Channel: Centrify Express topics
Viewing all 473 articles

/usr/sbin/winbindd doesn't exist or is not executable!


Hello

 

I am using Centrify Express with Ubuntu 14.04. I installed the Express agent, then I installed Samba. After that I ran the adbindproxy but I am getting the following error:

 

Please specify Samba's path if it is not in [/usr/] :
Using (/usr/)
The Samba base path is : /usr/
/usr/sbin/winbindd doesn't exist or is not executable!

 

Any idea?

 

 


Re: Please Help


Brian,

 

I have done everything to remove all software from my computer in attempts to get my CAC reader to work after updating to Version 10.11.4 on my iMac. I followed the instructions to the letter 3 times. I can't get the CAC reader to work (SCR3310 V2.0). When I go to the diagnostics portion of the program it can't locate the smart card. I also can't find the card in my keychains. The light on the card reader never flashes or comes on. I can see the card reader under USB devices when it is plugged in. It worked before updating to this OS. Any recommendations would be appreciated.

                               Thank you,

                                   Justin

 

Cloud Connector is down. What are the consequences?


Dear Centrify experts,

 

I have a single Centrify Cloud Connector installed in my LAN. I use it for Office 365 SSO. Let's imagine it is down for some reason. When I simulate this scenario I can see that users are unable to log in to the Office 365 portal. What are the other consequences? Is the connection to the Exchange server lost when the Centrify Cloud Connector is down?

 

Thank you in advance!

Looking for solaris-10 tool to manipulate the unix attributes in an active directory.


I'm not looking for integration. We already have that for our Linux systems. What I need is a way to manage the unix attributes - command line would be best.

 

I've read about adedit - what I saw made me think that might work. Will it? Is it get-table? Other suggestions?

 

Thanks!

/ Sid /

Free Mac Smart Card Support for Federal CAC and PIV Card Users download?


When I download "Free Mac Smart Card Support for Federal CAC and PIV Card Users" a page with computer code opens.  

Mac not recognizing CAC w/Centrify


I've followed the steps exactly in the READ ME 1ST post, but Keychain still doesn't show my CAC.  I have SCR331 with 5.18 firmware (Mac recognizes the reader correctly), Oberthur ID One 128 v5.5 Dual.  The Centrify Smart Card Assistant also does not see the CAC ("no smartcards found").  The light on the SCR331 blinks a few times, then goes solid green shortly after I insert a CAC.  Any recommendations on how to make this work?  Thanks!

Ubuntu 16.04 LTS and Centrify 5.3.1-389 | EXIT CODE: 26


Hi!

Please help!

 

Ubuntu 16.04 LTS x64(all update installed). Centrify 5.3.1-389.

Log file

install-express.sh ************** rev = 2016.1 (5.3.1-389) *****************
Сс Мам 24 10:09:20 +06 2016
INFO: found /etc/os-release:
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial

INFO: found /etc/lsb-release:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
4.4.0-22-generic
INFO: TARGET_OS=linux
INFO: OS_REV=ubuntud16.04
INFO: ARCH=x86_64
INFO: Express mode is supported
INFO: script_name=install-express.sh
INFO: current umask: 0022
INFO: CentrifyDC-nis is supported
INFO: CentrifyDC-openssh is supported
INFO: CentrifyDC-ldapproxy is supported
INFO: CentrifyDA is supported

install-express.sh: is_installed:

install-express.sh: search_adcheck:
... found

Running /home/sportwriter-ubuntu/Документы/adcheck-deb7-x86_64 ...

WARNING: adcheck exited with warning(s).

install-express.sh: do_suite_prompt:

INFO: Silent mode settings:
    CDC_VER=5.3.1
    ADCHECK=N
    ADJOIN=N
    ADJ_LIC=
    ADJ_FORCE=N
    ADJ_TRUST=N
    DOMAIN=company.com
    USERID=administrator
    PASSWD=********
    COMPUTER=sportwriter
    CONTAINER=Computers
    ZONE=
    SERVER=
    REBOOT=N
    ADLICENSE=Y
    CentrifyDC_nis=N
    CentrifyDC_openssh=F
    CentrifyDC_krb5=N
    CentrifyDC_web=N
    CentrifyDC_apache=N
    CentrifyDC_ldapproxy=N
    CentrifyDC_samba=N
    CentrifyDC_idmap=N
    CentrifyDC_adbindproxy=
    CentrifyDC_db2=
    CentrifyDA=U
    DA_INST_NAME=
    INSTALL=U
    UNINSTALL=
    DA_ENABLE=K

install-express.sh: is_perl_installed:
looking for Perl ...
found Perl: /usr/bin/perl

install-express.sh: determine_license:

The Express mode license allows you to install a total of 200 agents.
The Express mode license does not allow the use of licensed features for
advanced authentication, access control, auditing, and centralized
management.  This includes, but is not limited to features such as
SmartCard authentication, DirectAuthorize, DirectAudit, Group Policy,
Login User Filtering, and NSS overrides.

install-express.sh: do_prompt_join:

install-express.sh: do_prompt_gz:

install-express.sh: do_verify:

Running /home/sportwriter-ubuntu/Документы/adcheck-deb7-x86_64 ...

