Channel: Centrify Express topics

Add certificate - RPC error

In AWS I have an AD DS, an AD CS and one Linux machine which I joined to the AD:

Local host name: ip-172-31-23-93
Joined to domain: tfbic.net
Joined as: ip-172-31-23-93.tfbic.net
Pre-win2K name: ip-172-31-23-93
Current DC: win-fam47drkcg3.tfbic.net
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2017-10-21 08:41:56 UTC
CentrifyDC mode: connected
Licensed Features: Enabled

In AD CA I have an Enterprise CA, where I created a duplicate of the Computer certificate and then created a template.

The template allows auto enrollment.

I am trying to issue a new certificate for my Linux machine but get an RPC error without any details:

/usr/share/centrifydc/sbin/adcert -e -n TFBIC-EC2AMAZ-UISHUC6-CA -s EC2AMAZ-UISHUC6.TFBIC.NET -t Centrify

Error while issuing a certificate for Centrify: RPC error occurred during operation.

Any ideas where I should look for the possible problems?

Thanks!


Add certificate fails - RPC error

Hi,

I successfully joined my Linux machine into a domain, but cannot create a certificate.

Local host name: ip-172-31-23-93
Joined to domain: tfbic.net
Joined as: ip-172-31-23-93.tfbic.net
Pre-win2K name: ip-172-31-23-93
Current DC: win-fam47drkcg3.tfbic.net
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2017-10-21 08:41:56 UTC
CentrifyDC mode: connected
Licensed Features: Enabled

/usr/share/centrifydc/sbin/adcert -e -n TFBIC-EC2AMAZ-UISHUC6-CA -s EC2AMAZ-UISHUC6.TFBIC.NET -t Centrify

Error while issuing a certificate for Centrify: RPC error occurred during operation.

In ADCS I have a duplicate of the computer cert, enabled auto enrollment, and created a template called "Centrify".

Any hints where I should look for the possible root cause of the problem?

Thanks

AD user not provisioning in Centrify or Office 365.

Hello.  First the background to my issue:

We had a user resign so I disabled her account in AD.  When her replacement arrived, I went through the AD rename process for the new user.  Big mistake, apparently, as it caused major malfunctions with the new user.  So, I deleted the account altogether and created the new user's account from scratch.  After doing so, I received this error on sync:

User already synced or not updated:
jane.doe@domain.local (69279995-90c1-4cd6-9578-0d1c1b2872b3) => jane.doe@domain.org
Reason: UPN jane.doe@domain.org conflict detected

I thought this was being caused by what appeared to be an orphaned user in Office 365 for the old user account.  I removed the orphaned user with AD Azure Powershell, but this doesn't seem to have helped.  I've deleted and recreated the new user's account in AD and the provisioning process doesn't even appear to pick it up anymore.

I'm totally at a loss for ideas.  Thanks.

Cannot adleave AD because no AD available

Hello,

I have CentOS servers that at one time were authenticating to corporate's AD domain using Centrify.  The corporate AD is no longer available to our servers in the data centers.  I need to remove the Centrify RPM but cannot because I need to leave the domain first.  Problem is I cannot leave the domain because I cannot reach the AD.  How do I remove the Centrify software from the servers?

Thanks,

Wes

Seeing Printers from a Windows Print Server

We have a Windows Print Server here that shares out our printers via Active Directory. When we bind a Mac to AD without Centrify it can see all our printers when you browse printers. When we bind it with Centrify it doesn't see the printers (the ones that begin with TWGLAPRINT01). Anyone know the easiest way to make it show them?

Time sync not working

Hello,

We are using CentrifyDC on our Ubuntu Linux systems.  For the past couple of weeks we have been noticing that the time on one of the Linux clients isn't in sync with our Domain Controller. It is off by a couple of minutes.  The issue is specific to only 1 Linux client; the rest of our Linux clients are able to sync time successfully.

On the problem client, if I run this command "/usr/share/centrifydc/bin/adcheck --test ad <domain-name.com> | grep TIME"

I get the output below:

TIME : Check clock synchronization : Note
: This system's clock will be synchronized with AD when you join.
: This system thinks the time is Fri Oct, 27 15:18:23 EDT,
: AD thinks the time is Fri Oct, 27 15:20:58 EDT.

