Enabling logging for the Centrify DirectControl Agent for Mac

The Centrify DirectControl Agent for Mac installation includes some basic diagnostic tools and a logging mechanism to help you trace the source of problems if they occur. These diagnostic tools and log files allow you to periodically check your environment and view information about the agent operation, your Active Directory connections, and the configuration settings for individual computers.

In most cases, logging is not enabled by default for performance reasons. Once enabled, however, log files provide a detailed record of Centrify DirectControl Agent for Mac activity and can be used to analyze the behavior of Centrify Management Services and communication with Active Directory to locate points of failure.

For performance and security reasons, you should only enable agent logging when necessary, for example, when requested to do so by Centrify Corporation Technical Support, and for short periods of time to diagnose a problem. Keep in mind that sensitive information may be written to this file and you should evaluate the contents of the file before giving others access to it.

You can enable logging either by using the cdcdebug command or the Centrify for Mac Diagnostic Tool application.

To enable logging with the cdcdebug command:

  1. Log in to the Mac as Local Admin and open the Terminal.

  2. Run the following commands to clear and then enable the Centrify DirectControl Agent for Mac log file:

    % sudo /usr/local/share/centrifydc/bin/cdcdebug clear

    % sudo /usr/local/share/centrifydc/bin/cdcdebug on

  3. Record the start time point:

    % date +%s

    For example, if the output is 1610614011, make a note of it. This value is the start time point.

  4. Log out of the local admin user account.

  5. Reproduce the issue: try to log in as the affected Active Directory user. Let it fail.

  6. Log back in as Local Admin and open the Terminal again.

  7. Record the end time point:

    % date +%s

    For example, if the output is 1610614043, make a note of it. This value is the end time point.

  8. Enter the following commands to collect the Centrify DirectControl Agent for Mac log file:

    % sudo /usr/local/share/centrifydc/bin/cdcdebug -f pack [affected_AD_user_name] [start_time_point] [end_time_point]

    % adquery user -A [affected_AD_user_name] > /tmp/adquery.log

  9. Send us the following files for analysis:

    /var/centrify/tmp/cdcdebug.tar.gz

    /tmp/adquery.log

  10. Disable the Centrify DirectControl Agent for Mac log:

    % sudo /usr/local/share/centrifydc/bin/cdcdebug off
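
The page advises evaluating the log contents before giving others access to them. As an added example (not Centrify's own tooling), the shell function below unpacks a cdcdebug pack into a private temporary directory and reports which files contain sensitive-looking lines. The pattern list and the make_sample_pack helper with its constructed sample data are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Centrify code). PATTERNS is an assumed, illustrative list of
# sensitive-looking strings; tune it for your environment.
PATTERNS='password|passwd|secret|keytab|private key'

# review_pack ARCHIVE: print "file:count" for each archive member containing
# lines that match PATTERNS. Returns 0 = no matches, 1 = matches, 2 = unreadable.
review_pack() {
    archive=$1
    [ -r "$archive" ] || { echo "cannot read: $archive" >&2; return 2; }
    # mktemp -d creates a directory only the current user can enter.
    workdir=$(mktemp -d) || return 2
    if ! tar -xzf "$archive" -C "$workdir" 2>/dev/null; then
        rm -rf "$workdir"
        return 2
    fi
    # grep -c prints file:count; /dev/null forces the file name prefix,
    # and the second grep drops files with zero matching lines.
    report=$(find "$workdir" -type f -exec grep -ciE "$PATTERNS" /dev/null {} + \
        | grep -v ':0$' | sed "s|^$workdir/||" || true)
    rm -rf "$workdir"   # the unpacked copy is as sensitive as the archive
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# make_sample_pack DIR: build a small constructed archive (sample data, not real
# agent output) and print its path.
make_sample_pack() {
    dir=$1
    mkdir -p "$dir/pack"
    printf '%s\n' 'constructed: lookup ok' > "$dir/pack/clean.log"
    printf '%s\n' 'constructed: bind ok' 'constructed: password=EXAMPLE' \
        'constructed: using keytab /tmp/example' > "$dir/pack/noisy.log"
    tar -czf "$dir/sample.tar.gz" -C "$dir/pack" .
    printf '%s\n' "$dir/sample.tar.gz"
}

# Usage on a real pack, run as a user who can read it:
#   review_pack /var/centrify/tmp/cdcdebug.tar.gz
```

A non-zero count only tells you where to look first; read the flagged files before sending the pack.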

 

To enable logging with the Centrify for Mac Diagnostic Tool:

  1. Log in to the Mac as Local Admin and open the application MacDiagnosticTool.app.

    The app is located at “/Library/Application Support/Centrify/MacDiagnosticTool.app”. You can run the following command to open it:

    % open /Library/Application\ Support/Centrify/MacDiagnosticTool.app

  2. Click the Debug/Logs tab.

  3. Click 0. Clear Debug Log Files.

  4. Click 1. Enable Debugger.

  5. Click 2. Get Start Time Point.

    Note:   You do not need to remember the start time point; it is saved automatically.

  6. Click Quit to close the application.

  7. Log out of the Local Admin account.

  8. Reproduce the issue: try to log in as the affected Active Directory user. Let it fail.

  9. Log back in as Local Admin and open the application MacDiagnosticTool.app again.

  10. Click 4. Get End Time Point and enter the affected Active Directory user name.

  11. Click 5. Save Debug Log Files to Desktop. The tool starts collecting the agent log files.

    Note:   You might see a message about installing the “otool” command; you can select “Cancel” or “Install”, either choice works.

    The log file “CENTRIFY_FULL_LOG_PACK.zip” will be on the Desktop. Send the file to Centrify Technical Support for analysis.

  12. Click 6. Disable Debugger, then click Quit to close the application.