WARNING: adcheck exited with warning(s).

install-express.sh: do_preinstall:
skipping ...

install-express.sh: do_install_main:

install-express.sh: do_install:
List of 5.3.1 packages to be installed:
    CentrifyDC

pre-install: 5.3.1-398: Сс Мам 24 10:11:39 +06 2016
arguments: install
systemd found
post-install: 5.3.1-398: Сс Мам 24 10:11:40 +06 2016
arguments: configure
creating /usr/bin/dzdo symlink ...
creating /usr/bin/dzedit symlink ...
Updating /etc/logrotate.d/centrifydc...[Done]
adding /usr/bin/dzsh to /etc/shells ...
Installing dzdo PAM config files from *-pam-conf-common-debian ...
  /etc/pam.d/dzdo-ad-mfa
  /etc/pam.d/dzdo-mfa
  /etc/pam.d/dzdo
File /etc/lightdm/lightdm.conf does not exist, create a new file ...
Appending SeatDefaults stanza and set greeter-show-manual-login to true in /etc/lightdm/lightdm.conf ...
Need to support upstart
systemd found
Copying upstart service file ...
Copying systemd service file ...
Synchronizing state of centrifydc.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install enable centrifydc
insserv: warning: script 'centrify-kcm' missing LSB tags and overrides
insserv: warning: script 'centrify-kcm' missing LSB tags and overrides
Set licensed mode
The mode has been set to licensed.
Centrify DirectControl has been successfully installed.
INFO: install/upgrade RC=0

install-express.sh: do_postinstall:

install-express.sh: set_license_mode:
The mode has been set to express.
Joining the Active Directory domain tk-imperator.kz ...
ADJ_LIC=
ADJ_FORCE=N
ADJ_TRUST=N
USERID=buryy
COMPUTER=sportwriter
CONTAINER=Computers
SERVER=auto detect
ZONE=

Error detected.
Exiting ...
EXIT CODE: 26

CentOS 6 Kickstart


Before I re-invent the wheel, I am curious if anyone has an example of a CentOS Kickstart that includes an installation of Centrify Express that they can share? If not, that is fine.


Can't open OWA email with DoD CAC after all steps are followed


After adding the correct keychain, I go to access my outlook OWA email and I get "Page cannot be displayed."

 

I don't even get the pop up to select my certificate anymore.  Never had the issue before.  

 

Previous troubleshoots included deleting my identity preferences as well.  

Privilege Identity Service


How is the Centrify Privilege Service (the software that is able to rotate passwords, record sessions, etc.) licensed?


Are the licenses perpetual or subscription?

 

Thanks,
Bruno

What happens after a subscription expires (CPS - Password Management Solution)


Hi,

 

Let's say my subscription to the Centrify Privilege Service expires and an administrator needs to open an RDP or SSH session to one of the servers where the password is under management. Will the user still be able to log in to the CPS portal and retrieve the password or a session, or would he not be able to do that because the license is expired?

 

Once the subscription expires what happens exactly?

 

Thanks,

Bruno

unwanted Active Directory users synchronized to Office 365 portal


Dear Community members,

 

I can see a lot of users synchronized from my Active Directory to the Office 365 Portal Active Users list.

 

Before Centrify we tried Azure AD Connect; it was stopped a few weeks ago.

 

I actually need only a few of my AD users in the Office 365 portal. I have added them in Centrify Cloud Manager - Roles - Office 365 Role - Members page. But a lot of unwanted users are still listed on the Office 365 portal page.

 

How can I remove those unwanted AD users from Office 365 Portal Active Users list?

 

Thank you in advance!

DNS Error while integrating Windows AD with Linux Machine


Hi,

 

I am working on integrating Windows AD with a Linux machine. I downloaded Centrify Express and installed it on a Windows machine. In the DirectManage Deployment Manager, I received a DNS error as shown below.

 

********Error 1********

No good DNS servers were found.
You must fix this issue before continuing.
Check the IP addresses in /etc/resolv.conf
Alternatively you can use the -s <server> option and
place all required system names in /etc/hosts,
but this is not recommended.

The following table lists the state of all configured
DNS servers.
 192.168.59.2 (unknown): dead

*********************

 

As a result, I cannot proceed ahead and analyze the environment. Can I get help on this?

Help for newbie


Hi,

 

I have rolled out Express to a test Ubuntu server and would like to find out a step-by-step way of allowing AD groups to be nested into a local group to be able to log into the server and perform admin tasks.

 

Thanks

 

Keith

adclient:1216 blocked for more than 120 seconds


Hi All,

 

The server load peaks every hour. The server hangs every 2 hours. Below are the logs for it.

 

May 26 12:03:17 p kernel: [ 7078.771346] INFO: task adclient:1216 blocked for more than 120 seconds.

