Channel: Centrify Express topics
Viewing all 473 articles

dual persona CAC requests PIN repeatedly


Dual-persona on Outlook 2016 (Mac OS X 10.11.6, Centrify Express 5.4.2) requests PIN for each new message received, when the expected behavior is to challenge when launching Outlook, and then no more unless the CAC is removed. PIV is activated; have not walked through forcing PIV.tokend (understood this was addressed in Centrify Express 5.2.0?)

 


CentrifyDC Express 64-bit and Samba 32-bit


Two questions:

 

OS: AIX 7.1 TL5

Installed Centrify DC 2017 Express with adbindproxy 5.4.0

Samba 4.6.4 AIX Opensource Toolkit version

 

Ran adbindproxy.pl --info

CentrifyDC Version           = 5.4.2-668
CentrifyDC Architecture      = 64-bit

Samba Version                = 4.6.4
Samba Architecture           = 32-bit

Samba Version Supported      = no
Samba and CDC in same Realm  = yes
Samba and CDC share machine account = yes
Password sync using libtdb   = false

 

Question 1: Is the stack above supported for the CDCE?

 

Zone:              Auto Zone
Last password set: 2017-12-12 14:10:40 CST
CentrifyDC mode:   connected
Licensed Features: Disabled

 

The Centrify AD authentication works and has been fine through it all. Problem is the Samba component.

 

When I initially installed adbindproxy, Samba worked like a charm. Windows desktops were able to browse shares and users were able to read and write to them. After a reboot of the server... never again did the shares become available. Going on 2 days now of adleave's, adjoin's, adbindproxy.pl's, klist, kdestroy's, and smb*'s.

 

Getting the following errors all over the place.

Error NT_STATUS_CONNECTION_REFUSED

SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_NO_MEMORY
session setup failed: NT_STATUS_NO_MEMORY

Windows clients do not list the shares and they prompt for user and password, but no access to the shares.

 

Question 2: Any ideas, tips, troubleshooting to-do's?

 

----------------------------------------------------------------------------------------------------------------------------------------

 

CENTRIFY ADINFO RESULTS

 

bash-4.3# adinfo --all
Local host name:   pan
Joined to domain:  pg.local
Joined as:         psa.pg.local
Pre-win2K name:    psa
Current DC:        dc3.pg.local
Preferred site:    Co-Lo
Zone:              Auto Zone
Last password set: 2017-12-12 14:10:40 CST
CentrifyDC mode:   connected
Licensed Features: Disabled

 

THIS IS THE SAMBA CONF THAT ORIGINALLY WORKED.

 

bash-4.3# ./testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[samba-test]"
Processing section "[homes]"
Loaded services file OK.
WARNING: lock directory /var/locks should have permissions 0755 for browsing to work

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
enable core files = No
interfaces = en0 xxx.xxx.xxx.xxx
netbios name = PSA
realm = PG.LOCAL
workgroup = PG
machine password timeout = 0
auth methods = guest sam winbind ntdomain
kerberos method = secrets and keytab
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
security = ADS
server signing = if_required
idmap cache time = 0
template shell = /bin/bash
winbind use default domain = Yes
idmap config * : base_tdb = 0
idmap config * : range = 1000 - 200000000
idmap config * : backend = tdb


[samba-test]
path = /samba-test
guest ok = Yes
read only = No


[homes]
comment = Home directories
browseable = No
read only = No

PROCS RUNNING...

bash-4.3# ps -ef | grep freeware
    root 3670204 3473978   0 15:06:02  pts/1  0:00 grep freeware
    root 4259944 3605114   0 14:10:48      -  0:00 /opt/freeware/sbin/smbd -F
    root 2359688 3605114   0 14:10:48      -  0:00 /opt/freeware/sbin/smbd -F
    root 3211536 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/nmbd -F
    root 3277096 2425488   0 14:10:48      -  0:00 /opt/freeware/sbin/winbindd -F -s /etc/centrifydc/smb2.conf
    root 2425488 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/winbindd -F -s /etc/centrifydc/smb2.conf
    root 3605114 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/smbd -F
    root 2163588       1   0 12:47:49      -  0:00 /opt/freeware/sbin/cupsd -C /etc/cups/cupsd.conf -s /etc/cups/cups-files.conf
    root 2884494 3605114   0 14:10:48      -  0:00 /opt/freeware/sbin/smbd -F

bash-4.3# ps -ef | grep adb
    root 3670214 3473978   0 15:07:04  pts/1  0:00 grep adb
    root 1901228 2294382   0 14:10:47      -  0:00 /usr/share/centrifydc/sbin/adbindd -F

 

 

 

Centrify does not start after AIX Update to TL5


Updated our system to AIX TL5 and after every reboot, Centrify errors out and does not startup.

If we stop it and start it again, sometimes it comes online properly. At other times, it takes more than one stop/start because adinfo hangs and so does centrifydc status.

 

errpt is posting the following:

LABEL: SRC_SVKO
IDENTIFIER: BC3BE5A3

Date/Time: Wed Dec 13 12:00:41 CST 2017
Sequence Number: 804
Machine Id: 00F83C874C00
Node Id: psa
Class: S
Type: PERM
WPAR: Global
Resource Name: SRC

Description
SOFTWARE PROGRAM ERROR

Probable Causes
APPLICATION PROGRAM

Failure Causes
SOFTWARE PROGRAM

Recommended Actions
MANUALLY RESTART SUBSYSTEM IF NEEDED

Detail Data
SYMPTOM CODE
393222
SOFTWARE ERROR CODE
-9017
ERROR CODE
0
DETECTING MODULE
'srchevn.c'@line:'376'
FAILING MODULE
centrifydc

The following related services do make it ok:

 

root 2883924 2163006   0 12:09:08      -  0:00 /usr/share/centrifydc/libexec/adinfo -m
root 1573764 1246190 174 12:09:03      -  5:25 /usr/sbin/adclient -F -M

Anything that can be done to fix its startup?

 

 

 

AIX 7 and adbindproxy Install Issue


Server AIX 7.1 TL 5 with CentrifyDC Express 5.4.2-668

 

The documentation (link) to install centrify-adbindproxy-5.4.0-aix6.1-ppc.tgz (IBM AIX 6.1 or later) says

  1. gunzip centrifydc-adbindproxy-*-aix6.1-ppc.tgz
  2. inutoc .
  3. installp -aY -d centrifydc-adbindproxy-*-aix6.1-ppc.bff CentrifyDC.adbindproxy
Doing so returns...

Step 1 produces centrify-adbindproxy-5.4.0-aix6.1-ppc.tar
Step 2 returns a new prompt
Step 3: Herein lies the issue. The command calls for a file with a .bff extension. Step 1 produced a file with .tar. No instruction on how to get us from one to the other.
 
My attempt to get the file to become .bff:
When I uncompressed the .tar file (tar xvf ), it produced 2 files: an html file and a same named .gz file.
I gunzipped the .gz file and it produced a file still with the same name as the original .tgz; however, it has no extension and added -bff to the name.
 
When I ran the installp command it responded with 0503-436... could not be accessed. Specify a valid device name.
 
I took a 'what if' and replaced the -bff with .bff but still no go. Same response.
 
Alternate Approach
Now, SMITTY did recognize the tar version of the file. Used it to run a mock install, and it returned a successful install message.
 
Not sure how reliable it is doing it this way. I used this alternate way to install this program the first time, and it worked once soon after its install. But after a reboot, the shares never came back online. Maybe it's coincidence.
 
Hence, why I am posting this. This time, I want to install it by the book.
 
Has anyone had success installing it using the same platform?
 
 
 
 
 
 

Express & Deployment Manager Catalogue


Please excuse my ignorance, I just installed Centrify Express.

Centrify on install asks you...

"In order to download Centrify Software you will need to import the Centrify Product Catalogue. To do so, right click Centrify..... Centrify\Deployment Manager Folder location and import the centrify-product-catalog-offline.xml file."

 

This does not exist on my device and links in another logged forum are inaccessible due to not being a paying customer. Am I on the wrong path, or is there another location for this file?

 

Centrify stops recognizing AD groups with sudo


We are running centrifydc on Oracle Linux 5.11, 6.9 and 7.2. At random times it stops recognizing AD groups for logins and sudo. When I run adinfo it shows as connected. The groups are clearly defined in the centrifydc/users.allow file and /etc/sudoers as %linux_admins-gg, and when a user tries to log in it stops working until the server is removed and re-added to the domain. This is a problem as we get users complaining all the time. There is no rhyme or reason to tell what the cause is. Is there a log file? Also I know that AD is annoying in how it wants to control time. Is this the cause?

adbindproxy and AIX Samba


AIX 7.1 TL5
AIX Samba (smbd, nmbd, winbindd) is being launched by inittab on startup.

After adbindproxy is installed, an SRC group is created and it is set to start. The inittab config is left alone.

So 'both Sambas' are running once the machine comes back after a reboot.

 

Is this by design?

 

I was expecting the inittab config to be removed since the Samba group calls the same executables.
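The process listing in the "CentrifyDC Express 64-bit and Samba 32-bit" post above, and the question here about two sets of Samba daemons, suggest a check worth scripting: count how many master copies of smbd, nmbd and winbindd are actually running. The following is an added example, not code from either post or from Centrify. It assumes the `ps -ef` column layout shown in that post (UID PID PPID C STIME TTY TIME CMD, so the command path is the eighth field); the first sample is the listing copied from the post, the second is constructed by adding an smbd tree whose parent is init, which is what a leftover inittab entry looks like next to the SRC-started copy.

```sh
#!/bin/sh
# Added example (not from the forum posts or Centrify): report whether more
# than one "master" copy of each Samba daemon is running, e.g. one started by
# inittab and one by the SRC group that adbindproxy creates.
#
# Assumption: input is `ps -ef` output in the column layout shown in the post
# (UID PID PPID C STIME TTY TIME CMD ...), so $2 is PID, $3 is PPID and $8 is
# the command path.

# samba_masters: read ps -ef lines on stdin, print "daemon count" lines, sorted.
# A "master" is an smbd/nmbd/winbindd whose parent is NOT the same daemon
# (smbd forks one child per client; all those children share one master).
samba_masters() {
    awk '
    {
        name = $8; sub(/.*\//, "", name)
        if (name == "smbd" || name == "nmbd" || name == "winbindd") {
            daemon[$2] = name
            parent[$2] = $3
        }
    }
    END {
        for (p in daemon) {
            pp = parent[p]
            if (!(pp in daemon) || daemon[pp] != daemon[p])
                masters[daemon[p]]++
        }
        for (n in masters) print n, masters[n]
    }' | sort
}

# duplicate_daemons: print only the daemons that have more than one master.
duplicate_daemons() {
    samba_masters | awk '$2 > 1 { print $1 }'
}

# Constructed sample: the process list from the post (one master per daemon;
# parent 2294382 is the SRC master, 3605114 is the smbd master).
SAMPLE_OK=$(cat <<'EOF'
    root 3670204 3473978   0 15:06:02  pts/1  0:00 grep freeware
    root 4259944 3605114   0 14:10:48      -  0:00 /opt/freeware/sbin/smbd -F
    root 2359688 3605114   0 14:10:48      -  0:00 /opt/freeware/sbin/smbd -F
    root 3211536 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/nmbd -F
    root 3277096 2425488   0 14:10:48      -  0:00 /opt/freeware/sbin/winbindd -F -s /etc/centrifydc/smb2.conf
    root 2425488 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/winbindd -F -s /etc/centrifydc/smb2.conf
    root 3605114 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/smbd -F
    root 2884494 3605114   0 14:10:48      -  0:00 /opt/freeware/sbin/smbd -F
EOF
)

# Constructed sample: the same daemons plus a second smbd tree whose master
# was started by init (PPID 1), i.e. a leftover inittab entry.
SAMPLE_DUP=$(cat <<'EOF'
    root 3605114 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/smbd -F
    root 2884494 3605114   0 14:10:48      -  0:00 /opt/freeware/sbin/smbd -F
    root 3211536 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/nmbd -F
    root 2425488 2294382   0 14:10:47      -  0:00 /opt/freeware/sbin/winbindd -F -s /etc/centrifydc/smb2.conf
    root 5000000       1   0 14:10:40      -  0:00 /opt/freeware/sbin/smbd -D
    root 5000010 5000000   0 14:10:41      -  0:00 /opt/freeware/sbin/smbd -D
EOF
)

# Stand-alone demo; on the real host pipe the live listing in:  ps -ef | duplicate_daemons
echo "== healthy listing =="
printf '%s\n' "$SAMPLE_OK" | samba_masters
echo "== daemons with more than one master in the duplicated listing =="
printf '%s\n' "$SAMPLE_DUP" | duplicate_daemons
```

Run `ps -ef | duplicate_daemons` right after a reboot: an empty result means one tree per daemon; a daemon name in the output means two masters are competing for the same ports and tdb files, which is the situation to resolve (by removing one launcher) before chasing Kerberos or share errors.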

MacOS Client in disconnected mode


I've done all the tests suggested on KB-1425 and in KB-4208 but the client remains in disconnected mode and the user is unable to change password.

 

Only way to fix this: unbind and rebind on the domain.

 

What's wrong?

 

PS I've collected the logs as stated in the kb


centrify express for Mac


It will not let me download Centrify Express for Mac. When I enter my information, "Our apologies something did not go as expected" pops up.

 

AIX7's Kerberos Affecting Centrify's Samba/Kerberos


How does one 'force' adbindproxy to use Centrify's Kerberos executables?

Environment: 

AIX 7.1 TL5 being used as a SAMBA file server.
Windows 7 clients.

Issue:
Inaccessible SAMBA shares after reboot.

 

Notes:
(During this entire exercise users were able to successfully authenticate with their AD credentials in order to gain access to an AIX shell and run programs. The DC Express service(s) seem to work properly.)

There have been times when, after multiple adleave's, adjoin's, and full CentrifyDC Express uninstall/reinstalls with adbindproxy.pl included, the shares DO become available and work properly. Shares are browsable from Windows Explorer. The smb.conf file can be updated normally. Shares can be added/removed normally, too.

Until a reboot happens. Afterwards, we get the enter username password window at the clients that doesn't go away because Samba is getting authentication errors.

 

[2018/01/03 09:28:37.460974,  3] ../source3/auth/token_util.c:317(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2018/01/03 09:28:37.460996,  1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)

Come to find out our AIX 7 install has its own IBM Java-flavored Kerberos which I believe is confusing/interfering with Centrify Express' Kerberos, resulting in inaccessible SAMBA shares.

All commands were run as root.

#AIX'S KERBEROS
bash-4.3# which kinit
/usr/java5/jre/bin/kinit

#CENTRIFY'S KERBEROS
bash-4.3# /usr/share/centrifydc/kerberos/bin/kinit


All the information that I found asks to run kinit, klist, or kdestroy from the prompt. In our case, doing so runs the AIX version of the commands, and they error out. 

bash-4.3# kinit testuser
Password for testuser@PSA.LOCAL:
{visible password characters}
com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
        message: java.security.InvalidKeyException: Illegal key size

 

Not to mention consistently running into these errors once the shares become unavailable. Not sure if they are related somehow.

#re-running adbindproxy.pl
...
Updating smb.conf with Centrify recommended settings...
Connection failed: NT_STATUS_INVALID_PARAMETER
Get Domain SID failed. Please try again with authentication and a valid DC.
...
Done.
Failed to change computer password in AD domain psa.local
/usr/sbin/adkeytab fails with:
Error: Computer failed to change its own password
Adjust the privilege settings for 'server1' or retry with a more privileged principal.
Failed: Change Password: Default Key Tab

I did not find a way to change/renew the password unless it was leaving the domain and rejoining it.

 

However...

 

Running the executables from within the Centrify directory produces the results displayed in the information online.

bash-4.3# /usr/share/centrifydc/kerberos/bin/kinit testuser
Password for testuser@PSA.LOCAL:
{NON-visible password characters}
bash-4.3#
bash-4.3#
bash-4.3#
bash-4.3# /usr/share/centrifydc/kerberos/bin/klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: testuser@PSA.LOCAL

Valid starting     Expires            Service principal
01/03/18 10:18:33  01/03/18 20:18:33  krbtgt/PSA.LOCAL@PSA.LOCAL
        renew until 01/04/18 10:18:27 


Also, we have a centrify-kcm service that isn't launched on server startup.
What is centrify-kcm? What is it used for?
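The core of the problem described in this post is that `kinit` on the PATH resolves to the Java copy while the working tools live in /usr/share/centrifydc/kerberos/bin. The script below is an added example, not from the post or from Centrify: it reports which binary a given PATH would run for each Kerberos tool, builds a PATH with the Centrify directory first, and reads klist output to confirm a TGT for the realm is present. The scratch directory tree, the sample PATH and the sample klist dump are constructed to mirror the layout and output shown in the post.

```sh
#!/bin/sh
# Added example (not from the post or Centrify): show which kinit/klist/kdestroy
# a PATH would run, build a PATH that prefers the Centrify copies, and confirm
# a TGT from klist output.
# Assumption: the Centrify Kerberos tools live in /usr/share/centrifydc/kerberos/bin
# as in the post (override CENTRIFY_KRB_BIN if yours differ).

: "${CENTRIFY_KRB_BIN:=/usr/share/centrifydc/kerberos/bin}"

# first_in_path NAME PATHSTRING: print the first executable NAME found along
# PATHSTRING (the rule `which` applies); exit 1 and print nothing if absent.
first_in_path() (
    IFS=:
    for dir in $2; do
        if [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# krb_tools_check PATHSTRING: for each Kerberos tool, say whether PATHSTRING
# resolves it to the Centrify copy. Returns 0 only when all three do.
krb_tools_check() {
    rc=0
    for tool in kinit klist kdestroy; do
        found=$(first_in_path "$tool" "$1") || found="(none)"
        case $found in
            "$CENTRIFY_KRB_BIN"/*) printf '%-8s ok       %s\n' "$tool" "$found" ;;
            *)                     printf '%-8s MISMATCH %s\n' "$tool" "$found"; rc=1 ;;
        esac
    done
    return $rc
}

# centrify_path PATHSTRING: PATHSTRING with the Centrify Kerberos directory
# first, so scripts get those tools without editing the system profile.
centrify_path() {
    printf '%s\n' "$CENTRIFY_KRB_BIN:$1"
}

# has_tgt REALM: read klist output on stdin; succeed if a ticket for
# krbtgt/REALM@REALM is listed. Assumes the MIT klist layout from the post,
# where the service principal is the last column of each ticket line.
has_tgt() {
    awk -v tgt="krbtgt/$1@$1" '$NF == tgt { found = 1 } END { exit found ? 0 : 1 }'
}

# demo_sandbox: build a throw-away tree mirroring the post (a Java kinit and a
# Centrify kinit/klist/kdestroy as stub scripts) and print its root.
demo_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/java5/jre/bin" "$root/usr/share/centrifydc/kerberos/bin"
    for t in kinit klist kdestroy; do
        printf '#!/bin/sh\necho centrify %s\n' "$t" > "$root/usr/share/centrifydc/kerberos/bin/$t"
        chmod +x "$root/usr/share/centrifydc/kerberos/bin/$t"
    done
    printf '#!/bin/sh\necho java kinit\n' > "$root/usr/java5/jre/bin/kinit"
    chmod +x "$root/usr/java5/jre/bin/kinit"
    printf '%s\n' "$root"
}

# Constructed sample: the klist output from the post.
KLIST_SAMPLE='Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: testuser@PSA.LOCAL

Valid starting     Expires            Service principal
01/03/18 10:18:33  01/03/18 20:18:33  krbtgt/PSA.LOCAL@PSA.LOCAL
        renew until 01/04/18 10:18:27'

# Stand-alone demo in the scratch tree; on a real host run: krb_tools_check "$PATH"
SANDBOX=$(demo_sandbox)
CENTRIFY_KRB_BIN=$SANDBOX/usr/share/centrifydc/kerberos/bin
JAVA_FIRST="$SANDBOX/usr/java5/jre/bin:$SANDBOX/usr/bin"
krb_tools_check "$JAVA_FIRST" || echo "-> scripts on this PATH get the Java kinit"
krb_tools_check "$(centrify_path "$JAVA_FIRST")" && echo "-> Centrify tools come first"
printf '%s\n' "$KLIST_SAMPLE" | has_tgt PSA.LOCAL && echo "-> TGT for PSA.LOCAL present"
rm -rf "$SANDBOX"
```

Running `krb_tools_check "$PATH"` as the user that starts Samba (root here) shows in one screen whether a cron job, init script or adbindproxy.pl run would pick up /usr/java5/jre/bin/kinit; `PATH=$(centrify_path "$PATH")` in that script's environment is the least invasive fix to test before changing anything system-wide.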

Centrify not using ntp server


I'm testing Centrify Express for Linux (CentOS 7) and it's refusing to acknowledge my working ntp server. From an ssh session on my testing box:

 

sudo ntpdate -q hubcap
server 192.168.6.10, stratum 2, offset -0.004164, delay 0.02596
 5 Jan 16:11:08 ntpdate[5219]: adjust time server 192.168.6.10 offset -0.004164 sec

Hubcap is the DC for this domain. But when I analyze with Centrify, I get "We re-queried hubcap.ad.goldblattsystems.com for the time, and it did not answer." 

 

How can I get this working?

Where to download Centrify Express for MAC Agent


Hi,

 

the download link for Centrify Express is broken:

https://www.centrify.com/express/mac-form/

I urgently need to download the latest version as we have computers where users have updated their MAC OS X and now cannot authenticate anymore.

 

Thanks a lot!

Unable to authenticate to websites using Chrome 63.0.3239.132 on OSX 10.13.2


I'm trying to get myself set up to be able to authenticate to websites in Chrome using my CAC on my Macbook. I have a smart card reader; Smart Card Assistant (Centrify Express for Smart Card) installed and recognizing my card; all necessary certificates installed and recognized. I am able to authenticate to, for instance, myaccess.dmdc.osd.mil using Safari. It prompts for my PIN. After I enter it I am sent to the page I'm accessing.

 

When I attempt to log into the above website using Chrome, I instead get "ERR_BAD_SSL_CLIENT_AUTH_CERT". It doesn't prompt for my PIN. The certificates are never presented for selection and aren't being sent to the site. I've tried the option in Chrome to manage certificates but this simply opens Keychain Access. My CAC is listed with its certificates. I'm not able to link these certificates to Chrome in any way. I've even tried to add a New Identity Preference but the only certificates given to select are from Apple.

 

What special steps do I need to take to get this to work with Chrome?

Android app does not complete multi-factor authentication


Good afternoon all,

 

I have a co-worker using a Samsung Galaxy Note 4 running Android 6.0.1 attempting to log in with the Microsoft Staff Hub app, but it never completes the multi-factor authentication. It shows attempting to call *** *** ####, but no call is received.

 

Any suggestions?

Can I add a network share into my Centrify Company Apps?


I would assume it's possible, but I'm trying to find out how to get a network share to show up on my mobile devices, pushed through Centrify.

Perhaps there is a way for them to open the CompanyApps app, and there would be a folder that links back to my file server?


AD login script not firing, help!


Hey everyone.

 

I'm trying to get this login script to work to change my printer settings from color (default) to black and white...

 

Here's what I've done...

 

I've gone into Group Policy>Computer Configuration>Policies>Centrify Settings>Common Unix Settings>Copy Files

 

I have it set to copy this file to /usr/local/bin

 

This is the script "7545_BW_Login.sh":

 

#!/bin/bash
# Switch the Xerox7545 queue on the local CUPS server (127.0.0.1:631) to grayscale output
lpadmin -h 127.0.0.1:631 -p Xerox7545 -o XRColorCorrection=gray

This command does what I want it to do when executed locally.

 

Next I've tried several different approaches to get this script to fire on login with no success. I'm pretty new to Mac management but here's what I've tried...

 

Group Policy>Computer Configuration>Policies>Centrify Settings>Mac OS X Settings>Scripts (Login/Logout) 

I've tried \\mycomp.local\sysvol\mycomp.local\scripts\execute_7545_BW_Login.sh

 

Didn't work.

 

Created an execute script "execute_7545_BW_Login.sh" that says this:

#!/bin/bash
# Wrapper launched by the login-script policy; runs the script that the Copy Files policy placed in /usr/local/bin
bash /usr/local/bin/7545_BW_Login.sh

Tried putting this script into the computer config login script area.

 

No dice.

 

I've tried putting one / both of these scripts into the user login script with run-as-root privileges.

 

(User Configuration>Centrify Settings>Mac OS X Settings>Scripts (login/logout))

 

None of these options have worked. Am I putting the script in the wrong location? There's no evidence that the script is attempting to fire. I can execute either of these scripts on my local Mac and get them to work, but it's not firing from login via group policy.

 

I've done gpupdate /force on the AD controller and adgpupdate on my machine and nothing.

 

Any advice? 
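When a policy-delivered login script leaves no trace, the first thing to establish is whether it ran at all, and as which user. The wrapper below is an added example, not the poster's script and not Centrify's: it records every invocation, the uid it ran under and the exit status of the printer command in a log file, so the next login answers the question instead of leaving it to guesswork. The log path is a choice made for this example; the `lpadmin` invocation is the one from the post.

```sh
#!/bin/sh
# Added example (not the poster's script or Centrify's): a login-script wrapper
# that leaves a trace of every run. Assumption: LOGIN_SCRIPT_LOG is a path of
# our choosing; the lpadmin command is the one the post wants to run at login.

: "${LOGIN_SCRIPT_LOG:=/var/log/7545_bw_login.log}"

# log_line MESSAGE: append a timestamped line naming the numeric uid and the
# login name the script runs as (root when launched by a computer-level policy).
log_line() {
    printf '%s uid=%s user=%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" \
        "$(id -u)" "${USER:-unknown}" "$1" >> "$LOGIN_SCRIPT_LOG"
}

# run_logged COMMAND [ARGS...]: run the command, capture its output and exit
# status in the log, and return that status so the caller sees failures too.
run_logged() {
    log_line "start: $*"
    "$@" >> "$LOGIN_SCRIPT_LOG" 2>&1
    rc=$?
    log_line "exit=$rc: $1"
    return $rc
}

# last_exit_status: print the exit status recorded by the most recent run.
last_exit_status() {
    sed -n 's/.* exit=\([0-9][0-9]*\):.*/\1/p' "$LOGIN_SCRIPT_LOG" | tail -n 1
}

# The actual login task from the post: switch the Xerox 7545 queue to grayscale.
set_printer_grayscale() {
    run_logged lpadmin -h 127.0.0.1:631 -p Xerox7545 -o XRColorCorrection=gray
}

# Stand-alone demo with a scratch log and stand-in commands, so it runs on a
# host without CUPS. The deployed copy would end with: set_printer_grayscale
LOGIN_SCRIPT_LOG=$(mktemp)
run_logged true
run_logged sh -c 'exit 3' || true
echo "last recorded exit status: $(last_exit_status)"
cat "$LOGIN_SCRIPT_LOG"
rm -f "$LOGIN_SCRIPT_LOG"
```

With this in place, an empty log after a login means the policy never launched the script (a placement or policy-application problem); a log line with a non-zero `exit=` means it launched but `lpadmin` refused, and the captured output says why.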

 

Smart card not reading on centrify express.


I downloaded centrify express, but my smart card does not appear on keychain access.  I do not think the computer is recognizing my smart card.  How do you correct this?

 

Thank you for your time and consideration.

This certificate cannot be used for pkinit


Unable to log in to any .mil websites that require CAC cards. Did everything on this website "https://militarycac.com/" with still no success. On my CAC card log it says: ** This certificate cannot be used for pkinit.

 

Also, this is on MacOS High Sierra.

identify the previous version installed from backup files


Could anyone provide a way to identify the previous version installed from backup files, e.g. a registry entry for Enterprise, Express, etc.?
We've had a physical DC crash which had this running, but have never had to deal with it (inherited; appears to have been v3, v4 and currently 5.0.2).

Centrify Corporation  Centrify Common Component 3.0.0.100  3.0.0.100
Centrify Corporation  Centrify Deployment Manager 2.1.2.443  2.1.2.443
Centrify Corporation  Centrify DirectControl ADUC Extension 5.0.2.388  5.0.2.388
Centrify Corporation  Centrify DirectControl ADUC Extension 5.0.2.388  5.0.2.388
Centrify Corporation  Centrify DirectControl Console 5.0.2.388  5.0.2.388
Centrify Corporation  Centrify DirectControl Console 5.0.2.388  5.0.2.388
Centrify Corporation  Centrify DirectControl Password Sync 5.0.2.388  5.0.2.388
Centrify Corporation  Centrify DirectControl Password Sync 5.0.2.388  5.0.2.388

We have backups of the DC however the previous administrator has not kept the install files on the server.
I'm unsure what might happen if we just install the latest express version.

So if possible, could you also let me know what version of the suite I need to re-install the same version.

Any advice appreciated.

Thanks

VNC with centrify (pam?)


Good Afternoon,


I am working for a client who uses Centrify software on their RHEL7 servers. I have been reaching out on all channels to implement a change that they requested. Basically, Centrify accounts work fine with normal SSH logins, but using the rhel supported tigervnc-server, a separate password is requested. Are you aware if there is a documented solution using Centrify to log in with the same credentials both to ssh and VNC?


Thank you,

-Paul
