© 2004-2013 Centrify Corporation.
This software is protected by international copyright laws.
All Rights Reserved.
Centrify Suite featuring DirectControl 5.1.0 centralizes authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Suite, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. DirectControl, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on Legacy systems, separate identity from access management and delegate administration. Centrify’s non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.
An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order in which to perform the updates so that all packages continue to work correctly once upgraded. This document is also available in the Centrify Knowledge Base.
· DirectManage Access Manager
DirectManage Access Manager is the new name for DirectControl Administrator Console.
· License report in Report Center is replaced by the Deployment Report. There is a start menu item to open the Deployment Report.
· Windows access and auditing
Centrify Windows agents provide role-based access control, privilege management and auditing on Windows computers. For details, please refer to Administrator's Guide for Windows.
· Migrate from sudo to dzdo
A wizard is provided in DirectManage Access Manager to migrate privilege management of UNIX computers from sudoers to Active Directory via the Centrify Suite DirectAuthorize features. It is recommended to import the UNIX users and groups and create the computer roles before importing the sudoers file. Refer to Administrator's Guide for UNIX for details.
· Import users and groups from Deployment Manager database
The import users and groups wizard in DirectManage Access Manager is enhanced to retrieve the users and groups’ data from the Deployment Manager database.
· Forest Analysis in DirectManage Access Manager is enhanced to check for:
- expired profiles storing SID in sidHistory
- profiles schema for cross forest users
- orphan role assignment
· Configure Auto Zone to limit access
You can set configuration parameters or group policies to specify a subset of Active Directory users and groups that have access to computers joined through Auto Zone. Refer to Administrator's Guide for UNIX for details.
· Substitute UID with employee number or employee ID in Auto Zone
Zone Provisioning Agent allows using employee number or employee ID as the UID in the user's UNIX profile.
· Role based Audit rights
There are predefined audit rights that are built into every role definition. They specify whether and under what conditions a user must be audited in order to login. This feature is only available in hierarchical zones.
New pre-defined role definitions :
- scp: Predefined system role for granting scp access without explicit SSH login.
- sftp: Predefined system role for granting sftp access without explicit SSH login.
- UNIX login: Predefined system role that grants typical UNIX user login rights. It is called “login” role in previous releases.
- Windows login: Predefined system role that grants typical Windows user login rights including console and remote login.
- winscp: Predefined system role for granting winscp access.
The pre-defined role definitions are not created for the zones that exist before DirectControl is upgraded. You can use “Generated pre-defined roles” context menu to create those roles.
See the Administrator's Guide for UNIX for details.
· Audit Trail
Authentication and authorization granted and denied messages are written to the syslog file. The audit trail messages are identified by the AUDIT_TRAIL token in the message.
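As an added example (not part of the release notes or of Centrify's own tooling), the following Python script shows how a defender might pick the audit trail out of a syslog file and summarize granted and denied decisions. Only the AUDIT_TRAIL token is taken from the notes above; the pipe-separated layout, the `key=value` fields and the sample lines themselves are constructed for this example and are not the real message format.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real Centrify output). Only the
# AUDIT_TRAIL token comes from the release notes; the pipe-separated layout
# and the ';'-separated key=value fields after it are assumptions.
SAMPLE_SYSLOG = """\
Jan 10 09:12:01 host1 adclient[1234]: AUDIT_TRAIL|PAM|authentication|granted|user=alice;service=sshd
Jan 10 09:12:07 host1 adclient[1234]: AUDIT_TRAIL|PAM|authentication|denied|user=bob;service=sshd;reason=bad password
Jan 10 09:12:09 host1 adclient[1234]: cache refreshed for zone Global
Jan 10 09:13:15 host1 adclient[1234]: AUDIT_TRAIL|dzdo|authorization|denied|user=bob;command=/bin/bash
Jan 10 09:13:30 host1 adclient[1234]: AUDIT_TRAIL|dzdo|authorization|granted|user=alice;command=/sbin/service sshd restart
Jan 10 09:14:02 host1 adclient[1234]: AUDIT_TRAIL|PAM|authentication|denied|user=bob;service=sshd;reason=bad password
"""

# syslog prefix (timestamp, host, program) followed by the assumed audit layout
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+: "
    r"AUDIT_TRAIL\|(?P<component>[^|]+)\|(?P<action>[^|]+)\|"
    r"(?P<outcome>granted|denied)\|(?P<fields>.*)$"
)


def parse_audit_events(syslog_text):
    """Return one dict per AUDIT_TRAIL line; other adclient lines are skipped."""
    events = []
    for line in syslog_text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue  # ordinary log line, not part of the audit trail
        fields = {}
        for kv in m.group("fields").split(";"):
            key, _, value = kv.partition("=")
            if key:
                fields[key.strip()] = value.strip()
        events.append({
            "timestamp": m.group("ts"),
            "host": m.group("host"),
            "component": m.group("component"),
            "action": m.group("action"),
            "outcome": m.group("outcome"),
            **fields,
        })
    return events


def summarize(events):
    """Count decisions per (component, outcome), e.g. ('PAM', 'denied')."""
    return Counter((e["component"], e["outcome"]) for e in events)


def repeated_denials(events, threshold=2):
    """Users with at least `threshold` denied decisions: a cheap triage signal."""
    denied = Counter(e.get("user", "?") for e in events if e["outcome"] == "denied")
    return {user: n for user, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_audit_events(SAMPLE_SYSLOG)
    for key, n in sorted(summarize(evs).items()):
        print(f"{key[0]:<6} {key[1]:<8} {n}")
    print("repeated denials:", repeated_denials(evs))
```

On a real host, replace `SAMPLE_SYSLOG` with the contents of the syslog file and adjust `AUDIT_RE` to the message layout actually observed; the token filter and the per-user denial count carry over unchanged.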
· Migrate Classic Zone to Hierarchical Zone
The admigrate script migrates users, groups, roles and rights in a classic zone to a hierarchical zone. Refer to its manpage for usage.
· Move Computer to Hierarchical Zone
The adchzone script moves a zone computer object from classic to hierarchical zone in the same domain. Refer to its manpage for usage.
· Upgrading DirectControl cache
When DirectControl is upgraded from 5.0.x, its cache is also upgraded. It does not support cache upgrade from 4.x. The 4.x cache will be deleted when upgrade is performed. Upgrade is not performed if the cache is encrypted.
· adedit is enhanced
- get_all_zone_users: gets all zone users along the hierarchical path.
- get_user_groups: gets the groups that the user belongs to.
- get_zone_user_field, get_zone_group_field, get_zone_computer_field: add dn option to locate the AD object.
- dn_to_principal, get_group_members, get_role_assignments, get_zone_users, joined_name_to_principal, list_role_assignments, list_zone_user, principal_from_sid: add upn option to display UPN name.
- move_object: moves the selected object to the specified location in the same domain.
- rename_object: renames the common name of the selected object.
· New adedit sample scripts
- addbloader is enhanced to support the new sysRights and roles in DirectControl and Windows Agent. When you use adedit to modify the sysRights, you must use bit operators to make the change. Otherwise, the Windows Agent sysRights will be reset.
- adreport is enhanced to report command rights.
- adzonediff is new in this release. It compares the roles and rights between two zones. Refer to its command help for usage.
- More adedit sample scripts can be found under the /usr/share/centrifydc/samples/adedit directory. See the UNIX and Linux Evaluation Guide for details.
· centrifydc.conf is updated:
- New parameters:
- auto.schema.allow.users: Users allowed in this Auto Zone.
- auto.schema.allow.groups: Users who are members of the groups specified here are allowed in this Auto Zone.
- auto.schema.groups: Groups allowed in this Auto Zone.
- auto.schema.max.unix.name.length: Maximum length of a UNIX name in this Auto Zone.
- auto.schema.override.uid: Specify which Active Directory user attribute to use to generate the UID.
- auto.schema.substitute.chars: The character is used to substitute invalid characters.
- auto.schema.unix.name.disallow.chars: Characters not allowed in Auto Zone name.
- adclient.binding.refresh.force: Indicates whether adclient forces LDAP bindings to be re-established regardless of whether the current binding is to the closest site.
- adclient.dzdo.clear.passwd.timestamp: Set to true to remove the tickets after logout. Default is false.
- adclient.sudo.clear.passwd.timestamp: Set to true to remove the tickets after logout. Default is false.
- adclient.sudo.timestampdir: The directory where sudo stores timestamp files.
- adclient.update.os.interval: How long adclient waits before attempting to update the OS information when adclient starts up in disconnected mode. Default is 30 seconds.
- dc.penalty.time: controls how long a domain controller that has failed is considered less preferable to the other domain controllers in the forest.
- dzsh.roleswitch.silent: Set to true to suppress the role switch information that dzsh prints. Default is false.
- dzdo.passprompt: The password prompt format when the target user's password is needed. Default is "[dzdo] password for %p:".
- krb5.cache.post.renewal: A customer-defined job that adclient runs after krb5renew.
- pam.setcred.respect.sufficient: Set to true if pam_setcred should call the remaining modules even when a 'sufficient' module has already succeeded. DirectControl sets the value according to the target platform.
- Modified parameters:
- adclient.cache.expires: Default is changed from 3600 to 600 seconds.
- adclient.cache.expires.gc: Default is changed from 3600 to 600 seconds.
- adclient.cache.expires.group: Default is changed from 3600 to 600 seconds.
- adclient.cache.expires.user: Default is changed from 3600 to 600 seconds.
- adclient.cache.expires.user.membership: Default is changed from 3600 to 600 seconds.
- nss.program.ignore: added unix_chkpw
Refer to Configuration Parameters Reference Guide for details.
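The parameter list above reads as a flat catalogue, so here is an added example (not part of the release notes and not a Centrify tool) of the kind of check a practitioner would run after an upgrade: parse a centrifydc.conf fragment and flag settings worth a second look. It assumes the `name: value` line format with `#` comments; the sample fragment is constructed, and the parameter names and the new 600-second defaults are the ones listed above.

```python
# Constructed sample centrifydc.conf fragment (not taken from a real host).
# The "name: value" line format with '#' comment lines is an assumption.
SAMPLE_CONF = """\
# Auto Zone settings: no allow list is set
auto.schema.max.unix.name.length: 8

# cache tuning carried over from an older install
adclient.cache.expires: 3600
adclient.cache.expires.user: 3600
adclient.cache.expires.group: 600

dzdo.passprompt: [dzdo] password for %p:
"""

# Cache expiry parameters whose default moved from 3600 to 600 seconds in 5.1.0
NEW_CACHE_DEFAULT = 600
CACHE_KEYS = (
    "adclient.cache.expires",
    "adclient.cache.expires.gc",
    "adclient.cache.expires.group",
    "adclient.cache.expires.user",
    "adclient.cache.expires.user.membership",
)

# Parameters that limit which AD users may log in through an Auto Zone
AUTO_ZONE_ALLOW_KEYS = ("auto.schema.allow.users", "auto.schema.allow.groups")


def parse_conf(text):
    """Parse 'name: value' lines into a dict; blank and '#' lines are ignored."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")  # first ':' only; values may contain ':'
        if not sep:
            continue  # not a parameter line; leave it alone
        params[name.strip()] = value.strip()
    return params


def review_conf(params):
    """Return human-readable findings for settings that deserve attention."""
    findings = []
    for key in CACHE_KEYS:
        if key not in params:
            continue  # built-in default applies
        try:
            seconds = int(params[key])
        except ValueError:
            findings.append(f"{key}: non-numeric value {params[key]!r}")
            continue
        if seconds > NEW_CACHE_DEFAULT:
            findings.append(
                f"{key}={seconds}s exceeds the 5.1.0 default of {NEW_CACHE_DEFAULT}s; "
                "cached AD data stays valid that much longer"
            )
    # This check covers the configuration file only; the same restriction can
    # also be applied through group policy, which this script does not see.
    if not any(k in params for k in AUTO_ZONE_ALLOW_KEYS):
        findings.append(
            "neither auto.schema.allow.users nor auto.schema.allow.groups is set: "
            "Auto Zone access is not limited to a subset of AD users in this file"
        )
    return findings


if __name__ == "__main__":
    for finding in review_conf(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

Point the script at /etc/centrifydc/centrifydc.conf on a joined host to review a live configuration; parameters that are absent are treated as using the built-in default, so an empty findings list after an upgrade is the expected result.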
· CLI is updated
- New --dnsname (-D): This is an optional parameter to override the dNSHostName attribute in the computer object.
- New --list (-L): lists DNS record details
- New --refresh (-r): update unchanged records to refresh TTL
- dzdo is enhanced to support local users and local groups.
- dzdo is enhanced to execute a command on a remote machine via SSH connection.
See the Administrator’s Guide for UNIX for details.
- New --computer-role (-C): show the computer role
- New --format (-f): produces scriptable output
· Read-only Domain Controller (RODC) is supported
RODC is supported in DMZ. RODC can also be in the same forest with writeable domain controller. Refer to Administrator's Guide for UNIX for details.
· adnisd supports multiple domains in hierarchical zones
In this release of the Centrify NIS server, the NIS maps can be distributed into different domain controllers in hierarchical zones.
· 0.9.8w OpenSSL
DirectControl is integrated with 0.9.8w OpenSSL.
· DirectControl LDAP Proxy supports global catalog search
In addition to searching through the domain controller, LDAP Proxy also supports global catalog search by adding "CN=$" in front of the search base. The global catalog search is useful in a multi-domain forest environment.
· Centrify 5.1.0 OpenSSH
Centrify DirectControl includes Centrify 5.1.0 OpenSSH, which is based on 6.0p1 OpenSSH in this release. Refer to Administrator Guide for UNIX.
· New UNIX Rights Definition
- SSH Rights
New predefined SSH rights identify specific SSH services that a user who is enabled for PAM SSH access can run. The SSH rights are generated after the DirectControl console is upgraded. Refer to Administrator's Guide for UNIX for details.
· Support is added for the following new operating systems:
- Mandriva one 2012 (32- and 64-bit)
- Red Hat Enterprise Linux 5.8 PPC (64-bit)
- Red Hat Enterprise Linux 5.8 Itanium (64-bit)
- Linux Mint Debian Edition (32- and 64-bit)
- OpenSuSE 12.2, 12.3 (32- and 64-bit)
· Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.
- Support is added for the following operating systems:
- Fedora 18 (32- and 64-bit)
- Red Hat Enterprise Linux 6.3 (32- and 64-bit)
- Red Hat Enterprise Linux Desktop 6.3 (32- and 64-bit)
- CentOS 5.8, 6.3 (32- and 64-bit)
- Scientific Linux 5.8, 6.3 (32- and 64-bit)
- Oracle Linux 6.3 (32- and 64-bit)
- Ubuntu Desktop 12.10 (32- and 64-bit)
- Ubuntu Server 12.10 (32- and 64-bit)
- Linux Mint 13, 14 (32- and 64-bit)
Only x86 and x86-64 Red Hat packages are updated in this release. The Debian packages in Suite 2012.2 are verified to work with Ubuntu 12.10 and Linux Mint 13 and 14.
All other packages are identical to DirectControl 5.0.4.
· In this release, the following platforms support smart card login:
- Red Hat Enterprise Desktop 5.x and 6.x (32- and 64-bit)
· The following smart cards are supported:
- Gemalto SC 64k 1.2 – CAC
- Oberthur One 5.2 – PIV
- Oberthur 128 v5.5 DI – CAC
- Gemalto 144 TOPDL DI – CAC
- Oberthur ID One 5.2 Dual – CAC
- Gemalto 72k DI - CAC
· Smart card login is supported on GNOME only.
· New group policies are added to support smart cards. Refer to Group Policy Guide for details.
· Only Red Hat packages are updated in this release. All other platforms are identical to DirectControl 5.0.3.
· DirectControl for Mac OS X has been updated to version 5.0.3. See the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.
· Support has been added for Mac OS X 10.8.
· NOTE: only Mac platforms have been updated to DirectControl 5.0.3 in this release. All other platforms are at 5.0.2.
· Centrify 4.5.4 OpenSSH
OpenSSL is upgraded from 0.9.8k to 0.9.8w, which is statically linked. It fixes several security vulnerabilities reported since 0.9.8k. Refer to the OpenSSL release notes for details.
· All other packages are identical to DirectControl 5.0.2.
· FIPS 140-2
Red Hat Enterprise Linux Server and Mac OS X support FIPS 140-2 standard.
· 0.9.8s OpenSSL
DirectControl in FIPS mode is integrated with 0.9.8s OpenSSL.
· Centrify 4.5.3 OpenSSH
Centrify DirectControl includes Centrify 4.5.3 OpenSSH, which is based on 5.9p1 OpenSSH in this release. Refer to Centrify 4.5.3 OpenSSH release notes for details.
· Centrify 4.5.3 Samba
Centrify 4.5.3 Samba is based on 3.5.11 Open Samba code. Centrify 4.5.3 Samba can be downloaded from the Centrify web site. Previous Centrify Samba releases do not work with Centrify DirectControl in this release.
DirectControl does not ship the SQLite shared library in its package; this avoids conflicts with the SQLite shared library used by other applications.
· Support is added for the following new operating systems:
- Red Hat Enterprise Linux 5.8, 6.2 (32- and 64-bit)
- Red Hat Enterprise Linux Desktop 5.8, 6.2 (32- and 64-bit)
- Scientific Linux 5.7 (32- and 64-bit)
- Fedora 17 (32- and 64-bit)
- CentOS 5.7, 6.1, 6.2 (32- and 64-bit)
- Mandriva Enterprise Server 5 (32- and 64-bit)
- VMWare VIMA vsphere 5
- Linux Mint 12 (32- and 64-bit)
- Solaris 11 (x86_64 and SPARC)
· Support is removed for the following operating systems:
- All OpenSolaris versions
- AIX 5.1, 5.2
- VMware ESX 3.0.1, 3.0.2
- Fedora 13 and below (32- and 64-bit)
- Ubuntu 6.06, 8.10, 9.04, 9.10 (32- and 64-bit)
- Mac OS X 10.5
· Express mode
- Express mode is now supported and HPUX 11.31 and AIX 7.1 are added to the platform support list for Express.
· DirectControl for Mac OS X
- DirectControl 5.0.1 is the first release on the Macintosh platform that provides support for Next Generation Zones.
- Support for OS X 10.7.x, including support for Apple's FileVault full disk encryption and Microsoft's Distributed File System (DFS) capabilities.
- Automated Certificate Enrollment for 802.1x and VPN services
- Improved support for Printer Management on the Mac using _lpadmin and _lpoperator printer groups on the local mac
- Simplified Group Policies for automatically mounted fileservers and home directories.
- Smart Card support for 10.6 and 10.7 for all CAC, CACNG, and PIV cards, including the Oberthur ID One 128 v 5.5 Dual Smart Card.
- New OCSP Enhancements and GUI for Smart Card configuration
· User password expiration
- Fine-grained password policy is queried to determine user password expiration.
· DirectControl MMC Snapin
- Now implemented in user mode rather than in author mode in order to co-exist better with group policies.
· Support is added for the following new operating systems:
- Citrix XenServer 6.0
- Fedora 16 (32- and 64-bit)
- OpenSuSE 12.1 (32- and 64-bit)
- Ubuntu 11.10 Desktop (32- and 64-bit)
- Ubuntu 11.10 Server (32- and 64-bit)
- Solaris 11 Express 2010.11 (x86_64 and SPARC)
· Hierarchical zoning
· NIS map support added to NSS
The following NIS maps are supported:
· Centrify Zone Provisioning Agent
Zone Provisioning Agent (ZPA) is now included with DirectControl. It has been updated to support hierarchical zoning, new in DirectControl 5.0.0.
· Group Policies
1. New group policy: Enable Auto Zone user home directory This group policy adds the auto.schema.use.adhomedir property to /etc/centrifydc/centrifydc.conf.
2. adm files are now shipped for Centrify group policies as well as xml.
· Configuration parameters
1. New configuration parameter: krb5.cache.clean.exclusion
This parameter defines an exclusion list for when adclient cleans users' cache files. For users in this list, adclient will not clean their krb5cc_* file. UNIX names of AD users should be used. The default value is empty.
2. New configuration parameter: adclient.krb5.use.addresses
This parameter controls the MIT Kerberos HostAddresses option. If the parameter is set to true, adclient will add "noaddresses = false" to krb5.conf. The parameter is set to false by default.
3. New configuration parameter: adclient.altupns
This parameter tells adclient to allow an otherwise unknown Kerberos realm as UPN suffix. The default is unconfigured. For example, to allow "mil" as a UPN suffix:
· New CLI features
adcheck now does a DNS TCP port check as well as a UDP port check in the "net" set of checks.
New --tmp_path (-m) parameter to use the given path for temporary files during check. If not specified the default is /tmp.
- New --undo (-U) parameter to back out changes made since the last change marker. The log for undo is accumulated in
- New --debugcache command line parameter added to tar up /var/centrifydc cache files.
- -y parameter now accepts parameters. "config" dumps all property values, "dns" dumps the dns cache and "all" dumps all system information.
- --support parameter now includes contents of /etc/irs.conf, /etc/netsvc.conf and shows the ldd output for
- New -G option to report the current GC.
- New --upn (-U) parameter for adjoin sets the user's UPN.
- New parameter --attribute mail (-b mail) to return the email address of a user. Note that this can only be used for users; it does not work for groups.
- New --principal (-P) parameter for adupdate user allows setting of user's upn.
- New --foreign-sid (-i) parameter allows setting / retrieving of a sid for a foreign user.
- adupdate now allows changes to users from one-way trusted forests. To use it, retrieve the SID for the user to be changed via the adquery user -Z option, then use that SID in adupdate with the --foreign-sid option.
- New --userWorkstations (-W) option for adquery user shows the user's userWorkstations attribute. The -all (-A) option has been extended to include this attribute too.
· Windows Console
An option has been added to the import Wizard to add a prefix or suffix to the name of a group or user, allowing name clashes to be avoided with already existing users and groups.
· New DirectAuthorize reports
Two new reports have been added to report on user roles and rights grouped by zone. The new reports are:
- User Role Assignments Grouped by Zone
- User Privileged Command Rights Grouped by Zone
· The DirectControl NIS server (adnisd) now derives the mail.byaddr map.
· Reworked DirectAuthorize to integrate it with hierarchical zones.
· A script can now be called every time a dzdo command is executed, which allows per-command logging or a change-ticket entry to be added each time a privileged command is executed.
· The Centrify Putty "Auto-login username" group policy now defaults to "User principal name (require DirectControl)".
· Support is added for the following operating systems:
- CentOS 4.9, 5.6, 6.0 (32- and 64-bit)
- Debian 6 (32- and 64-bit)
- Fedora 15 (32- and 64-bit)
- Mandriva 2011 One
- Oracle Linux 6 (32- and 64-bit)
- Red Hat Enterprise Linux 5.7, 6.1 (32- and 64-bit)
- Red Hat Enterprise Linux Desktop 5.7, 6.1 (32- and 64-bit)
- Scientific Linux 4.9, 5.6, 6.1 (32- and 64-bit)
- Ubuntu Desktop 11.04 (32- and 64-bit)
- Ubuntu Server 11.04 (32- and 64-bit)
· DirectManage Access Manager does not time out in a big forest when a computer zone is created (REF#: 33229).
· When a zone is moved in DirectManage Access Manager, the new zone path was not changed in the Centrify Profile in ADUC. This problem is fixed (REF#: 33229).
· DirectManage Access Manager can coexist with DirectManage Audit Manager and DirectManage Audit Analyzer in the same MMC console (REF#: 26113).
· Zone Provisioning Agent copies users and groups correctly when there are duplicate samAccountName (REF# 33535).
· Zone Provisioning Agent will now keep the configuration settings during upgrade.
· Zone Provisioning Agent will not unprovision existing user profiles from a zone when ZPA detects one of the source groups has been deleted (REF#: 30025).
· Zone Provisioning Agent fixed the issue causing "The server is not operational" error by reusing the LDAP connection (REF#: 31331).
· DirectControl Agent has historically written working data to /tmp. This version of DirectControl Agent uses /var/centrify/tmp for its working data. This eliminates the symlink vulnerability exposed by the /tmp directory, to which every user has write access (REF#: 38474).
· adclient crashed a couple of times a day doing its own internal health checks on AIX. This is due to a bug in the gcc shared library. The gcc compiler is upgraded to resolve this issue (REF#: 27370).
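The /tmp fix above is an instance of a general rule: a privileged daemon should keep its working files in a directory only it can write to, and it should never let a pre-placed symlink decide where its writes land. The following Python example is added here to illustrate that rule; it is not Centrify code and does not reproduce what the agent does internally. It assumes a POSIX system, and the "planted symlink" scenario in `demo()` is constructed to show the mitigation working.

```python
import os
import shutil
import stat
import tempfile


def is_private_dir(path):
    """True when path is a real directory (not a symlink) owned by the current
    user and writable only by that user, i.e. not a shared /tmp-style location."""
    try:
        st = os.lstat(path)  # lstat: a symlink to a directory does not qualify
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def create_working_file(dirpath, name):
    """Create a brand-new working file under dirpath and return it opened for writing.

    O_CREAT|O_EXCL makes the open fail if the name already exists, including when
    it exists as a symlink, so an attacker cannot redirect the write. O_NOFOLLOW
    is added where available as belt-and-braces."""
    if not is_private_dir(dirpath):
        raise PermissionError(f"{dirpath} is not a private directory")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)  # absent on some platforms; O_EXCL still protects
    fd = os.open(os.path.join(dirpath, name), flags, 0o600)
    return os.fdopen(fd, "w")


def demo():
    """Exercise the helpers in a scratch directory; returns what happened."""
    base = tempfile.mkdtemp()  # created mode 0700 and owned by us
    results = {}
    try:
        with create_working_file(base, "work.dat") as f:
            f.write("scratch data\n")
        results["honest_file"] = os.path.isfile(os.path.join(base, "work.dat"))

        # Constructed scenario: someone pre-plants a symlink with the name the
        # daemon is about to use, pointing at a file that must not be clobbered.
        victim = os.path.join(base, "victim")
        with open(victim, "w") as f:
            f.write("must survive\n")
        os.symlink(victim, os.path.join(base, "planted.dat"))
        try:
            create_working_file(base, "planted.dat")
            results["symlink_blocked"] = False
        except FileExistsError:
            results["symlink_blocked"] = True  # O_EXCL refused the existing name
        with open(victim) as f:
            results["victim_intact"] = f.read() == "must survive\n"

        # A world-writable directory (sticky bit or not) is rejected outright.
        shared = os.path.join(base, "shared")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)
        results["shared_dir_rejected"] = not is_private_dir(shared)
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership and mode check in `is_private_dir` is what makes a dedicated directory such as the one the release notes describe safer than /tmp: the same `O_EXCL` open would also fail in /tmp, but there an attacker can pre-create the name and cause a denial of service, whereas in a private directory only the owner can.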
· When the user moves from local domain to foreign domain in a one-way forest trust, the user cannot login in offline mode. This issue is fixed in this release (REF#: 31031).
· Fixed adclient entering “down” status when a user in a foreign group is migrated to the current domain (REF#: 34512).
· Fixed adclient core dump issue when authenticating bad password (REF#: 32320).
· Fixed a bug that causes high CPU utilization if DirectControl agent switches to another domain controller while it is constructing the internal cache (REF#: 36663).
· Join computer supports host name longer than 15 characters and containing dots (REF#: 32773).
· Fixed the self-serve join problem after pre-create computer if the zone parameter is not specified. Without the zone parameter, self-serve join would select the first zone in the list (REF#: 36662).
· Fixed a defect where adquery or the getent group command returned duplicate or missing members when a group contains more than 500 members (REF#: 31128).
· Fixed the problem that automatically mounts the file system when the group command is executed (REF#: 26467).
· Fixed adquery listing users who have no listed or login role (REF#: 32486).
· Roles can be inherited from more than 2 levels in hierarchical zones (REF#: 29982).
· An LDAP user who has not been migrated to AD could not change their LDAP password upon logon on a server with Centrify installed. This is fixed (REF#: 29383).
· /tmp directory is filled up with random name files after running adauto.pl repeatedly. A random name file is created by each invocation of adauto.pl. This problem is now fixed (REF#: 34582).
· The Ticket Granting Ticket (TGT) is not forwarded by Centrify OpenSSH. This problem is now fixed (REF#: 30610).
· Added group policies for Mac OS X 10.8. See the Group Policy Guide for details.
· Centrify 4.5.5 OpenSSH does not remove /usr/local/bin in the PATH environment variable.
· This release contains new features and no bug fixes. See section 2.2 for the list of the new features.
· See the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.
· User can login to Active Directory with sid in sidHistory in the tokenGroups attribute.
· User can login to Active Directory through local cache after the machine is disconnected and restarted.
· NTLM login to the Active Directory domain works through the local cache when the machine cannot access the domain controller.
· adedit create_zone API works for FIPS compliant license.
· AD user will expire in cache if it is marked force expired even though AD user in cache is queried frequently.
· Overridden AD user is visible although its name in cache has been flushed.
· adsmb can successfully get a file.
· Centrify 4.5.3 OpenSSH X11 forwarding works in IPv4 network.
· Centrify 4.5.3 OpenSSH no longer stalls for a few seconds when logging in to Solaris SPARC machines.
· Centrify 4.5.3 OpenSSH can coexist with Solaris SSH.
· Imported users and groups from passwd and group files do not show "Incomplete user UNIX data" error message.
· Deployment Manager can work with interactive prompt after ssh connection.
· Rights are accumulated across multiple roles with restrictive shell.
· Centrify 4.5.3 PuTTY release is updated with the latest open source PuTTY 0.62 release and adds all new features delivered in that release. PuTTY 0.62 contains a security fix so that it no longer retains passwords in memory.
· SuSE 11 won't crash if tilde is used in ksh.
· DirectControl can now be upgraded via Ubuntu apt-get.
· User with effective rights of non-password cannot login with a password.
· User gets restricted shell if "Login with non-Restricted Shell" in "System Rights" is not checked.
· adsmb is able to use the current Active Directory user's credentials.
· Upper case netgroup names are supported in LDAPProxy.
· adnisd reads the correct NIS maps even if the DirectControl agent switches to another domain controller while adnisd is reading the NIS maps.
· ZPA does not truncate the UNIX name to 8 characters if the "Truncate the UNIX name to eight characters" check box is not selected.
· ZPA can collect debug log if "Turn on debug logging" is checked in the ZPA Configuration Panel.
· When searching for users in a remote forest, the remote forest is shown in a separate tree.
· Find Users now works even if orphans exist in zones.
The following sections describe common known issues or limitations associated with this Centrify Suite release; they are categorized as follows:
- DirectManage Access Manager
- Report Center
- Group policies
- Zone Provisioning Agent
- DirectControl Agent
- Centrify NIS server (adnisd)
- Centrify Network Information Service
- Centrify LDAP Proxy
- DirectControl Auto Zone mode
- Smart Card
- DirectAuthorize on Linux/UNIX
- Zone Migration
- Centrify Samba
- Centrify Putty
In addition to the known issues described in these sections, you should review the details in the appropriate platform-specific release-notes-agent.txt file for the operating environments you support.
For the most up to date list of known issues, please login to the Customer Support Portal at http://www.centrify.com/support and refer to Knowledge Base articles for any known issues with the release.
· Uninstalling DirectManage Access Manager while it is open on Windows 2008
If you attempt to uninstall the DirectManage Access Manager on Windows 2008 while the program is still open, the installer will report twice that files are still in use. If you want to continue to uninstall, you should close the program and click Retry each time and the uninstall will complete correctly.
· Import users and groups before importing sudoers file
Sudoers Import creates the user roles but not the users. It is recommended that you import users and groups prior to importing the sudoers file. Otherwise, no sysRights are created for the users.
· Pre-create computers before importing computer role from sudoers file
The computers contained in the sudoers file must either be joined to a zone or pre-created.
· Delegating zone administration permissions for SFU zones
Delegate permissions to add, remove or modify users for SFU zone are not supported.
· UID does not automatically increment when adding users through Welcome page
When adding users to a zone, the UID used is automatically incremented each time. However, if you use the Add User to Zone feature on the Access Manager Welcome page, the UID is not incremented after the user is added. In this case you should select “<Use auto incremented UID>” for UID in the “User Defaults” tab in its zone property page.
· NIS domain name with adnisd
The NIS domain name in the Access Manager Zone Properties page is currently ignored by adnisd. The NIS domain name defaults to the name of the zone, or can be overridden in /etc/centrifydc/centrifydc.conf via the property "nisd.domain.name". This will be fixed in a future release.
· Users with rights to import user and groups into a zone also gain rights to modify profiles
Any users who are given the right to "Import users and groups to zone" are automatically also given the right to "Modify user/group profiles".
· Secondary groups not imported from XML files
Using the Import Wizard to import user information from XML files does not import secondary group membership.
· Using domain local groups to manage resources
Domain local groups can only be used to manage resources in the same domain as the group. So, for instance, a domain local group in domain A may be used to manage a computer in domain A but not one in domain B, despite a trust relationship between the two domains.
· Domain local groups from other domains shown in search dialog
When using the search dialog in the Access Manager to delegate zone control to a group, domain local groups from child domains will be shown incorrectly in the results and should be ignored. The search results when using the ADUC extension do not show these domain local groups.
· Analyze forest and SFU zones
The analyze forest feature in the Access Manager does not report empty zones or duplicated users or groups in a SFU zone.
· Working with users that have more than one UNIX mapping
DirectControl supports Active Directory users that have more than one UNIX profile in a zone. However, if you are upgrading from DirectControl 4.x or earlier and have existing users with more than one UNIX mapping, you should use a DirectControl 5.0.0 or later Access Manager to remove all but one of the UNIX profiles for each of these AD users and then re-add them.
In addition, you should always use a DirectControl 5.0.0 or later console when modifying these users.
· In the Centrify Profile tab of the Properties page of a computer joined to a hierarchical zone, you cannot move this computer to a classic zone. Nor can you move it to a zone in another domain. There are no such problems with a computer joined to a classic zone.
· Using the 32-bit Access Manager on 64-bit OSes
While it is possible to run the 32-bit Access Manager on 64-bit Microsoft Windows, the installer will not recognize that the 32-bit console is installed; it will not offer any maintenance mode options and will assume a new installation. To upgrade a 32-bit console on a 64-bit OS, you should uninstall the old version and install the new version.
· Cannot delegate control of an SFU zone from the Report Center
It is not possible to delegate the control of an SFU zone from within the report center. To delegate SFU zone control, right click on the SFU zone node in the left pane.
· Color and font change in Report Center occasionally fails
Changing the font or colors in a report occasionally fails, even though the Format dialog shows the chosen font and color choices when they are made. Re-opening the Format dialog and changing color and/or font again will correctly set the choices for the report.
· Extra results when analyzing duplicate service principal names
When running the Analyze / Duplicate Service Principal Names report, kadmin/changepw is incorrectly returned as a duplicate. The SPN is actually found multiple times, but this is by Microsoft design as it is the default account for the Key Distribution Center service in all domains.
· The Access Manager is unresponsive when running the "Classic Zone - User Privilege Command Rights" report. This is due to a Microsoft library used to determine user rights and the program will be responsive once the report is completed.
· There are four group policies that can merge the lines of different GPOs to a resulting group policy. For the policies to merge, the policy in each GPO must be enforced. Policies with higher precedence will be placed lower in the resulting multi-line policy.
· Disable does not function with “Allow Groups” group policy
Disabling the group policy Computer Configuration > Centrify Settings > Centrify SSH Settings > Allow Groups does not disable the policy. To effectively disable groups of users, the groups should be removed from the Group Policy Object.
· Entering multi-line password prompt group policies
Multi-line group policies are supported, however an escape newline character "\\n" must be used.
· Default value for the NIS daemon update interval
In the Administrator Guide for UNIX the default for this value is shown as 5 minutes, but in the Group Policy user interface it is shown as 4 minutes. The correct value is 5 minutes and the Group Policy user interface will be updated to reflect this in a future release.
· Install's "repair" option reports files in use
When using the repair install option, the installer may pop up a “Files in Use” dialog that does not contain any entries. It is safe to simply click the Ignore button and continue the repair operation. This may happen on all supported platforms except Windows Server 2003 and Windows Server 2003 R2.
· One-way cross forest trusts not supported in Auto Zone mode
· Default zone not used in DirectControl 5.x
In DirectControl 4.x and earlier, there was the concept of a default zone. When DirectControl was installed, a default zone could be created that was used whenever no zone was specified. If no zone was specified when joining a domain with adjoin, the default zone would be used.
This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.
A zone called "default" may be created, and default zones created in earlier versions of DirectControl may be used, but the name must be explicitly used.
· Cross forest groups are not supported in the pam.allow.groups or pam.deny.groups property setting.
· Using the --notime option with adjoin
If the --notime option is used when running adjoin, the centrifydc.conf parameter, adclient.sntp.enabled, is not updated to false. This means that subsequent adjoin operations also need to specify the --notime option if required.
· Attempted logins by non-zone members
If an AD user who is not a member of the zone attempts to log in, subsequent login attempts will fail for a period of 15 minutes from the time of their last unsuccessful login, even if they are made members of the zone in the meantime. This lockout may be worked around by running adflush, by logging in using the user's UNIX name (if different from the AD name), or by logging in using the computer's GUI rather than ssh or telnet.
· RSA Authentication Agent for Windows
Computers using DirectControl software are not able to authenticate to domain controllers running RSA Authentication Agent for Windows. To use DirectControl on these computers, it is necessary to disable the RSA Authentication Agent.
· Use of rsh and rcp with DirectControl
rsh and rcp are considered archaic methods and should not be used with DirectControl as their behavior cannot be guaranteed in all circumstances.
· Change password and rsh / rlogin
When using rsh or rlogin to access a computer that has DirectControl installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.
· Working with /var mounted via NFS
If /var is mounted via NFS then, in order for DirectControl to function correctly, it is necessary to use the adclient.clients.socket parameter in /etc/centrifydc/centrifydc.conf to point to a local directory. In addition, you should make a symlink from
to the local directory you have chosen.
You should set the no_root_squash option on the NFS export so that /var/centrify/tmp works over NFS. Otherwise, root is mapped to the anonymous user “nobody” on the NFS server, which does not always have write access to the exported directory.
· Changing the password of an orphan user with adpasswd
adpasswd should not be used to change the password of an orphan user. If it is used, an error will be generated as follows:
Error: Unsuccessful IPC execute: system error
· Working with adclient.client.idle.timeout
This property is only read at startup, so if it is changed adclient must be restarted. There is a Group Policy setting for this property but changing it has no effect until adclient is restarted on affected machines.
· Use of adupdate by non-administrators
adupdate uses the current user's Kerberos credentials when -a is not specified on the command line. To run the command as an administrator you should do one of the following:
- use "-a <adminname>" on the command line
- use "-p <adminpassword>" on the command line
- run "kinit <firstname.lastname@example.org>" before using adquery
- give the current AD user rights to create users
· Using adkeytab to change account passwords
To change a service account password using adkeytab, you should ensure that there is at least one Service Principal Name (SPN) associated with that service account. Attempting to change the service account password for an account without an SPN is not supported in this release.
· PAM messages depend on operating system
Configurable PAM messages will be shown inconsistently depending on the login method, daemon version and operating system version.
· adquery merges results for groups with no members
Groups that have no members do not have a newline after the GID when output by adquery.
· nss.minuid and nss.mingid are no longer used
These have been replaced by user.ignore and group.ignore. DirectControl will ignore the local uid and gid values which correspond to the users and groups in the .ignore file and generate a uid.ignore and gid.ignore file. The values from nss.minuid and nss.mingid will be added to this file during the upgrade process.
· adclient -c no longer supported
To modify core dump behavior you should edit the adclient.dumpcore property in
· Logging-in in disconnected mode
In disconnected mode the UNIX name or the Windows login name should be used for logging-in. The Active Directory display name is not guaranteed to be unique and may not allow the user to authenticate.
· Invalid argument reported when identifying a user whose uid or gid are zero
If you use the id command to display user and group information about a user whose uid or gid are zero, a message is displayed warning of an invalid argument, for example:
bash-3.1# id user1
setgroups: Invalid argument
This message is a side effect of the nss.squash.root feature and can be safely ignored.
· Use of addns on computers that act as network gateways
UNIX computers that act as gateways between different networks may require specification of the addns command line such that the correct network adapter IP address is registered in Active Directory's DNS. Set the adclient.dynamic.dns.command property in
to the addns command line necessary to select the correct network interface and IP address.
· Working with users defined in a Kerberos realm
DirectControl supports users defined in a Kerberos realm as long as the Kerberos domains / realms are resolvable by DNS. Kerberos realm names are case sensitive, so care should be taken to check the spelling / case of any realm used.
· Using DirectControl 4.x agents with DirectControl 5
DirectControl 4.x agents can join classic zones created by DirectControl 5. It is possible to join a DirectControl 4.x agent to a hierarchical zone as well, but this should be avoided as the behavior is undefined.
· adclient and asymmetric DNS servers
adclient expects all DNS servers to hold the same information (i.e. to be symmetric); it has no concept of asymmetric DNS servers. This means that if multiple DNS servers are defined and the information in each is not the same, the information in some domains may be inaccessible some or all of the time, depending on the response speed of the DNS servers and the information they hold. The /etc/centrifydc/centrifydc.conf parameter dns.sort turns off this random behavior and allows you to specify the order in which DNS servers are tried. Note, however, that adclient still does not use the DNS servers as a "path": the highest placed DNS server wins.
· Change in behavior of users to ignore
In DirectControl 4.x the nss.user.ignore and pam.ignore.users lists were treated separately and adclient only checked nss.user.ignore. In DirectControl 5.0.0 and later, both nss.user.ignore and pam.ignore.users are checked and the ignore list is the logical "or" of the two.
· Some non-alphanumeric characters are valid for Windows user or group names and are converted to underscore ("_") when changed to be UNIX names in the Access Manager, but cannot be used in adedit. The list is:
\ ( ) + ; " , < > =
· adedit cannot create AIX extended attributes in a SFU zone.
· Active Directory user fails to login a newly created WPAR on AIX
In a newly created WPAR, the /var/krb5/security/creds/ directory does not exist. The DirectControl post-install script creates it with root permissions but does not change its permissions to make it world-writable. You need to fix up the permissions manually (REF#: 39909).
· Cannot do single sign-on in Red Hat 5.9 SELinux on IA64 platform
You can log in, but the Kerberos credential cache is not created. This problem does not occur if SELinux is disabled, and it does not occur on the x86 platform (REF#: 40078).
· adnisd daemon fails to start
The adnisd service is not defined in the WPAR (REF#: 39911).
· Require “auto” in the automount map.
If an automount map created with a 4.x or earlier version of the DirectControl Console does not start with the string "auto" (i.e. auto.home, auto_master, auto_net, etc), it will not be recognized by this release of the DirectControl LDAP Proxy as an automount map. Automount maps which do not start with the string "auto" must be exported and imported using this version of the DirectControl Console or adedit.
· Wildcard use not supported with LDAP Proxy
This release of the LDAP Proxy does not support searches using wildcards in rfc2307 mode.
· LDAP Proxy not started after upgrade from DirectControl 4.x
You need to re-join the zone before LDAP Proxy can be started.
· When logging into a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which will result in unpredictable login behavior. The workaround is to remove the conflict or log in with a different AD user.
· An unauthorized PIV Smart card user, when attempting to log in, may still get a password login prompt. However the unauthorized user, after entering a password, will get an authentication error and will never be able to log into the system, nor change their password.
· In order to log in successfully in disconnected mode, a user must log in successfully once in connected mode prior to logging in using disconnected mode. This applies to a standard Active Directory user as well as Smartcard user.
· If a Smart Card user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using their expired password. This is not a usual case, as secure Smart Card AD environments usually do not allow both PIN and Password logins while using a Smart Card.
· Cannot add cross domain or cross forest users to roles in classic zone
DirectAuthorize does not currently support adding users from other domains into roles when the domain controllers are running Windows Server 2003 with security update 926122 or service pack 2. This is a Microsoft issue and a hot fix is available to install on computers running the DirectAuthorize console that need to run in these domains. More information may be found here:
· Cannot add cross forest groups to a role in classic zones
DirectAuthorize does not support adding groups from a trusted forest into roles at this time; all groups added to roles should be defined in the local forest. However, users from a trusted forest may be added to groups in the local forest and then added to a role, or they may be directly added to a role.
· Use of common UNIX commands with DirectAuthorize restricted shells
The DirectAuthorize restricted shell allows users to be restricted to use only a predetermined set of commands, however several common UNIX commands may allow users to execute commands that are not allowed in the restricted shell. The following list provides general guidance and specific examples of the issues to be considered:
- The man command
When adding a privileged command for the man command in a restricted environment, Centrify recommends:
* selecting Reset Environment Variables to allow users to use the default pager only.
* disallowing the -P, -C, -B or -H options, so that users can use only the default pager and man configuration file, by adding the following command in addition to the command for man:
!man * -[PCBH]*
The PAGER and MANPAGER environment variables and the -P, -C, -B, or -H options can allow a user to run a command not permitted by DirectAuthorize in the restricted environment.
- The Allow nested command execution option
The Allow nested command execution checkbox on the Attributes tab of the property page for a privileged command allows the privileged command to execute another command. This option is deselected by default (so the command is not allowed to execute other commands), but not all operating systems honor this restriction:
Solaris                 Honored in all cases
AIX 5.1, 5.2            Not honored in all cases
AIX 5.3, 6.1, 7.1       Honored except if a program is seteuid
HP-UX                   Honored except if a program is seteuid
Linux                   Honored except if a program is seteuid and the Run As... user is not root
- The tar command
When adding the tar command to a restricted environment Centrify recommends adding the following commands to prevent the --use-compress-program option to tar in addition to the tar command itself.
!tar * --use-compress-program*
This prevents the user from using the --use-compress-program option to run other commands not allowed in the restricted environment.
- cron jobs
Cron jobs are run by the crontab daemon and this has no dzsh restrictions, meaning that any restrictions placed on the user who created the cron job will not be in force when the job itself is run.
For this reason, Centrify recommends that users who run in the dzsh restricted shell are not given access to the crontab command.
- Editors that allow shell escapes
When adding the vi or view command to a restricted shell, the shell escape feature of the command can allow the user to execute a command not allowed in the restricted shell.
In addition, the perl, python and ruby support in vim, if available, can allow a user to execute a command not allowed in the restricted shell. To check whether your version of vim has perl, python or ruby support, run vim --version and look for +perl, +python, or +ruby.
Centrify recommends the following:
* Configure the command to not allow nested command execution (this is the default) to prevent shell escapes
* Use the rvi or rview command instead if available.
Vim is used as an example here; the same applies to any other editor that can escape to the shell and/or includes scripting language support.
- The rsync command
When adding the rsync command to a restricted environment, Centrify recommends adding the following commands, in addition to adding the rsync command itself, to prevent usage of the -e and --rsh options:
!rsync * -e*
!rsync * --rsh*
This prevents the user from using the -e or --rsh options to run commands not allowed in the restricted environment.
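The man, tar and rsync items above each name an option (or, for man, an environment variable) through which an otherwise permitted command can start a second program. A defender reviewing privileged command activity wants the same knowledge in checkable form. The following is an added example, not Centrify code and not the DirectAuthorize matching engine: it scans constructed command lines of the kind a command audit might record and flags exactly the vectors listed on this page (man -P/-C/-B/-H and PAGER/MANPAGER, tar --use-compress-program, rsync -e/--rsh). The handling of attached short-option arguments (-Pless), --name=value forms, leading VAR=value assignments and the "--" end-of-options marker is this example's own assumption about how the commands parse their arguments.

```python
import os
import shlex

# Options the release note identifies as able to start a second program:
# man -P/-C/-B/-H, tar --use-compress-program, rsync -e/--rsh.  Short
# options may carry their argument attached (-Pless); long options may use
# --name=value.  Tables constructed for this example.
ESCAPE_SHORT = {"man": set("PCBH"), "tar": set(), "rsync": {"e"}}
ESCAPE_LONG = {"man": set(), "tar": {"--use-compress-program"}, "rsync": {"--rsh"}}
# Environment variables the note says select man's pager.
ESCAPE_ENV = {"man": {"PAGER", "MANPAGER"}}


def find_escape_vectors(cmdline):
    """Return the reasons a command line could run a program outside the
    allowed set, or an empty list when none of the known vectors is present."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as err:            # unbalanced quotes: treat as suspicious
        return ["unparseable command line: %s" % err]

    # Leading NAME=value words are environment assignments, not the command.
    env = {}
    while argv and "=" in argv[0] and not argv[0].startswith("-"):
        name, _, value = argv[0].partition("=")
        if not name.isidentifier():
            break
        env[name] = value
        argv.pop(0)
    if not argv:
        return []

    cmd = os.path.basename(argv[0])
    if cmd not in ESCAPE_SHORT:
        return []                         # no rule for this program

    reasons = []
    for var in sorted(ESCAPE_ENV.get(cmd, ())):
        if var in env:
            reasons.append("%s overrides %s" % (var, cmd))
    for arg in argv[1:]:
        if arg == "--":
            break                         # everything after -- is an operand
        if arg.startswith("--"):
            name = arg.split("=", 1)[0]
            if name in ESCAPE_LONG[cmd]:
                reasons.append("%s uses %s" % (cmd, name))
        elif arg.startswith("-") and len(arg) > 1:
            for letter in arg[1:]:
                if letter in ESCAPE_SHORT[cmd]:
                    reasons.append("%s uses -%s" % (cmd, letter))
                    break                 # the rest of the cluster is its argument
    return reasons


def flagged_commands(cmdlines):
    """Return [(cmdline, reasons)] for the lines that carry an escape vector."""
    result = []
    for line in cmdlines:
        reasons = find_escape_vectors(line)
        if reasons:
            result.append((line, reasons))
    return result


# Constructed sample of privileged command lines, as a command audit might
# record them; not taken from any real system.
SAMPLE_COMMANDS = [
    "man ls",
    "man -P less ls",
    "man -Pless ls",
    "MANPAGER='less -R' /usr/bin/man ls",
    "tar -cf backup.tar /home/alice",
    "tar --use-compress-program=gzip -cf backup.tar.gz /home/alice",
    "rsync -av /data/ backup:/data/",
    "rsync -e ssh -av /data/ backup:/data/",
    "rsync -av --rsh=ssh /data/ backup:/data/",
    "rsync -av -- -e",
]

if __name__ == "__main__":
    for line, reasons in flagged_commands(SAMPLE_COMMANDS):
        print("FLAG  %-62s %s" % (line, "; ".join(reasons)))
```

The scanner flags any pager override for man, even a harmless one such as MANPAGER='less -R', because the recommendation above is to reset environment variables for the restricted command rather than to judge individual values. Conversely "rsync -av -- -e" is not flagged: after "--" the "-e" is a file operand, not an option, which is why a check on option position is preferable to a plain substring search.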
· Cannot open Roles & Rights node when user's domain is unavailable
If a user who has been added to a role or assigned rights is located in a domain other than the domain where the zone is located, and that user's domain is unavailable, the Roles & Rights node for the zone does not appear in the Access Manager when the zone is opened. When the domain becomes available again, the Roles & Rights node reappears once the zone is closed and reopened.
· Unexpected error when selecting the role assignment node
You may see the following unexpected error message when selecting the role assignment node:
System.Exception: More than one node has been registered for scope ID 3309168 at Ironring.Management.MMC.SnapinBase.FindNodeByHScope(IntPtr HScopeID) at
Ironring.Management.MMC.Component.Notify(IntPtr lpDataObject, UInt32 aevent, IntPtr arg, IntPtr param)
In this case, please close the MMC and reopen it and the role assignment node will open as expected.
· Unexpected error when removing orphaned role assignments
You may see the following unexpected error message when removing orphaned role assignment:
System.ArgumentNullException: Value cannot be null.
Parameter name: role
In this case, please close the error dialog and leave the orphaned role assignments in place; they do not affect system functionality.
· DirectAuthorize reports do not include users in remote forest
In this release the "Classic Zone - User Role Assignments" and “Classic Zone - User Privilege Command Rights" reports only show users in the local forest; any users in remote (trusted) forests are not included in the report.
· UI elements occasionally do not appear when expected
On occasion, the DirectAuthorize console does not show the expected results, or nodes do not appear in the tree on the left side of the console screen. When this happens, choose Refresh from the right-click menu and the screen should refresh to show the expected results. If this does not fix the problem, choose Refresh from the next higher point up the tree from where you expect the result to be shown and that should cure the problem.
· Only enable DirectAuthorize once in a zone
DirectAuthorize should be enabled only once in a given zone. If it is enabled more than once, on the second and subsequent times you may receive an exception from the DirectAuthorize console. If you receive the exception you should restart the MMC and then continue.
· admigrate does not migrate classic SFU zone.
· admigrate does not migrate zone delegation rights.
· Centrify 4.5.4 Samba
This release of DirectControl Agent does not work with the earlier Centrify Samba on AIX and SuSE 8. It works with Centrify 4.5.4 Samba that is based on 3.6.5 stock Samba.
· puttytel does not support Kerberos authentication.
· If you specify Alternate Kerberos credentials on the SSH > Kerberos properties page, you will always be prompted for a password. This will happen even if you choose to remember the password when first prompted for it.
In addition to the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.
The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately. For more information, see the Centrify Resource Center Web site:
You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Suite, send email to email@example.com or call 1-408-542-7500, option 2. For information about purchasing or evaluating Centrify products, send email to firstname.lastname@example.org.