Centrify® ADBindProxy 5.4.0 Release Notes

© 2004-2017 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

Table of Contents

1.      About This Release. 1

2.      Package Contents. 2

3.      Supported Platforms. 2

4.      Feature Changes. 3

4.1.       Feature Changes in ADBindProxy 5.4.0. 3

4.2.       Feature Changes in ADBindProxy 5.3.0. 3

5.      Bugs Fixed. 3

5.1.       Bug Fixed in ADBindProxy 5.4.0. 3

5.2.       Bug Fixed in ADBindProxy 5.3.0. 3

6.      Getting Started. 4

7.      Known Issues. 5

8.      Additional Information and Support 6

 

1. About This Release

Centrify ADBindProxy is a proxy agent package that seamlessly integrates the DirectControl agent in Centrify Server Suite with open source Samba (referred to as stock Samba in this document), enabling the two products to share Active Directory user and group membership and to agree upon Unix identity attributes for Active Directory users. It is a proxy that passes identity management requests from Samba to DirectControl.

This Centrify ADBindProxy release supports stock Samba version 4.x. You are strongly advised to apply the latest security patches from Samba first before deploying Centrify ADBindProxy.

Documentation, Samba Integration Guide (centrify-adbindproxy-guide.pdf), is available online to guide customers through the setup and configuration of Centrify ADBindProxy in both new and existing environments.

The latest copies of this release notes as well as the above-mentioned documentation are available online at http://docs.centrify.com.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391.

2. Package Contents

The Centrify ADBindProxy bundle package contains the following resources:

·         Centrify ADBindProxy software package (e.g. rpm, or deb file)

·         Centrify ADBindProxy Release Notes (Centrify-Adbindproxy-Release-Notes.html – this release notes)

3. Supported Platforms

The Centrify ADBindProxy bundle package is available on the following OS/platforms in this release:

·        HPUX on Itanium

·        HPUX on PA-RISC

·        IBM AIX on PPC

·        Oracle Solaris on SPARC

·        Oracle Solaris on x86

·        Debian on i386

·        Debian on x86_64

·        Red Hat Enterprise Linux on PPC

·        Red Hat Enterprise Linux on i386

·        Red Hat Enterprise Linux on x86_64

·        SUSE Linux Enterprise Server on i386

·        SUSE Linux Enterprise Server on x86_64

 

This release supports stock Samba version 4.x.

For the OS versions that a particular Centrify ADBindProxy bundle package supports, please refer to the supported OS versions of the matching DirectControl agent package of the corresponding Centrify Server Suite release. Similarly, Centrify ADBindProxy also follows Centrify DirectControl’s schedule for End-of-Support platforms and hence please refer to the announcements there.

4. Feature Changes

4.1.  Feature Changes in ADBindProxy 5.4.0

This release of Centrify ADBindProxy works with Centrify Server Suite 2017. Note: It does not work with previous Centrify Server Suite releases and previous version of ADBindProxy does not work with Centrify Server Suite 2017 on AIX and HPUX.

No new package is introduced in this release.

4.2.  Feature Changes in ADBindProxy 5.3.0

This is the first release of the standalone Centrify ADBindProxy package that works directly with stock Samba version 4.x.

Starting with this release, Centrify Samba package, based on stock Samba version 3.x, is no longer available because version 3.x is end-of-life by samba.org, which means no more security patches or support.

With the release of this product, all previous Centrify Samba packages are end-of-life immediately.

To get information on the release history of stock Samba, please go to:

http://www.samba.org/samba/history/

This Centrify ADBindProxy release supports Centrify Server Suite 2013.3 or above on the same set of OS platforms/versions that are supported by the previous Centrify Samba version 4.5.9 and Centrify DirectControl agent. Please refer to the supported platform list of Centrify DirectControl agent for the complete list. In addition, RHEL on PowerPC architecture is a newly supported platform.

5. Bugs Fixed

5.1.  Bug Fixed in ADBindProxy 5.4.0

·        Fixed a bug that ADBindProxy accidentally removed samba from system startup. (Ref: SAMBA-976)

·        Fixed a bug on AIX that ADBindProxy accidentally removed the executable bit from /etc/rc.tcpip. (Ref: SAMBA-985)

5.2.  Bug Fixed in ADBindProxy 5.3.0

·        This is the first release of the standalone Centrify ADBindProxy package.

6. Getting Started

·         Read the centrify-adbindproxy-guide.pdf that is included in this package.

 

·         The following is a summary of the steps to install and configure Centrify ADBindProxy. Please refer to the instructions in centrify-adbindproxy-guide.pdf for details.

