Channel: Centrify Express topics

Updating Expired PIV Certificates


I recently had to update my expiring certificates on my PIV card. After the update, I was able to use the PIV card to authenticate on Windows machines, but my Mac still shows only the expired certificates in Keychain under "PIV-XXXXX" in the upper left-hand corner of Keychain.

 

I have tried the following:

 

1) Followed the instructions to "Download Intermediate Certificates into Keychain", based upon the advice in other posts.  However, this did not enable the new PIV certificates to appear.

2) Uninstalled and reinstalled Centrify Express.

3) Ran diagnostics ... this just verified that the certificates that my Mac sees are all expired. It doesn't seem to be able to pick up the new certificates from the card.


Mac OS X Sierra. Should I choose CAC or PIV?


After upgrading to Sierra, while I still had an older version of Express, it asked if I wanted to set up my system for CAC, CACNG, or PIV. If I chose PIV, will that screw up my system? Can I change that choice? I've since updated Express after following all of the clean uninstall instructions, but I was never asked again what the choice was for the system.

 

I've noticed a few strange behaviors: when asked to access my login keychain (to save a new password), if my card is in the reader, my username is greyed out and my password doesn't work. I pull the card out and it works. Also, in my login screen, I believe it says PIN instead of password if my card is in the reader. This makes me believe the system is set up for PIV.

 

I'm not sure if this is the problem, but I can't access many any CAC-enabled DOD sites. I also noticed that I don't have a SystemCACertificates.keychain. I've associated my problems with this missing keychain, but now I'm wondering if I screwed up my system by selecting PIV. I saw another post asking about the SystemCACertificates keychain, so if someone has a solution to that problem, look for that thread instead.

 

Thanks for your help!

 

 

 

 

How to configure Kerberos using Centrify for security


I need to set up NameNode HA and Kerberos using Centrify on Hortonworks...

Can anyone help me by giving links or steps to configure Kerberos with Centrify on Hortonworks?

SystemCACertificate.keychain not showing up on macOS Sierra

Unable to login after uninstalling Centrify


I installed Centrify Express on a RHEL 6.7 machine and uninstalled it because Red Hat wouldn't support it. Now I cannot log in as root via ssh; I get access denied. I also attempted to log in from the server console and get the same error. Please help.

adbindd is dying when using Centrify enabled Samba


I recently upgraded all of our servers to Ubuntu 16.04 and I'm using the Express version of Centrify Suite 2016 along with Centrify enabled Samba.  I'm noticing that after a few days, adbindd dies on our systems and I must restart centrifydc-samba in order to get Samba shares working again.  I can't find anything obvious in the logs as to why adbindd service stops, but it's happening on all servers with Ubuntu 16.04. 

 

A few days after restarting centrifydc-samba, users report not being able to connect to network shares.  When this happens I observe the following:

 

/etc/init.d/centrifydc-samba status
nmbd (pid 2298) is running...
winbindd (pid 2679 2348 2345 2318 2313) is running...
adbindd is stopped
smbd (pid 18973 18765 2689 2336 2329) is running...

 

Has anyone seen this behavior?

 

 

Here's some basic info:

 

adinfo -V

root@db-accu-1:/etc/init.d# adinfo -V
Options:
-------
task: all
domain: null
output: null
additional paths: null
user: null
using user's credential cache: No
allow password prompt in kerberos get init credential: Yes
user's credential cache: null
server: null
Local host name: db-accu-1
Joined to domain: ad.finrcvgrp.com
Joined as: db-accu-1.ad.finrcvgrp.com
Pre-win2K name: db-accu-1
Current DC: marge-backup.ad.finrcvgrp.com
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Retrieving site information from site=any, server='marge-backup.ad.finrcvgrp.com'
Using machine credentials
Using principal name 'db-accu-1$@AD.FINRCVGRP.COM'
Binding to ad.finrcvgrp.com, cache=MEMORY:0xe86ac0
Searching for (&(samAccountName=db-accu-1$)(objectClass=computer))
in dc=AD,dc=FINRCVGRP,dc=COM
Found computer account: CN=db-accu-1,CN=Computers,DC=ad,DC=finrcvgrp,DC=com
Last password set: 2016-10-18 18:02:33 EDT
CentrifyDC mode: connected
Licensed Features: Disabled

 

adbindd -v
adbindd Version 1.1 (CentrifyDC-adbindproxy 5.3.0-504)

 

smbd -V
Version 4.3.11-Ubuntu

 

 

Does Centrify DirectManage Express work with Redhat 6.8


Does Centrify DirectManage Express work with Red Hat 6.8?

Most of my Red Hat servers are running 6.8.

Thanks, I am going to be a brand new customer of Centrify on my RHEL server.

 

Michael....

Cannot access Enterprise Webmail with my CAC card


Hello,

 

I am trying to access Enterprise Webmail on my Mac, with no success. I am running Mac OS Sierra 10.12, Centrify Express for the 10.12 upgrade, and have tried in both Safari and Chrome. I have uninstalled Centrify, I have cleaned out the tokend, I have re-installed the DOD certs, and I have exposed my PIV (I am dual persona). My Mac is reading the CAC card reader, but regardless, when I access web.mail.mil, it takes me to the BIG IP logout page.


