Centrify® DirectControl® 5.1.0 Release Notes
© 2004-2013 Centrify Corporation. This software is protected by international copyright laws. All Rights Reserved.
Table of Contents
2.1. New Features in DirectControl 5.1.0
2.2. New Features in DirectControl 5.0.5
2.3. New Features in DirectControl 5.0.4
2.4. New Features in DirectControl 5.0.3
2.5. Revised DirectControl 5.0.2
2.5.1. New Features in DirectControl 5.0.2
2.6. New Features in DirectControl 5.0.1
2.7. New Features in DirectControl 5.0.0
3.1. Bugs Fixed in Centrify DirectControl 5.1.0
3.2. Bugs Fixed in Centrify DirectControl 5.0.5
3.3. Bugs Fixed in Centrify DirectControl 5.0.4
3.4. Bugs Fixed in Centrify DirectControl 5.0.3
3.5. Bugs Fixed in Centrify DirectControl 5.0.2
3.6. Bugs Fixed in Centrify DirectControl 5.0.1
4. Known Issues
   Centrify Network Information Service
5. Additional Information and Support
Centrify Suite featuring DirectControl 5.1.0 centralizes authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Suite, enterprises can migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. DirectControl, through Centrify's patented Zone technology, allows organizations to establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. Centrify's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.
An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order in which to perform updates so that all packages continue to work correctly once upgraded. This document is also available in the Centrify Knowledge Base.
2.1. New Features in DirectControl 5.1.0

· DirectManage Access Manager
DirectManage Access Manager is the new name for the DirectControl Administrator Console.
· The License report in Report Center is replaced by the Deployment Report. A Start menu item opens the Deployment Report.
· Windows access and auditing
Centrify Windows agents provide role-based access control, privilege management and auditing on Windows computers. For details, refer to the Administrator's Guide for Windows.
· Migrate from sudo to dzdo
A wizard in DirectManage Access Manager migrates privilege management of UNIX computers from sudoers to Active Directory via the DirectAuthorize features of Centrify Suite. Import the UNIX users and groups and create the computer roles before importing the sudoers file; otherwise the imported roles have no users to be assigned to. Refer to the Administrator's Guide for UNIX for details.
· Import users and groups from the Deployment Manager database
The import users and groups wizard in DirectManage Access Manager can now retrieve user and group data from the Deployment Manager database.
· Forest Analysis in DirectManage Access Manager now also checks for:
- expired profiles storing a SID in sidHistory
- profile schema for cross-forest users
- orphan role assignments
· Configure Auto Zone to limit access
By default every Active Directory user that can authenticate may log in to a computer joined through Auto Zone. You can set configuration parameters or group policies to restrict this to a specified subset of Active Directory users and groups. Refer to the Administrator's Guide for UNIX for details.
· Substitute UID with employee number or employee ID in Auto Zone
Zone Provisioning Agent can use the employee number or employee ID as the UID in the user's UNIX profile.
· Role-based audit rights
Predefined audit rights are built into every role definition. They specify whether, and under what conditions, a user must be audited in order to log in. This feature is only available in hierarchical zones.
New pre-defined role definitions:
- always permit login: users in this role are allowed to log in even if auditing is required but not available.
- scp: predefined system role for granting scp access without explicit SSH login.
- sftp: predefined system role for granting sftp access without explicit SSH login.
- UNIX login: predefined system role that grants typical UNIX user login rights. It was called the "login" role in previous releases.
- Windows login: predefined system role that grants typical Windows user login rights, including console and remote login.
- winscp: predefined system role for granting winscp access.
The pre-defined role definitions are not created for zones that existed before DirectControl was upgraded. Use the "Generated pre-defined roles" context menu to create those roles.
See the Administrator's Guide for UNIX for details.
· Audit trail
Authentication and authorization granted and denied messages are written to syslog. Audit trail messages are identified by the AUDIT_TRAIL token in the message.
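As an added example (not code from these release notes or from Centrify), the following shell function shows one way a detection engineer can consume the audit trail: it scans syslog text for AUDIT_TRAIL messages and reports users with repeated denials. The sample log lines are constructed; only the AUDIT_TRAIL token and the granted/denied wording come from the release notes, and the `user=` field used to attribute events is an assumption about the message layout, so check the exact format your adclient writes before relying on this.

```shell
#!/bin/sh
# Added example, not Centrify code. Counts AUDIT_TRAIL denials per user.
# Assumption: each message carries a "user=<name>" field and the word
# "denied" or "granted"; adjust the match below to the real message layout.

# Constructed sample syslog lines (not captured from a real system).
SAMPLE_LOG='Mar 10 09:00:01 host1 adclient[2312]: AUDIT_TRAIL|PAM|authentication granted|user=alice@example.com service=sshd
Mar 10 09:00:07 host1 adclient[2312]: AUDIT_TRAIL|PAM|authentication denied|user=alice@example.com service=sshd
Mar 10 09:01:12 host1 adclient[2312]: AUDIT_TRAIL|dzdo|authorization denied|user=mallory@example.com command=/bin/sh
Mar 10 09:01:15 host1 adclient[2312]: AUDIT_TRAIL|dzdo|authorization denied|user=mallory@example.com command=/bin/bash
Mar 10 09:01:20 host1 adclient[2312]: AUDIT_TRAIL|PAM|authentication denied|user=mallory@example.com service=sshd
Mar 10 09:02:00 host1 sshd[4100]: Accepted publickey for bob from 10.0.0.5 port 50022 ssh2
Mar 10 09:02:30 host1 adclient[2312]: AUDIT_TRAIL|dzdo|authorization granted|user=bob@example.com command=/usr/sbin/service'

# audit_denials THRESHOLD  < syslog_text
# Prints "user count" for every user with at least THRESHOLD denied events,
# sorted by user name. Lines without the AUDIT_TRAIL token are ignored, so
# ordinary sshd chatter does not pollute the count.
audit_denials() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        /AUDIT_TRAIL/ && /denied/ && match($0, /user=[^ |]+/) {
            u = substr($0, RSTART + 5, RLENGTH - 5)   # strip the "user=" prefix
            n[u]++
        }
        END { for (u in n) if (n[u] >= t) print u, n[u] }
    ' | sort
}

# Wrapper over the constructed sample so the block runs stand-alone;
# in production feed it the real syslog file instead.
demo_denials() {
    printf '%s\n' "$SAMPLE_LOG" | audit_denials "${1:-2}"
}

demo_denials 2
```

Because adclient emits both the PAM and the dzdo decisions with the same token, one pipeline covers failed logins and refused privileged commands; a practitioner would normally key the alert on the source host as well as the user.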
· Migrate Classic Zone to Hierarchical Zone
The admigrate script migrates users, groups, roles and rights in a classic zone to a hierarchical zone. Refer to its manpage for usage.
· Move Computer to Hierarchical Zone
The adchzone script moves a zone computer object from a classic zone to a hierarchical zone in the same domain. Refer to its manpage for usage.
· Upgrading the DirectControl cache
When DirectControl is upgraded from 5.0.x, its cache is also upgraded. Cache upgrade from 4.x is not supported: the 4.x cache is deleted when the upgrade is performed. The cache upgrade is not performed if the cache is encrypted.
· adedit is enhanced
- get_all_zone_users: gets all zone users along the hierarchical path.
- get_user_groups: gets the groups that the user belongs to.
- get_zone_user_field, get_zone_group_field, get_zone_computer_field: a dn option is added to locate the AD object.
- dn_to_principal, get_group_members, get_role_assignments, get_zone_users, joined_name_to_principal, list_role_assignments, list_zone_user, principal_from_sid: a upn option is added to display the UPN name.
- move_object: moves the selected object to the specified location in the same domain.
- rename_object: renames the common name of the selected object.
· New adedit sample scripts
- addbloader is enhanced to support the new sysRights and roles in DirectControl and the Windows Agent. When you use adedit to modify sysRights, you must use bit operators to make the change; otherwise the Windows Agent sysRights are reset.
- adreport is enhanced to report command rights.
- adzonediff is new in this release. It compares the roles and rights between two zones. Refer to its command help for usage.
- More adedit sample scripts can be found under the /usr/share/centrifydc/samples/adedit directory. See the UNIX and Linux Evaluation Guide for details.
· centrifydc.conf is updated:
- New parameters:
  - auto.schema.allow.users: users allowed in this Auto Zone.
  - auto.schema.allow.groups: users who are members of the groups specified here are allowed in this Auto Zone.
  - auto.schema.groups: groups allowed in this Auto Zone.
  - auto.schema.max.unix.name.length: maximum length of a UNIX name generated in Auto Zone.
  - auto.schema.override.uid: specifies which Active Directory user attribute to use to generate the UID.
  - auto.schema.substitute.chars: the character used to substitute invalid characters.
  - auto.schema.unix.name.disallow.chars: characters not allowed in an Auto Zone UNIX name.
  - adclient.binding.refresh.force: whether to force re-establishing LDAP bindings regardless of whether the current binding is to the closest site.
  - adclient.dzdo.clear.passwd.timestamp: set to true to remove the dzdo timestamp tickets after logout. Default is false.
  - adclient.sudo.clear.passwd.timestamp: set to true to remove the sudo timestamp tickets after logout. Default is false.
  - adclient.sudo.timestampdir: the directory where sudo stores its timestamp files.
  - adclient.update.os.interval: how long adclient waits before attempting to update the OS information when adclient starts up in disconnected mode. Default is 30 seconds.
  - dc.penalty.time: controls how long a domain controller that has failed is considered less preferable than the other domain controllers in the forest.
  - dzsh.roleswitch.silent: set to true to suppress the role switch information printed by dzsh. Default is false.
  - dzdo.passprompt: the password prompt format used when the target user's password is needed. Default is "[dzdo] password for %p:".
  - krb5.cache.post.renewal: a customer-defined job to be executed by adclient after Kerberos credential renewal.
  - pam.setcred.respect.sufficient: set to true if pam_setcred should call the remaining modules even after a 'sufficient' module is satisfied. DirectControl sets the value according to the target platform.
- Modified parameters:
  - adclient.cache.expires: default changed from 3600 to 600 seconds.
  - adclient.cache.expires.gc: default changed from 3600 to 600 seconds.
  - adclient.cache.expires.group: default changed from 3600 to 600 seconds.
  - adclient.cache.expires.user: default changed from 3600 to 600 seconds.
  - adclient.cache.expires.user.membership: default changed from 3600 to 600 seconds.
  - nss.program.ignore: unix_chkpw added.
Refer to the Configuration Parameters Reference Guide for details.
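The Auto Zone access restriction introduced above and the auto.schema.allow.users / auto.schema.allow.groups parameters listed here are the same control seen from two sides. As an added example that is not Centrify code, the shell below models that control offline: it parses two constructed centrifydc.conf fragments, one with no allow-list (every authenticated AD user admitted) and one restricted, and decides whether a given user would be let in. The parameter names are from the release notes; the comma-separated value syntax, case-insensitive comparison, the union semantics (named users plus members of named groups) and the rule that empty lists impose no restriction are assumptions for the example, not verified product behaviour, and the group membership table is constructed.

```shell
#!/bin/sh
# Added example, not Centrify code: an offline model of the Auto Zone
# allow-list parameters from centrifydc.conf. Assumptions (not verified
# product behaviour): values are comma-separated, names compare
# case-insensitively, a user is admitted if listed directly OR a member of a
# listed group, and empty lists impose no restriction.

# Constructed configuration fragments.
CONF_OPEN='# weak: no allow-list, so every AD user that can authenticate may log in
auto.schema.allow.users:
auto.schema.allow.groups:'

CONF_RESTRICTED='# corrected: only named users and members of named groups
auto.schema.allow.users: svc_backup@example.com
auto.schema.allow.groups: unix-admins@example.com, dba@example.com'

# Constructed group membership table, one group per line: "group member ...".
GROUP_TABLE='unix-admins@example.com alice@example.com bob@example.com
dba@example.com carol@example.com
helpdesk@example.com mallory@example.com'

# conf_value CONF KEY -> value of "KEY: value", lower-cased, commas -> spaces
conf_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        index($0, k ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); gsub(/,/, " "); print tolower($0); exit }'
}

# in_group GROUP USER -> exit 0 if USER is listed as a member of GROUP
in_group() {
    printf '%s\n' "$GROUP_TABLE" | awk -v g="$1" -v u="$2" '
        tolower($1) == g { for (i = 2; i <= NF; i++) if (tolower($i) == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# auto_zone_allows CONF USER -> prints the decision; exit 0 = allowed, 1 = denied
auto_zone_allows() {
    user=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    users=$(conf_value "$1" auto.schema.allow.users)
    groups=$(conf_value "$1" auto.schema.allow.groups)
    if [ -z "$users" ] && [ -z "$groups" ]; then
        echo "allowed: no allow-list configured"; return 0
    fi
    for u in $users; do
        [ "$u" = "$user" ] && { echo "allowed: listed in auto.schema.allow.users"; return 0; }
    done
    for g in $groups; do
        in_group "$g" "$user" && { echo "allowed: member of $g"; return 0; }
    done
    echo "denied: not in allow-list"; return 1
}

auto_zone_allows "$CONF_OPEN" mallory@example.com
auto_zone_allows "$CONF_RESTRICTED" mallory@example.com
```

The point a reviewer would check on a real system is the first branch: a machine joined through Auto Zone with both parameters empty accepts every user in the forest that can authenticate, so the restricted form should be treated as the baseline rather than the exception.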
· CLI is updated
- adjoin
  - New --dnsname (-D): optional parameter to override the dNSHostName attribute in the computer object.
- addns
  - New --list (-L): lists DNS record details.
  - New --refresh (-r): updates unchanged records to refresh their TTL.
- dzdo
  - dzdo is enhanced to support local users and local groups.
  - dzdo is enhanced to execute a command on a remote machine via an SSH connection.
  See the Administrator's Guide for UNIX for details.
- dzinfo
  - New --computer-role (-C): shows the computer role.
  - New --format (-f): produces scriptable output.
· Read-only Domain Controller (RODC) is supported
RODC is supported in a DMZ. An RODC can also be in the same forest as writeable domain controllers. Refer to the Administrator's Guide for UNIX for details.
· adnisd supports multiple domains in hierarchical zones
In this release of the Centrify NIS server, the NIS maps can be distributed across different domain controllers in hierarchical zones.
· OpenSSL 0.9.8w
DirectControl is integrated with OpenSSL 0.9.8w.
· DirectControl LDAP Proxy supports global catalog search
In addition to searching through the domain controller, LDAP Proxy also supports global catalog search, selected by adding "CN=$" in front of the search base. The global catalog search is useful in a multi-domain forest environment, where a single domain controller only holds its own domain's objects.
· Centrify 5.1.0 OpenSSH
Centrify DirectControl includes Centrify 5.1.0 OpenSSH, which is based on OpenSSH 6.0p1 in this release. Refer to the Administrator's Guide for UNIX.
· New UNIX Rights Definition
- SSH Rights
New predefined SSH rights identify the specific SSH services that a user who is enabled for PAM SSH access can run. The SSH rights are generated after the DirectControl console is upgraded. Refer to the Administrator's Guide for UNIX for details.
· Support is added for the following new operating systems:
- Mandriva One 2012 (32- and 64-bit)
- Red Hat Enterprise Linux 5.8 PPC (64-bit)
- Red Hat Enterprise Linux 5.8 Itanium (64-bit)
- Linux Mint Debian Edition (32- and 64-bit)
- OpenSuSE 12.2, 12.3 (32- and 64-bit)
Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.
2.2. New Features in DirectControl 5.0.5

· Support is added for the following operating systems:
- Fedora 18 (32- and 64-bit)
- Red Hat Enterprise Linux 6.3 (32- and 64-bit)
- Red Hat Enterprise Linux Desktop 6.3 (32- and 64-bit)
- CentOS 5.8, 6.3 (32- and 64-bit)
- Scientific Linux 5.8, 6.3 (32- and 64-bit)
- Oracle Linux 6.3 (32- and 64-bit)
- Ubuntu Desktop 12.10 (32- and 64-bit)
- Ubuntu Server 12.10 (32- and 64-bit)
- Linux Mint 13, 14 (32- and 64-bit)
Only x86 and x86-64 Red Hat packages are updated in this release. The Debian packages in Suite 2012.2 are verified to work with Ubuntu 12.10 and Linux Mint 13 and 14. All other packages are identical to DirectControl 5.0.4.
2.3. New Features in DirectControl 5.0.4

· In this release, the following platforms support smart card login:
- Red Hat Enterprise Desktop 5.x and 6.x (32- and 64-bit)
· The following smart cards are supported:
- Gemalto SC 64k 1.2 – CAC
- Oberthur One 5.2 – PIV
- Oberthur 128 v5.5 DI – CAC
- Gemalto 144 TOPDL DI – CAC
- Oberthur ID One 5.2 Dual – CAC
- Gemalto 72k DI – CAC
· Smart card login is supported on GNOME only.
· New group policies are added to support smart cards. Refer to the Group Policy Guide for details.
· Only Red Hat packages are updated in this release. All other platforms are identical to DirectControl 5.0.3.
2.4. New Features in DirectControl 5.0.3

· DirectControl for Mac OS X has been updated to version 5.0.3. See the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.
· Support has been added for Mac OS X 10.8.
· NOTE: only Mac platforms have been updated to DirectControl 5.0.3 in this release. All other platforms are at 5.0.2.
2.5. Revised DirectControl 5.0.2

· Centrify 4.5.4 OpenSSH
OpenSSL is upgraded from 0.9.8k to 0.9.8w and is statically linked into Centrify OpenSSH. This picks up the fixes for several security vulnerabilities found since 0.9.8k; refer to the OpenSSL release notes for details.
· All other packages are identical to DirectControl 5.0.2.
2.5.1. New Features in DirectControl 5.0.2

· FIPS 140-2
Red Hat Enterprise Linux Server and Mac OS X support the FIPS 140-2 standard.
· OpenSSL 0.9.8s
DirectControl in FIPS mode is integrated with OpenSSL 0.9.8s.
· Centrify 4.5.3 OpenSSH
Centrify DirectControl includes Centrify 4.5.3 OpenSSH, which is based on OpenSSH 5.9p1 in this release. Refer to the Centrify 4.5.3 OpenSSH release notes for details.
· Centrify 4.5.3 Samba
Centrify 4.5.3 Samba is based on the open source Samba 3.5.11 code. Centrify 4.5.3 Samba can be downloaded from the Centrify web site. Previous Centrify Samba releases do not work with Centrify DirectControl in this release.
· SQLite
DirectControl no longer provides the SQLite shared library in its package, which avoids conflicts with the SQLite shared library used by other applications.
· Support is added for the following new operating systems:
- Red Hat Enterprise Linux 5.8, 6.2 (32- and 64-bit)
- Red Hat Enterprise Linux Desktop 5.8, 6.2 (32- and 64-bit)
- Scientific Linux 5.7 (32- and 64-bit)
- Fedora 17 (32- and 64-bit)
- CentOS 5.7, 6.1, 6.2 (32- and 64-bit)
- Mandriva Enterprise Server 5 (32- and 64-bit)
- VMware VIMA vSphere 5
- Linux Mint 12 (32- and 64-bit)
- Solaris 11 (x86_64 and SPARC)
· Support is removed for the following operating systems:
- All OpenSolaris versions
- AIX 5.1, 5.2
- VMware ESX 3.0.1, 3.0.2
- Fedora 13 and below (32- and 64-bit)
- Ubuntu 6.06, 8.10, 9.04, 9.10 (32- and 64-bit)
- Mac OS X 10.5
2.6. New Features in DirectControl 5.0.1

· Express mode
Express mode is now supported, and HPUX 11.31 and AIX 7.1 are added to the platform support list for Express.
· DirectControl for Mac OS X
- DirectControl 5.0.1 is the first release on the Macintosh platform that supports Next Generation Zones.
- Support for OS X 10.7.x, including support for Apple's FileVault full disk encryption and Microsoft's Distributed File System (DFS).
- Automated Certificate Enrollment for 802.1x and VPN services.
- Improved support for printer management on the Mac using the _lpadmin and _lpoperator printer groups on the local Mac.
- Simplified group policies for automatically mounted file servers and home directories.
- Smart card support on 10.6 and 10.7 for all CAC, CACNG and PIV cards, including the Oberthur ID One 128 v5.5 Dual smart card.
- New OCSP enhancements and a GUI for smart card configuration.
· User password expiration
Fine-grained password policy is queried to determine user password expiration.
· DirectControl MMC Snap-in
Now implemented in user mode rather than author mode in order to coexist better with group policies.
· Support is added for the following new operating systems:
- Citrix XenServer 6.0
- Fedora 16 (32- and 64-bit)
- OpenSuSE 12.1 (32- and 64-bit)
- Ubuntu 11.10 Desktop (32- and 64-bit)
- Ubuntu 11.10 Server (32- and 64-bit)
- Solaris 11 Express 2010.11 (x86_64 and SPARC)
2.7. New Features in DirectControl 5.0.0

· Hierarchical zoning
· NIS map support added to NSS
The following NIS maps are supported:
- networks
- rpc
- auth_attr
- prof_attr
- user_attr
- exec_attr
- auuser
- protocols
- bootparams
- netmasks
- netgroup
- hosts
- printers
- project
- services
- ethers
- aliases
- ipnodes
- AIX
· Centrify Zone Provisioning Agent
Zone Provisioning Agent (ZPA) is now included with DirectControl. It has been updated to support hierarchical zoning, new in DirectControl 5.0.0.
· Group Policies
1. New group policy: Enable Auto Zone user home directory. This group policy adds the auto.schema.use.adhomedir property to /etc/centrifydc/centrifydc.conf.
2. adm files are now shipped for Centrify group policies as well as xml.
· Configuration parameters
1. New configuration parameter: krb5.cache.clean.exclusion
This parameter defines an exclusion list applied when adclient cleans users' cache files. For users in this list, adclient will not clean their krb5cc_* files. Use the UNIX names of the AD users. The default value is empty.
2. New configuration parameter: adclient.krb5.use.addresses
This parameter controls the MIT Kerberos HostAddresses option. If the parameter is set to true, adclient adds "noaddresses = false" to krb5.conf. The parameter is set to false by default.
3. New configuration parameter: adclient.altupns
This parameter tells adclient to allow an otherwise unknown Kerberos realm as a UPN suffix. The default is unconfigured.
For example, to allow "mil" as a UPN suffix:
adclient.altupns: mil
· New CLI features
- adcheck
  - adcheck now does a DNS TCP port check as well as a UDP port check in the "net" set of checks.
  - New --tmp_path (-m) parameter to use the given path for temporary files during the check. If not specified, the default is /tmp.
- adfixid
  - New --undo (-U) parameter to back out changes made since the last change marker. The log used for undo is accumulated in /etc/centrifydc/adfixid.log.
- adinfo
  - New --debugcache command line parameter to tar up the /var/centrifydc cache files.
  - The -y parameter now accepts arguments: "config" dumps all property values, "dns" dumps the DNS cache and "all" dumps all system information.
  - The --support parameter now includes the contents of /etc/irs.conf and /etc/netsvc.conf and shows the ldd output for /usr/lib/netsvc/dynload/nss_cdc.so.
  - New -G option to report the current GC.
- adjoin
  - New --upn (-U) parameter for adjoin sets the user's UPN.
- adquery
  - New parameter --attribute mail (-b mail) to return the email address of a user. Note that this can only be used for users; it does not work for groups.
  - New --userWorkstations (-W) option for adquery user shows the user's userWorkstations attribute. The --all (-A) option has been extended to include this attribute too.
- adupdate
  - New --principal (-P) parameter for adupdate user allows setting the user's UPN.
  - New --foreign-sid (-i) parameter allows setting or retrieving the SID of a foreign user.
  - adupdate now allows changes to users from one-way trusted forests. To use it, retrieve the SID of the user to be changed via the -Z option of adquery user, then pass that SID to adupdate with the --foreign-sid option.
· Windows Console
An option has been added to the Import Wizard to add a prefix or suffix to the name of a group or user, so that name clashes with existing users and groups can be avoided.
· New DirectAuthorize reports
Two new reports have been added to report on user roles and rights grouped by zone. The new reports are:
- User Role Assignments Grouped by Zone
- User Privileged Command Rights Grouped by Zone
· The DirectControl NIS server (adnisd) now derives the mail.byaddr map.
· DirectAuthorize is reworked to integrate it with hierarchical zones.
· A script can now be called every time a dzdo command is executed, which allows per-command logging or change-ticket entry every time a privileged command is executed.
· The Centrify PuTTY "Auto-login username" group policy now defaults to "User principal name (require DirectControl)".
· Support is added for the following operating systems:
- CentOS 4.9, 5.6, 6.0 (32- and 64-bit)
- Debian 6 (32- and 64-bit)
- Fedora 15 (32- and 64-bit)
- Mandriva 2011 One
- Oracle Linux 6 (32- and 64-bit)
- Red Hat Enterprise Linux 5.7, 6.1 (32- and 64-bit)
- Red Hat Enterprise Linux Desktop 5.7, 6.1 (32- and 64-bit)
- Scientific Linux 4.9, 5.6, 6.1 (32- and 64-bit)
- Ubuntu Desktop 11.04 (32- and 64-bit)
- Ubuntu Server 11.04 (32- and 64-bit)
3.1. Bugs Fixed in Centrify DirectControl 5.1.0

· DirectManage Access Manager no longer times out in a big forest when a computer zone is created (REF#: 33229).
· When a zone was moved in DirectManage Access Manager, the new zone path was not updated in the Centrify Profile in ADUC. This problem is fixed (REF#: 33229).
· DirectManage Access Manager can coexist with DirectManage Audit Manager and DirectManage Audit Analyzer in the same MMC console (REF#: 26113).
· Zone Provisioning Agent copies users and groups correctly when there are duplicate samAccountName values (REF#: 33535).
· Zone Provisioning Agent now keeps its configuration settings during upgrade.
· Zone Provisioning Agent no longer unprovisions existing user profiles from a zone when ZPA detects that one of the source groups has been deleted (REF#: 30025).
· Zone Provisioning Agent fixed the issue causing "The server is not operational" errors by reusing the LDAP connection (REF#: 31331).
· The DirectControl Agent historically wrote its working data to /tmp. This version of the DirectControl Agent uses /var/centrify/tmp for its working data. This eliminates the symlink vulnerability exposed by the /tmp directory, to which every user has write access: any local user could pre-create a symlink at a predictable name under /tmp and have the privileged agent follow it (REF#: 38474).
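As an added example (not Centrify code and not the agent's actual implementation), the shell below reproduces the class of bug fixed above and the shape of the fix: a privileged writer using a predictable name in world-writable /tmp follows a symlink that an unprivileged user planted first, whereas a private, unpredictable work directory plus an exclusive create refuses the planted name. The file names, the `agentwork.XXXXXX` template and the use of TMPDIR instead of /var/centrify/tmp are assumptions so the example runs unprivileged.

```shell
#!/bin/sh
# Added example, not Centrify code. Reproduces the class of bug behind
# REF# 38474: a daemon writing to a predictable name in world-writable /tmp
# can be redirected by a symlink that any local user plants first. The
# hardened version uses a private directory and refuses pre-existing names.

# Vulnerable pattern: fixed, guessable path under a shared, world-writable
# directory. If an attacker created $1 as a symlink, the write follows it
# and clobbers whatever the link points at, with the writer's privileges.
unsafe_write() {               # unsafe_write PATH CONTENT
    printf '%s\n' "$2" > "$1"
}

# Hardened pattern, step 1: a per-process work directory that no other user
# can pre-create or enter (unpredictable name, mode 0700). /var/centrify/tmp
# named in the release notes plays this role for adclient; TMPDIR or /tmp is
# used here only so the example runs without privileges.
safe_workdir() {               # safe_workdir -> prints the directory path
    d=$(umask 077; mktemp -d "${TMPDIR:-/tmp}/agentwork.XXXXXX") || return 1
    chmod 700 "$d" && printf '%s\n' "$d"
}

# Hardened pattern, step 2: reject names that escape the directory, never
# reuse a name that already exists (a planted symlink included) and create
# with noclobber (set -C) so the open is exclusive rather than a blind ">".
safe_write() {                 # safe_write DIR NAME CONTENT
    case $2 in */*|.|..) echo "bad file name: $2" >&2; return 1;; esac
    if [ -e "$1/$2" ] || [ -L "$1/$2" ]; then
        echo "refusing to write: $1/$2 already exists" >&2
        return 1
    fi
    ( set -C; printf '%s\n' "$3" > "$1/$2" )
}
```

The `-L` test matters because `-e` follows symlinks and reports false for a dangling one; the noclobber subshell then closes the remaining window between the check and the open.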
· adclient crashed a couple of times a day while doing its own internal health checks on AIX. This was due to a bug in the gcc shared library; the gcc compiler is upgraded to resolve this issue (REF#: 27370).
· When a user moved from the local domain to a foreign domain in a one-way forest trust, the user could not log in in offline mode. This issue is fixed in this release (REF#: 31031).
· Fixed adclient going into "down" status when a user in a foreign group is migrated to the current domain (REF#: 34512).
· Fixed an adclient core dump when authenticating with a bad password (REF#: 32320).
· Fixed a bug that caused high CPU utilization if the DirectControl agent switched to another domain controller while it was constructing the internal cache (REF#: 36663).
· Joining a computer supports host names longer than 15 characters and containing dots (REF#: 32773).
· Fixed the self-serve join problem after pre-creating a computer when the zone parameter is not specified. Without the zone parameter, self-serve join would select the first zone in the list (REF#: 36662).
· Fixed the defect that adquery or getent group returned duplicate or missing members if a group contains more than 500 members (REF#: 31128).
· Fixed the problem that the group command automatically mounted the file system when executed (REF#: 26467).
· Fixed adquery listing users who have no listed or login role (REF#: 32486).
· Roles can be inherited from more than 2 levels in hierarchical zones (REF#: 29982).
· An LDAP user who has not been migrated to AD could not change their LDAP password upon logon on a server with Centrify installed. This is fixed (REF#: 29383).
· The /tmp directory filled up with randomly named files after running adauto.pl repeatedly, because each invocation of adauto.pl created a new random-name file. This problem is now fixed (REF#: 34582).
· The Ticket Granting Ticket (TGT) was not forwarded by Centrify OpenSSH. This problem is now fixed (REF#: 30610).
· Added group policies for Mac OS X 10.8. See the Group Policy Guide for details.
· Centrify 4.5.5 OpenSSH no longer removes /usr/local/bin from the PATH environment variable.
3.2. Bugs Fixed in Centrify DirectControl 5.0.5

· This release contains new features and no bug fixes. See section 2.2 for the list of new features.
· See the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.
· Users can log in to Active Directory with a SID in sidHistory in the tokenGroups attribute.
· Users can log in to Active Directory through the local cache after the machine is disconnected and restarted.
· NTLM login to the Active Directory domain works through the local cache when the machine cannot reach a domain controller.
· The adedit create_zone API works with a FIPS-compliant license.
· An AD user expires in the cache if it is marked force-expired, even when the cached AD user is queried frequently.
· An overridden AD user remains visible although its name has been flushed from the cache.
· adsmb can successfully get a file.
· Centrify 4.5.3 OpenSSH X11 forwarding works in an IPv4 network.
· Centrify 4.5.3 OpenSSH no longer stalls for a few seconds when logging in to Solaris SPARC machines.
· Centrify 4.5.3 OpenSSH can coexist with Solaris SSH.
· Users and groups imported from passwd and group files no longer show the "Incomplete user UNIX data" error message.
· Deployment Manager works with an interactive prompt after the ssh connection.
· Rights are accumulated across multiple roles with a restricted shell.
· The Centrify 4.5.3 PuTTY release is updated with the latest open source PuTTY 0.62 release and adds all new features delivered in that release. PuTTY 0.62 contains a security fix so that it no longer retains passwords in memory.
· SuSE 11 no longer crashes if a tilde is used in ksh.
· DirectControl can now be upgraded via Ubuntu apt-get.
· A user whose effective rights are non-password cannot log in with a password.
· A user gets a restricted shell if "Login with non-Restricted Shell" in "System Rights" is not checked.
· adsmb is able to use the current Active Directory user's credentials.
· Upper-case netgroup names are supported in LDAP Proxy.
· adnisd reads the correct NIS maps even if the DirectControl agent switches to another domain controller while adnisd is reading the NIS maps.
· ZPA does not truncate the UNIX name to 8 characters if the "Truncate the UNIX name to eight characters" check box is not selected.
· ZPA collects a debug log if "Turn on debug logging" is checked in the ZPA Configuration Panel.
· When searching for users in a remote forest, the remote forest is shown in a separate tree.
· Find Users now works even if orphans exist in zones.
4. Known Issues

The following sections describe common known issues or limitations associated with this Centrify Suite release; they are categorized as follows:
- DirectManage Access Manager
- Report Center
- Group policies
- Zone Provisioning Agent
- DirectControl Agent
- Centrify NIS server (adnisd)
- Centrify Network Information Service
- Centrify LDAP Proxy
- DirectControl Auto Zone mode
- Smart Card
- DirectAuthorize on Linux/UNIX
- Zone Migration
- Centrify Samba
- Centrify PuTTY
In addition to the known issues described in these sections, you should review the details in the appropriate platform-specific release-notes-agent.txt file for the operating environments you support.
For the most up-to-date list of known issues, log in to the Customer Support Portal at http://www.centrify.com/support and refer to the Knowledge Base articles for any known issues with the release.
· Uninstalling DirectManage Access Manager while it is open on Windows 2008
If you attempt to uninstall DirectManage Access Manager on Windows 2008 while the program is still open, the installer reports twice that files are still in use. To continue the uninstall, close the program and click Retry each time; the uninstall then completes correctly.
· Import users and groups before importing the sudoers file
Sudoers Import creates the user roles but not the users. Import users and groups before importing the sudoers file; otherwise no sysRights are created for the users.
· Pre-create computers before importing computer roles from the sudoers file
The computers contained in the sudoers file must either be joined to a zone or pre-created.
· Delegating zone administration permissions for SFU zones
Delegating permissions to add, remove or modify users for SFU zones is not supported.
· UID does not automatically increment when adding users through the Welcome page
When adding users to a zone, the UID used is automatically incremented each time. However, if you use the Add User to Zone feature on the Access Manager Welcome page, the UID is not incremented after the user is added. In this case, select "<Use auto incremented UID>" for UID on the "User Defaults" tab of the zone property page.
· NIS domain name with adnisd
The NIS domain name in the Access Manager Zone Properties page is currently ignored by adnisd. The NIS domain name defaults to the name of the zone, or can be overridden in /etc/centrifydc/centrifydc.conf via the property "nisd.domain.name". This will be fixed in a future release.
· Users with rights to import users and groups into a zone also gain rights to modify profiles
Any user who is given the right to "Import users and groups to zone" is automatically also given the right to "Modify user/group profiles".
· Secondary groups not imported from XML files
Using the Import Wizard to import user information from XML files does not import secondary group membership.
· Using domain local groups to manage resources
Domain local groups can only be used to manage resources in the same domain as the group. For instance, a domain local group in domain A may be used to manage a computer in domain A but not one in domain B, despite a trust relationship between the two domains.
· Domain local groups from other domains shown in search dialog
When using the search dialog in Access Manager to delegate zone control to a group, domain local groups from child domains are incorrectly shown in the results and should be ignored. The search results when using the ADUC extension do not show these domain local groups.
· Analyze forest and SFU zones
The analyze forest feature in Access Manager does not report empty zones or duplicated users or groups in an SFU zone.
· Working with users that have more than one UNIX mapping
DirectControl supports Active Directory users that have more than one UNIX profile in a zone. However, if you are upgrading from DirectControl 4.x or earlier and have existing users with more than one UNIX mapping, you should use a DirectControl 5.0.0 or later Access Manager to remove all but one of the UNIX profiles for each of these AD users and then re-add them. In addition, you should always use a DirectControl 5.0.0 or later console when modifying these users.
· In the Centrify Profile tab of the Properties page of a computer joined to a hierarchical zone, you cannot move the computer to a classic zone, nor to a zone in another domain. A computer joined to a classic zone has neither restriction.
· Using the 32-bit Access Manager on 64-bit OSes
While it is possible to run the 32-bit Access Manager on 64-bit Microsoft Windows, the installer will not recognize that the 32-bit console is installed; it will not offer any maintenance mode options and will assume a new installation. To upgrade a 32-bit console on a 64-bit OS, uninstall the old version and install the new version.
·
Cannot
delegate control of an SFU zone from the Report Center
It
is not possible to delegate the control of an SFU zone from within the report
center. To delegate SFU zone control, right click on the SFU zone node in the
left pane.
·
Color
and font change in Report Center occasionally fails
Changing
the font or colors in a report occasionally fails, even though the Format
dialog shows the chosen font and color choices when they are made. Re-opening
the Format dialog and changing color and/or font again will correctly set the
choices for the report.
·
Extra
results when analyzing duplicate service principal names
When
running the Analyze / Duplicate Service Principal Names report, kadmin/changepw is incorrectly
returned as a duplicate. The SPN is
actually found multiple times, but this is by Microsoft design as it is the
default account for the Key Distribution Center service in all domains.
· The Access Manager is unresponsive while running the "Classic Zone - User Privilege Command Rights" report. This is due to a Microsoft library used to determine user rights; the program becomes responsive again once the report is completed.
· There are four group policies that can merge the lines of different GPOs into a single resulting group policy. For the policies to merge, the policy in each GPO must be enforced. Policies with higher precedence are placed lower in the resulting multi-line policy.
· Disable does not function with "Allow Groups" group policy
Disabling the group policy Computer Configuration > Centrify Settings > Centrify SSH Settings > Allow Groups does not disable the policy. To stop allowing a group of users, remove that group from the Group Policy Object.
· Entering multi-line password prompt group policies
Multi-line group policies are supported; however, an escaped newline, "\\n", must be used to separate the lines.
· Default value for the NIS daemon update interval
In the Administrator Guide for UNIX the default for this value is shown as 5 minutes, but in the Group Policy user interface it is shown as 4 minutes. The correct value is 5 minutes; the Group Policy user interface will be updated to reflect this in a future release.
· Install's "repair" option reports files in use
When using the repair install option, the installer may display a "Files in Use" dialog that contains no entries. It is safe to click the Ignore button and continue the repair operation. This may happen on all supported platforms except Windows Server 2003 and Windows Server 2003 R2.
· One-way cross-forest trusts are not supported in Auto Zone mode.
· Default zone not used in DirectControl 5.x
In DirectControl 4.x and earlier there was a concept of the default zone. When DirectControl was installed, a default zone could be created that would be used when none was specified; if no zone was specified when joining a domain with adjoin, the default zone was used.
This concept has been removed from DirectControl 5.0.0 and later, as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.
A zone called "default" may be created, and default zones created in earlier versions of DirectControl may still be used, but the name must be given explicitly.
· Cross-forest groups are not supported in the pam.allow.groups or pam.deny.groups parameter setting.
· Using the --notime option with adjoin
If the --notime option is used when running adjoin, the centrifydc.conf parameter adclient.sntp.enabled is not updated to false. This means that subsequent adjoin operations must also specify the --notime option if it is required.
· Attempted logins by non-zone members
If an AD user who is not a member of the zone attempts to log in, they will be unable to log in on subsequent attempts for a period of 15 minutes from the time of their last unsuccessful login, even if they are made members of the zone in the meantime. This lockout can be worked around by running adflush, by logging in using the user's UNIX name (if different from the AD name), or by logging in through the computer's GUI rather than ssh or telnet.
· RSA Authentication Agent for Windows
Computers using DirectControl software are not able to authenticate to domain controllers running RSA Authentication Agent for Windows. To use DirectControl with these domain controllers, it is necessary to disable the RSA Authentication Agent.
· Use of rsh and rcp with DirectControl
rsh and rcp are considered archaic (they also send credentials and data in clear text) and should not be used with DirectControl, as their behavior cannot be guaranteed in all circumstances.
· Change password and rsh / rlogin
When using rsh or rlogin to access a computer that has DirectControl installed, and where the user is required to change their password, the user is prompted to change their password twice. The user may enter the same password each time they are prompted, and the password is successfully changed.
· Working with /var mounted via NFS
If /var is mounted via NFS then, in order for DirectControl to function correctly, you must set the adclient.clients.socket parameter in /etc/centrifydc/centrifydc.conf to point to a local directory, and make a symlink from /var/centrifydc/daemon to the local directory you have chosen.
You should also set the no_root_squash option on the export so that /var/centrify/tmp works over NFS. Otherwise root is mapped to the anonymous user "nobody" on the NFS server, which does not always have write access to the exported directory. Note that no_root_squash gives the client's root account root privileges on the export, so restrict that export to the specific client host rather than to a whole network.
· Changing the password of an orphan user with adpasswd
adpasswd should not be used to change the password of an orphan user. If it is used, the following error is generated:
Error: Unsuccessful IPC execute: system error
· Working with adclient.client.idle.timeout
This property is read only at startup, so if it is changed adclient must be restarted. There is a Group Policy setting for this property, but changing it has no effect until adclient is restarted on the affected machines.
· Use of adupdate by non-administrators
adupdate uses the current user's Kerberos credentials when -a is not specified on the command line. To run the command as an administrator you should do one of the following:
- use "-a <adminname>" on the command line
- use "-p <adminpassword>" on the command line (note that a password passed as a command-line argument is visible to other users in the process list, so prefer one of the other options)
- run "kinit <adminname@domain.name>" before using adupdate
- give the current AD user rights to create users
· Using adkeytab to change account passwords
To change a service account password using adkeytab, you should ensure that there is at least one Service Principal Name (SPN) associated with that service account. Attempting to change the password of a service account without an SPN is not supported in this release.
· PAM messages depend on operating system
Configurable PAM messages are shown inconsistently depending on the login method, daemon version and operating system version.
· adquery merges results for groups with no members
Groups that have no members do not have a newline after the GID when output by adquery.
· nss.minuid and nss.mingid are no longer used
These have been replaced by user.ignore and group.ignore. DirectControl ignores the local uid and gid values that correspond to the users and groups listed in the .ignore files and generates a uid.ignore and gid.ignore file. The values from nss.minuid and nss.mingid are added to these files during the upgrade process.
· adclient -c no longer supported
To modify core dump behavior, edit the adclient.dumpcore property in /etc/centrifydc/centrifydc.conf.
· Logging in in disconnected mode
In disconnected mode, the UNIX name or the Windows login name should be used to log in. The Active Directory display name is not guaranteed to be unique and may not allow the user to authenticate.
· Invalid argument reported when identifying a user whose uid or gid is zero
If you use the id command to display user and group information about a user whose uid or gid is zero, a message warning of an invalid argument is displayed, for example:
bash-3.1# id user1
setgroups: Invalid argument
uid=4294967294(nobody) gid=4294967294(nogroup)
groups=3(sys),0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users)
This message is a side effect of the nss.squash.root feature and can be safely ignored.
· Use of addns on computers that act as network gateways
UNIX computers that act as gateways between different networks may require the addns command line to be specified so that the correct network adapter IP address is registered in Active Directory DNS. Set the adclient.dynamic.dns.command property in /etc/centrifydc/centrifydc.conf to the addns command line needed to select the correct network interface and IP address.
· Working with users defined in a Kerberos realm
DirectControl supports users defined in a Kerberos realm as long as the Kerberos domains and realms are resolvable by DNS. Kerberos realm names are case-sensitive, so take care to check the spelling and case of any realm used.
· Using DirectControl 4.x agents with DirectControl 5
DirectControl 4.x agents can join classic zones created by DirectControl 5. It is also possible to join a DirectControl 4.x agent to a hierarchical zone, but this should be avoided as the behavior is undefined.
· adclient and asymmetric DNS servers
adclient expects all DNS servers to hold the same information (that is, to be symmetric); it has no concept of asymmetric DNS servers. If multiple DNS servers are defined and the information in each is not the same, the information in some domains may be inaccessible some or all of the time, depending on how quickly each DNS server responds and what it holds. The /etc/centrifydc/centrifydc.conf parameter dns.sort removes this randomness and lets you specify the order in which DNS servers are tried. Note, however, that adclient still does not use the DNS servers as a "path": the highest-placed DNS server wins.
· Change in behavior of users to ignore
In DirectControl 4.x, the nss.user.ignore and pam.ignore.users lists were treated separately and adclient checked only nss.user.ignore. In DirectControl 5.0.0 and later, both nss.user.ignore and pam.ignore.users are checked, and the effective ignore list is the logical "or" of the two.
· Some non-alphanumeric characters are valid in Windows user or group names and are converted to an underscore ("_") when the Access Manager derives UNIX names from them, but they cannot be used in adedit. The characters are: \ ( ) + ; " , < > =
· adedit cannot create AIX extended attributes in an SFU zone.
· Active Directory user fails to log in to a newly created WPAR on AIX
In a newly created WPAR, the /var/krb5/security/creds/ directory does not exist. The DirectControl post-install script creates it with root permissions, but does not change its permissions to make it a world-writable directory. You need to fix the permissions manually; use the sticky bit (mode 1777, as for /tmp) rather than plain world-writable so that users cannot remove or replace one another's credential caches (REF#: 39909).
· Cannot do single sign-on in Red Hat 5.9 with SELinux on the IA64 platform
You can log in, but the Kerberos credential cache is not created. This problem does not occur if SELinux is disabled, nor does it occur on the x86 platform (REF#: 40078).
· adnisd daemon fails to start
The adnisd service is not defined in the WPAR (REF#: 39911).
· "auto" required in the automount map name
If an automount map created with a 4.x or earlier version of the DirectControl Console does not start with the string "auto" (for example auto.home, auto_master, auto_net), it will not be recognized by this release of the DirectControl LDAP Proxy as an automount map. Automount maps whose names do not start with "auto" must be exported and imported using this version of the DirectControl Console or adedit.
· Wildcard use not supported with LDAP Proxy
This release of the LDAP Proxy does not support searches using wildcards in rfc2307 mode.
· LDAP Proxy not started after upgrade from DirectControl 4.x
You need to re-join the zone before the LDAP Proxy can be started.
· When logging into a Red Hat system as an Active Directory user that has the same name as a local user, the system does not warn the user of the conflict, which results in unpredictable login behavior. The workaround is to remove the conflict or to log in with a different AD user.
· An unauthorized PIV Smart Card user, when attempting to log in, may still be shown a password login prompt. However, after entering a password, the unauthorized user gets an authentication error and will never be able to log into the system or change their password.
· In order to log in successfully in disconnected mode, a user must have logged in successfully at least once in connected mode. This applies to standard Active Directory users as well as Smart Card users.
· If a Smart Card user's Active Directory password expires while the machine is in disconnected mode, the user may still be able to log into the machine using the expired password. This is not a usual case, as secure Smart Card AD environments usually do not allow both PIN and password logins while a Smart Card is in use.
· Cannot add cross-domain or cross-forest users to roles in a classic zone
DirectAuthorize does not currently support adding users from other domains into roles when the domain controllers are running Windows Server 2003 with security update 926122 or Service Pack 2. This is a Microsoft issue; a hotfix is available to install on computers running the DirectAuthorize console that need to operate in these domains. More information may be found here:
http://support.microsoft.com/kb/943875
· Cannot add cross-forest groups to a role in classic zones
DirectAuthorize does not support adding groups from a trusted forest into roles at this time; all groups added to roles should be defined in the local forest. However, users from a trusted forest may be added to groups in the local forest and then added to a role, or they may be added to a role directly.
· Use of common UNIX commands with DirectAuthorize restricted shells
The DirectAuthorize restricted shell allows users to be restricted to a predetermined set of commands; however, several common UNIX commands can themselves run other programs, letting users execute commands that are not allowed in the restricted shell. The following list provides general guidance and specific examples of the issues to consider:
- The man command
When adding a privileged command for man in a restricted environment, Centrify recommends:
* selecting Reset Environment Variables, so that users can use only the default pager.
* disallowing the -P, -C, -B and -H options, so that users can use only the default pager and man configuration file, by adding the following deny entries in addition to the command for man:
!man -[PCBH]*
!man * -[PCBH]*
The PAGER and MANPAGER environment variables and the -P, -C, -B and -H options can all let a user run a command not permitted by DirectAuthorize in the restricted environment.
- The Allow nested command execution option
The Allow nested command execution checkbox on the Attributes tab of the property page for a privileged command allows the privileged command to execute another command. This option is deselected by default (so the command is not allowed to execute other commands), but not all operating systems honor this restriction:
Solaris             Honored in all cases
AIX 5.1, 5.2        Not honored in all cases
AIX 5.3, 6.1, 7.1   Honored except if a program is seteuid
HP-UX               Honored except if a program is seteuid
Linux               Honored except if a program is seteuid and the Run As... user is not root
- The tar command
When adding the tar command to a restricted environment, Centrify recommends adding the following deny entries, in addition to the tar command itself, to prevent use of the --use-compress-program option:
!tar --use-compress-program*
!tar * --use-compress-program*
This prevents the user from using --use-compress-program to run other commands not allowed in the restricted environment.
- cron jobs
Cron jobs are run by the cron daemon, which has no dzsh restrictions, so any restrictions placed on the user who created the cron job are not in force when the job itself runs. For this reason, Centrify recommends that users who run in the dzsh restricted shell are not given access to the crontab command.
- Editors that allow shell escapes
When adding the vi or view command to a restricted shell, the shell escape feature of the editor can allow the user to execute a command not allowed in the restricted shell.
In addition, the perl, python and ruby support in vim, if compiled in, can allow a user to execute a command not allowed in the restricted shell. To check whether your version of vim has perl, python or ruby support, run vim --version and look for +perl, +python or +ruby.
Centrify recommends the following:
* Configure the command to not allow nested command execution (this is the default) to prevent shell escapes.
* Use the rvi or rview command instead, if available.
Vim is used as an example here; this applies to any other editor that can escape to a shell or includes scripting language support.
- The rsync command
When adding the rsync command to a restricted environment, Centrify recommends adding the following deny entries, in addition to the rsync command itself, to prevent use of the -e and --rsh options:
!rsync -e*
!rsync * -e*
!rsync --rsh*
!rsync * --rsh*
This prevents the user from using the -e or --rsh option to run commands not allowed in the restricted environment.
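The deny entries above are only as good as the option spellings they enumerate, so it is worth checking them against the variants a user could actually type. The following is an added example, not Centrify's code and not part of these release notes: it takes the man, tar and rsync deny patterns listed above, matches them against constructed probe command lines, and reports which bypass attempts still get through and whether any ordinary use is wrongly blocked. It assumes that patterns are shell globs matched against the whole command line and that a deny match beats an allow match; that assumption about dzsh matching semantics, the allow entries, the probe list and the function names are all hypothetical.

```python
import fnmatch

# Deny entries copied from the release notes. The leading "!" that marks a deny
# entry in a DirectAuthorize command right is dropped; deny patterns live in
# their own list instead.
DENY_PATTERNS = [
    "man -[PCBH]*", "man * -[PCBH]*",
    "tar --use-compress-program*", "tar * --use-compress-program*",
    "rsync -e*", "rsync * -e*",
    "rsync --rsh*", "rsync * --rsh*",
]

# Hypothetical allow entries: the bare commands an administrator granted.
ALLOW_PATTERNS = ["man *", "tar *", "rsync *"]


def decide(cmdline, allow=ALLOW_PATTERNS, deny=DENY_PATTERNS):
    """Classify one command line as 'deny', 'allow' or 'nomatch'.

    Assumption (not Centrify's implementation): patterns are shell globs
    matched case-sensitively against the whole command line, and a deny
    match wins over an allow match, mirroring how the notes use "!cmd".
    """
    if any(fnmatch.fnmatchcase(cmdline, p) for p in deny):
        return "deny"
    if any(fnmatch.fnmatchcase(cmdline, p) for p in allow):
        return "allow"
    return "nomatch"


# Constructed probes: command lines the patterns are meant to stop, spellings
# a user could try instead, and ordinary use that must keep working.
PROBES = {
    # what the notes' patterns target
    "man -P /bin/sh ls": "bypass",
    "man ls -P/bin/sh": "bypass",
    "tar --use-compress-program=/bin/sh -cf x y": "bypass",
    "tar -cf x y --use-compress-program /bin/sh": "bypass",
    "rsync -e sh a b": "bypass",
    "rsync a b --rsh=sh": "bypass",
    # spellings the listed patterns do not cover
    "man --pager=/bin/sh ls": "bypass",                   # man-db long form of -P
    "tar -I /bin/sh -cf x y": "bypass",                   # GNU tar short form
    "tar --use-compress-prog=/bin/sh -cf x y": "bypass",  # getopt_long prefix
    "rsync -avze ssh a b": "bypass",                      # -e bundled with other flags
    # legitimate use
    "man ls": "legitimate",
    "tar -cvf backup.tar /home/user": "legitimate",
    "rsync -av src/ dst/": "legitimate",
    "vi x": "legitimate",                                 # not granted at all
}


def find_gaps(probes=PROBES, allow=ALLOW_PATTERNS, deny=DENY_PATTERNS):
    """Return the bypass probes that the pattern set still lets through."""
    return sorted(c for c, kind in probes.items()
                  if kind == "bypass" and decide(c, allow, deny) == "allow")


def find_breakage(probes=PROBES, allow=ALLOW_PATTERNS, deny=DENY_PATTERNS):
    """Return legitimate probes that the deny patterns wrongly block."""
    return sorted(c for c, kind in probes.items()
                  if kind == "legitimate" and decide(c, allow, deny) == "deny")


if __name__ == "__main__":
    for cmd in PROBES:
        print(f"{decide(cmd):8} {cmd}")
    print("bypasses still allowed:", find_gaps())
    print("legitimate use blocked:", find_breakage())
```

Run as written, the patterns from the notes stop every spelling they were written for and block no ordinary use, but long-option forms, short aliases, unambiguous long-option prefixes and bundled short flags all slip past a pattern that only names one spelling. That is the practical reason the notes pair the deny entries with Reset Environment Variables (which also covers PAGER, MANPAGER and RSYNC_RSH) and with leaving nested command execution disabled: a deny list of option spellings cannot be made complete, so it should be treated as a second layer, not the control itself.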
· Cannot open Roles & Rights node when user's domain is unavailable
For users who have been added to roles or assigned rights, and who are located in a domain other than the one where the zone is located, when the user's domain is unavailable the Roles & Rights node for that zone does not appear in the Access Manager when the zone is opened. When the domain becomes available again, the Roles & Rights node reappears when the zone is closed and reopened.
· Unexpected error when selecting the role assignment node
You may see the following unexpected error message when selecting the role assignment node:
-------------------------------------------
System.Exception: More than one node has been registered for scope ID 3309168 at Ironring.Management.MMC.SnapinBase.FindNodeByHScope(IntPtr HScopeID)
at Ironring.Management.MMC.Component.Notify(IntPtr lpDataObject, UInt32 aevent, IntPtr arg, IntPtr param)
-------------------------------------------
In this case, close the MMC and reopen it; the role assignment node will then open as expected.
· Unexpected error when removing orphaned role assignments
You may see the following unexpected error message when removing an orphaned role assignment:
-------------------------------------------
System.ArgumentNullException: Value cannot be null.
Parameter name: role
-------------------------------------------
In this case, close the error dialog and leave the orphans alone; they do not affect system functionality.
· DirectAuthorize reports do not include users in remote forests
In this release the "Classic Zone - User Role Assignments" and "Classic Zone - User Privilege Command Rights" reports show only users in the local forest; users in remote (trusted) forests are not included in the report.
· UI elements occasionally do not appear when expected
On occasion, the DirectAuthorize console does not show the expected results, or nodes do not appear in the tree on the left side of the console. When this happens, choose Refresh from the right-click menu and the screen should refresh to show the expected results. If this does not fix the problem, choose Refresh one level higher in the tree than where you expect the result to be shown.
· Only enable DirectAuthorize once in a zone
DirectAuthorize should be enabled only once in a given zone. If it is enabled more than once, on the second and subsequent times you may receive an exception from the DirectAuthorize console. If you receive the exception, restart the MMC and then continue.
· admigrate does not migrate classic SFU zones.
· admigrate does not migrate zone delegation rights.
· Centrify 4.5.4 Samba
This release of the DirectControl Agent does not work with earlier Centrify Samba releases on AIX and SuSE 8. It works with Centrify 4.5.4 Samba, which is based on stock Samba 3.6.5.
· puttytel does not support Kerberos authentication.
· If you specify Alternate Kerberos credentials on the SSH > Kerberos properties page, you will always be prompted for a password. This happens even if you choose to remember the password when first prompted for it.
In addition to the documentation provided with this package, you can find the answers to common questions, information about any general or platform-specific known limitations, and tips and suggestions in the Centrify Knowledge Base.
The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately. For more information, see the Centrify Resource Center Web site:
http://www.centrify.com/resources/application_notes.asp
You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Suite, send email to support@centrify.com or call 1-408-542-7500, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.