-   Preparation

-   If there is no Samba installed, install stock Samba first. Many Linux OS already include Samba.

-   If you are doing a fresh ADBindProxy installation in an environment with stock Samba running, back up smb.conf just in case.

-   If you are upgrading from an existing Centrify Samba environment:

-   Back up your smb.conf.

-   Uninstall Centrify Samba.

-   Install stock Samba and make sure it works in your environment (Note that you will need to replace or merge the smb.conf from stock Samba with your back-up copy. This is especially important if you have file path settings in the original smb.conf).

-   Install and configure ADBindProxy

-   Install Centrify DirectControl agent if you have not already done it.

-   Install Centrify ADBindProxy package.

-   If you are using Centrify DirectControl agent from Centrify Server Suite 2016 on a Redhat 7.x platform, you need to do these extra steps:

-   Open a command terminal and run the following commands:

vi /etc/centrifydc/scripts/functions.cdc

-   Comment out the two lines containing LD_LIBRARY_PATH, e.g.

-   # LD_LIBRARY_PATH=/usr/share/centrifydc/lib64:/user/share/centrifydc/kerberos/lib64:$LD_LIBRARY_PATH

-   # export LD_LIBRARY_PATH

-   Save the file with the changes

-   Modify the symbolic link of adkeytab utility

-   cd /sbin

-   ls –l adkeytab

-   rm adkeytab

-   ln –s /usr/share/centrifydc/libexec/adkeytab /sbin/adkeytab

-   Join the machine to a zone using adjoin.

-   Run adbindproxy.pl to configure the proxy environment.

-   Additional steps

-   If you have customized any existing smb.conf settings, verify that the new smb.conf still have all the relevant settings.

-   Restart stock Samba and ADBindProxy by running either one of the following commands

-   /etc/init.d/centrifydc-samba restart

-   service centrifydc-samba restart

-   You may want to ensure stock samba’s sbin and bin paths have been set in PATH environment variables

7. Known Issues

The following sections describe common known issues or limitations associated with this ADBindProxy release from Centrify.

·         Limitations with stock Samba

 

In previous Centrify Samba, we modified the following in stock Samba for interoperability. Using stock Samba instead of Centrify Samba, you may see related issues.

-   Default Kerberos keytab location, KEYTAB_DEFAULT, from /etc/krb5.keytab to /etc/krb5/krb5.keytab on Solaris (SAMBA-890).

-   Default Kerberos cache location, CCNAME, from /tmp/krb5cc_%{uid} to /var/krb5/security/creds/krb5cc_%{uid}" on AIX (SAMBA-892).

 

·         Limitations with RHEL 7.2 PPC (SAMBA-965)

 

If you are using 64bit Samba on a RHEL 7.2 PPC machine, you may have problem with adclient failed to use the 64bit tdb library come with 64 bit Samba. The symptom can be shown in the error message while trying to access samba server - “session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO”.

You need to install a 32bit tdb library, e.g. libtdb-1.3.6-2.el7.ppc.rpm in rhel-server-7.2-ppc64-dvd.iso, for adclient to work with, and you need to tell adclient where to get this library by adding a parameter “samba.libtdb.path: /usr/lib/libtdb.so.1” into centrifydc.conf, assuming the path to libtdb is /usr/lib/libtdb.so.1.

 

·         Limitations with AIX7.1 (SAMBA-966)

 

If you are using ADBindProxy with stock Samba and Centrify Server Suite 2014 or 2013.3 on an AIX machine, it may not work well due to library problem. The symptom can be shown in the error message while trying to access samba server - “session setup failed: NT_STATUS_NO_LOGON_SERVERS”.

You may try the following changes on Samba tools, e.g. smbd, smbstatus and testparm, to get around it:

-   mv /usr/local/samba/sbin/smbd /usr/local/samba/sbin/smbd.x

-   vi /usr/local/samba/sbin/smbd

#! /bin/sh

unset _ LD_LIBRARY_PATH

unset _ LD_PRELOAD

LIBPATH=/usr/local/samba/lib:/usr/local/samba/lib/private

export LIBPATH

exec /usr/local/samba/sbin/smbd.x "$@"

 

·         Limitations with wbinfo command (SAMBA-971)

 

Using wbinfo command to look up user or group information does not work properly, e.g. wbinfo –n username, wbinfo –s sid, wbinfo –g, wbinfo –u. You may use adquery command instead.

8. Additional Information and Support

In addition to the documentation provided for this package, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.

The Centrify Resources web site provides access to a wide range of information including analyst report, best practice brief, case study, datasheet, ebook, white papers, etc., that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

http://www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Samba, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.