Centrify® Server Suite 2017.1 DirectControl® 5.4.1 Release Notes

© 2004-2017 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

 

Table of Contents

1. About This Release
2. Feature Changes
    2.1. Feature Changes in DirectControl 5.4.1 (Suite 2017.1)
        Security Fix
        General
        DirectControl Agent
        DirectManage Access Manager
        Centrify Report Services
        Access Module for PowerShell
        adedit
    2.2. Feature Changes in DirectControl 5.4.0 (Suite 2017)
        Security Fix
        General
        DirectControl Agent
        Centrify LDAP Proxy
        DirectManage Access Manager
        Centrify Licensing Report
        Centrify Report Services
        Zone Provisioning Agent
        Access Module for PowerShell
        RHEL and CentOS Smartcard
    2.3. Feature Changes in DirectControl 5.3.1 (Suite 2016.1) February 2017 Update
        Security Fix
        Feature Fix
    2.4. Feature Changes in DirectControl 5.3.1 (Suite 2016.1) August 2016 Update
        Security Fix
    2.5. Feature Changes in DirectControl 5.3.1 (Suite 2016.1)
        Security Fix
        DirectControl Agent
        Centrify LDAP Proxy
        DirectManage Access Manager
        Access Module for PowerShell
        Centrify Report Services
        Deployment Report
        Group Policies
        adedit
        Centrify OpenSSH
    2.6. Feature Changes in DirectControl 5.3.0 (Suite 2016)
        New Features
        General
        DirectManage Access Manager
        Report Center
        Access Module for PowerShell
        Zone Provisioning Agent
        Deployment Manager
        Group Policies
        Deployment Report
        adedit
        Centrify LDAP Proxy
        Centrify OpenSSH
        Supported Platforms
3. Bugs Fixed
    3.1. Bugs Fixed in Centrify DirectControl 5.4.1 (Suite 2017.1)
        DirectControl Agent
        DirectManage Access Manager
        Centrify Report Services
    3.2. Bugs Fixed in Centrify DirectControl 5.4.0 (Suite 2017)
        DirectControl Agent
        DirectManage Access Manager
        Centrify Report Services
        Group Policies
        adedit
        Zone Provisioning Agent
        Centrify LDAP Proxy
        Centrify OpenSSH
        RHEL and CentOS Smartcard
    3.3. Bugs Fixed in Centrify DirectControl 5.3.1 (Suite 2016.1)
        DirectControl Agent
        DirectManage Access Manager
        Centrify Report Services
        Group Policies
        adedit
    3.4. Bugs Fixed in Centrify DirectControl 5.3.0 (Suite 2016)
        DirectControl Agent
        DirectManage Access Manager
        Access Module for PowerShell
        Group Policies
        adedit
        Centrify Network Information Service
        Centrify LDAP Proxy
        Centrify OpenSSH
4. Known Issues
    DirectControl Agent
    adedit
    Smart Card
    DirectManage Access Manager
    Report Services
    Access Module for PowerShell
    Zone Provisioning Agent
5. Additional Information and Support


1.     About This Release

 

Centrify Server Suite featuring DirectControl centralizes authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Server Suite, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. DirectControl, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. Centrify's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available in the Centrify Knowledge Base.

The Centrify Server Suite release notes and documents are available online at http://docs.centrify.com.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391. (Ref: CS-40830)

2.     Feature Changes

 

For a list of the platforms supported by this release, refer to the "Supported Platforms" section in the Centrify Server Suite release notes.

For a list of platforms for which Centrify will remove support in upcoming releases, refer to the "Notice of Termination Support" section in the Centrify Server Suite release notes.

For a complete list of platforms in all currently supported DirectControl releases, refer to the “Centrify Server Suite, Standard Edition” section in the document available from www.centrify.com/platforms.

2.1.          Feature Changes in DirectControl 5.4.1 (Suite 2017.1)

Security Fix

·         The zip files for all Windows components in this release, as well as in all releases in the Centrify Download Center, now unpack into clean folders that contain only the software installation package. This avoids a potential DLL hijacking vulnerability, where a DLL planted next to the installer would be loaded in preference to the system copy. (Ref: CS-42388, CS-42826)

·         Sensitive data is now encrypted in the local inter-process communication within Centrify *NIX components. (Ref: CS-42688)

General

 

·          Open Source component upgrade

o    Centrify OpenSSL 5.4.1 is upgraded based on stock OpenSSL 1.0.2k. (Ref: CS-42511)

§  This includes security fixes for CVE-2017-3731, CVE-2017-3732 and CVE-2016-7055.

o    Centrify OpenSSH 5.4.1 is upgraded based on stock OpenSSH 7.4p1. (Ref: CS-42390)

§  This includes security fixes for CVE-2016-10009, CVE-2016-10010, CVE-2016-10011 and CVE-2016-10012.

§  This release removes server support for the SSH v.1 protocol.

o    Centrify libcurl is upgraded based on stock curl 7.53.1. (Ref: CS-42667)

§  This includes security fixes for CVE-2017-2629, CVE-2016-9594, CVE-2016-9586, CVE-2016-9952 and CVE-2016-9953. (Ref: CS-42663)

DirectControl Agent

 

·          By default, the MFA feature now verifies the Centrify Identity Platform server certificate, as HTTPS requires. The root CA bundle may not be present on some Unix operating systems, or may not contain unexpired certificates for the issuers of the server certificate. If you encounter SSL errors in MFA operations, update the root certificate authority (CA) bundle on your *nix agents. Optionally, you can disable HTTPS server validation by setting the parameter adclient.cloud.skip.cert.verification to true; note that doing so removes the server-identity check that protects the MFA exchange from a man-in-the-middle, so it should be treated as a temporary workaround only. You can also specify an alternate root CA bundle using the adclient.cloud.cert.store parameter. (Ref: CS-39870, CS-42742)

·          For users who require infinite credential renewal (as specified in krb5.cache.infinite.renewal.batch.users and krb5.cache.infinite.renewal.batch.groups), if the user's keytab /var/centrifydc/renewal/keytab_<uid> is available, the agent now performs the initial Kerberos credential cache acquisition in addition to renewal. (Ref: CS-42378)

Configuration Parameters

centrifydc.conf has been updated to add the following parameters:

-    adclient.cloud.cert.store: This parameter specifies the root CA bundle that adclient uses to verify the server certificate presented by Centrify Identity Platform. When it is not set, adclient uses the root CA bundle that openssl uses. When it is set, adclient uses the specified CA bundle instead. Please ensure the file is valid and the store is updated with the required certificates. The default is not set. This parameter is effective only when the parameter adclient.cloud.skip.cert.verification is set to false. (Ref: CS-42742)

-    adclient.cloud.skip.cert.verification: Centrify MFA support in DirectControl requires HTTPS to communicate with Centrify Identity Platform. Starting in Suite 2017.1, the *nix agent verifies the certificate presented by Centrify Identity Platform, as HTTPS requires. This parameter specifies whether to bypass that validation step. The default is false (i.e., the server certificate is always verified). (Ref: CS-42742)

-    krb5.conf.k5login.directory: This parameter specifies an alternative location for a user’s .k5login files. It has no default setting. If it is not set, the user’s .k5login file will be set as {%home_dir}/.k5login. For example, if it is set to <k5login_directory>, the user’s .k5login file will be set as <k5login_directory>/<user’s unixname>. (Ref: CS-40289)
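The following Python script is an added example, not code from these release notes or from Centrify, that shows what the two cloud parameters above amount to in TLS terms and gives a practitioner two checks: it parses the "key: value" lines of a centrifydc.conf fragment, builds the ssl.SSLContext the settings imply (so that skip.cert.verification set to true is visibly the no-verification configuration an on-path attacker can exploit), and lists expired certificates in a loaded CA bundle, which is the "no unexpired certificate for the issuer" failure described above. The two conf fragments are constructed samples and the commented-out bundle path is hypothetical.

```python
import ssl
import time

# Constructed centrifydc.conf fragments (sample input, not real files). The parameter
# names are the ones documented above; the commented-out bundle path is hypothetical.
WEAK_CONF = """
# MFA talks HTTPS, but the server certificate is never validated
adclient.cloud.skip.cert.verification: true
"""

HARDENED_CONF = """
adclient.cloud.skip.cert.verification: false
# adclient.cloud.cert.store: /etc/centrifydc/mfa-ca-bundle.pem
"""


def parse_centrifydc_conf(text):
    """Parse 'key: value' lines. '#' starts a comment; blank and comment-only lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip()
    return settings


def mfa_tls_context(settings):
    """Build the ssl.SSLContext that the two parameters imply for the MFA connection."""
    skip = settings.get("adclient.cloud.skip.cert.verification", "false").lower() == "true"
    store = settings.get("adclient.cloud.cert.store", "")
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname check, OpenSSL's default bundle
    if skip:
        # skip.cert.verification: true -- no identity check at all, so an on-path attacker
        # holding any certificate can terminate the TLS session and read the MFA exchange.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif store:
        # cert.store set -- trust the named bundle instead of the default one.
        ctx.load_verify_locations(cafile=store)
    return ctx


def verifies_server(ctx):
    """True when the context rejects a server whose certificate chain or name does not check out."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def expired_ca_certs(ctx, now=None):
    """(subject, notAfter) of every CA certificate loaded into ctx whose validity has ended."""
    now = time.time() if now is None else now
    expired = []
    for cert in ctx.get_ca_certs():
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append((cert.get("subject"), cert["notAfter"]))
    return expired


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        ctx = mfa_tls_context(parse_centrifydc_conf(conf))
        print(label, "verifies server:", verifies_server(ctx),
              "expired CAs in bundle:", len(expired_ca_certs(ctx)))
```

Run it against the real /etc/centrifydc/centrifydc.conf by reading the file into parse_centrifydc_conf; if the agent is pointed at a custom bundle via adclient.cloud.cert.store, the expired_ca_certs list is what to inspect before blaming the Identity Platform side for the SSL error.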

DirectManage Access Manager

 

·          Role assignment supports a description field in hierarchical zones and the corresponding support is now added to Access Manager and Report Services in this release. (Ref: CS-38603, CS-38741)

·          DirectControl now allows customers to store their own information as custom attributes in role definition, role assignment and computer role definition. This capability has been added in Access Manager, Report Services, Access Module for PowerShell, DirectControl SDK and adedit command module.

Note: This new feature only applies to hierarchical zones. (Ref: CS-42598, CS-42670, CS-42687, CS-42746, CS-42752, CS-42751, CS-42750, CS-42842)

Centrify Report Services

 

·          Report Services now supports the description field of a role assignment in a hierarchical zone in various report views. (Ref: CS-38741)

·          Report Services now supports the newly added custom attribute in role definition, role assignment and computer role in a hierarchical zone in various report views. (Ref: CS-42842, CS-42598)

·          Additional performance optimization is applied to Login Summary Report in this release. (Ref: CS-42720)

Access Module for PowerShell

 

·          Added a new property, CustomAttributes, to New-CdmRole, Set-CdmRole, New-CdmRoleAssignment, Set-CdmRoleAssignment, New-CdmComputerRole and Set-CdmComputerRole to allow users to manage this record per their needs. (Ref: CS-42750)

adedit

 

·          adedit now supports a new "customattr" field for role assignment, role and computer role in a hierarchical zone. (Ref: CS-42751)

2.2.          Feature Changes in DirectControl 5.4.0 (Suite 2017)

Security Fix

DirectControl 5.4.0 contains the fix for a security issue in which a maliciously crafted program could trick the DirectControl agent into deleting an arbitrary file. This can happen when the program is executed by a logged-in Active Directory user. (Ref: CS-42567)

General

 

·          Centrify Licensing Service

A new component, Centrify Licensing Service, is added to help users better manage their licenses. Instead of using DirectManage Access Manager to manage DirectControl licenses and Audit Manager to manage DirectAudit licenses, this new module provides a central place for Centrify Server Suite license management and viewing license usage. The license management capability in DirectManage Access Manager and Audit Manager is deprecated and will be removed in a future release. (Ref: CS-42019, CS-42081, CS-42194)

Note:

o    You should install and configure Centrify Licensing Service to take advantage of the enhanced license management capability. The DirectManage tools (Access Manager, ADUC extension and GPOE extension) will remind you upon startup if the new service is not running in an Active Directory forest. (Ref: CS-40823, CS-40966)

o    There is no need to install multiple copies of the Licensing Service in a forest, as each instance performs the same task. The best practice is to install at least one instance, plus additional ones as required for redundancy.

·          Kerberos Armoring support

We now support the Flexible Authentication Secure Tunneling (FAST, aka Kerberos armoring) feature in Windows Server 2012 for the following options: (1) Not supported, (2) Supported and (3) Always provide claims. (Ref: CS-28823, CS-40613)

·          Additional data synchronization option in Centrify Report Service

In the Centrify Report Services, users can now choose to synchronize data from Active Directory based on zones instead of the original domain-based synchronization option. (Ref: CS-39513, CS-41245, CS-41254)

·          Audit Trail events

Two new common parameters, DAInst (Audit Installation Name) and DASessID (Audited Session ID), are added in an audit trail record to allow better SIEM integration for session replay. These fields will be N/A if DirectAudit is not installed. (Ref: CS-5698, CS-5711, CS-41965, CS-41995)

A new category “License Management” is added to the “Centrify Server Suite” audit trail events and the following 12 new events are assigned. Please refer to Audit Event Administrators’ Guide for details. (Ref: CS-40971)

o    60100: DirectControl license key added.

o    60101: Fail to add DirectControl license key.

o    60102: DirectControl license key removed.

o    60103: Fail to remove DirectControl license key.

o    60104: DirectControl license container added.

o    60105: Fail to add DirectControl license container.

o    60106: DirectControl license container removed.

o    60107: Fail to remove DirectControl license container.

o    60200: DirectAudit license key added.

o    60201: Fail to add DirectAudit license key.

o    60202: DirectAudit license key removed.

o    60203: Fail to remove DirectAudit license key.

Note: The GP “Centrify Audit Trail Settings” takes care of all the available categories including the new one. (Ref: CS-42268)

·          Feature name change

The following names are changed in Centrify products:

o     Cloud Connector is now Centrify Connector.

o     Centrify Cloud, Cloud Service and Cloud Server are now collectively referred to as Centrify Identity Platform.

o     Cloud Authentication is now Centrify MFA Service authentication.

 

These changes may affect UI, group policies, log messages and documentation in general. (Ref: CS-41743, CS-41749, CS-41750)

·          Feature End of Life notice

With the introduction of the Report Services component in Suite 2016, this is the last supported release for the UNIX/Linux command line report utilities, addbloader and adreport. (Ref: CS-41628, CS-41783)

·          Important Upgrade notice

If you plan to upgrade to Suite 2017, you should upgrade all the components in this suite release, because the following major infrastructure changes may cause compatibility issues with components from previous versions:

o     DirectControl packaging change.

o     Kerberos library upgrade.

o     OpenSSL upgrade.

o     LRPC2 protocol enhancement.

You may find more details about each of the changes below in this section.

Please note that Centrify OpenSSH version 5.3.1 still works with Suite 2017 except on AIX; on AIX you must also upgrade Centrify OpenSSH to the Suite 2017 version. (Ref: CS-42420)

Please also note that the current versions of DirectSecure as well as DB2 plug-in are not compatible with Suite 2017. Centrify will be releasing new versions that interoperate with Suite 2017.

·          Changes in DirectControl packaging

Starting in Suite 2017, the following open source packages are no longer part of the DirectControl package and are shipped separately. (Ref: CS-40555)

o    CentrifyDC-openssl

o    CentrifyDC-openldap

o    CentrifyDC-curl

Doing so allows Centrify to respond faster to critical security patches from the open source community.

Note: These packages are prerequisites to installing the DirectControl package. Please be aware of this especially if you have your own installation/upgrade automation scripts or if you retrieve Centrify packages from Yum/APT repository.

·          Package name change

The RHEL and SUSE RPM package file names are changed: (Ref: CS-40547)

o    From centrifydc*-<release#>-<OS>-<ARCH>.rpm to CentrifyDC*-<release#>-<OS>.<ARCH>.rpm

Example: CentrifyDC-openssh-7.3p1-5.4.0-rhel4.x86_64.rpm

o    From centrifyda-<release#>-<OS>-<ARCH>.rpm to CentrifyDA-<release#>-<OS>.<ARCH>.rpm

Example: CentrifyDA-3.4.0-suse10.i386.rpm
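If you maintain your own installation scripts, the split into separate packages and the new file-name layout both matter. The following Python helper is an added example, not Centrify tooling, that parses both the old and the new RPM file-name layouts shown above into product, component, release, OS and architecture, and orders a set of files so that the CentrifyDC-openssl, CentrifyDC-openldap and CentrifyDC-curl prerequisites are installed before the core CentrifyDC package. The relative order among the three prerequisites is an assumption; the release notes only state that all three must precede DirectControl.

```python
import re

# Both layouts described above:
#   old  centrifydc*-<release#>-<OS>-<ARCH>.rpm
#   new  CentrifyDC*-<release#>-<OS>.<ARCH>.rpm
# The separator between OS and ARCH ('-' vs '.') tells them apart.
_RPM = re.compile(
    r"^(?P<name>Centrify(?:DC|DA)\S*?)-(?P<release>\d+\.\d+\.\d+)-"
    r"(?P<os>[a-z0-9]+)(?P<sep>[.-])(?P<arch>[a-z0-9_]+)\.rpm$",
    re.IGNORECASE,
)

# Packages that must be installed before the DirectControl core package. The notes list
# the three; the relative order among them is an assumption (openssl first, curl last).
PREREQUISITES = ["openssl", "openldap", "curl"]


def parse_package_name(filename):
    """Split a Centrify RPM file name into its fields; raises ValueError on anything else."""
    m = _RPM.match(filename)
    if not m:
        raise ValueError("not a Centrify RPM file name: %s" % filename)
    parts = m.group("name").split("-")
    return {
        "product": parts[0],                                   # CentrifyDC or CentrifyDA
        "component": parts[1].lower() if len(parts) > 1 else "core",
        "release": m.group("release"),
        "os": m.group("os"),
        "arch": m.group("arch"),
        "layout": "new" if m.group("sep") == "." else "old",
    }


def install_order(filenames):
    """Order DirectControl packages so the prerequisites precede the core package,
    then everything else (e.g. openssh); non-DirectControl packages go last."""
    def rank(info):
        if info["product"].lower() != "centrifydc":
            return 99
        if info["component"] in PREREQUISITES:
            return PREREQUISITES.index(info["component"])
        return len(PREREQUISITES) if info["component"] == "core" else len(PREREQUISITES) + 1
    parsed = [(parse_package_name(f), f) for f in filenames]
    return [f for _, f in sorted(parsed, key=lambda p: rank(p[0]))]


if __name__ == "__main__":
    # Constructed sample file names following the two layouts above.
    sample = [
        "CentrifyDC-openssh-7.3p1-5.4.0-rhel4.x86_64.rpm",
        "CentrifyDC-5.4.0-rhel4.x86_64.rpm",
        "CentrifyDC-curl-5.4.0-rhel4.x86_64.rpm",
        "CentrifyDC-openssl-5.4.0-rhel4.x86_64.rpm",
        "CentrifyDC-openldap-5.4.0-rhel4.x86_64.rpm",
    ]
    for f in install_order(sample):
        print(f, parse_package_name(f)["component"])
```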

·          Open Source component upgrade

o    Centrify Kerberos library is upgraded based on stock MIT Kerberos 5-1.14.1. (Ref: CS-31783)

§  This includes security fixes for CVE-2015-2695, CVE-2015-2696, CVE-2015-2697. (Ref: CS-38994)

§  Two additional capabilities in this upgrade also help to address some known Single Sign-On (SSO) issues: (Ref: CS-42156)

·         You can now configure an alternate location for .k5login in krb5.conf. This means Kerberos can look for .k5login in a location other than user home directory.

·         The handling of SSO from SSH is made more secure: the Kerberos code now ensures that the principal name in the Kerberos credential resolves (through the zone mapping) to the target user; otherwise the login attempt fails. This closes a loophole in the default processing, where SSO was allowed if the target user name matched only the first component of the Kerberos principal.

§  Kerberos armoring options (1) Not supported, (2) Supported, (3) Always provide claims, in Windows Server 2012 or above are also supported with this upgrade. However, we do not support option (4) Fail unarmored auth request (AS-REQ). (Ref: CS-28823, CS-40613)

§  This Kerberos library upgrade may cause some minor behavior changes but in general the SSO behavior remains the same. However, to block SSO for local user, you will need to set krb5.sso.block.local_user to true and the local user should be in user.ignore. (Ref: CS-35892)

§  Kerberos 1.14.x supports ccselect plugin and this causes some issues for KCM ccache collection. We have introduced a new configuration parameter “krb5.conf.plugins.ccselect.disable” and a corresponding group policy to let you manage it. (Ref: CS-40471)

§  Due to the new Kerberos library, previous releases of Centrify products that use an older Kerberos version (DirectAudit, DirectSecure, DB2 plug-in, SAP SNC plug-in) are not compatible with DirectControl v5.4.0 in Suite 2017. (Ref: DB-144)

o    Centrify OpenSSL 5.4.0 is upgraded based on stock OpenSSL 1.0.2j. (Ref: CS-40275, CS-41499)

§  This includes security fixes for CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306 and CVE-2016-7052 (Ref: CS-40460, CS-40461)

§  Patch of CVE-2016-2178 is also applied to openssl-fips-2.0.11. (Ref: CS-40560)

o    Centrify OpenSSH 5.4.0 is upgraded based on stock OpenSSH 7.3p1.

§  SSHv1 is no longer supported. (Ref: CS-40924)

§  The LAM version of Centrify OpenSSH is no longer shipped as all AIX versions already provide PAM authentication. If you are still using the LAM version of Centrify OpenSSH, you should replace it with the corresponding PAM version for supportability. (Ref: CS-40743)

o    Centrify libcurl is upgraded based on stock curl 7.51.0. (Ref: CS-41954)

§  This includes security fixes for CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625. (Ref: CS-40940, CS-40941, CS-40942, CS-41439)

o    Centrify dzdo is upgraded based on stock sudo 1.8.17p1. (Ref: CS-40683)

o    Centrify Putty is upgraded based on stock putty 0.67. (Ref: CS-39029)

This new version also fixes the following security issues:

§  CVE-2015-5309 Potentially memory-corrupting integer-overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator.

§  CVE-2016-2563 Stack corruption vulnerability in the old-style SCP protocol.

DirectControl Agent

 

·          Transaction control in LRPC2 protocol (Ref: CS-39842)

The LRPC2 protocol has been enhanced for additional transaction control under heavy load. Note: users need to upgrade both DirectControl and DirectAudit to this version to benefit from the added protection.

·          The MFA mechanism (IWA) in the Centrify Admin Portal no longer supports HTTP and requires HTTPS for security reasons. The diagnostic tool, adcdiag, fails the test if HTTPS is not available. Please ensure that the Centrify connectors are configured with HTTPS if you use this feature. (Ref: CS-40567, CS-40568, CS-40951)

·          Performance improvement in the DirectControl agent

Additional attributes "_UnixName", "sAMAccountName", "userPrincipalName", "Guid", and "Unixid", are now stored in memory cache for faster lookup when the configuration parameter "capi.cache.enabled" is set to true. (Ref: CS-40067)

·          The support of Alternate UPN suffixes (ALTUPN) is now extended to cover two-way trusted forests. (Ref: CS-40190, CS-41755, CS-41794)

·          The support of AIX extended attributes is now enhanced to support:

o    Additional extended attributes for local users. (Ref: CS-39060)

o    Additional extended attributes for Active Directory users. (Ref: CS-40091)

o    Additional extended attributes for groups. (Ref: CS-40165)

You can list the supported attributes with the commands "adquery user -X help" and "adquery group -X help". (Ref: CS-42025)

·          Integration with third-party password enforcement tools

Four configuration parameters, adclient.random.password.complexity.pattern, adclient.random.password.generate.try, adclient.random.password.length.max and adclient.random.password.length.min, are added for better integration with third-party password enforcement tools. (Ref: CS-40164)
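As an added example (not Centrify code), here is a Python generator that honours the four adclient.random.password.* parameters whose defaults are given in the Configuration Parameters subsection below: the complexity pattern is treated as a bit mask (1 upper, 2 lower, 4 digit, 8 special; default 7), the length is drawn between length.min and length.max (15 and 21 by default), and a candidate is regenerated, up to generate.try times (10 by default), when it misses a required class or is rejected by an external policy check standing in for the third-party enforcement tool. The set of special characters and the policy-check hook are assumptions; the notes only give examples of special characters.

```python
import secrets
import string

# Bits of adclient.random.password.complexity.pattern, as documented in these notes.
UPPER, LOWER, DIGIT, SPECIAL = 1, 2, 4, 8
CLASSES = {
    UPPER: string.ascii_uppercase,
    LOWER: string.ascii_lowercase,
    DIGIT: string.digits,
    SPECIAL: "!$#%&*+-=?@^_",   # assumed set; the notes only list !, $, # and % as examples
}

# Documented defaults of the four parameters.
DEFAULTS = {
    "adclient.random.password.complexity.pattern": 7,
    "adclient.random.password.generate.try": 10,
    "adclient.random.password.length.max": 21,
    "adclient.random.password.length.min": 15,
}


def required_classes(pattern):
    """Character classes whose bit is set in the complexity pattern."""
    return [chars for bit, chars in CLASSES.items() if pattern & bit]


def meets_pattern(password, pattern):
    """True if the password contains at least one character from every required class."""
    return all(any(c in chars for c in password) for chars in required_classes(pattern))


def generate_password(settings=None, policy_check=None):
    """Generate a random password honouring the adclient.random.password.* parameters.

    policy_check is an optional callable standing in for a third-party enforcement tool
    (hypothetical hook): it receives a candidate and returns True to accept it.
    Raises RuntimeError once generate.try attempts have all been rejected.
    """
    cfg = dict(DEFAULTS, **(settings or {}))
    pattern = int(cfg["adclient.random.password.complexity.pattern"])
    tries = int(cfg["adclient.random.password.generate.try"])
    lo = int(cfg["adclient.random.password.length.min"])
    hi = int(cfg["adclient.random.password.length.max"])
    if lo > hi or not required_classes(pattern):
        raise ValueError("invalid length range or empty complexity pattern")
    alphabet = "".join(required_classes(pattern))
    rng = secrets.SystemRandom()          # OS CSPRNG, never random.Random, for credentials
    for _ in range(tries):
        length = rng.randint(lo, hi)
        candidate = "".join(rng.choice(alphabet) for _ in range(length))
        if not meets_pattern(candidate, pattern):
            continue                      # e.g. no digit happened to be drawn
        if policy_check is not None and not policy_check(candidate):
            continue                      # rejected by the external enforcement tool
        return candidate
    raise RuntimeError("no acceptable password after %d attempts" % tries)


if __name__ == "__main__":
    print(generate_password())
    print(generate_password({"adclient.random.password.complexity.pattern": 15}))
```

With the default pattern of 7 a fifteen-character draw from the 62-character alphabet misses one of the required classes only about 7% of the time, so ten attempts is ample; a strict external policy is what makes generate.try matter.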

Scripts and Command Line Utilities

·          The command adjoin has a new option “-F/--forceDeleteObj” to clean up the existing computer object and extension object in Active Directory before performing the adjoin operation. (Ref: CS-40845)

Configuration Parameters

centrifydc.conf has been updated:

New Parameters:

-    adclient.cloud.connector: This parameter specifies a Centrify connector in the current Active Directory forest to provide connectivity between LINUX/UNIX servers and Centrify Identity Platform server for Centrify MFA authentication service. The host specified in this parameter will also be used as the HTTP proxy unless adclient.cloud.iwa.url is specified. If the specified connector is not available, the DirectControl agent will try to find the closest valid connector. Administrators can use either IP address or FQDN in this parameter. For example, "adclient.cloud.connector: 192.168.1.61:8080" or "adclient.cloud.connector: connector.mydomain.com:8080". Note that port 8080 is the default port for Centrify connectors. By default, this parameter is empty. (Ref: CS-41546, CS-42226)

-    adclient.krb5.allow_weak_crypto: This parameter controls whether weak encryption types are allowed in the following parameters: adclient.krb5.tkt.encryption.types and adclient.krb5.permitted.encryption.types.

Weak encryption types include: des-cbc-crc, des-cbc-md4, des-cbc-md5, des-cbc-raw, des3-cbc-raw, des-hmac-sha1, arcfour-hmac-exp, rc4-hmac-exp and arcfour-hmac-md5-exp. Note that setting this parameter to false may cause authentication failures in an existing Kerberos infrastructure that does not support strong ciphers. The default value is true, which allows weak encryption types; once every KDC and Kerberized service in the environment supports AES, setting it to false removes DES and export-grade RC4 from what the agent will negotiate. (Ref: CS-31783)

-    adclient.random.password.complexity.pattern: This parameter is a bit mask specifying the complexity requirements for the random password: 1 = upper-case characters (A-Z), 2 = lower-case characters (a-z), 4 = digits (0-9), 8 = special characters (non-alphanumeric characters such as !, $, # and %). Add the values of the required classes; the default is 7 (upper, lower and digit). (Ref: CS-40164)

-    adclient.random.password.generate.try: This parameter specifies the maximum number of attempts to generate a random password for an Active Directory user. The default value is 10. (Ref: CS-40164)

-    adclient.random.password.length.max: This parameter specifies the maximum length of the random password. The default value is 21. (Ref: CS-40164)

-    adclient.random.password.length.min: This parameter specifies the minimum length of the random password. The default value is 15. (Ref: CS-40164)

-    krb5.conf.plugins.ccselect.disable: This parameter controls whether the DirectControl agent should disable Kerberos built-in ccselect plugins. If it is set to true, ccselect built-in plugins are disabled in krb5.conf. If it is set to false, the [plugin] section remains as is. The default is true. (Ref: CS-40471)

-    nss.shell.emergency.enabled: When you query user's shell through DirectControl NSS module, this option determines if DirectControl emergency shell should be returned for an "Audit Required" user who does not have rescue right. The default value is false, which means nologin shell configured in nss.shell.nologin is returned. (Ref: CS-40008)

Updated Parameters:

-    adclient.binding.refresh.force: The default of this parameter is changed from "true" to "false". (Ref: CS-41084)

-    adclient.krb5.principal: The default of this parameter is changed from "upn" to "sam", because an Active Directory user's Kerberos name is generated as sAMAccountName@<AD REALM> by default. To be consistent with this new default, for a name of the form <name>@<REALM> the DirectControl agent now tries a sAMAccountName (SAM@DOM) match first and then a UPN match. Note: if you really want to set adclient.krb5.principal to "upn", be aware of a potential issue when one user's (userA) UPN matches another user's (userB) sAMAccountName and the UPN domain suffix matches the domain realm. In this case userA will not be able to log in with their own password, and userB, having logged in with their sAMAccountName, could SSO into userA's account because of the confusion induced by matching the UPN against SAM@DOM. For an Active Directory user mapped to an MIT user, the Kerberos name generation ignores this setting, as before. (Ref: CS-25166, CS-40920, CS-41125)

-    adclient.krb5.service.principals: The default value of this parameter has been changed from 'http nfs ftp cifs' to 'ftp cifs' on all platforms except Mac OS X. Note: when performing a self-join ("adjoin -S"), the DirectControl agent respects any existing SPNs in the computer object. (Ref: CS-40350)

-    pam.mfa.program.ignore: This parameter specifies a list of programs which do not support MFA. Programs using Centrify PAM for authentication are required to support MFA for users that have "MFA required" sysrights. For programs that do not support this feature, administrators can add the program names in this parameter to bypass MFA. The default list is now "ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd". (Ref: CS-40569)
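The following Python model is an added example, not Centrify's code, covering two items in this section: the sAMAccountName/UPN ambiguity described under adclient.krb5.principal above, and the hardened SSH SSO check described under the Kerberos library upgrade (the principal in the credential must resolve, through the zone mapping, to the target user rather than merely share its first component). The two-user directory is constructed sample data chosen so that userA's UPN equals userB's sAMAccountName@REALM; the resolution and matching logic is a simplification written to illustrate the two notes, not adclient's implementation.

```python
# Constructed toy directory (assumed sample data, not from the release notes). The
# collision is deliberate: alice's UPN is exactly what bob's SAM@REALM name looks like.
REALM = "EXAMPLE.COM"
AD_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "bob@EXAMPLE.COM",    "unixname": "alice"},  # userA
    {"sAMAccountName": "bob",   "userPrincipalName": "bsmith@EXAMPLE.COM", "unixname": "bob"},    # userB
]


def _find(attr, value):
    for user in AD_USERS:
        if user[attr].lower() == value.lower():
            return user
    return None


def resolve_principal(principal, order="sam"):
    """Map a Kerberos principal of the form name@REALM to an AD user (or None).

    order="sam" (the Suite 2017 default) tries sAMAccountName@REALM first, then the UPN;
    order="upn" (the old default) tries the UPN first.
    """
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    by_sam = _find("sAMAccountName", name) if realm.upper() == REALM else None
    by_upn = _find("userPrincipalName", principal)
    return (by_sam or by_upn) if order == "sam" else (by_upn or by_sam)


def legacy_sso_allowed(principal, target_user):
    """The loophole closed by the library upgrade: accept whenever the first component of
    the principal equals the login name, ignoring realm, instance and zone mapping."""
    first = principal.split("@", 1)[0].split("/", 1)[0]
    return first == target_user


def sso_allowed(principal, target_user, order="sam"):
    """Hardened check: the credential's principal must resolve, via the directory and the
    zone's Unix name, to the very account being logged into."""
    user = resolve_principal(principal, order)
    return user is not None and user["unixname"] == target_user


if __name__ == "__main__":
    # bob's own ticket, resolved with each default: "upn" lands on alice's account.
    for order in ("upn", "sam"):
        print(order, "->", resolve_principal("bob@EXAMPLE.COM", order)["unixname"])
    # A foreign-realm "bob" passes the legacy first-component check but not the new one.
    print(legacy_sso_allowed("bob@UNTRUSTED.REALM", "bob"), sso_allowed("bob@UNTRUSTED.REALM", "bob"))
```

The two failure modes the notes describe fall out directly: with UPN-first ordering, bob's ticket for bob@EXAMPLE.COM resolves to alice, so sso_allowed(..., "alice", order="upn") is true and bob gets alice's session; with the legacy first-component check, any realm's "bob" or even "bob/admin" unlocks the local bob account.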

Centrify LDAP Proxy

 

·          Performance improvement in ldapproxy

1.  To minimize unnecessary traffic to Active Directory, ldapproxy has implemented a local cache for authentication, which may double performance in some scenarios. Cached authentication data is used by default when it is available and unexpired. (Ref: CS-39941)

2.  To further minimize the traffic to adclient and subsequently to Active Directory, ldapproxy has implemented an optional client side cache in slapd that handles repeated (same) searches. It is disabled by default in slapd.conf (ldapproxy.cache.enabled false). (Ref: CS-40368)

DirectManage Access Manager

 

·          DirectManage Windows installer now provides an option to install Microsoft SQL Server Compact 3.5. If there is no Microsoft SQL Server Compact 3.5 installed, DirectManage Access Manager will disable the Sudoers Import feature and DirectManage Deployment Manager will not be allowed to install. (Ref: CS-39945)

·          Password Synchronization Extension has not changed in this release. It is the same package with the version number 5.3.1 as in the previous Suite 2016.1 release, i.e., CentrifyDC_PasswordSync-5.3.1-win64.msi. (Ref: CS-40880)

Centrify Licensing Report

 

·          Deployment Report is now called Centrify Licensing Report and is part of the new Licensing Service component. (Ref: CS-41405, CS-40961)

·          To further enhance readability, there are a few changes in the report layout. The detailed system report in the bottom part of the report is also re-organized to make it easier to correlate with the deployment summary on top. You can also easily identify a license key that is being used by multiple DirectAudit installations by looking at the new “shared” column. (Ref: CS-40349, CS-40984)

Centrify Report Services

 

·          Centrify Report Services provides another option to synchronize Centrify data from Active Directory to local SQL store. The new option allows users to specify individual or all Centrify zones for data synchronization, whereas the original option is domain based. (Ref: CS-39513, CS-41245, CS-41254)

·          Centrify Report Services now supports SQL Server 2016. (Ref: CS-40735)

·          The PCI/SOX reports below now provide an option to skip building and rendering charts. You may want to do so if you have a very large environment. (Ref: CS-40109)

o    SOX/PCI-Login Report-By Computer

o    SOX/PCI-Login Report-By Group

o    SOX/PCI-Login Report-By Role

o    SOX/PCI-Login Report-By User

o    SOX/PCI-Login Summary Report

o    SOX/PCI-Rights Report-By Computer

o    SOX/PCI-Rights Report-By Group

o    SOX/PCI-Rights Report-By Role

o    SOX/PCI-Rights Report-By User

o    SOX/PCI-Rights Summary Report

·          In this release, the following new views are added:

o    ReportView.EffectiveAuthorizedLocalUsers_Computer – it lists effective authorized local users for each computer. (Ref: CS-40065)

o    ReportView.EffectiveLocalUsersRoleAssignment – it lists effective role assignments for local users for each computer. (Ref: CS-40065)

o    ReportView.ZoneHierarchy – it lists all the Hierarchical zones and their effective child zones. (Ref: CS-38856)

Zone Provisioning Agent

 

·          A few performance improvements are added in this release:

o    When a lot of zones are being provisioned, there may be a burst of traffic to the domain controller. We have introduced a configurable delay between each zone provisioning to throttle this traffic. The delay is controlled by a registry key 'ProvisioningDelay' in 'HKLM\SOFTWARE\Centrify ZPA'. For example, setting the key 'ProvisioningDelay' to 'Type: DWORD; Value: 5' will add 5 seconds delay between each zone provisioning. The default is no delay. (Ref: CS-41985)

o    Zone Provisioning Agent typically runs a full provisioning cycle each time based on schedule. There is a new option that will skip full provisioning if there is no change in the source group. This is enabled by setting a registry key 'CheckSourceChange' to 'Type: DWORD; Value: 1' in 'HKLM\SOFTWARE\Centrify ZPA'. (Ref: CS-41981)

o    When provisioning multiple users from another domain, Zone Provisioning Agent made unnecessary bind requests to the same domain, causing performance issues in large deployments. This is now improved with a connection cache. (Ref: CS-39877)

Access Module for PowerShell

 

·          Local accounts support is added to Access Module for PowerShell. You can create, change, read and delete local account objects using the following cmdlets:

New-CdmLocalUserProfile, Remove-CdmLocalUserProfile,

Set-CdmLocalUserProfile, Get-CdmLocalUserProfile,

New-CdmLocalGroupProfile, Remove-CdmLocalGroupProfile,

Set-CdmLocalGroupProfile and Get-CdmLocalGroupProfile. (Ref: CS-39626)

RHEL and CentOS Smartcard

 

·          Added an option (-K/--check-kdc-eku) to the command-line utility sctool to check the KDC certificate for the Extended Key Usage (EKU) attribute "Kerberos Authentication". This option was added because EKU checking is disabled by default. (Ref: CC-38917)

·          RC4 and DES encryption for SmartCard Kerberos authentication is no longer supported. Please configure your Active Directory domain and forest to use AES-128 or AES-256 encryption for Kerberos in order to ensure future compatibility. (Ref: CC-39271)

·          This release includes a Kerberos library upgrade allowing support for newly-provisioned smart cards with SHA-256 encryption. Centrify has tested the following SHA-256 smart cards: (Ref: CC-42494)

o    Oberthur ID One 128 v5.5 Dual SHA256 Cards

o    G&D FIPS 201 SCE 3.2 SHA256 Cards

2.3.          Feature Changes in DirectControl 5.3.1 (Suite 2016.1) February 2017 Update

Security Fix

DirectControl 5.3.1 February 2017 Update contains the fix for a security issue where a maliciously crafted program may mislead the DirectControl agent to delete any file. This can happen when the program is executed by a logged-in Active Directory user. (Ref: CS-42569)

It is highly recommended for customers who use DirectControl to apply this update.

Feature Fix

·          The background process in the DirectControl agent that updates ALTUPN will now skip an unreachable domain. (Ref: CS-42582, CS-40665)

·          The Local Account Management feature will now update /etc/passwd and /etc/group only if changes are required. (Ref: CS-42408, CS-42083)

·          DirectControl can now authenticate a one-way-trust user when only the KDC and Kpasswd ports are open on the domain controller of the user's domain. Note: this fix is NOT in DirectControl 5.4.0 (Suite 2017). (Ref: CS-42509, CS-42516)

2.4.          Feature Changes in DirectControl 5.3.1 (Suite 2016.1) August 2016 Update

Security Fix

DirectControl 5.3.1 August 2016 Update contains the fix for the following DirectControl issue: the Multi-Factor Authentication (MFA) feature, when used together with the Integrated Windows Authentication (IWA) feature, could in theory be susceptible to a man-in-the-middle attack because the http protocol was used. The fix removes support for http and uses https as the default protocol instead.

It is highly recommended for customers who are using the MFA feature with IWA, whether in Suite 2016 or Suite 2016.1, to upgrade to this Suite 2016.1 August 2016 Update.

2.5.          Feature Changes in DirectControl 5.3.1 (Suite 2016.1)

Security Fix

DirectControl 5.3.1 contains the fix for the following DirectAudit issue: when a system is under high CPU utilization, communication between the Centrify DirectControl and Centrify DirectAudit agents may time out while the communication channel remains open. This results in the DirectAudit agent processing the incorrect response to its request. Note that this occurs only in the DirectAudit *NIX agent when the DirectAudit shell auditing functionality is enabled. The fix in this version of DirectControl and DirectAudit closes the communication channel between the two agents during timeouts and error situations.

This fix was already retrofitted to Suite 2016 and Suite 2015.1 in March 2016. This issue does not occur in Suite 2015 and prior releases.

DirectControl Agent

 

·          Additional Multi-Factor Authentication (MFA) Support

MFA is supported for Active Directory users on AIX, Solaris and HP-UX. MFA can be required for all dzdo commands and for PAM applications that natively support MFA, except GUI login and applications specified in the pam.mfa.program.ignore configuration parameter.

For details, refer to the Administrator’s Guide for Linux and UNIX and the Configuration and Tuning Reference Guide. (Ref: CS-39363, CS-39415, CS-39416, CS-39417)

In addition to hierarchical zone, MFA is now supported for Classic zone and Auto zone. (Ref: CS-38588)

MFA using OATH is supported. (Ref: CS-39598)

MFA using RSA SecurID is supported. (Ref: CS-39858)

·          A new category “MFA” is added to the “Centrify Server Suite” audit trail events.  In this release, two Centrify event IDs are assigned: (Ref: CS-39984)

o    54100: MFA Challenge Succeeded

o    54101: MFA Challenge Failed. The reason field indicates the failure reason.

·          OpenSSL is upgraded to 1.0.2g and the fix of CVE-2016-2107 is also incorporated in this release. (Ref: CS-39736, CS-40301)

·          TLS v1.2 is supported now in ldapproxy and it can be enforced by the TLSProtocolMin option. (Ref: CS-39635)

·          The fix of CVE-2016-0755 is incorporated in Centrify libcurl, which is based on 7.44.0 stock libcurl. (Ref: CS-39554)

·          Cross-forest users can now be authenticated using an alternative UPN suffix. (Ref: CS-32538)

·          The Microsoft “Define host name-to-Kerberos realm mappings” group policy is now supported. The DirectControl agent will read the mapping and update the krb5.conf file. (Ref: CS-34176)

·          This release adds a watchdog process (niswatch) to restart adnisd if necessary. (Ref: CS-35720)

·          Centrify Standard license is required to run adnisd and ldapproxy. (Ref: CS-39615, CS-39616)

·          Starting from this release, Centrify supports the DirectControl agent on the latest Amazon Linux AMI release. However, Deployment Manager does not support installing or upgrading the agent in the Amazon Cloud environment. (Ref: CS-40072)

·          There is a new attribute in hierarchical zone Unix Command Right to allow dzdo/dzsh to check all command arguments and prevent navigation up a path hierarchy. Please refer to the 'Prevent navigation up a path hierarchy' checkbox in Access Manager. (Ref: CS-39063)

·          The sudo issues reported in CVE-2016-5602 have been fixed in dzedit. See the dzdo.edit.checkdir and dzdo.edit.follow configuration parameters.

Hadoop Support

·          In this release, the sample script kerberos_security_setup.pl can support the new Ambari v2.1.2 CSV file format in addition to the original Ambari v1.6.1 format. (Ref: CS-36553)

·          You can configure the sample script kerberos_security_setup.pl to remove HTTP, NFS, CIFS and FTP SPNs in computer objects.

Four new configuration parameters are introduced in hadoop.conf to support this feature:

o    hadoop.adclient.krb5.service.principal.http.remove (default is true)

o    hadoop.adclient.krb5.service.principal.nfs.remove (default is false)

o    hadoop.adclient.krb5.service.principal.cifs.remove (default is false)

o    hadoop.adclient.krb5.service.principal.ftp.remove (default is false)

A new command option, --remove-spn, is also added. It will read the configuration file to remove the configured SPNs. By default only the HTTP SPN will be removed. (Ref: CS-39445)

Smart Card and Certificate Management

·          Certificate management and auto-enrollment now support Elliptic Curve algorithms. When the ECDH_P256, ECDH_P384 or ECDH_P521 algorithm is selected in a version 3 certificate template, the corresponding EC algorithm will be used to generate the key pair for the certificate. However, there is a limitation that when an EC algorithm is selected, only SHA1 can be used as the signature algorithm. (Ref: CS-35787)

Scripts and Command Line Utilities

·          adcert -r --ntlm option is removed in this release. (Ref: CS-40148)

·          If DirectAudit is installed on the current system, the adinfo -t --support option will also invoke “dainfo -t” and include its output in the final zip files. (Ref: CS-39123)

·          A new command, adobjectrefresh, is added to update the cache for a specific user or group object instead of the entire zone. Please use the help option for information on its usage and available options. (Ref: CS-39333)

centrifydc.conf has been updated:

New Parameters:

-    adclient.legacyzone.mfa.background.fetch.interval: This parameter specifies, in minutes, how often the DirectControl agent updates its cache with Active Directory groups whose members require multi-factor authentication in classic zones or Auto zones.  The default is 30 minutes. (Ref: CS-38588)

-    adclient.legacyzone.mfa.cloudurl: This parameter specifies the URL of the cloud instance that the DirectControl agent will access in order to implement multi-factor authentication for users in classic zones and Auto Zones. (Ref: CS-38588)

-    adclient.legacyzone.mfa.enabled: This parameter specifies whether MFA is enabled for a classic zone or an Auto zone. The default is false. (Ref: CS-38588)

-    adclient.legacyzone.mfa.required.groups: This parameter specifies a list of Active Directory groups in a classic zone or an Auto zone whose members are required to use multi-factor authentication when logging on or using privileged commands. The default is none. (Ref: CS-38588)

-    adclient.legacyzone.mfa.required.users: This parameter specifies a list of Active Directory users in a classic zone or an Auto zone that are required to use multi-factor authentication when logging on or using privileged commands. The default is none. (Ref: CS-38588)

-    adclient.legacyzone.mfa.rescue.users: This parameter specifies a list of Active Directory users who can log on to computers in a classic zone or an Auto zone when multi-factor authentication is required, but the DirectControl agent cannot connect to the Centrify cloud service. (Ref: CS-38588)

-    dzdo.edit.checkdir: This parameter is used to prevent dzedit from editing files located in a directory that is writable by the invoking user unless it is run by root. The default is true. (Ref: CS-39479)

-    dzdo.edit.follow: This parameter is used to prevent dzedit from following symbolic links to edit files. The default is false. (Ref: CS-39479, CS-39918)

-    dzdo.legacyzone.mfa.enabled: This parameter specifies if multi-factor authentication is required for users to run the dzdo command in a classic zone.  The default is false. (Ref: CS-39471)

-    krb5.cache.clean.force.max: This parameter specifies the maximum lifetime of TGT (in days) before the DirectControl agent removes the Kerberos credential cache.  The default is 0, which means never. (Ref: CS-39399)
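The following Python is an added illustration (hypothetical code, not Centrify's dzedit implementation) of the two pre-edit safeguards that dzdo.edit.checkdir and dzdo.edit.follow stand for, and of the dzedit fix noted under CVE-2016-5602 earlier in this section: refuse a target that sits in a directory writable by the invoking user unless that user is root, and refuse a symbolic-link target unless following is enabled. The fixture directories, file names and the unprivileged uid it uses are constructed for the demo.

```python
# Added illustration (hypothetical, not Centrify's dzedit code) of the two safeguards that
# dzdo.edit.checkdir and dzdo.edit.follow control.
import os
import stat
import tempfile
from pathlib import Path


def dir_writable_by(directory, uid, gids):
    """Judge from the mode bits alone whether uid (a member of gids) may write into directory.

    A directory the invoking user can write to is the risk: the target file can be replaced
    with a symbolic link between the permission check and the edit, the class of problem the
    sudoedit CVE describes. Owner bits apply to the owner, group bits to group members,
    other bits to everyone else, as the kernel evaluates them.
    """
    st = directory.stat()
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_edit_target(target, uid, gids, checkdir=True, follow=False):
    """Return (allowed, reason) for an edit of target requested by uid.

    The defaults match the release note: checkdir is true, follow is false.
    """
    path = Path(target)
    if not follow and path.is_symlink():
        return False, "target is a symbolic link and dzdo.edit.follow is false"
    if checkdir and uid != 0:
        # With following enabled, inspect the directory that really holds the file.
        real = path.resolve() if follow else path
        if dir_writable_by(real.parent, uid, gids):
            return False, "directory is writable by the invoking user and dzdo.edit.checkdir is true"
    return True, "ok"


def demo():
    """Build a constructed fixture and evaluate the representative cases."""
    # A made-up unprivileged user who does not own the fixture (never the process's own ids).
    uid, gids = os.getuid() + 1, {os.getgid() + 1}
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        os.chmod(etc, 0o755)                       # like /etc: only the owner may write
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        link = etc / "hosts.link"
        link.symlink_to(etc / "hosts")
        shared = Path(tmp) / "shared"
        shared.mkdir()
        os.chmod(shared, 0o1777)                   # like /tmp: world-writable, sticky
        (shared / "notes.txt").write_text("constructed sample\n")
        return {
            "regular_file_in_safe_dir": check_edit_target(etc / "hosts", uid, gids)[0],
            "file_in_world_writable_dir": check_edit_target(shared / "notes.txt", uid, gids)[0],
            "root_in_world_writable_dir": check_edit_target(shared / "notes.txt", 0, set())[0],
            "checkdir_disabled": check_edit_target(shared / "notes.txt", uid, gids, checkdir=False)[0],
            "symlink_default": check_edit_target(link, uid, gids)[0],
            "symlink_follow_enabled": check_edit_target(link, uid, gids, follow=True)[0],
        }
```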

Updated Parameters:

-    adclient.cloud.auth.conn.max: This parameter is renamed from adclient.cloud.auth.token.max. Its default value and group policy are not changed. (Ref: CS-39326, CS-39746)

-    adclient.local.account.manage: This configuration parameter specifies whether the DirectControl agent manages local user and local group accounts. The default was true in previous releases. It is changed to false from this release onward. However, if you enabled this in a previous release, the setting is preserved. (Ref: CS-39397)

In this release, there is stricter enforcement of syntax in centrifydc.conf and centrifyda.conf. (Ref: CS-36112)

 

Centrify LDAP Proxy

 

·          TBD - A new configuration option is added to allow LDAP search of AD users/groups even though the filter does not explicitly specify posixAccount/posixGroup. This is added to support better integration with Hadoop/Ambari. (Ref: CS-42084)

DirectManage Access Manager

 

·          License summary is no longer displayed in the Manage Licenses dialog. (Ref: CS-36511)

·          Access Manager now supports requiring Multi-Factor Authentication (MFA) during re-authentication for Desktops, Applications and Network Access Windows rights. (Ref: CS-39453)

·          Starting from this release, you can select RFC2307-compatible zone to store UNIX properties using the Active Directory RFC2307-compatible schema. (Ref: CS-40244)

·          The 'Prevent navigation up a path hierarchy' checkbox is added to the 'Attributes' tab of the Command Right property page to specify whether path traversal should be disabled in command right.  The default is not checked. (Ref: CS-39362)

·          Password Synchronization now supports MD5 hashes. A hash starting with "$1$" is generated using the crypt(3) MD5 method. MD5 hashing can be controlled using the registry setting (Registry Key: HKLM/Software/Centrify/MD5Encryption Type: REG_DWORD). If this registry key does not exist or its value is '0', then MD5 hashing is disabled. (Ref: CS-34863)

Access Module for PowerShell

·         The RequireMfa parameter is added to the following cmdlets.  If the parameter is true, then MFA is required.  The default is MFA not required. (Ref: CS-39440, CS-39558)

o   New-CdmZone

o   Set-CdmZone

o   New-CdmCommandRight

o   Set-CdmCommandRight

o   New-CdmDesktopRight

o   Set-CdmDesktopRight

o   New-CdmApplicationRight

o   Set-CdmApplicationRight

o   New-CdmNetworkAccessRight

o   Set-CdmNetworkAccessRight

·         The BlockGroupInheritance parameter is added to the New-CdmZone and Set-CdmZone cmdlets. If the parameter is true, then the Active Directory groups in the parent zones that are not used by the joined machines in the child zone are not visible at that child zone. If the parameter is false, then all groups are visible. The default is false. (Ref: CS-39452)

·         The Force option is added to the New-CdmUserProfile and Set-CdmUserProfile cmdlets. If the option is true, then the creation or modification of a user profile is allowed even if its UNIX name is the same as the samAccountName of another AD user in the zone's domain. The default is not allowed. (Ref: CS-38788)

·         The DisablePathTraverse parameter is added to the New-CdmCommandRight and Set-CdmCommandRight cmdlets to specify whether path traversal is disabled in command right.  The default is false.  Also, the IsDisablePathTraverse property is added to the CdmCommandRight object. (Ref: CS-39391)

Centrify Report Services

 

·         You can specify the name of the report database in the Configuration Wizard. (Ref: CS-39637)

·          Starting from Suite 2016.1, the following reports support local accounts: (Ref: CS-36155, CS-36156, CS-39999)

o    Authorization report

o    PCI - Login Summary report

o    PCI - Rights Summary report

o    SOX - Login Summary report

o    SOX - Rights Summary report

o    Hierarchical Zone - Users report

o    Users report

o    Groups report

 

·         In Suite 2016.1, the following new views are added: (Ref: CS-36155, CS-36156, CS-39999)

o     ComputerRoleEffectiveMembers

o     EffectiveAuthorizedLocalUserPrivileges_Computer

o     EffectiveAuthorizedUserPrivileges_Computer

o     EffectiveAuthorizedUsers_Computer

o     EffectiveAuthorizedUsers_Computer_Classic

o     EffectiveAuthorizedUsers_Computer_Hierarchical

o     EffectiveAuthorizedZoneLocalUsers

o     EffectiveAuthorizedZoneUsers

o     EffectiveRoleAssignment

o     EffectiveRoleAssignment_Classic

o     EffectiveRoleAssignment_Hierarchical

o     EffectiveSysRights

o     EffectiveZoneLocalGroupMembers

o     EffectiveZoneLocalGroups

o     EffectiveZoneLocalUsers

o     RoleRights

o     ZoneLocalGroupMembers

o     ZoneLocalGroups

o     ZoneLocalUsers

 

New columns are added to the view ZoneComputers.

Note: The output of the EffectiveAuthorizedUserPrivileges_Computer view is the same as that of the current EffectiveLoginUserPrivileges_Computer report view.

·         Centrify Report Services utilizes the Reporting Services component which is a part of Microsoft SQL Server. The currently supported SQL Server versions and platforms are:

o    SQL Server 2008 R2 Express with Advanced Services (Service Pack 2 or higher recommended)

o    SQL Server 2008 R2 Standard or Enterprise or Datacenter (Service Pack 2 or higher recommended)

o    SQL Server 2012 Express with Advanced Services

o    SQL Server 2012 Standard or Enterprise

o    SQL Server 2014 Express with Advanced Services

o    SQL Server 2014 Standard or Enterprise

 

Note: Microsoft SQL Server 2008 R2 is not compatible with Windows 10.

 

Note: 32-bit versions of Microsoft SQL Server are not supported.

Deployment Report

 

·          Under the Deployment Summary, the count of agents for Mac for each zone type is now displayed separately from agents for *NIX. (Ref: CS-39571)

·          The Deployment Report Wizard for Centrify Server Suite Enterprise Edition now supports report preview that was available previously only for Standard Edition. (Ref: CS-39653, CS-39654, CS-39655)

·          If a user fails to send the generated report to the Centrify Support Portal, the report is automatically saved and a warning message is displayed. (Ref: CS-39653, CS-39654, CS-39655)

·          When invoking the Deployment Report utility, there is a new switch, ‘/plaindata’, which allows the user to specify that host, zone and installation names need not be obfuscated in generated report. (Ref: 36099)

Group Policies

 

·          The “Notification Command Line” computer configuration group policy under “Centrify Settings > DirectControl Settings > Local Account Management” is added to invoke a user-provided post-processing program. (Ref: CS-39374)

·          Four computer configuration group policies under “Centrify Settings > DirectControl Settings > Addns Settings” are added to manage addns configuration: (Ref: CS-34903)

o    Enable addns invoked by adclient

o    Set command line options used by adclient

o    Set DNS records update interval

o    Set wait response interval for update requests

For details of the group policy, refer to the explanation text.

adedit

 

·          The “delegate_zone_right” command adds a list of new rights to delegate: (Ref: CS-35329)

o    add_user_group_to_computer_zone

o    delete_user_group_from_computer_zone

o    modify_user_group_in_computer_zone

o    add_computer_zone

o    add_computer_role

o    delete_computer_zone

o    delete_computer_role

o    delegate_permission_for_computer_zone

o    add_nismap

Additionally, the 'manage_role_assignments' right now supports managing role assignments from zone, computer zone and computer role.

·          The “get_zone_field” and “set_zone_field” commands support the hierarchical zone field 'block.parent.zgroup'.  If the value is set to true, then it displays only the UNIX groups that are used in the joined servers in the zone.  If the value is set to false, then it displays all the UNIX groups. (Ref: CS-39450)

·          The get_role_assignment_field and set_role_assignment_field commands support the description field. (Ref: CS-38742)

Centrify OpenSSH

 

·          Centrify OpenSSH 5.3.1 is upgraded based on OpenSSH 7.2p2. (Ref: CS-39757)

Note: The symbolic link file of slogin is removed in the stock OpenSSH.  It is retained in the Centrify OpenSSH.

Note: The support of SSH protocol version 1 is removed in the stock OpenSSH.  It is still supported by the Centrify OpenSSH.

·          Centrify OpenSSH 5.3.1 is not compatible with previous Centrify DirectControl releases due to the major upgrade of OpenSSL in this release. (Ref: CS-39521)

·          A new keyword, SSOMFA, is added to Centrify sshd_config to require multi-factor authentication (MFA) for secure shell connections even for single sign-on access to remote computers.  This keyword works only when USEPAM is enabled. This option can also be enabled by the group policy “Enable SSO MFA” under “SSH Settings”. The default is ‘no’ (disabled).

Please note that MFA is not supported for authentication using public key. (Ref: CS-39524, CS-36193)

2.6.          Feature Changes in DirectControl 5.3.0 (Suite 2016)

New Features

·          Multi-Factor Authentication (MFA)

MFA is supported for Active Directory users in hierarchical zones on Linux systems. MFA can be required for all PAM applications (including login) and execution of dzdo commands. The “Require multi-factor authentication” System Rights flag and the “required MFA for Login” role are added to support MFA requirement for login and PAM applications. You can also specify to require MFA as the re-authentication mechanism in a UNIX command right.

For details, refer to the Administrator’s Guide for Linux and UNIX and the Configuration and Tuning Reference Guide. (Ref: CS-36181, CS-36455, CS-38550, CS-38708, CS-38804)

Note:

·         The version of Centrify Cloud connector required is 15.11.137 or above. (Ref: CS-38574).

·         If a user is configured to require MFA for login, the user cannot log in if the Linux system cannot reach Centrify Cloud via the Centrify Cloud Connector. An exception is made for users who also have the effective “rescue/always permit login” sysright; such a user can log in in this situation. Note that the “rescue/always permit login” sysright affects both DirectAudit and MFA. Also, regardless of whether the “rescue/always permit login” sysright is effective for a user or not, all dzdo commands that require MFA will always be denied when Centrify Cloud is not accessible by the Linux system. (Ref: CS-36248)

·         If an Active Directory user is configured to use both password and MFA to log in or run a dzdo command, the DirectControl agent will always continue with MFA authentication regardless of whether the password is correct or not. The user cannot log in or continue with dzdo unless both mechanisms succeed. This is done for security reasons. (Ref: CS-36494)

·         The DirectControl agent ignores the "Challenge Pass-Through Duration" option under the "Authentication Profile" setting in the Centrify Cloud Manager Portal.  The user is always challenged.  This behavior is the same as setting the option to "No Pass-Through". (Ref: CS-38592)

·         Local Account Management

 

Starting from Suite 2016, you can also use Active Directory to manage local user, local group and local service accounts in hierarchical zones.  For details, refer to the Administrator’s Guide for Linux and UNIX. (Ref: CS-35503)

·          Report Services

 

Centrify Report Services, packaged with DirectManage Access, greatly improves report performance by reading the data from a SQL database instead of querying Active Directory via LDAP. You can schedule periodic synchronization of the Active Directory information to your reporting database, and the report service will populate views based on the data in tables, creating a default set of Access Manager reports as well as SOX and PCI attestation reports. You can also create custom reports based on these views.

Note: There is a significant difference from the Access Manager Report Center in that you need to install only one instance of Centrify Report Services per Active Directory forest. There is also no need for auditors to install any Centrify software to view the reports because the SSRS reports are Internet Explorer browser-based. (Ref: CS-36440)

Please refer to the Report Administrator’s Guide for details.

For Reporting Services Early Access customers, the view ReportView.UserAccount in Suite 2016 Early Access is no longer available. The same data can be accessed through the view ReportView.ADUser. New columns are added to the view ReportView.ADUser to provide the additional information that was previously available in ReportView.UserAccount. It lists only Active Directory users, not local users. Please contact Centrify Technical Support if you need more information about this change. (Ref: CS-38602)

General

·          A new system right, “User is visible”, is introduced. If a role assignment contains this right, then the user is visible to all computers in the scope of the role assignment (zone, computer role, or computer). Like the other rights, the visible right is additive. When a user is assigned a set of roles, as long as there is one role that has the visible right set to true, the user becomes visible in the zone. (Ref: CS-35921)

o    dzinfo is enhanced to show whether the user’s effective rights contain the visible flag or not. (Ref: CS-36105)

·          There is now an option to select between the RFC 2307 and MS SFU schemas. (Ref: CS-34973)

 

Scripts and Command Line Utilities

·          adinfo -y --sysinfo is enhanced to add the ‘cloud’ keyword to show information related to MFA support. Note this is supported on Linux only. (Ref: CS-38926)

·          A new CLI, admanagelocal, is added to manage local user and group accounts. (Ref: CS-35503, CS-36096)

·          adkeytab -t, --pwdtime is added to report the last password change attempt time and results. (Ref: CS-35847)

·          adflush -c --connectors is added to flush the cloud connector information in the DirectControl agent. Note it is supported on Linux only. (Ref: CS-38920)

Smart Card and Certificate Management

·          OpenSSL is upgraded to 0.9.8zg in this release. (Ref: CS-35922)

·          cURL is upgraded to 7.44.0 in this release. (Ref: CS-35702)

·          On Centrify managed RHEL systems, the CA root certificate can now be appended to the system default store, i.e. /etc/pki/tls/certs/ca-bundle.crt. (Ref: CS-38412)

Configuration Parameters

·        centrifydc.conf has been updated:

New Parameters:

-    adclient.cloud.auth.token.max: This parameter specifies the maximum number of cloud authentication requests that can be processed simultaneously.  The default is 10. (Ref: CS-36247)

-    adclient.krb5.password.change.verify.retries: This parameter controls how many times adkeytab tries to verify password changes running in the background.  The default is zero (no attempts). (Ref: CS-35847)

-    adclient.krb5.password.change.verify.interval: This parameter controls how long (in seconds) adkeytab waits between attempts to verify passwords. The default is 300 seconds (five minutes). (Ref: CS-35847)

-    adclient.krb5.principal.lower: This parameter controls whether the principal name in Kerberos ticket should be converted to lowercase.  The default is false. (Ref: CC-32641)

-    adclient.local.account.manage: This parameter specifies whether the DirectControl agent should manage local user and local group accounts on computers where the agent is installed.  The default is true. (Ref: CS-36096)

-    adclient.local.account.notification.cli: When this parameter is configured, the DirectControl agent will invoke the specified executable in a different process and pass the comma separated UNIX name list to it for further processing.  The default is "". (Ref: CS-36409)

-    adclient.refresh.interval.dz: This configuration parameter specifies the maximum number of minutes to keep access control (DirectAuthorize) information in the authorization cache before refreshing the data from Active Directory.  If local account management feature is enabled, this configuration parameter also specifies how often /etc/passwd and /etc/group are updated on individual computers based on the local user and local group settings configured in Access Manager.

-    adclient.skip.unused.outbound.trusts: This configuration parameter specifies whether you want to prevent the DirectControl agent from sending network queries to outbound trust domains that do not have users in Centrify zones.  The default is false. (Ref: CS-35705)

-    cloud.connector.refresh.interval: This parameter specifies how frequently (in hours) a background process will be run to search for the nearest available cloud connector to use for connectivity to Centrify Cloud service.  The default is 8 hours. (Ref: CS-36181)

-    pam.homedir.create.follow.symlink: If this parameter is set to true, the DirectControl agent will copy the de-referenced symbolic links (symlinks) in the skeleton directory (/etc/skel) when creating home directory for an Active Directory user.  If it is set to false, then only the symlinks are copied.  The default is true. (Ref: CS-30646)

-    pam.mfa.program.ignore: Use this parameter to specify a list of programs that do not support or require Multi-Factor Authentication. The default value is "vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd". (Ref: CS-36192, CS-39101)

-    pam.setcred.program.create.creds: This parameter specifies the list of programs for which the DirectControl agent will always create new krb5ccache and update KRB5CCNAME in PAM sessions.  The default list contains only 'su'. (Ref: CS-36029)

Updated Parameters:

-    adclient.ldap.packet.encrypt: (Ref: CS-33456)

SignOnly is a new security option added in this release.  When set, all LDAP traffic is required to be signed (but not encrypted) to ensure packet integrity.

-    adclient.krb5.conf.file.custom: (Ref: CS-35645)

This release adds the following additional directives for the adclient.krb5.conf.file.custom configuration parameter.  Please note that these sections are copied as-is from the custom krb5.conf:

o    [login]

o    [logging]

o    [dbdefaults]

o    [dbmodules]

o    [kdcdefaults]

o    [kdc]

o    [kadmin]

o    [password_quality]

o    [otp]
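As an added example (hypothetical code, not the DirectControl agent's implementation) covering both the “Define host name-to-Kerberos realm mappings” group policy support noted in the 5.3.1 section and the adclient.krb5.conf.file.custom directives listed above, the Python below merges policy-delivered mappings into [domain_realm], copies only the listed sections from a custom krb5.conf (so a custom [libdefaults] cannot override the agent's), and resolves a host to its realm the way a Kerberos client does. The shape of the mapping input, the sample krb5.conf fragments and the host names are assumptions constructed for the demo.

```python
# Added example (hypothetical code, not the DirectControl agent's): krb5.conf handling modelled on the notes above.
import re

# Sections the note lists as copied as-is from the custom krb5.conf; anything else in that
# file, [libdefaults] for instance, is assumed to be left alone.
COPIED_SECTIONS = ("login", "logging", "dbdefaults", "dbmodules", "kdcdefaults",
                   "kdc", "kadmin", "password_quality", "otp")


def parse_sections(text):
    """Split krb5.conf text into {section: [raw lines]}; nested { } blocks stay raw lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[([A-Za-z_]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def render(sections):
    # Write the sections back out in the order they are held, one indented line per entry.
    out = []
    for name, lines in sections.items():
        out.append(f"[{name}]")
        out.extend(f"    {line}" for line in lines)
        out.append("")
    return "\n".join(out)

def domain_realm_map(sections):
    # Read [domain_realm] into {host-or-domain: REALM} with lower-cased keys.
    mapping = {}
    for line in sections.get("domain_realm", []):
        key, sep, value = line.partition("=")
        if sep:
            mapping[key.strip().lower()] = value.strip()
    return mapping

def merge_domain_realm(sections, gpo_mappings):
    """Apply policy-delivered {host-or-domain: realm} entries; policy wins on conflicts."""
    mapping = domain_realm_map(sections)
    mapping.update({k.lower(): v.upper() for k, v in gpo_mappings.items()})
    sections["domain_realm"] = [f"{k} = {v}" for k, v in sorted(mapping.items())]
    return sections

def copy_custom_sections(sections, custom_conf, allowed=COPIED_SECTIONS):
    """Copy only the allowed sections from the custom file, replacing the agent's copies."""
    custom = parse_sections(custom_conf)
    for name in allowed:
        if name in custom:
            sections[name] = list(custom[name])
    return sections

def realm_for_host(mapping, host):
    """Resolve like a Kerberos client: exact host first, then the longest parent domain
    that has a leading-dot entry; None when nothing matches."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None

AGENT_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
"""  # constructed sample of the agent-generated file
CUSTOM_CONF = """\
[libdefaults]
    default_realm = OTHER.EXAMPLE.COM
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
    }
"""  # constructed sample of a custom krb5.conf; its [libdefaults] must not win
# Shape assumed for what the host name-to-realm policy delivers: {host-or-domain: realm}.
GPO_MAPPINGS = {".lab.example.com": "LAB.EXAMPLE.COM",
                "legacy-app.corp.example.com": "lab.example.com"}

def demo():
    sections = merge_domain_realm(parse_sections(AGENT_CONF), GPO_MAPPINGS)
    sections = copy_custom_sections(sections, CUSTOM_CONF)
    final = parse_sections(render(sections))  # round-trip through text
    mapping = domain_realm_map(final)
    return {
        "default_realm_kept": "default_realm = CORP.EXAMPLE.COM" in final["libdefaults"],
        "dbmodules_lines": len(final["dbmodules"]),
        "web01": realm_for_host(mapping, "web01.corp.example.com"),
        "legacy_app": realm_for_host(mapping, "legacy-app.corp.example.com"),
        "lab_kdc": realm_for_host(mapping, "kdc.lab.example.com"),
    }
```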

Obsolete Parameters:

-    none

Refer to the Configuration and Tuning Reference Guide for details.

DirectManage Access Manager

 

·          If you install DirectManage Access Manager and Access Module for PowerShell on Windows 7 or Windows Server 2008 R2, you need to install SP1 or above for Windows 7 or Windows Server 2008 R2 starting from this release. (Ref: CS-36146)

·          DirectManage Access no longer installs documents and release notes starting from Suite 2016. You can find them in the ISO Documentation folder or at http://docs.centrify.com. (Ref: CS-36401)

·          This release introduces the “user is visible” system right, which controls whether a user is visible to all computers in a zone. By default, a user is visible in any newly created role and also in roles created before Suite 2016. (Ref: CS-36007)

·          This release provides support for managed service accounts (MSA), which were made available in Windows 7 and Windows 2008 R2. Also, Access Manager is enhanced to support zone delegation to an MSA account. (Ref: CS-34492)

·          From the Access Manager result pane, you can now select multiple zones and apply the "Delegate Zone Control ..." action to them.  If different zone types are selected, then only the common tasks will be enabled. (Ref: CS-33843)

·          The “Generate Centrify Recommended Deployment Structure” Wizard is now merged with the Setup Wizard, so a user can create the deployment structure under the domain root object or an organizational unit object before running the Setup Wizard. (Ref: CS-35392, CS-35393)

Report Center

·         Report Center is now deprecated and will be removed in a future Centrify Server Suite release. It is no longer displayed by default in the Access Manager tree node but can be made available via the drop-down menu and context menu. Report Center is being replaced by Report Services in Suite 2016. (Ref: CS-36388)

Access Module for PowerShell

·         Access Module for PowerShell is built on .NET Framework 4.5 starting from this release. It requires PowerShell v4 or above to run. (Ref: CS-36376)

·         You can use Access Module for PowerShell to configure settings for Zone Provisioning Agent (ZPA). There is a new object type 'CdmZpaSetting'. (Ref: CS-34792)

o   Add a cmdlet named 'Get-CdmZpaSetting' with the following parameters:

- DN

- Name

- Domain

o   Add a cmdlet named 'Set-CdmZpaSetting' with the following parameters:

- Zone

- UserUid

- UserName

- UserShell

- UserHomeDirectory

- UserPrimaryGroup

- UserGecos

- GroupGid

- GroupName

- UserSource

- GroupSource

- IgnoreDisabledAccount

- EnableUserProvisioning

- EnableGroupProvisioning

- GroupPriority

·         Support for the user visible system right is added to role definitions. Users can set the right using the New-CdmRole and Set-CdmRole cmdlets. (Ref: CS-36058)

·         Get-CdmManagedComputer is enhanced to show two new properties (Ref: CS-34190, CS-35028):

o   Preferred Site: <the site that the machine is connected to>

o   Subnet Site: <the site that the machine should be connected to>

Zone Provisioning Agent

 

·          Starting from this release, you can now select managed service accounts (MSA) and group managed service accounts (gMSA) as the provisioning service account. (Ref: CS-34492)

Deployment Manager

 

·          Deployment Manager has been updated to version 5.3.0.  Please refer to the Deployment Manager release notes for information on enhancements and bug fixes in this release.

Group Policies

 

·          Starting from this release, group policies in ADMX (Administrative Template File XML based) format are shipped and ADM (Administrative Template File) format will not be provided. (Ref: CS-6821, CS-30836)

Deployment Report

 

·          Installation information for the Centrify Server Suite Enterprise Edition is now stored in Active Directory in addition to the existing DirectAudit database. This allows an authenticated Active Directory user to run Deployment Report without having to provide the DirectAudit database credential. (Ref: CS-36265)

·          New usage count information grouped by Server/Workstation license type is added to the Deployment Summary section of the report. (Ref: CS-38619)

adedit

 

·          adedit is enhanced to support local users and local groups with the following new function calls: (Ref: CS-36090, CS-38488)

o    list_local_users_profile

o    new_local_user_profile <UNIX user name>

o    select_local_user_profile <UNIX user name>

o    delete_local_user_profile <UNIX user name>

o    get_local_user_profile

o    get_local_user_profile_field <field name>

o    set_local_user_profile_field <field name> <value>

o    save_local_user_profile

o    list_local_groups_profile

o    new_local_group_profile <UNIX group name>

o    get_local_group_profile

o    select_local_group_profile <UNIX group name>

o    delete_local_group_profile <UNIX group name>

o    get_local_group_profile_field <field name>

o    set_local_group_profile_field <field name> <value>

o    save_local_group_profile

Refer to the adedit Administrator's Guide for usage and details.

·          The CreateRole function adds a Boolean input parameter, visible, to indicate whether the visible system right is enabled when the role is created. (Ref: CS-36066)

·          The "get_zone_field parent" function in the Tcl ade_lib library adds a new option, "-raw", to return the parentLink in <GUID>@<DOMAIN> format. This applies to hierarchical zones only. (Ref: CS-31010)

·          The “get_zone_field cloudurl” function returns the name of the cloud instance associated with the selected hierarchical zone. (Ref: CS-39190)

·          The “set_zone_field cloudurl <value>” function sets the name of the cloud instance associated with the selected hierarchical zone. (Ref: CS-39190)

·          The get_zone_field and set_zone_field functions are enhanced to support computer zones: (Ref: CS-35950)

o    get_zone_field dn: returns the Distinguished Name (DN) of the current msDS-AzScope Active Directory object associated with the computer zone.

o    get_zone_field description: returns the computer zone description.

o    set_zone_field description <value>: sets the Active Directory description attribute for the msds-AzScope object.

·          A new Tcl script, adlistnismaps, is provided in the /usr/share/centrifydc/adedit directory. It lists the NIS maps stored in Centrify zones. See the adauto.pl and adautouser.pl scripts for usage examples. (Ref: CS-36021)

Centrify LDAP Proxy

 

·          ldapsearch now accepts extendedDN with the -e or -E option to return the extended distinguished name of the object. (Ref: CS-36318)

Centrify OpenSSH

 

·          Centrify OpenSSH 5.3.0 is upgraded to OpenSSH 7.1p1. Unlike stock OpenSSH, Centrify OpenSSH still supports the SSH version 1 protocol in this version. (Ref: CS-8245)

In addition, there are a few behavior changes from Centrify OpenSSH 5.2.3, which is based on OpenSSH 6.7p1:

o    The default for the sshd_config(5) PermitRootLogin option is changed from "yes" to "prohibit-password": root can still log in with public-key authentication, but not with a password.

o    Support for ssh-dss and ssh-dss-cert-* host and user keys is disabled by default at run time. This means that a user whose public key is a DSA (ssh-dss) key can no longer log in by default, and a DSA host key is no longer offered; RSA and other key types are unaffected.

o    UseDNS now defaults to 'no'.

o    Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run time.

o    Support for tcpwrappers/libwrap is removed.

Settings that rely on the old defaults should be stated explicitly in sshd_config before upgrading. For details, refer to the stock OpenSSH 7.1p1 release notes.
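The following script is added here as an example; it is not part of the Centrify release notes or product. It parses the global section of an sshd_config and reports what changes for that file when the 6.7p1 defaults listed above are replaced by the 7.1p1 defaults, including the cases a migration usually trips over: a DSA-only host key, a weak key exchange or key type that an explicit config line re-enables, and a root login that silently turns into key-only. The default tables and the disabled algorithms come from the bullets above; the two sample configurations are constructed, and recognising a DSA host key by its conventional ssh_host_dsa_key file name is an assumption.

```python
"""Report what changes for an sshd_config when OpenSSH 7.1p1 defaults replace 6.7p1 defaults.

Added example (not part of the Centrify release notes or product). Default tables and the
disabled algorithms come from the release-note bullets above.
"""
import re

# Keyword defaults that differ between 6.7p1 and 7.1p1 (from the bullets above).
DEFAULTS_67 = {"permitrootlogin": "yes", "usedns": "yes"}
DEFAULTS_71 = {"permitrootlogin": "prohibit-password", "usedns": "no"}

# Disabled at run time in 7.1p1 unless a config line names them explicitly.
WEAK_KEX = "diffie-hellman-group1-sha1"
WEAK_KEY_TYPES = ("ssh-dss", "ssh-dss-cert-v01@openssh.com", "ssh-dss-cert-v00@openssh.com")


def parse_sshd_config(text):
    """Parse the global section of an sshd_config.

    Returns (settings, hostkeys). settings maps the lower-cased keyword to the FIRST value
    seen, because sshd honours the first occurrence of a keyword; hostkeys lists every
    HostKey path. Parsing stops at the first Match block, whose lines apply conditionally.
    """
    settings, hostkeys = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        if key == "hostkey":
            hostkeys.append(value)
        else:
            settings.setdefault(key, value)
    return settings, hostkeys


def effective(settings, defaults):
    """Effective value of each keyword in `defaults` for this config."""
    return {k: settings.get(k, d) for k, d in defaults.items()}


def audit_sshd_config(text):
    """Return a list of findings describing how this config behaves differently under 7.1p1."""
    settings, hostkeys = parse_sshd_config(text)
    findings = []

    before, after = effective(settings, DEFAULTS_67), effective(settings, DEFAULTS_71)
    for key in DEFAULTS_71:
        if before[key] != after[key]:
            findings.append("%s: effective value changes from '%s' to '%s' (not set explicitly)"
                            % (key, before[key], after[key]))

    # prohibit-password (alias without-password): root keeps key-based login only.
    if after["permitrootlogin"] in ("prohibit-password", "without-password"):
        findings.append("permitrootlogin: root password login refused, public key still accepted")

    # DSA host keys are disabled at run time, so a DSA-only server offers no host key.
    # Assumption: DSA host keys are recognised by the conventional ssh_host_dsa_key file name.
    dsa_keys = [h for h in hostkeys if re.search(r"(?<!ec)dsa", h.lower())]
    if hostkeys and len(dsa_keys) == len(hostkeys):
        findings.append("hostkey: only DSA host keys configured; none will be offered under 7.1p1")

    # Naming a disabled algorithm explicitly re-enables it.
    if WEAK_KEX in settings.get("kexalgorithms", "").lower():
        findings.append("kexalgorithms: explicitly re-enables %s (1024-bit group)" % WEAK_KEX)
    pubkey_types = settings.get("pubkeyacceptedkeytypes", "").lower()
    if any(t in pubkey_types for t in WEAK_KEY_TYPES):
        findings.append("pubkeyacceptedkeytypes: explicitly re-enables ssh-dss user keys")
    elif "pubkeyacceptedkeytypes" not in settings:
        findings.append("user keys: DSA (ssh-dss) public keys rejected by default; RSA/ECDSA/Ed25519 unaffected")

    return findings


# Constructed sample: a 6.7p1-era config that relied on the old defaults.
SAMPLE_OLD_STYLE = """\
# constructed example of a pre-upgrade /etc/ssh/sshd_config
Port 22
HostKey /etc/ssh/ssh_host_dsa_key
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
"""

# Constructed sample: the settings stated explicitly, so the default change is harmless.
SAMPLE_HARDENED = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
UseDNS no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in (("old-style", SAMPLE_OLD_STYLE), ("hardened", SAMPLE_HARDENED)):
        print("== %s" % name)
        for finding in audit_sshd_config(cfg):
            print(" - " + finding)
```

Run it against a copy of the real /etc/ssh/sshd_config before the upgrade; an empty findings list apart from the DSA user-key note means every changed default is already pinned explicitly. Lines inside a Match block are deliberately ignored, since their effect depends on the connecting client.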

·          A new keyword, 'Krb5ccUnique', is added to the Centrify sshd_config to specify whether Centrify sshd generates a unique credential cache name when storing the Kerberos credential cache. The default is "yes" (enabled). If set to "no" (disabled), the old-style credential cache name, krb5cc_<uid> or KCM:<uid>, is used, which is shared by all sessions of that UID. (Ref: CS-8250)

·          Starting with Suite 2016, install.sh no longer installs Centrify OpenSSH by default. To install it, use the Custom installation option. If Centrify OpenSSH is already installed, it is upgraded automatically. (Ref CS-32389, CS-38266)

Note that you still need to install Centrify OpenSSH on AIX in the following cases:

o    If you use DirectAudit; otherwise local users are not audited.

o    If a local user and an AD user have the same name but different UNIX profiles; Centrify OpenSSH resolves this, whereas AIX SSH does not.

Supported Platforms

 

·          Support has been added for the following operating systems (Ref: CS-7155, CS-36163, CS-36361, CS-36418):

o  Windows 10 (x86_64)

o  Mac OS X 10.11 (x86_64)

o  Fedora 23 (x86, x86_64)

o  CentOS 6.7 (x86, x86_64)

o  Oracle Enterprise Linux 6.7 (x86, x86_64)

o  Red Hat Enterprise Linux Desktop 6.7 (x86, x86_64)

o  Red Hat Enterprise Linux Server 6.7 (x86, x86_64)

o  Red Hat Enterprise Linux Server 6.7 (ppc64 – no Power8)

o  Red Hat Enterprise Linux Desktop 7.2 (x86_64)

o  Red Hat Enterprise Linux Server 7.2 (x86_64)

o  Red Hat Enterprise Linux Server 7.0, 7.1, 7.2 (ppc64 – no Power8)

o  Scientific Linux 6.7 (x86, x86_64)

o  Ubuntu Desktop 15.10 (x86, x86_64)

o  Ubuntu Server 15.10 (x86, x86_64)

o  SUSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)

o  SUSE Linux Enterprise Server 11 SP4 (x86, x86_64, ppc64, ia64)

o  Oracle Solaris 11.3 (x86_64, SPARC)

 

 

·          Support is removed for the following operating systems (Ref: CS-34860):

o  All 32-bit Windows platforms

o  Mac OS X 10.8

o  Fedora 19 (32-bit and 64-bit)

o  Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o  openSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o  Oracle Solaris 8 SPARC

 

·          This is the last release to support the following operating systems (Ref: CS-35417):

o  Debian Linux 6.x (32-bit and 64-bit)

o  Fedora 20 (32-bit and 64-bit)

o  HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o  HP-UX 11.23 Itanium (Normal and Trusted modes)

o  Oracle Solaris 9 (32-bit and 64-bit)

o  Ubuntu Desktop 14.10 (32-bit and 64-bit)

o  Ubuntu Server 14.10 (32-bit and 64-bit)

 

·          Support will be discontinued soon (the next release will be the last to support them) for the following operating systems:

o  Fedora 21 (32-bit and 64-bit)

o  Ubuntu Desktop 15.04, 15.10 (32-bit and 64-bit)

o  Ubuntu Server 15.04, 15.10 (32-bit and 64-bit)

o  SUSE Linux Enterprise Desktop 10 (32-bit and 64-bit)

o  SUSE Linux Enterprise Server 10 (32-bit and 64-bit)

o  openSUSE 13.1 (32-bit and 64-bit)

3.     Bugs Fixed

3.1.          Bugs Fixed in Centrify DirectControl 5.4.1 (Suite 2017.1)

DirectControl Agent

 

·          If a user was locked out in connected mode after the maximum number of password attempts, the user was not allowed to log in in disconnected mode even after the lockout duration had passed. This is now fixed. (Ref: CS-42236)

·          The DirectControl agent could fail to start in FIPS-enabled mode when the configuration parameter adclient.krb5.keytab.clean.nonfips.enctypes is set to true. This is now fixed. (Ref: CS-42970)

·          Fixed an issue where the Kerberos credential cache of user and service accounts could expire before the next renewal cycle even though the DirectControl agent renews it at a regular interval. (Ref: CS-42995)

·          If a value specified in the Windows hostname-to-Kerberos realm mappings Group Policy setting contained extra whitespace after the multi-value separator, duplicate entries could be written to the domain_realm section of krb5.conf. This is now fixed. (Ref: CS-42537)

·          Password expiration for a one-way trust user is now based on the Kerberos ticket obtained at the user's first login. If no Kerberos ticket is available, it is computed from the joined domain's password expiration policy. (Ref: CS-42658)

·          The following feature fix in DirectControl 5.3.1 (Suite 2016.1) February 2017 Update is also included in DirectControl 5.4.1 (Suite 2017.1):

o    DirectControl can now authenticate one-way trust users when only the KDC and Kpasswd ports are open on the user domain's domain controller. Note: this fix is NOT in DirectControl 5.4.0 (Suite 2017). (Ref: CS-42509, CS-42516)

DirectManage Access Manager

 

·          A new predefined application right, Centrify Utility - Network Manager, is introduced in Access Manager to grant access to run Network Manager. (Ref: CS-42674)

·          Access Manager could log a warning message "Failed to resolve assembly ..." in the console log. The warning did not affect the operation of the Access Manager console. This is now fixed. (Ref: CS-40909)

·          Zone loading may be slow in an environment where the response of Global Catalog is slow. The performance is enhanced in this release by caching and optimizing Global Catalog accesses. (Ref: CS-42711)

Centrify Report Services

 

·          Fixed a bug that caused an unexpected error while running the Report Services Configuration Wizard on a machine running Windows 10 version 1703. Note: If you are using Windows 10 version 1703, Centrify recommends using Task Manager to verify that the process Centrify.Report.TempService is not running, and terminating it before upgrading Centrify Report Services. (Ref: CS-43004)

3.2.          Bugs Fixed in Centrify DirectControl 5.4.0 (Suite 2017)

DirectControl Agent

 

·          In previous versions, if the DirectControl agent was installed on Ubuntu 16.04, the GUI login service (lightdm) could not start. This is now fixed. (Ref: CS-40556)

·          The RPM package now includes a changelog. (Ref: CS-40525)

·          The Local Account Management feature now updates /etc/passwd and /etc/group only if changes are required. (Ref: CS-42083)

·          The DBM files for the local cache of automount maps were not lock-protected, which could result in an empty map entry being returned. The affected scripts are adauto.pl and adautouser.pl. They are now lock-protected. (Ref: CS-41977, CS-42154)

·          "adcdiag -f" now only supports the "mfa" argument. (Ref: CS-40152)

·          The adcert command can now handle the special character "/" in the certificate template name. (Ref: CS-41989)

·          The adflush command could leave zombie nscdrestart.sh processes under heavy load. This is now fixed. (Ref: CS-41610)

·          "adflush -f" incorrectly removed entries in /etc/security/limits for Centrify-managed local users. This is now fixed. (Ref: CS-40907)

·          "adinfo -y cloud" now shows the correct connector in use. (Ref: CS-41546)

·          Fixed an issue where adquery incorrectly displayed a user account as unlocked (accountLocked:false) when it was locked. (Ref: CS-40944)

·          The curl command shipped in the Centrify package could fail on some RHEL versions because of inconsistent certificate store locations. This is now fixed. (Ref: CS-40923)

·          Previously, when env_reset was enabled (the default) and the -s option was not used, dzdo set the SHELL environment variable to the shell of the invoking user. Now, when env_reset is enabled and -s is not used, SHELL is set to the shell of the target user. (Ref: CS-40885)

·          Fixed an issue where the validator failed to obtain the dzdo command-line string because of certain special characters, causing the dzdo command to fail. (Ref: CS-40360)

·          Fixed an issue where the DirectControl agent may crash when retrieving a large number of local users or groups. (Ref: CS-41127)

·          The DirectControl agent background process that updates ALTUPN now skips unreachable domains. (Ref: CS-40665)

·          Sometimes the DirectControl agent failed to recover from disconnected mode because the background recovery thread was busy. This is now fixed. (Ref: CS-41268)

·          On RHEL 7.2 with systemd, the DirectControl agent now starts with the options passed to /usr/share/centrifydc/bin/centrifydc. (Ref: CS-40727)

·          The DirectControl watchdog sometimes incorrectly restarted an adclient process that was shutting down normally. This is now fixed. (Ref: CS-40636, CS-41653)

·          Fixed a bug that caused cross-domain group queries to fail when both configuration parameters adclient.preferred.login.domains and adclient.cache.upn.index: true were set. (Ref: CS-39834)

·          Fixed a bug that caused zone users to disappear when a DirectAuthorize role was renamed. (Ref: CS-40120)

·          Computer account authentication did not work if "adclient.user.computers" was set to "true". This is now fixed. (Ref: CS-41202)

·          Fixed a bug where setting "pam.auth.create.krb5.cache" to "false" resulted in an unexpected value in the KRB5CCNAME environment variable. (Ref: CS-40381)

·          Fixed a bug in the DirectControl SELinux module so that logrotate works correctly with /var/log/centrify_client.log. (Ref: CS-40170)

·          A bug in handling the ACL of krb5.keytab caused Kerberos to fail when connecting an Oracle database to Active Directory across two domains with a one-way trust. This is now fixed. (Ref: CS-40605)

·          Fixed a problem that made the DirectControl agent inoperable on AIX VIOS version 2.2.2 or later. The DirectControl AIX package is now 64-bit to solve this problem. (Ref: CS-40107)

·          Because the DirectControl AIX package changed from 32-bit to 64-bit, the system script /etc/rc.tcpip is modified during upgrade: the sections added to /etc/rc.tcpip by previous DirectControl releases are replaced. This applies to AIX only. (Ref: CS-42557)

·          On AIX, the log rotation script generated an error-level syslog message if /var/log/centrify_client.log did not exist. This is now an info-level message. (Ref: CS-40959)

·          On AIX, a memory leak in the DirectControl authentication module in LAM mode affected AIX authentication processes such as db2ckpwd in the DB2 plug-in. This is now fixed. (Ref: CS-40810)

·          NSCD on Solaris is not thread-safe during enumeration, so the DirectControl NSS module could cause a core dump. This is now fixed with new mutex logic. (Ref: CS-40485)

DirectManage Access Manager

 

·          In the "Browse for Container" dialog, one-way trusted domains were not displayed if there was no global catalog server in the trusted domain, so Active Directory users from trusted domains could not be added to a zone in the trusting domain in a one-way trust environment. This is now fixed. (Ref: CS-42105)

·          Access Manager could display an erroneous message, "Insufficient access right to create or modify the zone", even though the user was not creating a new zone. This is now fixed. (Ref: CS-40976)

·          The Sudoers Import feature in Access Manager is now disabled if Microsoft SQL Server Compact 3.5 SP2 is not installed. (Ref: CS-40279)

·          Sometimes, after performing a sudo import, the Pending Import node was missing from the Users and Groups node of computers joined to a hierarchical zone. This is now fixed. (Ref: CS-40514)

·          Fixed an issue where Access Manager and PowerShell did not return the UNIX profile after an Active Directory user account was moved from one trusted domain to another. (Ref: CS-41406, CS-41407)

·          The default login name when creating a user profile in a hierarchical SFU zone is now inherited from the User Default settings. (Ref: CS-29682)

·          The MFA group policy "Enable multi-factor authentication for express, autozone, and classic zone" is renamed to "Enable multi-factor authentication for autozone and classic zone". (Ref: CS-40299)

·          Fixed a problem where effective UNIX user rights for hierarchical SFU zones were not displayed in the 'Effective User Rights' dialog. (Ref: CS-40756)

·          Effective UNIX User Rights could fail to show any result if the LocalUsers or LocalGroups container did not exist under the zone or computer zone (for example, zones created before Suite 2016). This is now fixed. (Ref: CS-40908)

·          Effective UNIX User Rights could fail to show any result if there were two computer zones with the same computer scope name under the same parent zone. This is now fixed, and a warning message, "Conflicted computer scope: <scope name>, scope path: <scope path>.", is logged. (Ref: CS-41442)

Centrify Report Services

 

·          Fixed a bug that generated an event log message about starting up the database 'ReportServer$XXTempDB' every 10 minutes. (Ref: CS-39053)

Group Policies

 

·          The XML-based group policy processor had a bug in handling value deletion, in particular when a GP value was enabled in a higher-level global GP and deleted in a lower-level delta GP. This is now fixed. (Ref: CS-42031)

·          The user group policy RunCommand can now determine which user it was invoked for. The run command for a user group policy runs as root, but previously it was not told which user it was running for. With this fix, the user name is provided in the environment variable user (in Perl, $ENV{user}). (Ref: CS-42264)

adedit

 

·          adedit now supports AIX group extended attributes with the following commands: set_zone_group_field and get_zone_group_field. (Ref: CS-40220)

·          adedit now also supports AIX extended attributes for local user management. (Ref: CS-41844)

·          adedit now issues a warning when the UNIX name of a UNIX profile being created is the same as the sAMAccountName of another Active Directory user in the current domain. The message "Warning: zone user is created, but has the name same as another AD user in current domain" is output. (Ref: CS-38789)

·          Fixed an issue where the Tcl procedure is_user_effective in ade_lib.tcl did not break out of the traversal loop. (Ref: CS-42169)

·          Fixed a bug where an Active Directory user was not created correctly via adedit when no domain controller was set in the kset.dc.domain file. (Ref: CS-41793)

Zone Provisioning Agent

  

·          The maximum length of a message string in the event log is reduced from 32,766 bytes to 31,839 bytes. A message string longer than 31,839 bytes is split across several records. (Ref: CS-41983)

Centrify LDAP Proxy

 

·          ldapproxy could fail to return a user record if the user entry had any binary attribute, for example userCertificate. This is now fixed. (Ref: CS-41046)

·          ldapproxy now supports more complex searches, such as search by member with posixGroup, and search by sAMAccountName with posixAccount/posixGroup. (Ref: CS-34621, CS-39880, CS-40242)

The following are some examples:

·          "(&(objectClass=posixAccount)(sAMAccountName=<user's sAMAccountName>))"

·          "(&(objectClass=posixGroup)(sAMAccountName=<group's sAMAccountName>))"

·          "(&(objectClass=posixGroup)(|(memberUid=<user's UNIX name>)(member=<user's DN>)))"

·          "(&(objectClass=posixGroup)(|(memberUid=<user's UNIX name>)(uniqueMember=<user's DN>)))"

Please note:

·          These searches return UNIX-enabled users and groups only.

·          'posixGroup.member' and 'posixGroup.uniqueMember' both map to the _MemberDN attribute in rfc2307.map.
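Because these filters are usually assembled from a user-supplied name or DN, the following Python helper, added here as an example and not part of Centrify LDAP Proxy or its documentation, builds the four filters above with RFC 4515 escaping of the assertion value, so that a name such as `*)(objectClass=*` cannot widen the search to every account. The attribute names come from the examples above; the sample names and DNs are constructed.

```python
"""Build the ldapproxy search filters listed above with RFC 4515 escaping.

Added example (not part of Centrify LDAP Proxy or its documentation). Attribute names
come from the examples above; the sample names and DNs below are constructed.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_SPECIAL = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape one assertion value so it cannot close the attribute and add its own terms."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII is escaped byte-wise as UTF-8, as RFC 4515 allows.
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def user_by_sam(sam_account_name):
    """UNIX-enabled user looked up by sAMAccountName."""
    return "(&(objectClass=posixAccount)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def group_by_sam(sam_account_name):
    """UNIX-enabled group looked up by sAMAccountName."""
    return "(&(objectClass=posixGroup)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def groups_of_user(unix_name, user_dn, member_attr="member"):
    """Groups that list the user either by UNIX name (memberUid) or by DN.

    member and uniqueMember both map to _MemberDN in rfc2307.map, so either spelling
    gives the same result; the DN is an assertion value here and is escaped like any other.
    """
    if member_attr not in ("member", "uniqueMember"):
        raise ValueError("member_attr must be 'member' or 'uniqueMember'")
    return "(&(objectClass=posixGroup)(|(memberUid=%s)(%s=%s)))" % (
        escape_filter_value(unix_name), member_attr, escape_filter_value(user_dn))


if __name__ == "__main__":
    # Constructed inputs: a normal name, a DN with an escaped comma, and an injection attempt.
    print(user_by_sam("jdoe"))
    print(group_by_sam("unixadmins"))
    print(groups_of_user("jdoe", "CN=Doe\\, Jane,OU=Users,DC=example,DC=com"))
    print(groups_of_user("jdoe", "CN=jdoe,OU=Users,DC=example,DC=com", "uniqueMember"))
    # Without escaping this would become (sAMAccountName=*)(objectClass=*) and match everyone.
    print(user_by_sam("*)(objectClass=*"))
```

The DN case is the one most often got wrong: a DN that itself contains an escaped comma (CN=Doe\, Jane) carries a backslash, which must be written as \5c inside a filter even though it is valid as a DN. Pass the resulting string to ldapsearch or an LDAP client library as the filter argument unchanged.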

Centrify OpenSSH

 

·          Fixed an issue so that the Centrify sshd session process is granted the correct "OOM score". (Ref: CS-41734)

·          An issue causing sshd to hang on AIX when running "ssh -t" is now fixed. (Ref: CS-40488)

·          In previous releases, Centrify OpenSSH denied SFTP access to normal users if 'rlogin = false' was set in '/etc/security/user' on AIX. A new sshd_config option, 'RloginControlSftp', controls this behavior. The default is 'yes', which means SFTP access is denied as in previous releases. Setting the option to 'no' grants the user SFTP access while still denying SSH login. Note that root login via SSH respects neither 'rlogin' nor 'RloginControlSftp'; it is controlled by the 'PermitRootLogin' setting in sshd_config. In addition, the sshd_config 'AllowUsers' setting always takes precedence over the AIX 'rlogin' setting: for example, a user listed in 'AllowUsers' can still log in even when 'rlogin' is set to 'false'. (Ref: CS-40484)

RHEL and CentOS Smartcard

 

·          Fixed an issue that could cause Smart Card name mapping to malfunction when the serial number and CN values were merged in the certificate subject name. (Ref: CC-42564)

3.3.          Bugs Fixed in Centrify DirectControl 5.3.1 (Suite 2016.1)

DirectControl Agent

 

·          In this release, ldapsearch returns the distinguished name of the matched object if the attribute requested is the objectIdentifier (1.1). Previously no attribute was returned. (Ref: CS-39572)

·          For an Active Directory user from a forest with a one-way outbound trust, the password hash cached by the DirectControl agent was erased after it expired, so the user could not log in in disconnected mode. This is now fixed. (Ref: CS-39712)

·          The password prompt does not include the user name. In this release, the environment variable CDC_USER is added to provide the login user name. (Ref: CS-38474)

·          Adds a new rule for "krb5.ccache" to the SELinux policy for the DirectControl agent. (Ref: CS-39599)

·          Fixed a parsing issue in the DirectControl agent that caused DirectAuthorize commands containing '|' in their fields to be skipped. (Ref: CS-39308)

·          In previous releases, an Active Directory user in an AIX logical partition on a VIO server could not run VIO server commands such as ioslevel, because the AIX extended attribute default_roles was not supported. This is fixed in this release. Note that you need to run the adedit set_zone_user_field command to set the desired role in default_roles; this is not done automatically. (Ref: CS-39819)

DirectManage Access Manager

 

·         In previous releases, if another MMC application was running, the DirectManage installer displayed the message "An existing MMC.exe is running. Please close all the existing MMC.exe". The dialog now lists the running applications and lets you retry after closing them. (Ref: CS-36116)

Centrify Report Services

 

·          Improved report performance and scalability to support large environments. (Ref: CS-38802)

·          Since roles and privileges are stored and calculated differently for classic and hierarchical zones, separate views are created for classic and hierarchical zones.  These views are:

o    EffectiveAuthorizedUsers_Computer_Classic

o    EffectiveAuthorizedUsers_Computer_Hierarchical

o    EffectiveRoleAssignment_Classic

o    EffectiveRoleAssignment_Hierarchical

Use these zone-type-specific views if your environment has only one zone type.

·          In prior releases, Report Services could not complete synchronization from Active Directory when it encountered an Active Directory object with a malformed timestamp. In this release, Report Services detects and logs all relevant information about the object with the malformed timestamp and continues with the other Active Directory objects. (Ref: CS-39486)

·          In prior releases, empty strings were not allowed in textbox report filters. They are now allowed and behave as if the filter is not used. (Ref: CS-36211)

Group Policies

 

·          Group policies "Computer Configurations" -> "Centrify Settings" -> "DirectControl Settings" -> "Allow adclient to lookup user by common name" and "Allow adclient to lookup user by display name" are removed. Please use group policies "Computer Configurations" -> "Centrify Settings" -> "DirectControl Settings" -> "Network and Cache Settings" -> "Enable user lookup and login by CN" and "Enable user lookup and login by displayName" for the same configuration.  (Ref: CS-39212)

adedit

 

·          The create_zone, get_zone_field and set_zone_field commands did not return the default user name and group name if they were not initialized. This is now fixed. (Ref: CS-38947)

3.4.          Bugs Fixed in Centrify DirectControl 5.3.0 (Suite 2016)

DirectControl Agent

 

·          The Kerberos credentials of logged-in users are now renewed when the machine goes back to connected mode after a reboot in disconnected mode. (Ref: CS-39183)

·          The issue of mapped users defined in passwd.ovr intermittently being unable to log in is now fixed. (Ref: CS-36108)

·          Because of an error when parsing a PAC (Privilege Attribute Certificate) that has a compressed SID in the resource group field, zoned users could not log in and adquery reported a NULL SID for these users. This is now fixed. (Ref: CSSUP-6606, CS-36209)

·          With NTLM authentication turned on, if the user principal name differed from the canonical name (also known as the pre-Windows 2000 logon name), the user could not log in. This is now fixed. (Ref: CS-36231)

·          Some applications, such as Apache Tomcat, may send an empty NTLM Challenge packet to check whether the DirectControl agent supports NTLM authentication. This crashed the DirectControl agent. In this release, the agent returns a "Bad packet" error to the sender. (Ref: CS-35958)

·          For an Active Directory user from a forest with a one-way outbound trust, if a role assignment was added or removed after the zone user profile was cached by the DirectControl agent, the user could not be displayed on or removed from the UNIX machine unless the local cache was flushed. This is now fixed. (Ref: CS-38628)

·          When using a password override in passwd.ovr, if the user's UNIX account name differed from the Active Directory account name, the user could not log in. This is now fixed. (Ref: CS-36301)

·          The current auto mount map inheritance scheme in adauto.pl supports only zone hierarchy in the same domain. Thus, if the automount maps are defined in a parent domain, the child domain cannot read the automount maps and cannot inherit the automount maps.  This is now fixed.  (Ref: CS-35343)

·          When there are a large number of NIS map entries in Active Directory, the auto_maps cache keeps growing. This is due to deleted entries in the underlying database not being purged. This release fixes this issue. (Ref: CS-35959)

·          Previously, dzinfo displays the same role and the role assignment multiple times for a user if the role is assigned via multiple role assignments.  In this release, dzinfo now shows only one role with multiple role assignments. (Ref: CS-35763)

·          In this release, when environment variables for command execution are customized through dzdo command settings or centrifydc.conf options, the listed values replace the existing list instead of being added to it as in prior releases. Note that this may affect current dzdo use: for example, if a machine has the centrifydc.conf option 'dzdo.env_keep' set as 'dzdo.env_keep: VAR', then only 'VAR' is now kept, and all other entries in the default list, such as 'PATH' and 'KRB5CCNAME', are removed. Check and update these settings accordingly. (Ref: CS-36094)

·          This release fixes the long delay before the password prompt is displayed on Solaris and HP-UX during dzdo command execution when there is a large number of groups in the current zone. (Ref: CS-39064)

·          This release fixes the slow login or timeout on Solaris and HP-UX that could occur when sshd_config has group-checking options such as 'DenyGroups' and the zone has many groups. (Ref: CS-8246)

·          In previous releases, when command-level auditing was enabled, "dzdo -i" failed unless the right to run /bin/centrifyda or the audited shell command rights were granted to the role. This is fixed to work with command auditing in DirectAudit 3.2.2 (Suite 2015) or newer. Note that you still need to grant command rights to /bin/centrifyda when an unknown shell is used. (Ref: CS-35465)

·          Starting in this release, the Centrify OpenSSH ssh-keygen program always links with the Centrify libcrypto.so. In previous releases, depending on the order of $LIBPATH, it could link to a non-Centrify libcrypto.so, resulting in missing symbols or unexpected results. (Ref: CS-8238)

·          In this release, the customer's copy of /etc/dzshrc is no longer replaced with the one in the package during upgrade. (Ref: CS-35980)

·          If 'compat' is listed before 'centrifydc' in the passwd section of nsswitch.conf, getent passwd <user> failed to return zoned AD user information when NSCD was running. This is now fixed. (Ref: CS-35899)

·          When an Active Directory user without root permission runs adinfo, it prints out "WARN  base.nocachemode Disabling the agent directory cache" message in centrifydc.log. This problem it is fixed. (Ref: CS-36444)

·          This release adds new SELinux rule to support automount to avoid the intermittent automount disconnect issue. (Ref: CS-36399)

·          Amazon Linux AMI is not a supported OS but it passes adcheck and the install script in previous releases. It is now fixed. (Ref: CS-38472)

·          Starting with this release, the "R" option in install.sh installs an add-on package (such as CentrifyDA or Centrify OpenSSH) if it is not already present. (Ref: CS-38529)

·          In previous releases, syslog facility other than ‘auth’ in the ‘logger.facility.*’ parameter is ignored.  This release allows any syslog facilities to be added, one facility per line. (Ref: CS-35902)

DirectManage Access Manager

 

·          To support the new features in DirectManage Access Manager, the installer overwrites %windir%\System32\Mmc.exe.config after upgrade. The original file is backed up to %APPDATA%\DirectManage Access Manager\Mmc.exe.config. If you have customized Mmc.exe.config, you need to merge your changes into the new configuration file manually. (Ref: CS-34553, CS-38329)

·          Running the "Hierarchical zone – Windows User Effective Rights" report from Report Center took a long time or could fail. This report is now replaced by the "Hierarchical Zone- Effective Rights Report" from Reporting Services. (Ref: CS-29910)

·          In previous releases, the registry value "Notification Packages" under the registry key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" was overwritten when the Password Synchronization Extension was installed. The value is now appended to instead. (Ref: CS-36138)

·          Instead of removing all existing members from the target group and adding them again, CopyGroup.exe now adds or removes only the members that differ from the source group. (Ref: CS-38918)

·          In this release, we no longer automatically install Microsoft SQL Server Compact 3.5. (Ref: CS-38693)

Access Module for PowerShell

 

·         PowerShell scripts using Centrify Access Module may use up a lot of memory if the PowerShell is running in STA mode.  This is because COM (Component Object Model) objects being used in Centrify Access Module for PowerShell cannot be released in timely manner.  This release enables MTA mode to eliminate this problem. (Ref: CS-35744)

Group Policies

 

·          The .NET default maxLength value for a textbox is 32767 characters, which is not enough for the sudoer content textbox of the sudo rights group policy. This release changes the maxLength to 10485760 characters. (Ref: CS-35918)

adedit

 

·          The get_user_role_assignments command returns error "Malformed DN" if the user’s distinguished name contains white spaces.  This issue is fixed. (Ref: CS-35950)

·          The PAM autoedit scripts for adjoin and adleave are updated to continue even when errors are encountered during processing.  The errors are reported at the end of processing. (Ref: CS-36492)

Centrify Network Information Service

 

·         adnisd stops functioning in AIX sporadically with multiple interfaces.  The adnisd service is hanging at times and ypwhich and ypcat commands from the client systems get the error "Domain not Bound".  This is fixed in this release. (Ref: CS-35880, CS-35890)

Centrify LDAP Proxy

 

·          In DirectControl agent 5.2.3, ldapsearch could find an auto-private group only by its group ID. The auto-private group can now also be searched by its group name. (Ref: CS-36468)

Centrify OpenSSH

 

·          When doing a remote-to-remote scp that requires password authentication for both hosts, such as 'scp host1:/path/file1 host2:/path2/file2', the scp session fails to authenticate to the second host. This problem is fixed in this release. (Ref: CS-8240)

·          If a local user adds '/usr/sbin:/sbin' to the PATH environment variable, these two paths are removed from PATH when a bash shell is opened after Centrify OpenSSH is installed. This problem happens only on Red Hat family Linux and is now fixed. (Ref: CS-38398)

·          Fixed an issue on HP-UX where the service startup log, /etc/rc.log, reports 'FAILED' for the disabled stock ssh service. (Ref: CS-8258)

4.     Known Issues

 

The following sections describe common known issues or limitations associated with this Centrify Server Suite release.

 

For the most up-to-date list of known issues, log in to the Customer Support Portal at http://www.centrify.com/support and refer to the Knowledge Base articles for known issues with the release.

DirectControl Agent

 

·          If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, MFA will be required for all AD users. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)

·          On AIX, upgrading DirectControl in disconnected mode may cause unexpected behavior. (Ref: CS-30494a)

 

On AIX, upgrading DirectControl from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after the upgrade. It is recommended not to upgrade DirectControl in disconnected mode.

 

·          On some versions of AIX, users may not be able to log in if LOGIN_NAME_MAX is set to 9. (Ref: CS-30789a)

 

Some versions of AIX cannot handle user names longer than eight characters. As a preventive measure, a new test case has been added to adcheck that checks whether the parameter LOGIN_NAME_MAX is set to 9. If so, adcheck shows a warning so that users are aware of it.

 

·          Potential issues on Fedora 19 and above (Ref: CS-31549a, CS-31730a)

 

There are several potential issues on Fedora 19 and above:

1)  adcheck will fail if the machine does not have Perl installed.

2)  Group Policy will not be fully functional unless Text/ParseWords.pm is installed.

 

·          Using DirectControl 4.x agents with DirectControl 5.x (Ref: IN-90001)

 

DirectControl 4.x agents can join classic zones created by DirectControl 5.x. A DirectControl 4.x agent will ostensibly be able to join a hierarchical zone as well, but this causes failures later, as such behavior is undefined.

 

·          Default zone not used in DirectControl 5.x (Ref: IN-90001)

 

In DirectControl 4.x, and earlier, there was a concept of the default zone. When DirectControl was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.

 

This concept has been removed from DirectControl 5.0.0 and later, as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.

 

A zone called "default" may be created, and default zones created in earlier versions of DirectControl may still be used, but the zone name must be specified explicitly.

 

·          Change password and rsh / rlogin (Ref: IN-90001)

 

When using rsh or rlogin to access a computer that has DirectControl installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.

 

·         When logging in to a RedHat system as an Active Directory user that has the same name as a local user, the system does not warn the user of the conflict, which results in unpredictable login behavior. The workaround is to remove the conflict or to log in with a different AD user. (Ref: CS-28940a, CS-28941a)

adedit

 

·          The adedit command set_local_group_profile_field may not work well if there are too many members in a local group, i.e. if the resulting string is more than 256 characters long. Refer to the Knowledge Base for a workaround. (Ref: CS-42823)

Smart Card

 

·          There is a Red Hat Linux desktop selection issue with smart card login on RHEL 7. When logging in with a smart card, if both the GNOME and KDE desktops are installed, the user can only log in to the GNOME desktop even when the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)

 

·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smart card is inserted at the login screen, the PIN prompt may not appear until you press the "Enter" key. The workaround is to replace libsoftokn3.so, a shared object file in the NSS package, with the older one from RHEL 5.9. (Ref: CS-35038a)

 

·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after logging in with a smart card. The workaround is to replace libsoftokn3.so, a shared object file in the NSS package, with the older one from RHEL 5.9. (Ref: CS-33871a)

 

·          When a SmartCard user attempts to log in on Red Hat 6.0 with an expired password, the authentication error message may not mention that authentication failed because the password has expired. (Ref: CS-28305a)

 

·          On RedHat, any SmartCard user gets a PIN prompt even if he is not zoned, although the login attempt will ultimately fail. This differs from Mac behavior: on Mac, a SmartCard user who is not zoned is not prompted for a PIN at all. (Ref: CS-33175c)

 

·          If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log in to the machine using the expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and password logins while a smart card is in use. (Ref: CS-28926a)

 

·          Requirements for logging in successfully in disconnected mode (Ref: CS-29111a):

o    For a password user:

§  A password user must log in successfully once in connected mode before logging in in disconnected mode. (This is consistent with other CDC Unix behavior.)

o    For a SmartCard user:

§  The above does not apply to SmartCard login. Given a properly configured RedHat system with a valid certificate trust chain and CRL set up, a SmartCard user may log in successfully in disconnected mode even without a prior successful login in connected mode.

§  If the certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt fails.

§  If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, the system rejects the user.

 

·          After upgrading from Centrify DirectControl version 5.0.4 to version 5.1, a Smartcard user may not be able to log in successfully. The workaround is to run the following CLI commands:

 

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

 

then run adgpupdate. (Ref: CS-30025c)

 

·          When CRL checking is set via Group Policy, authenticating via Smartcard may fail. The workaround is to wait until the Group Policy update interval has elapsed and try again, or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)

 

·          After upgrading from Centrify DirectControl version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to run the following command sequence:

 

sctool -d

sctool -e

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

adgpupdate

 

and then log in again using the SmartCard and PIN. (Ref: CS-30353c)

 

·          A name-mapping user can unlock the screen with a password even though the previous login was with a PIN. (Ref: CS-31364b)

 

·          The PIN must be entered twice to log in with a CAC card and PIN on RedHat. The first attempt fails but the second succeeds. (Ref: CS-30551c)

 

·          Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)

·         Screen saver shows password not PIN prompt (Ref: CS-31559a)

Most smart card users are allowed to log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this setup works seamlessly: the user either enters a user name and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks while the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password rather than a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card locks once the limit for incorrect entries is reached.

·          On RHEL 7, an Active Directory user authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7 (https://bugzilla.redhat.com/show_bug.cgi?id=1238342). This problem does not happen on RHEL 6. (Ref: CSSSUP-6914c)

DirectManage Access Manager

 

·          Access Manager may have an issue handling a local group profile if the local group has more than 1000 members. A similar issue exists in the corresponding commands in the Access Module for PowerShell and adedit. (Ref: CS-42949, CS-42950, CS-42823)

Report Services

 

·          The SQL Server Availability Group feature in SQL Server 2012 is not supported. (Ref: CS-39674)

·          When Report Services is configured in Domain mode, the report data of a deleted domain cannot be cleaned up if Microsoft Distributed Transaction Coordinator (MSDTC) is turned off on the machines running Report Services or the Report database. (Ref: CS-43130)

Access Module for PowerShell

 

·          The local group profile update command may not work well if there are too many users in a local group (i.e. if the resulting string is more than 256 characters long). (Ref: CS-42950)

Zone Provisioning Agent

 

·          The commands copyGroup and copyGroupNested may fail due to Active Directory replication delay. (Ref: CS-42590)

5.     Additional Information and Support

 

In addition to the documentation provided with this package, you can find answers to common questions, information about general or platform-specific known limitations, and tips and suggestions in the Centrify Knowledge Base.

 

The Centrify Resources web site provides access to a wide range of information, including analyst reports, best practice briefs, case studies, datasheets, ebooks and white papers, that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Server Suite, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.