Centrify® Server Suite 2015 DirectControl® 5.2.2 Release Notes

© 2004-2015 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.


Table of Contents

1. About This Release
2. New Features
   2.1. New Features in DirectControl 5.2.2
        DirectControl Agent
        DirectManage Access Manager
        Zone Provisioning Agent
        adedit
        Centrify OpenSSH
        Supported Platforms
   2.2. New Features in DirectControl 5.2.1
   2.3. New Features in DirectControl 5.2.0
        DirectControl Agent
        DirectManage Access Manager
        Deployment Report
        Supported Platforms
   2.4. New Features in DirectControl 5.1.3
        DirectControl Agent
        DirectManage Access Manager
        Zone Provisioning Agent
        adedit
        Centrify OpenSSH
        Supported Platforms
   2.5. New Features in DirectControl 5.1.2
        DirectControl Agent
        Centrify OpenSSH
        Supported Platforms
   2.6. New Features in DirectControl 5.1.1
        DirectControl Agent
        DirectManage Access Manager
        adedit
        Centrify OpenSSH
        Supported Platforms
   2.7. New Features in DirectControl 5.1.0
        DirectControl Agent
        DirectManage Access Manager
        Migration
        adedit
        Centrify LDAP Proxy
        Centrify OpenSSH
        Supported Platforms
   2.8. New Features in DirectControl 5.0.5
   2.9. New Features in DirectControl 5.0.4
   2.10. New Features in DirectControl 5.0.3
   2.11. New Features in DirectControl 5.0.2
   2.12. New Features in DirectControl 5.0.1
   2.13. New Features in DirectControl 5.0.0
3. Bugs Fixed
   3.1. Bugs Fixed in Centrify DirectControl 5.2.2
        DirectControl Agent
        DirectManage Access Manager
        Deployment Report
        adedit
        Zone Provisioning Agent
        Centrify OpenSSH
   3.2. Bugs Fixed in Centrify DirectControl 5.2.1
        DirectControl Agent
   3.3. Bugs Fixed in Centrify DirectControl 5.2.0
        DirectControl Agent
        DirectManage Access Manager
        adedit
        Centrify OpenSSH
   3.4. Bugs Fixed in Centrify DirectControl 5.1.3
        DirectControl Agent
        DirectManage Access Manager
        Deployment Report
        adedit
        Zone Provisioning Agent
        Centrify OpenSSH
   3.5. Bugs Fixed in Centrify DirectControl 5.1.2
        DirectControl Agent
        DirectManage Access Manager
        Report Center
        Zone Provisioning Agent
        Centrify OpenSSH
   3.6. Bugs Fixed in Centrify DirectControl 5.1.1
        DirectControl Agent
        DirectManage Access Manager
        Centrify OpenSSH
   3.7. Bugs Fixed in Centrify DirectControl 5.1.0
        DirectControl Agent
        DirectManage Access Manager
        Zone Provisioning Agent
        Centrify OpenSSH
   3.8. Bugs Fixed in Centrify DirectControl 5.0.5
   3.9. Bugs Fixed in Centrify DirectControl 5.0.4
   3.10. Bugs Fixed in Centrify DirectControl 5.0.3
   3.11. Bugs Fixed in Centrify DirectControl 5.0.2
   3.12. Bugs Fixed in Centrify DirectControl 5.0.1
4. Known Issues
        DirectControl Agent
        DirectAuthorize on Linux/UNIX
        DirectControl Auto Zone mode
        Smart Card
        DirectManage Access Manager
        Report Center
        Zone Migration
        Group policies
        Centrify Network Information Service
        Centrify LDAP Proxy
        Centrify OpenSSH
        Interoperability with Centrify Samba
5. Additional Information and Support


1. About This Release

Centrify Server Suite featuring DirectControl centralizes authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Server Suite, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. DirectControl, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. Centrify's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.


An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available in the Centrify Knowledge Base.


You can obtain information about previous releases from the Centrify Support Portal, in the Documentation & Application Notes page.


Centrify Server Suite is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.

2. New Features

2.1. New Features in DirectControl 5.2.2

DirectControl Agent

General

· Hadoop support

Deploying Hadoop in secure mode requires Kerberos service principal management across each cluster as well as within each node.  Centrify Server Suite 2015 facilitates the deployment of Hadoop in secure mode by automating the creation of Hadoop headless accounts and per node service accounts as well as providing support for Kerberos keytab management.  In this way, customers are able to fully integrate their Hadoop deployments with the rest of their enterprise identity system – they can leverage an existing investment in Active Directory to provide centralized identity management and auditing across Hadoop clusters, nodes and services and seamlessly integrate identity and access management, privilege management and session monitoring across the broadest range of platforms in the industry.  This results in a more secure Hadoop environment and addresses regulatory requirements while leveraging existing infrastructure and skillsets.

Centrify Server Suite 2015 includes the following features to enable Hadoop enterprise deployment in secure mode:

-  The adkeytab utility is enhanced to support computer account creation, with an option to set the password to never expire, for long-lived accounts that must be shared across a cluster. (Ref: 73742)

-  A sample script is provided to automate Hadoop service account creation and keytab management.  This makes deployment easier and reduces risk of error, and it enables secure rotation of Kerberos keys across nodes in the cluster. (Ref: 73961, 74761)

-  Centrify Server Suite continues to support Active Directory user Kerberos credential renewal – this is called out to emphasize the importance of enterprise grade features required for continuous, secure operations. (Ref: KB-3039)

Please refer to the README or README.html in /usr/share/centrifydc/samples/hadoop for the prerequisites, how to set up Hadoop and how to use the sample scripts.

· Audit Trail

-  Audit Trail events are now documented for customer use. The document AuditTrailEvents.xml can be found on the "Autorun" > "Documentation" page, or in the Documentation folder of the ISO image. (Ref: 66241)

-  Centrify sshd now uses a new mechanism to send its Audit Trail messages. These messages are not received if an earlier version of the DirectControl agent is used with this version of Centrify OpenSSH. (Ref: 54642)

· Software Upgrades

-  Centrify OpenSSH is now based on OpenSSH 6.6p1. The fix to CVE-2014-2653 - "The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate" is also included in this release. (Ref: 62477, 63380)

-  Centrify OpenSSH and Centrify DirectControl are now integrated with OpenSSL 0.9.8zc. (Ref: 72505)

-  Centrify DirectControl is integrated with curl library 7.39. (Ref: 73193)

-  Centrify dzdo is now based on sudo-1.8.10p3, with all features and behaviors the same as the former dzdo except for the following. (Ref: 40468)

1.  dzdo behavior is unchanged, including the exit status, but the failure and warning messages may differ in some cases.

2.  When env_reset is enabled, the new dzdo sets the initial value of HOME to the current user's home directory if HOME is listed in dzdo.env_keep, and otherwise to the target user's home directory; the old dzdo always set it to the current user's home directory. (Ref: 74272)

3.  dzdo now supports the -E option to ease migration from sudo for some users. The -E option is only permitted if the related DirectAuthorize command has the 'env_reset' field unset (for example by clearing the 'Reset environment variables' option of the command in Access Manager). Note: neither the -E option nor unsetting the command's 'env_reset' field is a safe operation; use them with care. (Ref: 76005)

Note: dzdo does not support sudo policy and session plugins in this release.  (Ref: 66785)

-  Centrify sudo Import is extended to support sudoers files based on sudo 1.8.10p3 (Ref: 66267)

-  Centrify LDAP Proxy is now based on OpenLDAP 2.4.40.

-  Earlier versions of Centrify DirectControl and DirectSecure will not work with this version of Centrify LDAP Proxy (Ref: 72579)

-  After this upgrade, when ldapsearch outputs a search result it also checks the size limit. The default value of the size limit "-z" is 0 (no limit). However, if you specify "-E pr=<size>/prompt" without the "-z" option, only one page of results is displayed. Because of this new behavior in OpenLDAP 2.4.40, always use the "-E" and "-z" options together to obtain the complete search results. (Ref: 73260)

-  TLS support is now enabled in Centrify LDAP Proxy. If Centrify slapd is started with TLS, or the Active Directory server accepts TLS/SSL connections, LDAP client tools (e.g. ldapsearch) can connect to slapd or AD using ldaps. Note: refer to the Centrify Server Suite Administrator's Guide for Linux and UNIX for configuration steps. (Ref: 51382)

· Enhancement of scripts and command-line utilities

-  A new command-line utility, adgpresult, is introduced. The adgpresult command reports the group policy settings in effect for the local computer, the current user, or a specified user. If you have configured and applied a Group Policy Object to a site, domain, or organizational unit that includes a Centrify-managed computer, you can use adgpresult to see the computer and user configuration policies that have been applied. The command displays a Resultant Set of Policies similar to the Microsoft Windows gpresult program. (Ref: 32411)

-  A new script, adautouser.pl, is provided to return automount map entries only for users who are zone enabled. This is different from the existing script adauto.pl which returns all map entries instead. (Ref: 34428)

-  A new script, adsyncignore, is provided to find the non-zone users and groups and update the user.ignore and group.ignore files accordingly. (Ref: 57164)

-  The command, adfixid, now supports a single UID/GID range. E.g. adfixid –id 5000-5000 now uses 5000 for conflict resolution. (Ref: 62209)

-  The command, addns, now has a new option, --secure (-S). This new option instructs addns to skip the non-secure update attempt and only perform the secure update. It works with --update only. (Ref: 40787)

-  The dzsh command history is available and persistent between invocations.  This is done by enhancing dzsh to save and restore commands from a command history file (.dzsh_history). (Ref: 62168)

-  Two new options ("-M" and "-W") are added to the adkeytab command. "-M, --computer-object" creates the account as a computer object; without this option, the account is created as a user object. "-W, --password-never-expire" sets the password to never expire when creating the account. (Ref: 73742)

-  A new option (--interactive, -I) allows adkeytab and adinfo to prompt the user for a password if the TGT is revoked. This is normally used when the user's Kerberos credential cache is used to authenticate to an RODC domain. When a machine is located on an RODC site and the AD users' passwords are allowed to be replicated to the RODC, the RODC may return a TGT_REVOKED error, which makes adkeytab/adinfo fail. With the -I option, the CLI prompts the user for a password and re-requests the TGT from the RODC. (Ref: 69631)

-  A new option (--enableAppleIDGenScheme) allows adjoin to apply the Apple UID/GID scheme by default. It takes effect only if auto-zone or workstation mode is chosen (i.e. option -w or -z "NULL_AUTO"). Once applied, centrifydc.conf is modified to set the two parameters "auto.schema.apple_scheme: true" and "auto.schema.primary.gid: -1". Note: this does not work with the --precreate option. (Ref: 73317)

-  dzdo supports the use of "%groupname" or "%#GID" in the user list part (the part before the colon) of the dzdo_runas settings for DirectAuthorize commands. If set, all users in the specified group pass the runas user check for command matching in dzdo. (Ref: 73384)

-  Sudo import supports groups and GIDs in the runas user list (the first runas list) of a runas specification within a user specification. Other items, such as netgroups and non-UNIX groups and GIDs, remain unsupported and are dropped during import. Note that sudo import cannot resolve group membership, so a default option that applies directly to group members rather than to the group itself is not recognized or configured correctly during import. (Ref: 73483)

· New start/stop support

-  Added a script "centrify-ldapproxy" to start/stop ldapproxy in Centrify LDAP Proxy.

Usage: /usr/share/centrifydc/bin/centrify-ldapproxy {start|stop|restart|condrestart|status} [options]. (Ref: 5288, 39402)

· New Group Policy support

-  Added a new GP, "Enable core dump cleanup", to clear Centrify DirectControl Agent core dumps which are older than <n> days. (Ref: 66050)

-  Added a new GP, "Add sshd_conf properties", to configure arbitrary sshd parameters. (Ref: 61700)

-  Added two new GPs, "Set ignored programs" and "Add centrifyda.conf properties", to set up nss.program.ignore and generic parameters respectively for DirectAudit. (Ref: 64645)

-  Added the support of "Exception groups" to the GP, "Require smart card login", to allow users in those groups to login with their AD usernames and passwords even when this GP is enabled. Note: the machine has to be online for the exception groups to work. (Ref: 62705)

-  Added Gnome 3 GPs for Linux platforms. (Ref: 50777)

Please refer to the Group Policy Guide for details.

· Smart Card support is added on Red Hat Enterprise Linux 7 (Ref: 65104, 74574)

Configuration Parameters

· centrifydc.conf has been updated:

-  New parameters:

-  adclient.cache.upn.index: This parameter specifies whether the cache creates indexes on UPN names. This is useful when the UPN of one user equals the SAM@DomainName of another user and both user objects are stored in the cache. The default value is false. (Ref: 55469)

-  adclient.get.primarygroup.membership: This parameter specifies whether adclient adds a zone user as a member of the user's primary group. The default is false. (Ref: 69928)

-  adclient.krb5.conf.file.custom: This parameter enables merging of custom krb5.conf entries into the existing krb5.conf. By default, this parameter is not enabled, and the default value is an empty string. (Ref: 51038)

-  adclient.krb5.principal: This parameter specifies the name form to be used as the principal in the Kerberos Ticket. The acceptable values are "upn" and "sam". The default value is "upn". Note: (1) If "upn" is specified, and in case the UPN is not available, the SAM@DomainName will be used. (2) For MIT Kerberos users, the UPN will still be used even if "sam" is specified. (3) If "sam" is specified, the configuration parameter adclient.cache.upn.index must be set to true, to resolve ambiguity in the adclient cache. (Ref: 69484)

-  adclient.preferred.login.domains: When duplicate sAMAccountNames exist across multiple domains in a forest, the ambiguity in resolving these names is removed by configuring this parameter to force adclient to log in using the specified domain names. Note: if this parameter is set and adclient caching is enabled, the configuration parameter adclient.cache.upn.index must be set to true to resolve the ambiguity in the adclient cache. (Ref: 60464)

-  adclient.preferred.site: Adclient uses CLDAP NETLOGON requests to discover its site as configured in Active Directory Sites and Services. Active Directory servers in the same site are preferred since they are likely the closest. This keyword enables customers to override the site returned from AD. The default value (empty) instructs adclient to continue discovering sites using CLDAP. There are two types of overrides: (1) Universal site override - where an Active Directory domain is not included in the keyword, e.g. adclient.preferred.site: my-site, (2) Domain specific site overrides - where an Active Directory domain is included in the keyword, e.g. adclient.preferred.site.acme.com: my-acme-site. Note: Domain specific site overrides take precedence over universal site overrides. With the two types of overrides it is possible to override sites for all domains, specific domains, or a combination of the two. (Ref: 65369)

-  dz.auto.anchors: This parameter specifies whether a $ anchor is appended automatically to regular-expression DirectAuthorize command patterns, so that a loosely written pattern does not match the wrong path or command. The default is true. If set to false, the administrator should be aware of every command that each regex can match. (Ref: 66057, 67676)

-  gp.use.user.credential.for.user.policy: This parameter specifies whether the user's credential or the machine credential is used to retrieve user group policy. When set to false, the Group Policy processor continues to use the machine credential to retrieve user GP; when set to true, it uses the user's credential. The default is false. (Ref: 29077)

-  krb5.sso.block.local_user: This parameter tells the Kerberos library to block a local user from single sign-on via .k5login. The default is false. If set to true, the UPN is checked against the nss.user.ignore list; if it is in the list, the user is treated as a local user and SSO is not allowed, so the local user's password must be entered to log in. (Ref: 71292)

-  nss.passwd.info.hide: This parameter allows you to control the masking of sensitive password attributes (Maximum Password Age, Password Expiration Date, Minimum Password Age, Change Password Needed, and Password Last Changed On) of a user from non-root users. When set to false, the non-root users can also view the password attributes of other users. The default is always true, except for HPUX systems, where these attributes are not protected. (Ref: 60578)

-  pam.homedir.perms.recursive: The default is false. By default, PAM creates the user's home directory and copies everything in the skeleton directory, including permissions, to the new directory. If this parameter is set to true, PAM still copies everything from the skeleton directory but applies the permissions of pam.homedir.perms recursively. (Ref: 56091)
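The dependencies between the new parameters above are easy to get wrong, so here is an added example (not Centrify's code; the agent's parser and command matcher are not public) that checks a centrifydc.conf fragment for the documented constraints, resolves adclient.preferred.site overrides, and shows the effect of dz.auto.anchors on a regex command pattern. The sample configuration is constructed, and Python re semantics for command matching are an assumption.

```python
"""Checks for the centrifydc.conf parameters introduced in DirectControl 5.2.2.

Added example, not Centrify's code: the agent's parser and command matcher
are not public. It reproduces the documented dependencies (upn.index versus
krb5.principal and preferred.login.domains), the precedence of
adclient.preferred.site overrides, and the effect of dz.auto.anchors on a
regular-expression command pattern (Python re semantics are assumed).
"""
import re

# Constructed sample fragment in centrifydc.conf "key: value" syntax.
SAMPLE_CONF = """\
# duplicate sAMAccountNames exist across child.example.com and example.com
adclient.preferred.login.domains: child.example.com example.com
adclient.krb5.principal: sam
adclient.cache.upn.index: false
adclient.preferred.site: my-site
adclient.preferred.site.acme.com: my-acme-site
dz.auto.anchors: false
"""


def parse_conf(text):
    """Return {key: value} for 'key: value' lines; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def is_true(conf, key, default="false"):
    return conf.get(key, default).strip().lower() == "true"


def check_conf(conf):
    """Return findings for the documented parameter dependencies."""
    findings = []
    upn_index = is_true(conf, "adclient.cache.upn.index")
    # krb5.principal "sam" requires the UPN index (note (3) above).
    if conf.get("adclient.krb5.principal", "upn").lower() == "sam" and not upn_index:
        findings.append("adclient.krb5.principal is 'sam' but "
                        "adclient.cache.upn.index is not true")
    # preferred.login.domains with caching enabled requires the UPN index;
    # caching is assumed enabled here (the cache settings are not read).
    if conf.get("adclient.preferred.login.domains") and not upn_index:
        findings.append("adclient.preferred.login.domains is set but "
                        "adclient.cache.upn.index is not true")
    if not is_true(conf, "dz.auto.anchors", "true"):
        findings.append("dz.auto.anchors is false: review every regex "
                        "command pattern for unintended matches")
    return findings


def preferred_site(conf, domain):
    """Site override for a domain: domain-specific beats universal.

    An empty result means adclient keeps discovering the site via CLDAP.
    """
    specific = conf.get("adclient.preferred.site." + domain.lower(), "")
    return specific or conf.get("adclient.preferred.site", "")


def dz_command_matches(pattern, command, auto_anchors=True):
    """Match a regex-formed DirectAuthorize command pattern against a command.

    With dz.auto.anchors on, '$' is appended unless the pattern already ends
    with one, so the pattern has to cover the whole command line.
    """
    if auto_anchors and not pattern.endswith("$"):
        pattern += "$"
    return re.match(pattern, command) is not None


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for finding in check_conf(conf):
        print("finding:", finding)
    print("site for acme.com:", preferred_site(conf, "acme.com"))
    print("site for example.com:", preferred_site(conf, "example.com"))
    # A right for /usr/bin/ls is not meant to grant /usr/bin/lsattr.
    for anchors in (False, True):
        print("dz.auto.anchors", anchors, "->",
              dz_command_matches("/usr/bin/ls", "/usr/bin/lsattr", anchors))
```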

Please refer to the Configuration Parameters Reference Guide for details.

Note: In centrifydc.conf, configuration parameters that are not available in Express mode are now marked as such. (Ref: 70413)

DirectManage Access Manager

· Delegate zone control

-  Access Manager now allows users to select multiple computers for zone control delegation. This feature works if all the computers selected have the same operating system.

-  One new task, namely Create Computer Role, is added into zone control delegation tasks for hierarchical or SFU zone. This task is to delegate the administrative permission to add computer roles in a specified zone. (Ref: 60601)

· Generate Centrify Recommended Deployment Structure

-  Access Manager now has a new wizard, "Generate Centrify Recommended Deployment Structure", to help users to generate a deployment structure that follows Centrify recommended best practice. Users can use "Use current script for deployment" for default structure, or use "Export script for customize deployment" and "Use custom script for deployment" for customization. (Ref: 62473)

· "All Active Directory Accounts" and "All Local Windows Accounts" can now be assigned to roles with the Rescue right, e.g. the built-in "Rescue - always permit login" role. (Ref: 74049)

· Dzdo support for RunAs User in an AD group

-  Privileged Command right runas user list now supports group name "%groupname" and GID "%#GID". (Ref: 73484)

· ADUC Extension

-  Administrative notification handler for ADUC snap-in now also removes associated Centrify data and machine-level role assignments upon AD computer object removal. (Ref: 62216)

· Group Policy Management Editor Extension

-  GPOE Extension is now available as a standalone installable package. (Ref: 63451)

Zone Provisioning Agent

· A new ZPA option, "Ignore disabled user accounts", is added to the hierarchical zone's Provisioning tab (in the Advanced dialog). With this option checked, ZPA does not provision disabled user accounts into the zone. (Ref: 62533)

· Zone Provisioning Agent now supports one more option, "Generate from group SID", for the user's primary group. (Ref: 57105)

· Root level hierarchical zones now support provisioning users and groups from another source zone. (Ref: 61701)

· A new feature has been added to avoid duplicated UNIX names when provisioning with truncated names: an option appends an auto-incrementing number at the end when a duplicate UNIX user/group name is encountered during provisioning. This option is disabled by default. To enable it, go to Zone Properties page -> Provisioning Tab -> Login name -> Advanced UNIX Name Settings dialog, and enable the Avoid Duplicated Names option. (Ref: 62142)

adedit

· Enhancement of adedit commands/functions

-  Added a function, get_user_role_assignments(), in ade_lib.tcl to collect role assignments in the current zone for a given user. The output list contains the role assignments of a given user either assigned directly, or from AD group membership, or from computer roles in the current zone. (Ref: 36858)

-  Added the support to the function, set_zone_user_field, to unset a field using "-" in SFU zone. (Ref: 38895)

-  Added a new option [-f <forest>] to the command, get_objects, to specify the forest in which an object is searched. (Ref: 45053)

-  Added a new option [-automount <map>] to the command, new_nis_map, to support creating an automount map with the specified name. (Ref: 64408)

-  Added a new option [-stype <service principal name>] to the command, precreate_computer, to add a service principal name to the pre-created computer object.  This option can be repeated in the command for each service type. (Ref: 58732)

Centrify OpenSSH

· Centrify OpenSSH with Service Management Facility control

-  Starting with this version, Centrify OpenSSH is installed and managed by SMF (Service Management Facility) on Solaris machines where SMF is enabled and running. Users can therefore view, configure or control the Centrify sshd service with the SMF tools, such as svcs and svccfg. (Ref: 65499)

· Merge of parameters when stock sshd is upgraded to Centrify sshd

-  Customers can list the parameters to be merged in the file /var/centrify/SSHD_MERGE_SPEC; the CDC-openssh post-install script then merges the specified parameters from the old sshd_config into the new sshd_config. (Ref: 66173)
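As an added illustration of the merge described above (not Centrify's post-install script), the following assumes /var/centrify/SSHD_MERGE_SPEC lists one sshd_config keyword per line and shows that a hardening setting such as PermitRootLogin survives the upgrade only if it is listed; the sample files are constructed.

```python
"""Illustration of merging listed keywords from an old sshd_config into a new one.

Added example, not Centrify's post-install script. Assumptions: the merge
spec lists one sshd_config keyword per line, keywords are case-insensitive
(as in sshd), and for each listed keyword the old file's line replaces the
new file's line or is appended if the new file does not set it. Match blocks
are not handled.
"""

# Constructed sample files.
OLD_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
Banner /etc/issue.net
"""
NEW_SSHD_CONFIG = """\
# Centrify sshd defaults
Port 22
PermitRootLogin yes
GSSAPIAuthentication yes
"""
# PermitRootLogin and PasswordAuthentication are carried over; Port and Banner are not.
MERGE_SPEC = """\
PermitRootLogin
PasswordAuthentication
"""


def sshd_keyword(line):
    """Lowercase keyword of a config line, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return stripped.split(None, 1)[0].lower()


def merge_sshd_config(old_text, new_text, spec_text):
    """Return new_text with the keywords listed in spec_text taken from old_text."""
    wanted = {k.strip().lower() for k in spec_text.splitlines() if k.strip()}
    old_lines = {}
    for line in old_text.splitlines():
        kw = sshd_keyword(line)
        if kw in wanted:
            old_lines[kw] = line.rstrip()
    merged, seen = [], set()
    for line in new_text.splitlines():
        kw = sshd_keyword(line)
        if kw in old_lines:
            merged.append(old_lines[kw])  # old value wins for listed keywords
            seen.add(kw)
        else:
            merged.append(line.rstrip())
    for kw in sorted(old_lines):          # listed keywords the new file lacks
        if kw not in seen:
            merged.append(old_lines[kw])
    return "\n".join(merged) + "\n"


def settings(text):
    """{keyword: value} view of a config, for inspection and checks."""
    out = {}
    for line in text.splitlines():
        kw = sshd_keyword(line)
        if kw:
            parts = line.strip().split(None, 1)
            out[kw] = parts[1] if len(parts) > 1 else ""
    return out


if __name__ == "__main__":
    print(merge_sshd_config(OLD_SSHD_CONFIG, NEW_SSHD_CONFIG, MERGE_SPEC))
```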

· Alternate SPN for SSO login to a host using ssh

-  A new option, 'ServicePrincipalName', is added to the ssh option list (ssh -o) and to ssh_config to specify the GSS SPN used for GSS authentication. The name must be in GSS name format; a malformed name fails the connection immediately. (Ref: 67603)

· Selection of preferred startup service for Centrify sshd

-  Before installing or upgrading Centrify OpenSSH on RHEL 6 or a similar system such as CentOS 6, the administrator may select the preferred startup service for Centrify sshd from upstart, sysvinit or systemd. This is done by creating a file in /etc/centrifydc named "CENTRIFY_SSH_UPSTART" for upstart, "CENTRIFY_SSH_SYSVINIT" for sysvinit or "CENTRIFY_SSH_SYSTEMD" for systemd. If no file is created, or the selected service is not available on the system, then: if this is an upgrade or another OpenSSH is running, the current startup service is used; if no OpenSSH was installed before Centrify OpenSSH, the first available startup service is used, in the order upstart, systemd, sysvinit. (Ref: 66497)

Supported Platforms

· Support has been added for the following operating systems (Ref: 72653, 73601, 73602):

-  CentOS 5.11, 6.6 (x86, x86_64)

-  Debian Linux 7.7 (x86, x86_64)

-  Fedora 21 (x86, x86_64)

-  Linux Mint 17.1 (x86, x86_64)

-  OpenSUSE 13.1, 13.2 (x86, x86_64)

-  Oracle Linux 5.11, 6.6 (x86, x86_64)

-  Oracle Linux 7.0 (x86_64)

-  Oracle Solaris 11.2 (x86_64, Sparc 64-bit)

-  Red Hat Enterprise Linux Server 5.11, 6.6 (x86, x86_64)

-  Red Hat Enterprise Linux Desktop 5.11, 6.6 (x86, x86_64)

-  Red Hat Enterprise Linux Server 5.10, 5.11, 7.0 (ppc64)

-  Red Hat Enterprise Linux Server 5.10, 5.11 (IA64)

-  Scientific Linux 5.11, 6.6 (x86, x86_64)

-  Scientific Linux 7.0 (x86_64)

-  Ubuntu Desktop 14.10 (x86, x86_64)

-  Ubuntu Server 14.10 (x86, x86_64)

-  SUSE Enterprise Linux 12 (x86_64)

· Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 73750):

-  Fedora 19 (32-bit and 64-bit)

-  Oracle Enterprise Linux 4.x (32-bit and 64-bit)

-  OpenSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

-  HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

-  HP-UX 11.23 Itanium (Normal and Trusted modes)

-  Oracle Solaris 8 SPARC

· This is the last release for the support of the following operating systems (Ref: 56644, 61795, 64457, 68948):

-  AIX 5.3 (32-bit and 64-bit)

-  Linux Mint 15, 16 (32-bit and 64-bit)

-  Ubuntu Desktop 10.04 LTS (32-bit and 64-bit) - Estimated vendor EOL: 2015-04-30

-  Ubuntu Server 10.04 LTS (32-bit and 64-bit) - Estimated vendor EOL: 2015-04-30

-  Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

-  Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

-  Windows 2003, Windows 2003R2 – Estimated vendor EOL: 2015-07-14

· Support is removed for the following operating systems (Ref: 56643, 59441, 61010, 66423, 69921):

-  CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-  Citrix/XenSource XenServer 4, 4.1, 5, 5.5, 5.6 (32-bit)

-  Debian Linux 5 (32-bit and 64-bit x86)

-  Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

-  Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

-  Linux Mint 12, 14 (32-bit and 64-bit x86)

-  Mac OS X 10.7 (Mac 10.10 one-off is the last supported release)

-  Mandriva Linux One 2008, 2009, 2009.1, 2010, 2010.1, 2010.2, 2011 (32-bit and 64-bit x86)

-  Mandriva Enterprise Server 5, 5.2 (32-bit and 64-bit x86)

-  OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

-  Red Hat Enterprise Linux 3 (32-bit and 64-bit x86, PPC)

-  Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-  SUSE Enterprise Linux 8.0 (32-bit x86)

-  SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86, PPC, Itanium server)

-  Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

-  VMware ESX 3.5 (32-bit)

-  VMware ESX 4.0, 4.1 (64-bit)

-  Windows XP

· Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.

2.2. New Features in DirectControl 5.2.1

· This is a maintenance update for DirectControl agents with no new features.

2.3. New Features in DirectControl 5.2.0

DirectControl Agent

General

· Windows 2012 KDC SID Compression (Ref: 60868)

- KDC SID compression is now supported for domain controllers running Windows 2012 and higher.

· Limited Express (Ref: 64987, 65872)

- Users are now alerted during installation or upgrade that the Express version is limited in features and in the number of agents. Some inconsistent wording related to the Express version has also been cleaned up. Refer to the EULA for details.

- Note: This is a behavioral change that may affect your customized installation logic because the prompts and related informational messages for Express mode in the install script are changed. E.g. "Express authentication mode" is now called "Express mode".

Smart Card

· Allow certificates without an Extended Key Usage (EKU) (Ref: 58322)

- Smart card login is now allowed even when the card's certificate has no EKU attribute. A new centrifydc.conf parameter, "smartcard.allow.noeku", and the corresponding Windows group policy "Allow certificates with no extended key usage certificate attribute" implement this. A new option "-E" is also added to the sctool utility to support the group policy; it must be used with the "-a" or "-k" option and allows the smart card to perform PKINIT even though the certificate has no EKU.

· Centrify now supports smart card authentication on CentOS 5.x and 6.x. (Ref: 64284)

DirectControl Agent Commands

· CLI is updated (Ref: 62616, 63949):

-   adquery

- New --guid (-B): This is an optional parameter to display the GUID of the user.

- Modified --all (-A): This option will now display the GUID of the user as well.

-   dzinfo

- The output of this command now includes the Audit Level, even for a user in a classic zone.

Configuration Parameters

· centrifydc.conf has been updated:

-   New parameters:

- smartcard.allow.noeku: This parameter allows you to do SmartCard logon using certificates without an Extended Key Usage (EKU) set (Ref: 58322). The default is false, which means only certificates that have "Smartcard Login" as an extended key usage attribute can be used to log in with a smart card. If you enable this policy setting, certificates with the following attributes can also be used to log on with a smart card:

- Certificates with no EKU

- Certificates with an All Purpose EKU

- Certificates with a Client Authentication EKU

- nss.user.ignore.all: In a Centrify environment, a user can be identified by different names: a UNIX name, a distinguished name (LDAP name), a sAMAccountName and a display name. This parameter specifies whether the names listed in nss.user.ignore apply to UNIX user names only or to all of these name forms. The default is false, meaning UNIX user names only. If set to true, user names listed in nss.user.ignore are not searched in AD at all, so the listed user names can only be accessed as local users. This saves CPU cycles by avoiding unnecessary AD access. (Ref: 64054, 64398)

Please refer to the Configuration Parameters Reference Guide for details.

DirectManage Access Manager

 

·  JScript support in SDK is now discontinued starting from this release. (Ref: 67601, 55282)

 

Deployment Report

 

·  Deployment Report enhancement (Ref: 60216, 60217, 62412)

- Under the Deployment Summary, a more detailed comparison of DirectControl/DirectAuthorize agent types has been added. It lists the number of agents deployed in zones, in Auto Zone, in Null Zone (if available) and as Express agents. If zLinux systems are deployed, the number of zLinux systems of each type is also reported. The number of zones created in the forest is reported, followed by a detailed breakdown of the number of agents deployed in each zone. Note that Auto Zone and Null Zone are not created by the user and are therefore not included in the zone count.

 

 

Supported Platforms

 

·        Support has been added for the following operating systems (Ref: 60522, 62251, 65973, 68311):

- CentOS Linux 7 (64-bit)

- Citrix XenServer 6.1, 6.2 (32-bit) – added after the Suite 2014.1 GA

- Debian Linux 7.5, 7.6 (32-bit and 64-bit)

- Linux Mint 17 (32-bit and 64-bit)

- Linux Mint Debian Edition 201403 (32-bit and 64-bit)

- Mac OS X 10.10 – added after the Suite 2014.1 GA

- Red Hat Enterprise Linux 7 (64-bit)

- Ubuntu Desktop 14.04 LTS (32-bit and 64-bit)

- Ubuntu Server 14.04 LTS (32-bit and 64-bit)

 

·        Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 56208, 56644, 61795, 68948):

- AIX 5.3 (32-bit and 64-bit)

- Linux Mint 15, 16 (32-bit and 64-bit)

- Mac OS X 10.7

- Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

- Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

 

·        This is the last release for the support of the following operating systems (Ref: 56643, 61009):

- CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

- Citrix/XenSource XenServer 4, 4.1, 5, 5.5, 5.6 (32-bit)

- Debian Linux 5 (32-bit and 64-bit x86)

- Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

- Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

- Linux Mint 12, 14 (32-bit and 64-bit x86)

- Mandriva Linux One 2008, 2009, 2009.1, 2010, 2010.1, 2010.2, 2011 (32-bit and 64-bit x86)

- Mandriva Enterprise Server 5, 5.2 (32-bit and 64-bit x86)

- OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

- Red Hat Enterprise Linux 3 (32-bit and 64-bit x86, PPC)

- Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

- SUSE Enterprise Linux 8.0 (32-bit x86)

- SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86, PPC, Itanium server)

- Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

- VMware ESX 3.5 (32-bit)

- VMware ESX 4.0, 4.1 (64-bit)

- Windows XP

 

·        Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.

 

2.4.          New Features in DirectControl 5.1.3

DirectControl Agent

 

General

 

·        Apple UID/GID/Primary GID scheme support (Ref: 28065)

- We now support the generation of UIDs, GIDs and primary GIDs in Auto Zone or in hierarchical zones using the Apple scheme (Apple Open Directory), which makes it easier to migrate workstations from the Apple AD plugin. To achieve this, the following components have been enhanced: Access Manager, Access Module for PowerShell, Windows SDK, ADEdit, ZPA, group policies, configuration parameters, and a new helper script. If you plan to use the Apple scheme in Centrify Server Suite, read about each component below:

- Access Manager – In the hierarchical zone User Defaults and Group Defaults properties pages, a new option has been added to generate UIDs/GIDs using Apple's scheme. You can also use the Apple or SID-based auto-generation scheme to define UIDs and GIDs when adding Active Directory users or groups to hierarchical zones. (Ref: 50220, 57574)

- ADEdit – Two functions have been added for Apple scheme support: "-guid_to_id", which takes a GUID and returns the UID/GID using the Apple scheme, and "-principal_to_id -apple <UPN>", which takes a principal name and returns the UID/GID using the Apple scheme. (Note: if the -apple option is not used, -principal_to_id returns the UID/GID using the Centrify scheme.) (Ref: 49808)

- ZPA - A new configuration option "Apple scheme" has been added to generate UIDs/PGIDs/GIDs for hierarchical zones using the Apple scheme in both the ZPA MMC console and the ZPA CLI utility. (Ref: 49544).

- Group Policies – Two new group policies have been added. "Computer Configuration" -> "Centrify Settings" -> "DirectControl Settings" -> "Adclient Settings" -> "Generate new uid/gid using Apple scheme in Auto Zone" sets the configuration parameter "auto.schema.apple_scheme", and "Set user’s primary gid" sets the configuration parameter "auto.schema.primary.gid" in centrifydc.conf.

- Configuration parameters – Set "auto.schema.apple_scheme" to true if you want to use the Apple scheme (the default is false). If you also want to use the Apple scheme for the primary GID, set "auto.schema.primary.gid" to -1 as well.

- A new helper script – The script fixhome.pl has been added to fix the potential mismatch between a user's new UID and the ownership of that user's home directory. When a user is given a new UID/GID, for example by switching to the Apple scheme, the ownership of the home folder does not change automatically. This helper script changes the ownership of the home folder and its contents.

- Note: For a shared folder (remote file system) inside the home directory, fixhome.pl may not have permission to change the UID/GID of the folder, and the user may need to remount it. This works for SMB shares; for AFP/NFS mounts, the UIDs/GIDs of files must be changed on the server side. (Ref: 52932, 56039)

- Note: The fixhome.pl script cannot fix the same home folder twice. The "-u" and "-f" options may not work when a home folder already has the correct ownership: when the script detects a home folder with the correct ownership, it skips that folder without traversing the files under it. To make the script run again, change the home folder's ownership back to the original owner so that the script will fix the files and symlinks under it. (Ref: 59014)

- Note: Primary Group ID and the Apple scheme on non-Mac platforms – If a non-Mac customer using Auto Zone activates the Apple scheme while "auto.schema.private.group" is set to false (the default is true) and "auto.schema.primary.gid" is unset (commented out) in centrifydc.conf, the user's primary GID will be generated using the Apple scheme, which is the same behavior as the other UID schemes on non-Mac platforms. (Ref: 57303)
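The following shell functions are an added example, not Centrify's fixhome.pl, of the ownership fix-up that script performs after a UID/GID change. They deliberately differ from the behaviour described above: entries are selected by their current owner rather than by the top-level folder's ownership, so the functions can be run more than once, and they stay on the home directory's own filesystem because files on NFS/AFP mounts must be re-owned on the server. The function names and the argument order are this example's own.

```shell
#!/bin/sh
# Illustrative home-directory ownership remap after a UID/GID change (added
# example; not Centrify's fixhome.pl). Entries are selected by their current
# owner, not by the top-level folder's ownership, so the remap is safe to
# repeat and picks up anything an earlier pass missed. -xdev keeps find on
# the home directory's filesystem: files on NFS/AFP/SMB mounts below it are
# left alone and have to be re-owned on the server.
#
#   fixhome_plan  HOME OLD_UID [OLD_GID]                 list what would change
#   fixhome_remap HOME OLD_UID NEW_UID [OLD_GID NEW_GID] apply it (run as root)

# List every entry under HOME, on the same filesystem, still owned by OLD_UID
# or (if given) OLD_GID. find uses lstat, so a symlink is matched by the
# ownership of the link itself, not of its target.
fixhome_plan() {
    home=$1; old_uid=$2; old_gid=${3:-}
    if [ -n "$old_gid" ]; then
        find "$home" -xdev \( -user "$old_uid" -o -group "$old_gid" \) -print
    else
        find "$home" -xdev -user "$old_uid" -print
    fi
}

# Re-own those entries. chown/chgrp -h change the symlink itself rather than
# following it, which matters for links that point outside the home directory.
fixhome_remap() {
    home=$1; old_uid=$2; new_uid=$3; old_gid=${4:-}; new_gid=${5:-}
    find "$home" -xdev -user "$old_uid" -exec chown -h "$new_uid" {} +
    if [ -n "$old_gid" ]; then
        find "$home" -xdev -group "$old_gid" -exec chgrp -h "$new_gid" {} +
    fi
}
```

Run fixhome_plan first with the old numeric IDs (for example the values adquery reported before the scheme change) and review the list; fixhome_remap then needs root. Anything under a remote mount will not appear in the plan and must be handled on the file server.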

 

·        Audit Trail Integration with DirectAudit (Ref: 54220)

- The Audit Trail feature has been enhanced to include a number of different UNIX audit events. These audit events are enforced with audit role based access control. The DirectAudit UI now allows querying of both Windows and UNIX audit events. Audit reports also cover both Windows and UNIX computers.

- A new group policy has been added to allow global control of whether audit trail events from Centrify UNIX Agent for Access should be generated and whether they should be sent to syslog or to DirectAudit: "Centrify Settings" -> "Audit Trail Settings" -> "Set global audit trail targets" (Ref: 44098)

- A couple of new configuration parameters have been added to support this feature, e.g. audittrail.Centrify_Suite.Trusted_Path.machinecred.skipda (Ref: 56027), audittrail.targets (Ref: 55094, 54967, 54220, 44099). For details, please refer to Configuration Parameters section below.

- A new command-line utility, adsendaudittrailevent, has been introduced. It can be used in dzcheck to send audit events with extra customer-defined information such as trouble tickets. (Ref: 56335, 53328)

- Centrify OpenSSH audit trail events have also been integrated with DirectAudit. However, the integration is only available starting from Centrify DirectControl version 5.1.3. (Ref: 56763)

- Note:  

1. When this version of OpenSSH is used with an older version of Centrify DirectControl, special characters such as '\', '=' or '|' in an event are not escaped, so the final audited syslog message may be malformed CEF.

2. When an older version of OpenSSH is used with this version of Centrify DirectControl (5.1.3) and an event contains special characters such as '\', '=' or '|', these characters may be escaped twice in the final audited syslog message. (Ref: 57769)

 

·        New Group Policy support

- Some group policies have been added to support dzdo related configuration parameters. (Ref: 52001)

- A few new group policies are added for better printer support (mainly for Mac environment). (Ref: 56165, 55788, 28868)

- New group policies have been added to configure Centrify UNIX Agent for Audit. These policies include DirectAudit shell, DirectAudit Daemon and some other settings related to the DirectAudit UNIX agent. (Ref: 08146)

Please refer to the Group Policy Guide and the user documentation for individual products for details.

 

·        Fedora 20 support (Ref: 50148, 57265)

- Because Fedora 20 uses the system journal (systemd-journald) as its default logging solution, centrifydc.log no longer exists on these computers. Instead, systemd-journald stores the log data in /var/log/journal/ if that directory exists; otherwise it stores it in /run/log/journal/ (note: /run/ is volatile, so that log data is lost at reboot). Fedora 20 provides the journalctl tool to query the systemd journal.

- To support the new system journal behavior, new command options (--begin, --end, --lastnhrs) have been added to adinfo. Note: addebug is also updated to support system journal. Please refer to command usage for more information.

- Note: GNOME 3.x GPs are not supported yet in this release (Ref: 50777).

 

·        New Windows Installer (Ref: 55877)

- In this release we have adopted the latest Windows Installer technologies and deprecated the previous approach for doing unattended installation. Answer files (*.iss) and their master folder (../iss) have been removed from the suite. For details about how to use Windows Installer and how to perform unattended installation, please refer to: http://technet.microsoft.com/en-us/library/cc759262%28v=ws.10%29.aspx

- With this new installer, we have also rearranged the locations of some of the component ‘exe’ and ‘msi’ files. For example, instead of all files being in the same directory, individual component files may reside in their own sub-folders.

 

 

Configuration Parameters

·        centrifydc.conf has been updated:

 

-   New parameters:

- adclient.autoedit.user.root: This parameter specifies whether root login is controlled by the Centrify authentication mechanism. If it is set to true, the root stanza ‘SYSTEM = “compat”’ in /etc/security/user (AIX) is commented out and root login has to go through the Centrify mechanism. The default is false.

- Note: this is a behavior change. By default, root login no longer goes through the Centrify mechanism. This applies to upgrades as well: after upgrading, root login bypasses the Centrify mechanism unless this parameter is set to true. (Ref: 56235)

- audittrail.targets: This parameter specifies the destination of audit trail events. ‘1’ means DirectAudit and ‘2’ means syslog; the values are added, so ‘3’ sends events to both. Specifying ‘0’ disables the audit trail. The default is ‘3’ (syslog and DirectAudit) if DirectAudit 3.2 or later is installed; otherwise the default is ‘2’ (syslog). (Ref: 54220, 54967)

- audittrail.Centrify_Suite.Trusted_Path.machinecred.skipda: This parameter specifies whether trusted path audit trail events generated when machine credentials are used are sent to DirectAudit. The default is true, which means the events are NOT sent to DirectAudit. (Ref: 56027)

- auto.schema.apple_scheme: This parameter allows Auto Zone installations to use the Apple style (scheme) of UIDs and GIDs. If you switch UIDs to the Apple scheme, you need to flush the cache and restart adclient to update all the UIDs, GIDs and possibly users' primary GIDs, and then run the fixhome.pl script to fix the ownership of the users' home directories. The default is false. Note: when this parameter is set to true, the auto.schema.rids, auto.schema.first.uid and auto.schema.first.gid settings are ignored. If a user's primary group is not allowed in Auto Zone, the user cannot log in, because the primary GID is null. This parameter can also be controlled by the group policy "DirectControl Settings" -> "Adclient Settings" -> "Generate new uid/gid using Apple scheme in Auto Zone". (Ref: 28065, 58104, 59185)

- dzdo.command_alias: This parameter specifies the file that maps aliases to commands. If the file is found, dzdo uses it to resolve command aliases. The default value is /etc/centrifydc/dzdo.commandalias.map. (Ref: 53344)

- dzdo.validator: This parameter specifies the full path of a validator script that dzdo executes. The script receives the AD user name (in user@domain format), the command and the "run as" user in the environment variables DZDO_USER, DZDO_COMMAND and DZDO_RUNASUSER respectively. The validator returns 0 for success and non-zero for failure: 0 tells dzdo to go ahead and run the command; non-zero makes dzdo exit without running it. (Note that dzdo prints no message in that case; reporting the reason is the validator's responsibility.) The default path is "/usr/share/centrifydc/sbin/dzcheck". (Ref: 53252)

- dzdo.validator.required: This parameter specifies whether dzdo must run the validator script. The default is false. Note: dzdo skips the validator script if it is not available, is not owned by root, or is group/world writable. By default dzdo still runs the command when the validator script is skipped; when this parameter is set to true, dzdo will not run the command if the validator script is skipped. (Ref: 53252)

- pam.auth.create.krb5.cache: This parameter controls whether PAM creates a user Kerberos credential cache. Set it to true to create the cache and false not to. The default is true. Note that when it is set to false no user Kerberos credential cache is created and any attempt at an SSO operation is expected to fail. The cache can be file based or KCM in-memory, depending on the krb5.cache.type setting. This parameter can also be controlled by the group policy "DirectControl Settings" -> "Kerberos Settings" -> "Allow PAM to create user Kerberos credential cache". (Ref: 51654)

- pam.setcred.support.refresh: This parameter specifies whether we should support PAM_REFRESH_CRED flag, i.e. to renew an existing session, or not. The default is false. Note: By default, adclient only supports PAM_ESTABLISH_CRED flag, i.e. to establish a new session. (Ref: 39377)

- pam.setcred.support.reinitialize: This parameter specifies whether we should support PAM_REINITIALIZE_CRED flag, i.e. to update an existing session, or not. The default is false. Note: By default, adclient only supports PAM_ESTABLISH_CRED flag, i.e. to establish a new session.  (Ref: 39377)

- secedit.system.access.lockout.allowofflinelogin: This parameter specifies whether to allow user login when user account is locked out and the computer is in disconnected mode. The default is false. This parameter can also be controlled by the group policy "DirectControl Settings" -> "Login Settings" -> "Allow offline login when user account is locked out". (Ref: 54531)

 

-   Modified parameters:

- adclient.cache.expires: The default of this parameter is changed from 600s (10 minutes) to 3600s (1 hour), which means that the expiration time of a generic object in cache by default is up to 1 hour. Note: This is a default behavior change. If you want to keep the previous behavior, please explicitly set this parameter to 600 in centrifydc.conf. (Ref: 60177)

- adclient.cache.expires.gc: The default of this parameter is changed from 600s (10 minutes) to 3600s (1 hour), which means that the expiration time of global catalog cache by default is up to 1 hour. Note: This is a default behavior change. If you want to keep the previous behavior, please explicitly set this parameter to 600 in centrifydc.conf. (Ref: 60177)

- adclient.cache.expires.group: The default of this parameter is changed from 600s (10 minutes) to 3600s (1 hour), which means that the expiration time of a group object in cache by default is up to 1 hour. Note: This is a default behavior change. If you want to keep the previous behavior, please explicitly set this parameter to 600 in centrifydc.conf. (Ref: 60177)

- adclient.cache.expires.group.membership: The default of this parameter is changed from 600s (10 minutes) to 3600s (1 hour), which means that the expiration time of group membership information in cache by default is up to 1 hour. Note: This is a default behavior change. If you want to keep the previous behavior, please explicitly set this parameter to 600 in centrifydc.conf. (Ref: 60177)

- adclient.cache.expires.user: The default of this parameter is changed from 600s (10 minutes) to 3600s (1 hour), which means that the expiration time of a user object in cache by default is up to 1 hour. Note: This is a default behavior change. If you want to keep the previous behavior, please explicitly set this parameter to 600 in centrifydc.conf. (Ref: 60177)

- adclient.cache.expires.user.membership: The default of this parameter is changed from 600s (10 minutes) to 3600s (1 hour), which means that the expiration time of user membership information in cache by default is up to 1 hour. Note: This is a default behavior change. If you want to keep the previous behavior, please explicitly set this parameter to 600 in centrifydc.conf. (Ref: 60177)

- adclient.os.version.use.win7prefix: The default of this parameter is changed from 1 to 2, which means that adclient adds OS version prefix (6.1:) to the joined machine object, for both FIPS and non-FIPS mode. (Ref: 56187)

- adclient.refresh.interval.dz: Note: This parameter replaces the deprecated adclient.azman.refresh.interval. It specifies the amount of time in minutes that adclient caches access control information before refreshing the data from Active Directory. Access control information holds the authorization data used by dzdo, dzsh, pam and potentially third party applications. The default is 30 minutes. This parameter can also be controlled by the group policy "DirectControl Settings" -> "Network and Cache Settings" -> "Set refresh interval for access control cache". The upgrade script renames the old parameter. (Ref: 54296, 55635)

- auto.schema.homedir: This parameter allows Auto Zone installations to designate the home directory. Previously it supported only %{user}; in this release it also supports %{pgroup}. During login, %{user} is replaced with the user name and %{pgroup} with the primary group name. You must run adflush to flush the cache after changing this value. This parameter can also be controlled by the group policy "DirectControl Settings" -> "Adclient Settings" -> "Auto Zone home directory". (Ref: 49611)

- auto.schema.primary.gid: This parameter specifies the default primary group for all users in Auto Zone. This parameter is enhanced to support -1, which means using either Apple, RID, or the default scheme in that preference order. This parameter can also be controlled by the group policy "DirectControl Settings" -> "Adclient Settings" -> "Set user's primary gid in Auto Zone". Note: this group policy does not allow empty value. (Ref: 28065, 59185)

 

Please refer to the Configuration Parameters Reference Guide for details.

 

DirectManage Access Manager

 

·        Centrify PuTTY

- This release of Centrify PuTTY incorporates open source PuTTY version 0.63 (Ref: 52400). PuTTY 0.63 contains the following security fixes:

1) Several bugs that a malicious SSH server or a network attacker could trigger to crash PuTTY have been fixed.

2) PuTTY no longer unintentionally retains the private half of users' keys in memory after use.

- This new Centrify PuTTY is now also in the Deployment Manager package (Ref: 53652).

-   A new group policy has been added to support the new UI: Computer Configuration > Policies > Centrify Settings > Centrify Putty Settings > Connection > SSH > Bugs > Chokes on PuTTY's SSH-2 'winadj' requests. (Ref: 55016)

 

·        New substitution variable

-   "%{pgroup}" is used as a new placeholder in the home directory of a user zone profile. It will be replaced with a primary group name during login. Both %{user} and %{pgroup} can now be used as placeholders. For example, for hierarchical zones, the user home directory can be set as "/home/%{pgroup}/%{user}" in the "Home directory" property of a user zone profile in DirectManage Access. (Ref: 49611)

 

·        Newly supported platforms for DirectManage Access Manager (Ref: 59174)

-   Windows 2012 R2

-   Windows 8.1

 

Zone Provisioning Agent

 

·  Two new tools, namely CopyGroup and CopyGroupNested, have been added to the Zone Provisioning Agent (ZPA) package. These tools can mirror group membership and hierarchy across trusted domains and forests (Ref: 29883, 53524). They can be found in the Tools folder of the ZPA installation directory.

 

adedit

 

·        addbload/adreport enhancement (Ref: 40884, 51983)

- This adedit-based report set is enhanced to provide better reporting and customization abilities using SQL database with user-accessible views. A new generation of adreport, adreport2.tcl, has been created for this purpose. Please refer to command usage for more information.

 

·        Provisioning support of DirectAuthorize objects for classic zone (Ref: 53143)

- adedit is enhanced to support provisioning of DirectAuthorize objects for classic zones. Please refer to the Centrify Server Suite documentation for more information.

 

Centrify OpenSSH

 

·        Centrify OpenSSH 5.1.3 (Ref: 56084, 47979)

-  Several SELinux patches are included in this version to better support SELinux environments. For example, they allow a user to log in with a specified SELinux role (and level) by running 'ssh host -l username/specifiedRole/specifiedLevel' on the client side.

- Integration of audit trail events with DirectAudit is also included in this version.

- Note: Centrify OpenSSH 5.1.3 only works with Centrify DirectControl 5.1.2 or later. However, some new features, such as the integration of Centrify OpenSSH audit trail events with DirectAudit, are only available when both Centrify OpenSSH and Centrify DirectControl are version 5.1.3. In a mixed environment, such as OpenSSH 5.1.2 with DirectControl 5.1.3, the integration will not work. In a regular upgrade scenario install.sh will lead you to upgrade both to version 5.1.3 so you will not have this situation. However, you may create a mixed environment when you use custom install or rpm install. (Ref: 56763)

 

Supported Platforms

 

·        Support has been added for the following operating systems (Ref: 54668, 57135, 58738, 59134):

-   Red Hat Enterprise Linux Server 5.10, 6.5 (32-bit and 64-bit)

-   Red Hat Enterprise Linux Desktop 5.10, 6.5 (32-bit and 64-bit)

-   Red Hat Enterprise Linux Server 5.10, 6.0 – 6.5 PPC (64-bit)

-   Red Hat Enterprise Linux Server 5.10 Itanium (64-bit)

- CentOS 5.10, 6.5 (32-bit and 64-bit)

-   Oracle Linux 6.5 (32-bit and 64-bit)

-   Scientific Linux 5.10, 6.5 (32-bit and 64-bit)

-   Fedora 20 (32-bit and 64-bit)

-   Debian Linux 7.2, 7.3, 7.4 (32-bit and 64-bit)

-   Linux Mint 16 (32-bit and 64-bit)

-   Ubuntu Desktop 13.10 (32-bit and 64-bit)

-   Ubuntu Server 13.10 (32-bit and 64-bit)

- Mac OS X 10.9

 

·        Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 56640, 59381):

- Red Hat Enterprise Linux 3 (32-bit and 64-bit x86, PPC)

- CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

- Citrix XenServer 4, 4.1, 5, 5.5, 5.6 (32-bit)

- Debian Linux 5, 6 (32-bit and 64-bit x86)

- Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

- Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

- Mandriva Linux One 2008, 2009, 2009.1, 2010, 2010.1, 2010.2, 2011 (32-bit and 64-bit x86)

- Mandriva Enterprise Server 5, 5.2 (32-bit and 64-bit x86)

- Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

- Linux Mint 12, 14 (32-bit and 64-bit x86)

- OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

- Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

- SUSE Enterprise Linux 8.0 (32-bit x86)

- SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86, PPC, Itanium server)

- VMware ESX 3.5 (32-bit)

- VMware ESX 4.0, 4.1 (64-bit)

 

·        Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.

 

2.5.          New Features in DirectControl 5.1.2

DirectControl Agent

 

General

 

·        In-memory Kerberos credential cache (Ref: 27272, 45252)

- Prior to this release, DirectControl could only support file-based Kerberos credential cache. Now we have provided a more secure option to store Kerberos tickets in memory.

- A new setting, krb5.cache.type, is added to centrifydc.conf with the corresponding GP to allow administrators to configure to use this in-memory Kerberos credential cache.

- Centrify OpenSSH and Centrify Samba are also enhanced to make use of this new in-memory Kerberos credential cache.

 

·        In this release we have provided the following enhancements surrounding ‘dzdo’ feature (Ref: 51605)

- The ‘dzcheck’ validator script can now determine which role is being used for the dzdo command.

-   An environment variable DZDO_ROLE is set for this purpose, and a sample file /usr/share/centrifydc/dzcheck.sample is provided as a reference.

-   Some important security changes have been made:

-   Since the dzcheck validator script is executed in the context of another user who may have more privileges, dzdo needs to ensure that dzcheck is trusted. We now require dzcheck to be owned by root and not group/world writable. If dzcheck does not meet this requirement, it will not be executed.

-   To prevent malicious users from modifying DirectControl configuration parameters and potentially compromising system integrity and security, the following files must be owned by root and must NOT be writable by group or world:

a. /etc/centrifydc/centrifydc.conf

b. /etc/centrifyda/centrifyda.conf

c. All files referred to by “file:<path>” in centrifydc.conf.

- The ‘dzdo –i’ command line option can be used to open a login shell other than the default login shell of the runas user. (Ref: 48298)

-   A new environment variable DZDO_LOGIN_SHELL has been added to specify the shell to run when “dzdo –i” is used.

- An administrator can specify a list of directories where ‘dzdo’ searches for commands and scripts, and a secure search path for use by ‘dzdo’ commands and scripts. (Ref: 48296)

-   Two new configuration parameters, ‘dzdo.search_path’ and ‘dzdo.secure_path’, have been added to support this feature.

-   If you use the secure_path option in the sudoers file, you can achieve the same security level by setting both dzdo.search_path and dzdo.secure_path to the same value as secure_path in sudoers.

-   A new “System search path” option in the “Match path” attribute has been added for this purpose in Access Manager when you define a command right.

-   You can also use adedit to set the path attribute of a command right to SYSTEMSEARCHPATH.

- If you use DirectAudit to audit the dzdo command and users run “dzdo –i”, you need to create a command right definition for the DirectAudit shell and grant it to the roles that invoke “dzdo –i”. If you are using DirectAudit 3.1.0 or earlier (Suite 2013.2 or earlier), use “/da/cdashmod” as the command for the DirectAudit shell. From DirectAudit 3.1.1 (Suite 2013.3) onwards, use “/bin/centrifyda” as the command for the DirectAudit shell. (Ref: 45346)
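As an added example that is not Centrify's dzcheck or dzcheck.sample, the following POSIX shell validator ties together the interface described here and under dzdo.validator in the 5.1.3 section: it reads DZDO_USER, DZDO_COMMAND, DZDO_RUNASUSER and DZDO_ROLE, refuses shell escapes, restricts running as root to named roles, and logs every verdict because dzdo prints nothing when a validator denies. The deny list and the role names are assumptions made for this example, as is the assumption that DZDO_COMMAND holds the program path followed by its arguments.

```shell
#!/bin/sh
# Illustrative dzdo validator (added example; not the dzcheck or dzcheck.sample
# shipped by Centrify). dzdo exports DZDO_USER (user@domain), DZDO_COMMAND,
# DZDO_RUNASUSER and, from DirectControl 5.1.2, DZDO_ROLE, then runs this
# script. Exit status 0 lets the command run; anything else makes dzdo exit
# without running it and without printing a reason, so the validator logs the
# verdict itself. Install it root-owned and not group/world writable, or dzdo
# skips it (and, with dzdo.validator.required true, refuses the command).

# Programs that must never be elevated through dzdo, whatever the role.
# Assumption: policy invented for this example, not a Centrify default.
DZCHECK_DENY_PROGRAMS="/bin/sh /bin/bash /bin/su /usr/bin/su"

# Roles permitted to run commands as root. Assumption: example role names.
DZCHECK_ROOT_ROLES="unix-admin emergency-root"

# Record the verdict in syslog (auth facility) or, failing that, on stderr.
dzcheck_log() {
    logger -t dzcheck -p auth.notice "$1" 2>/dev/null ||
        printf 'dzcheck: %s\n' "$1" >&2
}

# dzcheck_decide USER COMMAND RUNASUSER ROLE  ->  0 = allow, 1 = deny
# Assumption: COMMAND is the program path followed by its arguments.
dzcheck_decide() {
    user=$1; cmd=$2; runas=$3; role=$4

    # Fail closed if dzdo did not hand us a complete request.
    if [ -z "$user" ] || [ -z "$cmd" ] || [ -z "$runas" ]; then
        dzcheck_log "deny: incomplete DZDO_* environment"
        return 1
    fi

    # Match on the program path only, i.e. the first word of the command line.
    prog=${cmd%% *}
    for denied in $DZCHECK_DENY_PROGRAMS; do
        if [ "$prog" = "$denied" ]; then
            dzcheck_log "deny: $user asked for shell $prog as $runas"
            return 1
        fi
    done

    # Anything run as root needs one of the listed roles.
    if [ "$runas" = root ]; then
        for allowed in $DZCHECK_ROOT_ROLES; do
            if [ "$role" = "$allowed" ]; then
                dzcheck_log "allow: $user role=$role runas=$runas cmd=$cmd"
                return 0
            fi
        done
        dzcheck_log "deny: role '${role:-none}' may not run as root ($user: $cmd)"
        return 1
    fi

    dzcheck_log "allow: $user role=${role:-none} runas=$runas cmd=$cmd"
    return 0
}

# Act only when invoked under the installed name; when the file is sourced or
# run under another name (for testing), just define the functions above.
case "${0##*/}" in
    dzcheck)
        dzcheck_decide "${DZDO_USER:-}" "${DZDO_COMMAND:-}" \
                       "${DZDO_RUNASUSER:-}" "${DZDO_ROLE:-}"
        exit $?
        ;;
esac
```

Install it at the path named by dzdo.validator (by default /usr/share/centrifydc/sbin/dzcheck), owned by root and mode 0755, and set dzdo.validator.required to true if a missing or misconfigured validator should block elevation rather than be skipped.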

  

 

Smart Card

 

·        PKCS 11 support for RHEL (Ref: 51238)

- Apart from our default PKCS 11 module, you can now plug in 3rd party PKCS 11 modules through a new centrifydc.conf parameter and the corresponding GP.

 

 

Configuration Parameters

·        centrifydc.conf is updated:

 

-   New parameters:

-   adclient.cache.expires.group.membership: This parameter specifies cache timeout for the object membership information. If not specified the object expiration settings are used. (Ref: 22238)

-   adclient.excluded.domains: This parameter specifies a list of space-separated AD domain names in dotted format. Users can use this parameter to blacklist one or multiple domains. If the list is not empty, domains in this list will be excluded in the trusted domain map. Default is an empty list. (Ref: 41000)

-   adclient.included.domains: This parameter specifies a list of space-separated AD domain names in dotted format. If the list is not empty, only domains in this list (and the joined domain) will be included in the trusted domain map. Default is an empty list. (Ref: 41000)

-   adclient.krb5.conf.domain_realm.strict: This parameter controls whether adclient removes any unknown hosts for the joined domain from the [domain_realm] section of krb5.conf. Default is false. (Ref: 49897)

-   dzdo.search_path: This parameter defines the path used to locate every command run from dzdo, like the 'secure_path' option in sudoers but used only when searching for the command. Not set by default. You can also specify the path in a file; the file should contain only path values separated by colons, for example:

dzdo.search_path: file:/etc/centrifydc/dzdo.search_path

(Ref: 48296)

-   dzdo.secure_path: This parameter defines the path used for every command run from dzdo, like the 'secure_path' option in sudoers but used only when executing the command. Not set by default. You can also specify the path in a file; the file should contain only path values separated by colons, for example:

dzdo.secure_path: file:/etc/centrifydc/dzdo.secure_path

(Ref: 47769, 51472)

-   dzdo.use.realpath: Some customers want dzdo to resolve the real path of a command before it is checked against authorization and run. This parameter controls whether dzdo uses the realpath(3) routine to canonicalize the path of the command before checking it against the DirectAuthorize command rights. By default the path is not canonicalized.

(Ref: 52662)

-   krb5.cache.type: This parameter defines the type of Kerberos credential cache adclient creates when an AD user logs in. Valid values:

- FILE: create a file-based credential cache in /tmp when an AD user logs in. Note: Mac OS only supports this type.

- KCM: create an in-memory credential cache. This requires the KCM server to be running.

Default is FILE. (Ref: 27272)

-   rhel.smartcard.pkcs11.module: This parameter specifies which PKCS #11 module is used for smart card support on Red Hat. The default is /usr/$LIB/pkcs11/libcentrifypkcs11.so. The $LIB variable is supported when specifying the module path; it is replaced by lib or lib64 on 32-bit and 64-bit systems respectively. You must re-enable smart card support after changing this parameter.

To re-enable smart card support, run the following command as root:

> /usr/bin/sctool -d && /usr/bin/sctool -e

You might also want to refresh GNOME to reflect the change. You can run the following command as root to do so:

> /usr/sbin/gdm-safe-restart

(Ref: 51238)

 

-   Obsoleted parameters:

-   log.audit: This parameter has not been used and hence is now removed. (Ref: 50751)

-   log.client: This parameter has not been used and hence is now removed. (Ref: 50751)

 

Please refer to Configuration Parameters Reference Guide for details.

 

Centrify OpenSSH

 

·        Upgraded to OpenSSH 6.2p2 (Ref: 40359, 51889)

Centrify OpenSSH 5.1.2 is now based on OpenSSH 6.2p2 and hence may support more configuration parameters. As a result of this upgrade, Centrify OpenSSH 5.1.2 works only with Centrify DirectControl 5.1.2 or later.

 

Supported Platforms

 

·        Support is removed for the following operating systems:

- Mac OS X 10.6

- This release does not support Mac OSX as we are planning a separate release to coincide with the OSX 10.9 release.

 

·        Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.

 

2.6.          New Features in DirectControl 5.1.1

DirectControl Agent

 

General

 

·        Audit Trail

Audit Trail is enhanced to track security-related operations in DirectControl Agent and DirectManage Access Manager.

 

Smart Card

 

·        Name mapping smart card (a.k.a. alternate identity smart card)

Centrify DirectControl agent is enhanced to support login via name mapping smart cards on both Mac and RedHat platforms. This feature is disabled by default and must be enabled manually as follows:

·        Edit /etc/centrifydc/centrifydc.conf and set the following configuration parameter to true:

o   smartcard.name.mapping: true

·        Restart the DirectControl agent:

o   /usr/share/centrifydc/bin/centrifydc restart

·        Note the following sequence during login process:

o   At system startup, user is prompted for smart card insertion

o   Upon card insertion, user is prompted for PIN

o   At this point, user is prompted for user name. User must specify which user account to authenticate with.

 

DirectControl for Mac

 

·        DirectControl for Mac OS X has been updated to version 5.1.1. Please see the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.

 

Configuration Parameters

·        centrifydc.conf is updated:

 

-   New parameters:

-   adclient.altupn.update.interval: This parameter tells the DirectControl Agent to update the list of alternate UPN suffixes at a given interval. The default is 1800 seconds.

-   adclient.cache.flush.interval.dz: This parameter configures the frequency (in seconds) for the DirectControl Agent to flush its DirectAuthorize (DZ) cache. This parameter forces periodic DZ cache updates (not the DC cache). The default '0' means no periodic DZ cache update (to match existing behavior).

-   dzdo.set.runas.explicit: This parameter configures whether the runas user must be specified explicitly when using dzdo. The default is true.

-   smartcard.name.mapping: This parameter allows non-root user to be able to see the Alternate Security Identity field in Active Directory objects. The ‘name mappings for smartcard’ feature uses this field to identify which cards can login to which Active Directory user.

 

-   Modified parameters:

-   adclient.server.try.max: The default is changed from 3 to 0. Note: this parameter was deprecated since 4.4.3 and resurrected in 5.1.0.

 

Please refer to Configuration Parameters Reference Guide for details.

 

DirectManage Access Manager

 

·        Sudoers Import

Sudoers Import now supports GIDs in the user list and the runas list. (Ref: 37923)

 

·        Audit Trail

Audit Trail is enhanced to track administrative operations related to Centrify objects, such as creation and deletion of zones, definition of user and group profiles, and roles and rights definition and assignment.

 

adedit

 

·        adedit sample scripts are enhanced:

-   addbloader is enhanced to better support the effective user rights and special user/group types: All AD Users, All Local Unix Users and All Local Unix Groups, in UNIX environment. Note: Classic zones are not supported.

-   adreport is enhanced to work with the new addbloader to report the effective user rights and special user/group types: All AD Users, All Local Unix Users and All Local Unix Groups, in UNIX environment.

 

Centrify OpenSSH

 

·        When Centrify-openssh is installed, it checks whether the computer already has an SSH server. If one is found, Centrify-openssh automatically adopts the Port and AuthorizedKeysFile settings from its sshd_config. (Ref: 39835)

 

Supported Platforms

 

·        Support is added for the following operating systems:

-   Red Hat Enterprise Linux 5.9, 6.4 (32-bit and 64-bit)

-   Oracle Linux 5.9, 6.4 (32-bit and 64-bit)

-   CentOS 5.9, 6.4 (32-bit and 64-bit)

-   Scientific Linux 5.9, 6.4 (32-bit and 64-bit)

-   Fedora 18, 19 (32-bit and 64-bit)

-   OpenSuSE 12.3 (32-bit and 64-bit)

-   Ubuntu 13.04 (32-bit and 64-bit)

-   Debian 7 (32-bit and 64-bit)

-   Mint LMDE 201303 (32-bit and 64-bit)

-   Mint 15 (32-bit and 64-bit)

- Solaris 11.1 (x86_64 and SPARC)

 

·        Support is removed for the following operating systems:

- Ubuntu 8.04LTS

- Microsoft Windows Vista

 

·        This is the last release for the support of the following operating systems:

- Mac OS X 10.6

 

·        Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.

 

2.7.          New Features in DirectControl 5.1.0

DirectControl Agent

 

·        Read-only Domain Controller (RODC) is supported

RODCs are supported in a DMZ and can also reside in the same forest as writeable domain controllers. Refer to the Administrator's Guide for UNIX for details.

 

·        adnisd supports multiple domains in hierarchical zones

In this release of the Centrify NIS server, the NIS maps can be distributed into different domain controllers in hierarchical zones.

 

·        0.9.8w OpenSSL

DirectControl is integrated with 0.9.8w OpenSSL.

 

 

Auto Zone

·        Configure Auto Zone to limit access

You can set configuration parameters or group policies to specify a subset of Active Directory users and groups that have access to computers joined through Auto Zone. Refer to Administrator's Guide for UNIX for details.

 

·        Substitute UID with employee number or employee ID in Auto Zone

Zone Provisioning Agent allows using employee number or employee ID as the UID in the user's UNIX profile.

 

 

Auditing

·        Role based Audit rights

There are predefined audit rights that are built into every role definition. They specify whether and under what conditions a user must be audited in order to login. This feature is only available in hierarchical zones.

 

New pre-defined role definitions:

-   always permit login: users in this role are allowed to login even if auditing is required but not available.

-   scp: Predefined system role for granting scp access without explicit SSH login.

-   sftp: Predefined system role for granting sftp access without explicit SSH login.

-   UNIX login: Predefined system role that grants typical UNIX user login rights. It was called the “login” role in previous releases.

-   Windows login: Predefined system role that grants typical Windows user login rights including console and remote login.

-   winscp: Predefined system role for granting winscp access.

 

The pre-defined role definitions are not created for zones that existed before DirectControl was upgraded. You can use the “Generated pre-defined roles” context menu item to create those roles.

 

See the Administrator's Guide for UNIX for details.

 

·        Audit Trail

Authentication and authorization granted and denied messages are written in the syslog file. The audit trail messages are identified by the AUDIT_TRAIL token in the message.
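The note above says that granted and denied authentication and authorization messages are written to syslog and tagged with the AUDIT_TRAIL token. As an added example (not code from these release notes or from Centrify), the Python below filters a constructed syslog excerpt on that token, parses the records and summarizes them per user; the key=value field layout of the sample lines is an assumption for the demo, not Centrify's documented message format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines for the demo. Only the AUDIT_TRAIL token is
# taken from the release note; program names, fields and values are made up.
SAMPLE_SYSLOG = """\
Mar  3 10:01:02 host1 adclient[1234]: INFO  daemon.main Starting adclient
Mar  3 10:01:05 host1 adclient[1234]: INFO  AUDIT_TRAIL event=authentication result=granted user=alice service=sshd tty=pts/0
Mar  3 10:01:09 host1 dzdo[2001]: INFO  AUDIT_TRAIL event=authorization result=granted user=alice command=/usr/bin/systemctl
Mar  3 10:01:11 host1 adclient[1234]: INFO  AUDIT_TRAIL event=authentication result=denied user=bob service=sshd tty=pts/1
Mar  3 10:01:12 host1 adclient[1234]: INFO  AUDIT_TRAIL event=authentication result=denied user=bob service=sshd tty=pts/1
Mar  3 10:01:14 host1 adclient[1234]: INFO  AUDIT_TRAIL event=authentication result=denied user=bob service=sshd tty=pts/1
Mar  3 10:01:20 host1 dzdo[2002]: WARN  AUDIT_TRAIL event=authorization result=denied user=bob command=/bin/sh
Mar  3 10:01:30 host1 cron[3001]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog header (timestamp, host, program[pid]) followed by a level,
# the AUDIT_TRAIL token and free-form key=value fields.
AUDIT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: \w+\s+AUDIT_TRAIL (?P<fields>.*)$"
)


def parse_audit_trail(text):
    """Return one dict per AUDIT_TRAIL record; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        if "AUDIT_TRAIL" not in line:
            continue  # cheap pre-filter before the regex
        m = AUDIT_RE.match(line)
        if not m:
            continue  # tagged but in a layout this parser does not understand
        event = {"ts": m["ts"], "host": m["host"],
                 "prog": m["prog"], "pid": int(m["pid"])}
        for token in m["fields"].split():
            key, sep, value = token.partition("=")
            if sep:
                event[key] = value
        events.append(event)
    return events


def summarize(events):
    """Per user, count how often each (event, result) pair occurred."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[ev.get("user", "?")][(ev.get("event"), ev.get("result"))] += 1
    return counts


def users_with_repeated_denials(events, threshold=3):
    """Users whose authentication was denied at least `threshold` times:
    a simple trigger for follow-up on the audit trail."""
    denied = Counter(
        ev["user"] for ev in events
        if "user" in ev
        and ev.get("event") == "authentication"
        and ev.get("result") == "denied"
    )
    return sorted(user for user, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    parsed = parse_audit_trail(SAMPLE_SYSLOG)
    for user, counter in sorted(summarize(parsed).items()):
        print(user, dict(counter))
    print("repeated denials:", users_with_repeated_denials(parsed))
```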

 

DirectControl Agent Commands

·        CLI is updated

 

-   adjoin

- New --dnsname (-D): This is an optional parameter to override the dNSHostName attribute in the computer object.

-   addns:

- New --list (-L): lists DNS record details

- New --refresh (-r): update unchanged records to refresh TTL

-   dzdo

-     dzdo is enhanced to support local users and local groups.

-     dzdo is enhanced to execute a command on a remote machine via SSH connection.

See the Administrator’s Guide for UNIX for details.

 

-   dzinfo

- New --computer-role (-C): show the computer role

- New --format (-f): produces scriptable output

 

 

Configuration Parameters

·        centrifydc.conf is updated:

 

-   New parameters:

-   auto.schema.allow.users: Users allowed in this Auto Zone.

-   auto.schema.allow.groups: Users who are members of the groups specified here are allowed in this Auto Zone.

-   auto.schema.groups: Groups allowed in this Auto Zone.

-   auto.schema.max.unix.name.length: Maximum length of a UNIX name in this Auto Zone.

-   auto.schema.override.uid: Specify which Active Directory user attribute to use to generate the UID.

-   auto.schema.substitute.chars: The character used to substitute for invalid characters.

-   auto.schema.unix.name.disallow.chars: Characters not allowed in Auto Zone name.

-   adclient.binding.refresh.force: Indicates whether to force re-establishing LDAP bindings regardless of whether the current binding is to the closest site.

-   adclient.dzdo.clear.passwd.timestamp: Setting this to true removes the tickets after logout. Default is false.

-   adclient.sudo.clear.passwd.timestamp: Setting this to true removes the tickets after logout. Default is false.

-   adclient.sudo.timestampdir: The directory where sudo stores timestamp files.

-   adclient.update.os.interval: How long adclient should wait before attempting to update the OS information when adclient starts up in disconnected mode. Default is 30 seconds.

-   dc.penalty.time: controls how long a domain controller that has failed is considered less preferable to the other domain controllers in the forest.

-   dzsh.roleswitch.silent: Set to true to suppress the role switch information when using dzsh. Default is false.

-   dzdo.passprompt: The password prompt format when the target user's password is needed. Default is "[dzdo] password for %p:".

-   pam.setcred.respect.sufficient: Set to true if pam_setcred should call the remaining modules even when a 'sufficient' module has already succeeded. DirectControl sets the value according to the target platform.

 

-   Modified parameters:

-   adclient.cache.expires: Default is changed from 3600 to 600 seconds.

-   adclient.cache.expires.gc: Default is changed from 3600 to 600 seconds.

-   adclient.cache.expires.group: Default is changed from 3600 to 600 seconds.

-   adclient.cache.expires.user: Default is changed from 3600 to 600 seconds.

-   adclient.cache.expires.user.membership: Default is changed from 3600 to 600 seconds.

-   nss.program.ignore: added unix_chkpw

 

Refer to Configuration Parameters Reference Guide for details.

 

DirectManage Access Manager

 

·        DirectManage Access Manager

DirectManage Access Manager is the new name for DirectControl Administrator Console.

 

·        License report in Report Center is replaced by the Deployment Report. There is a start menu item to open the Deployment Report.

    

·        Windows access and auditing

Centrify Windows agents provide role-based access control, privilege management and auditing on Windows computers.   For details, please refer to Administrator's Guide for Windows.

 

·        Migrate from sudo to dzdo

A wizard is provided in DirectManage Access Manager to migrate privilege management of UNIX computers from sudoers to Active Directory via the Centrify Server Suite DirectAuthorize features. It is recommended to import the UNIX users and groups and create the computer roles before importing the sudoers file. Refer to Administrator's Guide for UNIX for details.

 

·        Import users and groups from Deployment Manager database

The import users and groups wizard in DirectManage Access Manager is enhanced to retrieve the users and groups’ data from the Deployment Manager database.

 

·        Forest Analysis in DirectManage Access Manager is enhanced to check for:

-   expired profiles storing SID in sidHistory

-   profiles schema for cross forest users

-   orphan role assignment

 

Migration

 

·        Migrate Classic Zone to Hierarchical Zone

The admigrate script migrates users, groups, roles and rights in a classic zone to a hierarchical zone.  Refer to its manpage for usage.

 

·        Move Computer to Hierarchical Zone

The adchzone script moves a zone computer object from classic to hierarchical zone in the same domain.  Refer to its manpage for usage.

 

·        Upgrading DirectControl cache

When DirectControl is upgraded from 5.0.x, its cache is also upgraded.  It does not support cache upgrade from 4.x. The 4.x cache will be deleted when upgrade is performed. Upgrade is not performed if the cache is encrypted.

 

adedit

 

·        adedit is enhanced

-   get_all_zone_users: gets all zone users along the hierarchical path.

-   get_user_groups: gets the groups that the user belongs to.

-   get_zone_user_field, get_zone_group_field, get_zone_computer_field: add a dn option to locate the AD object.

-   dn_to_principal, get_group_members, get_role_assignments, get_zone_users, joined_name_to_principal, list_role_assignments, list_zone_user, principal_from_sid: add a upn option to display the UPN name.

-   move_object: moves the selected object to the specified location in the same domain.

-   rename_object: renames the common name of the selected object.

 

·        New adedit sample scripts

-   addbloader is enhanced to support the new sysRights and roles in DirectControl and Windows Agent.  When you use adedit to modify the sysRights, you must use bit operators to make the change.  Otherwise, the Windows Agent sysRights will be reset.

-   adreport is enhanced to report command rights.

-   adzonediff is new in this release.  It compares the roles and rights between two zones. Refer to its command help for usage.

-   More adedit sample scripts can be found under /usr/share/centrifydc/samples/adedit directory.  See the UNIX and Linux Evaluation Guide for details.

 

Centrify LDAP Proxy

 

·        DirectControl LDAP Proxy supports global catalog search (Ref: 19540)

In addition to searching through the domain controller, LDAP Proxy also supports global catalog search by adding "CN=$" in front of the search base. The global catalog search is useful in a multi-domain forest environment.

 

Centrify OpenSSH

 

·        Centrify 5.1.0 OpenSSH

Centrify DirectControl includes Centrify 5.1.0 OpenSSH, which is based on 6.0p1 OpenSSH in this release. Refer to the Administrator's Guide for UNIX.

 

·        New UNIX Rights Definition

 

-   SSH Rights

New predefined SSH rights identify specific SSH services that a user who is enabled for PAM SSH access can run. The SSH rights are generated after the DirectControl console is upgraded. Refer to the Administrator's Guide for UNIX for details.

 

Supported Platforms

 

·        Support is added for the following new operating systems:

-   CentOS 6.4 (32-bit and 64-bit)

-   Scientific Linux 6.4 (32-bit and 64-bit)

-   Red Hat Enterprise Linux 6.4 (32-bit and 64-bit)

-   Red Hat Enterprise Linux 5.8 PPC (64-bit)

-   Red Hat Enterprise Linux 5.8 Itanium (64-bit)

-   Linux Mint Debian Edition (32-bit and 64-bit)

-   OpenSuSE 12.2 (32-bit and 64-bit)

 

·        Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.

 

2.8.          New Features in DirectControl 5.0.5

 

-   Support is added for the following operating systems:

-   Red Hat Enterprise Linux 6.3 (32-bit and 64-bit)

-   Red Hat Enterprise Linux Desktop 6.3 (32-bit and 64-bit)

-   CentOS 5.8, 6.3 (32-bit and 64-bit)

-   Scientific Linux 5.8, 6.3 (32-bit and 64-bit)

-   Oracle Linux 6.3 (32-bit and 64-bit)

-   Ubuntu Desktop 12.10 (32-bit and 64-bit)

-   Ubuntu Server 12.10 (32-bit and 64-bit)

-   Linux Mint 13, 14 (32-bit and 64-bit)

 

Only x86 and x86-64 Red Hat packages are updated in this release.  The Debian packages in Suite 2012.2 are verified to work with Ubuntu 12.10 and Linux Mint 13 and 14.

 

All other packages are identical to DirectControl 5.0.4.

2.9.          New Features in DirectControl 5.0.4

 

·        In this release, the following platforms support SmartCard login:

- Red Hat Enterprise Desktop 5.x and 6.x (32-bit and 64-bit)

 

·        The following smart cards are supported:

- Gemalto SC 64k 1.2 – CAC

- Oberthur One 5.2 – PIV

- Oberthur 128 v5.5 DI – CAC

- Gemalto 144 TOPDL DI – CAC

- Oberthur ID One 5.2 Dual – CAC

- Gemalto 72k DI - CAC

 

·        SmartCard login is supported on GNOME only.

 

·        New group policies are added to support smart cards. Refer to Group Policy Guide for details.

 

·        Only Red Hat packages are updated in this release. All other platforms are identical to DirectControl 5.0.3.  

2.10.     New Features in DirectControl 5.0.3

 

·        DirectControl for Mac OS X

 

DirectControl for Mac OS X has been updated to version 5.0.3. See the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.

 

Support has been added for Mac OS X 10.8.

 

·        Centrify 4.5.4 OpenSSH

 

OpenSSL is upgraded from 0.9.8k to 0.9.8w and is statically linked. This fixes several security vulnerabilities found since 0.9.8k. Refer to the OpenSSL release notes for details.

 

·        All other packages are identical to DirectControl 5.0.2.

2.11.     New Features in DirectControl 5.0.2

 

·        FIPS 140-2

Red Hat Enterprise Linux Server and Mac OS X support FIPS 140-2 standard.

 

·        DirectControl in FIPS mode

DirectControl in FIPS mode is integrated with 0.9.8s OpenSSL.

 

·        Centrify 4.5.3 OpenSSH

Centrify DirectControl includes Centrify 4.5.3 OpenSSH, which is based on 5.9p1 OpenSSH in this release. Refer to Centrify 4.5.3 OpenSSH release notes for details.

 

·        Centrify 4.5.3 Samba

Centrify 4.5.3 Samba is based on 3.5.11 Open Samba code. Centrify 4.5.3 Samba can be downloaded from Centrify web site. Previous Centrify Samba does not work with Centrify DirectControl in this release.

 

·        SQLite

DirectControl does not ship an SQLite shared library in its package, which avoids conflicts with the SQLite shared library used by other applications.

 

·        Support is added for the following new operating systems:

- Red Hat Enterprise Linux 5.8, 6.2 (32-bit and 64-bit)

- Red Hat Enterprise Linux Desktop 5.8, 6.2 (32-bit and 64-bit)

- Scientific Linux 5.7 (32-bit and 64-bit)

- Fedora 17 (32-bit and 64-bit)

- CentOS 5.7, 6.1, 6.2 (32-bit and 64-bit)

- Mandriva Enterprise Server 5 (32-bit and 64-bit)

- VMWare VIMA vsphere 5

- Linux Mint 12 (32-bit and 64-bit)

- Solaris 11 (x86_64 and SPARC)

 

·        Support is removed for the following operating systems:

- All OpenSolaris versions

- AIX 5.1, 5.2

- VMware ESX 3.0.1, 3.0.2

- Fedora 13 and below (32-bit and 64-bit)

- Ubuntu 6.06, 8.10, 9.04, 9.10 (32 and 64 bit)

- Mac OS X 10.5

2.12.     New Features in DirectControl 5.0.1

 

·        Express mode

- Express mode is now supported and HPUX 11.31 and AIX 7.1 are added to the platform support list for Express.

 

·        DirectControl for Mac OS X

- DirectControl 5.0.1 is the first release on the Macintosh platform that provides support for Next Generation Zones.

- Support for OS X 10.7.x, including support for Apple's FileVault full disk encryption and Microsoft's Distributed File System (DFS) capabilities.

- Automated Certificate Enrollment for 802.1x and VPN services

- Improved support for Printer Management on the Mac using the _lpadmin and _lpoperator printer groups on the local Mac

- Simplified Group Policies for automatically mounted fileservers and home directories.

- Smart Card support for 10.6 and 10.7 for all CAC, CACNG, and PIV cards, including the Oberthur ID One 128 v 5.5 Dual Smart Card.

- New OCSP Enhancements and GUI for SmartCard configuration

   

·        User password expiration

- Fine-grained password policy is queried to determine user password expiration.

 

·        DirectControl MMC Snapin

- Now implemented in user mode rather than in author mode in order to co-exist better with group policies.

 

·        Support is added for the following new operating systems:

- Citrix XenServer 6.0

- Fedora 16 (32-bit and 64-bit)

- OpenSuSE 12.1 (32-bit and 64-bit)

- Ubuntu 11.10 Desktop (32 and 64 bit)

- Ubuntu 11.10 Server (32 and 64 bit)

- Solaris 11 Express 2010.11 (x86_64 and SPARC)

2.13.     New Features in DirectControl 5.0.0

 

·        Hierarchical zoning

 

·        NIS map support added to NSS

The following NIS maps are supported:

- networks

- rpc

- auth_attr

- prof_attr

- user_attr

- exec_attr

- auuser

- protocols

- networks

- bootparams

- netmasks

- netgroup

- hosts

- printers

- project

- services

- ethers

- aliases

- ipnodes

- AIX

 

·        Centrify Zone Provisioning Agent

Zone Provisioning Agent (ZPA) is now included with DirectControl. It has been updated to support hierarchical zoning, new in DirectControl 5.0.0.

 

·        Group Policies

 

1.  New group policy: Enable Auto Zone user home directory. This group policy adds the auto.schema.use.adhomedir property to /etc/centrifydc/centrifydc.conf.

 

2.  adm files are now shipped for Centrify group policies as well as xml.

 

·        Configuration parameters

 

1.  New configuration parameter: krb5.cache.clean.exclusion

 

This parameter defines an exclusion list for when adclient cleans users' cache files. For users in this list, adclient will not clean their krb5cc_* file. UNIX names of AD users should be used. The default value is empty.

 

2.  New configuration parameter: adclient.krb5.use.addresses

 

This parameter controls the MIT Kerberos HostAddresses option. If the parameter is set to true, adclient will add "noaddresses = false" to krb5.conf. The parameter is set to false by default.

 

3.  New configuration parameter: adclient.altupns

 

This parameter tells adclient to allow an otherwise unknown Kerberos realm as UPN suffix. The default is unconfigured. For example, to allow "mil" as a UPN suffix:

 

adclient.altupns: mil

 

·        New CLI features

 

- adcheck

 

adcheck now does a DNS TCP port check as well as a UDP port check in the "net" set of checks.

 

New --tmp_path (-m) parameter to use the given path for temporary files during the check. If not specified, the default is /tmp.

 

- adfixid

 

- New --undo (-U) parameter to back out changes made since the last change marker. The log for undo is accumulated in

 

/etc/centrifydc/adfixid.log

 

- adinfo

 

- New --debugcache command line parameter added to tar up /var/centrifydc cache files.

 

- -y parameter now accepts parameters. "config" dumps all property values, "dns" dumps the dns cache and "all" dumps all system information.

 

- --support parameter now includes contents of /etc/irs.conf, /etc/netsvc.conf and shows the ldd output for /usr/lib/netsvc/dynload/nss_cdc.so.

 

- New -G option to report the current GC.

 

- adjoin

 

- New --upn (-U) parameter for adjoin sets the user's UPN.

 

- adquery

 

- New parameter --attribute mail (-b mail) to return the email address of a user. Note that this can only be used with users, it does not work for groups.

 

- adupdate

 

- New --principal (-P) parameter for adupdate user allows setting of user's UPN.

 

- New --foreign-sid (-i) parameter allows setting / retrieving of a sid for a foreign user.

 

- adupdate now allows changes to users from one-way trusted forests. To use it, retrieve the SID for the user to be changed via the -Z option of adquery user, then use that SID in adupdate with the --foreign-sid option.

 

- New --userWorkstations (-W) option for adquery user shows the user's userWorkstations attribute. The --all (-A) option has been extended to include this attribute too.

 

·        Windows Console

 

An option has been added to the import Wizard to add a prefix or suffix to the name of a group or user, allowing name clashes to be avoided with already existing users and groups.

 

·        New DirectAuthorize reports

 

Two new reports have been added to report on user roles and rights grouped by zone. The new reports are:

 

- User Role Assignments Grouped by Zone

- User Privileged Command Rights Grouped by Zone

 

·        The DirectControl NIS server (adnisd) now derives the mail.byaddr map.

 

·        Reworked DirectAuthorize to integrate it with hierarchical zones.

 

·        A script can now be called every time a dzdo command is executed, which allows adding per-command logging or a change ticket entry every time a privileged command is executed.

 

·        The Centrify PuTTY "Auto-login username" group policy defaults to "User principal name (require DirectControl)".

 

·        Support is added for the following operating systems:

- CentOS 4.9, 5.6, 6.0 (32-bit and 64-bit)

- Debian 6 (32-bit and 64-bit)

- Fedora 15 (32-bit and 64-bit)

- Mandriva 2011 One

- Oracle Linux 6 (32-bit and 64-bit)

- Red Hat Enterprise Linux 5.7, 6.1 (32-bit and 64-bit)

- Red Hat Enterprise Linux Desktop 5.7, 6.1 (32-bit and 64-bit)

- Scientific Linux 4.9, 5.6, 6.1 (32-bit and 64-bit)

- Ubuntu Desktop 11.04 (32-bit and 64-bit)

- Ubuntu Server 11.04 (32-bit and 64-bit)

3.     Bugs Fixed

3.1.          Bugs Fixed in Centrify DirectControl 5.2.2

DirectControl Agent

 

·          Because KCM server is restarted during an upgrade, the in-memory Kerberos cache credentials will be lost. A warning message is now added in the upgrade log to remind users about this behavior. (Ref: 59013)

 

·          Previously when adflush is run without any option, object caches were flushed. This was not a desirable default behavior. In this release, adflush will only expire the object caches if no option is specified. Use '-f' or '--force' option if you really want to flush the object caches. Note: this is a behavior change. (Ref: 61501)

 

·          adclient now handles the DNS_REFUSED error (error code 5), so that you can successfully join a domain even with some caching-only DNS servers. (Ref: 56826)

 

·          The adsendaudittrailevent command now runs only if the effective UID is 0. This prevents non-root users from generating unnecessary log messages. (Ref: 63255)

 

·          Under unusual DNS conditions the zone hierarchy might fail to load at adclient startup. Failing to load the zone hierarchy caused sysrights not to be set properly, which resulted in user login failures. This problem is now fixed. (Ref: 60104)

 

 

·          If an AD group from another domain that is assigned to a role was moved to another container, its DN changed. Until the AD domain controller automatically corrected the object references in the CDC zones, group members lost the roles assigned to the AD group, and even adreload did not help. This release fixes the problem by looking up the object by its group SID. (Ref: 63746, 65530, 65691)

 

·          If an auto-private group is used, sporadic "No Primary Group with gid" error messages showed up in the log. This was more likely in large AD environments and was caused by a race condition between a background operation and the calling application. (Ref: 71090, 71103)

 

·          Previously a dzdo command always used the invoker’s ulimits on AIX. In this release, dzdo correctly uses the runas target user's major ulimits settings for the executed commands. This is the same behavior as the stock sudo in sudo-1.8.10p3. (Ref: 63444)

 

·          Previously, when using dzdo on HP-UX 11.31, customers got the following error message in syslog:

dzdo: hpsec: auth - illegal option use_first_pass.

This issue has been fixed. (Ref: 64168)

 

·          In dzsh, if the cd command fails due to insufficient permission, the PWD and OLDPWD are still updated as if it was in the target directory. This is fixed. (Ref: 58761)

 

·          The fixhome.pl script no longer supports the ‘-f’ option. The ‘-f’ option was used to follow symbolic links while fixing the home directory; this is now the default behavior. When a user runs the script, all files or directories pointed to by symlinks are fixed as well. (Ref: 59014)

 

·          On AIX, no user is able to login except root if the stanza in methods.cfg contains redundant blank lines or the module name starts with whitespace character.  From DirectControl 5.1.2 on, we have improved adcheck to alert users about this incorrect formatting in methods.cfg. (Ref: 36849)

 

·          On AIX, certain LIBPATH order causes DirectControl agent to load the wrong libcrypto library.  This release always loads the libcrypto library installed by DirectControl agent. (Ref: 68886)

 

·          On HPUX, some local accounts with UID 0 may get locked out repeatedly. See KB-4065 for more details. This problem is now fixed. (Ref: 59156, 60948)

 

·         When computer or user password change is disabled by setting adclient.krb5.password.change.interval: 0 or pam.allow.password.change: false in centrifydc.conf respectively, adclient will not probe the kpasswd port 464. (Ref: 55441)

 

·         To avoid all machines changing their machine password simultaneously, a random number within the value specified in adclient.krb5.password.change.random_offset.interval is added to compute the next update time of the machine password. (Ref: 70744)

 

·         adinfo displayed the previously joined domain controller to a non-root user. This problem did not happen for the root user. It is now fixed. (Ref: 58208)

 

·         adcheck is improved to ignore the properly formatted swap entries in /etc/fstab to avoid unnecessary warning messages. (Ref: 61272)

 

·         adclient crashes if /etc/group contains a line longer than 1024 characters. This problem is now fixed. (Ref: 75211)

 

·         adclient significantly improves the performance when iterating through UNIX objects.  Iteration is now performed through local cache rather than paged search to Active Directory. (Ref: 57828)

 

DirectManage Access Manager

 

·          The permission checking was incorrect when a user/group was added/removed in a SFU zone. This has been fixed. (Ref: 60601)

 

·          The predefined role "always permit login" is now renamed to "Rescue - always permit login". This will clarify the fact that this role only permits assignee login when running in emergency mode. (Ref: 39917)  

 

·          The column "canonical name" under zone->users is now available again. (Ref: 57662)

 

·          Previously Access Manager failed to launch due to the dependency with PowerShell 2.0. This issue has been fixed by (Ref: 70537):

-  showing proper error message during installation on an unsupported Windows platform.

-  prompting user to confirm the installation of the needed PowerShell 2.0.

 

·          If a zone contained any user profile or group profile from a disconnected Active Directory domain, the Effective Windows User Rights dialog would stop working and would show an error message "Object reference not set to an instance of an object".  The same problem would occur if any of the roles is assigned to an AD user or AD group coming from the disconnected domain. This was a known issue in Centrify Server Suite 2014.  This issue has been fixed. (Ref: 59459)

 

·          Pending import from UNIX can now match candidates with accounts from a foreign forest. (Ref: 46142)

 

·          When defining application right criteria during the import process, file details and descriptions of running processes can now be retrieved from remote machines with IPv6 link-local, multicast, or site-local addresses. Other IPv6 address types are not supported. (Ref: 68956)

 

·          “Import from UNIX” wizard now supports exact match or partial match when matching candidates. (Ref: 51146)

 

·          The dialog adding rights to a role now sorts the rights by name. (Ref: 40758)

 

·          A warning message stated that a command object was not configured for a restricted role. The warning was irrelevant because the restricted shell does not apply to local accounts. This is fixed in this release. (Ref: 42965)

 

·          In the Effective UNIX User Rights screen, “Show omitted users” did not list users who had complete profiles but no role assignments. The same problem occurred in the Effective Windows User Rights screen. This is fixed. (Ref: 40764)

 

·          Forest analysis can now detect invalid secondary user profiles even when the user’s primary profile does not exist or is invalid. (Ref: 31373)

 

·          If the auto-enrollment GP was set to “Not configured”, certificate auto-enrollment was still performed. This problem affected DirectControl agents before version 5.2.2. This is fixed. (Ref: 73278)

 

Deployment Report

 

·          The report file extension has been changed from '.csv' to '.txt' to prevent the file from being automatically reformatted by certain spreadsheet editors. The report content remains the same. Note: because the file extension has changed, please update any affected automation scripts. (Ref: 72951)

  

adedit

 

·          adedit previously used inconsistent Boolean arguments for the following five commands: set_role_field allowLocalUser, set_role_field AlwaysPermitLogin, set_zone_computer_field enabled, set_zone_group_field required and set_zone_user_field enabled. Now they all accept the following Boolean values: 1/0, y/n, yes/no, true/false. (Ref: 57180)

 

·          adedit is now able to change the ADS_UF_PASSWD_CNT_CHANGE flag in the UserAccountControl attribute in Active Directory. (Ref: 57908)

 

·          admigrate now supports AIX extended attributes. (Ref: 62850)

 

Zone Provisioning Agent

  

·          Previously Windows events generated by ZPA all had the same Event ID 0. This problem has been fixed. (Ref: 55904)

 

·          The ‘Zone default value’ option of UID has been changed to ‘Use auto incremented UID’. The ‘Zone default value’ option of GID has been changed to ‘Use auto incremented GID’. These changes are to reflect the proper default values. (Ref: 70575)

 

·          ZPA can now resolve a user’s primary group information through nested groups. By default only the immediate group is resolved. To enable this feature, set the DWORD registry key “HKLM\Software\Centrify ZPA\IncludeNestedGroups” to 1. (Ref: 51968)

 

·          ZPA is improved to ignore the leading and trailing space characters in the value field of the registry keys. (Ref: 62185)

 

Centrify OpenSSH

 

·          Previously sshd would fail with a 'no hostkey alg' error and drop the login if the client required the ECDSA host key algorithm, e.g. "ssh host -o HostKeyAlgorithms=ecdsa-sha2-nistp256". This issue had existed since Centrify OpenSSH 5.9p1 and could be worked around by manually generating the ECDSA host key with the command /usr/share/centrifydc/bin/ssh-keygen -q -t ecdsa -f /etc/centrifydc/ssh/ssh_host_ecdsa_key -C '' -N '' and restarting the sshd server. This issue has been fixed. Note: when upgrading to this new version, remove the old incorrect ECDSA key file /etc/centrifydc/ssh/ssh_host_ecdsa_key first, or else the new Centrify OpenSSH will not regenerate it. (Ref: 62152)

 

·          The service name shown in the sysvinit output of the new Centrify OpenSSH by the command '/etc/init.d/centrify-sshd status' on Red Hat systems has been changed from 'sshd' to 'Centrify-openssh-daemon'. This distinguishes it from other sshd processes and avoids the unexpected 'status' result on Red Hat 5 systems. (Ref: 73425)

 

·          Centrify OpenSSH now integrates with Solaris SMF control.  (Ref: 70978, 71207)

 

·          Centrify sshd produced an extra timestamp and the meaningless “\terror” string in its syslog messages. This problem is fixed in this release. (Ref: 67329, 67897)

 

3.2.          Bugs Fixed in Centrify DirectControl 5.2.1

DirectControl Agent

 

·          A problem was found in 64-bit Solaris 10 platforms that users might not be able to log in and adinfo would show ‘mode: <unavailable>’ even though the machine was successfully joined. This problem has been fixed. (Ref: 71202)

 

3.3.          Bugs Fixed in Centrify DirectControl 5.2.0

DirectControl Agent

 

·  To avoid the risk of command path spoofing, dzdo always resolves the full path of the command to be run and includes it in the DZCommand check performed by DirectAuthorize. The special command dzedit is exempt from this limit when it is used independently of its path (that is, run directly as 'dzdo -e file' or 'dzedit file'; running it under dzdo as 'dzdo dzedit file' is still subject to the path check), and it works as expected in both usage styles.

 

Note: This problem has been fixed in Suite 2014 and is recorded here for reference purpose. (Ref: 59852)

 

·  Core dumps could occur during local AD object cache operations. The problem was related to adding and deleting records in the local AD object cache, which uses the open source Berkeley DB library. There was no known workaround, but this problem has now been fixed. (Ref: 63761)

 

·  When a role was associated with more than 1500 rights, there was no way to retrieve or list all the rights in the role. There was no known workaround for this problem, but it has now been fixed. (Ref: 63880)

 

·  On Solaris 10, a problem was found that adnisd did not start up on zone reboot if either passwd or group was excluded, e.g. "nisd.exclude.maps: passwd group". This was because in this case adnisd startup script unnecessarily checked for passwd and group maps and refused to start up if they were not there. This problem has been fixed. (Ref: 60446)

 

·  On AIX, a problem was found that a background thread in adclient might consume unnecessary CPU cycles when processing user/group attributes if a network failure happened during the operation. This problem has been fixed. (Ref: 61008)

 

·  Previously the group policy logic might create folders and files (e.g. Previous.pol, Local.pol and Registry.pol) with incorrect permissions. These files and folders should grant access only to the root user, i.e. 0600 for files and 0700 for folders. This problem has been fixed. (Ref: 63506)

 

·  The /usr/share/centrifydc/bin/centrifydc script, starting from version 5.1.1, might hang on Solaris 10 or above if the machine was in single user mode. This could cause a problem if a user was upgrading DirectControl in single user mode. This problem has been fixed. (Ref: 62786)

 

·  Smart card (Ref: 64519)

 

A smart card login failure that occurred on RHEL when the smart card's UPN prefix differed from the samAccountName has been fixed.

DirectManage Access Manager

 

·  Previously the Access Manager Group Report might crash or show no entries due to a bug in the object cache. This problem has been fixed. (Ref: 62702)

 

·  The auto private group was mistakenly used as the user's primary group GID when adding a user with Access Manager. This issue has been fixed. (Ref: 64088)

adedit

 

·        Under certain conditions, e.g. when the stack size was set to a high value, running adedit on AIX might fail with the error 'Unable to initialize tcl environment'. This problem has been fixed by applying the corresponding Tcl patch. (Ref: 61760)

Centrify OpenSSH

 

·  Previously, if the dzssh check was enabled, Centrify sshd (through dzsshchk) only checked for the 'dzssh-scp' right for any scp request. Now it also checks for the 'dzssh-exec' right if the scp request has the -S option set; otherwise it checks only for the 'dzssh-scp' right, as before. (Ref: 60288)

 

3.4.          Bugs Fixed in Centrify DirectControl 5.1.3

DirectControl Agent

 

·  If a computer was located in a site with only RODCs and the computer was also a member of the "Allowed RODC Password Replication Group" AD group, a machine password change failure might sometimes occur. This is fixed. (Ref: 43810)

 

·  SSH login might fail and sshd debug would show pam_acct_mgmt return 4 (System error), if you were using public key login via PAM_AUTH on AIX. This is fixed. (Ref: 56964)

 

·  On AIX 6.1 and later, AIX has set up its native symlink /usr/lib/security/methods.cfg -> /etc/methods.cfg and we now support this setup. (Ref: 55443)

 

·  In dzsh, 'role -l' wrongly showed a role as '[restricted]' if it existed but was not currently effective. This is fixed: 'role -l' now shows denied roles as '[not effective]' and does not show expired ones. (Ref: 35575)

 

·  If a user was migrated from one domain to another, the user might encounter login problems in offline (disconnected) mode. This is now fixed. (Ref: 54902)

 

·  Local crontab entries appended after Centrify group policy crontab entries now are preserved after a group policy is updated. (Ref: 57282)

 

·  Some unnecessary warning messages, e.g. "… Failed to extend object" due to missing optional dNSHostName attribute, are now shown only as debug messages. (Ref: 46936)

 

·  Fixed a bug that might cause high CPU utilization and outdated result when iterating AD groups in classic zones. (Ref: 57406)

 

·  Support for syslog level control for Centrify-kcm has been added. For example, in krb5.conf the user can configure:

 

[logging]
kcm = SYSLOG:INFO:AUTH

 

Centrify-kcm will then send only messages of INFO level or higher to syslog. (Ref: 57748)

 

·  If the user home directory was created by the DirectControl PAM module, the security context of ~/.k5login would be wrong. When the user then tried to single sign-on to the machine, the .k5login could not be read and the login failed. This bug is fixed in this release. (Ref: 56131)

 

·  dzdo -V now shows the related dzdo settings that used to be available only in centrifydc.conf, such as secure_path and the password prompt message, with output similar to that shown by sudo -V. (Ref: 51288)

  

·  You might get a host key verification error after installing the Centrify Agent on a server running a Solaris version earlier than 9 or running HPUX, because those platforms use different directories to store the host key. This is fixed: if an agent is installed on a computer that has only stock OpenSSH, Centrify OpenSSH copies the stock OpenSSH host key files (for Solaris before Solaris 9, from /usr/local/etc/; for HPUX, from /opt/ssh/etc/; for all others, from /etc/ssh/) into /etc/centrifydc/ssh and uses them. (Ref: 55054)

 

·  Earlier, adcert failed to enroll to certificate template with "(" and ")" in its name. This is fixed so that "(" and ")" are allowed in the certificate template name. (Ref: 48157)

 

·  User login performance with user group policies enabled has been improved. User group policies now run when a session is opened. (Ref: 44026, 46549)

 

·  Centrify previously modified the root stanza upon adjoin, which had the side effect that root might not be able to log in on some AIX computers under rare conditions. A new configuration parameter, adclient.autoedit.user.root, is introduced in this release so that, by default, Centrify does NOT modify the root stanza.

 

Note: this is a change of user-facing behavior. Please make sure your system has the proper setting for the behavior you want. (Ref: 56235)

 

·  The log messages from PAM and NSS used to be written at the wrong log level if the level was INFO or above (i.e. INFO, WARNING, ERROR or FATAL). The log level values were shifted before writing to log: INFO -> DIAG, WARNING -> INFO, ERROR -> WARNING, FATAL -> ERROR. This is fixed. (Ref: 54379)

 

·  The dzinfo message that you may receive if no role is available for a user has been rewritten to be more accurate for each situation in which the message is needed. (Ref: 55307)

 

When no role is found or none is found available for a user, dzinfo now shows 'No role is currently available. User cannot login now.' for the user of hierarchical zones, and now shows 'No role is currently available.' for the user of classic zones.

 

·  Certain dzdo command definitions produced a seemingly unexpected result. This is fixed. (Ref: 55533)

 

Consider the situation where a "sh -c abc" command is defined as a regular expression in order to execute an internal shell command. Previously users could run all of the following dzdo commands successfully:

-   dzdo -i "abc" [or dzdo sh -c "abc"]

-   dzdo -i "abcefg" [or dzdo sh -c "abcefg"]

-   dzdo -i "abc -xyz" [or dzdo sh -c "abc -xyz"]

-   dzdo -i "abc;mnl" [or dzdo sh -c "abc;mnl"]

 

Now only dzdo -i abc [or dzdo sh -c "abc"] is allowed. Note: this is a behavior change.
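The matching change above, as an added illustration that is not dzdo's own code: a right defined by an unanchored regular expression matches any command line that merely contains the pattern, whereas requiring the whole command line to match admits only the exact command. Joining the arguments with single spaces and treating 'dzdo -i cmd' as 'sh -c cmd' are modelling assumptions; the fifth case ('bash -c abc') goes beyond the note to show that unanchored matching also accepts a different interpreter.

```python
"""Model of the dzdo command-right matching change described in Ref 55533.

"legacy" searches for the right's regular expression anywhere in the command
line; "fixed" requires the whole command line to match. This is an added
example of the two semantics, not Centrify's implementation.
"""
import re
import shlex
from typing import Dict, List, Tuple

# Constructed right definition: the "sh -c abc" regular expression from the note.
RIGHT_PATTERN = r"sh -c abc"


def legacy_match(pattern: str, argv: List[str]) -> bool:
    """Pre-fix behaviour: the pattern may match any substring of the command line."""
    return re.search(pattern, " ".join(argv)) is not None


def fixed_match(pattern: str, argv: List[str]) -> bool:
    """Post-fix behaviour: the whole command line must match the pattern."""
    return re.fullmatch(pattern, " ".join(argv)) is not None


def expand_dash_i(argv: List[str]) -> List[str]:
    """Assumption: 'dzdo -i <cmd>' is treated like the 'sh -c <cmd>' the note gives in brackets."""
    if len(argv) >= 2 and argv[0] == "-i":
        return ["sh", "-c", " ".join(argv[1:])]
    return argv


def evaluate(argv: List[str]) -> Tuple[bool, bool]:
    """Return (legacy_allowed, fixed_allowed) for the arguments given to dzdo."""
    cmd = expand_dash_i(argv)
    return legacy_match(RIGHT_PATTERN, cmd), fixed_match(RIGHT_PATTERN, cmd)


# The four invocations listed in the note, plus one extra interpreter case.
CASES = [
    "-i abc",
    "-i abcefg",
    "-i 'abc -xyz'",
    "-i 'abc;mnl'",
    "bash -c abc",
]


def summarize() -> Dict[str, Tuple[bool, bool]]:
    """Evaluate every case after shell-style word splitting."""
    return {case: evaluate(shlex.split(case)) for case in CASES}


if __name__ == "__main__":
    for case, (legacy, fixed) in summarize().items():
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"dzdo {case:<16} legacy={verdict(legacy):<5} fixed={verdict(fixed)}")
```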

 

·  Previously the Centrify LRPC/LRPC-2 protocols needed to access /tmp while processing authentication. As a result, AD users could not log in when /tmp was full. This is fixed in DirectControl.

 

Note: If your system has DirectAudit installed as well, this may still be a problem. (Ref: 19940)

 

·  adsetgroups -C "cmd" now returns the correct exit code of the command "cmd". (Ref: 56821)

 

·  Files referenced through a ‘file:’ parameter value in centrifydc.conf must not be symlinks. This is now enforced. (Ref: 54267)

 

·  New options have been added for adinfo and adflush. (Ref: 55376)

 

Added adinfo -y health and adflush --health to view and manage health state. Also added Warn level logging for health problems and Info level logging for resets.

 

·        On AIX with a WPAR environment set up, the in-memory credential cache provided by the Centrify-KCM service did not work due to a bug in the System Resource Controller (SRC) area. This is fixed. The Centrify KCM Service subsystem is now automatically created and destroyed when you install and uninstall Centrify DirectControl, so the "in-memory based credential cache" mode can be enabled without issue. (Ref: 54235)

 

·  Previously, when you used the KCM cache, running klist -A did not show the user's default file cache. This is fixed. (Ref: 51249) The correct behavior is:

1. If klist -A is run by root, it lists every Kerberos cache in KCM plus the default cache (KRB5CCNAME) of root.

2. If klist -A is run by a non-root user, it shows that user's Kerberos cache in KCM plus the default cache (KRB5CCNAME) of the user.

 

·  The command ‘dzinfo root’ used to show the wrong audit level when there was a computer role. This is fixed and the syntax of dzinfo is also tightened as follows (Ref: 47063):

1. 'dzinfo' without any user given or 'dzinfo $SELF' shall show the DirectAuthorize information for the current user who runs it.

2. Only root can run 'dzinfo $other_user(s)' which shall show the DirectAuthorize information for target user(s).

3. Only root can run 'dzinfo -C'.

4. If 'dzinfo -C' is run without specifying target user, it will show all users/groups which have computer roles assigned.

5. If 'dzinfo -C user(s)' is run, it will show the computer role information for the target user(s) and their related group(s).

  

·  On Red Hat Linux, a Red Hat bug concerning stale RPM database locks, which would hang RPM commands, caused sctool to wait indefinitely for RPM queries to finish. sctool now times out if the RPM queries take too long. (Ref: 48411)

  

·  Smart card (Ref: 54741)

 

Previously, in some situations the default module changed to "opensc" in /etc/pam_pkcs11/pam_pkcs11.conf. This is fixed, and the "Lock Smart Card screen for RHEL" group policy has been moved from User Configuration to Computer Configuration.

 

DirectManage Access Manager

 

·  On the ‘Specify Zone Properties’ page of the Zone Creation Wizard, there was a Master Domain Controller field which was rarely used. This has now been moved from the Zone Creation Wizard to the properties page and context menu. (Ref: 48844)

 

·  Sorting ability has been added to the "Show Effective UNIX User Right" page for each zone. (Ref: 49410)

 

·  Access Manager now defaults to generating UID values for zone users based on the AD user SID. (Ref: 48848)

 

·  When defining a user profile, especially at the parent level, every field was grayed out and the user had to select a check box to enable each option. This was very inconvenient. All checkboxes are now enabled by default. (Ref: 48849)

 

·        Evaluation license support (Ref: 52237, 55720)

 

The default option to generate and install a 30-day DirectControl evaluation license in DirectManage Access Manager's Setup Wizard has been removed. Users can still install a valid evaluation license obtained from Centrify.

 

·  The default behavior "Prepare UNIX computer for adjoin" was wrongly set to "Allow this user, group or computer to join the computer to the zone". This is fixed by changing the default behavior back to "Allow the computer to join itself to the zone". (Ref: 56248)

 

 

Deployment Report

 

·  The Deployment Report now can show the number of licenses in use by zone as well as the zone the system is joined to. (Ref: 35655)

  

adedit

 

·        The value of "UNIX_ENABLE" was wrongly set to false in the computer SCP when precreating a computer with an adedit script. (Ref: 53211)

- The syntax of the commands szcf “enabled” and gzcf “enabled” is corrected as follows: this field specifies whether the zone computer is enabled in its zone. Use szcf to set the field to 1 if enabled and 0 if not. Similarly, gzcf returns 1 if enabled and 0 if not.

  

Zone Provisioning Agent

 

·        If there were offline domains in the forest, ZPA sometimes failed to finish the provisioning cycle. This is now fixed by adding a switch to control the behavior. To ignore offline domains, add a new entry with name=SkipOfflineDomain, type=DWORD and value=1 under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Centrify ZPA. (Ref: 49942)

 

Centrify OpenSSH

 

·        Stock OpenSSH 6.2p2 recommends setting the sshd_config option 'UsePrivilegeSeparation' to 'sandbox', which limits the syscalls the unprivileged subprocess can use during connection handling and thus eliminates the risk from a compromised subprocess, rather than the default 'yes', which applies no sandbox. Centrify OpenSSH now follows this recommendation: the option is uncommented and set to 'sandbox'. Note: this is a behavior change inherited from stock OpenSSH. (Ref: 58590)

 

·  Previously the cdc-openssh RPM package did not have 'openssh' in its 'provides' list. This might cause problems if there are other packages that depend on OpenSSH. Now this is fixed. Note: If there is another package installed which also provides 'openssh' such as stock openssh-core, and there is a package such as stock openssh-clients which requires 'openssh', then the cdc-openssh package can only be safely removed by RPM using option --nodeps. (Ref: 54756)

 

·  Previously Centrify sshd might log multiple SSH_GRANTED messages during one SSH login. This is fixed. It will now log only one SSH_GRANTED or SSH_DENIED audit trail message for each SSH login. (Ref: 55680)

 

·  Previously our install script would install cdc-openssh successfully, but it would then fail to run on a PowerPC platform that did not have a 32-bit PAM library installed, e.g. RHEL 6.4 PPC. The install script now raises an error and ends the installation if the library is not there.

 

Note: 32-bit PAM is required on PowerPC platforms. On those platforms, please make sure the pam-<version>.ppc package is installed before installing Centrify OpenSSH. (Ref: 53153)

 

 

3.5.          Bugs Fixed in Centrify DirectControl 5.1.2

DirectControl Agent

 

·       When running SELinux in enforcing mode, the executable map adauto.pl was blocked by SELinux. This is fixed. (Ref: 37027, 48829)

  

·       A zone in one forest while the machine is joined to another forest is not a supported scenario; however, adjoin did not stop users from doing this. This is fixed: adjoin now rejects such requests. (Ref: 41017)

  

·       adjoin self-serve failed for precreated computer with hostname (samAccountName) > 14 chars if the domain name was entered in upper case. This is fixed such that adjoin will accept both upper case and lower case domain names. (Ref: 44297)

  

·       An AD user was incorrectly allowed to ssh into a machine that was not zone enabled. This problem only occurred if the machine had a local user whose name matched the AD user logging in. This is fixed. Authentication, including Centrify OpenSSH, now honors .k5login first if it is present. This means an empty .k5login file forces the user (in this case the local user) to do an interactive password login. (Ref: 45175)

  

·       When a computer was removed from a computer role group it did not correctly get updated on Linux. This is fixed. (Ref: 45632)

  

·       User cannot login with mixed case (Ref: 45965)

 

When users have set auto.schema.name.lower: true, all authentications will use lower case names for verification. However, previously some kerberized applications were still using case-sensitive verification with credentials. This is fixed.

  

·       autozone users failed to login in offline mode after a while (when the password cache, controlled by adclient.cache.expire, expired). This is fixed by keeping the cache live while in offline mode.  (Ref: 47494)

  

·       On AIX, if a member list in /etc/group was longer than 1000 characters, the system would not recognize the group membership after joining a domain, e.g. running “id user1” did not show all secondary groups of user1. This is fixed. Note: with the fix, you need to run adreload after making changes to /etc/group; otherwise the change will not take effect. (Ref: 48160)

  

·       Installation flags have been relocated. (Ref: 48407)

 

The installation script now uses /var/centrifydc/tmp instead of /var/tmp to hold installation directives, such as CENTRIFY_FORCE_DISCONNECTED_UPGRADE to force an upgrade in disconnected mode. This is a change of behavior.

  

·       Added a security check on configuration file access, e.g. files referenced by centrifydc.conf and others such as group.ovr and user.ignore. (Ref: 48413, 53583)

 

When Centrify software reads a parameter from a user-defined configuration file (e.g. a file referenced in centrifydc.conf), the referenced file must be owned by root and must not be world writable; otherwise it is ignored. If this happens, you may see warning messages in centrifydc.log like these:

-   Config file [<file name>] is not owned by root. Skip reading config file for property <property name>. Please change its owner to root to enhance security.

-   Config file [/tmp/allow.txt] is world writable. Skip reading config file for property adclient.prevalidate.allow.users. Please ensure the file is not world writable to enhance security.

 

Note: the default root umask on some HPUX is 0 which results in files created by root being world writable and hence being ignored if they are used in centrifydc.conf. The system will not work properly until you fix the file permission. It is recommended to change the default root umask to 022.

 

This is a security enhancement but also a change of behavior.

  

·       The non-unique Kerberos credential cache was removed prematurely. (Ref: 48286)

 

With the centrifydc.conf parameter krb5.unique.cache.files: false, the non-unique Kerberos credential cache should be shared by multiple concurrent sessions. However, it was incorrectly removed while one or more user sessions were still open. This is fixed.

  

·       Using auto.schema.allow.groups in centrifydc.conf to allow AD groups access to a machine did not work reliably. Sometimes users had to run ‘adquery group’ command to trigger the update of group information. This is fixed. (Ref: 48557, 51428)

  

·       In DirectControl version 5.1.0, the preferred site reported by adinfo was incorrectly converted to lower case. One impact was that DirectAudit installed on the same machine could fail to find a valid Collector by site information, because the site name no longer matched. This is fixed. (Ref: 48836)

  

·       adclient failed to remove decommissioned domain controllers from krb5.conf. (Ref: 49897)

 

adclient by default updates the Kerberos configuration file, krb5.conf, with new domain information. However, it does not remove lines it does not know about, because the file may contain other information, such as target hosts. In this release we provide a new switch, adclient.krb5.conf.domain_realm.strict, in centrifydc.conf that lets users decide whether unknown hosts in the [domain_realm] section for the joined domain should be removed.

 

·       Upgrading from 5.0.x to 5.1.0 or above failed to upgrade the authorization cache, with the result that some users might not be recognized. This is fixed. (Ref: 50476)

 

·        Force enable smartcard support for RHEL (Ref: 51229)

- Enabling smart card support via Group Policy or 'sctool' utility will automatically turn on RHEL's 'Smartcard Authentication' option. Previously it did not.

 

·       adkeytab now disallows -m with the -r (--reset) option because this is not a valid combination. (Ref: 43682)

  

·       dzcheck is executed by dzdo in the context of the runas user, so it may be executed as root. As a security enhancement, before executing dzcheck, dzdo now checks that dzcheck is owned by root and is not group- or world-writable, and does not execute it if it cannot be trusted. The DEBUG log message “Dzdo Validator: /usr/share/centrifydc/sbin/dzcheck does not exist or not executable or cannot be trusted.” indicates this condition. If this happens, correct the file permissions and ownership of dzcheck. (Ref: 50087, 50088)
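The two file-trust rules in these notes, the check on files referenced from centrifydc.conf (Ref: 48413 above, plus the no-symlink rule of Ref: 54267) and the check dzdo performs on dzcheck (this item), implemented as an added example that is not Centrify's code. The 'property: file:/path' syntax and the parameter names other than adclient.prevalidate.allow.users are assumptions, and the ownership and mode values are constructed.

```python
"""Trust checks for files that influence authentication and authorization decisions.

config_file_problems() models the rule for files referenced from
centrifydc.conf (root-owned, not world writable, not a symlink);
dzcheck_problems() models the stricter rule dzdo applies to the dzcheck
validator (additionally not group writable, and executable). Added example,
not Centrify's implementation.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, List

ROOT_UID = 0


@dataclass
class FileFacts:
    """Ownership and mode of a file, decoupled from the filesystem so the rules can be tested."""
    uid: int
    mode: int            # full st_mode from lstat(), file-type bits included
    exists: bool = True


def collect_facts(path: str) -> FileFacts:
    """Use lstat() so a symlink is judged as a symlink rather than as its target."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return FileFacts(uid=-1, mode=0, exists=False)
    return FileFacts(uid=st.st_uid, mode=st.st_mode)


def config_file_problems(facts: FileFacts) -> List[str]:
    """Reasons a referenced config file is skipped; an empty list means the file is trusted."""
    if not facts.exists:
        return ["does not exist"]
    problems: List[str] = []
    if stat.S_ISLNK(facts.mode):
        problems.append("is a symlink")
    if facts.uid != ROOT_UID:
        problems.append("is not owned by root")
    if facts.mode & stat.S_IWOTH:
        problems.append("is world writable")
    return problems


def dzcheck_problems(facts: FileFacts) -> List[str]:
    """Stricter rule for dzcheck: group write access and a missing execute bit are also rejected."""
    problems = config_file_problems(facts)
    if facts.exists:
        if facts.mode & stat.S_IWGRP:
            problems.append("is group writable")
        if not (facts.mode & stat.S_IXUSR):
            problems.append("is not executable")
    return problems


def file_references(conf_text: str) -> Dict[str, str]:
    """Map property -> path for every 'property: file:/path' line (assumed centrifydc.conf syntax)."""
    refs: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if ":" not in line:
            continue
        prop, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("file:"):
            refs[prop.strip()] = value[len("file:"):]
    return refs


def audit_conf(conf_text: str, facts_for: Dict[str, FileFacts]) -> Dict[str, List[str]]:
    """centrifydc.log-style warnings for each referenced file that fails the trust check.

    facts_for supplies constructed facts; any path not in it is checked on the real filesystem.
    """
    warnings: Dict[str, List[str]] = {}
    for prop, path in file_references(conf_text).items():
        facts = facts_for.get(path) or collect_facts(path)
        for reason in config_file_problems(facts):
            warnings.setdefault(prop, []).append(
                f"Config file [{path}] {reason}. Skip reading config file for property {prop}.")
    return warnings


# Constructed centrifydc.conf fragment and constructed lstat() results.
SAMPLE_CONF = """
# constructed fragment; parameter names other than the first are assumed
adclient.prevalidate.allow.users: file:/tmp/allow.txt
pam.allow.users: file:/etc/centrifydc/users.allow
pam.deny.users: file:/etc/centrifydc/users.deny
"""
SAMPLE_FACTS = {
    "/tmp/allow.txt":              FileFacts(uid=0,    mode=stat.S_IFREG | 0o666),  # world writable
    "/etc/centrifydc/users.allow": FileFacts(uid=1001, mode=stat.S_IFREG | 0o644),  # not root-owned
    "/etc/centrifydc/users.deny":  FileFacts(uid=0,    mode=stat.S_IFREG | 0o644),  # trusted
}

if __name__ == "__main__":
    for messages in audit_conf(SAMPLE_CONF, SAMPLE_FACTS).values():
        for message in messages:
            print("WARN", message)
    facts = collect_facts("/usr/share/centrifydc/sbin/dzcheck")
    print("dzcheck:", ", ".join(dzcheck_problems(facts)) or "trusted")
```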

  

·       If dzdo.search_path was set to path ending with “/”, e.g. “/usr/bin/” instead of “/usr/bin”, the path matching would fail. This is fixed. (Ref: 52662)

  

DirectManage Access Manager

 

·       ‘Show effective users’ failed to show any users if an AD group had a contact as one of its members. This is fixed such that the contact will be ignored. (Ref: 43912)

  

·       Precreating a computer account with a hostname longer than 15 characters might result in a computer object with a CN of up to 19 characters but a samAccountName truncated to 15 characters, causing the subsequent adjoin to fail. This is fixed in DirectManage Access Manager. When users precreate a computer with a hostname longer than 15 characters, the following warning is shown: (Ref: 44349)

 

The computer name exceeds 15 characters. Please note that:

-   This will break the NTLM secure channel.

-   For adclient to work with long host name (up to 19 characters), you have to update the adjoin.samaccountname.length setting in centrifydc.conf.

Do you want to continue?

  

Report Center

 

·        Export now supports CSV format instead of Excel format (which was in fact an HTML format). (Ref: 43745)

 

Zone Provisioning Agent

 

·       ZPA failed to provision if a Contact object was in the AD group. This is fixed. (Ref: 49585)

 

Centrify OpenSSH

 

·        The previous version used the SSHv2 protocol by default but did not show this in the corresponding configuration file, so some security analyzers might incorrectly judge that it was using SSHv1 by default. This is now made explicit by specifying ‘Protocol 2’ in the configuration file. (Ref: 53959)
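An added example (not Centrify's or OpenSSH's code) that audits an sshd_config for the two settings these notes discuss: UsePrivilegeSeparation should be explicitly 'sandbox' (the 5.1.3 item, Ref: 58590) and 'Protocol 2' should be stated explicitly (this item). It goes one step further than the note by also flagging a Protocol value that still lists 1. Both configuration samples are constructed.

```python
"""Audit an sshd_config for the privilege-separation and protocol settings.

sshd applies the first occurrence of a keyword, keywords are case-insensitive,
a keyword and its value may be separated by whitespace or '=', and '#' starts
a comment. Added example, not Centrify's or OpenSSH's code.
"""
import re
from typing import Dict, List

# Default for an unset UsePrivilegeSeparation, as stated in the 5.1.3 note.
DEFAULT_PRIVSEP = "yes"


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return lowercase keyword -> value, keeping the first occurrence of each keyword."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text: str) -> List[str]:
    """List the findings a reviewer would raise against this configuration text."""
    findings: List[str] = []
    settings = parse_sshd_config(text)

    privsep = settings.get("useprivilegeseparation", DEFAULT_PRIVSEP)
    if privsep.lower() != "sandbox":
        findings.append(
            f"UsePrivilegeSeparation is effectively '{privsep}'; set it to 'sandbox'")

    proto = settings.get("protocol")
    if proto is None:
        findings.append(
            "Protocol is not stated; add 'Protocol 2' so scanners do not assume SSHv1")
    elif "1" in [p.strip() for p in proto.split(",")]:
        findings.append(f"Protocol '{proto}' still permits SSHv1; set 'Protocol 2'")
    return findings


# Constructed: options commented out, so sshd's defaults apply and scanners see nothing explicit.
WEAK_CONFIG = """
#Protocol 2
#UsePrivilegeSeparation yes
Port 22
"""

# Constructed: the explicit settings the two notes describe.
FIXED_CONFIG = """
Protocol 2
UsePrivilegeSeparation sandbox
Port 22
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```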

 

3.6.          Bugs Fixed in Centrify DirectControl 5.1.1

DirectControl Agent

 

·        Active Directory user fails to find credential cache after login to a newly created WPAR on AIX

 

In a newly created WPAR, the /var/krb5/security/creds/ directory does not exist. The DirectControl post-install script creates it with root permissions, but did not change its permissions to make it a world-writable directory. Hence an Active Directory user failed to find the credential cache after login, because the application could not access the credential cache in that directory. This issue is fixed in this release. (Ref: 39909)

 

·        The command utility, adcheck, had a potential security vulnerability of creating temporary files with world write access. This is fixed in this release. (Ref: 47636).

 

DirectManage Access Manager

 

·        Some roles might not appear in the Role Browser when creating a new role assignment. This was related to the default role in older versions. This is now fixed. (Ref: 39899, 40968)

 

·        The User Effective Rights Report showed only users in the current forest. This is now fixed. (Ref: 40023)

 

·        The “Incomplete user UNIX Data” check in the Analyze wizard might take a very long time to run if the zone had thousands of users. This is now fixed. (Ref: 45896)

 

·        The Prepare computer wizard might show the error “Unable to find Zone” if the letter case of the domain name differed between the object path and the trustedDomain object. This is now fixed. (Ref: 43474)

 

·        An unexpected exception was thrown if the user chose ‘Accept’ for a pending UNIX group in a computer zone. This is now fixed. (Ref: 44900)

 

Centrify OpenSSH

 

·        Fixed the following issues in Centrify OpenSSH’s helper scripts:

- Centrify SSH daemon does not start automatically after reboot on HPUX (Ref: 38294)

- "/etc/init.d/centrify-sshd status" gets unexpected result when cdc-sshd is stopped (Ref: 37157)

- condrestart in centrify-sshd.init does not work in the RHEL 6.x upstart (Ref: 43655)

- "/etc/init.d/centrify-sshd" does not show confirmation message on Solaris or Debian (Ref: 37798)

 

3.7.          Bugs Fixed in Centrify DirectControl 5.1.0

DirectControl Agent

 

·        DirectControl Agent has historically written working data to /tmp. This version of DirectControl Agent uses /var/centrify/tmp for its working data. This eliminates the symlink vulnerability exposed by the /tmp directory, to which every user has write access (Ref: 38474).

 

·        adclient crashed a couple of times a day while performing its own internal health checks on AIX. This was due to a bug in the gcc shared library. The gcc compiler has been upgraded to resolve this issue (Ref: 27370).

 

·        When the user moves from local domain to foreign domain in a one-way forest trust, the user cannot login in offline mode.  This issue is fixed in this release (Ref: 31031).

 

·        Fixed adclient entering “down” status when a user in a foreign group is migrated to the current domain (Ref: 34512).

 

·        Fixed an adclient core dump when authenticating with a bad password (Ref: 32320).

 

·        Fixed a bug that causes high CPU utilization if DirectControl agent switches to another domain controller while it is constructing the internal cache (Ref: 36663).

 

·        Joining a computer now supports host names longer than 15 characters and containing dots (Ref: 32773).

 

·        Fixed the self-serve join problem after pre-create computer if the zone parameter is not specified.  Without the zone parameter, self-serve join would select the first zone in the list (Ref: 36662).

 

·        Fixed a defect where the adquery or getent group command returned duplicate or missing members if a group contained more than 500 members (Ref: 31128).

 

·        Fixed a problem where file systems were automatically mounted when the group command was executed (Ref: 26467).

 

·        Fixed adquery listing users who have no listed or login role (Ref: 32486).

 

·        Roles can be inherited from more than 2 levels in hierarchical zones (Ref: 29982).

 

·        An LDAP user who has not been migrated to AD could not change their LDAP password upon logon on a server with Centrify installed.  This is fixed (Ref: 29383).

 

·        /tmp directory is filled up with random name files after running adauto.pl repeatedly.  A random name file is created by each invocation of adauto.pl.  This problem is now fixed (Ref: 34582).

 

DirectManage Access Manager

 

·        DirectManage Access Manager does not time out in a big forest when a computer zone is created (Ref: 33229).

 

·        When a zone was moved in DirectManage Access Manager, the new zone path was not updated in the Centrify Profile in ADUC.  This problem is fixed (Ref: 33229).

 

·        DirectManage Access Manager can coexist with DirectManage Audit Manager and DirectManage Audit Analyzer in the same MMC console (Ref: 26113).

 

Zone Provisioning Agent

 

·        The Zone Provisioning Agent service account is now retained across an upgrade (Ref: 33500, 57575).

 

·        The Zone Provisioning Agent now keeps its configuration settings during an upgrade (Ref: 30031).

 

·        The Zone Provisioning Agent copies users and groups correctly when there are duplicate samAccountName values (Ref: 33535).

  

·        The Zone Provisioning Agent will no longer unprovision existing user profiles from a zone when it detects that one of the source groups has been deleted (Ref: 30025).

 

·        Fixed the Zone Provisioning Agent issue that caused the "The server is not operational" error; the LDAP connection is now reused (Ref: 31331).

 

Centrify OpenSSH

 

·        The Ticket Granting Ticket (TGT) was not forwarded by Centrify OpenSSH.  This problem is now fixed (Ref: 30610).

 

·        Previously, Centrify OpenSSH sshd used a hardcoded USERPATH, resulting in some paths specified in $PATH being missing after sshd started.  This problem is now fixed, and a new DefEnvPATH option has been added to sshd_config so that administrators can set the appropriate default PATH values (Ref: 29759).

 

3.8.          Bugs Fixed in Centrify DirectControl 5.0.5

 

·        Added group policies for Mac OS X 10.8. See the Group Policy Guide for details.

 

·        Centrify 4.5.5 OpenSSH does not remove /usr/local/bin from the PATH environment variable.

3.9.          Bugs Fixed in Centrify DirectControl 5.0.4

 

·        This release contains new features and no bug fixes. See section 2.2 for the list of new features.

3.10.     Bugs Fixed in Centrify DirectControl 5.0.3

 

·        See the Centrify DirectControl for Mac OS X release notes in the Documentation directory for more information.

3.11.     Bugs Fixed in Centrify DirectControl 5.0.2

 

·        Users can log in to Active Directory with a SID from sidHistory in the tokenGroups attribute.

 

·        Users can log in to Active Directory through the local cache after the machine is disconnected and restarted.

 

·        NTLM logins to the Active Directory domain work through the local cache when the machine cannot access the domain controller.

 

·        The adedit create_zone API works with a FIPS-compliant license.

 

·        An AD user expires from the cache if it is marked force-expired, even if the cached AD user is queried frequently.

 

·        An overridden AD user is visible even after its name has been flushed from the cache.

 

·        adsmb can successfully get a file.

 

·        Centrify 4.5.3 OpenSSH X11 forwarding works in an IPv4 network.

 

·        Centrify 4.5.3 OpenSSH does not stall for a few seconds when logging in to Solaris SPARC machines.

 

·        Centrify 4.5.3 OpenSSH can coexist with Solaris SSH.

 

·        Users and groups imported from passwd and group files do not show the "Incomplete user UNIX data" error message.

 

·        Deployment Manager works with an interactive prompt after the ssh connection is established.

 

·        Rights are accumulated across multiple roles with the restricted shell.

 

·        The Centrify 4.5.3 PuTTY release is updated to the latest open source PuTTY 0.62 release and adds all the new features delivered in that release. PuTTY 0.62 contains a security fix so that it no longer retains passwords in memory.

3.12.     Bugs Fixed in Centrify DirectControl 5.0.1

 

·        SuSE 11 does not crash if a tilde is used in ksh.

 

·        DirectControl can now be upgraded via Ubuntu apt-get.

 

·        A user whose effective rights are non-password cannot log in with a password.

 

·        A user gets the restricted shell if "Login with non-Restricted Shell" in "System Rights" is not checked.

 

·        adsmb is able to use the current Active Directory user's credentials.

 

·        Upper-case netgroup names are supported in LDAP Proxy.

 

·        adnisd reads the correct NIS maps even if the DirectControl agent switches to another domain controller while adnisd is reading the NIS maps.

 

·        ZPA does not truncate the UNIX name to 8 characters if the "Truncate the UNIX name to eight characters" check box is not selected.

 

·        ZPA collects a debug log if "Turn on debug logging" is checked in the ZPA Configuration Panel.

 

·        When searching for users in a remote forest, the remote forest is shown in a separate tree.

 

·        Find Users now works even if orphans exist in zones.

4.     Known Issues

 

The following sections describe common known issues or limitations associated with this Centrify Server Suite release; they are categorized as follows:

 

- DirectManage Access Manager

- Group policies

- Zone Provisioning Agent

- DirectControl Agent

- Centrify NIS server (adnisd)

- Centrify Network Information Service

- Centrify LDAP Proxy

- Smart Card

- Zone Migration

- Interoperability with Centrify Samba

 

In addition to the known issues described in these sections, you should review the appropriate platform-specific release-notes-agent.txt file for the operating environments you support.

 

For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to the Knowledge Base articles for any known issues with the release.

DirectControl Agent

 

·          Issue with RHEL 7 (Ref: 65104a)

 

DirectControl is supported on RHEL 7. However, due to a RHEL 7 issue, you need to reboot the machine or run the following commands from the ssh console in order to make GDM UI login work.

$ sudo systemctl restart messagebus

$ sudo systemctl restart gdm

 

·          pam.allow.override is not working on AIX (Ref: 61917a)

  

This is because a user name with the @localhost suffix is not supported on AIX. The LAMGetEntry call that is used to get user information and extended attribute information does not support a login name change; hence login fails, as there is no way to find or authenticate the user.

 

·          Issue on interoperability with DirectAudit (Ref: 64841a)

  

In DA 2.x, there is a configuration parameter ‘dash.user.alwaysallowed.list’ in centrifyda.conf that holds a list of users who can start a session even when the DirectAudit agent cannot perform auditing. However, this parameter is not honored by the DirectControl agent when DirectAudit is not functional.

 

In DA 3.x, a better solution is implemented using the "rescue/always permit login" sysright. This sysright is honored by both DirectControl and DirectAudit and should obsolete ‘dash.user.alwaysallowed.list’. Hence, when upgrading from DA 2.x to DA 3.x, assign the users in the ‘dash.user.alwaysallowed.list’ list to the "always permit login" role (if any of these users have "audit required" in their roles).

 

·          On AIX, upgrading DirectControl in disconnected mode may cause unexpected behavior (Ref: 39461a)

 

On AIX, upgrading DirectControl from 5.0.2 or older versions in disconnected mode may cause unexpected behavior: the centrifydc service may be down after the upgrade. It is recommended not to upgrade DirectControl in disconnected mode.

 

·          On some versions of AIX, users may not be able to log in if LOGIN_NAME_MAX is set to 9 (Ref: 40731a)

 

Some versions of AIX cannot handle user names longer than eight characters. As a preventive measure, a new test case has been added to adcheck that checks whether the parameter LOGIN_NAME_MAX is set to 9. If it is, adcheck shows a warning so that users understand the potential risk and can decide whether it is a problem in their environment.

 

·          On Solaris 8 and 9, installation of DirectControl may fail because Perl is not installed (Ref: 45722a)

 

Some versions of Solaris, e.g. 8 and 9, may not have Perl version 5.8 or above pre-installed, which results in some DirectControl features, e.g. group policy, not running properly. Starting from DirectControl version 5.1.1, adcheck enforces a check for the correct Perl version. If the Perl version is not 5.8 or above, adcheck fails the test case. The user has to install a proper Perl version before deploying the DirectControl agent.

 

·          On HPUX 11.11 and 11.23, KCM server credential support may not work due to missing libc patches, resulting in some features not working, e.g. AD users cannot access a Samba server. (Ref: 53496a)

 

On HPUX 11.11, the patch PHCO_36184 is required, whereas on HPUX 11.23, the patch PHCO_35744 is required. As a preventive measure, a new test case has been added to adcheck that checks whether the required patch is present. If the required patch is not available, adcheck shows the failed test case and advises users to install the required patch before deploying the DirectControl agent.

  

·          PAM messages depend on operating system (Ref: 9880c)

 

Configurable PAM messages from pam.account.locked.mesg parameter in centrifydc.conf may not be shown depending on the login method, daemon version and operating system version.

 

·          Cross forest groups are not supported in the pam.allow.group or pam.deny.groups property setting. (Ref: 13127a)

 

·          Working with adclient.client.idle.timeout (Ref: 13325c)

 

This property is only read at startup; hence, if it is changed, adclient must be restarted. There is a Group Policy setting for this property, but changing it has no effect until adclient is restarted on the affected machines.

 

·          Use of addns on computers that act as network gateways (Ref: 15381c)

 

UNIX computers that act as gateways between different networks may require the addns command line to be specified so that the correct network adapter IP address is registered in Active Directory's DNS. Set the adclient.dynamic.dns.command property in /etc/centrifydc/centrifydc.conf to the addns command line necessary to select the correct network interface and IP address.

 

·          Working with users defined in a Kerberos realm (Ref: 17977a)

 

DirectControl supports users defined in a Kerberos realm as long as the Kerberos domains / realms are resolvable by DNS. Kerberos realm names are case sensitive, so care should be taken to check the spelling / case of any realm used.

 

·          Use of rsh and rcp with DirectControl (Ref: 18570c, 17392c)

 

rsh and rcp are considered archaic methods and should not be used with DirectControl as their behavior cannot be guaranteed in all circumstances.

 

·          adedit cannot create AIX extended attributes in a SFU zone (Ref: 24421c)

 

·          Failed to login as override user with NSCD running (Ref: 37182c)

 

On Solaris, with NSCD running, an attempt to log in as an override user using <username>@localhost fails.

  

·          Potential issues on Fedora 19 and above (Ref: 47516a, 48825a)

 

There are several potential issues on Fedora 19 and above:

1)  adcheck will fail if the machine does not have Perl installed.

2)  Group Policy will not be fully functional unless Text/ParseWords.pm is installed.

 

·          Using DirectControl 4.x agents with DirectControl 5.x (Ref: IN-90001)

 

DirectControl 4.x agents can join classic zones created by DirectControl 5.x. It is ostensibly possible to join a DirectControl 4.x agent to a hierarchical zone as well, but this causes failures later, as such behavior is undefined.

 

 

·          Some non-alphanumeric characters are valid in Windows user or group names and are converted to an underscore ("_") when converted to UNIX names in Access Manager, but cannot be used in adedit. (Ref: IN-90001)

 

The list is:

\ ( ) + ; " , < > =

  

·          Default zone not used in DirectControl 5.x (Ref: IN-90001)

 

In DirectControl 4.x, and earlier, there was a concept of the default zone. When DirectControl was installed a default zone could be created that would be the default zone used when none was specified. If no zone was specified when joining a domain with adjoin, the default zone would be used.

 

This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.

 

A zone called "default" may be created, and default zones created in earlier versions of DirectControl may be used, but the name must be explicitly used.

 

·          Change password and rsh / rlogin (Ref: IN-90001)

 

When using rsh or rlogin to access a computer that has DirectControl installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.

 

·          Changing the password of an orphan user with adpasswd (Ref: IN-90001)

 

adpasswd should not be used to change the password of an orphan user.  If it is used, the following error is generated:

 

Error: Unsuccessful IPC execute: system error

 

·          Working with /var mounted via NFS (Ref: IN-90009)

 

The directory /var should not be NFS mounted or else DirectControl may not work properly.

 

·          nss.minuid and nss.mingid are no longer used (Ref: IN-90009)

 

These have been replaced by user.ignore and group.ignore.  DirectControl ignores the local UID and GID values that correspond to the users and groups in the .ignore files and generates uid.ignore and gid.ignore files.   The values from nss.minuid and nss.mingid are added to these files during the upgrade process.

 

·         When logging in to a RedHat system using an Active Directory user that has the same name as a local user, the system does not warn the user of the conflict, which results in unpredictable login behavior. The workaround is to remove the conflict or log in with a different AD user. (Ref: 33718a, 33719a)

 

 

   DirectAuthorize on Linux/UNIX

 

·          Use of common UNIX commands with DirectAuthorize restricted shells

 

The DirectAuthorize restricted shell restricts users to a predetermined set of commands; however, several common UNIX commands may allow users to execute commands that are not allowed in the restricted shell. The following list provides general guidance and specific examples of the issues to consider:

 

- The man command (Ref: 14354a)

 

When adding a privileged command for the man command in a restricted environment, Centrify recommends:

 

* selecting Reset Environment Variables to allow users to use the default pager only.

 

* disallowing the -P, -C, -B or -H options, so that users can use only the default pager and man configuration file, by adding the following commands in addition to the command for man:

 

!man -[PCBH]*

!man * -[PCBH]*

 

The PAGER and MANPAGER environment variables and the -P, -C, -B, or -H options can allow a user to run a command not permitted by DirectAuthorize in the restricted environment.

 

- The Allow nested command execution option (Ref: 14726a)

 

The Allow nested command execution checkbox on the Attributes tab of the property page for a privileged command allows the privileged command to execute another command. This option is deselected by default (so the command is not allowed to execute other commands), but not all operating systems honor this restriction:

 

Solaris           Honored in all cases

AIX 5.3, 6.1, 7.1 Honored except if a program is seteuid

HP-UX             Honored except if a program is seteuid

Linux             Honored except if a program is seteuid and the Run As... user is not root

 

- The tar command (Ref: 14880a)

 

When adding the tar command to a restricted environment, Centrify recommends adding the following commands, in addition to the tar command itself, to prevent use of the --use-compress-program option of tar.

 

!tar --use-compress-program*

!tar * --use-compress-program*

 

This prevents the user from using the --use-compress-program option to run other commands not allowed in the restricted environment.

 

- cron jobs (Ref: 14881a)

 

Cron jobs are run by the cron daemon, which has no dzsh restrictions, meaning that any restrictions placed on the user who created the cron job will not be in force when the job itself is run.

 

For this reason, Centrify recommends that users who run in the dzsh restricted shell are not given access to the crontab command.

 

- Editors that allow shell escapes (Ref: 14883a)

 

When adding the vi or view command to a restricted shell, the shell escape feature of the command can allow the user to execute a command not allowed in the restricted shell.

 

In addition, the perl, python and ruby support feature of vim, if available, can allow a user to execute a command not allowed in the restricted shell. To check whether your version of vim has perl, python or ruby support, run vim --version and look for +perl, +python, or +ruby.

 

Centrify recommends the following:

 

* Configure the command to not allow nested command execution (this is the default) to prevent shell escapes

 

* Use the rvi or rview command instead if available.

 

Vim is used as an example here; this applies to any other editor that includes the ability to escape to the shell and/or includes scripting language support.

 

- The rsync command (Ref: 14885a)

 

When adding the rsync command to a restricted environment, Centrify recommends adding the following commands, in addition to adding the rsync command itself, to prevent usage of the -e and --rsh options:

 

!rsync -e*

!rsync * -e*

!rsync --rsh*

!rsync * --rsh*

 

This prevents the user from using the -e or --rsh options to run commands not allowed in the restricted environment.
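
The man, tar and rsync recommendations above all have the same shape: one rule that allows the command, plus negated rules (leading "!") that catch the specific option which would let the command run something else. The script below is added here as an example of checking such a rule set against sample command lines before it is deployed; it is not DirectAuthorize code. It assumes, for the illustration only, that rules are matched as shell-style globs against the whole command line (Python's fnmatch) and that a deny match beats an allow match; the matching semantics of the real restricted shell are not documented on this page, so treat that as an assumption. The rule list and the sample command lines are constructed from the text above.

```python
import fnmatch
from typing import Iterable, Optional, Tuple

# Rule set built from the recommendations above (constructed for this example).
# A leading "!" denies; any other rule allows. A deny match wins over an
# allow match, and a command line matching nothing is denied.
RESTRICTED_RULES = [
    "man *",
    "!man -[PCBH]*",
    "!man * -[PCBH]*",
    "tar *",
    "!tar --use-compress-program*",
    "!tar * --use-compress-program*",
    "rsync *",
    "!rsync -e*",
    "!rsync * -e*",
    "!rsync --rsh*",
    "!rsync * --rsh*",
]


def evaluate(cmdline: str,
             rules: Iterable[str] = RESTRICTED_RULES) -> Tuple[str, Optional[str]]:
    """Decide whether a command line is permitted under the rule set.

    Returns ("deny", rule) for the first deny rule that matches,
    ("allow", rule) if an allow rule matches and no deny rule does, and
    ("deny", None) if nothing matches (default deny). Matching is
    shell-style glob matching (fnmatch) against the whitespace-normalised
    command line; that is an assumption made for this illustration."""
    cmdline = " ".join(cmdline.split())
    allowed_by = None
    for rule in rules:
        if rule.startswith("!"):
            if fnmatch.fnmatchcase(cmdline, rule[1:]):
                return ("deny", rule)
        elif allowed_by is None and fnmatch.fnmatchcase(cmdline, rule):
            allowed_by = rule
    return ("allow", allowed_by) if allowed_by else ("deny", None)


def audit(cmdlines: Iterable[str], rules: Iterable[str] = RESTRICTED_RULES) -> dict:
    """Evaluate several command lines at once, so a rule set can be checked
    against the invocations it is meant to allow and the ones it must stop."""
    rules = list(rules)
    return {c: evaluate(c, rules) for c in cmdlines}


if __name__ == "__main__":
    # Constructed sample command lines: ordinary use of each command, plus
    # the option the text above says must be blocked.
    sample = [
        "man ls",
        "man -P more ls",
        "man ls -C cfg",
        "tar -xf archive.tar",
        "tar --use-compress-program=gzip -xf archive.tar",
        "rsync -av src/ dst/",
        "rsync -e ssh src/ dst/",
        "rsync -av --rsh=ssh src/ dst/",
        "ls -l",
    ]
    for cmd, (verdict, rule) in audit(sample).items():
        print(f"{verdict:5}  {cmd!r:50}  by {rule!r}")
```

The last line of the rule set's behaviour worth checking is the one the text warns about: with only the allow rule "man *" in place, "man -P more ls" is allowed, which is exactly why the negated rules for the pager options have to be added alongside it.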

 

·          Cannot add cross domain or cross forest users to roles in classic zone (Ref: IN-90001)

 

DirectAuthorize does not currently support adding users from other domains into roles when the domain controllers are running Windows Server 2003 with security update 926122 or service pack 2.  This is a Microsoft issue, and a hotfix is available to install on computers running the DirectAuthorize console that need to run in these domains. More information may be found here:

 

http://support.microsoft.com/kb/943875

 

·          Cannot add cross forest groups to a role in classic zones (Ref: IN-90001)

 

DirectAuthorize does not support adding groups from a trusted forest into roles at this time; all groups added to roles should be defined in the local forest. However, users from a trusted forest may be added to groups in the local forest and then added to a role, or they may be directly added to a role.

 

·          DirectAuthorize reports do not include users in remote forest (Ref: IN-90001)

 

In this release the "Classic Zone - User Role Assignments Grouped by Zone" and "Classic Zone - User Privilege Command Rights Grouped by Zone" reports only show users in the local forest; any users in remote (trusted) forests are not included in the reports.

 

·          UI elements occasionally do not appear when expected (Ref: IN-90009)

 

On occasion, the DirectAuthorize console does not show the expected results, or nodes do not appear in the tree on the left side of the console screen. When this happens, choose Refresh from the right-click menu and the screen should refresh to show the expected results. If this does not fix the problem, choose Refresh from the next higher point up the tree from where you expect the result to be shown and that should cure the problem.

 

   DirectControl Auto Zone mode

 

·          One-way cross forest trusts are not supported in Auto Zone mode (Ref: AG-0403)

 

   Smart Card

 

·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smart card is inserted on the login screen, a PIN prompt may not show up until you press the "Enter" key. As a workaround, replace libsoftokn3.so (a shared object file in the nss package) with the older one from RHEL 5.9. (Ref: 75243a)

 

·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after logging in with a smart card. As a workaround, replace libsoftokn3.so (a shared object file in the nss package) with the older one from RHEL 5.9. (Ref: 65466a)

 

·          When a SmartCard user attempts to login on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: 31765a)

 

·          On RedHat, any SmartCard user gets a PIN prompt even if the user is not zoned, even though the login attempt will ultimately fail. This differs from Mac behavior: on Mac, if a SmartCard user is not zoned, the user is not prompted for a PIN at all. (Ref: 33482c)

 

·          If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log in to their machine using the expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and password logins while using a smart card. (Ref: 33666a)

 

·          In order to login successfully in disconnected mode (Ref: 34372a):

o   For a password user:

§  A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other CDC Unix behavior)

o   For a SmartCard user:

§  The above is not true of SmartCard login. Given a properly configured RedHat system with a valid certificate trust chain and CRL set up, a SmartCard user may successfully log in using disconnected mode even without a prior successful login in connected mode.

§  If the certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.

§  If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.

 

·          After upgrading from Centrify DirectControl version 5.0.4 to version 5.1, a Smartcard user may not be able to login successfully. The workaround is to run the following CLI commands:

 

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

 

then run adgpupdate. (Ref: 37872c)

 

·          When CRL checking is set via Group Policy and a user attempts to authenticate via smart card, authentication may fail. The workaround is to wait until the next GP update interval has passed and try again, or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: 38080c)

 

·          After upgrading from Centrify DirectControl Version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to perform the following command sequence:

 

sctool -d

sctool -e

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

adgpupdate

 

and then re-login using the SmartCard and PIN. (Ref: 39004c)

 

·          A name-mapping user can unlock screen with password even though the previous login was with PIN. (Ref: 46199c)

 

·          The PIN must be entered twice to log in using a CAC card with PIN on RedHat: the first input fails but the second one succeeds. (Ref: 39693c)

 

·          Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: 46172c)

 

·         Screen saver shows password not PIN prompt (Ref: 47625a)

Most smart card users are allowed to log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this set up works seamlessly: the user either enters a user name and password at the log on prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks while the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters the password multiple times, the card will lock once the limit for incorrect entries is reached.

 

    DirectManage Access Manager

 

·          After upgrading Access Manager from Centrify Suite 2013 to Centrify Server Suite 2014, the category screen in Windows 8 or Windows Server 2012 still does not show “Centrify Server Suite 2014”. The change takes effect after a reboot. (Ref: 58351a)

 

·          Calculating effective users (Show Effective User Rights menu or reports) in large environment may fail or take a very long time. (Ref: 37496c)

 

·          Import users and groups before importing sudoers file (Ref: IN-90001)

 

Sudoers Import creates user roles but not the users. It is recommended that you import users and groups prior to importing the sudoers file.  Otherwise, no sysRights are created for the users.

 

·          Pre-create computers before importing computer role from sudoers file (Ref: IN-90001)

 

The computers contained in the sudoers file must either be joined to a zone or pre-created. 

 

·          Delegating zone administration permissions for SFU zones (Ref: IN-90001)

 

Delegating permissions to add, remove, or modify users for an SFU zone is not supported.

 

·          Users with rights to import user and groups into a zone also gain rights to modify profiles (Ref: IN-90001)

 

Any users who are given the right to "Import users and groups to zone" are automatically also given the right to "Modify user/group profiles".

 

·          Using domain local groups to manage resources (Ref: IN-90001)

 

Domain local groups can only be used to manage resources in the same domain as the group. So, for instance, a domain local group in domain A may be used to manage a computer in domain A but not one in domain B, despite a trust relationship between the two domains.

 

·          Domain local groups from other domains shown in search dialog (Ref: IN-90001)

 

When using the search dialog in the Access Manager to delegate zone control to a group, domain local groups from child domains will be shown incorrectly in the results and should be ignored. The search results when using the ADUC extension do not show these domain local groups.

 

·          Analyze forest and SFU zones (Ref: IN-90001)

 

The analyze forest feature in Access Manager does not report empty zones or duplicated users or groups in an SFU zone.

 

·          Working with users that have more than one UNIX mapping (Ref: IN-90001)

 

DirectControl supports Active Directory users that have more than one UNIX profile in a zone. However, if you are upgrading from DirectControl 4.x or earlier and have existing users with more than one UNIX mapping, you should use DirectControl Access Manager 5.0.0 or later to remove all but one of the UNIX profiles for each of these AD users and then re-add them.

 

In addition, you should always use DirectControl console 5.0.0 or later when modifying these users.

 

·          In the Centrify Profile tab of the Properties page of a computer joined to a hierarchical zone, you cannot move this computer to a classic zone. Nor can you move it to a zone in another domain. There are no such limitations with a computer joined to a classic zone. (Ref: IN-90001)

 

·          Extra results when analyzing duplicate service principal names (Ref: IN-90001)

 

When running the Analyze / Duplicate Service Principal Names report, kadmin/changepw is incorrectly returned as a duplicate.  The SPN is actually found multiple times, but this is by Microsoft design as it is the default account for the Key Distribution Center service in all domains.

  

·          Secondary groups not imported from XML files (Ref: IN-90009)

 

Using the Import Wizard to import user information from XML files does not import secondary group membership.

  

·          Application rights created by the Centrify Server Suite 2014 Access Manager console cannot be used by the Suite 2013 Windows Agent. (Ref: 56555a)

 

    Report Center

 

·          Color and font change in Report Center occasionally fails (Ref: IN-90009)

 

Changing the font or colors in a report occasionally fails, even though the Format dialog shows the chosen font and color choices when they are made. Re-opening the Format dialog and changing color and/or font again will correctly set the choices for the report.

  

    Zone Migration

 

·          admigrate does not migrate classic SFU zone. (Ref: 31712a)

 

·          admigrate does not migrate zone delegation rights. (Ref: IN-90002)

 

    Group policies

 

·          You may find the warning message "…Kerberos credentials not found for current user." in syslog on certain OS platforms when you run cron jobs. This is because the line "session    include    system-auth" in /etc/pam.d/crond causes the cron job to open a session, which triggers the GP processing check; that check fails to find Kerberos credentials because it is not a real login. A workaround is to comment out that line to avoid the unnecessary warning message. (Ref: 70845a)

 

·          There are four group policies (run command, sudo, crontab entries and Linux firewall) that can merge the lines of different GPOs into a resulting group policy. For the policies to merge, the policy in each GPO must be enforced. Policies with higher precedence are placed lower in the resulting multi-line policy. (Ref: 16638a)

 

·          Entering multi-line password prompt group policies (Ref: 26285c)

 

Multi-line group policies are supported; however, the escaped newline character "\\n" must be used.

 

·          Checking the location of the Perl environment (Ref: 45493a)

 

DirectControl group policies require a version of Perl to be installed and located in the path. If Perl is not found in the path or has been installed in a non-standard location, you may encounter errors when you attempt to set group policies or leave the domain. If Perl is installed on the local computer but not included in the path by default, you can manually edit the shell script /usr/share/centrifydc/perl/run to add the correct path to the front of the PERL_DIRS environment variable.

 

·          Disable does not function with “Allow Groups” group policy (Ref: IN-90001)

 

Disabling the group policy Computer Configuration > Centrify Settings > Centrify SSH Settings > Allow Groups does not disable the policy. To effectively disable groups of users, the groups should be removed from the Group Policy Object.

 

    Centrify Network Information Service

 

·          A problem with the startup and kill sequence of adnisd relative to ypbind during system startup and shutdown has been fixed.  A new installation of CentrifyDC-nis runs chkconfig and the sequence is updated automatically.  An upgrade of CentrifyDC-nis, however, does not run chkconfig; this ensures that any modification made to the startup or kill sequence by system administrators is preserved.  Users can run "chkconfig adnisd on" after the upgrade if the system default is preferred. (Ref: 54501a)

 

·          adnisd daemon fails to start on WPAR (Ref: 39911c)

 

The adnisd service is not currently defined in the WPAR.

 

    Centrify LDAP Proxy

 

·          Wildcard use is not supported with LDAP Proxy (Ref: 26721c)

 

This release of the LDAP Proxy does not support searches using wildcards in rfc2307 mode.

 

·          Require the prefix “auto” in the automount map (Ref: IN-90001)

 

If an automount map created with a 4.x or earlier version of the DirectControl Console does not start with the string "auto" (for example auto.home, auto_master, auto_net), it will not be recognized by this release of the DirectControl LDAP Proxy as an automount map. Automount maps that do not start with the string "auto" must be exported and imported using this version of the DirectControl Console or adedit.

 

    Centrify OpenSSH

 

·          Starting from version 5.1.2, Centrify OpenSSH requires DirectControl version 5.1.2 or above. (Ref: 51889a)

 

    Interoperability with Centrify Samba

 

·          Centrify Samba 4.5.4 or above (Ref: 35573a, 33146a)

 

Starting with version 5.1.0, the DirectControl Agent does not work with any earlier Centrify Samba versions on AIX and SuSE 8. It only works with Centrify Samba 4.5.4 or above.

5.     Additional Information and Support

 

In addition to the documentation provided with this package, you can find answers to common questions, information about any general or platform-specific known limitations, and tips and suggestions in the Centrify Knowledge Base.

 

The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately.  For more information, see the Centrify Resource Center Web site:

 

http://www.centrify.com/resources/overview.asp

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Server Suite, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.