Thank you for your help.


Program logout due to Centrify Express


Our customer is using a single sign-on tool on OS X to log in to multiple of their tools.

We are using Centrify Express as an AD plugin, which works like a charm.

The only issue that we see is that when using Centrify Express, the single sign-on tools from our customer are giving issues.

For example, when you lock the Mac or start the screensaver, the user has to authenticate again to log in to the system. If they log in, they are logged out of all customer tools from their single sign-on session.

I changed pam.auth.create.krb5.cache: to false in centrifydc.conf. Now the logout problem with our customer tools disappears, but we are not getting Kerberos tickets from our domain.

 

Any ideas?

NKO does not recognize CAC


I recently purchased and then attempted to set up a CAC card reader on my MacBook Pro. After downloading this CAC system, my first attempt at signing on to NKO was successful, but since then, when I try to access the page, it tells me I am not authorized. I'm not sure if it's something wrong with the reader or if it's me setting up the programs incorrectly.

SystemCAcertificates.keychain not available on OS Sierra for DHS user.


Looked through other threads on the subject, and the SystemCAcertificates available on git or MilitaryCAC do not support DHS users. Any additional help available?

adbindproxy.pl Get Domain SID failed. Please try again with authentication and a valid DC


I have Centrify Express installed, and authentication via ssh and the console is working for Domain Users. I am trying to get AD Samba auth working and have installed adbindproxy-5.3.0. When I run adbindproxy.pl, I get the error: Get Domain SID failed. Please try again with authentication and a valid DC.

OS: CentOS 7

 

adinfo (CentrifyDC 5.3.1-398)

 

adbindproxy.pl (CentrifyDC-adbindproxy 5.3.0-504)

 

adinfo -T
Domain Diagnostics:
Domain: ou.ad3.ucdavis.edu
DNS query for: _ldap._tcp.ou.ad3.ucdavis.edu
DNS query for: _gc._tcp.ou.ad3.ucdavis.edu
Testing Active Directory connectivity:
Domain Controller: xxxxx.ou.ad3.ucdavis.edu
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller: xxxxx.ou.ad3.ucdavis.edu
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller: xxxxxx.ou.ad3.ucdavis.edu
ldap: 389/tcp - good
ldap: 389/udp - timeout
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good

 

Full output of process

Please specify Samba's path if it is not in [/usr/] :
Using (/usr/)
The Samba base path is : /usr/
Joined to Domain: ou.ad3.ucdavis.edu
Zone: Auto Zone
Do you want to leave and join to another domain? [N] :
Using (N)
Remove Winbind settings (if any) from /etc/nsswitch.conf.
No Winbind settings found.
Removing old state files...
Please specify the stock samba winbindd listen path(dir) if it is not in [/run/samba/winbindd] :
Using (/run/samba/winbindd)
Updating smb.conf with Centrify recommended settings...
Connection failed: NT_STATUS_NOT_SUPPORTED

Get Domain SID failed. Please try again with authentication and a valid DC.

Enter the Active Directory authorized user [Administrator] : xxxxxxxx
Using (admin-cns)
Enter a valid domain controller [xxxxx.ou.ad3.ucdavis.edu] :
Using (xxxxxx.ou.ad3.ucdavis.edu)

Get Domain SID failed. Please try again with authentication and a valid DC.

Enter the Active Directory authorized user [admin-cns] :

Office 365 SSO does not work anymore


Dear Community Experts,

 

My Office 365 SSO has worked fine for several months already; thanks, Centrify, for a great product.

 

But last week SSO stopped working. Users have to type their username and password on every O365 app login. The only change in settings I remember: "Email confirmation code" is disabled in Authentication Profile. Not sure if this change really breaks SSO.

 

How can I fix it?

 

How can I find out why SSO stopped working with Office 365? Log files? Some other troubleshooting tool?

 

Thank you in advance!

Slow to connect to SMB shares when secondary DC is switched off


Hi All

 

I seem to have a strange problem. We installed Centrify Express on a CentOS 6.5 box. This was installed successfully and joined the domain, allowing authentication via AD. We then installed a secondary DC, and running an adcheck brings up both DCs.

 

We now have a strange problem in that whenever we switch off the secondary DC, connecting to SMB shares becomes really slow and eventually no one can connect. AFP shares connect straight away.

It's almost as if Centrify is using the secondary DC as primary and is timing out whenever it can no longer see it.

 

Any help would be gratefully appreciated.

 

Thanks guys.

S/MIME control isn't available


My OWA email is showing the following for encrypted emails: "The content can't be displayed because the S/MIME control isn't available." Anybody know how to resolve the certificate issue on a Mac OS El Capitan?

