Centrify(R) DirectControl(R) 4.4.3 Release Notes
(C) 2004-2011 Centrify Corporation. This software is protected by international copyright laws. All Rights Reserved.

Table of Contents

1. About This Release
2. New Features in DirectControl 4.4.3
   2.1. New Features in DirectControl 4.4.2
   2.2. New Features in DirectControl 4.4.1
   2.3. New Features in DirectControl 4.4.0
   2.4. New Features in DirectControl 4.3.0
   2.5. New Features in DirectControl 4.2.2
   2.6. New Features in DirectControl 4.2.1
   2.7. New Features in DirectControl 4.2.0
   2.8. New Features in DirectControl 4.1.2
   2.9. New Features in DirectControl 4.1.1
   2.10. New Features in DirectControl 4.1.0
   2.11. New Features in DirectControl 4.0.0
3. Bugs Fixed
4. Known Issues
5. Additional Information and Support

1. About This Release

Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating UNIX, Linux, Mac, J2EE and web platforms with Microsoft Active Directory. With DirectControl, organizations can improve IT efficiency, better comply with regulatory requirements, and move toward a more secure, connected infrastructure for their heterogeneous computing environment. DirectControl is non-intrusive, easy to deploy and manage, and is the only solution that enables fine-grained access control, reporting and auditing through its unique Zone technology.

DirectControl is part of this Centrify Suite release, which includes updates that apply to Windows, UNIX, Linux and Mac OS X operating system environments. An upgrade application note (/Documentation/UpgradeGuide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order in which to perform updates so that all packages continue to work correctly once upgraded. This document is also available in the Centrify DirectControl Knowledge Base.

2. New Features in DirectControl 4.4.3

* A new DNS subsystem has been incorporated in this version of DirectControl. It is more resilient to broken DNS environments and requires less manual configuration because it is self-tuning. This has resulted in a number of configuration parameter changes, which are reflected in the DirectControl documentation set.

  Removed configuration parameters:
    adclient.dns.cache.size
    adclient.dns.response.factor
    adclient.dns.response.maxtime
    adclient.dns.terminate.hostnames
    adclient.dns.update.interval
    adclient.dns.server.try.max
    dns.forcetcp
    dns.max.udp.packet
    dns.rotate

  Replaced parameters:
    adclient.dns.cache.timeout replaced by dns.cache.timeout

  New parameters:
    dns.servers
    dns.block
    dns.sweep.pattern
    dns.dead.resweep.interval
    dns.alive.resweep.interval
    dns.udp.retries
    dns.timeout
    dns.fast.sweep.pattern
    dns.deep.sweep.pattern
    dc.dead.cache.refresh
    domain.dead.cache.refresh
    dc.live.cache.refresh
    domain.live.cache.refresh

* New group policies
  * Machine Configuration > Centrify Settings > Mac OS X Settings > App Store Settings > Prohibit Access to App Store
    When enabled, this group policy prohibits access to the Mac App Store for all users except root and the users/groups specified in the policy. If this policy is not configured or is disabled, all users can access the App Store.

* Configuration parameters
  * New configuration parameter: adclient.dynamic.dns.refresh.interval
    When dynamic DNS update by addns is enabled, this parameter controls the period (in seconds) between successive periodic updates. A value of 0 (the default) disables periodic updates.
  * New configuration parameter: dns.change.check.interval

* CLIs
  * addns
    New --force command line parameter that forces a DNS record update even if the records have not changed.
    New --add / -A command line parameter that creates new IP address (A) and domain name pointer (PTR) records in the DNS server for the local or specified computer host name, even if a record already exists for the same host name.
  * adsetgroups
    New -C / --command command line parameter that specifies a command to run in a temporarily created shell. For example:
      adsetgroups --command 'ls -l'
    The command line passed to the temporary shell must be at most 256 characters long.
  * adcache
    New -L / --live command line parameter that sends a request to adclient to dump its cache for debugging purposes. The -c parameter may also be used to specify which cache file to dump; without -c, all cache files are dumped. The -L parameter requires the -o parameter (below) to be specified. The -k parameter may also be specified to dump entries for a given key.
    New -o / --outputfile parameter that specifies the output file name for the dumped cache. If a file name is given without a path, the file is placed in /var/centrifydc.

* Miscellaneous
  * The Mac sample login / logout scripts on ISO 3 (UNIX / Linux agents) have been updated. The new login script no longer assumes that the share resides on a domain controller, and an example using an NFS share was added.
  * Added support for the AIX capabilities user attribute. See the AIX platform-specific release notes for more information.
  * Support is added for the following operating systems:
    - Fedora 14 (32- and 64-bit)
    - IBM AIX 7.1
    - Mandriva 2010.2 One
    - OpenSuSE 11.4 beta (32- and 64-bit)
    - Red Hat Enterprise Linux 4.9 beta, 5.6 (32- and 64-bit)
    - Red Hat Enterprise Linux 4.9 beta, 5.6 (PPC)
    - Red Hat Enterprise Linux 4.9 beta, 5.6 (Itanium)
    - Red Hat Enterprise Linux Desktop 5.6 (32- and 64-bit)
    - Scientific Linux 6 beta (32- and 64-bit)
    - Ubuntu Desktop 10.10 (32- and 64-bit)
    - Ubuntu Server 10.10 (32- and 64-bit)

2.1. New Features in DirectControl 4.4.2

* Express mode
  * Solaris SPARC and x86 now support Express mode.
* Configuration parameters
  * New configuration parameter: krb5.support.alt.identities
    When true (the default), if a Kerberos altSecurityIdentities value exists for a user, DirectControl uses it for authentication instead of the Windows name, regardless of which of the two names was supplied at login. This works as long as 1) the alternate name is always used or the passwords are synchronized, and 2) the third-party KDC is reachable. If these conditions are not met, you can disable the feature by setting this parameter to false; only the Windows name is then used to authenticate the user, and any Kerberos altSecurityIdentities are ignored.
  * New configuration parameter: adjoin.samaccountname.length
    This parameter was introduced in DirectControl 4.3.0. adjoin uses this value to generate the pre-Windows 2000 host name by truncating the host name, and to determine how it should create its computer account in Active Directory. The value defaults to 15 because that is the maximum host name size allowed by the NetLogon service, which adclient prefers to use for NTLM pass-through authentication. NetLogon is fast and automatically returns a user's group membership. The value can be configured up to 19 characters; in that case adclient uses slower NTLM authentication methods and additional LDAP searches to fetch the user's group membership. If the adjoin option -N is used to specify the pre-Windows 2000 host name, this configuration parameter is not used for that purpose. If the computer's host name exceeds this value in length, adjoin uses LDAP (and requires administrative privileges) to create the computer account instead of MS-RPC. Regardless of this setting, if the computer's short host name exceeds 19 characters, the computer account can no longer be created via MS-RPC and LDAP must be used.
  * The default for adclient.force.salt.lookup has changed from false to true.
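The following is an added example, not Centrify code: it models the adjoin.samaccountname.length rules described above so that host names can be checked before a join, and goes one step beyond the notes by flagging hosts whose truncated names would collide (a direct consequence of truncation, not something the notes discuss). The assumptions, which the notes do not state, are that the pre-Windows 2000 name is the short host name truncated to the configured length and upper-cased, that the computer account's sAMAccountName is that name with "$" appended, and that a name given with -N is subject to the same 19-character ceiling. All host names below are constructed.

```python
"""Model of the adjoin.samaccountname.length behaviour (added example, not
Centrify code).  Predicts the pre-Windows 2000 name, whether adjoin can use
MS-RPC or must fall back to LDAP, and which NTLM path adclient will take."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

NETLOGON_MAX = 15     # default adjoin.samaccountname.length (NetLogon limit)
MSRPC_HARD_MAX = 19   # above this, MS-RPC account creation is impossible


@dataclass(frozen=True)
class JoinPlan:
    pre2k_name: str        # pre-Windows 2000 computer name adjoin will use
    sam_account_name: str  # pre2k_name + "$" (assumption, AD convention)
    account_method: str    # "MS-RPC" or "LDAP"
    auth_path: str         # "NetLogon" or "NTLM+LDAP"
    notes: tuple           # human-readable reasons for the decisions


def short_hostname(hostname: str) -> str:
    """The notes' 'short host name': everything before the first dot."""
    return hostname.split(".", 1)[0]


def plan_join(hostname: str, samaccountname_length: int = NETLOGON_MAX,
              explicit_name: Optional[str] = None) -> JoinPlan:
    if not 1 <= samaccountname_length <= MSRPC_HARD_MAX:
        raise ValueError("adjoin.samaccountname.length must be between 1 and 19")
    short = short_hostname(hostname)
    notes: List[str] = []

    # Naming: adjoin -N wins; otherwise truncate to the configured length.
    if explicit_name is not None:
        name = explicit_name
        if len(name) > MSRPC_HARD_MAX:   # assumption: same ceiling applies to -N
            raise ValueError("pre-Windows 2000 name cannot exceed 19 characters")
        notes.append("name given with adjoin -N; adjoin.samaccountname.length not used for naming")
    else:
        name = short[:samaccountname_length]
        if len(short) > samaccountname_length:
            notes.append(f"host name truncated from {len(short)} to {samaccountname_length} characters")
    name = name.upper()

    # Account creation: a host name longer than the setting, or longer than 19
    # characters regardless of the setting, forces LDAP with admin credentials.
    if len(short) > MSRPC_HARD_MAX:
        method = "LDAP"
        notes.append("short host name exceeds 19 characters: LDAP (administrative credentials) required")
    elif len(short) > samaccountname_length:
        method = "LDAP"
        notes.append("host name exceeds adjoin.samaccountname.length: LDAP (administrative credentials) required")
    else:
        method = "MS-RPC"

    # Authentication: names over NetLogon's 15-character limit use the slower
    # NTLM path plus extra LDAP searches for group membership.
    auth = "NetLogon" if len(name) <= NETLOGON_MAX else "NTLM+LDAP"
    if auth != "NetLogon":
        notes.append("pre-Windows 2000 name longer than 15 characters: slower NTLM path with extra LDAP group searches")

    return JoinPlan(name, name + "$", method, auth, tuple(notes))


def truncation_collisions(hostnames: Iterable[str],
                          samaccountname_length: int = NETLOGON_MAX) -> Dict[str, List[str]]:
    """Hosts whose truncated names coincide would contend for one computer account."""
    by_name: Dict[str, List[str]] = defaultdict(list)
    for h in hostnames:
        by_name[plan_join(h, samaccountname_length).pre2k_name].append(h)
    return {n: hs for n, hs in by_name.items() if len(hs) > 1}


if __name__ == "__main__":
    # Constructed host names for illustration.
    for h in ("web01.example.com", "buildfarm-node-london-07.example.com",
              "db-cluster-primary1.example.com"):
        print(h, plan_join(h))
    print(truncation_collisions(["buildfarm-node-london-07.example.com",
                                 "buildfarm-node-london-08.example.com"]))
```

Run it over the host list of a planned deployment before joining: any host reported with account_method "LDAP" needs administrative credentials at join time, any with auth_path "NTLM+LDAP" will log in more slowly, and any collision means two machines would map to the same computer account unless one of them is joined with -N.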
* CLIs
  * adcheck
    On Mac OS X, if adcheck finds a local administrator account it recommends adding that account to /etc/centrifydc/user.ignore.

* Installer
  * The group "admin" is now automatically added to /etc/centrifydc/group.ignore by install.sh. This avoids local administrators losing sudo privileges after installing DirectControl.

* Miscellaneous
  * MIT Kerberos vulnerability CVE-2009-0846: a patched Kerberos 5 1.4.3 is included in this build. It has been included in DirectControl since version 4.3.0 but was not noted in the release notes until now.
  * Solaris patch requirements
    The minimum supported versions of Solaris 8 and 9 SPARC and Solaris 9 x86 have been updated to the following:
      Solaris 8 SPARC: Sun Alert Patch Cluster 7/27/2006 or later
      Solaris 9 SPARC: Update 6 or later
      Solaris 9 x86: Update 6 or later
    Older versions of these operating systems are still supported as long as the minimum patch requirements documented in KB-1800 are installed. Patch requirements for the new minimum supported versions are documented in the platform release notes for each package, and the centrify.xref file used by pca has been updated to match these new requirements.
  * The package names for Debian / Ubuntu support have changed from *-deb3.1-* to *-deb5-* to reflect the termination of support for Debian 3.1 and 4.
  * The package names for Mac OS X 10.5 support have changed from *-mac10.4-* to *-mac10.5-* to reflect the termination of support for Mac OS X 10.4.
  * Support is added for the following operating systems:
    - CentOS 4.8 (32- and 64-bit)
    - CentOS 5.4 (32- and 64-bit)
    - CentOS 5.5 (32- and 64-bit)
    - Citrix XenServer 5.5
    - Citrix XenServer 5.6
    - Mandriva 2010.1 One
    - Mandriva Enterprise Server 5 (32- and 64-bit)
    - Novell SuSE Linux Enterprise Server 11 (Itanium)
    - OpenSuSE 11.3 (32- and 64-bit)
    - Red Hat Enterprise Linux 6.0 beta 2 (32- and 64-bit)
    - Red Hat Enterprise Linux 6.0 beta 2 (PPC)
    - Red Hat Enterprise Linux 6.0 beta 2 (Itanium)
    - Red Hat Enterprise Linux 6.0 Desktop beta 2 (32- and 64-bit)
    - Scientific Linux 4.8 (32- and 64-bit)
    - Scientific Linux 5.4 (32- and 64-bit)
    - Scientific Linux 5.5 (32- and 64-bit)
    - Sun OpenSolaris 2009.06 (SPARC)
    - Sun OpenSolaris 2009.06 (Intel)
    - VMware ESX 4.1

2.2. New Features in DirectControl 4.4.1

* Configuration parameters
  * New configuration parameter
    The following configuration parameter has been added to /etc/centrifydc/centrifydc.conf:
    * adclient.iterate.private.groups
      The default value of this option is false until a private group is encountered, at which point it switches to true for the remainder of the adclient process lifetime. It can be overridden to either value by the user in centrifydc.conf. When this value is true, group iteration also iterates over the user population looking for gid == uid, and generates private groups for those cases. Note that this can be time consuming when there are a large number of users but only very few have private groups.
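The following is an added example, not Centrify code, that models the adclient.iterate.private.groups behaviour described above over a constructed in-memory user and group population: a by-gid lookup that serves a private group flips the switch for the rest of the process, after which group enumeration also performs the full user scan the note warns about. It assumes (the notes do not say) that a private group is a user whose gid equals their uid and for which no real group with that gid exists, and that the synthesized group takes the user's name with the user as its only member.

```python
"""Model of adclient.iterate.private.groups (added example, not Centrify code)."""

from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int


@dataclass(frozen=True)
class GroupEntry:
    name: str
    gid: int
    members: tuple


class GroupEnumerator:
    def __init__(self, users: Iterable[PasswdEntry], groups: Iterable[GroupEntry],
                 iterate_private_groups: Optional[bool] = None):
        self.users = list(users)
        self.groups = list(groups)
        # None models the parameter left unset in centrifydc.conf: it starts
        # false and flips to true once a private group has been served.
        self._override = iterate_private_groups
        self._seen_private = False

    @property
    def iterate_private_groups(self) -> bool:
        if self._override is not None:
            return self._override          # explicit setting in centrifydc.conf
        return self._seen_private

    @staticmethod
    def _private_group(user: PasswdEntry) -> GroupEntry:
        # Assumption: synthesized group carries the user's name, user as sole member.
        return GroupEntry(user.name, user.gid, (user.name,))

    def lookup_gid(self, gid: int) -> Optional[GroupEntry]:
        """getgrgid(): real groups first, then a synthesized private group."""
        for g in self.groups:
            if g.gid == gid:
                return g
        for u in self.users:
            if u.uid == u.gid == gid:
                self._seen_private = True  # auto-switch for the process lifetime
                return self._private_group(u)
        return None

    def enumerate(self) -> List[GroupEntry]:
        """getgrent() walk.  The user scan below is the costly part, so it
        only runs when private-group iteration is enabled."""
        result = list(self.groups)
        if not self.iterate_private_groups:
            return result
        real_gids = {g.gid for g in self.groups}
        for u in self.users:
            if u.uid == u.gid and u.gid not in real_gids:
                result.append(self._private_group(u))
        return result


# Constructed sample population (not from the page).
USERS = [
    PasswdEntry("alice", 1001, 1001),   # auto-private primary group
    PasswdEntry("bob", 1002, 100),      # primary group is the real "users" group
    PasswdEntry("carol", 1003, 1003),   # gid == uid, but a real group owns 1003
]
GROUPS = [
    GroupEntry("users", 100, ("bob",)),
    GroupEntry("devops", 1003, ("carol", "alice")),
]


def demo():
    e = GroupEnumerator(USERS, GROUPS)
    before = [g.name for g in e.enumerate()]   # ['users', 'devops']
    hit = e.lookup_gid(1001)                   # alice's private group; flips the switch
    after = [g.name for g in e.enumerate()]    # ['users', 'devops', 'alice']
    return before, hit, after


if __name__ == "__main__":
    print(demo())
```

Setting the parameter explicitly to false keeps enumeration cheap even after a private group has been looked up, which is the trade-off to make on hosts with very large user populations where getent group output need not include private groups.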
* Miscellaneous
  * Support is added for the following new operating systems:
    - Red Hat Enterprise Linux 4.8 (32- and 64-bit)
    - Red Hat Enterprise Linux 4.8 (PPC)
    - Red Hat Enterprise Linux 4.8 (Itanium)
    - Red Hat Enterprise Linux 5.5 (32- and 64-bit)
    - Red Hat Enterprise Linux 5.5 (PPC)
    - Red Hat Enterprise Linux 5.5 (Itanium)
    - Red Hat Enterprise Linux Desktop 5.5 (32- and 64-bit)
    - Fedora 13 (32- and 64-bit)
    - Ubuntu Desktop 10.04 LTS (32- and 64-bit)
    - Ubuntu Server 10.04 LTS (32- and 64-bit)

2.3. New Features in DirectControl 4.4.0

* Express mode
  DirectControl can now join a domain in Express mode, which, like auto-zone mode, is a special mode that does not use or require a zone. In these release notes, all references to auto-zone mode apply equally to Express mode unless specifically excluded.

* Configuration parameters
  * New configuration parameters
    The following configuration parameters have been added to /etc/centrifydc/centrifydc.conf:
    * gp.disk.space.min
      Specifies the minimum free disk space in KB required for a group policy update. If the free disk space in any folder listed in gp.disk.space.check.folders (see below) is less than this value, group policy settings are not updated. The default is 5120 KB. 0 means "do not check free disk space".
    * gp.disk.space.check.folders
      Specifies the folders whose free disk space is checked. If the free space in any listed folder is less than the value of gp.disk.space.min, group policy settings are not updated. The default is "/,/etc,/var".
    * adclient.get.group.membership
      Controls whether group membership is retrieved from Active Directory at login. The default is true, meaning that a user's group memberships are retrieved from Active Directory when the user logs in. Setting this property to false prevents this and can improve login times in auto-zone mode when a user belongs to a large number of Active Directory groups.
    * adclient.dns.response.factor
      This parameter is used with adclient.dns.response.maxtime to determine the maximum time allotted to resolving DC addresses. By default the factor is 3 and the maxtime is 9, giving 27 seconds for DC address resolution. In correctly functioning systems DC addresses should be resolved in less than 3 seconds. (Both parameters are removed again by the new DNS subsystem in 4.4.3; see section 2.)
  * Modified configuration parameters
    pam.allow.groups, pam.allow.users, pam.deny.groups and pam.deny.users now support a comma-separated list of users or groups. Alternatively, a file may be specified that contains the list of users or groups to use.

* Administration console
  * A new column has been added to the Computer Report and the Computer Summary Report to show the date and time the computer password was last changed.

* Group policies
  * Mac OS X Settings -> Login Settings
    Enabling this group policy allows you to open frequently used items, such as applications, folders or server connections, when a user logs in.

* CLI changes
  * adcheck now checks the CRLE path to ensure it contains the paths that DirectControl requires.
  * New parameter -t / --reset added to adleave
    This parameter allows a computer with a pre-created computer account to reset its Active Directory information so that it can re-join the domain, for example:
      adjoin --precreate --name computername -p adminpassword ...
      adjoin --selfserve
      adleave --reset
      adjoin --selfserve
      adleave --reset
      ...
    Note that a password passed with -p is visible in the process list and shell history; the CLIs can read it from standard input instead (see section 2.10).
  * New parameter -W / --userWorkstations added to adquery
    This parameter displays the value of the userWorkstations attribute. Note that the -A (all) parameter has been updated to include the userWorkstations attribute as well.
  * New parameter -F added to adquery to allow reading from the cache rather than forcing a read through to Active Directory. This should make adquery faster with large user populations.
  * New parameter -G / --gc added to adinfo to report the connected Global Catalog.
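The following is an added example, not Centrify code, covering two of the 4.4.0 configuration parameters described above in this section: it parses a constructed centrifydc.conf fragment, expands the pam.allow.*/pam.deny.* lists from either the inline comma-separated form or a referenced file, decides whether a login passes, and evaluates the gp.disk.space.min / gp.disk.space.check.folders rule. Three things are assumptions rather than facts from the page: the list file is referenced as "file:/path" and holds one name per line with "#" comments; a user matched by a deny list is denied even if also matched by an allow list; and the free-space probe is passed in as a function so the check can be exercised with constructed numbers (in production it would be shutil.disk_usage(path).free // 1024).

```python
"""centrifydc.conf parsing, pam.allow/deny evaluation and the group policy
free-space check (added example, not Centrify code)."""

from typing import Callable, Dict, Iterable, List

# Constructed configuration fragment.  Commented-out keys show the default in
# the comment and contribute nothing, as in the shipped centrifydc.conf.
SAMPLE_CONF = """\
# pam.allow.users:
pam.allow.groups: unix-admins, sre-oncall
pam.deny.users: file:/etc/centrifydc/users.deny
# gp.disk.space.min: 5120
gp.disk.space.min: 2048
gp.disk.space.check.folders: /,/var
"""

# Constructed contents of the referenced list file.
SAMPLE_FILES = {
    "/etc/centrifydc/users.deny": "# contractors whose access ended\nmallory\n  trent  # pending review\n",
}


def parse_centrifydc_conf(text: str) -> Dict[str, str]:
    """'key: value' per line; lines starting with '#' are comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)   # first colon only: values may hold "file:/..."
        conf[key.strip()] = value.strip()
    return conf


def resolve_list(value: str, read_file: Callable[[str], str]) -> List[str]:
    """Expand an inline comma list, or a 'file:/path' reference (assumed syntax),
    into a list of names."""
    value = value.strip()
    if not value:
        return []
    if value.startswith("file:"):
        names = []
        for raw in read_file(value[len("file:"):]).splitlines():
            name = raw.split("#", 1)[0].strip()
            if name:
                names.append(name)
        return names
    return [n.strip() for n in value.split(",") if n.strip()]


def login_allowed(user: str, groups: Iterable[str], conf: Dict[str, str],
                  read_file: Callable[[str], str]) -> bool:
    groups = set(groups)

    def names(key: str) -> List[str]:
        return resolve_list(conf.get(key, ""), read_file)

    if user in names("pam.deny.users") or groups & set(names("pam.deny.groups")):
        return False                       # deny wins over allow (assumption)
    allow_users, allow_groups = names("pam.allow.users"), names("pam.allow.groups")
    if not allow_users and not allow_groups:
        return True                        # no allow list configured: not denied means allowed
    return user in allow_users or bool(groups & set(allow_groups))


def gp_update_permitted(conf: Dict[str, str], free_kb: Callable[[str], int]) -> bool:
    """False if any checked folder has less than gp.disk.space.min KB free."""
    min_kb = int(conf.get("gp.disk.space.min", "5120"))
    if min_kb == 0:
        return True                        # 0 disables the check
    folders = [f.strip() for f in conf.get("gp.disk.space.check.folders", "/,/etc,/var").split(",") if f.strip()]
    return all(free_kb(f) >= min_kb for f in folders)


if __name__ == "__main__":
    conf = parse_centrifydc_conf(SAMPLE_CONF)
    rf = SAMPLE_FILES.__getitem__
    print(login_allowed("alice", ["sre-oncall"], conf, rf))     # True
    print(login_allowed("mallory", ["unix-admins"], conf, rf))  # False: listed in the deny file
    print(login_allowed("bob", ["developers"], conf, rf))       # False: not in an allow group
    print(gp_update_permitted(conf, {"/": 10000, "/var": 1024}.__getitem__))  # False: /var too low
```

The deny file is read on every decision here, which mirrors why keeping such files root-owned and not world-writable matters: anyone who can edit it can lift a denial.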
  * New parameter -n / --nfs added to adfixid
    If specified, this parameter causes adfixid to recurse into directories on NFS filesystems.

* Mac OS X
  * Support is now included for mobile users whose home directory is on an NFS-mounted share.
  * On Mac OS X 10.5 and later, FileVault is now supported.

* Miscellaneous
  * Support is added for the following new operating systems:
    - OpenSolaris 2008-11 SPARC
    - OpenSolaris 2008-11 x86
    - SuSE Linux Enterprise Server 10 IA64
    - SuSE Linux Enterprise Server 11 (32- and 64-bit)
    - SuSE Linux Enterprise Server 11 PPC
    - SuSE Linux Enterprise Desktop 11 (32- and 64-bit)
    - OpenSuSE 11.2 (32- and 64-bit)
    - Red Hat Enterprise Linux 4.8 and 5.4 (32- and 64-bit)
    - Red Hat Enterprise Linux 4.8 and 5.4 IA64
    - Red Hat Enterprise Linux 4.8 and 5.4 PPC
    - Fedora 11 (32- and 64-bit)
    - Fedora 12 (32- and 64-bit)
    - CentOS 5.3 (32- and 64-bit)
    - Scientific Linux 5.3 (32- and 64-bit)
    - Mandriva Linux 2009.1 One
    - Debian Linux 5 (32- and 64-bit)
    - Ubuntu Desktop 9.04 and 9.10 (32- and 64-bit)
    - Ubuntu Server 9.04 and 9.10 (32- and 64-bit)
    - VMware ESX 4
    - VMware VIMA 4
    - Apple Mac OS X 10.6
    - Apple Mac OS X Server 10.6
    - Microsoft Windows 2008 R2
    - Microsoft Windows 7
  * Support is added for the following service packs and patch bundles:
    - HP-UX 11.31 March 2009
    - Solaris 10 5/09 (update 7)
  * Solaris LDOMs are now supported.
  * Kerberos vulnerability patched: CVE-2009-4212 (integer underflow). Please refer to the following KB article in the Centrify support portal:
    - KB-1520: Does "krb5 vulnerability CVE-2009-4212" apply to DirectControl?

2.4. New Features in DirectControl 4.3.0

* Support is now provided for AIX system and application WPARs.
* Improved AppArmor integration. DirectControl is now added to the AppArmor configuration automatically rather than requiring manual configuration.
* All zones can now be opened automatically in the Administrator Console rather than just the Default zone.
* Miscellaneous
  * Support is added for the following new operating systems:
    - SuSE Linux Enterprise Server 10 PPC
    - SuSE Linux Enterprise Server 10 SP2 on S/390x (64-bit)
    - OpenSuSE 11.0 (32 and 64-bit)
    - OpenSuSE 11.1 (32 and 64-bit)
    - Red Hat Enterprise Linux 5.3 (32 and 64-bit)
    - Red Hat Enterprise Desktop 5.3 (32 and 64-bit)
    - Red Hat Enterprise Linux 5.0 IA64
    - Red Hat Enterprise Linux 5.1 IA64
    - Red Hat Enterprise Linux 5.2 IA64
    - Red Hat Enterprise Linux 5.3 IA64
    - Red Hat Enterprise Linux 5.0 PPC
    - Red Hat Enterprise Linux 5.1 PPC
    - Red Hat Enterprise Linux 5.2 PPC
    - Red Hat Enterprise Linux 5.3 PPC
    - Fedora 10 (32 and 64-bit)
    - CentOS 3.9 (32 and 64-bit)
    - CentOS 4.7 (32 and 64-bit)
    - CentOS 5.1 (32 and 64-bit)
    - CentOS 5.2 (32 and 64-bit)
    - Scientific Linux 3.0.9 (32 and 64-bit)
    - Scientific Linux 4.6 (32 and 64-bit)
    - Scientific Linux 4.7 (32 and 64-bit)
    - Scientific Linux 5.1 (32 and 64-bit)
    - Scientific Linux 5.2 (32 and 64-bit)
    - Mandriva 2009 one
    - Citrix XenServer 5
    - Ubuntu Desktop 8.10 (32 and 64-bit)
    - Ubuntu Server 8.10 (32 and 64-bit)
  * Installation integrity checker added to adinfo --diag and --support for Solaris.
  * Added a new property adclient.dns.terminate.hostnames with default true. Set it to false to use /etc/hosts rather than DNS.
  * Kerberos vulnerability patched: CVE-2009-0846 (MITKRB5-SA-2009-002), ASN.1 decoder vulnerability. Please refer to the following KB article in the Centrify support portal:
    - KB-1619: Does "Kerberos ASN decoder vulnerability CVE-2009-0846 (MITKRB5-SA-2009-002)" apply to DirectControl?

2.5. New Features in DirectControl 4.2.2

* None. This is a bug fix release only.

2.6. New Features in DirectControl 4.2.1

* None. This is a bug fix release only.

2.7. New Features in DirectControl 4.2.0

* Workstation Mode
  The Mac version of DirectControl now supports a Workstation mode, which does not require creation of a zone or use of the DirectControl console. See the Administrator's Guide for Mac OS X for more information.
* Infinite Kerberos Renewal
  If configured to do so, DirectControl renews a user's Kerberos credentials indefinitely, as long as the user is logged in or a process owned by that user still exists. This is enabled by setting the property krb5.cache.infinite.renewal to true in centrifydc.conf or via Group Policy.
* AIX User Attributes
  DirectControl now supports the standard set of AIX extended user attributes (su, ttys, umask, ...). In this release, these attributes are only supported via the UNIX adupdate and adquery command line interfaces. Support in the DirectControl console for editing and reporting on these attributes will be added in a future release.
* MIT Kerberos Realm Users
  DirectControl now supports Active Directory users whose login credentials are stored in a trusted MIT Kerberos realm. Active Directory users must be configured as documented in the following Microsoft TechNet document:
  http://technet.microsoft.com/en-us/library/bb742433.aspx
* Performance Improvements
  * The DirectControl UNIX agent cache performance has been greatly improved.
  * Two new properties have been added which can improve login speed of non-zone-enabled users:
      adclient.user.lookup.displayName
      adclient.user.lookup.cn
    See the DirectControl Configuration Guide or the comments in /etc/centrifydc/centrifydc.conf for more information.
  * The performance of pam.allow/deny groups and password overrides has been greatly improved.
  * The performance of login when there are thousands of groups defined in the zone has been greatly improved.
* CLI changes
  * adquery group now reports the type of Active Directory group.
  * The command adcheck is now included to analyze the current OS and Active Directory environment and verify that DirectControl can be installed and deployed successfully. This command can also be downloaded from the Web site and run as a standalone program prior to installing DirectControl.
  * adinfo can now detect and warn when a domain is running in Windows 2000 mixed (NT domain compatibility) mode, but may require user credentials to do so if the domain controller is Windows 2003 or later.
* /etc/centrifydc/centrifydc.conf
  * The following new properties can now be set in centrifydc.conf or via Group Policy. See the Configuration Parameters Guide for more information.
      adclient.autoedit.mac.netlogin
      adclient.azman.refresh.interval
      adclient.mac.map.home.to.users
      adclient.os.name
      adclient.os.version
      adclient.paged.search.return.max
      adclient.user.computers
      adclient.user.lookup.cn
      adclient.user.lookup.display
      adclient.zone.group.count
      addns.wait.time
      adjust.offset.time
      auto.schema.private.group
      auto.schema.remote.file.service
      auto.schema.use.adhomedir
      dns.block
      gp.user.login.run
      krb5.cache.infinite.renewal
      logger.memory.bufsize
      logger.memory.enabled
      logger.memory.log
      mac.dsplugin.pwcache.lifetime
  * The following properties apply to AIX only:
      aix.user.attr.admin
      aix.user.attr.admgroups
      aix.user.attr.daemon
      aix.user.attr.rlogin
      aix.user.attr.su
      aix.user.attr.sugroups
      aix.user.attr.tpath
      aix.user.attr.ttys
      aix.user.attr.umask
      aix.user.attr.fsize
      aix.user.attr.core
      aix.user.attr.cpu
      aix.user.attr.data
      aix.user.attr.rss
      aix.user.attr.stack
      aix.user.attr.nofile
* Miscellaneous
  * The UNIX agent can be configured to ignore specific domain controllers by host name via the property dns.block.
  * The krb5.conf format is now compatible with more third-party applications.
  * Group policies have been added for DirectControl NIS configuration. See the Administrator's Guide for more information.
  * The sidHistory attribute is now supported for zone users and groups who are migrated from one domain to another.
  * The addns command is now run by default when adclient is started, to register the current host name with DNS.
    To disable this feature, set the centrifydc.conf property adclient.dynamic.dns.enabled: false
  * DirectControl now supports read-only Windows 2008 domain controllers.
  * The DirectControl agent uses AES encryption by default when communicating with Windows 2008 domains. Other encryption types can be specified in centrifydc.conf or via Group Policy.
  * Support is added for the following new operating systems:
    - Red Hat Enterprise Linux 5.2 (32 and 64 bit)
    - Red Hat Enterprise Desktop 5.2 (32 and 64 bit)
    - Fedora 9 (32 and 64 bit)
    - CentOS 4.6 (32 and 64 bit)
    - Mandriva 2008 one
    - Citrix XenServer 4.1
    - Ubuntu Desktop 8.04 (32 and 64 bit)
    - Ubuntu Server 8.04 (32 and 64 bit)

2.8. New Features in DirectControl 4.1.2

* None. This is a bug fix release only.

2.9. New Features in DirectControl 4.1.1

* Support is added for the following new operating system:
  - Red Hat Enterprise Linux 4 on an IBM Power PC platform. Use the Red Hat Enterprise Linux 3 / PPC package.
* A new centrifydc.conf property has been added to prevent the modification of the shell setting for denied users. See pam.deny.change.shell in /etc/centrifydc/centrifydc.conf for more information.
* User Group Policy is now disabled by default on all platforms except the Apple Mac. This setting can be controlled via Computer Group Policy.

2.10. New Features in DirectControl 4.1.0

* Upgrade Issues
  * Centrify DirectControl for Apache 4.0 must be removed and upgraded to 4.1 with this release.
  * The mapped root user feature is disabled by default in this release. You can use group policy or edit the centrifydc.conf file to enable it. Note, however, that the feature remains enabled after upgrading to 4.1.0 if mapping was in use before the upgrade, so existing mappings continue to work.
* Performance Improvements
  * Users who are members of hundreds of groups in Active Directory now authenticate much faster.
  * adclient now caches DNS requests.
    There are new GP and centrifydc.conf settings to configure this. See:
      * adclient.dns.cache.size
      * adclient.dns.update.interval
  * adclient now accepts much larger UDP DNS responses. See dns.max.udp.packet.
  * The Delegation Report in the console should be much faster and can handle large domains.
* CLI changes
  * New command addns implements secure DNS updates with Active Directory. addns can only be run by a user with root privileges.
  * adupdate and adkeytab can now use Kerberos credentials.
  * adinfo has a new mode "starting", used when adclient is starting up but is not yet answering requests.
  * adjoin returns a standard list of error codes (see documentation).
  * All CLIs which prompt for a password can also read it from a pipe:
      cat /etc/secret | adjoin wonder.land
    A file used this way holds the join credentials and should be readable only by root.
  * adupdate now reads its defaults from the zone settings, not centrifydc.conf.
  * adupdate can now generate user passwords. See -W. adupdate -W should be used in conjunction with the -C switch.
  * adupdate and adjoin now prompt for "user@domain.name's password:".
* /etc/centrifydc/centrifydc.conf
  * Most centrifydc.conf parameters are commented out by default (the default value is given in the comment).
  * The properties nss.min.uid and nss.min.gid have been removed. Instead, the users and groups to ignore are generated automatically from the user.ignore and group.ignore files.
  * krb5.cache.cleanup is now in cdc mode by default (as previously documented).
  * The mapped root user is disabled by default.
* Miscellaneous
  * Private groups are now generated automatically. When adding a user, click "Browse" next to Primary Group and select Auto-private. No associated group is created in AD.
    If you want the old behavior, create a group using ADUC and UNIX-enable that group.
  * New property adclient.local.group.merge merges local group membership with AD groups that have matching names and gid.
  * DirectControl now supports the Windows 2008 domain and forest functional level.
  * Support is added for the following new operating systems:
    - AIX 6.1
    - SuSE Linux Enterprise Server 9 on Power PC
    - OpenSuSE 10.3 (32 and 64 bit)
    - Red Hat Enterprise Linux 3 on Power PC
    - Red Hat Enterprise Linux 4 on Intel Itanium
    - Red Hat Enterprise Linux 5.1 (32 and 64 bit)
    - Red Hat Enterprise Desktop 5.1 (32 and 64 bit)
    - Fedora 8 (32 and 64 bit)
    - Scientific Linux 4.5 (32 and 64 bit)
    - VMWare ESX 3.5
    - Ubuntu Desktop LTS 6.06 (64 bit)
    - Ubuntu Desktop 7.04 (64 bit)
    - Ubuntu Desktop 7.10 (32 and 64 bit)
    - Ubuntu Server LTS 6.06 (32 bit)
    - Ubuntu Server 7.04 (32 bit)
    - Ubuntu Server 7.10 (32 and 64 bit)
    - Mac OS X 10.5 (Power PC and Intel)
    - Mac OS X Server 10.5 (Power PC and Intel)

2.11. New Features in DirectControl 4.0.0

* All-new reporting subsystem for the DirectControl Management Console
* All-new Group Policy user interface using a Group Policy Object Editor snap-in
* All-new Web-based management console
* Pre-created / joined computer accounts may be defined in the Management Console
* Pre-validated offline accounts
* Agent version is now reported for joined computers in the Management Console
* New account administration CLI tools: adupdate, adquery, adsetgrps, adcache, adid, adreload
* The Centrify NIS server now supports agentless mode
* The Centrify NIS server now supports additional map types
* Large UNIX groups are now supported by the Centrify NIS server
* Use of nscd and pwgrd is now supported
* An LDAP proxy is provided
* Support is added for the following operating systems:
  - HP-UX 11i v3 (HP-UX 11.31) PA-RISC
  - HP-UX 11i v3 (HP-UX 11.31) Itanium
  - Oracle Enterprise Linux 5 (32 and 64 bit)
  - Citrix XenServer 4
  - VMWare ESX 3.0.2
  - Microsoft Vista (32 bit and 64 bit)
* Security Enhanced Linux and AppArmor are now supported by agents when supported by the underlying operating system. See the SuSE-specific release notes for more information about configuring DirectControl with AppArmor enabled.

3. Bugs Fixed

This release features the following updates:

* AD users can now do offline logins on Mac OS X.
* Screensaver unlock now refreshes the Kerberos credential cache on Mac OS X.
* The screensaver GP on Mac OS X now correctly chooses the active ByHost plist when there are multiple screensaver plist files.
* The Mac sample login/logout scripts have been updated to make them more robust.
* The Mac "Enable login items" group policy UI has been reworked to make it less confusing.
* The disable auto login group policy now works with Mac OS X 10.6.
* Mobile accounts no longer lose admin privileges while disconnected from the corporate network.
* Smart Card and other automatic logins now create Kerberos tickets.
* The trusted root CA certificates specified by the following Windows GP:
    Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certificate Authorities
  are now installed in the Mac system keychain.
* adclient no longer goes into disconnected mode after a reboot on Fedora 11 and later.
* The /etc/centrifydc/centrifydc.conf parameter adclient.iterate.private.groups now functions as described in the Configuration Parameters Guide.
* adclient and adquery no longer hang after a kernel upgrade on Solaris when DirectAuthorize is enabled.
* adclient now correctly renews the TGT and service tickets from other domains.

4. Known Issues

The following sections describe common known issues or limitations associated with this Centrify DirectControl release. They are categorized as follows:
  - DirectControl Administrator Console
  - DirectControl Web Console
  - Report Center
  - Group policies
  - Zone Conversion
  - Zonegen
  - DirectControl agents
  - DirectControl NIS server (adnisd)

In addition to the known issues described in these sections, you should review the details in the appropriate platform-specific release-notes-agent.txt file for the operating environments you support.

DirectControl Administrator Console

* Uninstalling the Administrator Console while it is open on Windows 2008
  If you attempt to uninstall the Administrator Console on Windows 2008 while the Console is still open, InstallShield will report twice that files are still in use. To continue the uninstall, click Retry each time and the uninstall will complete correctly.
* Delegating zone administration permissions for SFU zones
  Although you may delegate permissions to add, remove or modify users in all types of zone in the Zone Delegation Wizard, the permissions do not take effect in an SFU zone. This means that you cannot delegate these administrative permissions for SFU zones.
* UID does not automatically increment when adding users through the Welcome page
  When adding users to a zone, the UID used is automatically incremented each time. However, if you use the Add User to Zone feature on the Administrator Console welcome page, the UID is not incremented after the user is added. In this case you should remember to check the UID and reset it as necessary when adding subsequent users.
* NIS domain name with adnisd
  The NIS domain name in the DirectControl Administrator Console zone properties page is currently ignored by adnisd. The NIS domain name defaults to the name of the zone, or can be overridden in /etc/centrifydc/centrifydc.conf via the property nisd.domain.name. This will be fixed in a future release.
* Cannot add groups from child domains to an SFU zone
  DirectControl does not support adding objects from a child domain into an SFU zone. You should choose only objects from the local domain.
* Users delegated to import into a zone also gain rights to modify profiles
  Any user who is given the right "Import users and groups to zone" is automatically also given the right "Modify user/group profiles". Delegate the import right only to users you would also trust to modify profiles.
* Working with users in a remote forest
  When searching for users in a remote forest, the remote forest is incorrectly shown as a sub-member of the local forest. This is only a display issue; users are correctly added from the remote forest. It will be resolved in a future release.
* Secondary groups not imported from XML files
  Using the Import Wizard to import user information from XML files does not import secondary group membership.
* Using domain local groups to manage resources
  Domain local groups can only be used to manage resources in the same domain as the group. For instance, a domain local group in domain A may be used to manage a computer in domain A but not one in domain B, despite a trust relationship between the two domains.
* Domain local groups from other domains shown in the search dialog
  When using the search dialog in the Administrator Console to delegate zone control to a group, domain local groups from child domains are incorrectly shown in the results and should be ignored. The search results when using the ADUC extension do not show these domain local groups.
* Analyze Forest and SFU zones
  The Analyze Forest feature in the Administrator Console does not report on empty zones or on duplicated users or groups in the zone.
* Cannot use Find Profiles if an orphan user or group exists in the zone
  You should remove all orphan users and groups from a zone before using the Find Profiles... context menu item on the zone node. Failing to remove orphan users and groups before using this feature results in an unexpected error.
* Uninstalling Console component uninstalls help
  If you uninstall the Group Policy Object Editor Extension, the NIS maps extension or the Centrify Zone Generator, this also uninstalls the online help feature, the Quickstart Guide and the Administrator Guide. To avoid this, you should uninstall the entire DirectControl Administrator Console package and then install the components that you need.

* Using the Administrator Console and NetIQ GPA
  There are some minor user interface behavioral changes in the right-hand pane of the Centrify Administrator Console when running with NetIQ GPA:
  - You cannot double-click an object to open its properties. However, right-clicking on the object and choosing Properties will open the property page in the usual way.
  - Administrator Console icons are replaced by default Windows icons.

DirectControl Web Console

* SP1 is required on Vista
  On Windows Vista, Service Pack 1 is required in order to host the DirectControl Web Console.

* Running the configuration program on Windows 2008 and Vista
  The Web Console installation program is run as a local Administrator. On Windows 2008 and Windows Vista, this means that you should also run the Configure Web Console application as a local administrator. To do this, right-click on All Programs->Centrify->DirectControl->Web Console->Configure Web Console, choose Run As..., and then choose the local administrator account.

* The next page button remains disabled once it has been disabled
  When paging through a list of users in the right pane of the Web Console, if the next page button is disabled (because there is only one page, or on reaching the last page of a list), the button will not be re-enabled the next time there are multiple pages to display. To work around this, left-click on the zone node and then left-click on the users node again; the next page button will be re-enabled.
Report Center

* Cannot delegate control of an SFU zone from the Report Center
  It is not possible to delegate control of an SFU zone from within the Report Center. To delegate SFU zone control, right-click on the SFU zone node in the left pane.

* Color and font change in Report Center occasionally fails
  Changing the font or colors in a report occasionally fails, even though the Format dialog shows the chosen font and color when they are made. Re-opening the Format dialog and changing the color and/or font again will correctly set the choices for the report.

* Extra results when analyzing duplicate service principal names
  When running the Analyze / Duplicate Service Principal Names report, kadmin/changepw is incorrectly returned as a duplicate. The SPN is in fact found multiple times, but this is by Microsoft design, as it is the default account for the Key Distribution Center service in all domains.

Group policies

* Precedence rules for merged multi-line group policies have changed
  There are four group policies that can merge the lines of different GPOs into a resulting group policy. The precedence rules used to merge these multi-line policies have changed. For the policies to merge, the policy in each GPO must be enforced. Policies with higher precedence will be placed lower in the resulting multi-line policy.

* Disable does not function with Allow Groups group policy
  Disabling the group policy Computer Configuration > Centrify Settings > Centrify SSH Settings > Allow Groups does not disable the policy. To effectively disable groups of users, the group should be removed from the Group Policy Object.

* Entering multi-line password prompt group policies
  Multi-line group policies are supported; however, an escaped newline character "\\n" must be used.

* Default value for the NIS daemon update interval
  In the Administrator Guide the default for this value is shown as 5 minutes, but in the Group Policy user interface it is shown as 4 minutes.
  The correct value is 5 minutes, and the Group Policy user interface will be updated to reflect this in a future release.

Zone Conversion

* Using zone conversion with orphan groups
  Before using zone conversion you should ensure that you have fixed all orphan groups in the zone.

* Cannot select Zone Settings after zone conversion
  After converting a standard zone to an RFC 2307 zone, you should close the zone and then reopen it. If you attempt to open Zone Settings for the converted zone without closing and reopening it, the Zone Settings dialog will not open.

* Agent does not automatically recognize in-place zone conversion
  If a standard zone is converted in place to an RFC 2307 zone using the Administrator Console, UNIX agents do not automatically become aware of the change. The following should be run on each agent connected to the zone:

    echo -n CDC_RFC_2307 > /var/centrifydc/kset.schema

  and then adclient should be restarted.

Zonegen

* Merging zones with duplicate UIDs and GIDs using Zonegen
  Zonegen does not support merging zones with duplicate UID and GID values in this release. The following is an example of duplicate UID and GID values that is not supported by zonegen:

    ZoneA: users u1 and u2 with UIDs 1000 and 1001
           groups g1 and g2 with GIDs 20000 and 20001
    ZoneB: users bu1 and bu2 with UIDs 1000 and 1001
           groups bg1 and bg2 with GIDs 20000 and 20001

DirectControl agents

* Cross forest groups are not supported in the pam.allow.groups or pam.deny.groups property setting.

* Working with large Active Directory groups
  Centrify recommends a practical maximum of 200 users per Active Directory-enabled group. Groups with more than 10,000 users have been tested with DirectControl and found to function; however, larger groups will slow login performance to what may be considered an unacceptable level.

* Using the --notime option with adjoin
  If the --notime option is used when running adjoin, the centrifydc.conf parameter adclient.sntp.enabled is not updated to false.
  This means that subsequent adjoin operations also need to specify the --notime option if required.

* Attempted logins by non-zone members
  If an AD user who is not a member of the zone attempts to log in, subsequent login attempts by that user will fail for a period of 15 minutes from the time of the last unsuccessful login, even if the user is made a member of the zone in the meantime. This lockout may be worked around by running adflush, by logging in using the user's UNIX name (if different from the AD name), or by logging in using the computer's GUI rather than ssh or telnet.

* adsmb cannot use current Active Directory user's credentials
  When using adsmb you should always specify the credentials to use; it will not assume that the current user's credentials should be used.

* RSA Authentication Agent for Windows
  Computers using DirectControl software are not able to authenticate to domain controllers running RSA Authentication Agent for Windows. To use DirectControl on these computers, it is necessary to disable the RSA Authentication Agent.

* Use of rsh and rcp with DirectControl
  rsh and rcp are considered archaic methods and should not be used with DirectControl, as their behavior cannot be guaranteed in all circumstances.

* Change password and rsh / rlogin
  When using rsh or rlogin to access a computer that has DirectControl installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.

* Finding global catalog information with adfinddomain
  When the global catalog is located in the root domain and the computer where a user is running adfinddomain is joined to a child domain, it is possible that adfinddomain will report that it is unable to find the global catalog when it is run with:

    adfinddomain

  If adfinddomain is run from a computer that is joined to the root domain, it will correctly find the global catalog.
* Working with /var mounted via NFS
  If /var is mounted via NFS then, in order for DirectControl to function correctly, it is necessary to use the adclient.clients.socket parameter in /etc/centrifydc/centrifydc.conf to point to a local directory. In addition, you should make a symlink from /var/centrifydc/daemon to the local directory you have chosen.

* Changing the password of an orphan user with adpasswd
  adpasswd should not be used to change the password of an orphan user. If it is used, the following error will be generated:

    Error: Unsuccessful IPC execute: system error

* Use of pam.allow.users
  When using pam.allow.users in /etc/centrifydc/centrifydc.conf to specify the users that are allowed to log in to a particular computer, either the SAMAccountName or the UNIX name should be used to identify the users.

* Working with adclient.client.idle.timeout
  This property is only read at startup, so if it is changed adclient must be restarted. There is a Group Policy setting for this property, but changing it has no effect until adclient is restarted on the affected machines.

* Use of adpasswd with cross domain users
  The use of adpasswd with cross domain users is not supported in this release. Use the passwd command to change the password of cross domain users.

* Use of adupdate by non-administrators
  adupdate uses the current user's Kerberos credentials when -a is not specified on the command line. To run the command as an administrator you should do one of the following:
  - use "-a " on the command line
  - use "-p " on the command line
  - run "kinit " before using adquery
  - give the current AD user rights to create users

* Using adkeytab to change account passwords
  To change a service account password using adkeytab, you should ensure that there is at least one Service Principal Name (SPN) associated with that service account. Attempting to change the service account password for an account without an SPN is not supported in this release.
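The /var-on-NFS workaround described above, as an added shell example that is not Centrify's code: an idempotent setter and getter for the "parameter: value" lines in /etc/centrifydc/centrifydc.conf, used to point adclient.clients.socket at a local directory and replace /var/centrifydc/daemon with a symlink to it. The function names, the local directory /usr/local/centrifydc/daemon and the --apply guard are this example's own choices; every path is passed as an argument so the functions can be tried on a scratch copy of the file first.

```shell
#!/bin/sh
# Added example, not part of DirectControl: edit "key: value" lines in
# centrifydc.conf idempotently and apply the release-notes workaround for
# /var mounted over NFS. All paths are parameters so the functions can be
# exercised against a scratch copy of the file.

# Print the value of parameter $2 in conf file $1 (empty if unset).
# Commented-out lines ("# key: value") are ignored.
get_conf_param() {
    awk -v k="$2" '
    {
        line = $0
        sub(/^[ \t]*/, "", line)
        if (substr(line, 1, 1) == "#") next
        if (substr(line, 1, length(k)) == k) {
            rest = substr(line, length(k) + 1)
            if (rest ~ /^[ \t]*:/) {
                sub(/^[ \t]*:[ \t]*/, "", rest)
                print rest
                exit
            }
        }
    }' "$1"
}

# Set parameter $2 in conf file $1 to value $3. An existing live or
# commented-out line for the same key is replaced in place (first hit wins,
# later duplicates are dropped); otherwise the line is appended.
set_conf_param() {
    conf=$1; key=$2; value=$3
    tmp="$conf.$$.tmp"
    awk -v k="$key" -v v="$value" '
    {
        line = $0
        sub(/^[ \t]*#?[ \t]*/, "", line)
        if (substr(line, 1, length(k)) == k && substr(line, length(k) + 1) ~ /^[ \t]*:/) {
            if (!done) { print k ": " v; done = 1 }
            next
        }
        print
    }
    END { if (!done) print k ": " v }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Release-notes workaround: point adclient.clients.socket at a local
# directory ($2) and make the daemon directory ($3, normally
# /var/centrifydc/daemon) a symlink to it.
relocate_client_socket() {
    conf=$1; localdir=$2; daemondir=$3
    mkdir -p "$localdir"
    set_conf_param "$conf" adclient.clients.socket "$localdir"
    if [ -L "$daemondir" ]; then
        rm -f "$daemondir"
    elif [ -e "$daemondir" ]; then
        mv "$daemondir" "$daemondir.orig"   # keep the NFS-backed original
    fi
    mkdir -p "$(dirname "$daemondir")"
    ln -s "$localdir" "$daemondir"
}

# True if the filesystem holding $1 is NFS (device looks like host:/export).
is_nfs_mount() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 && $1 ~ /^[^\/]+:\// { ok = 1 } END { exit !ok }'
}

# Usage on the real system (as root): ./relocate_socket.sh --apply
# The local directory below is a constructed choice.
if [ "${1:-}" = "--apply" ]; then
    if is_nfs_mount /var; then
        relocate_client_socket /etc/centrifydc/centrifydc.conf \
            /usr/local/centrifydc/daemon /var/centrifydc/daemon
    else
        echo "/var is local; nothing to do"
    fi
fi
```

The setter deliberately treats a commented-out "# key: value" line as the place to put the live value, so a parameter that the stock file documents in a comment is uncommented rather than duplicated at the end of the file; the same two functions serve any other centrifydc.conf parameter mentioned in these notes.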
* PAM messages depend on operating system
  Configurable PAM messages will be shown inconsistently depending on the login method, daemon version and operating system version.

* adquery merges results for groups with no members
  Groups that have no members do not have a newline after the GID when output by adquery.

* nss.minuid and nss.mingid are no longer used
  These have been replaced by user.ignore and group.ignore. DirectControl will ignore the local uid and gid values which correspond to the users and groups in the .ignore file and generate a uid.ignore and gid.ignore file. The values from nss.minuid and nss.mingid will be added to this file during the upgrade process.

* adclient -c no longer supported
  To modify core dump behavior you should edit the adclient.dumpcore property in /etc/centrifydc/centrifydc.conf.

* Logging in while in disconnected mode
  In disconnected mode the UNIX name or the Windows login name should be used for logging in. The Active Directory display name is not guaranteed to be unique and may not allow the user to authenticate.

* Invalid argument reported when running id on a user whose uid or gid is zero
  If you use the id command to display user and group information about a user whose uid or gid is zero, a message is displayed warning of an invalid argument, for example:

    bash-3.1# id user1
    setgroups: Invalid argument
    uid=4294967294(nobody) gid=4294967294(nogroup) groups=3(sys),0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)

  This message is a side effect of the nss.squash.root feature and can be safely ignored.

* Use of addns on computers that act as network gateways
  UNIX computers that act as gateways between different networks may require the addns command line to be specified so that the correct network adapter IP address is registered in Active Directory's DNS. Set the adclient.dynamic.dns.command property in /etc/centrifydc/centrifydc.conf to the addns command line necessary to select the correct network interface and IP address.
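The adquery newline issue above, as an added example that is not Centrify's code: a filter that re-inserts the newline adquery omits after an empty group's GID, so that a script consuming the output sees one record per line again. It assumes that adquery prints groups as /etc/group-style records (name:password:GID:member,member); that format, the function names and the sample records are this example's own assumptions and constructions.

```shell
#!/bin/sh
# Added example, not part of DirectControl. Assumes adquery prints groups
# as /etc/group-style records:  name:password:GID:member,member
# Known issue: an empty group gets no newline after its GID, so the next
# record is glued onto the same line, e.g. (constructed)
#   empty:x:5000:dev:x:5001:bob,carol
# normalize_group_output splits such lines back into one record each.
# Blank input lines are dropped.
normalize_group_output() {
    awk '
    {
        line = $0
        while (line != "") {
            # A record header: name, password field, numeric GID and
            # (when present) the colon that opens the member list.
            if (!match(line, /^[^:]+:[^:]*:[0-9]+:?/)) { print line; break }
            hdr = substr(line, 1, RLENGTH)
            rest = substr(line, RLENGTH + 1)
            # Member names never contain ":", so if the remainder itself
            # starts with a record header, the group before it was empty.
            if (match(rest, /^[^:]+:[^:]*:[0-9]+:?/)) {
                sub(/:$/, "", hdr)
                print hdr ":"
                line = rest
            } else {
                print hdr rest
                line = ""
            }
        }
    }'
}

# Number of records that were glued to the preceding line in the input
# (useful when auditing a dump of adquery output).
count_glued_records() {
    input=$(cat)
    before=$(printf '%s\n' "$input" | awk 'NF { n++ } END { print n + 0 }')
    after=$(printf '%s\n' "$input" | normalize_group_output | awk 'NF { n++ } END { print n + 0 }')
    echo $((after - before))
}

# Usage on a real system:  adquery group | normalize_group_output
```

The header regex accepts a GID with or without the trailing colon, so the filter works whether adquery drops only the newline or the colon as well; the one case it cannot disambiguate is a group name that begins with a digit immediately following an empty group's GID.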
* Working with users defined in a Kerberos realm
  DirectControl supports users defined in a Kerberos realm as long as the Kerberos domains / realms are resolvable by DNS. Kerberos realm names are case sensitive, so care should be taken to check the spelling / case of any realm used.

DirectControl auto-zone mode

* One-way cross forest trusts not supported in auto-zone mode
  Users from a remote forest that is trusted via a one-way cross forest trust are not supported in auto-zone mode in this version of DirectControl.

DirectControl NIS server (adnisd)

* adnisd cannot create derived map mail.byaddr
  In this release, adnisd cannot create the derived map mail.byaddr from mail.aliases. If mail.byaddr is needed, it should be imported as a standalone map.

For the most up-to-date list of known issues with DirectControl 4.4.3, please refer to Knowledge Base article KB-1870 in the Centrify Support Portal.

5. Additional Information and Support

In addition to the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations, as well as tips and suggestions, in the Centrify Knowledge Base.

The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately. For more information, see the Centrify Resource Center Web site:

http://www.centrify.com/resources/application_notes.asp

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify DirectControl, send email to support@centrify.com or call 1-408-542-7500, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.