Centrify Identity Broker Service and Centrify Privilege Elevation Service 5.4.3 (2017.3) Release Notes
© 2004-2017 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
Centrify Identity Broker Service and Centrify Privilege Elevation Service (part of Centrify Infrastructure Services) centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Infrastructure Services, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. Centrify Identity Broker Service, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on Legacy systems, separate identity from access management and delegate administration. Centrify’s non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.
An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available online.
The Centrify Infrastructure Services related release notes and documents are available online at http://docs.centrify.com.
Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)
For a list of the supported platforms by this release, refer to the “Supported Platforms” section in the Centrify Infrastructure Services release notes.
For a list of platforms that Centrify will remove support in upcoming releases, refer to the “Notice of Termination Support” section in the Centrify Infrastructure Services release notes.
For a complete list of platforms in all currently supported DirectControl Agent releases, refer to the “Centrify Infrastructure Services” section in the document available from www.centrify.com/platforms.
· Open Source component upgrade
o Centrify curl is upgraded based on stock cURL 7.55.1. (Ref: CS-43826, CS-43327, CS-43822, CS-43823, CS-43824)
§ This includes several security fixes, e.g. CVE-2017-9502, CVE-2017-1000099, CVE-2017-1000100, and CVE-2017-1000101. Please refer to https://curl.haxx.se/changes.html for details.
· On Solaris SPARC, Linux PPC (not PPC64le), or zLinux (S390) platforms, if you want to upgrade from Suite 2017.1 or older, you must upgrade all installed packages to Release 2017.3 or later. (Ref: CS-44458, CS-44597, CS-44749, CS-44753, CS-45063)
· This release of Centrify DirectControl Agent for *NIX will work with the latest released Centrify for DB2, Centrify for Samba and Centrify for SAP Netweaver ABAP SSO.
· Fixed a security vulnerability in the command line utility "ksu". (Ref: CS-44567)
· Centrify DirectControl Agent packages can now be installed on CoreOS. Note the following differences on that platform:
o Centrify packages on CoreOS are installed in a different location: /opt/ instead of /usr/share/.
o CoreOS has its own installation tarball, as there is no package manager.
o CoreOS does not support the Centrify Express edition.
For details of this new feature, please refer to the user documentation. (Ref: CS-42928, CS-43287, CS-44082, CS-44205, CS-44515)
· DirectControl Agent for *NIX now supports Web Proxy Authentication for MFA. It also allows users to specify which Web Proxy Server MFA authentication should go through. A new CLI, adwebproxyconf, is also added to help configure this feature. For details of this new feature, please refer to the user documentation. (Ref: CS-41754)
· dzdo now supports Role-based Access Control (RBAC) in SELinux. Two new fields, 'selinux_role' and 'selinux_type', let users specify the default role and type used for the SELinux context when a privileged command is executed. These settings can be overridden by the '-r' and '-t' command-line options respectively. Note that the settings are currently supported only on RHEL and take effect only on machines with SELinux enabled and joined to a hierarchical zone. Access Manager console, Access Module for PowerShell, adedit, and Sudoers Import have also been enhanced to support these settings. (Ref: CS-43255, CS-43788, CS-43794, CS-43820)
· The adkeytab command has a new optional parameter, -y, --set-acct-enctype, for the --new / --adopt commands, to restrict the encryption types to those specified in the account's "msDS-SupportedEncryptionTypes" attribute. If set, adkeytab respects the encryption types defined in this attribute when it adds a new Service Principal Name (SPN) or changes the account password. (Ref: CS-44314)
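The adkeytab option above only helps if the keytab and the account's msDS-SupportedEncryptionTypes agree. The following is an added example, not Centrify code, that decodes the attribute's bit values (as Microsoft defines them for that attribute) and compares them with the encryption types listed in a keytab, so that entries the KDC will never select, or advertised types the keytab cannot serve, show up before a service stops accepting tickets. The klist output is a constructed sample in MIT "klist -ke" format.

```python
# Added example (not Centrify code): decode an account's
# msDS-SupportedEncryptionTypes value and compare it with the encryption
# types found in a keytab, to see which keytab entries the KDC will use.
# Bit values are those Microsoft defines for the attribute (MS-KILE).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "arcfour-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}


def decode_enctypes(value):
    """Return the set of enctype names whose bits are set in the attribute value."""
    return {name for bit, name in ENCTYPE_BITS.items() if value & bit}


def parse_klist_ke(text):
    """Collect enctype names from MIT 'klist -ke' output, where each keytab
    entry line ends with the enctype in parentheses."""
    found = set()
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(")") and "(" in line:
            found.add(line[line.rfind("(") + 1:-1])
    return found


def check_keytab_against_account(attr_value, keytab_enctypes):
    """Compare the keytab's enctypes with what the account advertises.
    usable: in both; dead: in the keytab but not advertised (never selected);
    missing: advertised but absent from the keytab (a ticket issued with that
    type cannot be decrypted by the service); weak: advertised DES/RC4 types."""
    advertised = decode_enctypes(attr_value)
    kt = set(keytab_enctypes)
    return {
        "usable": sorted(advertised & kt),
        "dead": sorted(kt - advertised),
        "missing": sorted(advertised - kt),
        "weak": sorted(advertised & WEAK_ENCTYPES),
    }


# Constructed sample 'klist -ke' output; not real keytab contents.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/web01.example.com@EXAMPLE.COM (arcfour-hmac)
"""

if __name__ == "__main__":
    # Account advertises AES128 + AES256 only (0x08 | 0x10 = 0x18).
    print(check_keytab_against_account(0x18, parse_klist_ke(SAMPLE_KLIST)))
```

Read the attribute with whatever LDAP client you use (it is a plain integer) and feed it as attr_value; a non-empty "dead" list means keys that are wasted, and a non-empty "weak" list means RC4 or DES is still being offered for that account.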
· A new command-line option "-T, --command-timeout" is added for dzdo command to specify the command timeout in seconds. The command will be terminated if the specified timeout expires. This setting works only if the parameter 'dzdo.user.command.timeout' is enabled in centrifydc.conf. (Ref: CS-43859)
· Audit trail events have been enhanced: (Ref: CS-43683, CS-43840, CS-43919, CS-44654)
o Login and dzdo privilege elevation events now show whether MFA is required or not. Note: This new field is always set to "N/A" on MacOS.
o MFA now shows only one summarized event per Centrify Identity Platform MFA transaction regardless of how many MFA challenges have been executed.
o DirectAudit session ID is now available in MFA challenge events.
o Note: the new versions of the dzdo and PAM authentication audit trail events introduced in Release 2017.3 cannot be reported by older versions of DirectAudit Audit Manager or PowerShell cmdlets. Please upgrade the DirectAudit backend components (Audit Manager, collector, and databases) to Release 2017.3 or later. If you cannot upgrade the DirectAudit backend components, please contact Centrify Technical Support for information about patching the DirectAudit databases to support these new audit trail events.
· Centrify curl command now supports SPNEGO authentication. (Ref: CS-43894)
· The Login and Privilege Elevation profiles in previous "Settings>Authentication>Server and Workstation" tab in the Centrify Admin Portal are now regrouped under "Core Services>Login Policies" and "Core Services>Privilege Elevation Policies". Please note that not all the options are valid for MFA Login or Privilege Elevation. Here is the highlight (Ref: CS-43898):
o If you have previously created custom profiles in the Admin Portal, the new Admin Portal UI will provide an auto generated policies set "Infrastructure Policy (Auto generated)".
o However, some of the new options are supported only by 2017.3 agents, or 2017.2 agents (November 2017 update). For example, irrespective of the "Windows Workstation" setting, older agents will still use the "Unix and Windows Servers" policy even though the machine is a Workstation. Also, older agents do not support new options, such as "Device OS" and "Identity Cookie" in the authentication profiles for Login or Privilege Elevation.
The following parameters are added in centrifydc.conf:
- adclient.tcp.connect.timeout: This parameter specifies the timeout of all TCP port probing used in the DirectControl Agent. The default is 10 seconds. (Ref: CS-43841)
- adclient.user.name.max.exceed.disallow: This parameter specifies whether a UNIX user name may exceed the system-defined maximum login name length. The default is false, which means longer names are allowed. Note this parameter only applies to hierarchical zones. (Ref: CS-42714)
- dzdo.user.command.timeout: This parameter allows a user to specify dzdo command execution timeout, with the new "-T, --command-timeout" option. The default is false. (Ref: CS-43859)
Please refer to the Configuration and Tuning Reference Guide for details.
· OpenLDAP Proxy now supports anonymous query for rootDSE. (Ref: CS-43986, CS-27196)
· OpenLDAP Proxy also adds the support to the filter "(&(objectClass=posixGroup)(memberUid=*))". (Ref: CS-44421)
· Report Services now supports a Delegation Report and an Effective Delegation Report, which show who can do what as defined in Centrify Access Manager. Note that the service account needs additional permission to read ACEs for these reports. (Ref: CS-44055, CS-43685, CS-44103)
· The performance of "Right Summary Report" is further optimized by leveraging some newly added views. Here are the corresponding new views, EffectiveAuthorizedUserPrivilegesSummary, EffectiveAuthorizedUserPrivilegesSummary_Classic, EffectiveAuthorizedUserPrivilegesSummary_Hierarchical, and EffectiveLocalUserPrivilegesSummary. (Ref: CS-43482, CS-43477)
· The Microsoft SQL Server 2012 SP3 – Express is now bundled in Centrify Report Services package. This version of SQL server supports TLS 1.2. Thus, the size of the installer ISO has increased by ~1 GB. (Ref: CS-43572)
· Added support in console and sudoers import for SELinux Role-based Access Control (RBAC). Users can now set SELinux role and type by using the SELinux Setting button in Access Manager> Property page of the Command Right object> Attributes tab, or using the ROLE and TYPE fields in Import Sudoers file. These settings are supported only on RHEL and effective only on machines with SELinux enabled and joined to a hierarchical zone. (Ref: CS-43788, CS-43820)
· Added support for SELinux RBAC. Users can now set SELinux role and type using SELinuxRole and SELinuxType with New-CdmCommandRight and Set-CdmCommandRight cmdlets. Note such settings are supported only on RHEL and effective only on machines with SELinux enabled and joined to a hierarchical zone. (Ref: CS-43794)
· Added a new switch "-nonisserversgroup" to adedit command "create_zone" to allow users to create a hierarchical/classic zone without generating the corresponding zone_nis_servers group. (Ref: CS-43111)
· The adedit commands, "set_dzc_field" and "get_dzc_field", are enhanced to support the new fields, selinux_role and selinux_type, for SELinux RBAC. (Ref: CS-43255)
· The registry option SkipOfflineDomain was used to skip only the "server not operational" error in order to continue provisioning. Now it will skip other errors as well. (Ref: CS-43243)
· Logging in CopyGroup tool is improved in this release. (Ref: CS-44321)
· Open Source component upgrade
o Centrify PuTTY 5.4.2 is upgraded based on stock PuTTY 0.69. (Ref: CS-42664, CS-42839)
§ This includes security fixes for CVE-2016-6167 and CVE-2017-6542.
o Centrify libcurl is upgraded based on stock cURL 7.54.0. (Ref: CS-42841, CS-42945)
§ This includes security fixes for CVE-2017-7407 and CVE-2017-7468.
o Centrify dzdo is upgraded based on stock sudo 1.8.20p2. (Ref: CS-43244)
§ This includes security fixes for CVE-2017-1000367.
· Product packaging changes
o Starting with this release (2017.2), Centrify Server Suite is renamed and is now a part of Centrify Infrastructure Services. It offers the following services:
§ Centrify Identity Broker Service
§ Centrify Privilege Elevation Service
§ Centrify Auditing & Monitoring Service.
The DirectControl Agent provides services for the Identity Broker Service and Privilege Elevation Service contained in the CentrifyDC packages. The DirectAudit Agent provides services for Auditing & Monitoring Service contained in the CentrifyDA packages.
o Due to the product name change described above, install.sh now uses the new product component names. Please check your scripts if you parse its outputs. (Ref: CS-43410, CS-43713)
o As all user documents are now posted on the internet, http://docs.centrify.com , user documents are excluded from software bundles. You may download or search for the latest user documents on the internet instead. (Ref: CS-42848)
o Starting with this release, we only support 64-bit architecture on the following platforms. Please note the corresponding packaging changes:
§ Solaris Sparc, Debian, RHEL, and SUSE platforms - The Centrify DirectControl package set and its add-on packages (nis and ldapproxy) are changed to 64-bit. The package still provides PAM and NSS 32-bit libraries to work with 32-bit programs. (Ref: CS-42816, CS-43158, CS-43306)
§ Linux PowerPC platforms - The names of Centrify DirectControl and its add-on packages (nis and ldapproxy) are changed, from *-ppc.rpm to *-ppc64.rpm, as we now support only 64-bit OS on all Linux PowerPC platforms. The package still provides PAM and NSS 32-bit libraries to work with 32-bit programs. (Ref: CS-43228)
· This release of Centrify DirectControl Agent for *NIX will work with the latest released Centrify for DB2, Centrify for Samba and Centrify for SAP Netweaver ABAP SSO. However, it does not work with any Centrify DirectSecure Agent for *NIX prior to release 2017.2. (Ref: CS-42573, CS-43528, CS-43932)
· The security of the local inter-process communication protocol (LRPC2) has been enhanced by adding a signature to all messages (message signing). This enhancement is controlled by a new configuration parameter "lrpc2.message.signing". Please see Configuration Parameter section below for details. (Ref: CS-42573)
· A new capability is added in certgp.pl to allow users to explicitly include/exclude some certificates. This feature is controlled by two new configuration parameters, gp.mappers.certgp.pl.additional.cafiles, and gp.mappers.certgp.pl.exclude.cacerts. (Ref: CS-43132)
The following parameters are added in centrifydc.conf:
- aix.cache.extended.attr.enable: This parameter specifies whether to enable caching of the default values of AIX extended attributes or not. The default is false. (Ref: CS-43082)
- gp.mappers.certgp.pl.additional.cafiles: This parameter defines a list of certificate(s) to be included in certgp.pl. It can be a list of certificate file(s), e.g. "newcert.der", or a file which contains the list of certificate file(s), e.g. "file:/etc/centrifydc/certfile_included.list", to be included. The default is empty. (Ref: CS-42988)
- gp.mappers.certgp.pl.exclude.cacerts: This parameter defines certificate(s) to be excluded in certgp.pl. It can be one or more fingerprint(s) of certificate(s), e.g. "F3D79384E55767A9681D0104FFF22C8980EAD06E", or a file which contains the list of fingerprint(s) of certificate(s), e.g. "file:/etc/centrifydc/fingerprint_excluded.list", to be excluded. The default is empty. (Ref: CS-42988)
- krb5.sso.ignore.k5login: This parameter specifies whether adclient k5login module should ignore .k5login for SSO. The default is false. (Ref: CS-42140)
- krb5.unique.cache.files: This parameter specifies whether a unique Kerberos ticket cache file is used for each login even from the same user. If this parameter is set to true, each Kerberos authentication will generate a different ticket cache file for a given user. If it is set to false, it may leave the second login instance without credential cache because the only cache file may have been cleaned up by the first logout. The default on Mac OS is set to false; otherwise it is set to true. (Ref: CS-42971)
- lam.attributes.group.ignore: This parameter points to a file which contains a list of AIX group attributes that the LAM module should ignore and let AIX provide the default value or return ENOATTR. The default is "file:/etc/centrifydc/attributes.group.ignore". (Ref: CS-43082)
- lam.attributes.user.ignore: This parameter points to a file which contains a list of AIX user attributes that the LAM module should ignore and let AIX provide the default value or return ENOATTR. The default is "file:/etc/centrifydc/attributes.user.ignore". (Ref: CS-43082)
- lrpc2.message.signing: This parameter defines the LRPC2 message signing behavior. The value can be "disabled" – do not do LRPC2 message signing, "allowed" – do LRPC2 message signing if the peer allows or requires it, and "required" – must do LRPC2 message signing. The default is disabled. (Ref: CS-42573)
Please note that after you have upgraded to the 2017.2 version, if you set this parameter to "required", you will need to re-start the system.
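The practical question with lrpc2.message.signing is what happens when the two ends of a local connection are configured differently: "allowed" only yields signed messages when the peer also allows or requires signing, so a peer left at the default "disabled" silently downgrades the connection, and only "required" refuses to talk to an unsigned peer. The following is an added example, not Centrify code, that models that negotiation from the parameter description above and shows what a signed message buys you. The signing primitive (HMAC-SHA256 over the payload with a shared key) and the frame layout are this example's assumptions; the page does not describe the real LRPC2 signature format.

```python
# Added example (not Centrify code): model how the three
# lrpc2.message.signing values interact between two local peers, and what
# a signed message buys you. HMAC-SHA256 with a shared key is this example's
# assumption, not the real LRPC2 mechanism.
import hashlib
import hmac

MODES = ("disabled", "allowed", "required")


def negotiate(local, peer):
    """Return True if messages will be signed, False if they stay plain, or
    raise ConnectionError when the two settings cannot agree.
    'required' on either side forces signing; 'allowed' signs only when the
    peer allows or requires it; 'disabled' never signs."""
    for mode in (local, peer):
        if mode not in MODES:
            raise ValueError("unknown lrpc2.message.signing value: %r" % (mode,))
    if "required" in (local, peer):
        if "disabled" in (local, peer):
            raise ConnectionError("signing required by one side, disabled by the other")
        return True
    return local == "allowed" and peer == "allowed"


def outcome_table():
    """All nine combinations, to see where 'allowed' silently drops signing."""
    table = {}
    for local in MODES:
        for peer in MODES:
            try:
                table[(local, peer)] = "signed" if negotiate(local, peer) else "plain"
            except ConnectionError:
                table[(local, peer)] = "fail"
    return table


class Channel:
    """One endpoint of a simplified LRPC2-style message channel."""

    TAG_LEN = hashlib.sha256().digest_size

    def __init__(self, key, signed):
        self.key = key          # shared key (constructed for the example)
        self.signed = signed    # result of negotiate()

    def send(self, payload):
        if not self.signed:
            return b"\x00" + payload
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b"\x01" + tag + payload

    def receive(self, frame):
        flag, body = frame[0], frame[1:]
        if flag == 0:
            if self.signed:
                raise ConnectionError("unsigned message on a signed channel")
            return body
        tag, payload = body[:self.TAG_LEN], body[self.TAG_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ConnectionError("bad message signature")
        return payload


if __name__ == "__main__":
    for pair, result in sorted(outcome_table().items()):
        print("%-9s <-> %-9s : %s" % (pair[0], pair[1], result))
    ch = Channel(b"shared-secret (constructed)", negotiate("required", "allowed"))
    frame = ch.send(b"elevate:/usr/bin/id")
    tampered = frame[:-2] + b"sh"          # rewrite the payload in transit
    try:
        ch.receive(tampered)
    except ConnectionError as e:
        print("tampered frame rejected:", e)
```

The table makes the rollout order explicit: move every component to "allowed" first, confirm connections are being signed, and only then switch to "required" (which, per the note above, needs a system restart after upgrading to 2017.2).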
The following parameters are updated in centrifydc.conf:
- mac.protected.keychain.lock.inactivity: This configuration parameter locks the protected keychain when the Mac is idle for the specified number of minutes. Once enabled, this parameter takes effect at the next user login. Note: This parameter only works if "mac.protected.keychain.enable" is set to true. Leaving this unset will leave the corresponding keychain setting unchanged. The default is unset. (Ref: CC-46979)
- mac.protected.keychain.lock.when.sleeping: This configuration parameter locks the protected keychain when the Mac sleeps. Once enabled, this parameter takes effect at the next user login. Note: This parameter only works if "mac.protected.keychain.enable" is set to true. Leaving this unset will leave the corresponding keychain setting unchanged. The default is unset. (Ref: CC-46979)
The following parameters are removed from centrifydc.conf:
- logger.facility.adclient.audit: This parameter has been deprecated by logger.facility.adclient and is now removed. (Ref: CS-43032)
Please refer to the manual, Configuration and Tuning Reference Guide, for details.
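The gp.mappers.certgp.pl.exclude.cacerts parameter above identifies certificates by fingerprint, and the value in its example (40 hexadecimal digits) is a SHA-1 digest over the certificate's DER encoding, the usual meaning of that format. The following is an added example, not Centrify code, that computes fingerprints in that form from DER or PEM input, normalizes the colon-separated output of "openssl x509 -fingerprint" to the same form, and builds the contents of a fingerprint list file for the "file:" form of the parameter. One fingerprint per line in that file is an assumption; the certificate bytes used are a constructed placeholder, not a real certificate.

```python
# Added example (not Centrify code): compute certificate fingerprints in the
# form the gp.mappers.certgp.pl.exclude.cacerts example uses and build the
# contents of a fingerprint list file. Assumptions: the 40-hex-digit value is
# SHA-1 over the DER encoding, and the list file holds one fingerprint per line.
import base64
import hashlib
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_blobs(data):
    """Yield DER certificate bytes from raw DER input or from a PEM bundle."""
    pems = PEM_CERT.findall(data)
    if pems:
        for body in pems:
            yield base64.b64decode(b"".join(body.split()))
    else:
        yield data


def fingerprint(der):
    """SHA-1 over the DER bytes, upper-case hex, no separators."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_fingerprint(text):
    """Accept 'openssl x509 -fingerprint' style output (colon-separated,
    possibly with a 'SHA1 Fingerprint=' prefix) and return the bare form."""
    value = text.split("=", 1)[-1]
    return value.replace(":", "").strip().upper()


def exclude_list(cert_files):
    """Return the text of a fingerprint list file for the given certificates."""
    lines = [fingerprint(der) for data in cert_files for der in der_blobs(data)]
    return "\n".join(lines) + "\n"


def pem_wrap(der):
    """Wrap DER bytes as a PEM certificate block (64-character lines)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# Constructed placeholder bytes standing in for a DER certificate; not a
# real certificate, but the fingerprint computation is identical.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))

if __name__ == "__main__":
    # Same certificate supplied twice, once as DER and once as PEM, gives the
    # same fingerprint on both lines.
    print(exclude_list([SAMPLE_DER, pem_wrap(SAMPLE_DER)]), end="")
```

To build a real list, read each CA file in binary mode and pass the contents to exclude_list, then point gp.mappers.certgp.pl.exclude.cacerts at the resulting file with the "file:" prefix shown above.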
· A new configuration parameter, ldapproxy.cdctranslate.fetchbydnuid, is added in slapd.conf. This parameter controls if a search query for generic Active Directory user/group objects should be translated automatically into a search query for zone user/group instead. The default is false. (Ref: CS-42084)
The translation will take effect if this parameter is set to true, and the following 3 conditions are met in the search request:
1) Search base: the first part of dn is "uid=<unixname>",
2) Search scope: base (0)
3) Search filter: (objectClass=*)
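The three conditions above as a predicate, so you can tell which client queries a proxy with ldapproxy.cdctranslate.fetchbydnuid set to true will rewrite. This is an added example, not Centrify code; it assumes attribute names and the filter compare case-insensitively, as LDAP does, and it ignores escaped commas inside DN values.

```python
# Added example (not Centrify code): the three translation conditions for
# ldapproxy.cdctranslate.fetchbydnuid as a predicate over a search request.
SCOPES = {"base": 0, "one": 1, "sub": 2}


def unix_name(base_dn):
    """Return <unixname> when the first RDN of base_dn is uid=<unixname>,
    otherwise None."""
    first = base_dn.split(",", 1)[0].strip()
    attr, sep, value = first.partition("=")
    if not sep or attr.strip().lower() != "uid" or not value.strip():
        return None
    return value.strip()


def translates_to_zone_lookup(base_dn, scope, search_filter):
    """True when the request meets all three conditions: base DN starts with
    uid=<unixname>, scope is base (0), filter is (objectClass=*)."""
    if isinstance(scope, str):
        scope = SCOPES.get(scope.lower(), -1)
    filt = "".join(search_filter.split()).lower()
    return unix_name(base_dn) is not None and scope == 0 and filt == "(objectclass=*)"


if __name__ == "__main__":
    # The first request below is what this command sends:
    #   ldapsearch -x -b "uid=jdoe,ou=People,dc=example,dc=com" -s base "(objectClass=*)"
    requests = [
        ("uid=jdoe,ou=People,dc=example,dc=com", "base", "(objectClass=*)"),
        ("uid=jdoe,ou=People,dc=example,dc=com", "sub", "(objectClass=*)"),
        ("cn=jdoe,ou=People,dc=example,dc=com", "base", "(objectClass=*)"),
        ("uid=jdoe,ou=People,dc=example,dc=com", "base", "(uid=jdoe)"),
    ]
    for base, scope, filt in requests:
        print(translates_to_zone_lookup(base, scope, filt), base, scope, filt)
```

Only the first of the four sample requests is translated; changing the scope, the leading RDN attribute, or the filter leaves the request untouched and it is served as a generic Active Directory object query.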
· The deprecated license key management (add/remove) function in Access Manager, Audit Manager, and Licensing Report is now removed. Please use the Centrify Licensing Service Control Panel to do license management for all components.
Note: Centrify Licensing Service needs to have access to a working Global Catalog (GC) for license management feature to function properly. (Ref: CS-40967, CS-40968, CS-43318)
· Password Synchronization now supports SHA-256 and SHA-512 hashes. SHA-256 hashes, which start with "$5$", are generated with the crypt(3) SHA-256 method, and SHA-512 hashes, which start with "$6$", with the crypt(3) SHA-512 method. The algorithm is selected with a registry setting (Registry Key: HKLM\Software\Centrify\EncryptionType, Type: REG_DWORD). The value of the registry key defines which algorithm is used: '1': MD5 hash; '2': SHA-256 hash; '3': SHA-512 hash. (Ref: CS-40277)
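After changing EncryptionType, the accounts still carrying an MD5 ("$1$") hash are the ones to look for, because a hash is only regenerated when the password is next synchronized. The following is an added example, not Centrify code, that classifies crypt(3)-style hash strings by the prefixes above (shadow-format lines are used as the constructed sample input, with placeholder hash bodies), reports accounts by algorithm, lists enabled accounts still on MD5, and maps each algorithm back to the registry value that produces it. The rounds handling follows the crypt(3) SHA-crypt convention of an optional "rounds=N" field with a default of 5000.

```python
# Added example (not Centrify code): audit crypt(3)-style password hashes by
# the $1$ / $5$ / $6$ prefixes and map each algorithm to the EncryptionType
# registry value that produces it.
PREFIXES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}
ENCRYPTION_TYPE = {"MD5": 1, "SHA-256": 2, "SHA-512": 3}
DEFAULT_ROUNDS = 5000   # crypt(3) SHA-crypt default when no rounds= field is present


def classify_hash(field):
    """Return (algorithm, disabled, rounds) for one shadow password field.
    A leading '!' marks a locked account but the hash behind it is still
    classified; '*', '!' and '!!' alone mean no usable password. rounds is
    None for MD5, which has no rounds field."""
    disabled = field.startswith("!")
    body = field.lstrip("!")
    if body in ("", "*"):
        return ("none", True, None)
    for prefix, alg in PREFIXES.items():
        if body.startswith(prefix):
            if alg == "MD5":
                return (alg, disabled, None)
            rest = body[len(prefix):]
            rounds = DEFAULT_ROUNDS
            if rest.startswith("rounds="):
                rounds = int(rest.split("$", 1)[0][len("rounds="):])
            return (alg, disabled, rounds)
    return ("other", disabled, None)


def shadow_entries(text):
    """Yield (account, password_field) from shadow-format lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            yield fields[0], fields[1]


def audit_shadow(text):
    """Group account names by hash algorithm."""
    report = {}
    for account, field in shadow_entries(text):
        alg, _, _ = classify_hash(field)
        report.setdefault(alg, []).append(account)
    return report


def legacy_accounts(text):
    """Enabled accounts whose hash is still MD5 (EncryptionType 1)."""
    return [account for account, field in shadow_entries(text)
            if classify_hash(field)[:2] == ("MD5", False)]


# Constructed sample shadow lines; the hash bodies are placeholders.
SAMPLE_SHADOW = """\
root:$6$rounds=65536$c0nstructed$placeholderhash:17600:0:99999:7:::
app:$5$c0nstructed$placeholderhash:17600:0:99999:7:::
legacy:$1$c0nstruct$placeholderhash:17600:0:99999:7:::
oldsvc:!$1$c0nstruct$placeholderhash:17600:0:99999:7:::
nologin:*:17600:0:99999:7:::
"""

if __name__ == "__main__":
    print(audit_shadow(SAMPLE_SHADOW))
    print("still on MD5 (EncryptionType %d):" % ENCRYPTION_TYPE["MD5"],
          legacy_accounts(SAMPLE_SHADOW))
```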
· A more frequent synchronization schedule than once a day is supported. You may now set the interval up to every 1 hour. (Ref: CS-42600)
· The ability to monitor zones in other domains is now supported. (Ref: CS-43083)
· Multiple users per "member: " entry in a local group profile are now supported. (Ref: CS-42951)
· Report Services now supports using Managed Service Account (MSA) to retrieve information from Active Directory (AD). (Ref: CS-43176)
· Access Manager now supports more than 1000 members in a local group. (Ref: CS-42949)
· Access Manager and the ADUC Property Page Extension now support the ability to create a Centrify hierarchical zone without creating the corresponding zone_nis_servers group. You use registry setting to control the behavior. (Registry Key: HKEY_CURRENT_USER\Software\Centrify\CIMS, ValueName: NoNisServersGroup, Type: DWORD, Value - '1': do not generate zone_nis_servers group; '0' or unspecified: generate zone_nis_servers group.) (Ref: CS-43109)
· A new parameter, NoNisServersGroup, is added to the command, New-CdmZone, to allow user to create a hierarchical zone without generating the corresponding zone_nis_servers group. (Ref: CS-43110)
· adedit now supports more than 256 characters in the "member" field setting of its "set_local_group_profile_field" function. (Ref: CS-42823)
· Centrify products which use Centrify OpenSSL libraries can now utilize the Intel AES-NI hardware acceleration if it is supported by machine/hardware (Linux and Solaris). Please note that such optimization exists only in the 64bit Centrify OpenSSL for Solaris on x86_64. (Ref: CS-44397)
· A new switch is added to control whether a user can log in with a name longer than the system maximum login length. This applies to both Active Directory users and local users in hierarchical zones. (Ref: CS-42714, CS-43825)
· The adinfo command with option "-t" can now show nscd status and nscd configuration. On Solaris 11, it writes the nscd configuration to adinfo_support.txt instead. (Ref: CS-21754)
· The "adinfo -y domain" command now shows the trusted domain prefix IDs. (Ref: CS-44565)
· Fixed a bug that caused the adquery command to return duplicate group entries. (Ref: CS-43252)
· The configuration parameter, adclient.get.primarygroup.membership, does not work as expected. It is now fixed. (Ref: CS-44057)
· One-way cross-forest trust users are incorrectly prompted for expired password when it is not expired. It is now fixed. (Ref: CS-42584)
· On AIX, the Local Account Handling will now disallow empty password hash in /etc/security/passwd for enabled users. If the password hash is empty, it is set to "*". (Ref: CS-44415)
· On Solaris, /etc/certs/ca-certificates.crt is added to CentrifyDC and CentrifyDC-curl SSL CA bundle file search list. (Ref: CS-44248)
· Fixed an issue in Centrify OpenSSH on AIX/HPUX where SSOMFA feature cannot work as expected. (Ref: CS-43873)
· Access Manager did not allow assignment of role to the same assignee in different start or end times under the same zone, same computer or same computer role. This is now supported in hierarchical zones. (Ref: CS-43451)
· In an environment where child domain users cannot read objects in the forest root domain, errors may occur during zone creation and adding users to zone. It is now fixed. (Ref: CS-43835)
· Access Manager cannot successfully finish the Identity Platform connection test in an environment where TLS 1.0 is not allowed. It is now fixed. (Ref: CS-43951)
· If a user selects "Allow the computer to join itself to the zone" in "Precreate Computer Profile Wizard", the operation may fail if the account specified in "Allow this user, group or computer to join the computer to the zone" does not exist. It is now fixed. (Ref: CS-43420)
· The task name "Initialize data for DirectAuthorize" is changed to "Enable Privilege Elevation for Classic Zone" in the Centrify Access Manager Zone Delegation Wizard as well as in Delegation Report or Effective Delegation Report to reflect the actual usage. (Ref: CS-44506, CS-44520)
· The default install path of Centrify Access API for Windows has been changed to "C:\Program Files\Centrify\Access API for Windows\" in Identity Broker & Privilege Elevation Service 5.4.2. PowerShell sample scripts are now updated to use the new default install path. (Ref: CS-43896)
· PowerShell cmdlet did not allow assignment of role to the same assignee in different start or end times under the same zone, same computer or same computer role. This is now supported in hierarchical zones. (Ref: CS-43451)
· The Centrify Audit Trail Settings group policy template is now installed by Centrify Group Policy Management Editor Extension. (Ref: CS-44013)
· Report Services can now skip Computer Zone containers with unexpected CN name format and allow synchronization to continue. (Ref: CS-43911)
· Zone Provisioning Agent can provision users in Domain Users group only if it is explicitly assigned as the source group but not if Domain Users group is a member of another provisioning group. It is now fixed. (Ref: CS-35047)
· The "Save As…" button in the Zone Provisioning Agent (ZPA) configuration panel now saves logs for both the ZPA service and the ZPA configuration panel. (Ref: CS-44031)
· In an environment where child zone user cannot access forest root domain, errors may occur while building domain tree in Domain Browser or clicking the Apply button. It is now fixed. (Ref: CS-44208)
· CopyGroupNested.exe tool fails to run with empty prefix. It is now fixed. (Ref: CS-44627)
· Cross-forest authentication with preferred login domains is now supported. (Ref: CS-43231)
· adauto.pl now supports asynchronous reload and handling of empty map. (Ref: CS-43246)
· The adjoin command still synchronizes time with the domain controller even when the property, adclient.sntp.enabled, is set to false in centrifydc.conf. It is now fixed. (Ref: CS-43229)
· The DirectControl agent daemon, adclient, now checks for uid/uname conflict with multiple UNIX profiles and rejects the conflicting profiles. Preference is given to the profile defined closer to the joined zone. (Ref: CS-39720)
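The selection rule above, applied to a constructed set of UNIX profiles from a chain of hierarchical zones, as an added example that is not Centrify code. "depth" is this example's way of expressing distance from the joined zone (0 = the joined zone, 1 = its parent, and so on). Several profiles of the same AD user in different zones are treated as the usual child-overrides-parent inheritance; a conflict is two different AD users sharing a uid or a user name, and the profile closer to the joined zone wins. For a clash at equal depth the first-listed profile wins, which is an assumption the page does not settle.

```python
# Added example (not Centrify code): reject uid/uname conflicts between UNIX
# profiles, preferring the profile defined closer to the joined zone.
from collections import namedtuple

Profile = namedtuple("Profile", "aduser uname uid zone depth")


def resolve_profiles(profiles):
    """Return a dict with the accepted profiles, the rejected ones (each paired
    with the profile it clashed with) and those merely overridden by a closer
    profile of the same AD user."""
    by_depth = sorted(profiles, key=lambda p: p.depth)   # stable: keeps input order

    # Step 1: hierarchical-zone inheritance, one effective profile per AD user.
    effective, overridden = {}, []
    for p in by_depth:
        if p.aduser in effective:
            overridden.append(p)
        else:
            effective[p.aduser] = p

    # Step 2: among effective profiles, the closest wins a uid or uname clash.
    accepted, rejected = [], []
    seen_uid, seen_name = {}, {}
    for p in sorted(effective.values(), key=lambda p: p.depth):
        clash = seen_uid.get(p.uid) or seen_name.get(p.uname)
        if clash is not None:
            rejected.append((p, clash))
            continue
        seen_uid[p.uid] = p
        seen_name[p.uname] = p
        accepted.append(p)
    return {"accepted": accepted, "rejected": rejected, "overridden": overridden}


# Constructed sample: a machine joined to zone "Web" under "Corp" under "Global".
SAMPLE_PROFILES = [
    Profile("alice", "alice", 1001, "Web", 0),
    Profile("alice", "alice", 5000, "Corp", 1),      # overridden by the Web profile
    Profile("bob", "bob", 1001, "Corp", 1),          # uid clash with alice
    Profile("carol", "carol", 1002, "Global", 2),
    Profile("dave", "alice", 1003, "Global", 2),     # user-name clash with alice
]

if __name__ == "__main__":
    result = resolve_profiles(SAMPLE_PROFILES)
    for p in result["accepted"]:
        print("accepted", p)
    for p, clash in result["rejected"]:
        print("rejected", p, "clashes with", clash.aduser, "in zone", clash.zone)
```

The point to take from the sample is that a parent-zone profile can be rejected because of a child-zone profile it never sees: bob's uid 1001 in "Corp" is fine until a machine joins "Web", where alice already owns 1001.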
· Fixed a bug that requires restarting adclient due to mismatched encryption type, after migrating Domain Functional Level from Windows 2003 to Windows 2008. (Ref: CS-43207)
· Fixed a bug that incorrectly causes an error message "ERROR <bg:krb5.conf> daemon.main update /etc/krb5.conf failed with error...Krb5 Config file update: Cannot find KDC for requested realm" when Global Catalog (GC) is blocked. (Ref: CS-42760)
· Fixed a bug in the Kerberos library specific to encryption types RC4 and DES, which are the default encryption types used in Windows Server 2003 Domain Functional Level. The symptom is a failure in fetching certificates from CA, resulting in a warning message: “… certificate request failed on CA … - Attempt to access past end of buffer”. (Ref: CS-43718)
· Fixed a bug that incorrectly generates a warning message "… WARN <fd:## PAMUserLoggedOut2 > daemon.ipcclient2 Problem processing logged out user xxxxx: stat ccache:No credentials cache found" during logout if the user logged in via a trusted SSH connection. (Ref: CS-43650)
· Fixed a bug in an AIX WPAR zone where dzdo fails with the incorrect complaint “no tty present and no askpass program specified”. (Ref: CS-43766)
· Fixed a bug that centrifydc.conf is incorrectly truncated when a machine’s disk is full. (Ref: CS-40844)
· On Linux platforms, fixed an issue in the PAM module where running su from root to a non-root user did not create the user's home directory. (Ref: CS-42878)
· Fixed a bug on AIX that limits the login user name to only 8 characters. Now it follows the login_max setting in sysconf. (Ref: CS-42713)
· Packaging fixes
o Some RPM packages for the Centrify DirectControl Agent for *NIX, such as CentrifyDC-openldap and CentrifyDC-openssl, no longer advertise libraries that are for Centrify internal use. (Ref: CS-43257)
o Fixed several bugs that cause the rpmlint command to report "file-not-utf8", "postin-without-ldconfig" and "postun-without-ldconfig" errors. (Ref: CS-43279, CS-43283)
o Fixed a bug in the RPM specification files that causes the check in Oracle Linux or Red Hat Enterprise Linux Security Technical Implementation Guide (STIG) to falsely complain that executables got modified. (Ref: CS-43636)
o Fixed a bug that causes upgrading with install.sh from v5.4.0 to v5.4.1 to fail due to the file ownership issue. (Ref: CS-43517)
o Fixed the open source package license statements and stripped the libraries in RPM packages. (Ref: CS-43310, CS-43311)
· Fixed a bug on Red Hat that the SSH daemon does not properly support SELinux. Centrify OpenSSH is now updated based on Fedora patch: openssh-7.4p1-4 + 0.10.3-1 (Ref: CS-43254)
· The following limitations are fixed (Ref: CS-43402):
o The Members node under a Computer Role node could show at most 1500 members of the computer role.
o At most 1499 members were preserved when deleting any member from it.
· The previous versions of Licensing Report will fail to send reports to Centrify with the error message, "Unable to send report to Centrify Support Portal because the server is not available for this request.", because the receiving end does not allow TLS v1.0 anymore. It is now fixed in release 2017.2 by enabling TLS v1.1/1.2 by default. Note: you now need to upgrade to Centrify Licensing Report 2017.2 v5.4.2 to send report to Centrify. (Ref: CS-43850)
· The command to create/update local group profile, New-CdmLocalGroupProfile and Set-CdmLocalGroupProfile, may not work well if there are more than 1000 members in a local group. It is now fixed. (Ref: CS-42950)
· The command to create match criteria, New-CdmMatchCriteria, always sets the boolean field, -IsArgumentExactMatch, to true if any Argument parameter is passed into the command, and there is no way to reset it back to false. It is now fixed. The new behavior is that it defaults to false unless set to true by the user. (Ref: CS-43552)
· The group policy, Copy Files, cannot load all trusted domains in one forest for the source file. It is now fixed. (Ref: CS-35765)
· When Report Services is configured to Domain mode, the report data of deleted domains cannot be cleaned up if Microsoft Distributed Transaction Coordinator (MSDTC) is turned off in the machines running Report Services or Report database. It is now fixed. (Ref: CS-43130)
· The synchronization logic is revised to avoid unnecessary consecutive update cycles for background job. If an interactive force update request is made while another update is in progress, users will be prompted to choose "yes" to abort the running update, "no" to wait for completion, or "cancel" to abandon the force update request. (Ref: CS-43350)
· The commands, CopyGroup and CopyGroupNested, may fail due to Active Directory replication delay. It is now fixed. The CopyGroup and CopyGroupNested tools now also support specifying the domain controller to use. (Ref: CS-42590)
The following sections describe common known issues or limitations associated with this Centrify Infrastructure Services release.
For the most up to date list of known issues, please login to the Customer Support Portal at http://www.centrify.com/support and refer to Knowledge Base articles for any known issues with the release.
· Known issues with Multi-Factor Authentication (MFA)
If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" names a group that does not exist, all AD users will be required to perform MFA. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)
User specified Web Proxy Server won't work properly if 'negotiate' authentication type is used and proxy user's password/machine's password is configured to be cached in an RODC. (Ref: CS-44177)
· Known issues with AIX
On AIX, upgrading DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after upgrade. It's recommended not to upgrade DirectControl agent in disconnected mode. (Ref: CS-30494a)
Some versions of AIX cannot handle user name longer than eight characters. As a preventive measure, we have added a new test case in the adcheck command to check if the parameter LOGIN_NAME_MAX is set to 9. If yes, adcheck will show a warning so that users can be aware of it. (Ref: CS-30789a)
· Known issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)
There are several potential issues on Fedora 19 and above:
1) The adcheck command will fail if the machine does not have Perl installed.
2) Group Policy will not be fully functional unless Text/ParseWords.pm is installed.
· Known issues with RedHat
When logging into a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which will result in unpredictable login behavior. The workaround is to remove the conflict or login with a different AD user. (Ref: CS-28940a, CS-28941a)
· Known issues with rsh / rlogin (Ref: IN-90001)
- When using rsh or rlogin to access a computer that has DirectControl agent installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.
· Known issues with compatibility
Using DirectControl 4.x agents with Access Manager 5.x (Ref: IN-90001)
- DirectControl 4.x agents can join classic zones created by Access Manager 5.x. Joining a DirectControl 4.x agent to a hierarchical zone may also appear to succeed, but this causes failures later because such behavior is undefined.
Default zone not used in DirectControl 5.x (Ref: IN-90001)
- In DirectControl 4.x, and earlier, there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.
- This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.
- A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly used.
· A Red Hat Linux desktop selection issue has been found in RHEL 7 with smart card login. When logging in with a smart card on a system where both GNOME and KDE desktops are installed, the user can only log into the GNOME desktop even if the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)
· On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smart card is inserted at the login screen, a PIN prompt may not appear until you press the "Enter" key. The workaround is to replace libsoftokn3.so, a shared object file in the NSS package, with the older version from RHEL 5.9. (Ref: CS-35038a)
· On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after logging in with a smart card. The workaround is to replace libsoftokn3.so, a shared object file in the NSS package, with the older version from RHEL 5.9. (Ref: CS-33871a)
· When a SmartCard user attempts to login on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)
· On RedHat, any SmartCard user gets a PIN prompt even if the user is not zoned, although the login attempt will ultimately fail. This differs from Mac behavior: on Mac, if a SmartCard user is not zoned, the user is not prompted for a PIN at all. (Ref: CS-33175c)
· If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using their expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and Password logins while using a Smart Card. (Ref: CS-28926a)
· In order to login successfully in disconnected mode (Ref: CS-29111a):
o For a password user:
§ A password user must log in successfully once in connected mode before logging in in disconnected mode. (This is consistent with DirectControl agent for *NIX behavior elsewhere.)
o For a SmartCard user:
§ The above does not apply to SmartCard login. Given a properly configured RedHat system with a valid certificate trust chain and CRL set up, a SmartCard user may log in successfully in disconnected mode even without a prior successful login in connected mode.
§ If the certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.
§ If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.
· After upgrading from DirectControl version 5.0.4 to version 5.1, a Smartcard user may not be able to log in successfully. The workaround is to run the following CLI commands:
sudo rm /etc/pam_pkcs11/cacerts/*
sudo rm /etc/pam_pkcs11/crls/*
sudo rm /var/centrify/net/certs/*
then run adgpupdate. (Ref: CS-30025c)
· When CRL check is set via Group Policy and attempting to authenticate via Smartcard, authentication may fail. The workaround is to wait until the Group Policy Update interval has occurred and try again or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)
· After upgrading from DirectControl agent version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to run the following CLI command sequence:
sudo rm /etc/pam_pkcs11/cacerts/*
sudo rm /etc/pam_pkcs11/crls/*
sudo rm /var/centrify/net/certs/*
and then log in again using the SmartCard and PIN. (Ref: CS-30353c)
· A name-mapping user can unlock screen with password even though the previous login was with PIN. (Ref: CS-31364b)
· On RedHat, the PIN must be entered twice to log in using a CAC card with PIN: the first input fails but the second succeeds. (Ref: CS-30551c)
· Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)
· Screen saver shows password not PIN prompt (Ref: CS-31559a)
Most smart card users can log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this setup works seamlessly: the user either enters a user name and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt.
However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached.
On RHEL 7, an Active Directory user who authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not occur on RHEL 6. (Ref: CSSSUP-6914c)
· The SQL Server Availability Group feature in SQL Server 2012 is not supported. (Ref: CS-39674a)
In addition to the documentation provided with this package and on the web, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.
The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:
You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Infrastructure Services, send email to firstname.lastname@example.org or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to email@example.com.