ADSYNC : Check domains all synchronized : Pass
2 warnings were encountered during check. We recommend checking these before proceeding

====================================================

Can someone please advise how to resolve this?  The Linux client is joined to the AD domain and I am even able to log in using my AD account.  If I run an "adinfo" command on the client, it shows it is joined to our domain & connected.

Centrify disconnected in Mac and Linux

Hi all,

I use Centrify in Express mode in my company, for Mac and Linux too. But I noticed that sometimes, when I log in to my machine, open a terminal and type "adinfo", I see "Centrify: disconnected". Why?

The network service starts after the Centrify service and for this reason Centrify doesn't come up?

Any solutions?

Thanks

Alex

Centrify Crash Dumps

We use Centrify Express on several production servers that are a bit dated. On our file server (CentOS 6.3, Centrify DC 5.0.4), Centrify has been working great for years. Yesterday, we rebooted the server to troubleshoot an issue with our backup server, and Centrify never bounced back.

Whenever a user attempts to access a Samba share, Centrify would crash and create crash dump files.

We've been troubleshooting non-stop for about 36 hours now, so describing everything we've done is probably useless, so here's where we are now:

1) We used yum remove CentrifyDC to uninstall Centrify (after doing the adleave command).

2) We used yum update to update the server to CentOS 6.9.

3) We reinstalled Samba and were able to verify that we could connect to local Samba shares with local accounts with Centrify removed.

4) We downloaded Centrify Suite 2017 (Centrify DC 5.4.2) and installed it using instructions.

5) We used the adjoin command to join our domain without errors. The adinfo command shows valid info for our domain controller.

6) We are still using stock Samba and our backed-up config for that.

At this point, our symptoms are:

1) We can't login to the server with domain credentials. It accepts the username and password, then reverts back to the login screen (yes, home directories exist with the correct permissions).

2) We can't login to the server with local credentials that are not root, but root is working correctly.

3) We cannot connect to Samba shares without getting "Access denied" errors, though permissions have not been changed.

4) We don't know how to test to ensure that Centrify is working correctly or not.

At this point, we're really uncertain as to how to proceed. Given that Samba shares work fine without Centrify installed, we believe that Samba is configured correctly and functioning. We believe that Centrify is not processing authentication correctly or that we have a misconfiguration somewhere, but don't know where to begin.

Any advice is good advice! Thanks in advance for the help.


openscap failed results on owners of files on AD users.

Hi,

Glad that I can get any advice from here. I am right now hardening Red Hat 7.4 for STIG compliance as requested by the US government. I wonder how I can solve this problem for Active Directory users with Centrify Express. Since I have used Centrify, the local user names do not exist on this template.  I had the two failed results below, and the items increase when a new user logs on.

Ensure All Files Are Owned by a User

Ensure All Files Are Owned by a Group

Most of the violating directories are the /proc/ and /home/ directories. If you could give me a solution to get past the above failed results, it would be much appreciated.

Thanks,

sahn

Login fails with socket error

I have a Ubuntu 16.04 server I'm testing Centrify Express with; I've set up the service (version CentrifyDC 5.4.2-668) with the --express flag and can join the domain successfully (confirmed by adinfo).  However, no AD users can log in.  With debug turned on, I'm seeing these errors.  Same if I include domain in username.

