Troubleshooting logon failures
If a user attempts to log on to a computer that is in a Centrify zone and the logon fails, the problem is typically caused by one of the following:
- Users attempting to log on to a computer they are not authorized to use.
- Users have an incomplete profile in the zone where the computer they are attempting to use is located.
- Users have not been assigned an appropriate role that allows logon access.
- Users have typed their non-Active Directory password or typed the wrong password more times than allowed.
- Local or group policy settings are applied to the computer to prevent access.
To investigate these potential problem areas:
Check whether the local UNIX computer can connect to the Active Directory domain controller.
- Log on to the computer using a locally authenticated user, such as the local root user.
- Run the ping command with the name of an appropriate domain controller in the forest.
For example, if the local computer is joined to the snowline.org forest, the command might look similar to this:
If the command receives a reply from the domain controller, the DNS service is functioning and the local computer is able to locate the domain controller on the network. If the ping command does not generate a reply, you should check your DNS configuration and check whether the local computer or the domain controller is disconnected from the network.
Check Active Directory information by running the adinfo command. The output from this command should appear similar to the following:
Local host name: magnolia
Joined to domain: snowline.org
Joined as: magnolia.snowline.org
Current DC: shasta.snowline.org
Preferred site: Default-First-Site-Name
Last password set: 2017-12-21 11:37:22 PST
CentrifyDC mode: connected
If the mode is disconnected, check whether adclient is running and network connectivity. On a slow network adclient may drop the connection to Active Directory if there is a long delay in response time.
If the output displays an <unavailable> error, you should try running the adleave command to leave Active Directory, re-run the adjoin command, then re-run the adinfo command. For example:
adjoin --user skip --zone cascade snowline.org
If a problem still exists, check the DNS host name of the local computer and the domain controller, the user name joining the domain, and the domain name you are using.
Check the clock synchronization between the local UNIX computer and the Active Directory domain controller.
If the clocks are not synchronized, reset the system clock on the UNIX computer using the date command.
Check for denied users and groups in the /etc/centrifydc/centrifydc.conf file or the Login Controls group policy. For example, open the centrifydc.conf file in a text editor, such as vi:
- Search for the pam.deny.users line and make sure that the user who is trying to log on is not listed.
- Search for the pam.deny.groups line and make sure that the user who is trying to log on is not a member of any group that is listed on this line.
- Check the contents of the system log files or the centrifydc.log file after the user attempts to log on. You can use information in this file to help determine whether the issue is with the configuration of the software or with the user’s account.
Check for conflicts between local user accounts and the user profiles in Active Directory by running the getent command. For example:
This command displays a list of local and Active Directory users with access to the computer. If the user’s name is not listed but other Active Directory users are listed, the problem may be in the user’s Active Directory account settings or UNIX profile.
If no Active Directory users are listed in the output of the command, check whether adclient is running and whether the Active Directory domain controller is available.
Check the user’s Active Directory account settings using Access Manager or Active Directory Users and Computers. For example:
- Check whether the user has a UNIX profile for the local computer’s zone.
- If the user has a UNIX profile in the zone, check whether the profile is currently enabled.
- If the user has an enabled UNIX profile, check the user’s group membership to determine whether it is a local group defined in a different domain than the computer account.
- Check whether the user’s account has been disabled or locked.
- Check whether any user-based group policies have been applied to the user account that may prevent access to the UNIX computer.
Enable logging of adclient activity using the addebug command. For example:
This command enables extensive logging of each operation performed by the adclient process in the /var/log/centrifydc.log file. You can use the information in this file to further diagnose the cause of any problems or to enable Centrify’s support staff to assist with resolving any issues.