Centrify Authentication Service and Centrify Privilege Elevation Service 5.5.1 (Release 18.8) Release Notes
© 2004-2018 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
Centrify Authentication Service and Centrify Privilege Elevation Service (part of the product category Centrify Infrastructure Services) centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and Single-Sign-On. With Centrify Infrastructure Services, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. Centrify Authentication Service, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. Centrify's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.
An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available online.
The Centrify Infrastructure Services related release notes and documents are available online at http://docs.centrify.com.
Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)
For a list of the platforms supported by this release, refer to the 'Supported Platforms' section in the Centrify Infrastructure Services release notes.
For a list of platforms for which Centrify will remove support in upcoming releases, refer to the 'Notice of Termination Support' section in the Centrify Infrastructure Services release notes.
For a complete list of platforms in all currently supported DirectControl Agent releases, refer to the 'Centrify Infrastructure Services' section in the document available from www.centrify.com/platforms.
· Open Source component upgrade
1. Centrify curl is upgraded based on curl 7.61.0 instead of 7.58.0. (Ref: CS-45501, CS-45495, CS-45496, CS-45497, CS-46015, CS-46016)
§ This includes security fixes for CVE-2018-0500, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000300, CVE-2018-1000301. For details, please refer to https://curl.haxx.se/docs/security.html.
2. Centrify OpenSSH is upgraded based on OpenSSH 7.7p1 instead of 7.6p1. (Ref: CS-45683)
§ This is primarily a bug fix release. This release also removes the compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. For details, please refer to http://www.openssh.com/releasenotes.html.
§ This includes security fixes for CVE-2018-0739. For details, please refer to https://www.openssl.org/news/vulnerabilities-1.0.2.html and https://www.openssl.org/news/cl102.txt.
· Product packaging changes
1. Starting with this release, the Centrify Infrastructure Services product structure has changed: (Ref: CS-46233)
§ The product previously called Centrify Identity Broker Service is now called Centrify Authentication Service, to align with other product offerings.
§ The bundle filename convention is also changed to Centrify-Infrastructure-Services-18.8-<product>.iso/zip for Windows bundles and centrify-infrastructure-services-18.8-<platform>.tgz for *nix bundles.
2. The DirectControl agent package (CentrifyDC) for CoreOS is now split into 4 packages: CentrifyDC-openssl, CentrifyDC-openldap, CentrifyDC-curl, and CentrifyDC, just like the DirectControl agent packages on all other platforms. Note: if you are upgrading from Release 2018, you should use the umbrella installer, install.sh, which takes care of the dependent packages. (Ref: CS-44417, CS-46752)
3. Added a new plug-in package, CentrifyDC-cifsidmap, for Linux platforms to support the cifs-utils utility, which maps Active Directory users and groups to their corresponding zone-enabled UIDs/GIDs for Common Internet File System (CIFS) support. (Ref: CS-44864)
This release of Centrify DirectControl Agent for *NIX will work with the following:
1. The latest released Centrify for DB2 and Centrify for Samba. (Ref: CS-44594)
2. Centrify DirectSecure Agent of Release 2017.2 or later, except
§ On Solaris x86 and SPARC platforms, DirectSecure Agent must be of Release 2018 or later. (Ref: CS-44594)
3. Centrify DirectAudit Agent of Release 2017 or later, except
§ On AIX, Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later. (Ref: CS-44597, CS-44601, CS-44749)
§ On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later. (Ref: CS-44594)
4. Centrify OpenSSH of Release 2017 or later, except
§ On Linux PowerPC platforms, all packages must be of Release 2017.3 or later. (Ref: CS-44749, CS-44753)
§ On Solaris x86 and SPARC platforms, Centrify OpenSSH must be of Release 2018 or later. (Ref: CS-44594)
· Sample docker files for installing and setting up Centrify DirectControl inside a docker container are published on GitHub. The docker files can be found in the GitHub repository under centrify/container-security/docker-files/Centrify-Active-Directory-Agent-for-Linux (https://github.com/centrify/container-security/tree/master/docker-files/Centrify-Active-Directory-Agent-For-Linux). (Ref: CS-34433)
Note: Both Docker host and containers must have the same version of DirectControl agent for proper operation. (Ref: CS-46754)
· Microsoft Privilege Access Management for Active Directory is now supported. This feature is disabled by default. To enable the support in the agent, set the "microsoft.pam.privilege.escalation.enabled" parameter to true in centrifydc.conf, or use the corresponding Group Policy "Enable Active Directory PAM Privilege Escalation Feature". Please refer to user documentation for details. (Ref: CS-45092)
· A single non-existing user or group can now be ignored by adding the corresponding UID or GID to the /etc/centrifydc/uid.ignore or /etc/centrifydc/gid.ignore file as a single-value range, for example uid1-uid1 or gid2-gid2. (Ref: CS-45822)
· On Linux or AIX platforms, MIT Kerberos commands or programs linked with the MIT Kerberos library (release 1.13 or above) can now inter-operate with the Centrify KCM service. (Ref: CS-44043)
· A new field "assignee" for "get_role_assignment_field" is added in the command "adedit". It can be used to get a role assignment's assignee DN. (Ref: CS-45452)
· The command "adinfo" now has the following new options:
1. "-i, --cipinfo" to show information about the Centrify Identity Platform and the HTTP proxy server used by DirectControl. (Ref: CS-45940)
2. "--product-version" to display the Centrify Infrastructure Services version information. The previous option "--suite-version" is still valid and displays the same information. (Ref: CS-45985, CS-46233)
· The command "adjoin" now has the following new options:
1. "-o, --createComputerZone" to create a computer zone for the machine at join time. (Ref: CS-32700)
2. "-O, --forceDeleteExistingComputerZone", effective only together with "-o, --createComputerZone", to remove the existing computer zone in Active Directory and force creation of a new computer zone at join time. (Ref: CS-32700)
3. "-E, --prestage <dir>" to specify <dir> as the directory where the pre-stage cache is located. This option is useful for improving the performance of adjoin, especially in large deployment scenarios. Please refer to user documentation for details. (Ref: CS-40351)
· The command "dzdo", and the corresponding Access Manager User Interface and sudoers import feature, now support sudo's "command digests". A privileged command right can carry multiple SHA-2 digests in its new 'digest' field; the supported hash types are 'sha224', 'sha256', 'sha384', and 'sha512'. Please check the manual for the field's format details. Note: This is supported only if the explicit path matches the command right, and only in a hierarchical zone. Also, to avoid sudo's security issue CVE-2015-8239, dzdo will deny execution of a command allowed by a privileged command right if the right requires a digest check that passed but the command file is writable by the run user. In addition, the SHA-2 algorithms used by the command digest check in dzdo and dzsh are all FIPS-compliant. (Ref: CS-45542, CS-45933, CS-38738, CS-45393, CS-46005)
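The following is an added illustration, not Centrify's own dzdo code, of the three conditions the digest feature above describes: the explicit path must match the right, the file must match one of the listed SHA-2 digests, and a digest-verified file that the run user can still write is refused (the CVE-2015-8239 hazard). The 'digest' field syntax 'sha256:<hex>,sha512:<hex>', the sample script and the run user's uid/gids are constructed assumptions; the real field format is in the dzdo manual.

```python
import hashlib
import os
import stat
import tempfile

# Hash types the release notes list for the 'digest' field.
SUPPORTED_DIGESTS = ("sha224", "sha256", "sha384", "sha512")


def parse_digest_field(field):
    """Parse a right's 'digest' field (assumed syntax 'algo:hex,algo:hex').

    Several digests may be listed so that more than one approved build of
    the same binary is accepted."""
    entries = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue
        algo, sep, hexdigest = item.partition(":")
        algo = algo.lower()
        if not sep or algo not in SUPPORTED_DIGESTS:
            raise ValueError("unsupported digest entry: %r" % item)
        entries.append((algo, hexdigest.lower()))
    return entries


def file_digest(path, algo):
    """Hash a file with one of the SHA-2 algorithms, streaming in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def writable_by(st, uid, gids):
    """True if a user with this uid/gids could write the file (mode bits only;
    ACLs and a uid-0 run user are out of scope for this illustration)."""
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def check_command_right(right_path, digest_field, requested_path, user_uid, user_gids):
    """Return (allowed, reason) for one privileged command right with digests."""
    # 1. The digest check applies only when the explicit path matches the right.
    if (not os.path.isabs(requested_path)
            or os.path.normpath(requested_path) != os.path.normpath(right_path)):
        return False, "explicit path does not match the command right"
    digests = parse_digest_field(digest_field)
    st = os.stat(requested_path)
    # 2. The file on disk must match at least one listed digest.
    if not any(file_digest(requested_path, algo) == expected for algo, expected in digests):
        return False, "digest mismatch"
    # 3. CVE-2015-8239 mitigation: a verified file the run user can still write
    #    could be swapped between the check and the exec, so deny it outright.
    if writable_by(st, user_uid, user_gids):
        return False, "command file is writable by the run user"
    return True, "digest verified"


def demo():
    """Exercise the checks against a constructed script in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cmd = os.path.join(d, "backup.sh")
        with open(cmd, "wb") as fh:
            fh.write(b"#!/bin/sh\necho backup\n")   # constructed command file
        os.chmod(cmd, 0o755)
        good = "sha256:" + file_digest(cmd, "sha256")
        uid, gids = 60001, {60001}                  # constructed non-owner run user
        results["ok"] = check_command_right(cmd, good, cmd, uid, gids)
        results["wrong_path"] = check_command_right(cmd, good, os.path.join(d, "other.sh"), uid, gids)
        results["tampered"] = check_command_right(cmd, "sha512:" + "0" * 128, cmd, uid, gids)
        os.chmod(cmd, 0o777)                        # now world-writable: must be denied
        results["writable"] = check_command_right(cmd, good, cmd, uid, gids)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-10s allowed=%s (%s)" % (name, *outcome))
```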
· Audit Trail events
1. The command "adwebproxyconf" used by Multi-Factor Authentication (MFA) now also generates audit trail events under the category "Centrify Commands" for web proxy configuration changes. (Ref: CS-45604)
2. The commands "sftp" and "scp" in Centrify OpenSSH now also generate audit trail events under the category "Centrify sshd". (Ref: CS-44236)
The following parameters are added in centrifydc.conf:
- adclient.dns.cachingserver: This parameter enables DirectControl to work in an environment where a caching-only DNS server (such as dnscache) is deployed. The default is false. Set this parameter to true if adjoin fails to join the domain and a caching-only DNS server is deployed in your environment. (Ref: CS-45017, CS-45987)
o The command adcheck now has a new option '-r' for this check: without this option adcheck fails on a caching-only DNS server, with the option it passes.
o You can also instruct install.sh to run adcheck with the option '-r' by applying the option '--dns_cache' to install.sh.
- adclient.krb5.permitted.encryption.types.strict: This parameter specifies whether DirectControl should add to or replace the encryption types in the permitted_enctypes setting in krb5.conf with the ones specified in adclient.krb5.permitted.encryption.types in centrifydc.conf. The default is false, meaning the types are only added. When this is set to true, DirectControl replaces the permitted_enctypes setting in krb5.conf so that it matches the adclient.krb5.permitted.encryption.types setting in centrifydc.conf exactly. (Ref: CS-45047)
- adclient.krb5.tkt.encryption.types.strict: This parameter specifies whether DirectControl should add to or replace the encryption types in the default_tgs_enctypes and default_tkt_enctypes settings in krb5.conf with the ones specified in adclient.krb5.tkt.encryption.types in centrifydc.conf. The default is false, meaning the types are only added. When this is set to true, DirectControl replaces the default_tgs_enctypes and default_tkt_enctypes settings in krb5.conf so that they match the adclient.krb5.tkt.encryption.types setting in centrifydc.conf exactly. (Ref: CS-45047)
- adclient.krb5.ccache.dir: This parameter specifies the directory where Kerberos ccache files are stored when krb5.cache.type is FILE. The default is empty and the ccache files are stored in /tmp. (Ref: CS-44846)
- adclient.krb5.ccache.dir.secure.usable.check: This parameter specifies whether to perform security and usability checks on the configured Kerberos ccache directory. The default is false. Do not enable it until you know the exact requirements. (Ref: CS-44846)
- adclient.one-way.x-forest.trust.force: This parameter specifies a list of root domains in two-way trusted forests that are not reachable (for example, because they are behind a firewall) and that the DirectControl Agent should therefore treat as one-way trusted domains. The default is an empty list. (Ref: CS-44419)
- dzdo.requiretty: This parameter specifies whether dzdo will run only when the user is logged in to a real tty. The default is false. When set to true, dzdo can only run from a login session and not via other means such as cron(8) or cgi-bin scripts. (Ref: CS-45064)
- krb5.conf.kcm.socket.path: This parameter specifies the alternate socket path for KCM server. The default is empty string meaning that the default path in /etc/krb5.conf, /var/run/.centrify-kcm-socket, is used. If this parameter is set to a valid alternate path, the kcm_socket setting in /etc/krb5.conf will be updated and will take effect after adreload. (Ref: CS-44845)
- krb5.conf.kcm.socket.path.secure.usable.check: This parameter specifies whether to do secure and usability check on the alternate socket path for KCM server. The default is false. Do not enable until you know the exact requirements. (Ref: CS-46584)
- microsoft.pam.privilege.escalation.enabled: This parameter specifies whether the Centrify DirectControl agent uses the Microsoft PAM Privilege Escalation feature on the machine. The default is false. When this is set to true, DirectControl will support dzdo privilege escalation. (Ref: CS-45092)
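The following is an added illustration, not Centrify's own agent code, of the add-versus-replace semantics of adclient.krb5.permitted.encryption.types.strict and adclient.krb5.tkt.encryption.types.strict described above, applied to the [libdefaults] keys they drive in krb5.conf. The krb5.conf and centrifydc.conf fragments are constructed samples, and the order and de-duplication used in "add" mode are assumptions of this example.

```python
import re

# Constructed krb5.conf sample: an older RC4 type is still listed everywhere.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac-md5

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

# Constructed centrifydc.conf sample: permitted types are only added,
# ticket types are replaced (strict).
SAMPLE_CENTRIFYDC_CONF = """\
# constructed sample
adclient.krb5.permitted.encryption.types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
adclient.krb5.permitted.encryption.types.strict: false
adclient.krb5.tkt.encryption.types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
adclient.krb5.tkt.encryption.types.strict: true
"""

# Which krb5.conf [libdefaults] keys each centrifydc.conf list drives, and
# which '.strict' flag switches that list from "add" to "replace".
ENCTYPE_SETTINGS = {
    "adclient.krb5.permitted.encryption.types": (
        "adclient.krb5.permitted.encryption.types.strict", ("permitted_enctypes",)),
    "adclient.krb5.tkt.encryption.types": (
        "adclient.krb5.tkt.encryption.types.strict",
        ("default_tgs_enctypes", "default_tkt_enctypes")),
}


def parse_centrifydc_conf(text):
    """Parse 'key: value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def merge_enctypes(existing, configured, strict):
    """strict=True: the configured list wins exactly.
    strict=False: keep existing entries, append configured ones not yet present."""
    if strict:
        return list(configured)
    merged = list(existing)
    for enctype in configured:
        if enctype not in merged:
            merged.append(enctype)
    return merged


def apply_enctypes(krb5_text, conf):
    """Rewrite the enctype keys in [libdefaults]; keys not present are left untouched."""
    out, in_libdefaults = [], False
    for line in krb5_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_libdefaults = stripped == "[libdefaults]"
        elif in_libdefaults:
            m = re.match(r"^(\s*)([A-Za-z_]+)\s*=\s*(.*?)\s*$", line)
            if m:
                indent, key, value = m.groups()
                for src, (strict_key, targets) in ENCTYPE_SETTINGS.items():
                    if key in targets and src in conf:
                        strict = conf.get(strict_key, "false").lower() == "true"
                        new = merge_enctypes(value.split(), conf[src].split(), strict)
                        line = "%s%s = %s" % (indent, key, " ".join(new))
        out.append(line)
    return "\n".join(out) + "\n"


def libdefault(krb5_text, key):
    """Return the value list of one [libdefaults] key, or None if absent."""
    in_libdefaults = False
    for line in krb5_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_libdefaults = stripped == "[libdefaults]"
        elif in_libdefaults:
            k, sep, v = stripped.partition("=")
            if sep and k.strip() == key:
                return v.split()
    return None


if __name__ == "__main__":
    print(apply_enctypes(SAMPLE_KRB5_CONF, parse_centrifydc_conf(SAMPLE_CENTRIFYDC_CONF)))
```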
The following parameters are updated in centrifydc.conf:
- krb5.sso.block.local_user: This parameter specifies whether the Kerberos library blocks a local user from doing Single-Sign-On (SSO) through .k5login. If the parameter is set to true, the user's UNIX name is checked against the nss.ignore.user list. If the UNIX name is in the list, the user is considered a local user and SSO is not allowed; to log in, the user must enter the local user password. The default is changed from false to true. (Ref: CS-45906)
There is no parameter removed from centrifydc.conf in this release.
Please refer to the manual, Configuration and Tuning Reference Guide, for details.
· The attribute page of command right properties now has a new dialog to support input/display of command digests. (Ref: CS-45393)
· There is a change in the User Interface of all zone-based reports (Ref: CS-45348):
1. The display format of zone selection is changed to '<parent zone>/<child zone>' to show the zone hierarchy as well.
2. The default selected zone is changed from '--All--' to just the first zone in the list to improve the initial report display time.
· Open Source component upgrade
§ This includes security fixes for CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-1000005, CVE-2018-1000007, CVE-2017-1000257. For details, please refer to https://curl.haxx.se/docs/security.html.
2. Centrify OpenSSH is upgraded based on OpenSSH 7.6p1 instead of 7.4p1. (Ref: CS-42772)
§ This includes several security fixes. This release also removes the support of RSA1 key. For details, please refer to http://www.openssh.com/txt/release-7.6 and http://www.openssh.com/txt/release-7.5.
3. Centrify OpenSSL is upgraded based on OpenSSL 1.0.2n instead of 1.0.2k. (Ref: CS-43230)
§ This includes security fixes for CVE-2017-3735, CVE-2017-3736, CVE-2017-3737 and CVE-2017-3738. For details, please refer to https://www.openssl.org/news/secadv/20171207.txt and https://www.openssl.org/news/secadv/20171102.txt.
4. Centrify PuTTY 5.5.0 is upgraded based on PuTTY 0.70 instead of 0.69. (Ref: CS-45038)
§ This includes the remaining fixes for CVE-2016-6167 potential malicious code execution via indirect DLL hijacking. For details, please refer to https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html.
· Product packaging changes
1. On Solaris x86 and SPARC platforms, the Centrify DirectControl package set and its add-on packages (openssh, nis and ldapproxy) are changed to 64-bit. Hence, for compatibility reasons, you must upgrade both DirectControl and DirectAudit packages together in this release. Because of this, previous versions of DirectSecure Agent for Solaris will not work with this release. (Ref: CS-43308, CS-44083, CS-44085, CS-44594, CS-45441)
2. The required .NET framework is upgraded to version 4.6.2 in this release. (Ref: CS-44070, CS-44209, CS-45110, CS-45299)
§ If you operate in an offline or intranet mode that does not have internet access, you need to download the root certificate from Microsoft first or else the installation of .NET 4.6.2 will fail. Please see https://support.microsoft.com/en-us/help/3149737/.
§ The installation of .NET 4.6.2 will also fail if the URL cache on the destination computer does not contain an up-to-date Certificate Revocation List (CRL). To resolve this issue, please see: https://support.microsoft.com/en-sg/help/2694321/net-framework-4-update-error-generic-trust-failure-0x800b010b
3. The CoreOS packages are now available for download via wget. Adcheck is now also available on CoreOS. (Ref: CS-44862, CS-44205, CS-45206)
4. Centrify Express packages are no longer available on UNIX platforms, which include AIX, HPUX, and Solaris. (Ref: CS-45040)
1. This release of Centrify DirectControl Agent for *NIX will work with the following:
§ The latest released Centrify for DB2, Centrify for Samba and Centrify for SAP Netweaver ABAP SSO. (Ref: CS-44594)
§ Centrify DirectSecure Agent of Release 2017.2 or later, except that
· On Solaris x86 and SPARC platforms, DirectSecure Agent must be of Release 2018 or later. (Ref: CS-44594)
§ Centrify DirectAudit Agent of Release 2017 or later, except that
· On AIX, Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later. (Ref: CS-44597, CS-44601, CS-44749)
· On Solaris x86 and SPARC platforms, DirectAudit Agent must be of Release 2018 or later. (Ref: CS-44594, CS-45441)
§ Centrify OpenSSH and Centrify OpenSSL of Release 2017 or later, except that
· On Linux PowerPC platforms, all packages must be of Release 2017.3 or later. (Ref: CS-44749, CS-44753)
· On Solaris x86 and SPARC platforms, Centrify OpenSSH and Centrify OpenSSL must be of Release 2018 or later. (Ref: CS-44594, CS-45441)
· Fixed a security vulnerability in installation and upgrade of the Centrify DirectControl Agent package. (Ref: CS-45617)
· Enhancements for Microsoft Azure
1. Centrify DirectControl Agent now supports Microsoft Azure Active Directory Domain Service. (Ref: CS-41785)
· Enhancements for AIX
1. Active Directory users can now run the 'chsec' command to update attributes of a local user. (Ref: CS-41449)
· Enhancements for CoreOS
1. Additional Centrify DirectControl Agent functionalities are now supported inside the CoreOS container. Please refer to KB-9565 and user documentation for details. (Ref: CS-44544)
· Enhancements for local account management
1. We now have options to instruct Centrify DirectControl Agent how strict the enforcement of local account management should be. Please see Configuration Parameters section below for details. (Ref: CS-44844)
· Enhancements for command-line tools
1. The command 'adjoin' is enhanced with the following:
§ added a new option '-d, --forceDeleteObjWithDupSpn' to delete existing object(s) with duplicate Service Principal Name (SPN). (Ref: CS-44604)
§ added a new option '-r, --useConf enctype' to respect the encryption type(s) defined in 'msDS-SupportedEncryptionTypes' in Active Directory, or in the setting 'adclient.krb5.permitted.encryption.types' in centrifydc.conf, in this order, when performing self-serve join. (Ref: CS-44645)
§ added a new option '-r, --useConf spn' to respect the Service Principal Name (SPN) defined in the setting 'adclient.krb5.service.principals' in centrifydc.conf when performing self-serve join. (Ref: CS-44700)
· New feature supported
1. A new feature 'Use My Account' is introduced in Centrify Admin Portal that allows a user to access a DirectControl-managed system using his/her currently logged-in account without entering the credentials again. This is particularly useful in a smartcard use case where the user does not even know his/her password. A few configuration steps are needed both on the target machine(s) and on the portal. Please refer to user documentation for details. (Ref: CS-45113, CS-45114)
The following parameters are added in centrifydc.conf:
- adclient.binding.dc.failover.delay: This parameter specifies the waiting time in minutes before the DirectControl Agent determines that a Domain Controller is no longer responding and needs a failover. The default is 0 meaning no waiting time. (Ref: CS-44591)
- adclient.local.account.manage.strict: This parameter turns on/off the strict enforcement mode for local account management. The default is false, meaning no strict enforcement. There are two sub-parameters, adclient.local.account.manage.strict.passwd and adclient.local.account.manage.strict.group, to further define if the enforcement applies to users and/or groups. When strict enforcement is turned on, unmanaged local user/group entries will be removed. However, switching back to no strict enforcement of local account management will not restore the unmanaged local user/group. (Ref: CS-44844)
- adclient.local.account.manage.strict.passwd: This parameter specifies whether the strict enforcement of local account management applies to user entries. The default is false. This parameter takes effect only if adclient.local.account.manage.strict is set to true. If strict enforcement is enabled for users, any unmanaged local user entries, except the entry with uid 0, will be removed from /etc/passwd, as well as from /etc/shadow if it exists, and any unmanaged users' extended attributes will be removed as well. (Ref: CS-44844)
- adclient.local.account.manage.strict.group: This parameter specifies whether the strict enforcement of local account management applies to group entries. The default is false. This parameter takes effect only if adclient.local.account.manage.strict is set to true. If strict enforcement is enabled for groups, any unmanaged local group entries, except the entry with gid 0, will be removed from /etc/group, and any unmanaged groups' extended attributes will be removed as well. (Ref: CS-44844)
- adclient.skip.inbound.trusts: This parameter controls whether the DirectControl Agent sends network queries to inbound trusts. If it is set to true, inbound trusts are not added to the domaininfomap and probing of inbound trusts is skipped. The default is false. (Ref: CS-44718)
- queueable.random.delay.interval: This parameter controls whether a randomized delay is introduced when scheduling background tasks on a DirectControl-managed machine. This prevents multiple machines from overloading the Active Directory server when a common event occurs on all of them at the same time, such as joining the same domain. The value is the maximum randomized delay in minutes; the default is '0', meaning no delay. (Ref: CS-44592)
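Because strict local account management removes entries and the notes say switching it off does not restore them, a dry run that lists what would be removed is worth having before enabling it. The following is an added illustration, not Centrify's own code, of the rules above (uid 0 and gid 0 kept, sub-parameters only effective when the master parameter is true, matching /etc/shadow lines going with their /etc/passwd entries); the passwd/group/shadow contents and the "managed" account sets are constructed samples, and how the agent itself tracks managed accounts is not shown.

```python
# Constructed sample files (no real hosts or users).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcapp:x:1001:1001:managed service account:/home/svcapp:/bin/bash
legacy:x:1002:1002:stale local user:/home/legacy:/bin/bash
"""
SAMPLE_SHADOW = """\
root:*:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
svcapp:!:17500:0:99999:7:::
legacy:!:17500:0:99999:7:::
"""
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
svcapp:x:1001:
legacy:x:1002:
oldadmins:x:1003:legacy
"""


def parse_entries(text, id_index=2):
    """Return [(name, numeric id)] for a passwd- or group-style file."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries.append((fields[0], int(fields[id_index])))
    return entries


def is_true(conf, key):
    return conf.get(key, "false").strip().lower() == "true"


def strict_removals(conf, managed_users, managed_groups,
                    passwd_text, group_text, shadow_text=None):
    """Dry run: which entries strict enforcement would remove.

    Returns (users, shadow_lines, groups). Nothing is removed unless
    adclient.local.account.manage.strict is true; each sub-parameter then
    selects users and/or groups. uid 0 and gid 0 are always kept."""
    if not is_true(conf, "adclient.local.account.manage.strict"):
        return [], [], []
    users, shadow_lines, groups = [], [], []
    if is_true(conf, "adclient.local.account.manage.strict.passwd"):
        users = [name for name, uid in parse_entries(passwd_text)
                 if uid != 0 and name not in managed_users]
        if shadow_text is not None:      # /etc/shadow follows /etc/passwd
            shadow_lines = [line for line in shadow_text.splitlines()
                            if line.split(":")[0] in users]
    if is_true(conf, "adclient.local.account.manage.strict.group"):
        groups = [name for name, gid in parse_entries(group_text)
                  if gid != 0 and name not in managed_groups]
    return users, shadow_lines, groups


def demo(conf):
    """Run the dry run over the constructed samples with a given centrifydc.conf."""
    return strict_removals(conf, managed_users={"svcapp"}, managed_groups={"svcapp"},
                           passwd_text=SAMPLE_PASSWD, group_text=SAMPLE_GROUP,
                           shadow_text=SAMPLE_SHADOW)


if __name__ == "__main__":
    conf = {"adclient.local.account.manage.strict": "true",
            "adclient.local.account.manage.strict.passwd": "true",
            "adclient.local.account.manage.strict.group": "true"}
    users, shadow, groups = demo(conf)
    print("users to remove :", users)
    print("shadow lines    :", shadow)
    print("groups to remove:", groups)
```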
There is no parameter updated in or removed from centrifydc.conf in this release.
Please refer to the manual, Configuration and Tuning Reference Guide, for details.
· A new configuration parameter, 'RloginControlSsh', is added in 'sshd_config', to indicate if the setting 'rlogin = false' for normal user in '/etc/security/user' should also disallow SSH access or not. The default is 'yes', meaning that SSH access will be denied in such case. (Ref: CS-44247)
· We have made significant performance enhancements in this release. (Ref: CS-44705)
· Centrify OpenLDAP Proxy now provides performance statistics gathering and reporting, controlled by a new configuration parameter 'ldapproxy.performance.log.interval'. This parameter sets the number of seconds between log events that dump statistics about the search cache and authentication. The summary information (hits, misses, etc.) is logged as DEBUG level events. The default is '0', meaning statistics are disabled. (Ref: CS-40012)
· A new authentication cache is added to improve the LDAP Proxy authentication performance. The validity of this new cache is controlled by a new configuration parameter, 'ldapproxy.cache.credential.expires 300', in slapd.conf. The default expiration is 300 seconds. (Ref: CS-44706)
· Report Center has been deprecated by Centrify Report Services since Release 2016 and is now no longer accessible from Access Manager. (Ref: CS-45568)
· Licensing Service and Licensing Report now support vault-based systems.
In this release, vault-based audited UNIX systems are counted as 'UNIX without license type' whereas vault-based audited Windows systems are counted as 'Windows Server'.
Note: You should use the new Licensing Service and Licensing Report if you want to use vault-based systems, or else, both UNIX and Windows vault-based audited systems may all be counted as 'UNIX without license type' and may be treated as orphan systems, as the previous versions of Licensing Service and Licensing Report do not support vault-based systems yet. (Ref: CS-45342)
· The SSH group policy 'Match Block' now supports Match block directives that have sub-directives. (Ref: CS-44660, CS-44652)
· The tool 'CopyGroupNested' now has a better logging feature. (Ref: CS-44339)
· The command-line tool 'zoneupdate' now supports event logging. (Ref: CS-44113)
· Filenames of DEB and RPM types (i.e., for Debian, RHEL, and SuSE packages) now have both version and build numbers. Filenames with just version numbers are also available as symlinks to the real files. (Ref: CS-45909)
· Fixed various errors reported by rpmlint.
1. Fixed all the manpage-not-compressed errors. (Ref: CS-43284)
2. Customers can safely ignore the rpath errors (i.e., rpath-in-buildconfig and binary-or-shlib-defines-rpath) from rpmlint, as the RPATHs are either required or safe to use. (Ref: CS-43281)
3. Customers can safely ignore the setuid-binary, setgid-binary, and non-standard-executable-perm errors from rpmlint, as these permissions are required and the corresponding RPM packages are safe to use. (Ref: CS-43280)
· When a user is removed from an AD group, the corresponding batch renewal keytab file is not removed. This is fixed by having a background task to do the clean-up. (Ref: CS-45238)
· Fixed an issue where user specified Web Proxy Server does not work properly if 'negotiate' authentication type is used and proxy user's password/machine's password is configured to be cached in an RODC. (Ref: CS-44177)
· On SLES systems, the dzdo PAM configuration is now properly set for AppArmor. That is, if the pam_apparmor.so library is not present on a SLES system, the pam_apparmor.so line will be removed from the dzdo PAM configuration files during the DirectControl Agent installation. (Ref: CS-45478)
· The command wrapper for running the "ssh" command now uses the fully qualified command path when invoked. (Ref: CS-46140)
· Fixed an issue where the command "adjoin" corrupts nsswitch.conf if passwd_compat or group_compat is enabled on Solaris 11. (Ref: CS-44843)
· Fixed the following "adquery group" issues:
1. The command fails to show a user whose sysrights are updated through a computer role assignment. (Ref: CS-46259)
2. The command may not properly expand the list of group members if the group contains multiple nested groups and some of which contain the same member group. Note: Even the command "adflush -f" cannot help in this case. (Ref: CS-46064)
· Added a new Group Policy "Enable Rlogin Control Ssh" to control the option 'RloginControlSsh' in sshd_config. (Ref: CS-45592)
· Fixed a rekeying failure with GSSAPI key exchange. (Ref: CS-46409)
· Fixed the following resource leakage issues:
1. A memory leak when the LDAP search scope is base. (Ref: CS-45744)
2. Socket and file descriptor leaks, which may appear as the error message "Failed to communicate with adclient due to broken session handle". (Ref: CS-46218)
· Fixed an issue where the principal name field incorrectly uses the user's display name instead of the logon name in the creation/update/removal of "Role assignment" audit trail events. (Ref: CS-45137)
· Licensing Report is now correctly showing the entries of CoreOS/Atomic host and containers.
When you join both CoreOS/Atomic host and containers to zones individually, each of them will be counted in the license usage. i.e. the host counts one license and each individual container also counts one license. (Ref: CS-45768)
· If the group policy "Force Sudo Re-authentication when rlogin" is enabled/disabled, group policy migration is performed and enables/disables the corresponding group policy "Sudo Rights". This behavior is not desirable in most cases. This is now fixed by controlling whether group policy migration is performed with a new registry key. By default, no policy migration is performed in a new installation. You can manually add a key "migration.enabled" (REG_DWORD type) under the key path "HKEY_LOCAL_MACHINE\Software\Centrify\GPOE\" and set the value to 1 if you prefer group policy migration to be performed when loading the Group Policy Object Editor. If the key value is set to 0, no policy migration is performed (same as the default). (Ref: CS-45247)
· When the GPO setting "Specify network login message settings" is set to be "Not configured", we now properly keep the /etc/issue.net link as it is without removing nor creating it. (Ref: CS-45279)
· Fixed an issue where Report Services do not work under Zone mode if Global Catalog (GC) is not operational. (Ref: CS-43506)
· Fixed an issue where Delegation Report and Effective Delegation Report fail to show delegation tasks for Managed Service Account (MSA) or group Managed Service Account (gMSA). (Ref: CS-44414)
· The column name 'SubGroup_NTLogoName' is changed to 'SubGroup_NTLogonName' in the Report Services DB view ReportView.ADGroupSubGroups. (Ref: CS-45584)
· Fixed an issue where the exception 'The item already exists' will be thrown during computation if there exists a role which is assigned to a local UNIX user and another local UNIX group having the same account name. (Ref: CS-45948)
· Fixed an issue where the following 7 reports show duplicate data if one role is assigned to the same account with different start and end times on the same zone, computer or computer role (Ref: CS-45957):
1) Hierarchical Zone - Computer Role Assignments Report
2) Hierarchical Zone - Computer Role Effective Assignments Report (UNIX)
3) Hierarchical Zone - Computer Role Effective Assignments Report (Windows)
4) Hierarchical Zone - Effective Rights Report
5) Hierarchical Zone - Effective Role Report
6) Hierarchical Zone - Zone Effective Assignments Report (UNIX)
7) Hierarchical Zone - Zone Effective Assignments Report (Windows)
· Added a new option named 'enctype' to the 'precreate_computer' command to specify which encryption types are permitted in the pre-created computer. (Ref: CS-45782)
· Fixed an upgrade issue resulting in EXIT CODE 26 on Solaris 11.3. (Ref: CS-45048)
· Several packaging issues, e.g. missing configuration file mark, etc., are now fixed. (Ref: CS-40755)
· AIX related fixes
1. Fixed a problem which causes login failure for some users even if they have 'login-all' role. (Ref: CS-44942)
2. Centrify DirectControl Agent crashes on AIX 7.1 with TL5 installed due to a function compatibility issue. This is fixed. (Ref: CS-44918)
· Multi-Factor Authentication (MFA)
1. MFA may use a different authentication profile at the wrong time if 'Time Range' or 'Date Range' rule setting is set to 'User Local Time'. This is fixed. (Ref: CS-44940, CS-44984)
2. MFA sometimes may not be able to locate the correct connector after Centrify DirectControl Agent restarts, resulting in failed SSH logins. This is fixed. (Ref: CS-44964)
3. MFA may not work on docker images until you touch the file /etc/centrifydc/centrifydc.conf. This is fixed. (Ref: CS-44886)
· Centrify Network Information Service (NIS) and Centrify NIS Server
1. Added systemd support in adnisd init script on SuSE, Debian, and RHEL platforms. Also fixed several wrong log messages related to niswatch. (Ref: CS-44860)
· Centrify for DB2
1. Centrify for DB2 does not function correctly if the corresponding Active Directory object has no UNIX name. This is fixed. (Ref: CS-45567)
· Command-line tools
1. The command 'adcheck' does not honor the 'dns.servers' setting in centrifydc.conf when performing DNS check (DNSPROBE). This is fixed. (Ref: CS-45018)
2. The command 'adjoin' now always uses the Domain Controller specified with '-s, --server'. (Ref: CS-44293)
3. Fixed a bug that the command 'adjoin' fails to add a computer to the associated group of a computer role, if the computer was already pre-created in zone. (Ref: CS-45294)
4. The command 'dzdo -l' wrongly returns exit code '1' in Release 2017.3. This is fixed. (Ref: CS-45590)
5. The command 'id' showed duplicate groups for the specified user when the group had more than one profile in the zone hierarchy. This is fixed. (Ref: CS-44799)
· Audit trail support in Centrify OpenSSH can now coexist with other audit mechanisms that come with the operating system. (Ref: CS-44605)
· The performance of 'sftp' and 'scp' is now improved by utilizing the hardware acceleration in Solaris 11.2 or above with SPARC T4 or newer CPU. For details, please refer to the corresponding Centrify Knowledge Base article. (Ref: CS-40402)
· Rescue mode now also covers Centrify OpenSSH used for Single-Sign-On login with Multi-Factor Authentication (SSOMFA). If Centrify OpenSSH can communicate with Centrify DirectControl Agent but the agent cannot connect to Centrify Identity Platform because of a configuration or network problem, the login falls into rescue mode: if the user being authenticated has the 'Rescue Rights' role assigned, login is allowed; otherwise login is denied immediately. Because rescue rights permit a login that MFA could not verify, assign them only to designated break-glass accounts. Note that the 'Rescue Rights' role setting is now supported in both Centrify Auditing and Monitoring Service and Multi-Factor Authentication (MFA) for GUI and Centrify OpenSSH login, but not for MFA used in 'dzdo execute' commands. (Ref: CS-44626)
· The ldapsearch does not work using nisNetgroupTriple as filter while setting objectClass to nisNetGroup. This is fixed. (Ref: CS-44857)
· The Setup wizard option 'Generate Centrify recommended deployment structure' does not grant correct rights on the license container when generating deployment structure, and hence fails to generate structure under 'OU' with a name containing a slash. This is now fixed. (Ref: CS-44823)
· Access Manager now handles Domain Controller replication conflicts better. (Ref: CS-43394)
· The Centrify API for Windows Reference, centrify-win-api-ref.chm, and the Centrify API for Windows Programmer's Guide, Centrify-win-progguide.pdf, are updated to show the usage of custom attributes in role definition, role assignment and computer role definition. (Ref: CS-43856)
· The Group Policy 'Enforce Screen Locking' does not work on Ubuntu platforms. This is fixed. (Ref: CS-44985)
· We have made more performance improvements in Report Services. (Ref: CS-44895, CS-44372)
· Zone Provisioning Agent may search from a wrong domain when resolving primary group member. This is fixed. (Ref: CS-45139)
· In classic zones, 'get_zone_user_field gecos' incorrectly returns the user's 'description' attribute which is different from the result of 'getent passwd'. This is fixed. (Ref: CS-44757)
The following sections describe common known issues or limitations associated with this Centrify Infrastructure Services release.
For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to Knowledge Base articles for any known issues with the release.
· Known issues with Multi-Factor Authentication (MFA)
If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" names a group that does not exist, MFA will be required for all AD users. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)
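A pre-flight check for this issue, added here as an example and not part of Centrify's tooling: it reads adclient.legacyzone.mfa.required.groups from a centrifydc.conf-style file and reports any listed group that does not resolve, so the list can be fixed before MFA silently applies to everyone. It assumes the "key: value" line format of centrifydc.conf, a comma-separated group list in which the last definition of the key wins, and that a group exists when `getent group NAME` succeeds (on a joined host NSS returns AD groups through adclient). The KNOWN_GROUPS variable and the sample configuration are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not Centrify's own code): report groups named in
# adclient.legacyzone.mfa.required.groups that do not resolve, since a
# non-existent group in that list makes MFA apply to every AD user.
# Assumptions: centrifydc.conf uses "key: value" (or "key = value") lines,
# the list is comma-separated, and the last definition of a key wins.

# Print the configured group names, one per line, from the file in $1.
mfa_required_groups() {
    sed -n 's/^[[:space:]]*adclient\.legacyzone\.mfa\.required\.groups[[:space:]]*[:=][[:space:]]*//p' "$1" \
        | tail -n 1 | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# Resolver: exit 0 when the group exists. When KNOWN_GROUPS (newline-
# separated) is set, that list is used so the check runs offline; otherwise
# NSS is asked via getent, which on a joined host also returns AD groups.
group_exists() {
    if [ -n "${KNOWN_GROUPS:-}" ]; then
        printf '%s\n' "$KNOWN_GROUPS" | grep -Fxq -- "$1"
    else
        getent group "$1" >/dev/null 2>&1
    fi
}

# Print "MISSING: <group>" for each unresolved group; exit 1 if any was found.
check_mfa_groups() {
    missing=0
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        group_exists "$g" || { echo "MISSING: $g"; missing=$((missing + 1)); }
    done <<EOF
$(mfa_required_groups "$1")
EOF
    [ "$missing" -eq 0 ]
}

# Constructed sample: one group that resolves and one typo that does not.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# excerpt in centrifydc.conf style (constructed)
adclient.legacyzone.mfa.required.groups: Linux MFA Users, linux-mfa-usres
EOF
KNOWN_GROUPS='Linux MFA Users
unix-admins'
check_mfa_groups "$conf" || echo "fix the list before enabling MFA"   # prints MISSING: linux-mfa-usres
rm -f "$conf"
```

Run it against the real file by unsetting KNOWN_GROUPS and calling `check_mfa_groups /etc/centrifydc/centrifydc.conf` on the joined host; a non-zero exit means at least one listed group did not resolve through NSS.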
· Known issues with AIX
On AIX, upgrading the DirectControl agent from version 5.0.2 or older in disconnected mode may cause unexpected behavior; the centrifydc service may be down after the upgrade. Do not upgrade the DirectControl agent in disconnected mode. (Ref: CS-30494a)
Some versions of AIX cannot handle user names longer than eight characters. As a preventive measure, the adcheck command now includes a test that checks whether the parameter LOGIN_NAME_MAX is set to 9 (the value counts the terminating null, so the effective limit is eight characters). If so, adcheck shows a warning so that users are aware of the limit. (Ref: CS-30789a)
· Known issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)
There are several potential issues on Fedora 19 and above:
1) The adcheck command will fail if the machine does not have Perl installed.
2) Group Policy will not be fully functional unless Text/ParseWords.pm is installed.
· Known issues with RedHat
When logging in to a Red Hat system with an Active Directory user that has the same name as a local user, the system does not warn about the conflict, which results in unpredictable login behavior. The workaround is to remove the conflict or log in with a different AD user. (Ref: CS-28940a, CS-28941a)
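Two of the known issues above, an AD user whose name collides with a local account, and, from the AIX note, user names longer than the platform's LOGIN_NAME_MAX, can be caught before users run into them. The script below is an added example and not Centrify tooling: it takes local accounts from a passwd-format file and AD user names one per line (the assumption is that a list such as the output of `adquery user` on a joined host is fed in; a constructed sample is embedded here so it runs offline).

```shell
#!/bin/sh
# Added example (not Centrify's own code): pre-flight checks for two known
# issues, an AD user whose name collides with a local account, and names
# longer than the platform's LOGIN_NAME_MAX (eight characters on some AIX
# levels). Assumptions: local accounts are read from a passwd-format file and
# AD user names arrive one per line (e.g. from `adquery user` on a joined host).

# Usage: name_conflicts PASSWD_FILE AD_NAMES_FILE
# Prints each AD name that also exists locally; exits 0 only if there are none.
name_conflicts() {
    local_names=$(mktemp)
    cut -d: -f1 "$1" | sort -u > "$local_names"
    if sort -u "$2" | grep -Fxf "$local_names"; then
        status=1   # at least one collision printed
    else
        status=0   # no AD name matches a local account
    fi
    rm -f "$local_names"
    return "$status"
}

# Usage: long_names MAX < names
# Prints names whose length exceeds MAX. LOGIN_NAME_MAX counts the terminating
# null, so pass LOGIN_NAME_MAX - 1 (8 when adcheck reports the value 9).
long_names() {
    awk -v max="$1" 'length($0) > max'
}

# Constructed sample data (not from any real system).
passwd_sample=$(mktemp); ad_sample=$(mktemp)
cat > "$passwd_sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
jsmith:x:1001:1001:Local Jane:/home/jsmith:/bin/bash
EOF
printf '%s\n' jsmith alongusername dkim > "$ad_sample"

name_conflicts "$passwd_sample" "$ad_sample" \
    || echo "rename or remove the local account(s) above"   # prints: jsmith
long_names 8 < "$ad_sample"                                 # prints: alongusername
rm -f "$passwd_sample" "$ad_sample"
```

On a real host, point name_conflicts at /etc/passwd and at a file holding the zone's user names, and run long_names with the limit adcheck reported minus one.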
· Known issues with rsh / rlogin (Ref: IN-90001)
- When using rsh or rlogin to access a computer that has DirectControl agent installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.
· Known issues with compatibility
Using DirectControl 4.x agents with Access Manager 5.x (Ref: IN-90001)
- DirectControl 4.x agents can join classic zones created by Access Manager 5.x. A DirectControl 4.x agent may appear to join a hierarchical zone as well, but this causes failures later because that behavior is undefined.
Default zone not used in DirectControl 5.x (Ref: IN-90001)
- In DirectControl 4.x, and earlier, there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.
- This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.
- A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly used.
· Release 18.8 includes an update to Coolkey to support Giesecke & Devrient 144k, Gemalto DLGX4-A 144, and HID Crescendo 144K FIPS cards. However, this update has introduced known issues that may cause CAC cards to work only sporadically. A workaround for CAC cards is to wait, without removing the card, for the PIN and Welcome prompts, and then try again. (Ref: CC-58013)
· There is a desktop selection issue with smart card login on RHEL 7. When logging in with a smart card on a system with both GNOME and KDE desktops installed, the user can only log in to the GNOME desktop even when the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)
· On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smart card is inserted at the login screen, the PIN prompt may not appear until you press the "Enter" key. The workaround is to replace libsoftokn3.so (a shared object in the NSS package) with the version from RHEL 5.9. (Ref: CS-35038a)
· On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after login with a smart card. The workaround is to replace libsoftokn3.so (a shared object in the NSS package) with the version from RHEL 5.9. (Ref: CS-33871a)
· When a SmartCard user attempts to login on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)
· On Red Hat, any smart card user gets a PIN prompt even if the user is not zoned, although the login attempt will ultimately fail. This differs from Mac behavior: on a Mac, if a smart card user is not zoned, the user is not prompted for a PIN at all. (Ref: CS-33175c)
· If a smart card user's Active Directory password expires while the system is in disconnected mode, the user may still be able to log in to the machine using the expired password. This is not a usual case, because secure smart card AD environments usually do not allow both PIN and password logins while a smart card is in use. (Ref: CS-28926a)
· To log in successfully in disconnected mode (Ref: CS-29111a):
1. For a password user:
§ A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior)
2. For a SmartCard user:
§ The above is not true of SmartCard login. Given a properly configured RedHat system with valid certificate trust chain and CRL set up, a SmartCard user may successfully login using disconnected mode even without prior successful logins in connected mode.
§ If certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.
§ If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.
· After upgrading from DirectControl version 5.0.4 to version 5.1, a smart card user may not be able to log in successfully. The workaround is to run the following CLI commands:
sudo rm /etc/pam_pkcs11/cacerts/*
sudo rm /etc/pam_pkcs11/crls/*
sudo rm /var/centrify/net/certs/*
then run adgpupdate. (Ref: CS-30025c)
· When CRL check is set via Group Policy and attempting to authenticate via Smartcard, authentication may fail. The workaround is to wait until the Group Policy Update interval has occurred and try again or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)
· After upgrading from DirectControl agent Version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to perform the following CLI command sequence:
sudo rm /etc/pam_pkcs11/cacerts/*
sudo rm /etc/pam_pkcs11/crls/*
sudo rm /var/centrify/net/certs/*
and then re-login using the SmartCard and PIN. (Ref: CS-30353c)
· A name-mapping user can unlock the screen with a password even though the previous login was with a PIN. (Ref: CS-31364b)
· On Red Hat, the PIN must be entered twice to log in with a CAC card: the first attempt fails and the second succeeds. (Ref: CS-30551c)
· Running 'sctool -D' as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)
· Screen saver shows password not PIN prompt (Ref: CS-31559a)
Most smart card users can log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this set up works seamlessly: the user either enters a user name and password at the log on prompt, or inserts a smart card and enters a PIN at the prompt.
However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached.
On RHEL 7, an Active Directory user authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not happen on RHEL 6. (Ref: CSSSUP-6914c)
· The SQL Server Availability Group feature in SQL Server 2012 is not supported. (Ref: CS-39674a)
In addition to the documentation provided with this package and on the web, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.
The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:
You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this software, send email to firstname.lastname@example.org or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to email@example.com.