back to the LightDM login screen. However, it is possible to log in in character mode via Ctrl-Alt-F1.

Having done this on one major machine, I am now locked out of all my GUI applications, and a reinstall would cause MAJOR heartache. So what I need is advice and guidance to recover from this failed install/removal of the centrifydc package.

It appears to me that on other desktop-only machines one has to install Ubuntu Desktop, install centrifydc, join the domain and then install lubuntu-desktop. It is a bit of a pain, but one can expect Centrify to support/test every combination of distros.

Also asking in https://ubuntuforums.org/showthread.php?t=2348906

Nautilus + windows AD


Hi guys,

New post for an issue you can find here.

I installed Centrify on Ubuntu 16.04 for R&D purposes. I don't have the version (I'll tell you tomorrow morning), but it's the latest for Ubuntu 16.04.

My user can't access Windows shared directories without the password prompt; I use Nautilus to open them.

Regarding the thread I linked, the problem could be related to Kerberos not working with Nautilus, but after 6 years I'm surprised not to find more solutions or information about this. I think I could be missing something, maybe?

Do you have a solution or another file explorer to try?

Thanks for the help,

Regards,

RLT

sshd: fatal: initgroups: : Invalid argument


I have a newly installed Ubuntu Xenial 16.04 server running LXD with a fresh LXC container using the ubuntu:xenial image.

I used the centrify-suite-2016.1-deb7-x86_64.tgz download, unpacked and installed it, and joined the domain with no reported errors. I have installed the Centrify SSHD. I can getent passwd and group with no problems.

The problem is that when I SSH to the LXC container I get the login prompt, and on entering the username the SSH session disconnects with "Network error: Software caused connection abort". In the container's auth.log I see a fatal error: initgroups: Invalid argument. The group causing the fatal error is the User Private Group.

Some system info:


root@osm:/etc/pam.d# uname -a
Linux osm 4.4.0-57-generic #78-Ubuntu SMP Fri Dec 9 23:50:32 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@osm:/etc/pam.d# cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu" VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
root@osm:/etc/pam.d# adinfo -v
adinfo (CentrifyDC 5.3.1-398)
root@osm:/etc/pam.d# adinfo -m
connected
root@osm:/etc/pam.d# adinfo --sysinfo zone
System Diagnostic
======== Zone Information ========
Auto zone
root@osm:/etc/pam.d# adquery user i87000
i87000:x:851444974:851444974:DTR:/home/i87000:/bin/bash


The auth.log output:

Jan 13 11:35:43 osm sshd[2118]: Authorized to i87000, krb5 principal I87000@MYDOMAIN.COM (krb5_kuserok)
Jan 13 11:35:43 osm sshd[2118]: Accepted gssapi-with-mic for i87000 from 192.168.0.10 port 61199 ssh2
Jan 13 11:35:43 osm adclient[383]: INFO AUDIT_TRAIL|Centrify Suite|PAM|1.0|300|PAM account management granted|5|user=i87000(type:ad,i87000@MYDOMAIN.COM) pid=2118 utc=1484307343515 centrifyEventID=24300 status=GRANTED service=sshd tty=ssh client=192.168.0.10
Jan 13 11:35:43 osm sshd[2118]: fatal: initgroups: i87000: Invalid argument


I notice that the primary gid for the user doesn't exist in getent group output.

root@osm:/etc/pam.d# getent passwd | grep i87000
i87000:x:851444974:851444974:DTR:/home/i87000:/bin/bash
root@osm:/etc/pam.d# getent group | grep 851444974
root@osm:/etc/pam.d#


Checking the groups output for the user shows the User Private Group, but it doesn't appear in the getent group output:

root@osm:/etc/pam.d# groups i87000
i87000 : i87000 all_employees all_users centrify_mobile_users desktop_administrators domain_admins domain_users
root@osm:/etc/pam.d# getent group | grep ^i87000
root@osm:/etc/pam.d#


This has always been the case for previous installs of Centrify Express on other containers, but this is the first install I have done with the latest Centrify installer using OpenSSH version 7:

OpenSSH_7.2p2 (CentrifyDC build 5.3.1-391), OpenSSL 1.0.2g 1 Mar 2016

Any ideas why sshd is giving the 'invalid argument' error?
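An added diagnostic (not from the post or from Centrify) that reproduces the two getent checks above offline on text constructed from the quoted output, and correlates them with sshd's "fatal: initgroups" lines; the domain_users gid is made up:

```python
"""Offline check for the sshd 'initgroups: Invalid argument' symptom.

initgroups(3), which sshd calls before dropping privileges, needs the
user's primary GID to resolve through the group database (NSS).
"""
import re
from typing import Dict, List, Set

# Constructed sample: the i87000 line quoted in the post plus a healthy root user.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
i87000:x:851444974:851444974:DTR:/home/i87000:/bin/bash
"""

# Constructed sample: as in the post, no group carries gid 851444974.
# The domain_users gid is made up for this example.
SAMPLE_GROUP = """\
root:x:0:
domain_users:x:851444513:i87000
"""

# Two auth.log lines quoted in the post.
SAMPLE_AUTHLOG = """\
Jan 13 11:35:43 osm sshd[2118]: Accepted gssapi-with-mic for i87000 from 192.168.0.10 port 61199 ssh2
Jan 13 11:35:43 osm sshd[2118]: fatal: initgroups: i87000: Invalid argument
"""

INITGROUPS_RE = re.compile(r"sshd\[\d+\]: fatal: initgroups: (\S+): Invalid argument")


def parse_passwd(text: str) -> Dict[str, int]:
    """Map user name -> primary gid from passwd-format lines."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0]:
            users[fields[0]] = int(fields[3])
    return users


def parse_group_gids(text: str) -> Set[int]:
    """Collect every gid present in group-format lines."""
    gids: Set[int] = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0]:
            gids.add(int(fields[2]))
    return gids


def users_with_unresolvable_primary_gid(passwd_text: str, group_text: str) -> List[str]:
    """Users whose primary gid is absent from the group database (the gap the post points at)."""
    gids = parse_group_gids(group_text)
    return [u for u, gid in parse_passwd(passwd_text).items() if gid not in gids]


def initgroups_failures(authlog_text: str) -> List[str]:
    """User names appearing in sshd 'fatal: initgroups' lines."""
    return [m.group(1) for m in INITGROUPS_RE.finditer(authlog_text)]


def correlate(passwd_text: str, group_text: str, authlog_text: str) -> Dict[str, bool]:
    """For each user sshd rejected, whether the primary-gid gap is present for that user."""
    gap = set(users_with_unresolvable_primary_gid(passwd_text, group_text))
    return {u: u in gap for u in initgroups_failures(authlog_text)}


if __name__ == "__main__":
    for user, has_gap in correlate(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_AUTHLOG).items():
        print(f"{user}: primary gid missing from group db = {has_gap}")
```

On a live host, feed it the real `getent passwd`, `getent group` and auth.log text instead of the constructed samples.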


AD password change doesn't affect local Unix user before re-login


Hi everyone,

Info:

Ubuntu 16.04 x86_64
Centrify 3.5.1 Express
Zone: Auto Zone
CentrifyDC mode: connected
Licensed Features: Disabled

To start with, Centrify is working well with my AD environment. After installing and connecting it, I can log my users in on Ubuntu without any issue.

But! My problem is the following.

When I lock a user in AD, I can't log into Ubuntu (normal), but when I unlock him, Ubuntu doesn't sync with AD and "thinks" the user is still blocked.

Second problem: when I change the password of my user, if I try to log in with the new one, login fails. I need to log in with the old one before the new password is synced.

In both scenarios my AD is not synced before the user involved is connected.

Did I miss an option? Is there a way to force the sync? Is there a config file to edit?

Thanks for the reply.

nslookup and ping issues

We are joining Linux machines to a Windows domain. nslookup and ping of Windows machines in the domain fail unless I use the FQDN of the Windows machines. I am sure it is just a config issue, however I have not been able to resolve it. Any help would be appreciated!

Office 365 mailbox migration issue


Hello,

I am trying to migrate mailboxes from my Exchange 2010 to Office 365 / Exchange Online in a hybrid environment. For some mailboxes it fails with the following error message:

Error: MigrationPermanentException: The target mailbox doesn't have an SMTP proxy matching 'domain.mail.onmicrosoft.com'.

From quick googling, the "Automatically update e-mail addresses based on email address policy" checkbox is disabled for the failing mailbox. So I enabled the checkbox, but it does not solve the issue... migration still fails.

How can I fix it?

Any help much appreciated.

Centrify purchase and some problems


Hi there,

We want to add our company's MacBooks and iMacs to our Active Directory.

While looking for a solution I found your services & products and would be interested in a standard licence for the Active Directory integration.

I need to configure all the Macintoshes at our company in the next few days.

I have downloaded the Express version to test Centrify, and it works better than the standard Directory Utility from Apple.

So I have written some mails to support saying that I'm interested in your product.
We also want to purchase it to get some support.

First we want to bind 6 MacBooks to our Active Directory.

All accounts should only use network home folders.

With your Mac agent from the download site this was not a big problem to set up.

But after this we have problems with Microsoft Office 2016.

Excel / Word / Outlook can be opened by a local account, but with a network account with a network home dir we get errors; the first time Office will open, after a restart not.
I hope there could be a way to solve this.

This is an important part of our work.

We also have an Exchange Server in our company, so we're looking for a working solution.
If someone could contact me about a price and a way to purchase your product, that would be fine.

So best regards,

David Faller

Need Smartcard Support for Mac and VmWare

We have employee-owned Macs that need to access our remote-access PulseSecure web portal (RDP mode) using our provided smart cards and smart card readers from home for teleworking. Our Windows clients work fine, but the Mac is hit or miss and does not work at all with 10.12.2 so far. We also have a few Macs that run on VMware for testing that also don't work. Is Centrify Express the right product? We don't need to manage the Macs, just make PIV cards work properly. Any help on getting either one of these use cases to work?

Thanks...

Centrify + pam_mount


Hi guys,

After a lot of tests, I think that apparently Centrify and pam_mount (PM) can't work together.

That's a problem for me because PM enables me to access some Samba shared files at logon.

The problem is the following:

When I installed PM, it worked well, mounting the files as I requested it to with my user (same nickname/login as the AD user).

When I install Centrify, and then PM:
Centrify works but PM doesn't mount at login. But it works when I go to a terminal and enter su (user): it asks me for the password and the password for PM, and it works.

When I install PM, then Centrify, I can't log in with an AD user. Only local AND non-AD users (meaning if I have a local user that has the same nick as the AD user, it fails). But PM and Centrify work if I go to a terminal and su (user)@(domain).

I think the problem may be in the pam/* files. Maybe a specific order is needed?

Do you have any idea?

Thanks for the help; tell me if you need more info about this problem.

some AD users are not shown on Users page of Centrify Admin Portal


Dear Centrify experts,

I usually go to Centrify Admin Portal – Roles – Office 365 – Members to add AD users and provide O365 licenses. Usually the users then appear on the Users page of the Centrify Admin Portal. But some of my AD users are not shown there.

How can I fix it? Any help would be really appreciated.


installing centrifydc-5.3.1-deb7-x86_64.deb & adjoin vs Orchestration-Basics-Using-a-Chef-recipe

GlobalProtect VPN SmartCard(PIV) authentication on macOS


I'm trying to configure SmartCard (PIV) authentication for our Palo Alto GlobalProtect VPN client on our Mac laptops. We are currently able to successfully use our PIV readers and SmartCards with Centrify Express to authenticate to different services through Safari, so I know Centrify Express is, at least, installed and configured somewhat correctly.

The issue we have is that when the GlobalProtect client prompts for a cert to use for authentication, we are never prompted to enter a PIN. Instead, we are repeatedly prompted to pick which cert on the SmartCard we want to use, and after selecting a cert we are prompted again. This process repeats indefinitely until the process is cancelled instead of selecting a cert. I know that the system is able to read the SmartCard, as the only certs that show are the ones I know to be on the SmartCard, but I'm not sure why I do not get prompted to enter a PIN. I've worked with Palo Alto support, who have informed me that they do not make calls for the certs/PIN and that it's handled by a 'middle man', which in our case is Centrify.

Has anyone had success using Centrify Express for Smart Cards on their Mac for VPN authentication via a client and not a web browser? More specifically, has anyone been able to configure this for use with Palo Alto's GlobalProtect VPN? Lastly, is the information Palo Alto support is providing correct regarding 'middle man' handling of certs?

macOS version: 10.12.3
Centrify Express for Smart Card version: 5.3.3
GlobalProtect Client version: 3.1.3-21

Keychain access does not show the CAC card, and neither does centrify express.

Hello,

macOS 10.12.3

ID type: G&D FIPS 201 SCE

Reader type: SAICOO Reader (no known drivers identified)

The computer's USB clearly recognizes the reader, Centrify Express is installed and all the drivers (that I know of) are up to date (listing: 40596).

In the diagnostics panel, one clicks "Open Keychain" and when it opens, the System CA Certificates show multiple certificates, but not the smart card.

How do I get the smart card to show up in Keychain Access?

Thanks in advance,
-user.

P.S. (If it's any help) I've completely installed/uninstalled it and still got the same solution. Additionally, for some reason I am unable to apply the solution stated on another thread (create a new folder at /System/Library/Security/tokend/tmp/).

Only some domains show in Centrify Office 365 app

When I add the Office 365 app to Centrify and log in with an Office 365 administrator, only two of our three domains listed in Office 365 show up on the list of available domains in Centrify. Our primary domain, "domain.com", doesn't show, but our Microsoft domain "company.onmicrosoft.com" and a subdomain of our primary domain, "subdomain.domain.com", both do show up. I have checked in the Office 365 admin and made sure it is fully verified and functional, I have tried multiple admin accounts in Centrify, and I also checked the settings in Azure AD. I'm at a loss as to what could be the reason why it is not showing up in Centrify. Any suggestions on how to fix this? Thank you!

Issues Encrypting Home Directory for Domain Users

Hello everyone.

I am currently trying to encrypt the home folder using domain credentials.

The computer is already bound successfully to our Active Directory. I am able to log in with employee accounts on this computer via AD.

I am trying to encrypt the home folder for a user through the admin account.

We were essentially following the steps at http://www.howtogeek.com/116032/how-to-encrypt-your-home-folder-after-installing-ubuntu/

I run into an issue where it is not accepting the password.

We tried to encrypt with:

sudo ecryptfs-migrate-home -u user

Then we get asked to enter the password and we receive this error:

ERROR: Your login passphrase is incorrect

We have tried multiple accounts with the correct passphrase, but it still gives the same error.

I feel as if this issue has to do with the encryption talking to the domain to get the AD credentials.

Thanks for your time reading this post!