 

V/R,

Matt


Centrify Cloud Connector error


Hello,

 

When I check for status in Centrify Cloud Connector, it says "Failed connecting to cloud..." with the following error:
---------------------------
Centrify
---------------------------
Failed connecting to cloud.
Reason: The security timestamp is invalid because its creation time ('2016-10-31T09:29:44.992Z') is in the future. Current time is '2016-10-31T09:22:06.473Z' and allowed clock skew is '00:05:00'.
---------------------------
OK  
---------------------------

 

When it gets resolved on its own randomly after some time, I get the following error.
---------------------------
Centrify
---------------------------
Failed connecting to cloud.
Reason: The ChannelDispatcher at 'sb://centrifyapac-southeast-asia-11.servicebus.windows.net/Proxies/12269c33-4324-46f4-bc5f-2f1f91968528/f7f99f30-744a-4009-bbfe-2c1be5f5be53/' with contract(s) '"IServiceBusRpc"' is unable to open its IChannelListener.
---------------------------
OK  
---------------------------

 

Can anyone give clues separately on why these errors occur?

 

Regards,
Ganesan

"Kerberos FAST is not currently supported" error when attempting to join domain


Hello,

 

I'm trying to join a newly cloned CentOS 6.8 server to our (Windows Server 2012) domain. I successfully joined a CentOS 7 server to the same domain just last week, but today when I tried to join this new server, I got:

 

[root@iiamabqzblox02d centrify]# adjoin -w -u matthew.mccleary02 -V domain.net
matthew.mccleary02@DOMAIN.NET's password:
Options
-------
Precreate: no
Compatible with: 2.x/3.x: no
Enable Apple Scheme to generate UID/GID: no
domain: ia.doi.net
user: matthew.mccleary02@DOMAIN.NET
container: null
computer name: xxx02d
Pre-Windows 2000 name: xxx02d
DNS Host Name user for dNSHostName addr: null
zone: Auto Zone
server: null
zoneserver: null
gc: null
upn: null
noconf: no
set time: yes
force: no
trust: no
des: no
self-serve: no
use ldap to create computer object: no
license type: null
Setting time
Initializing domain settings file to ia.doi.net
Attempting bind to domain.net(site:) as matthew.mccleary02@DOMAIN.NET on any server
Error: Kerberos Policy Failure.
(For Windows 2012 Kerberos FAST is currently not supported)
Join to domain 'domain.net', zone 'Auto Zone' failed.

I haven't seen this error before, and haven't turned up much on Google. Any ideas how I can proceed?

 

Centrify Customer Advisory - Centrify Browser Extension Security Issue (Action Required)

SMB share can only be accessed using AD user, not groups


 

I recently set up a machine to use Centrify, and authentication is working fine for console and ssh access, but I am still having some problems with SMB sharing.

I have created a share with Unix permission 770. The user owner is an AD user and the group owner is an AD group.

 

The AD user is able to access the share, but not members of the AD group. I also set the valid user as the domain group in smb.conf using valid users=+OU\test-us-ubuntu-users


If I change the Linux permissions owner to another AD user, they will be able to access the share, but they will then be the only person that can access it.

I can resolve the group name using wbinfo and adquery

wbinfo -g | grep test-us-ubuntu-users
test-us-ubuntu-users
[testadmin@test-centos bin]$ adquery group test-us-ubuntu-users
test-us-ubuntu-users:x:243347734:admin-test,norton

adbindproxy
sudo /usr/share/centrifydc/bin/adbindproxy.pl --version
adbindproxy.pl (CentrifyDC-adbindproxy 5.3.0-504)

[testadmin@test-rn-centos ~]$ smbstatus
Samba version 4.2.10

[testadmin@test-centos /]$ sudo adinfo -V
Options:
-------
task: all
domain: null
output: null
additional paths: null
user: null
using user's credential cache: No
allow password prompt in kerberos get init credential: Yes
user's credential cache: null
server: null
Local host name: test-centos
Joined to domain: ou.ad3.ucdavis.edu
Joined as: test-centos.ou.ad3.ucdavis.edu
Pre-win2K name: test-centos
Current DC: oudc3c.ou.ad3.ucdavis.edu
Preferred site: Default-First-Site
Zone: Auto Zone
Retrieving site information from site=any, server='xxxxxx.ou.ad3.ucdavis.edu'
Using machine credentials
Using principal name 'test-centos$@OU.AD3.UCDAVIS.EDU'
Binding to ou.ad3.ucdavis.edu, cache=MEMORY:0x8c4c40
Searching for (&(samAccountName=test-centos$)(objectClass=computer))
in dc=OU,dc=AD3,dc=UCDAVIS,dc=EDU
Found computer account: CN=test-centos,OU=test-OU-Computers,OU=test,OU=DEPARTMENTS,DC=ou,DC=ad3,DC=ucdavis,DC=edu
Last password set: 2016-11-03 10:24:49 PDT
CentrifyDC mode: connected
Licensed Features: Disabled

Upgrade to Centrify Express 5.3.3


If I have Centrify Express 5.2.4 and I need to install 5.3.3, do I need to uninstall 5.2.4? I don't see anything about upgrading on the site.
