Channel: Centrify Express topics
Viewing all 473 articles

limit access to a RHEL 7 server with an AD group using centrify express


What is the easiest way to use Centrify Express to control access to a RHEL 7 server, limiting it to certain AD groups?


CAC card reader no longer working with Mac High Sierra 10.13.6


I've had no issues with my CAC reader/access until today. I am using a SCR3310 v2.0, Mac High Sierra 10.13.6 and Centrify Smart Card Assistant 5.4.2. In Keychain, I already deleted all websites with an Identity Preference and all DoD certs. New DoD certs were installed via MilitaryCAC.com.

In Centrify, the card status never gets past "Authentication attempts remaining: 2."

Thank you for any help you can provide.

Below is the log file from Diagnostics (I've removed email addresses below):

 

Smart card: VERGA.JARED.MICHAEL.1249313420
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
Not valid before: Mon Nov 11 09 16:13:56 2015 UTC
Not valid after: Tue Nov 11 09 16:13:56 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
Email Address: 
NT Principal Name: 1249313420@mil
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Signature verification failed: Unknown PKCS#1 padding type 0x45
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Private key encryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Public key decryption failed: Unknown PKCS#1 padding type 0x1f
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USN/CN=VERGA.JARED.MICHAEL.1249313420
Email Address: 
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Wed May 05 24 00:00:00 2017 UTC
Not valid after: Sat May 05 23 23:59:59 2020 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.39,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 3
Not valid before: Tue Mar 03 20 18:46:41 2012 UTC
Not valid after: Sun Dec 12 30 18:46:41 2029 UTC
This certificate is valid
This certificate is trusted by the domain
** This certificate cannot be used for pkinit

Mojave client free download support

A login suffix with the name already exists. Please enter a new name and try again


Hello all members,

I do not know who registered my domain in Centrify SaaS, or how to retrieve it.

I do not know the admin account, nothing.

I only have access to my DNS.

How should I proceed?

Can't log in using a domain user


Hi,

I'm having trouble logging users in with centrifyad against a Samba AD.

I can't log in or su as those users.

- adinfo -m shows connected

- adinfo (CentrifyDC 5.5.1-400)

- Linux Debian 9.5 Cinnamon

- adquery user domain_user -A

samAccountName:domain_user
displayName:domain_user
sid:S-1-5-21-543736460-3497894086-1236349235-1107
userPrincipalName:domain_user@domain.lan
canonicalName:domain.lan/domain/diretoria/domain_user
passwordHash:x
guid:e8585021-56bf-4782-9d3f-fabd430ec4d2
accountExpires:Never
passwordExpired:false
passwordExpires:Never
passwordWillExpire:-2
nextPasswordChange:Fri Sep 28 14:07:51 2018
lastPasswordChange:Tue Sep 25 14:07:51 2018
accountLocked:false
accountDisabled:false
requireMfa:false
zoneEnabled:false
memberOf:domain.lan/Users/Domain Users,domain.lan/domain/diretoria/diretoria

 

root@efi-cli-01:/home/administrator# adinfo --diag
adinfo (CentrifyDC 5.5.1-400)

Host Diagnostics
uname: Linux efi-cli-01 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64
OS: Debian
Version: 9.0
Number of CPUs: 4

IP Diagnostics
Local host name: cli-01
Local IP Address: xxx.xxx.xxx.xxx
Not found in DNS! Make sure it is in the Reverse Lookup Zone.
FQDN host name:cli-01 (domain missing?)

Domain Diagnostics
Domain: domain.lan
Subnet site: Default-First-Site-Name
DNS query for: _ldap._tcp.domain.lan
Found SRV records:
efi-srv-ad.efiltros.lan:389
Testing Active Directory connectivity:
Domain Controller: efi-srv-ad.domain.lan
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller: efi-srv-ad.domain.lan:389
Domain controller type: Windows 2008 R2
Domain Name: DOMAIN.LAN
isGlobalCatalogReady: TRUE
domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
Forest Name: DOMAIN.LAN
DNS query for: _gc._tcp.DOMAIN.LAN
Testing Active Directory connectivity:
Global Catalog: efi-srv-ad.domain.lan
gc: 3268/tcp - good
Domain Controller: efi-srv-ad.domain.lan:3268
Domain controller type: Windows 2008 R2
Domain Name: DOMAIN.LAN
isGlobalCatalogReady: TRUE
domainFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
forestFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
domainControllerFunctionality: 4 = (DS_BEHAVIOR_WIN2008_R2)
Forest Name: DOMAIN.LAN

Retrieving zone data from domain.lan

Could not get domain RIDs from adclient: Bad data

Computer Account Diagnostics
Joined as: cli-01.domain.lan
Trusted for Delegation: false
Use DES Key Only: false
Key Version: 4
Service Principal Names: cifs/cli-01
cifs/cli-01.domain.lan
ftp/cli-01
ftp/cli-01.domain.lan
host/cli-01
host/cli-01.domain.lan

Supported Encryption Type(s): DES-CBC-CRC
DES-CBC-MD5
RC4-HMAC
AES128-CTS-HMAC-SHA1-96
AES256-CTS-HMAC-SHA1-96

Operating System Version: 6.1:9.0


System Diagnostic
Failed to get sysinfo from adclient.


Centrify DirectControl Status
Running in connected mode

Licensed Features: Disabled

 

When I try to su domain-user I get:

No passwd entry for user 'domain-user'

 

Machines joined to the domain without Centrify show different UID/GID


Hello,

We have a bunch of CentOS machines joined to the domain using sssd/winbind that have been working. One of these hosts is a file server. We decided to add the Linux desktops, all running Ubuntu, to the domain and had issues. This is when we found Centrify. This worked in adding the machines, but the UIDs and GIDs are different. For example, two machines pulling down info for a Windows group:

Ubuntu:

getent group domain_secure_high
domain_secure_high:x:1308624036:

CentOS:

getent group domain_secure_high
domain_secure_high:*:79801188:

This is obviously causing a permission nightmare. Is there any way to match these up? I have tried group.ovr, but that seems to only work with local groups? It did nothing for me.

AD group issue with Centrify Express


I have Centrify Express (CentrifyDC 5.5.0-200) installed on several servers. On some of the servers, when I issue this command:

    adquery group database_administrators

I get back the group name, its ID number and members. On other servers, when that command is issued, I get this response instead:

    database_administrators is not a zone group

All servers are running the same version (listed above); all info from adinfo --server, --version, etc. is the same; I have done an adreload and adflush, as well as left and rejoined the domain. The end result is the above "not a zone group" message.

Why does this work on some servers but not others? I am guessing something is amiss, but with the things I have looked at so far, I haven't been able to determine what or where. Has anyone run into this? Any ideas on what needs updating/fixing would be appreciated.

 

compatibility with OS X Mojave ?


Apparently, upgrading my Mac Mini from High Sierra to OS X "Mojave" has broken my Centrify A.D. connection and software compatibility.

Is there an updated version compatible with Mojave that anyone here might know of?

Thanks.

 


Unable to log in with CAC on Mac High Sierra 10.13.6


Hi,

I am unable to log in to the sites I need via my card reader. I have tried on both Chrome and Safari. The military login site gives an error of "No Client Certificate presented".

I have removed the built-in CAC enabler for High Sierra as suggested on another website, so only Centrify remains (or at least I think I have).

First, I noticed that the Diagnostics instructions say to open Keychain and make sure the smart card reader is there. I don't see the smart card reader in there anywhere, but the status in Centrify does say "Authentication Attempts Remaining: 3". Is there something I need to do to get it into Keychain? Or perhaps I'm not looking for the right thing in Keychain.

Any help is greatly appreciated!

I ran diagnostics and here is my log:

 

Smart card: THOMPSON.ROBERT.EARON.116531080
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=THOMPSON.ROBERT.EARON.1165310809
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Thu Jun 06 07 00:00:00 2018 UTC
Not valid after: Mon May 05 20 23:59:59 2019 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
Not valid before: Mon Nov 11 09 16:13:56 2015 UTC
Not valid after: Tue Nov 11 09 16:13:56 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41 not found
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=THOMPSON.ROBERT.EARON.1165310809
Email Address: robert.e.thompson202.mil@mail.mil
NT Principal Name: 1165310809@mil
Not valid before: Thu Jun 06 07 00:00:00 2018 UTC
Not valid after: Mon May 05 20 23:59:59 2019 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41 not found
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Signature verification failed: Unknown PKCS#1 padding type 0x1d
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Private key encryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Public key decryption failed: Unknown PKCS#1 padding type 0xad
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=THOMPSON.ROBERT.EARON.1165310809
Email Address: robert.e.thompson202.mil@mail.mil
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
Not valid before: Thu Jun 06 07 00:00:00 2018 UTC
Not valid after: Mon May 05 20 23:59:59 2019 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.39,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
Not valid before: Mon Nov 11 09 16:05:27 2015 UTC
Not valid after: Tue Nov 11 09 16:05:27 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41 not found
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=THOMPSON.ROBERT.EARON.1165310809
NT Principal Name: 1165310809121004@mil
Not valid before: Thu Jun 06 07 00:00:00 2018 UTC
Not valid after: Mon May 05 20 23:59:59 2019 UTC
This certificate is valid
Policies specified: .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13,
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
Not valid before: Mon Nov 11 09 16:13:56 2015 UTC
Not valid after: Tue Nov 11 09 16:13:56 2021 UTC
This certificate is valid
This certificate is trusted by the domain
Policies specified: .2.16.840.1.101.2.1.11.36, .2.16.840.1.101.2.1.11.39, .2.16.840.1.101.2.1.11.42, .2.16.840.1.101.3.2.1.3.13, .2.16.840.1.101.3.2.1.3.17,
Require Explicit Policy at depth 0
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41 not found
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Signature verification failed: Unknown PKCS#1 padding type 0xc3
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Private key encryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
** Public key decryption failed: Unknown PKCS#1 padding type 0xc3
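The Smart Card Assistant logs in this post and in the High Sierra post earlier on the page have the same layout, so here is one added triage script for both. It is not part of the original posts or of Centrify's tooling. It groups the output into one record per certificate and pulls out the three things that decide whether the card can authenticate a user: which certificate carries an NT Principal Name (the AD account it maps to), whether the assistant could find the issuer certificate for the chain, and whether the on-card private-key tests (signing, decryption) passed. SAMPLE_LOG is a constructed log in the posted format with made-up names and identifiers; the function names are this example's own.

```python
"""Added example (not from the original posts or from Centrify): triage the
Smart Card Assistant diagnostic output. SAMPLE_LOG is constructed in the
same layout as the posted logs, with made-up names and identifiers."""
import re

SAMPLE_LOG = """\
Smart card: DOE.JANE.Q.1234567890
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=DOE.JANE.Q.1234567890
** This certificate has no NT Principal Name
** This certificate has not been mapped to any user
This certificate is valid
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD ID CA-41
This certificate is valid
** This certificate cannot be used for pkinit
Certificate: /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=USA/CN=DOE.JANE.Q.1234567890
NT Principal Name: 1234567890@mil
This certificate is valid
Issuer: /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41
** Could not get issuer certificate: Issuer certificate for /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD EMAIL CA-41 not found
This certificate can be used for pkinit, testing:
** Data signing failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
Public key encryption succeeded
** Private key decryption failed: CSSM_DecryptData failed: CSSMERR_DL_INTERNAL_ERROR
"""


def parse_log(text):
    """Split the assistant output into the card name and one dict per certificate.

    Every "Certificate:" line opens a new record; "Issuer:" lines inside it
    are the chain the assistant walked, and lines starting with "** " are the
    checks that failed for that certificate."""
    card, certs, cur = None, [], None
    for line in text.splitlines():
        if line.startswith("Smart card: "):
            card = line[len("Smart card: "):]
        elif line.startswith("Certificate: "):
            cur = {"subject": line[len("Certificate: "):], "npn": None,
                   "issuers": [], "problems": [], "pkinit_tested": False}
            certs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("NT Principal Name: "):
            cur["npn"] = line[len("NT Principal Name: "):]
        elif line.startswith("Issuer: "):
            cur["issuers"].append(line[len("Issuer: "):])
        elif line.startswith("This certificate can be used for pkinit"):
            cur["pkinit_tested"] = True   # the key tests that follow belong to this cert
        elif line.startswith("** "):
            cur["problems"].append(line[3:])
    return card, certs


def triage(text):
    """Reduce the parsed log to the findings that matter for a logon."""
    card, certs = parse_log(text)
    findings = []
    logon_candidates = [c for c in certs if c["npn"]]
    if not logon_candidates:
        findings.append("no certificate carries an NT Principal Name: nothing maps to an AD account")
    for c in certs:
        for p in c["problems"]:
            m = re.search(r"Issuer certificate for (.+) not found", p)
            if m:
                findings.append(f"issuer not in keychain: {m.group(1)}")
        if c["pkinit_tested"]:
            key_fail = [p for p in c["problems"] if "failed" in p]
            if key_fail:
                findings.append(f"private-key test failed for {c['npn'] or c['subject']}: {key_fail[0]}")
    return {"card": card, "certificates": len(certs),
            "logon_candidates": [c["npn"] for c in logon_candidates],
            "findings": sorted(set(findings))}


if __name__ == "__main__":
    import json
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(triage(text), indent=2))
```

Feed a real log on stdin (python3 cac_triage.py < diag.txt). Read the findings in order: a "not found" issuer line means the assistant could not locate that CA certificate in the keychain, so the chain from the leaf to the trusted root is incomplete even though each leaf is reported valid on its own; the CSSMERR_DL_INTERNAL_ERROR lines mean the card refused the private-key operations, which the script reports but cannot explain from the log alone.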

 

 

 

Default color settings to b/w from Windows Print server


In Windows Server Print Management on our print server we've changed the default color to black/white, under Set Printing Defaults. But it doesn't sync/propagate to the Macs, even though all Windows devices behave properly. How do we solve this? I've been browsing the World Wide Web for a while now without finding anything.

In short, we want all users to have b/w as the default color setting, but be able to change it when they need to print in color.

Thanks.

We use CentrifyDC 5.5.1.

 

 

"Other..." Login button does not show on login screen After upgrade to Mojave.


Hi Community,

I have a group of Macs that were running High Sierra.

I used to be able to turn a Mac on and it would come up with the "Other..." button at startup, so I could log in using my domain credentials.

I upgraded CentrifyDC to version 5.5.1 and upgraded to OS X Mojave version 10.14.1.

Now when the Mac starts up, I can only see the local user to log in as.

If I log in as a local user and then log out again, the "Other..." button reappears and I can then log in on the domain.

Any ideas how to resolve this strange issue?

Many thanks!

RHEL6 "Switch User" in GUI environment does not work after Centrify Express install


Hello,

I installed Centrify Express on two of my RHEL 6 systems. I joined the domain successfully, and after I log on, I tried to "Switch User" via the GUI, but this does not work.

I also tried this under the root login, and still clicking on the "Switch User" button does not do anything.

Could you please advise what else needs to be modified for this to work properly?

Thank you.

express


Hi, I have a new CAC and keep getting the ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED message when I attempt to sign in to My Navy Portal. I have all the certificates installed and trusted and have run a diagnostic in Centrify Smart Card Assistant, though I'm not sure how to read it. I am running Mac OS X Yosemite 10.10.2.

Please help!!

Limit ssh login access to specific Windows AD user groups


How do you limit access to Linux servers after an Express install?

My entire AD, all 200 users, is able to log in using AD credentials.

I only want certain Windows AD groups to be able to log in to the Linux server I installed Centrify Express on.

How can this be achieved?
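This post and the first one on the page ("limit access to a RHEL 7 server with an AD group using centrify express") ask the same question, so here is one added example for both; it is not from the posts or from Centrify. Centrify Express has no role assignments to scope logins with, but the agent honours the pam.allow.groups parameter in /etc/centrifydc/centrifydc.conf: once it is set, only AD users who belong to a listed group get past pam_centrifydc. The functions below set that parameter in place. The file path and the adreload command are Centrify's defaults; the group names and the function names are this example's own, and CONF can be pointed at a scratch copy to try the edit safely.

```shell
#!/bin/sh
# Added example (not from the original posts or from Centrify): restrict
# which AD groups may log in through a Centrify Express agent by setting
# pam.allow.groups in centrifydc.conf. Assumes Centrify's default path for
# the file and that `adreload` makes adclient re-read it. CONF may be
# overridden to work on a copy.
CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"

# set_conf_key KEY VALUE [FILE]: define KEY exactly once in FILE, replacing any
# existing active or commented-out definition (the stock file ships most
# parameters commented out with a leading '#').
set_conf_key() {
    key="$1"; value="$2"; file="${3:-$CONF}"
    tmp="$(mktemp)"
    # keep every line except definitions of this key, then append ours
    grep -v "^#*[[:space:]]*${key}[[:space:]]*:" "$file" > "$tmp" || true
    printf '%s: %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"   # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# get_conf_key KEY [FILE]: print the active value of KEY (empty if unset).
get_conf_key() {
    key="$1"; file="${2:-$CONF}"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$file" | tail -n 1
}

# restrict_logins_to_groups "grp1, grp2" [FILE]: only members of the listed
# AD groups pass pam_centrifydc. Write each name the way `adquery group`
# reports it. Local accounts from /etc/passwd never reach this allow list.
restrict_logins_to_groups() {
    set_conf_key pam.allow.groups "$1" "${2:-$CONF}"
}

# Typical use on the server (as root), then reload the agent:
#   restrict_logins_to_groups "linux_admins, dba"
#   adreload
```

Run it as root, then adreload so adclient re-reads the file, and test with an AD account outside the listed groups before closing your own session. This gates only what passes through pam_centrifydc: local accounts are unaffected, and sshd's own AllowGroups is an independent check worth setting as well on a host that is only reached over SSH.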

Account Privileges


Good day! How can I download Centrify DirectManage ?


Centrify Express installation fails with AD subnet error


Hi!

I've been trying to install Centrify Express on one of my Ubuntu hosts for quite some time now. Somehow, the Deployment Manager always gives me an error about the AD subnets. (https://imgur.com/a/UdZC2hM)

However, from the Sites and Services console I can see that the subnets have indeed been properly configured. (https://imgur.com/a/DBqSCuh)

What could be causing this? I'm running Ubuntu Server 18.04 on the Linux side and a Windows Server 2019 DC with 2016 functional level.

dzdo


Hi all,

We need to provide root access to technical users to perform application setup.

We would like to check the feasibility of providing privileged access to a user with dzdo such that the access is revoked after a certain time.

Suppose we provide root access to a technical user through dzdo; the privileged access should expire after 7 days or 10 days.

Regards,

NK

UID & GID Mapping on Centrify


Currently I'm using Centrify for AD authentication on Linux servers. I need to get a list of all the UIDs and GIDs associated with Centrify, and is there any documentation on how UIDs and GIDs are mapped between AD and the Linux servers?
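This post and the earlier "Machines joined to the domain without centrify showing different uid/gid" post both come down to how an AD object turns into a Unix ID, so here is one added example for both. It is not from the posts, from Centrify or from sssd. It decodes the two GIDs posted for domain_secure_high (1308624036 on the Ubuntu/Centrify host, 79801188 on the CentOS host) and shows that both agents start from the same AD RID and differ only in the per-domain prefix they add, which is why the numbers never line up across hosts. Assumptions, also marked in the code: the CentOS value fits sssd's documented default SID-to-ID mapping (id = ldap_idmap_range_min + slice * ldap_idmap_range_size + RID, both defaults 200000; winbind's idmap_rid/autorid and non-default ranges lay IDs out differently); the Centrify value fits a layout with the RID in the low 22 bits under a domain prefix, which is a split checked against the posted number rather than taken from Centrify documentation; the SID is constructed for the example with RID 1188.

```python
"""Added example (not from the original posts, Centrify or sssd): decode
the two GIDs posted for one AD group to show both embed the same RID.

Assumptions (see the lead-in): sssd default id-mapping ranges; Centrify
Auto Zone keeping the RID in the low 22 bits; a constructed SID."""

SSSD_RANGE_MIN = 200_000    # sssd default ldap_idmap_range_min (assumed unchanged)
SSSD_RANGE_SIZE = 200_000   # sssd default ldap_idmap_range_size (assumed unchanged)
CENTRIFY_RID_BITS = 22      # assumption: Auto Zone puts the RID in the low 22 bits

EXAMPLE_SID = "S-1-5-21-1000000001-1000000002-1000000003-1188"   # constructed, RID 1188


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID such as S-1-5-21-...-1188."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def decode_sssd_id(unix_id: int) -> dict:
    """Split an sssd-mapped ID into the slice sssd chose for the domain and the RID.

    sssd picks the slice by hashing the domain SID, so two domains, or the
    same domain on hosts with different idmap settings, land in different
    slices; the RID survives unchanged in the low part."""
    if unix_id < SSSD_RANGE_MIN:
        raise ValueError("below the mapped range: a local account or an explicit POSIX ID")
    offset = unix_id - SSSD_RANGE_MIN
    return {"slice": offset // SSSD_RANGE_SIZE, "rid": offset % SSSD_RANGE_SIZE}


def decode_centrify_id(unix_id: int) -> dict:
    """Split a Centrify Auto Zone ID into a domain prefix and the RID (22-bit assumption)."""
    mask = (1 << CENTRIFY_RID_BITS) - 1
    return {"prefix": unix_id >> CENTRIFY_RID_BITS, "rid": unix_id & mask}


def explain_mismatch(sid: str, centrify_id: int, sssd_id: int) -> dict:
    """Report whether two differing Unix IDs still refer to the same AD object."""
    rid = rid_from_sid(sid)
    c, s = decode_centrify_id(centrify_id), decode_sssd_id(sssd_id)
    return {
        "rid": rid,
        "centrify_prefix": c["prefix"],
        "sssd_slice": s["slice"],
        "same_object": c["rid"] == rid == s["rid"],
    }


if __name__ == "__main__":
    # The two values from the post: Ubuntu (Centrify) versus CentOS (sssd).
    print(explain_mismatch(EXAMPLE_SID, 1308624036, 79801188))
```

For the posted group the decode gives RID 1188 on both sides, a Centrify prefix of 312 and an sssd slice of 398. Because each agent adds its own domain-specific prefix, no per-host tweak of one side makes the numbers agree; both agents have to derive IDs from the same source, for instance explicit POSIX attributes stored in AD, which sssd reads when ldap_id_mapping is turned off. To list what the Centrify agent currently assigns, adquery user and adquery group without a name argument enumerate the users and groups visible to the host.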

Centrify Express and Samba -- migrated to new domain


Hello everyone,

We have a server running Centrify Express and Samba. After migrating the server to a new domain (which ran without any issues; the server is happily a member of the new domain), winbindd crashes on startup with the following error: Could not fetch our SID - did we join?

-- log.winbindd logs --

[2018/12/06 07:35:25.844382, 0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=1)
[2018/12/06 07:35:26, 0] winbindd/winbindd.c:1354(main)
winbindd version 3.6.22-cdc-4.5.7-403 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
[2018/12/06 07:35:26.318376, 0] winbindd/winbindd_cache.c:3169(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2018/12/06 07:35:26.321088, 0] winbindd/winbindd_util.c:635(init_domain_list)
Could not fetch our SID - did we join?
[2018/12/06 07:35:26.321252, 0] winbindd/winbindd.c:1114(winbindd_register_handlers)
unable to initialize domain list

 

I was hoping someone might be able to point me in the right direction to fix this.

Thanks,

Jim

 

VMWare infrastructure web access, hyperlinks between vmware servers


We are using multiple VMware servers, each hosting several VMware images/instances. Each department uses its own VMware server. The VMware instances are always accessed through the "VMware Infrastructure Web Access" web page, from the Console tab panel. The VMware servers are plain Windows servers (nothing fancy).

Now it turns out that some of these VMware images are useful for multiple departments. Of course, we considered copying these images, distributing them to all VMware servers and hosting the same image multiple times.

But we would in fact prefer to host only one copy of each instance, while still having all images accessible from one web page. Merging them onto one server is of course impossible (performance-wise).

So this got me wondering: perhaps there is a way to create hyperlinks within the VMware web access portal to VMware instances that are actually hosted on a different server. They would appear to all be on the same server but in fact be distributed.