Nov 09 14:23:38 sshd[2774] DEBUG: -> getpwnam_centrifydc_r user="sshd"
Nov 09 14:23:38 sshd[2774] DEBUG: User="sshd" str2ent=(nil) result=0x7f63365a2d80, buffer=0xbc8a16dce0
Nov 09 14:23:38 sshd[2774] DEBUG: User 'sshd' is not an override user
Nov 09 14:23:38 sshd[2774] DEBUG: getpwnam: User 'sshd' is in 'pam.ignore.users' list
Nov 09 14:23:38 sshd[2774] DEBUG: <- getpwnam_centrifydc_r, result=NSS_NOTFOUND(0)
Nov 09 14:23:41 sshd[2774] DEBUG: Failed to open logging connection to adclient through '/var/centrifydc/daemon2': Socket error
Nov 09 14:23:41 sshd[2774] DEBUG: -> getpwnam_centrifydc_r user="steve-admin"
Nov 09 14:23:41 sshd[2774] DEBUG: User="steve-admin" str2ent=(nil) result=0x7f63365a2d80, buffer=0xbc8a16dce0
Nov 09 14:23:41 sshd[2774] DEBUG: User 'steve-admin' is not an override user
Nov 09 14:23:41 sshd[2774] DEBUG: Failed to open connection to adclient through '/var/centrifydc/daemon2' Socket error (No such file or directory)
Nov 09 14:23:41 sshd[2774] DEBUG: <- getpwnam_centrifydc_r, result=NSS_UNAVAIL(-1)
Nov 09 14:23:41 sshd[2776] DEBUG: Failed to open logging connection to adclient through '/var/centrifydc/daemon2': Socket error
Nov 09 14:23:41 sshd[2776] DEBUG: -> pam_sm_authenticate
Nov 09 14:23:41 sshd[2776] DEBUG: PAM Options: (none)
Nov 09 14:23:41 sshd[2776] DEBUG: PAM Flags: DISALLOW_NULL_AUTHTOK
Nov 09 14:23:41 sshd[2776] DEBUG: Failed to open connection to adclient through '/var/centrifydc/daemon2' Socket error (No such file or directory)
Nov 09 14:23:41 sshd[2776] DEBUG: All local users are APU.
Nov 09 14:23:41 sshd[2776] INFO: Authentication for user 'steve-admin': access allowed in emergency mode.
Nov 09 14:23:41 sshd[2776] DEBUG: pam_sm_common() failed 9
Nov 09 14:23:41 sshd[2776] DEBUG: Can't open /usr/share/centrifydc/lib64/libatda.so (/usr/share/centrifydc/lib64/libatda.so: cannot open shared object file: No such file or directory).
Nov 09 14:23:41 sshd[2776] INFO: AUDIT_TRAIL|Centrify Suite|PAM|1.0|100|PAM authentication granted|5|user=steve-admin pid=2776 utc=1510255421000 DASessID=N/A DAInst=N/A status=GRANTED service=sshd tty=ssh client=192.168.65.27 reason=User is always permitted to login

Getting "failed to clear tatoo" error

We have been building out an AD domain and joining Linux machines to it using centrifydc.

Going pretty well for the most part.

One Linux box is disconnecting from the domain, for no obvious reason. (Not obvious to me, at any rate). After enabling centrifydc debugging, I found that the Kerberos keytab was missing from this box.

I tried to use "adkeytab" but it failed with error:

# adkeytab -r verbose -K /etc/kb5.keytab

Error: Keytab file does not exists /etc/kb5.keytab

I then decided to start from scratch, and I ran "adleave". I got a weird "tatoo" error:

# adleave --user "${ADJOIN_USERNAME}" --password "${ADJOIN_PASSWORD}" --remove
Using domain controller: qadc01b.qa.example.com writable=true
Failed to clear tatoo in computer object, leave continue. Please advise the administrator of the failure to cleanup tatoo in operatingSystemServicePack attribute of the computer object "CN=batch01b,OU=Linux,OU=Servers,DC=iad1,DC=qa,DC=example,DC=com".
Left domain.
Centrify DirectControl stopped.

"Failed to clear tatoo in computer object, leave continue"

What on earth??? (I've since learned what "registry tattooing" is. As a long-time Linux admin, I've never encountered this term.)

In any case, the computer appeared to have left the domain. adinfo showed as much:

# adinfo
Not joined to any domain
Licensed Features: Disabled

I then re-ran the centrifydc install script and it joined the domain and installed /etc/krb5.keytab, and adinfo shows it is joined and "getent passwd" shows AD users.

QUESTIONS

Is this "tatoo" error anything I should be concerned about? How do I fix it?

How can I determine why this box became disconnected from the domain in the first place?

Why did the krb5.keytab disappear? Why didn't "adkeytab" work?

Thanks!

Eliminate Centrify Sync after removal

We've stopped using Centrify to sync Samanage with Azure AD since there is direct support now.  I've removed all components locally but I'm still getting daily sync reports (which show failure of course) from Centrify.  How can I eliminate this daily sync attempt?

