We are running CentrifyDC 5.3.1-391; the PCI scan failed due to a vulnerable OpenSSH version in Centrify.
CentrifyDC 5.3.1-391 failed PCI scan
"Error executing /var/centrifydm/tmp/adjoin.cmd.501. DC: 5.3.0-220 Login successfull
Keep getting "Error executing /var/centrifydm/tmp/adjoin.cmd.501.
DC: 5.3.0-220
Login authentication for user 'localadmin' successful."
The machine I'm trying to add is on Yosemite, I've tried downgrading the software from the most recent Centrify version to earlier versions with no luck.
domain trust not working all the time
Hello,
We have 2 domains with a trust both ways, and normally the authentication works correctly whether we have a user from domain1 or from domain2. However, sometimes for some unknown reason the authentication doesn't work for some users.
From what we've seen, this only seems to happen when a user from domain2 is trying to log on to a machine connected to domain1. It doesn't happen all the time, but when it does even restarting Centrify doesn't fix the issue. I checked with adinfo that it is connected, adinfo -T doesn't show any problem, and with adinfo -g in the domain info map I see both domains. All seems to indicate that it should be working, but it's only working on the "local" domain.
I activated the Centrify debugging and ran the id command:
/usr/share/centrifydc/bin/addebug on
/usr/share/centrifydc/bin/addebug clear
id qwertyuiop
/usr/share/centrifydc/bin/addebug off
adinfo -v
adinfo (CentrifyDC 5.3.1-398)
I'm including some of the logs. Any idea what's going on?
Thanks for your help.
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:18 id(20730)> -> getpwnam_centrifydc_r user="qwertyuiop"
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:18 id(20730)> User="qwertyuiop" str2ent=(nil) result=0x7f713a67f260, buffer=0x14d0060
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:18 id(20730)> User 'qwertyuiop' is not an override user
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <main> daemon.ipcserver Accepted new lrpc2 client on <fd:21> with flags 0x00000802
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 executing request 'NSSGetPasswdDataByName' in thread 139758834870016
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 Getting passwd data for 'qwertyuiop'
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent Find GUID: 72136703214c4d24ab8ce0806e949adb (7)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findObject ADNames: qwertyuiop#012name: qwertyuiop type=SAM domain=domain1.lan
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=qwertyuiop)), attrs 1e (cacheOps=7, GC=1)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=sAMAccountName
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(displayName=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(displayName=qwertyuiop)), attrs 1e (cacheOps=7, GC=1)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=displayName
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(cn=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(cn=qwertyuiop)), attrs 1e (cacheOps=7, GC=1)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper age 25, expire age 3600, cutoff time 0, refresh 5, negative=true, cacheOps 7
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=cn
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findObject: NotFound:qwertyuiop Category:user
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.objecthelper 'qwertyuiop' is not a canonical name
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > util.except (NotFound) : No such unix user 'qwertyuiop' (reference ipcclient2.cpp:936 rc: 0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 No user data: No such unix user 'qwertyuiop'
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > daemon.ipcclient2 request 'NSSGetPasswdDataByName' complete
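The addebug trace above shows every step adclient took for the failed lookup: the name was typed as a SAM name in domain1.lan, then searched by sAMAccountName, displayName and cn, each time via plain LDAP (GC=0) and via the global catalog (GC=1), and every search came back Not Found. When comparing a working and a failing trace it helps to reduce the log to exactly that summary. The following is an added example, not part of the post and not Centrify code: a small Python parser for this line format that reports which user was looked up, which domains were consulted, which attribute searches were tried, and whether the lookup ended in "No such unix user". The sample log is an abridged copy of the lines in the post; `check_trusted_lookup` and its `expected_domain` argument are assumptions introduced here to flag a trace in which the user's home domain was never consulted.

```python
import re
from typing import Dict, List

# Abridged copy of the adclient DEBUG lines from the post above (the format
# that `addebug on` writes to syslog); used here as constructed sample input.
SAMPLE_LOG = """\
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:18 id(20730)> -> getpwnam_centrifydc_r user="qwertyuiop"
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findObject ADNames: qwertyuiop#012name: qwertyuiop type=SAM domain=domain1.lan
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(sAMAccountName=qwertyuiop)), attrs 1e (cacheOps=7, GC=1)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=sAMAccountName
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(cn=qwertyuiop)), attrs 2 (cacheOps=7, GC=0)
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > base.adagent findByAttr: Not Found:qwertyuiop category:user attr=cn
Feb 22 09:42:19 dantzig07 adclient[20276]: DEBUG <fd:21 NSSGetPasswdDataByName > util.except (NotFound) : No such unix user 'qwertyuiop' (reference ipcclient2.cpp:936 rc: 0)
"""

# syslog prefix: "<Mon dd hh:mm:ss> <host> adclient[<pid>]: <LEVEL> <ctx> <message>"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) adclient\[(?P<pid>\d+)\]: "
    r"(?P<level>\w+) <(?P<ctx>[^>]*)> (?P<msg>.*)$"
)
USER_RE = re.compile(r'getpwnam\w* user="(?P<user>[^"]+)"')
NAME_RE = re.compile(r"findObject ADNames: .*type=(?P<type>\w+) domain=(?P<domain>\S+)")
SEARCH_RE = re.compile(r"filter \((?P<filter>.*)\), attrs [0-9a-f]+ \(cacheOps=\d+, GC=(?P<gc>[01])\)")
NOTFOUND_RE = re.compile(r"findByAttr: Not Found:\S+ category:\w+ attr=(?P<attr>\w+)")
FINAL_RE = re.compile(r"No such unix user '(?P<user>[^']+)'")
TERM_RE = re.compile(r"\((\w+)=([^()]*)\)")  # one "(attr=value)" term of an LDAP filter


def summarize_lookup(log_text: str) -> Dict[str, object]:
    """Reduce an adclient name-lookup trace to the facts worth comparing."""
    summary: Dict[str, object] = {
        "user": None,
        "name_type": None,          # how adclient classified the name (SAM, UPN, ...)
        "domains_searched": [],     # domains the name was resolved against, in order
        "searches": [],             # (attribute searched, via global catalog?)
        "not_found_attrs": [],      # attributes for which adclient logged Not Found
        "outcome": "unknown",       # "not_found" once the final NotFound exception appears
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if (u := USER_RE.search(msg)):
            summary["user"] = u.group("user")
        elif (n := NAME_RE.search(msg)):
            summary["name_type"] = n.group("type")
            if n.group("domain") not in summary["domains_searched"]:
                summary["domains_searched"].append(n.group("domain"))
        elif (s := SEARCH_RE.search(msg)):
            # The last (attr=value) term of the filter is the attribute being matched.
            attr = TERM_RE.findall(s.group("filter"))[-1][0]
            summary["searches"].append((attr, s.group("gc") == "1"))
        elif (nf := NOTFOUND_RE.search(msg)):
            summary["not_found_attrs"].append(nf.group("attr"))
        elif FINAL_RE.search(msg):
            summary["outcome"] = "not_found"
    return summary


def check_trusted_lookup(summary: Dict[str, object], expected_domain: str) -> List[str]:
    """Findings for a lookup of a user whose account lives in expected_domain (assumed input)."""
    findings = []
    if expected_domain not in summary["domains_searched"]:
        findings.append(
            f"name resolved against {summary['domains_searched']} only; "
            f"{expected_domain} was never consulted"
        )
    if summary["outcome"] == "not_found":
        findings.append(
            f"all {len(summary['searches'])} attribute searches returned Not Found "
            f"(attrs {summary['not_found_attrs']})"
        )
    return findings


if __name__ == "__main__":
    s = summarize_lookup(SAMPLE_LOG)
    print(s)
    for line in check_trusted_lookup(s, "domain2.lan"):
        print("finding:", line)
```

Run it against a failing and a working trace for the same user and diff the two summaries: a working lookup of a domain2 user should list domain2's name in `domains_searched`, so a trace that shows only domain1.lan narrows the problem to name resolution across the trust rather than to the machine's own domain connectivity, which is what adinfo -T and adinfo -g already confirm.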
centrify express user principal
I've configured Centrify Express for AD/Linux integration. I was able to log in to the Linux machine using Windows credentials. I had set up a one-way trust between AD & the local MIT KDC.
[root@master2 ~]# ssh rvchinta@master2
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Kernel 2.6.32-358.el6.x86_64 on an x86_64
Password:
Last login: Sat Mar 4 07:22:34 2017 from 192.168.56.22
[rvchinta@master2 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_cdc201327698_saYNYF
Default principal: rvchinta@CHRSV.COM
Valid starting Expires Service principal
03/04/17 10:02:32 03/04/17 20:02:32 krbtgt/CHRSV.COM@CHRSV.COM
renew until 03/11/17 10:02:32
[rvchinta@master2 ~]$
When I access Hadoop components it thinks my user name is rvchinta@CHRSV.COM.
Any idea how to handle this? It should be rvchinta, not rvchinta@CHRSV.COM.
thanks
linux joined domain but username saved as number
We have Ubuntu 16.04; we could join the domain using Centrify Express.
When I went to the GDM window, users could authenticate correctly, but some usernames appeared as numbers, not names.
Example:
After joining the domain, I went to the GDM window to let users authenticate.
username: john
Password: xxxxxxx
John could authenticate, but his name appeared as 6400, and his home directory was saved with 6400.
Kindly advise.
AD group is not synced to O365
Hello Centrify experts,
We use AD groups to provide O365 licenses to our users. I mean that in Centrify Admin Portal – Roles – Office 365 – Members page I put an AD group, not individual users. It usually works fine, but yesterday I got a strange issue with this. Some users were unable to log in to their O365 apps. The O365 portal shows those users as ‘unlicensed’… Looks like the AD group is not synced to O365 anymore. I quickly fixed it by manually adding individual users to the Centrify Admin Portal – Roles – Office 365 – Members page.
How can I troubleshoot this issue?
Thanks for your help.
Not able to login to my unix machine via AD id
Hi Team,
I am new to Centrify; it's my first time using Centrify.
I have configured Centrify Express in my cluster and also integrated it with AD. I am not able to log in to only one server with an AD user, though I am able to log in to the other servers with the Centrify agent installed.
So can someone please help me figure out this issue? Thanks in advance.
Thanks
Saurabh
Constantly Asking for CAC Pin
I am currently trying to bring a new Apple product onto our DOD network. When I installed Centrify Express for CAC authentication, everything seemed to work great; it could see the CAC and everything. The second I try to go to my secure email, it goes to the website, but it constantly, like every second, asks for my PIN number. It's not caching my PIN, so about every second I get a prompt to type my PIN, and it is very hard to get any work done. Any suggestions?
Centrify cannot login after reboot
Hello, I have a problem with Centrify. After a reboot, I cannot log in with an AD user; it keeps telling me wrong password or login. So I have to log in with a local user and then log off and connect with the AD user. Sometimes I have to run adleave and then adjoin again.
[Output Truncated]
Invalid Profile
I have no idea what board I should post this on. It's in regard to getting an MDM policy downloaded onto a new iPhone.
I configured Apple DEP with Centrify. I turn on the iPhone for the first time, and it can see that there is a configuration profile to download because it prompts for Active Directory credentials. I put my credentials in, and it says "The configuration for your iPhone could not be downloaded. Invalid Profile".
Help please!
Slamdance
Active Directory Aliases not syncing to Office 365 via Centrify
Hi,
Hoping you guys can help. The problem seems to be that Office 365 is not picking up aliases that are added in Active Directory > Proxy Attributes.
The main domain, @maindomain.com for example, this is fine and is added in 365, and the main SMTP:firstname.lastname@maindomain.com is syncing.
All aliases have stopped - Any ideas why?
They are all still in the proxy attributes section in AD, I've tried removing one and re-adding then forcing a Centrify sync via the user outbound provisioning in Centrify, but they are still not going through.
The old domain (as the aliases are for the company's old domain) is added in 365 and showing no problems, yet some users have 9-10 email aliases and none are showing in Office 365, while all show in AD > Proxy Attributes.
Any ideas? Any help would be hugely appreciated.
Thank you
Aaron
adbindproxy and centrify express
Hello
Just wondering, if I am using Centrify Express will adbindproxy work, or does adbindproxy only work with Centrify Suite?
Thanks, Abdul
CentrifyDC Mode Down
adbindproxy not working
Hello
Today I installed the latest CentOS 7 and the latest Centrify Express. I then installed the latest adbindproxy using the link below:
http://community.centrify.com/t5/TechBlog/Server-Suite-2016-Samba-with-adbindproxy/ba-p/24052
I am able to browse to the samba-test share that was created during the above link through Windows Explorer. However, when I double-click to enter the share I get a message stating I do not have permissions.
My smb.conf is as follows. It's pretty much the default file, and any modifications were done during the installation of adbindproxy.
Thanks
#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
security = ADS
realm = BANDS.BROTHERSANDSISTERS.CO.UK
workgroup = BANDS
netbios name = bass11
auth methods = guest, sam, winbind, ntdomain
machine password timeout = 0
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab
#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
# client use spnego principal = true
#
# Setting send spnego principal to yes .
# Otherwise, it will not send this principal between Samba and Windows 2008
#
# send spnego principal = Yes
# If your Samba server only serves to Windows systems, try server signing = mandatory.
server signing = auto
client ntlmv2 auth = yes
client use spnego = yes
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
idmap cache time = 0
# ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable Logging to syslog, and only write log to Samba standard log files.
#syslog = 0
[samba-test]
path = /samba-test
public = yes
# if set public = No, we should set parameter valid users .
# and when the user or group is in AD , the setting syntaxes is:
# valid users = BANDS\user +BANDS\group
writable = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
create mask = 0664
directory mask = 0775
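The smb.conf above mixes a guest-accessible, writable share ([samba-test] with public = yes and writable = yes) with server signing = auto, which the file's own comment says to raise to mandatory when only Windows clients are served. Those are the two settings a reviewer would check first when an adbindproxy host is put on the network, and checking them by eye across several hosts is error-prone. The following is an added example, not part of the post and not Centrify or Samba code: a Python audit that parses a Samba configuration with configparser, resolves the parameter synonyms Samba accepts (public / guest ok, writable / writeable / read only) and reports guest-writable shares and non-mandatory signing. The sample input is a trimmed copy of the posted smb.conf; the finding messages, the `audit_smb_conf` function name and the synonym handling (last-one-wins precedence is not modelled) are assumptions made here.

```python
import configparser
from typing import List, Tuple

# Trimmed copy of the smb.conf posted above (comments removed), used as sample input.
SAMPLE_SMB_CONF = """\
[global]
security = ADS
realm = BANDS.BROTHERSANDSISTERS.CO.UK
workgroup = BANDS
kerberos method = secrets and keytab
server signing = auto
client ntlmv2 auth = yes
winbind use default domain = Yes
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
[samba-test]
path = /samba-test
public = yes
writable = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root
"""

TRUE_WORDS = {"yes", "true", "1"}


def truthy(value: str) -> bool:
    """Samba boolean parameters accept yes/true/1 and no/false/0."""
    return value.strip().lower() in TRUE_WORDS


def load_smb_conf(text: str) -> configparser.ConfigParser:
    # smb.conf is INI-like: '=' separates key and value, '#' or ';' starts a comment.
    # delimiters=('=',) keeps keys such as 'idmap config * : backend' intact, and
    # interpolation=None leaves Samba substitutions like %S and %D alone.
    cp = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"), interpolation=None, strict=False
    )
    cp.read_string(text)
    return cp


def is_guest_accessible(share) -> bool:
    # 'public' is a synonym of 'guest ok'; Samba's default is no.
    for key in ("guest ok", "public"):
        if key in share:
            return truthy(share[key])
    return False


def is_writable(share) -> bool:
    # 'writable' / 'writeable' are the inverse of 'read only'; Samba's default is read only = yes.
    if "read only" in share:
        return not truthy(share["read only"])
    for key in ("writable", "writeable"):
        if key in share:
            return truthy(share[key])
    return False


def audit_smb_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, parameter, message) findings for the weak settings discussed above."""
    cp = load_smb_conf(text)
    findings: List[Tuple[str, str, str]] = []
    glob = cp["global"] if cp.has_section("global") else {}
    signing = glob.get("server signing", "default").strip().lower()
    if signing != "mandatory":
        findings.append(("global", "server signing",
                         f"server signing = {signing}: SMB signing is offered but not required; "
                         "use 'mandatory' if only Windows clients connect"))
    for name in cp.sections():
        if name == "global":
            continue
        share = cp[name]
        if is_guest_accessible(share):
            detail = "guest access enabled" + (" and the share is writable" if is_writable(share) else "")
            findings.append((name, "public",
                             f"{detail}; set public = no and restrict with "
                             "'valid users = BANDS\\user +BANDS\\group' as the file's comment suggests"))
    return findings


if __name__ == "__main__":
    for section, param, message in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {param}: {message}")
```

Note that share-level parameters never override the filesystem: even with public = yes and writable = yes, access to /samba-test is still subject to the directory's UNIX permissions and ACLs, so a "no permission" error on a share the audit reports as wide open points at the path on disk rather than at smb.conf.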
Push applications silently to DEP iOS devices in Supervised mode
Is there any way to prevent the message on iOS devices which asks users to sign in to iTunes in order to allow the device to be managed? The message reads "App Installation. Sign in to iTunes to allow "*.my.centrify.com" to manage and install apps."
Pre-populate password for active sync e-mail account in iOS policies
Is it possible to pre-populate the password when creating an exchange setting under policies - mobile device policies - ios settings - exchange settings?
Change URL in notification on iOS
Is it possible to change the “aaXXXXX.my.centrify.com is about to install and manage the app…” to e.g. mypreferred.my.centrify.com? I've added a custom one in Settings - Tenant URLs and made it default, but it doesn't change. I've also re-created the APNs and DEP certificates.
Mac Sierra: CAC "The Site Cannot Be Reached" Error
Hello,
I'm trying to use my CAC to log on to .mil websites. When I go to sign in with my CAC, then pick my DOD Email CA-43 certificate and enter my PIN, it consistently brings up an error that says
"This site can’t be reached
The webpage at https://mypay.dfas.mil/Smartcheck/SmartCheck.aspx might be temporarily down or it may have moved permanently to a new web address.