Chrome on Mac - browser restart required

September 20, 2018, 1:27 pm

≫ Next: Centrify directory password report

≪ Previous: VMWare infrastructure web access, hyperlinks between vmware servers

This is more of an anoyance than a bug, but I thought there might be a solution?

I'm on latest OS X (10.13.6) with current Google Chome (69.0.3497.100). Everything works as it should, but if I remove my card, I need to completely restart my browser in order for things to work properly again.

With the default High Sierra smart card support this does not occur, but the default smart card support doesn't work with Kerberized SSH (KRB/OSSH). Centrify Express makes the kerberized SSH work and my card is always seen as a CACNG.

Is there any way to either (1) force Chrome to use the built-in High Sierra smart card support, or (2) get Chrome to work so that I don't have to restart my browser each time I remove my card?

↧

Centrify directory password report

December 12, 2018, 12:32 pm

≫ Next: Sync AD info with Linux clients

≪ Previous: Chrome on Mac - browser restart required

I am trying to create a report that shows all user accounts from the Centrify Directory and when their password was set. Is there a data dictionary that give you the date of password change?

↧

Sync AD info with Linux clients

December 13, 2018, 12:55 pm

≫ Next: After installing centrify express on Linux servers, all AD users are able to login-how to restrict?

≪ Previous: Centrify directory password report

Hello All,

I have a fundamental question to ask. I am using Centrify express to join my linux systems to AD. I have recently created new groups in AD. I need to use these groups on my linux clients now. Is there any default sync interval for the Linux clients to get this updated info from AD ? OR Is there any command to refresh the AD data on the clients ?

i was looking at the Centrify-Server-Suite-Cheat-Sheet and as per it, should i start by using adquery to query the group ?

Thanks in advance

Neeraj

↧

After installing centrify express on Linux servers, all AD users are able to login-how to restrict?

January 2, 2019, 11:02 am

≫ Next: Centrify-Express and Redhat rhel 7.4

≪ Previous: Sync AD info with Linux clients

After installing centrify express on Linux servers, all AD users on our domain are able to login to the Linux servers. How do I restrict the logins only to the members of the Security Group "AllowLogin" ?

↧

Centrify-Express and Redhat rhel 7.4

January 25, 2019, 4:29 pm

≫ Next: centrify loses account

≪ Previous: After installing centrify express on Linux servers, all AD users are able to login-how to restrict?

Does Centrify-Express compatible with Redhat 7.4? I couldn't get it to install successfully. Here is centrifydc-install.log.

install.sh ************** rev = 18.11 (5.5.2-546) *****************
Fri Jan 25 14:24:37 PST 2019
INFO: found /etc/os-release:
NAME="Red Hat Enterprise Linux Server"
VERSION="7.4 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.4"
PRETTY_NAME="Red Hat Enterprise Linux"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.4:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.4"

INFO: TARGET_OS=linux
INFO: OS_REV=rhel7
INFO: ARCH=x86_64
INFO: Express mode is supported
INFO: script_name=install.sh
INFO: current umask: 0022
INFO: CentrifyDC-openssl is supported
INFO: CentrifyDC-openldap is supported
INFO: CentrifyDC-curl is supported
INFO: CentrifyDC-ldapproxy is supported
INFO: CentrifyDC-nis is supported
INFO: CentrifyDC-cifsidmap is supported
INFO: CentrifyDC-openssh is supported
INFO: CentrifyDA is supported

install.sh: is_installed:
package CentrifyDC is not installed
package CentrifyDC-openssl is not installed
package CentrifyDC-openldap is not installed
package CentrifyDC-curl is not installed
package CentrifyDC-ldapproxy is not installed
package CentrifyDC-nis is not installed
package CentrifyDC-cifsidmap is not installed
package CentrifyDC-openssh is not installed
package CentrifyDC-krb5 is not installed
package CentrifyDC-web is not installed
package CentrifyDC-apache is not installed
package CentrifyDC-samba is not installed
package CentrifyDC-idmap is not installed
package CentrifyDC-adbindproxy is not installed
package CentrifyDC-db2 is not installed
package CentrifyDA is not installed
package CentrifyDS is not installed

install.sh: search_adcheck:
... found

Running ./adcheck-rhel5-x86_64 ...

WARNING: Centrify adcheck exited with warning(s).

install.sh: do_suite_prompt:

INFO: Silent mode settings:
CDC_VER=5.5.2
ADCHECK=N
ADJOIN=N
ADJ_LIC=
ADJ_FORCE=N
ADJ_TRUST=N
DOMAIN=company.com
USERID=admin
PASSWD=********
COMPUTER=sc12xx
"/var/log/centrifydc-install.log" 929L, 26714C

↧

centrify loses account

February 1, 2019, 9:01 am

≫ Next: Is centrify express still available?

≪ Previous: Centrify-Express and Redhat rhel 7.4

I have an issue where a user is unable to login to a the linux server. adinfo shows its connected and enabled, lone is auto zone. if I do a adquery user, it will pull all the users except this one user. I do an adflush, then another adquery user, it will pull all the users and this time that one user will appear. In a random time, that user will again disapear from the query. It seems to be only that server and only that user. I hope I explained it so someone can understand. Any Ideas?