Download Links Broken

Having trouble updating Centrify Express

We're having trouble updating Centrify Express. We're on Version: 5.4.2.648.  When I click on Download Software, it goes to download, then nothing happens.

 

The following analysis tools will be downloaded:
    - Centrify adcheck for Mac 10.10 Intel, Mac 10.11 Intel, Mac 10.12 Intel, Mac 10.13 Intel
    - Centrify adcheck for Mac 10.6 Intel, Mac 10.7 Intel, Mac 10.8 Intel
    - Centrify adcheck for Mac 10.7 Intel, Mac 10.8 Intel, Mac 10.9 Intel, Mac 10.10 Intel
    - Centrify adcheck for Mac 10.8 Intel, Mac 10.9 Intel, Mac 10.10 Intel
    - Centrify adcheck for Mac 10.9 Intel, Mac 10.10 Intel, Mac 10.11 Intel
The following packages will be downloaded:
    - Centrify Infrastructure Services 2017.2 for Mac 10.10,10.11,10.12,10.13 Intel
Click Finish to start downloading software from Centrif

 

Centrify is Deployed on a Windows Server 2008 R2 Standard machine.

Any Ideas?

Two Factor Authentication - PAM_Radius

Hi,

One of my Linux servers is running Oracle Linux 6.9 and the Centrify client is installed on it to integrate with AD. AD integration is done and all my users log in to the server with AD credentials. No issues with login.

As additional security I want to implement two-factor authentication with pam-radius. I have installed the pam-radius rpm and pointed the server to the secureauth server. I have enabled usepam=yes in the ssh config file and restarted the machine. After reboot, two-factor authentication is not working. I'm able to log in with normal ssh. Need help on configuring the radius client. I have seen many online docs but they didn't help me.


high sierra problems

Hi,

I upgraded my macOS from Sierra to High Sierra without doing anything with Centrify Express. Now my computer is looping at login. Can't use it....

I have Apple support on it, but nothing happens. Is there anyone out there who has the same problem?

Regards

Jan-Erik

AD Users Share Local Account

We are migrating to a new server which is running AIX 7.1. All seems to work properly. Current prod server is running AIX 6.1 using 5.0 or 5.1 Express.

There is a config in the current server (6.1) where all AD authenticated users share a local AIX logon (named tempuser).
Our use case is Win users only need to authenticate to run an AIX app and they do not need nor use any other AIX local resources.

Does anyone know where I can find/set this logon-sharing in Centrify?

Cross domain users cannot login pam module believes their password is expired

Intro:

We have two domains that we will call domain 1 and domain 2.  Our users live in domain 1.  We join our dev/test servers to domain 2.  There is a two way trust between domain 1 and domain 2.  Users log into the dev/test servers living on domain 2 with their credentials from domain 1.

Problem:

Users intermittently receive errors when logging into machines joined to domain 2.  The error indicates that the server on domain 2 believes the user's account/password has expired.  However, checking on domain 1 the account/password has not expired.

Connector is not available error message

We are getting "Connector is not available" frequently for the past two days. Is there any update going on in the Centrify Server?

The error reported in the log file is
2017-12-08 06:24:35,077 [P-ProxyUI.exe-3312|(null)|(null)|77d66f725e474cb1a5ee3f8f9cc3a9e1|9|472924|WARN ] Centrify.Cloud.Core.InternalProxyClient.RunChannelAction: Failed to connect to address net.tcp://<servername>:9521/OnPremRpc with spn null and impersonated user null.
Details: System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://<servername>:9521/OnPremRpc. The connection attempt lasted for a time span of 00:00:02.0500327. TCP error code 10061: No connection could be made because the target machine actively refused it 10.10.10.83:9521.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 10.10.10.83:9521
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Please let us know how to overcome this ASAP.

directory synchronization report: group deprovisioned

Hi,

I played with groups and deleted them after my experiments. But my Centrify directory synchronization report still shows a few deprovisioned groups, see example below.

Group deprovisioned:

srv@custom-domain.com@ad-doamin.intra (a1d2ff40-e20c-46f2-8601-7c0fd8f05af5) => srv@custom-domain.com

I cannot find the groups, neither in AD nor in Centrify. How can I find and delete them? Thank you!
