Centrify Authentication Service known issues

When troubleshooting, be aware of the following issues and constraints:

  • Import users and groups before importing the sudoers file (Ref: IN-90001).

    Sudoers Import creates user roles but not the users. It is recommended that you import users and groups prior to importing the sudoers file. Otherwise, no sysRights are created for the users.

  • Pre-create computers before importing computer role from sudoers file (Ref: IN-90001).

    The computers contained in the sudoers file must either be joined to a zone or pre-created.

  • Delegating zone administration permissions for SFU zones (Ref: IN-90001)

    Delegating permissions to add, remove, or modify users for an SFU zone is not supported.

  • Users with rights to import users and groups into a zone also gain rights to modify profiles (Ref: IN-90001)

    Any users who are given the right to "Import users and groups to zone" are automatically also given the right to "Modify user/group profiles".

  • Using domain local groups to manage resources (Ref: IN-90001)

    Domain local groups can only be used to manage resources in the same domain as the group. So, for instance, a domain local group in domain A may be used to manage a computer in domain A but not one in domain B, despite a trust relationship between the two domains.
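    The following check, added here as an example and not part of the Centrify documentation, applies the rule above before you delegate management: it reads the group's scope from Active Directory and refuses the pairing when a domain local group and the target computer live in different domains. It assumes the ActiveDirectory PowerShell module is installed, that you can query both domains, and that the two distinguished names are supplied by you; the names in the usage line are placeholders. Splitting the DN on commas does not handle escaped commas inside a CN, which is acceptable for typical group and computer objects.

```powershell
# Added example (not Centrify's code): verify that a group may manage a computer
# under the domain local scope restriction described above.
Import-Module ActiveDirectory

function Get-DomainFromDn {
    param([Parameter(Mandatory)][string]$Dn)
    # Turn the DC= components into a DNS name:
    # DC=child,DC=corp,DC=example  ->  child.corp.example
    # (Assumes no escaped commas in the RDNs.)
    $parts = $Dn -split ',' |
        Where-Object { $_ -like 'DC=*' } |
        ForEach-Object { $_.Substring(3) }
    return ($parts -join '.')
}

function Test-GroupCanManageComputer {
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [Parameter(Mandatory)][string]$ComputerDn
    )
    $groupDomain    = Get-DomainFromDn -Dn $GroupDn
    $computerDomain = Get-DomainFromDn -Dn $ComputerDn

    # Query the group in its own domain; GroupScope is Global, Universal or DomainLocal.
    $group = Get-ADGroup -Identity $GroupDn -Server $groupDomain -Properties GroupScope

    $blocked = ($group.GroupScope -eq 'DomainLocal') -and ($groupDomain -ne $computerDomain)

    [pscustomobject]@{
        Group          = $group.Name
        GroupScope     = $group.GroupScope
        GroupDomain    = $groupDomain
        ComputerDomain = $computerDomain
        CanManage      = -not $blocked
        Reason         = if ($blocked) {
                             'Domain local group is in a different domain than the computer'
                         } else {
                             'OK'
                         }
    }
}

# Usage with placeholder DNs: a domain local group in corp.example checked
# against a computer in the child domain child.corp.example.
Test-GroupCanManageComputer `
    -GroupDn    'CN=UnixAdmins,OU=Groups,DC=corp,DC=example' `
    -ComputerDn 'CN=srv01,OU=Servers,DC=child,DC=corp,DC=example'
```

Run it before delegating zone or computer management to a group that was found through a cross-domain search; a `CanManage` of `$false` means the delegation will silently have no effect on that computer, exactly the situation the item above describes.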

  • Domain local groups from other domains shown in search dialog (Ref: IN-90001)

    When using the search dialog in the Access Manager to delegate zone control to a group, domain local groups from child domains will be shown incorrectly in the results and should be ignored. The search results when using the ADUC extension do not show these domain local groups.

  • Analyze forest and SFU zones (Ref: IN-90001)

    The analyze forest feature in the Access Manager does not report empty zones or duplicated users or groups in an SFU zone.

  • Working with users that have more than one UNIX mapping (Ref: IN-90001)

    Centrify Authentication Service supports Active Directory users that have more than one UNIX profile in a zone. However, if you are upgrading from DirectControl 4.x or earlier and have existing users with more than one UNIX mapping, you should use DirectControl Access Manager 5.0.0 or later to remove all but one of the UNIX profiles for each of these Active Directory users and then re-add them.

    In addition, you should always use DirectControl console 5.0.0 or later when modifying these users.

  • Moving a computer joined to a hierarchical zone (Ref: IN-90001)

    On the Centrify Profile tab of the Properties page of a computer joined to a hierarchical zone, you cannot move the computer to a classic zone, nor to a zone in another domain. A computer joined to a classic zone has no such limitations.

  • Extra results when analyzing duplicate service principal names (Ref: IN-90001)

    When running the Analyze / Duplicate Service Principal Names report, kadmin/changepw is incorrectly returned as a duplicate. The SPN really is found multiple times, but this is by Microsoft design: it is registered on the default account for the Key Distribution Center service in every domain, so these results can be ignored.

  • Secondary groups not imported from XML files (Ref: IN-90009)

    Using the Import Wizard to import user information from XML files does not import secondary group membership.