↧

Is centrify express still available?

February 4, 2019, 9:58 am

≫ Next: GSSAPI authentication works on one machine, but not on three (almost) exact clones

≪ Previous: centrify loses account

When I go to the link:
https://www.centrify.com/express/

I get redirected to a different page.

Is centrify express discontinued?

Thanks.

↧

GSSAPI authentication works on one machine, but not on three (almost) exact clones

February 7, 2019, 3:32 am

≫ Next: What does the error "This machine's subnet is not known by AD." actually mean?

≪ Previous: Is centrify express still available?

I have four machines running Centrify Express (DC 5.5.1, stock SSH under updated CentOS 7). One machine was properly installed, configured adn added to the domain and autozone, the other three are clones in which the hostnames and IPs were changed after which they were a(re)dded to the domain and autozone. The original machines nicely uses SSO through GSSAPI. The other three keep asking for a password. As said, ssh_config and sshd_config are identical. Any pointers on how to troubleshoot this?

↧

What does the error "This machine's subnet is not known by AD." actually mean?

February 21, 2019, 8:28 am

≫ Next: AD user primary group

≪ Previous: GSSAPI authentication works on one machine, but not on three (almost) exact clones

I'm getting this error on only two machines out of ten. The machines are all based on a standard image, are all getting addresses from DHCP, and I can't see any difference in their network settings on the computers themselves.

On the machines that are failing, the only error in the trace is this:

ADSITE : Check that this machine's subnet is in a site known by AD : Failed
: This machine's subnet is not known by AD.

The problem is I don't know what that actually means, because the same AD and the same subnet are not an issue for other computers.

Obviously there must be something different, but I have no idea where to even start looking.

↧

AD user primary group

February 25, 2019, 7:20 am

≫ Next: Local linux login

≪ Previous: What does the error "This machine's subnet is not known by AD." actually mean?

I need to change the local primary group of a couple of AD service accounts. Changing the primary group in AD is not an option. I've read some previous posts and found this to be the most promising. https://community.centrify.com/t5/Centrify-Express/Map-AD-group-to-local-Linux-group-with-Centrify-Express-and-make/m-p/5101/highlight/true#M2270

Has anyone had success doing this?

This functionality is not available in the free version of Centrify, correct?

↧

Local linux login

February 27, 2019, 6:15 am

≫ Next: Mojave SafeNet Centrify working for AD accounts but not for PKI cards

≪ Previous: AD user primary group

Is it possible to login to a local version of an account once a server is "Centrified" into an AD domain?

If not, is it possible to temporarily pause/disable the Centrify service so authentication is local and not against AD?

↧

Mojave SafeNet Centrify working for AD accounts but not for PKI cards

March 15, 2019, 5:28 am

≫ Next: SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been gr

≪ Previous: Local linux login

Mojave 10.14.3, fresh installl, no other applications installed
i have installed Centrifydc-5.5.1-mac10.1.dmg
i have installed Safenet 10.2
AD Domain Controller Server 2016 running in 2008 mode
Safenet Authentication Manager 9.0
this has been working with El Capitan for about 2 years very successfully
this is not working with Mojave,
i can bind the Mojave workstation with Centrify to the AD DC
i can login with any AD account with the correc t password,
when i put the PKI card in at the login window it prompts me for my PIN.
This PKI card works on all the El capitan workstations with the PIN entered correctly.
when i put the PIN in Mojave the login screen just shakes at me.
we have tried to look through all the Event logs in the AD DC, but they indicate no problems but no events.
i have contacted Safenet and sent them all the logs they requested, they can see no problem with their product.
i believe the Mojave operating system is accessing the card, but then it doesn't request the ticket from the AD DC target.

Do i need to install Safenet in Mojave? if not, how do i get the Smart Card services to access the card?

any advice would be appreciated

↧

SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been gr

March 22, 2019, 2:06 am

≪ Previous: Mojave SafeNet Centrify working for AD accounts but not for PKI cards

I try to set up a new department server using Ubuntu Bionic Beaver.

The fileserver part is supposed to serve files for windows machines, and integrate in the company network which uses Active Directory.

So we installed samba, the centrify express agent for ubuntu, and the debian integration with samba package from

https://www.centrify.com/express/linux/download-files/?_ga=2.46390703.949394481.1553244143-2113436499.1546513343#accordion-download-express-02

It almost works. With my account everything is fine. But if I try any other account, I get the following error:

~$ smbclient -L hugo -U qdm1.arad -d3
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface ens160 ip=192.168.170.140 bcast=192.168.170.255 netmask=255.255.255.0
Client started (version 4.7.6-Ubuntu).
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
resolve_lmhosts: Attempting lmhosts lookup for name hugo<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name hugo<0x20>
Connecting to 192.168.170.140 at port 445
got OID=1.2.840.48018.1.2.2
Enter SYSTRONICS\qdm1.arad's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
SPNEGO login failed: {Access Denied} A process has requested access to an object but has not been granted those access rights.
session setup failed: NT_STATUS_ACCESS_DENIED

After rerunning adbindproxy.pl, other accounts work for a while, but revert to this error after some time.

Any idea what might cause this?

↧