May 26 12:03:17 p kernel: [ 7078.771365]       Not tainted 3.13.0-85-generic #129-Ubuntu

May 26 12:03:17 p kernel: [ 7078.771380] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

May 26 12:03:17 p kernel: [ 7078.771401] adclient        D ffff88043fc13180     0  1216      1 0x00000000

May 26 12:03:17 p kernel: [ 7078.771402]  ffff8804280afc20 0000000000000086 ffff880426766000 ffff8804280affd8

May 26 12:03:17 p kernel: [ 7078.771404]  0000000000013180 0000000000013180 ffff880426766000 ffff8804268a9b08

May 26 12:03:17 p kernel: [ 7078.771405]  ffff8804268a9b0c ffff880426766000 00000000ffffffff ffff8804268a9b10

May 26 12:03:17  kernel: [ 7078.771406] Call Trace:

May 26 12:03:17 pkernel: [ 7078.771408]  [<ffffffff81730089>] schedule_preempt_disabled+0x29/0x70

May 26 12:03:17 pkernel: [ 7078.771409]  [<ffffffff81731ef5>] __mutex_lock_slowpath+0x135/0x1b0

 


how do i control sudo from my AD users


I'm using Centrify Express and I'm wondering how to totally control my AD users from being able to invoke sudo?

 

TIA,

--Sid

custom config file for mixed domain


Hello,

 

I am trying to join Linux hosts to an AD domain where I also have a local MIT Kerberos KDC and cross-domain trust configured.

 

I am setting

adjoin.krb5.conf.file: /home/ec2-user/krb5.conf

in /etc/centrifydc/centrifydc.conf to specify a custom Kerberos config file.

After joining the domain with:

sudo adjoin -u "${ADJOIN_USER}" -p "${ADJOIN_PASSWORD}" -c "${COMPUTER_OU}" -w "${DOMAIN}" --prewin2k "${PREWIN2K_HOSTNAME}"

no custom settings are being applied and the default Kerberos file is being used.

 

I'm using centrify-unix-config-guide for reference - is there something I am missing with this?

 

Thanks

Pete

Kerberos / admin accounts / O365


Hello

(This is not a Centrify-specific issue, but I hope you may be able to point me in the right direction).

We bind our Macs to AD using the Apple AD plugin, and all our staff and students log in using their AD accounts. We give admin rights to some users by using their AD account and mapping it to the OS X local admin group. We also subscribe to Office 365, and users are authenticated using PingFederate, from a cloud-based service. Therefore, we use SSO to allow access to 365 without requiring an additional login.

 

We have discovered a curious potential security hole. The scenario is as follows:

- Student Jane is logged in (AD user)

- Staff member Bob is helping her install some software, and enters his AD username/password in the Apple OS X dialog box that appears when dragging an application to /Applications.

- Student Jane opens her browser and goes to https://outlook.office365.com.

- Staff member Bob's email appears, not Jane's.

 

Looking in Ticket Viewer, Bob is listed as having a Kerberos ticket, but only after entering his username and password.

We have replicated this issue on 10.10.5 and 10.11.5.

 

So, my questions are:

a) Is there any way to not generate a Kerberos ticket in this scenario?

b) If we used Centrify to bind to AD, would the same issue arise?

c) If we used local admin user accounts, rather than AD accounts for administrative elevation, can we restrict these users from logging in, but still allow the account to be used when dialog boxes appear?

 

Many thanks, Rob

 

AD ID Unable to login via ssh - PAM: User account has expired


We are running CentrifyDC Express on SLES 11 Level 3. We have one client that is unable to log in with their AD credentials. When they try to log in, the following entries are in /var/log/messages.

 

Jun 7 09:03:03 servername sshd[12164]: pam_access(sshd:account): access denied for user `userid' from `desktoptop.our.organization.com'
Jun 7 09:03:03 auplif07 sshd[12159]: error: PAM: User account has expired for userid  from desktop.our.organization.com

Jun 7 09:03:03 auplif07 sshd[12159]: error: Received disconnect from 192.168.1.2: 14: No supported authentication methods available [preauth]

 

If we check adquery the ID is enabled for this server and the ID does not expire in AD.

# adquery user userid -A | grep -i expire
accountExpires:Never
passwordExpires:Sun Aug 7 08:31:30 2016
passwordWillExpire:60

 

 

 

AD ID Unable to login - PAM: User account has expired


CentrifyDC Express on SLES 11 Level 3 - We have one client who is unable to log in to this server. Other clients are able to log in fine. adquery returns good info for this client and they are able to log in to other servers.

 

accountExpires:Never
passwordExpires:Sun Aug 7 08:31:30 2016
passwordWillExpire:60

 

The system log file has some info on why the login failed, but we are unable to determine how to correct it.

error: PAM: User account has expired

pam_access(sshd:account): access denied for user

 

A zipped Centrify support file is attached.

How do we correct this?

 

[Admin Edit: attachment removed]
