Centrify® Server Suite 2017 DirectControl® 5.4.0 Release Notes

© 2004-2017 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

 

Table of Contents

1. About This Release
2. Feature Changes
   2.1. Feature Changes in DirectControl 5.4.0 (Suite 2017)
        Security Fix
        General
        DirectControl Agent
        Centrify LDAP Proxy
        DirectManage Access Manager
        Centrify Licensing Report
        Centrify Report Services
        Zone Provisioning Agent
        Access Module for PowerShell
        RHEL and CentOS Smartcard
   2.2. Feature Changes in DirectControl 5.3.1 (Suite 2016.1) August 2016 Update
        Security Fix
   2.3. Feature Changes in DirectControl 5.3.1 (Suite 2016.1)
        Security Fix
        DirectControl Agent
        DirectManage Access Manager
        Access Module for PowerShell
        Centrify Report Services
        Deployment Report
        Group Policies
        adedit
        Centrify OpenSSH
   2.4. Feature Changes in DirectControl 5.3.0 (Suite 2016)
        New Features
        General
        DirectManage Access Manager
        Report Center
        Access Module for PowerShell
        Zone Provisioning Agent
        Deployment Manager
        Group Policies
        Deployment Report
        adedit
        Centrify LDAP Proxy
        Centrify OpenSSH
        Supported Platforms
3. Bugs Fixed
   3.1. Bugs Fixed in Centrify DirectControl 5.4.0 (Suite 2017)
        DirectControl Agent
        DirectManage Access Manager
        Centrify Report Services
        Group Policies
        adedit
        Zone Provisioning Agent
        Centrify LDAP Proxy
        Centrify OpenSSH
        RHEL and CentOS Smartcard
   3.2. Bugs Fixed in Centrify DirectControl 5.3.1 (Suite 2016.1)
        DirectControl Agent
        DirectManage Access Manager
        Centrify Report Services
        Group Policies
        adedit
   3.3. Bugs Fixed in Centrify DirectControl 5.3.0 (Suite 2016)
        DirectControl Agent
        DirectManage Access Manager
        Access Module for PowerShell
        Group Policies
        adedit
        Centrify Network Information Service
        Centrify LDAP Proxy
        Centrify OpenSSH
4. Known Issues
        DirectControl Agent
        DirectAuthorize on Linux/UNIX
        DirectControl Auto Zone mode
        Smart Card
        DirectManage Access Manager
        Report Center
        Report Services
        Access Module for PowerShell
        Zone Migration
        Group policies
        Centrify Network Information Service
        Centrify LDAP Proxy
        Centrify OpenSSH
        Interoperability with Centrify Samba
5. Additional Information and Support

 

 

1.    About This Release

 

Centrify Server Suite featuring DirectControl centralizes authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Server Suite, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. DirectControl, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on Legacy systems, separate identity from access management and delegate administration.  Centrify’s non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available in the Centrify Knowledge Base.

The Centrify Server Suite release notes and documents are available online at http://docs.centrify.com.

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2, 9,112,846, 9,197,670 and 9,378,391. (Ref: CS-40830)

2.    Feature Changes

 

For a list of the platforms supported by this release, refer to the “Supported Platforms” section in the Centrify Suite release notes.

For a list of platforms for which Centrify will remove support in upcoming releases, refer to the “Notice of Termination Support” section in the Centrify Suite release notes.

For a complete list of platforms in all currently supported DirectControl releases, refer to the “Centrify Server Suite, Standard Edition” section in the document available from www.centrify.com/platforms.

2.1.        Feature Changes in DirectControl 5.4.0 (Suite 2017)

Security Fix

DirectControl 5.4.0 contains the fix for a security issue where a maliciously crafted program may mislead the DirectControl agent into deleting any file. This can happen when the program is executed by a logged-in Active Directory user. (Ref: CS-42567)

General

 

·        Centrify Licensing Service

A new component, Centrify Licensing Service, is added to help users better manage their licenses. Instead of using DirectManage Access Manager to manage DirectControl licenses and Audit Manager to manage DirectAudit licenses, this new module provides a central place for Centrify Suite license management and viewing license usage. The license management capability in DirectManage Access Manager and Audit Manager is deprecated and will be removed in a future release. (Ref: CS-42019, CS-42081, CS-42194)

Note:

o   You should install and configure Centrify Licensing Service to take advantage of the enhanced license management capability. The DirectManage tools (Access Manager, ADUC extension and GPOE extension) will remind you upon startup if the new service is not running in the Active Directory forest. (Ref: CS-40823, CS-40966)

o   There is no need to install multiple copies of the Licensing service in a forest as each service performs the same task. The best practice is to install at least one copy and additional one(s) as required for redundancy.

·        Kerberos Armoring support

We now support the Flexible Authentication Secure Tunneling (FAST, aka Kerberos armoring) feature in Windows Server 2012 for the following options: (1) Not supported, (2) Supported and (3) Always provide claims. (Ref: CS-28823, CS-40613)

·        Additional data synchronization option in Centrify Report Service

In the Centrify Report Services, users can now choose to synchronize data from Active Directory based on zones instead of the original domain-based synchronization option. (Ref: CS-39513, CS-41245, CS-41254)

·        Audit Trail events

Two new common parameters, DAInst (Audit Installation Name) and DASessID (Audited Session ID), are added in an audit trail record to allow better SIEM integration for session replay. These fields will be N/A if DirectAudit is not installed. (Ref: CS-5698, CS-5711, CS-41965, CS-41995)

A new category “License Management” is added to the “Centrify Server Suite” audit trail events and the following 12 new events are assigned. Please refer to the Audit Event Administrator’s Guide for details. (Ref: CS-40971)

o   60100: DirectControl license key added.

o   60101: Fail to add DirectControl license key.

o   60102: DirectControl license key removed.

o   60103: Fail to remove DirectControl license key.

o   60104: DirectControl license container added.

o   60105: Fail to add DirectControl license container.

o   60106: DirectControl license container removed.

o   60107: Fail to remove DirectControl license container.

o   60200: DirectAudit license key added.

o   60201: Fail to add DirectAudit license key.

o   60202: DirectAudit license key removed.

o   60203: Fail to remove DirectAudit license key.

Note: The GP “Centrify Audit Trail Settings” takes care of all the available categories including the new one. (Ref: CS-42268)

·        Feature name change

The following names are changed in Centrify products:

o    Cloud Connector is now Centrify Connector.

o    Centrify Cloud, Cloud Service, Cloud Server are now collectively referred to as Centrify Identity Platform.

o    Cloud Authentication is now Centrify MFA Service authentication.

 

These changes may affect UI, group policies, log messages and documentation in general. (Ref: CS-41743, CS-41749, CS-41750)

·        Feature End of Life notice

With the introduction of the Report Services component in Suite 2016, this is the last supported release for the UNIX/Linux command line report utilities, addbloader and adreport. (Ref: CS-41628, CS-41783)

·        Important Upgrade notice

If you plan to upgrade to Suite 2017, you should upgrade all the components in this suite release. This is because of the following major infrastructure changes, which may cause compatibility issues with various components of previous versions:

o    DirectControl packaging change.

o    Kerberos library upgrade.

o    OpenSSL upgrade.

o    LRPC2 protocol enhancement.

You may find more details about each of the changes below in this section.

Please note that Centrify OpenSSH version 5.3.1 can still work with Suite 2017 except on AIX, where you must also upgrade Centrify OpenSSH to Suite 2017. (Ref: CS-42420)

Please also note that the current versions of DirectSecure and the DB2 plug-in are not compatible with Suite 2017. Centrify will be releasing new versions that interoperate with Suite 2017.

·        Changes in DirectControl packaging

Starting in Suite 2017, the following open source packages are no longer part of the DirectControl package and are shipped separately. (Ref: CS-40555)

o   CentrifyDC-openssl

o   CentrifyDC-openldap

o   CentrifyDC-curl

Doing so allows Centrify to respond faster to critical security patches from the open source community.

Note: These packages are prerequisites for installing the DirectControl package. Please be aware of this especially if you have your own installation/upgrade automation scripts or if you retrieve Centrify packages from a Yum/APT repository.

·        Package name change

The RHEL and SUSE RPM package file names are changed: (Ref: CS-40547)

o   From centrifydc*-<release#>-<OS>-<ARCH>.rpm to CentrifyDC*-<release#>-<OS>.<ARCH>.rpm

Example: CentrifyDC-openssh-7.3p1-5.4.0-rhel4.x86_64.rpm

o   From centrifyda-<release#>-<OS>-<ARCH>.rpm to CentrifyDA-<release#>-<OS>.<ARCH>.rpm

Example: CentrifyDA-3.4.0-suse10.i386.rpm

·        Open Source component upgrade

o   Centrify Kerberos library is upgraded based on stock MIT Kerberos 5-1.14.1. (Ref: CS-31783)

§  This includes security fixes for CVE-2015-2695, CVE-2015-2696, CVE-2015-2697. (Ref: CS-38994)

§  Two additional capabilities in this upgrade also help to address some known Single Sign-On (SSO) issues: (Ref: CS-42156)

·        You can now configure an alternate location for .k5login in krb5.conf. This means Kerberos can look for .k5login in a location other than user home directory.

·        The handling of SSO from SSH is made more secure: the Kerberos code now ensures that the principal name in the Kerberos credential resolves to the target user (from the zone mapping); otherwise the login attempt fails. This closes the loophole in the default processing, where SSO was allowed if the target user name matched only the first part of the Kerberos principal.

§  Kerberos armoring options (1) Not supported, (2) Supported, (3) Always provide claims, in Windows Server 2012 or above are also supported with this upgrade. However, we do not support option (4) Fail unarmored auth request (AS-REQ). (Ref: CS-28823, CS-40613)

§  This Kerberos library upgrade may cause some minor behavior changes, but in general the SSO behavior remains the same. However, to block SSO for a local user, you will need to set krb5.sso.block.local_user to true and the local user should be listed in user.ignore. (Ref: CS-35892)

§  Kerberos 1.14.x supports the ccselect plugin and this causes some issues for the KCM ccache collection. We have introduced a new configuration parameter “krb5.conf.plugins.ccselect.disable” and a corresponding group policy to let you manage it. (Ref: CS-40471)

§  Due to the new Kerberos library, previous releases of Centrify products that use an older Kerberos version (DirectAudit, DirectSecure, DB2 plug-in, SAP SNC plug-in) are not compatible with DirectControl v5.4.0 in Suite 2017. (Ref: DB-144)

o   Centrify OpenSSL 5.4.0 is upgraded based on stock OpenSSL 1.0.2j. (Ref: CS-40275, CS-41499)

§  This includes security fixes for CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6306 and CVE-2016-7052 (Ref: CS-40460, CS-40461)

§  Patch of CVE-2016-2178 is also applied to openssl-fips-2.0.11. (Ref: CS-40560)

o   Centrify OpenSSH 5.4.0 is upgraded based on stock OpenSSH 7.3p1.

§  SSHv1 is no longer supported. (Ref: CS-40924)

§  The LAM version of Centrify OpenSSH is no longer shipped as all AIX versions already provide PAM authentication. If you are still using the LAM version of Centrify OpenSSH, you should replace it with the corresponding PAM version for supportability. (Ref: CS-40743)

o   Centrify libcurl is upgraded based on stock curl 7.51.0. (Ref: CS-41954)

§  This includes security fixes for CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625. (Ref: CS-40940, CS-40941, CS-40942, CS-41439)

o   Centrify dzdo is upgraded based on stock sudo 1.8.17p1. (Ref: CS-40683)

o   Centrify Putty is upgraded based on stock putty 0.67. (Ref: CS-39029)

This new version also fixes the following security issues:

§  CVE-2015-5309 Potentially memory-corrupting integer-overflow in the handling of the ECH (erase characters) control sequence in the terminal emulator.

§  CVE-2016-2563 Stack corruption vulnerability in the old-style SCP protocol.

DirectControl Agent

 

·        Transaction control in LRPC2 protocol (Ref: CS-39842)

The LRPC2 protocol has been enhanced for additional transaction control under heavy load. Note: users need to upgrade both DirectControl and DirectAudit to this version to benefit from the added protection.

·        The MFA mechanism (IWA) in the Centrify Admin Portal no longer supports HTTP and requires HTTPS for security reasons. The diagnostic tool, adcdiag, will fail the test if HTTPS is not available. Please ensure that the Centrify connectors are configured with HTTPS if you use this feature. (Ref: CS-40567, CS-40568, CS-40951)

·        Performance improvement in the DirectControl agent

Additional attributes "_UnixName", "sAMAccountName", "userPrincipalName", "Guid", and "Unixid", are now stored in memory cache for faster lookup when the configuration parameter "capi.cache.enabled" is set to true. (Ref: CS-40067)

·        The support of Alternate UPN suffixes (ALTUPN) is now extended to cover two-way trusted forests. (Ref: CS-40190, CS-41755, CS-41794)

·        The support of AIX extended attributes is now enhanced to support:

o   Additional extended attributes for local users. (Ref: CS-39060)

o   Additional extended attributes for Active Directory users. (Ref: CS-40091)

o   Additional extended attributes for groups. (Ref: CS-40165)

You may find the supported attributes with the commands "adquery user -X help user" and "adquery group -X help group". (Ref: CS-42025)

·        Integration with third party password enforcement tool

Four configuration parameters, adclient.random.password.complexity.pattern, adclient.random.password.generate.try, adclient.random.password.length.max and adclient.random.password.length.min, are added for better integration with third-party password enforcement tools. (Ref: CS-40164)

Scripts and Command Line Utilities

·        The command adjoin has a new option “-F/--forceDeleteObj” to clean up the existing computer object and extension object in Active Directory before performing the adjoin operation. (Ref: CS-40845)

Configuration Parameters

centrifydc.conf has been updated:

New Parameters:

-   adclient.cloud.connector: This parameter specifies a Centrify connector in the current Active Directory forest to provide connectivity between LINUX/UNIX servers and Centrify Identity Platform server for Centrify MFA authentication service. The host specified in this parameter will also be used as the HTTP proxy unless adclient.cloud.iwa.url is specified. If the specified connector is not available, the DirectControl agent will try to find the closest valid connector. Administrators can use either IP address or FQDN in this parameter. For example, "adclient.cloud.connector: 192.168.1.61:8080" or "adclient.cloud.connector: connector.mydomain.com:8080". Note that port 8080 is the default port for Centrify connectors. By default, this parameter is empty. (Ref: CS-41546, CS-42226)

-   adclient.krb5.allow_weak_crypto: This parameter controls whether weak encryption types are allowed in the following parameters: adclient.krb5.tkt.encryption.types and adclient.krb5.permitted.encryption.types.

Weak encryption types include: des-cbc-crc, des-cbc-md4, des-cbc-md5, des-cbc-raw, des3-cbc-raw, des-hmac-sha1, arcfour-hmac-exp, rc4-hmac-exp and arcfour-hmac-md5-exp. Note that setting this parameter to false may cause authentication failures in an existing Kerberos infrastructure that does not support strong ciphers. The default value is true, which allows weak encryption types. (Ref: CS-31783)

-   adclient.random.password.complexity.pattern: This parameter specifies the complexity requirements for the random password as a combination of the following values: 1=Upper (upper case characters A-Z), 2=Lower (lower case characters a-z), 4=digit (0 to 9), 8=special char (non-alphanumeric characters such as !, $, # and %). The default is 7 (Upper, Lower and digit). (Ref: CS-40164)

-   adclient.random.password.generate.try: This parameter specifies the maximum number of attempts to generate a random password for an Active Directory user. The default value is 10. (Ref: CS-40164)

-   adclient.random.password.length.max: This parameter specifies the maximum length of the random password. The default value is 21. (Ref: CS-40164)

-   adclient.random.password.length.min: This parameter specifies the minimum length of the random password. The default value is 15. (Ref: CS-40164)

-   krb5.conf.plugins.ccselect.disable: This parameter controls whether the DirectControl agent should disable Kerberos built-in ccselect plugins. If it is set to true, ccselect built-in plugins are disabled in krb5.conf. If it is set to false, the [plugin] section remains as is. The default is true. (Ref: CS-40471)

-   nss.shell.emergency.enabled: When a user's shell is queried through the DirectControl NSS module, this parameter determines whether the DirectControl emergency shell is returned for an "Audit Required" user who does not have the rescue right. The default value is false, which means the nologin shell configured in nss.shell.nologin is returned. (Ref: CS-40008)
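As an added illustration (not the DirectControl agent's own code), the following Python model shows how the four adclient.random.password.* parameters above interact: it parses a constructed centrifydc.conf fragment, decodes the complexity pattern as a combination of the 1/2/4/8 flags, and generates a password within the configured length range using the configured retry budget. The conf fragment, the special-character set and the generator itself are assumptions made for this illustration.

```python
"""Model of the adclient.random.password.* parameters from centrifydc.conf.

Illustrative code written for these notes, not the DirectControl agent's
implementation. It parses a constructed conf fragment, decodes the complexity
pattern (1=Upper, 2=Lower, 4=digit, 8=special) and generates a random password
that satisfies the pattern within the length range and retry budget.
"""
import secrets
import string

# Flag values as documented for adclient.random.password.complexity.pattern
UPPER, LOWER, DIGIT, SPECIAL = 1, 2, 4, 8
CLASSES = {
    UPPER: string.ascii_uppercase,
    LOWER: string.ascii_lowercase,
    DIGIT: string.digits,
    SPECIAL: "!$#%",  # assumption: the special characters named in the notes
}

# Documented defaults of the four parameters
DEFAULTS = {
    "adclient.random.password.complexity.pattern": 7,
    "adclient.random.password.generate.try": 10,
    "adclient.random.password.length.max": 21,
    "adclient.random.password.length.min": 15,
}

# Constructed centrifydc.conf fragment (same values as the defaults)
SAMPLE_CONF = """\
# Random password settings for third-party password enforcement integration
adclient.random.password.complexity.pattern: 7
adclient.random.password.generate.try: 10
adclient.random.password.length.max: 21
adclient.random.password.length.min: 15
"""


def parse_conf(text):
    """Parse 'key: value' lines of a conf fragment; unknown keys and comments are ignored."""
    params = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key in params:
            params[key] = int(value.strip())
    return params


def required_classes(pattern):
    """Return the character classes selected by the pattern bitmask."""
    if pattern < 1 or pattern > 15:
        raise ValueError("complexity pattern must combine the flags 1, 2, 4 and 8")
    return [CLASSES[flag] for flag in (UPPER, LOWER, DIGIT, SPECIAL) if pattern & flag]


def meets_pattern(password, pattern):
    """True if the password contains at least one character of every required class."""
    return all(any(c in cls for c in password) for cls in required_classes(pattern))


def generate_password(params):
    """Generate a random password, retrying up to generate.try times.

    Returns None when the retry budget is exhausted without a candidate that
    meets the complexity pattern.
    """
    pattern = params["adclient.random.password.complexity.pattern"]
    lo = params["adclient.random.password.length.min"]
    hi = params["adclient.random.password.length.max"]
    tries = params["adclient.random.password.generate.try"]
    classes = required_classes(pattern)
    if lo > hi or lo < len(classes):
        raise ValueError("length range cannot satisfy the complexity pattern")
    alphabet = "".join(classes)  # draw only from the required classes
    for _ in range(tries):
        length = lo + secrets.randbelow(hi - lo + 1)
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_pattern(candidate, pattern):
            return candidate
    return None
```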

Updated Parameters:

-   adclient.binding.refresh.force: The default of this parameter is changed from "true" to "false". (Ref: CS-41084)

-   adclient.krb5.principal: The default of this parameter is changed from "upn" to "sam", because an Active Directory user's Kerberos name is generated as sAMAccountName@<AD REALM> by default. To be consistent with this new default, for a name of the form <name>@<REALM> the DirectControl agent now tries a sAMAccountName (SAM@DOM) match first and then a UPN match. Note: if you really want to set adclient.krb5.principal.name to "upn", be aware of a potential issue when one user's (userA) UPN matches another user's (userB) sAMAccountName and the UPN domain suffix matches the domain realm. In this case, userA will not be able to log in using their own password, and userB, having logged in using their sAMAccountName, could SSO to userA's account because of the confusion caused by matching the UPN against SAM@DOM. For an Active Directory user mapped to an MIT user, the Kerberos name generation ignores this setting as before. (Ref: CS-25166, CS-40920, CS-41125)

-   adclient.krb5.service.principals: The default value of this parameter has been changed from 'http nfs ftp cifs' to 'ftp cifs' on all platforms except Mac OS X. Note: when performing a self-join, "adjoin -S", the DirectControl agent will respect any existing SPNs in the computer object. (Ref: CS-40350)

-   pam.mfa.program.ignore: This parameter specifies a list of programs which do not support MFA. Programs using Centrify PAM for authentication are required to support MFA for users that have "MFA required" sysrights. For programs that do not support this feature, administrators can add the program names in this parameter to bypass MFA. The default list is now "ftpd proftpd vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd". (Ref: CS-40569)
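The adclient.krb5.principal note above is easier to follow with a model. The following Python is added here for illustration and is neither DirectControl nor Active Directory code: it uses a constructed realm and two directory entries in which userA's UPN equals userB's sAMAccountName, and it assumes that the KDC resolves a principal by sAMAccountName before UPN and that the agent tries the configured format first, which is how the note describes the behaviour.

```python
"""Model of adclient.krb5.principal 'sam' versus 'upn' name matching.

Illustrative code written for these notes, not the DirectControl agent or
Active Directory. The realm, the directory entries, the KDC resolution order
and the agent lookup order are assumptions that follow the release-note text.
"""

REALM = "CORP.EXAMPLE.COM"  # constructed AD realm

# Constructed directory: userA's UPN collides with userB's sAMAccountName and
# the UPN suffix matches the realm, the situation the notes warn about.
DIRECTORY = {
    "userA": {"sAMAccountName": "alice", "userPrincipalName": "bob@corp.example.com"},
    "userB": {"sAMAccountName": "bob", "userPrincipalName": "robert@corp.example.com"},
}


def _by_sam(name):
    """Directory user whose sAMAccountName equals name (case-insensitive)."""
    return next((u for u, a in DIRECTORY.items()
                 if a["sAMAccountName"].lower() == name.lower()), None)


def _by_upn(principal):
    """Directory user whose userPrincipalName equals the full principal string."""
    return next((u for u, a in DIRECTORY.items()
                 if a["userPrincipalName"].lower() == principal.lower()), None)


def _split(principal):
    """Return (name, realm) for name@REALM, or None when the realm is not ours."""
    name, _, realm = principal.partition("@")
    return (name, realm) if realm.upper() == REALM else None


def kdc_resolve(principal):
    """KDC side (assumption): accounts are named sAMAccountName@REALM, so that
    match is tried first and a UPN match second."""
    parts = _split(principal)
    if parts is None:
        return None
    return _by_sam(parts[0]) or _by_upn(principal)


def login_principal(user, setting):
    """Principal the agent presents for this user's password login."""
    attrs = DIRECTORY[user]
    if setting == "sam":
        return f'{attrs["sAMAccountName"]}@{REALM}'
    if setting == "upn":
        return attrs["userPrincipalName"]
    raise ValueError("adclient.krb5.principal must be 'sam' or 'upn'")


def password_login_ok(user, setting):
    """Login succeeds only if the KDC account behind the generated principal is this user."""
    return kdc_resolve(login_principal(user, setting)) == user


def map_principal_to_user(principal, setting):
    """Map the principal of a presented credential to a zone user: the configured
    format is tried first, then the other one."""
    if setting not in ("sam", "upn"):
        raise ValueError("adclient.krb5.principal must be 'sam' or 'upn'")
    parts = _split(principal)
    if parts is None:
        return None
    sam_match, upn_match = _by_sam(parts[0]), _by_upn(principal)
    order = (sam_match, upn_match) if setting == "sam" else (upn_match, sam_match)
    return next((u for u in order if u is not None), None)


def sso_target(authenticated_user, setting):
    """User the agent logs in when authenticated_user arrives with the ticket AD
    issued for them (sAMAccountName@REALM by default)."""
    ticket = f'{DIRECTORY[authenticated_user]["sAMAccountName"]}@{REALM}'
    return map_principal_to_user(ticket, setting)
```

With "sam" every lookup lands on the intended account; with "upn" userA's own password login fails and userB's ticket is mapped to userA, which is the confusion the note describes.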

Centrify LDAP Proxy

 

·        Performance improvement in ldapproxy

1.  To minimize unnecessary traffic to Active Directory, ldapproxy has implemented a local cache to handle authentication, which may double the performance in some scenarios. The cached authentication data is used by default if it is available and has not expired. (Ref: CS-39941)

2.  To further minimize the traffic to adclient and subsequently to Active Directory, ldapproxy has implemented an optional client side cache in slapd that handles repeated (same) searches. It is disabled by default in slapd.conf (ldapproxy.cache.enabled false). (Ref: CS-40368)

DirectManage Access Manager

 

·        DirectManage Windows installer now provides an option to install Microsoft SQL Server Compact 3.5. If there is no Microsoft SQL Server Compact 3.5 installed, DirectManage Access Manager will disable the Sudoers Import feature and DirectManage Deployment Manager will not be allowed to install. (Ref: CS-39945)

·        Password Synchronization Extension has not changed in this release. It is the same package with the version number 5.3.1 as in the previous Suite 2016.1 release, i.e., CentrifyDC_PasswordSync-5.3.1-win64.msi. (Ref: CS-40880)

Centrify Licensing Report

 

·        Deployment Report is now called Centrify Licensing Report and is part of the new Licensing Service component. (Ref: CS-41405, CS-40961)

·        To further enhance readability, there are a few changes in the report layout. The detailed system report in the bottom part of the report is also re-organized to make it easier to correlate with the deployment summary on top. You can also easily identify a license key that is being used by multiple DirectAudit installations by looking at the new “shared” column. (Ref: CS-40349, CS-40984)

Centrify Report Services

 

·        Centrify Report Services provides another option to synchronize Centrify data from Active Directory to local SQL store. The new option allows users to specify individual or all Centrify zones for data synchronization, whereas the original option is domain based. (Ref: CS-39513, CS-41245, CS-41254)

·        Centrify Report Services now supports SQL Server 2016. (Ref: CS-40735)

·        The PCI/SOX reports below now provide an option to skip building and rendering charts. You may want to do so if you have a very large environment. (Ref: CS-40109)

o   SOX/PCI-Login Report-By Computer

o   SOX/PCI-Login Report-By Group

o   SOX/PCI-Login Report-By Role

o   SOX/PCI-Login Report-By User

o   SOX/PCI-Login Summary Report

o   SOX/PCI-Rights Report-By Computer

o   SOX/PCI-Rights Report-By Group

o   SOX/PCI-Rights Report-By Role

o   SOX/PCI-Rights Report-By User

o   SOX/PCI-Rights Summary Report

·        In this release, the following new views are added:

o   ReportView.EffectiveAuthorizedLocalUsers_Computer – it lists effective authorized local users for each computer. (Ref: CS-40065)

o   ReportView.EffectiveLocalUsersRoleAssignment – it lists effective role assignments for local users for each computer. (Ref: CS-40065)

o   ReportView.ZoneHierarchy – it lists all the Hierarchical zones and their effective child zones. (Ref: CS-38856)

Zone Provisioning Agent

 

·        A few performance improvements are added in this release:

o   When a lot of zones are being provisioned, there may be a burst of traffic to the domain controller. We have introduced a configurable delay between each zone provisioning to throttle this traffic. The delay is controlled by a registry key 'ProvisioningDelay' in 'HKLM\SOFTWARE\Centrify ZPA'. For example, setting the key 'ProvisioningDelay' to 'Type: DWORD; Value: 5' adds a 5-second delay between each zone provisioning. The default is no delay. (Ref: CS-41985)

o   Zone Provisioning Agent typically runs a full provisioning cycle each time based on schedule. There is a new option that will skip full provisioning if there is no change in the source group. This is enabled by setting a registry key 'CheckSourceChange' to 'Type: DWORD; Value: 1' in 'HKLM\SOFTWARE\Centrify ZPA'. (Ref: CS-41981)

o   When provisioning multiple users from another domain, Zone Provisioning Agent used to make unnecessary bind requests to the same domain, causing performance issues in large deployments. This is now improved with a connection cache. (Ref: CS-39877)

Access Module for PowerShell

 

·        Local accounts support is added to Access Module for PowerShell. You can create, change, read and delete local account objects using the following cmdlets: (Ref: CS-39626)

o   New-CdmLocalUserProfile, Remove-CdmLocalUserProfile, Set-CdmLocalUserProfile, Get-CdmLocalUserProfile

o   New-CdmLocalGroupProfile, Remove-CdmLocalGroupProfile, Set-CdmLocalGroupProfile, Get-CdmLocalGroupProfile

RHEL and CentOS Smartcard

 

·        Added an option (-K/--check-kdc-eku) to the command-line utility sctool to allow sctool to check the KDC certificate for the Extended Key Usage (EKU) attribute "Kerberos Authentication". This option was added because EKU checking is disabled by default. (Ref: CC-38917)

·        RC4 and DES encryption for SmartCard Kerberos authentication is no longer supported. Please configure your Active Directory domain and forest to use AES-128 or AES-256 encryption for Kerberos in order to ensure future compatibility. (Ref: CC-39271)

·        This release includes a Kerberos library upgrade allowing support for newly-provisioned smart cards with SHA-256 encryption. Centrify has tested the following SHA-256 smart cards: (Ref: CC-42494)

o   Oberthur ID One 128 v5.5 Dual SHA256 Cards

o   G&D FIPS 201 SCE 3.2 SHA256 Cards

·        Centrify Server Suite 2016.1 (February 2017 Update) DirectControl 5.3.1-xxx(?) addresses a security vulnerability in which a valid user may mislead the DirectControl agent into deleting a file that this user does not have permission to access. Customers who use DirectControl are recommended to apply this update. Security rating is high(?). (Ref: CS-42569)

2.2.        Feature Changes in DirectControl 5.3.1 (Suite 2016.1) August 2016 Update

Security Fix

DirectControl 5.3.1 August 2016 Update contains the fix for the following DirectControl issue: the Multi-Factor Authentication (MFA) feature, used together with the Integrated Windows Authentication (IWA) feature, could in theory be susceptible to a man-in-the-middle attack because of the use of the HTTP protocol. The fix removes support for HTTP and uses HTTPS as the default protocol instead.

Customers who use the MFA feature with IWA, whether in Suite 2016 or Suite 2016.1, are strongly recommended to upgrade to this Suite 2016.1 August 2016 Update.

2.3.        Feature Changes in DirectControl 5.3.1 (Suite 2016.1)

Security Fix

DirectControl 5.3.1 contains the fix for the following DirectAudit issue: when a system is under high CPU utilization, communication between the Centrify DirectControl and Centrify DirectAudit agents may time out while the communication channel remains open. This results in the DirectAudit agent processing an incorrect response to its request. Note that this occurs only in the DirectAudit *NIX agent when the DirectAudit shell auditing functionality is enabled. The fix in this version of DirectControl and DirectAudit closes the communication channel between the two agents during timeouts and error situations.

This fix has already been retrofitted to Suite 2016 and Suite 2015.1 in March 2016. This issue does not happen in Suite 2015 and prior releases.

DirectControl Agent

 

·        Additional Multi-Factor Authentication (MFA) Support

MFA is supported for Active Directory users on AIX, Solaris and HP-UX. MFA can be required for all dzdo commands and for PAM applications that natively support MFA, except GUI login and applications specified in the pam.mfa.program.ignore configuration parameter.

For details, refer to the Administrator’s Guide for Linux and UNIX and the Configuration and Tuning Reference Guide. (Ref: CS-39363, CS-39415, CS-39416, CS-39417)

In addition to hierarchical zones, MFA is now supported for Classic zones and Auto zones. (Ref: CS-38588)

MFA using OATH is supported. (Ref: CS-39598)

MFA using RSA SecurID is supported. (Ref: CS-39858)

·        A new category “MFA” is added to the “Centrify Server Suite” audit trail events.  In this release, two Centrify event IDs are assigned: (Ref: CS-39984)

o   54100: MFA Challenge Succeeded

o   54101: MFA Challenge Failed. The reason field indicates the failure reason.

·        OpenSSL is upgraded to 1.0.2g and the fix of CVE-2016-2107 is also incorporated in this release. (Ref: CS-39736, CS-40301)

·        TLS v1.2 is supported now in ldapproxy and it can be enforced by the TLSProtocolMin option. (Ref: CS-39635)

·        The fix of CVE-2016-0755 is incorporated in Centrify libcurl, which is based on 7.44.0 stock libcurl. (Ref: CS-39554)

·        We now support authenticating cross-forest users using an alternative UPN suffix. (Ref: CS-32538)

·        We now support the Microsoft “Define host name-to-Kerberos realm mappings” group policy. The DirectControl agent will read the mapping and update the krb5.conf file. (Ref: CS-34176)

·        This release adds a watchdog process (niswatch) to restart adnisd if necessary. (Ref: CS-35720)

·        Centrify Standard license is required to run adnisd and ldapproxy. (Ref: CS-39615, CS-39616)

·        Starting from this release, Centrify supports the DirectControl agent on the latest Amazon Linux AMI release. However, Deployment Manager does not support installing or upgrading the agent in the Amazon Cloud environment. (Ref: CS-40072)

·        There is a new attribute in hierarchical zone Unix Command Right to allow dzdo/dzsh to check all command arguments and prevent navigation up a path hierarchy. Please refer to the 'Prevent navigation up a path hierarchy' checkbox in Access Manager. (Ref: CS-39063)

·        The sudo issues reported in CVE-2016-5602 are fixed in dzedit. See the dzdo.edit.checkdir and dzdo.edit.follow configuration parameters.

Hadoop Support

·        In this release, the sample script kerberos_security_setup.pl supports the new Ambari v2.1.2 CSV file format in addition to the original Ambari v1.6.1 format. (Ref: CS-36553)

·        You can configure the sample script kerberos_security_setup.pl to remove HTTP, NFS, CIFS and FTP SPNs in computer objects.

Four new configuration parameters are introduced in hadoop.conf to support this feature:

o   hadoop.adclient.krb5.service.principal.http.remove (default is true)

o   hadoop.adclient.krb5.service.principal.nfs.remove (default is false)

o   hadoop.adclient.krb5.service.principal.cifs.remove (default is false)

o   hadoop.adclient.krb5.service.principal.ftp.remove (default is false)

A new command option, --remove-spn, is also added. It will read the configuration file to remove the configured SPNs. By default only the HTTP SPN will be removed. (Ref: CS-39445)

Smart Card and Certificate Management

·        Certificate management and auto-enrollment now support elliptic curve algorithms. When ECDH_P256, ECDH_P384 or ECDH_P521 is selected in a version 3 certificate template, the corresponding EC algorithm is used to generate the key pair for the certificate. Note the limitation that when an EC algorithm is selected, only SHA-1 can be used as the signature algorithm. (Ref: CS-35787)

Scripts and Command Line Utilities

·        The adcert -r --ntlm option is removed in this release. (Ref: CS-40148)

·        If DirectAudit is installed on the current system, adinfo -t --support also invokes “dainfo -t” and includes its output in the final zip file. (Ref: CS-39123)

·        A new command, adobjectrefresh, is added to update the cache for a specific user or group object instead of the entire zone. Please use the help option for information on its usage and available options. (Ref: CS-39333)

centrifydc.conf has been updated:

New Parameters:

-   adclient.legacyzone.mfa.background.fetch.interval: This parameter specifies, in minutes, how often the DirectControl agent updates its cache with Active Directory groups whose members require multi-factor authentication in classic zones or Auto zones.  The default is 30 minutes. (Ref: CS-38588)

-   adclient.legacyzone.mfa.cloudurl: This parameter specifies the URL of the cloud instance that the DirectControl agent will access in order to implement multi-factor authentication for users in classic zones and Auto Zones. (Ref: CS-38588)

-   adclient.legacyzone.mfa.enabled: This parameter specifies whether MFA is enabled for a classic zone or an Auto zone. The default is false. (Ref: CS-38588)

-   adclient.legacyzone.mfa.required.groups: This parameter specifies a list of Active Directory groups in a classic zone or an Auto zone whose members are required to use multi-factor authentication when logging on or using privileged commands. The default is none. (Ref: CS-38588)

-   adclient.legacyzone.mfa.required.users: This parameter specifies a list of Active Directory users in a classic zone or an Auto Zone that are required to use multi-factor authentication when logging on or using privileged commands. The default is none. (Ref: CS-38588)

-   adclient.legacyzone.mfa.rescue.users: This parameter specifies a list of Active Directory users who can log on to computers in a classic zone or an Auto zone when multi-factor authentication is required but the DirectControl agent cannot connect to the Centrify cloud service. (Ref: CS-38588)

-   dzdo.edit.checkdir: This parameter prevents dzedit from editing a file located in a directory that is writable by the invoking user, unless dzedit is run by root. The default is true. (Ref: CS-39479)

-   dzdo.edit.follow: This parameter specifies whether dzedit may follow a symbolic link to the file being edited. The default is false, so symbolic links are not followed. (Ref: CS-39479, CS-39918)

-   dzdo.legacyzone.mfa.enabled: This parameter specifies if multi-factor authentication is required for users to run the dzdo command in a classic zone.  The default is false. (Ref: CS-39471)

-   krb5.cache.clean.force.max: This parameter specifies the maximum TGT lifetime (in days) before the DirectControl agent removes the Kerberos credential cache. The default is 0, which means the cache is never removed. (Ref: CS-39399)
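The 'Prevent navigation up a path hierarchy' command-right attribute described earlier and the dzdo.edit.checkdir / dzdo.edit.follow parameters above both guard against an invoking user steering a privileged command or editor at a file the right was never meant to cover. The following Python is an added illustration of the decisions those settings describe, written for these notes; it is not the DirectControl agent's code, which this page does not show. The function names, the rule that any '..' path component counts as navigation up the hierarchy, and the permission-bit-only test of directory writability (no ACLs) are assumptions of the example.

```python
import os
import shutil
import stat
import tempfile


def escapes_hierarchy(arg):
    """True if a command argument navigates up a path hierarchy.

    Any '..' component counts wherever it appears: the target command, not the
    caller, resolves 'logs/../../etc/shadow', so it is as dangerous as
    '../../etc/shadow'.  (Assumed rule for this example.)
    """
    return ".." in arg.split("/")


def rejected_arguments(args):
    """Return the arguments a 'no navigation up' command right would refuse."""
    return [a for a in args if escapes_hierarchy(a)]


def _writable_by(path, uid, gids):
    """Permission-bit check only (assumption: no ACLs), like a plain stat()."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def edit_target_allowed(path, uid, gids, checkdir=True, follow=False):
    """Decide whether a root-privileged editor may open 'path' for user 'uid'.

    checkdir (dzdo.edit.checkdir): refuse a file whose directory the invoking
        user can write, since that user could replace the file with a symlink
        between this check and the privileged open.  Root is exempt.
    follow (dzdo.edit.follow): when false, refuse a symlink at the target path.
    Returns (allowed, reason).
    """
    if uid == 0:
        return True, "root is exempt"
    if not follow and os.path.islink(path):
        return False, "target is a symbolic link and follow is false"
    if checkdir:
        parent = os.path.dirname(os.path.abspath(path))
        if _writable_by(parent, uid, gids):
            return False, "directory is writable by the invoking user"
    return True, "ok"


def demo():
    """Run both checks over a constructed layout in a temporary directory.

    Files are owned by whoever runs this, so the invoking user is modelled as
    a constructed uid/gid of 1000 and directory modes are set explicitly.
    """
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    scratch = os.path.join(root, "scratch")
    os.mkdir(etc)
    os.mkdir(scratch)
    conf = os.path.join(etc, "app.conf")
    open(conf, "w").close()
    link = os.path.join(scratch, "app.conf")
    os.symlink(conf, link)
    os.chmod(etc, 0o555)      # not writable by anyone via mode bits
    os.chmod(scratch, 0o777)  # world-writable: the classic sudoedit trap
    uid, gids = 1000, {1000}
    try:
        return {
            "rejected_args": rejected_arguments(
                ["/var/log/app.log", "../../etc/shadow", "logs/../../secret"]),
            "file_in_safe_dir": edit_target_allowed(conf, uid, gids)[0],
            "symlink_default": edit_target_allowed(link, uid, gids)[0],
            "symlink_follow_only": edit_target_allowed(link, uid, gids, follow=True)[0],
            "symlink_no_checks": edit_target_allowed(
                link, uid, gids, checkdir=False, follow=True)[0],
            "root": edit_target_allowed(link, 0, {0})[0],
        }
    finally:
        os.chmod(etc, 0o755)
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that turning dzdo.edit.follow on alone does not reopen the hole: the symlink in the world-writable directory is still refused by the checkdir rule, and only disabling both checks allows it. Keep both at their defaults unless a specific workflow needs otherwise.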

Updated Parameters:

-   adclient.cloud.auth.conn.max: This parameter is renamed from adclient.cloud.auth.token.max. Its default value and group policy are unchanged. (Ref: CS-39326, CS-39746)

-   adclient.local.account.manage: This configuration parameter specifies whether the DirectControl agent manages local user and local group accounts. The default was true in previous releases; starting from this release it is false. If you enabled it in a previous release, the setting is preserved. (Ref: CS-39397)

In this release, there is stricter enforcement of syntax in centrifydc.conf and centrifyda.conf. (Ref: CS-36112)

 

DirectManage Access Manager

 

·        License summary is no longer displayed in the Manage Licenses dialog. (Ref: CS-36511)

·        Access Manager now supports requiring Multi-Factor Authentication (MFA) during re-authentication for Desktops, Applications and Network Access Windows rights. (Ref: CS-39453)

·        Starting from this release, you can select an RFC2307-compatible zone to store UNIX properties using the Active Directory RFC2307-compatible schema. (Ref: CS-40244)

·        The 'Prevent navigation up a path hierarchy' checkbox is added to the 'Attributes' tab of the Command Right property page to specify whether path traversal should be disabled in command right.  The default is not checked. (Ref: CS-39362)

·        Password Synchronization now supports MD5 hashes. A hash starting with "$1$" is generated with the crypt(3)-MD5 method. MD5 hashing is controlled by a registry value (key HKLM\Software\Centrify, value MD5Encryption, type REG_DWORD); if the value does not exist or is 0, MD5 hashing is disabled. (Ref: CS-34863)
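It is worth seeing what a "$1$" hash contains before enabling this: crypt(3)-MD5 is a 1990s scheme with a salt of at most 8 characters and a fixed 1000 MD5 rounds, which commodity GPUs brute-force quickly, so it should be enabled only for targets that cannot consume SHA-crypt ("$5$"/"$6$") hashes. The following Python is an added example for these notes, not Centrify code: a port of the crypt(3)-MD5 algorithm, used to produce a hash in the format Password Synchronization writes and to verify a candidate password against one. The expected value for salt 'xxxxxxxx' and password 'password' is the string `openssl passwd -1 -salt xxxxxxxx password` prints.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """crypt(3)'s base-64 variant: 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """crypt(3)-MD5 ('$1$') of a bytes password with a salt of up to 8 chars."""
    salt = salt[:8].encode()
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # one byte of 'alt' per byte of password
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # the scheme's bit-walk over the password length (a NUL or first char per bit)
    bits = len(password)
    while bits:
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # fixed 1000 rounds: this, not the salt, is all the work factor there is
    for i in range(1000):
        ctx = hashlib.md5()
        ctx.update(password if i & 1 else final)
        if i % 3:
            ctx.update(salt)
        if i % 7:
            ctx.update(password)
        ctx.update(final if i & 1 else password)
        final = ctx.digest()
    # encode the 16 digest bytes in the scheme's permuted order (22 chars)
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + encoded


def verify_md5crypt(password, stored):
    """Constant-time comparison of a candidate password against a '$1$' hash."""
    parts = stored.split("$")  # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1" or len(parts[3]) != 22:
        return False
    return hmac.compare_digest(md5crypt(password, parts[2]), stored)


def new_md5crypt(password):
    """Hash with a fresh random 8-character salt, as a synchroniser would."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)


if __name__ == "__main__":
    print(md5crypt(b"password", "xxxxxxxx"))  # $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.
```

A "$1$" hash is therefore 34 characters: the magic, an 8-character salt, a separator and 22 encoded characters. verify_md5crypt refuses anything else, so a "$6$" SHA-512 hash arriving on a host that expects MD5 is reported as a mismatch rather than silently accepted.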

Access Module for PowerShell

·        The RequireMfa parameter is added to the following cmdlets. If the parameter is true, MFA is required; by default it is not. (Ref: CS-39440, CS-39558)

o   New-CdmZone

o   Set-CdmZone

o   New-CdmCommandRight

o   Set-CdmCommandRight

o   New-CdmDesktopRight

o   Set-CdmDesktopRight

o   New-CdmApplicationRight

o   Set-CdmApplicationRight

o   New-CdmNetworkAccessRight

o   Set-CdmNetworkAccessRight

·        The BlockGroupInheritance parameter is added to the New-CdmZone and Set-CdmZone cmdlets. If the parameter is true, Active Directory groups in the parent zones that are not used by the machines joined to the child zone are not visible in that child zone. If it is false, all groups are visible. The default is false. (Ref: CS-39452)

·        The Force option is added to the New-CdmUserProfile and Set-CdmUserProfile cmdlets. If the option is true, the user profile may be created or modified even if its UNIX name is the same as the sAMAccountName of another AD user in the zone's domain. By default this is not allowed. (Ref: CS-38788)

·        The DisablePathTraverse parameter is added to the New-CdmCommandRight and Set-CdmCommandRight cmdlets to specify whether path traversal is disabled in command right.  The default is false.  Also, the IsDisablePathTraverse property is added to the CdmCommandRight object. (Ref: CS-39391)

Centrify Report Services

 

·        You can specify the name of the report database in the Configuration Wizard. (Ref: CS-39637)

·        Starting from Suite 2016.1, the following reports support local accounts: (Ref: CS-36155, CS-36156, CS-39999)

o   Authorization report

o   PCI - Login Summary report

o   PCI - Rights Summary report

o   SOX - Login Summary report

o   SOX - Rights Summary report

o   Hierarchical Zone - Users report

o   Users report

o   Groups report

 

·        In Suite 2016.1, the following new views are added: (Ref: CS-36155, CS-36156, CS-39999)

o    ComputerRoleEffectiveMembers

o    EffectiveAuthorizedLocalUserPrivileges_Computer

o    EffectiveAuthorizedUserPrivileges_Computer

o    EffectiveAuthorizedUsers_Computer

o    EffectiveAuthorizedUsers_Computer_Classic

o    EffectiveAuthorizedUsers_Computer_Hierarchical

o    EffectiveAuthorizedZoneLocalUsers

o    EffectiveAuthorizedZoneUsers

o    EffectiveRoleAssignment

o    EffectiveRoleAssignment_Classic

o    EffectiveRoleAssignment_Hierarchical

o    EffectiveSysRights

o    EffectiveZoneLocalGroupMembers

o    EffectiveZoneLocalGroups

o    EffectiveZoneLocalUsers

o    RoleRights

o    ZoneLocalGroupMembers

o    ZoneLocalGroups

o    ZoneLocalUsers

 

New columns are added to the ZoneComputers view.

 

Note: The output of the EffectiveAuthorizedUserPrivileges_Computer view is the same as that of the current EffectiveLoginUserPrivileges_Computer report view.

·        Centrify Report Services uses the Reporting Services component of Microsoft SQL Server. The currently supported SQL Server versions and editions are:

o   SQL Server 2008 R2 Express with Advanced Services (Service Pack 2 or higher recommended)

o   SQL Server 2008 R2 Standard or Enterprise or Datacenter (Service Pack 2 or higher recommended)

o   SQL Server 2012 Express with Advanced Services

o   SQL Server 2012 Standard or Enterprise

o   SQL Server 2014 Express with Advanced Services

o   SQL Server 2014 Standard or Enterprise

 

Note: Microsoft SQL Server 2008 R2 is not compatible with Windows 10.

 

Note: 32-bit versions of Microsoft SQL Server are not supported.

Deployment Report

 

·        Under the Deployment Summary, the count of agents for Mac for each zone type is now displayed separately from agents for *NIX. (Ref: CS-39571)

·        The Deployment Report Wizard for Centrify Server Suite Enterprise Edition now supports report preview, which was previously available only for Standard Edition. (Ref: CS-39653, CS-39654, CS-39655)

·        If sending the generated report to the Centrify Support Portal fails, the report is saved automatically and a warning message is displayed. (Ref: CS-39653, CS-39654, CS-39655)

·        The Deployment Report utility has a new switch, ‘/plaindata’, which specifies that host, zone and installation names are not to be obfuscated in the generated report. (Ref: 36099)

Group Policies

 

·        The “Notification Command Line” computer configuration group policy under “Centrify Settings > DirectControl Settings > Local Account Management” is added to invoke a user-provided post-processing program. (Ref: CS-39374)

·        Four computer configuration group policies under “Centrify Settings > DirectControl Settings > Addns Settings” are added to manage addns configuration: (Ref: CS-34903)

o   Enable addns invoked by adclient

o   Set command line options used by adclient

o   Set DNS records update interval

o   Set wait response interval for update requests

For details of each group policy, refer to its explanation text.

adedit

 

·        The “delegate_zone_right” command adds a list of new rights to delegate: (Ref: CS-35329)

o   add_user_group_to_computer_zone

o   delete_user_group_from_computer_zone

o   modify_user_group_in_computer_zone

o   add_computer_zone

o   add_computer_role

o   delete_computer_zone

o   delete_computer_role

o   delegate_permission_for_computer_zone

o   add_nismap

Additionally, the 'manage_role_assignments' right now supports managing role assignments in zones, computer zones and computer roles.

·        The “get_zone_field” and “set_zone_field” commands support the hierarchical zone field 'block.parent.zgroup'. If the value is true, only the UNIX groups used by the servers joined to the zone are displayed; if it is false, all UNIX groups are displayed. (Ref: CS-39450)

·        The get_role_assignment_field and set_role_assignment_field commands support the description field. (Ref: CS-38742)

Centrify OpenSSH

 

·        Centrify OpenSSH 5.3.1 is now based on OpenSSH 7.2p2. (Ref: CS-39757)

Note: The slogin symbolic link is removed in stock OpenSSH. It is retained in Centrify OpenSSH.

Note: Stock OpenSSH disables SSH protocol version 1 at compile time by default. It is still supported by Centrify OpenSSH.

·        Centrify OpenSSH 5.3.1 is not compatible with previous Centrify DirectControl releases due to the major upgrade of OpenSSL in this release. (Ref: CS-39521)

·        A new keyword, SSOMFA, is added to Centrify sshd_config to require multi-factor authentication (MFA) for secure shell connections even for single sign-on access to remote computers. This keyword works only when UsePAM is enabled. The option can also be enabled by the group policy “Enable SSO MFA” under “SSH Settings”. The default is ‘no’ (disabled).

Please note that MFA is not supported for public key authentication, which sshd completes without a PAM authentication step. (Ref: CS-39524, CS-36193)

2.4.        Feature Changes in DirectControl 5.3.0 (Suite 2016)

New Features

·        Multi-Factor Authentication (MFA)

MFA is supported for Active Directory users in hierarchical zones on Linux systems. MFA can be required for all PAM applications (including login) and for execution of dzdo commands. The “Require multi-factor authentication” System Rights flag and the “required MFA for Login” role are added to support the MFA requirement for login and PAM applications. You can also require MFA as the re-authentication mechanism in a UNIX command right.

For details, refer to the Administrator’s Guide for Linux and UNIX and the Configuration and Tuning Reference Guide. (Ref: CS-36181, CS-36455, CS-38550, CS-38708, CS-38804)

Note:

·        The version of Centrify Cloud connector required is 15.11.137 or above. (Ref: CS-38574).

·        If a user is required to use MFA for login and the Linux system cannot reach Centrify Cloud through the Centrify Cloud Connector, the user cannot log in. The exception is a user who also has the effective “rescue/always permit login” system right; such a user can log in in this situation. Note that “rescue/always permit login” affects both DirectAudit and MFA. Regardless of whether that right is effective for a user, every dzdo command that requires MFA is denied while the Linux system cannot reach Centrify Cloud. (Ref: CS-36248)

·        If an Active Directory user is configured to use both a password and MFA for login or for a dzdo command, the DirectControl agent always continues to the MFA step regardless of whether the password was correct, and the user cannot log in or continue with dzdo unless both mechanisms succeed. This is deliberate: stopping at a wrong password would reveal to an attacker whether the password was correct before the second factor was ever checked. (Ref: CS-36494)

·        The DirectControl agent ignores the "Challenge Pass-Through Duration" option under the "Authentication Profile" setting in the Centrify Cloud Manager Portal.  The user is always challenged.  This behavior is the same as setting the option to "No Pass-Through". (Ref: CS-38592)

·        Local Account Management

 

Starting from Suite 2016, you can also use Active Directory to manage local user, local group and local service accounts in hierarchical zones.  For details, refer to the Administrator’s Guide for Linux and UNIX. (Ref: CS-35503)

·        Report Services

 

Centrify Report Services, packaged with DirectManage Access, greatly improves report performance by reading the data from a SQL database instead of querying the Active Directory via LDAP. You can schedule to synchronize the Active Directory information periodically to your reporting database, and the report service will populate views based on the data in tables, creating a default set of Access Manager reports as well as SOX and PCI attestation reports. You can also create custom reports based on these views. 

Note: A significant difference from the Access Manager Report Center is that you need to install only one instance of Centrify Report Services per Active Directory forest. Auditors also do not need to install any Centrify software to view the reports, because the SSRS reports are viewed in an Internet Explorer browser. (Ref: CS-36440)

Please refer to the Report Administrator’s Guide for details.

For Reporting Services Early Access customers, the view ReportView.UserAccount from Suite 2016 Early Access is no longer available. The same data can be accessed through the view ReportView.ADUser, to which new columns are added to provide the additional information that was previously available in ReportView.UserAccount. It lists only Active Directory users, not local users. Please contact Centrify Technical Support if you need more information about this change. (Ref: CS-38602)

General

·        A new system right, “User is visible”, is introduced. If a role assignment contains this right, the user is visible to all computers in the scope of the role assignment (zone, computer role, or computer). Like the other rights, the visible right is additive: when a user is assigned a set of roles, the user is visible in the zone as long as at least one of those roles has the visible right set. (Ref: CS-35921)

o   dzinfo is enhanced to show whether the user’s effective rights contain the visible flag. (Ref: CS-36105)

·        There is now an option to select between the RFC 2307 and MS SFU schemas. (Ref: CS-34973)

 

Scripts and Command Line Utilities

·        adinfo -y/--sysinfo is enhanced with the ‘cloud’ keyword to show information related to MFA support. Note that this is supported on Linux only. (Ref: CS-38926)

·        A new CLI, admanagelocal, is added to manage local user and group accounts. (Ref: CS-35503, CS-36096)

·        adkeytab -t, --pwdtime is added to report the time and result of the last password change attempt. (Ref: CS-35847)

·        adflush -c, --connectors is added to flush the cloud connector information in the DirectControl agent. Note that this is supported on Linux only. (Ref: CS-38920)

Smart Card and Certificate Management

·        OpenSSL is upgraded to 0.9.8zg in this release. (Ref: CS-35922)

·        cURL is upgraded to 7.44.0 in this release. (Ref: CS-35702)

·        On Centrify-managed RHEL systems, the CA root certificate can now be appended to the system default store, /etc/pki/tls/certs/ca-bundle.crt. (Ref: CS-38412)

Configuration Parameters

·        centrifydc.conf has been updated:

New Parameters:

-   adclient.cloud.auth.token.max: This parameter specifies the maximum number of cloud authentication requests that can be processed simultaneously.  The default is 10. (Ref: CS-36247)

-   adclient.krb5.password.change.verify.retries: This parameter controls how many times adkeytab, running in the background, tries to verify a password change. The default is zero (no attempts). (Ref: CS-35847)

-   adclient.krb5.password.change.verify.interval: This parameter controls how long (in seconds) adkeytab waits between password verification attempts. The default is 300 seconds (five minutes). (Ref: CS-35847)

-   adclient.krb5.principal.lower: This parameter controls whether the principal name in Kerberos ticket should be converted to lowercase.  The default is false. (Ref: CC-32641)

-   adclient.local.account.manage: This parameter specifies whether the DirectControl agent should manage local user and local group accounts on computers where the agent is installed.  The default is true. (Ref: CS-36096)

-   adclient.local.account.notification.cli: When this parameter is configured, the DirectControl agent invokes the specified executable in a separate process and passes it the comma-separated list of UNIX names for further processing. The default is "" (no executable). (Ref: CS-36409)

-   adclient.refresh.interval.dz: This configuration parameter specifies the maximum number of minutes to keep access control (DirectAuthorize) information in the authorization cache before refreshing the data from Active Directory.  If local account management feature is enabled, this configuration parameter also specifies how often /etc/passwd and /etc/group are updated on individual computers based on the local user and local group settings configured in Access Manager.

-   adclient.skip.unused.outbound.trusts: This configuration parameter specifies whether you want to prevent the DirectControl agent from sending network queries to outbound trust domains that do not have users in Centrify zones.  The default is false. (Ref: CS-35705)

-   cloud.connector.refresh.interval: This parameter specifies how frequently (in hours) a background process will be run to search for the nearest available cloud connector to use for connectivity to Centrify Cloud service.  The default is 8 hours. (Ref: CS-36181)

-   pam.homedir.create.follow.symlink: If this parameter is set to true, the DirectControl agent copies the dereferenced targets of symbolic links (symlinks) in the skeleton directory (/etc/skel) when creating the home directory for an Active Directory user. If it is set to false, only the symlinks themselves are copied. The default is true. (Ref: CS-30646)

-   pam.mfa.program.ignore: Use this parameter to specify a list of programs that do not support or require Multi-Factor Authentication. The default value is "vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd" (Ref: CS-36192, CS-39101)

-   pam.setcred.program.create.creds: This parameter specifies the list of programs for which the DirectControl agent will always create new krb5ccache and update KRB5CCNAME in PAM sessions.  The default list contains only 'su'. (Ref: CS-36029)

Updated Parameters:

-   adclient.ldap.packet.encrypt: (Ref: CS-33456)

SignOnly is a new value added in this release. When set, all LDAP traffic must be signed (but not encrypted) to ensure packet integrity.

-   adclient.krb5.conf.file.custom: (Ref: CS-35645)

This release adds the following sections to those honored by the adclient.krb5.conf.file.custom configuration parameter. Please note that these sections are copied as-is from the custom krb5.conf:

o   [login]

o   [logging]

o   [dbdefaults]

o   [dbmodules]

o   [kdcdefaults]

o   [kdc]

o   [kadmin]

o   [password_quality]

o   [otp]

Obsolete Parameters:

-   none

Refer to the Configuration and Tuning Reference Guide for details.

DirectManage Access Manager

 

·        If you install DirectManage Access Manager and Access Module for PowerShell on Windows 7 or Windows Server 2008 R2, SP1 or later is required starting from this release. (Ref: CS-36146)

·        DirectManage Access no longer installs documents and release notes starting from Suite 2016. You can find them in the Documentation folder of the ISO or at http://docs.centrify.com (Ref: CS-36401)

·        This release introduces the “user is visible” system right, which controls whether a user is visible to all computers in a zone. By default, a user is visible in any newly created role and also in roles created before Suite 2016. (Ref: CS-36007)

·        This release provides support for managed service accounts (MSA), which were introduced in Windows 7 and Windows Server 2008 R2. Access Manager is also enhanced to support zone delegation to an MSA. (Ref: CS-34492)

·        From the Access Manager result pane, you can now select multiple zones and apply the "Delegate Zone Control ..." action to them.  If different zone types are selected, then only the common tasks will be enabled. (Ref: CS-33843)

·        The “Generate Centrify Recommended Deployment Structure” wizard is now merged into the Setup Wizard, so a user can create the deployment structure under the domain root object or an organizational unit object before running the Setup Wizard. (Ref: CS-35392, CS-35393)

Report Center

·        Report Center is now deprecated and will be removed in a future Centrify Server Suite release. It is no longer displayed by default in the Access Manager tree but can be shown via the drop-down menu and context menu. Report Center is replaced by Report Services in Suite 2016. (Ref: CS-36388)

Access Module for PowerShell

·        Access Module for PowerShell is built on .NET Framework 4.5 starting from this release. It requires PowerShell v4 or above to run. (Ref: CS-36376)

·        You can use Access Module for PowerShell to configure settings for Zone Provisioning Agent (ZPA). There is a new object type, 'CdmZpaSetting'. (Ref: CS-34792)

o   Add a cmdlet named 'Get-CdmZpaSetting' with the following parameters:

- DN

- Name

- Domain

o   Add a cmdlet named 'Set-CdmZpaSetting' with the following parameters:

- Zone

- UserUid

- UserName

- UserShell

- UserHomeDirectory

- UserPrimaryGroup

- UserGecos

- GroupGid

- GroupName

- UserSource

- GroupSource

- IgnoreDisabledAccount

- EnableUserProvisioning

- EnableGroupProvisioning

- GroupPriority

·        Support is added for the user-visible system right in role definitions. Set the right with the New-CdmRole and Set-CdmRole cmdlets. (Ref: CS-36058)

·        Get-CdmManagedComputer is enhanced to show two new properties (Ref: CS-34190, CS-35028):

o   Preferred Site: <the site that the machine is connected to>

o   Subnet Site: <the site that the machine should be connected to>

Zone Provisioning Agent

 

·        Starting from this release, you can now select managed service accounts (MSA) and group managed service accounts (gMSA) as the provisioning service account. (Ref: CS-34492)

Deployment Manager

 

·        Deployment Manager has been updated to version 5.3.0.  Please refer to the Deployment Manager release notes for information on enhancements and bug fixes in this release.

Group Policies

 

·        Starting from this release, group policies are shipped in ADMX (XML-based administrative template) format; the ADM (administrative template) format is no longer provided. (Ref: CS-6821, CS-30836)

Deployment Report

 

·        Installation information for the Centrify Server Suite Enterprise Edition is now stored in Active Directory in addition to the existing DirectAudit database. This allows an authenticated Active Directory user to run Deployment Report without having to provide the DirectAudit database credential. (Ref: CS-36265)

·        New usage count information grouped by Server/Workstation license type is added to the Deployment Summary section of the report. (Ref: CS-38619)

adedit

 

·        adedit is enhanced to support local users and local groups with the following new function calls: (Ref: CS-36090, CS-38488)

o   list_local_users_profile

o   new_local_user_profile <UNIX user name>

o   select_local_user_profile <UNIX user name>

o   delete_local_user_profile <UNIX user name>

o   get_local_user_profile

o   get_local_user_profile_field <field name>

o   set_local_user_profile_field <field name> <value>

o   save_local_user_profile

o   list_local_groups_profile

o   new_local_group_profile <UNIX group name>

o   get_local_group_profile

o   select_local_group_profile <UNIX group name>

o   delete_local_group_profile <UNIX group name>

o   get_local_group_profile_field <field name>

o   set_local_group_profile_field <field name> <value>

o   save_local_group_profile

Refer to the adedit Administrator’s Guide for usage and details.

·        The CreateRole function adds a Boolean input parameter, visible, to indicate whether the visible system right is enabled when the role is created. (Ref: CS-36066)

·        The “get_zone_field parent” function adds a new option, "-raw", in the TCL ade_lib library to return the parentLink in <GUID>@<DOMAIN> format. This applies to hierarchical zones only. (Ref: CS-31010)

·        The “get_zone_field cloudurl” function returns the name of the cloud instance associated with the selected hierarchical zone. (Ref: CS-39190)

·        The “set_zone_field cloudurl <value>” function sets the name of the cloud instance associated with the selected hierarchical zone. (Ref: CS-39190)

·        The get_zone_field and set_zone_field functions are enhanced to support computer zone: (Ref: CS-35950)

o   get_zone_field dn: returns the Distinguished Name (DN) of the current msDS-AzScope Active Directory object associated with the computer zone.

o   get_zone_field description: returns the computer zone description.

o   set_zone_field description <value>: sets the Active Directory description attribute for the msds-AzScope object.

·        There is a new TCL script, adlistnismaps which can be found in /usr/share/centrifydc/adedit directory. It lists the NIS maps stored in Centrify zones. Please refer to adauto.pl and adautouser.pl scripts for its usage. (Ref: CS-36021)

Centrify LDAP Proxy

 

·        ldapsearch adds extendedDN to the –e or –E option to return the extended distinguished name of the object. (Ref: CS-36318)

Centrify OpenSSH

 

·        Centrify OpenSSH 5.3.0 is based on OpenSSH 7.1p1. Unlike stock OpenSSH, Centrify OpenSSH still supports the SSH version 1 protocol in this version. (Ref: CS-8245)

In addition, there are a few behavior changes from Centrify OpenSSH 5.2.3, which is based on OpenSSH 6.7p1:

o   The default for the sshd_config(5) PermitRootLogin option is changed from "yes" to "prohibit-password".

o   Support for ssh-dss and ssh-dss-cert-* host and user keys is disabled by default at run time. This means a user whose public key is a DSA (ssh-dss) key will now fail to log in by default; RSA, ECDSA and Ed25519 keys are unaffected.

o   UseDNS now defaults to 'no'.

o   Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time.

o   Support for tcpwrappers/libwrap is removed.

For details, refer to the stock OpenSSH 7.1p1 release notes.
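Several of these changes silently turn off behaviour that an sshd_config carried over from the 6.7p1-based Centrify OpenSSH 5.2.3 may rely on, or that such a file may explicitly re-enable, so it is worth auditing the file before upgrading. The following Python is an added example for these notes, not Centrify tooling: it parses an sshd_config and flags directives that request protocol 1, re-enable DSA (ssh-dss) keys or the 1024-bit group1 key exchange, allow password root login, or turn UseDNS back on. Both sample configurations are constructed for the example.

```python
import re

# (keyword, predicate on the lower-cased value, finding) for the 7.1p1 changes
# listed above.  Each match either re-enables behaviour the new defaults turn
# off or asks for protocol 1.
LEGACY_CHECKS = [
    ("protocol", lambda v: "1" in v.split(","),
     "Protocol 1 requested (disabled in stock OpenSSH 7.x; Centrify build keeps it)"),
    ("permitrootlogin", lambda v: v == "yes",
     "PermitRootLogin yes allows root password login (new default: prohibit-password)"),
    ("hostkeyalgorithms", lambda v: "ssh-dss" in v,
     "ssh-dss host keys re-enabled (disabled by default in 7.x)"),
    ("pubkeyacceptedkeytypes", lambda v: "ssh-dss" in v,
     "ssh-dss user keys re-enabled (DSA users cannot log in by default in 7.x)"),
    ("usedns", lambda v: v == "yes",
     "UseDNS yes (new default: no)"),
    ("kexalgorithms", lambda v: "diffie-hellman-group1-sha1" in v,
     "1024-bit diffie-hellman-group1-sha1 key exchange re-enabled"),
]

_DIRECTIVE = re.compile(r"^([^\s=]+)\s*[=\s]\s*(.*)$")


def parse_sshd_config(text):
    """Return (keyword, value) pairs with keywords lower-cased, as sshd matches them.

    Handles 'Key value' and 'Key=value', and strips comments and blank lines.
    Match blocks are flattened: a directive inside one is reported like any
    other, which is what an audit wants.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2).strip()))
    return entries


def audit_sshd_config(text):
    """Return the findings, in file order, for an sshd_config body."""
    findings = []
    for key, value in parse_sshd_config(text):
        for wanted, is_legacy, finding in LEGACY_CHECKS:
            if key == wanted and is_legacy(value.lower()):
                findings.append(finding)
    return findings


# Constructed sample: settings typical of a file tuned for the 6.7p1-based
# Centrify OpenSSH 5.2.3, where each of these was the default or still accepted.
LEGACY_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
UseDNS yes
HostKeyAlgorithms ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes ssh-rsa,ssh-dss
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
UsePAM yes
"""

# Constructed sample: the 7.1p1 defaults spelled out explicitly, plus UsePAM yes.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin prohibit-password
UseDNS no
UsePAM yes
"""


if __name__ == "__main__":
    for finding in audit_sshd_config(LEGACY_CONFIG):
        print("LEGACY:", finding)
    print("hardened findings:", audit_sshd_config(HARDENED_CONFIG))
```

One change the file itself cannot reveal is the removal of tcpwrappers/libwrap: rules in /etc/hosts.allow and /etc/hosts.deny are simply no longer consulted after the upgrade, so check those files separately and move any restrictions into sshd_config (AllowUsers, Match Address) or the host firewall.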

·        A new keyword, 'Krb5ccUnique' is added to Centrify sshd_config to specify whether Centrify sshd should generate a unique credential cache name when storing the Kerberos credentials cache.  The default is “yes” (enabled). If it is “no” (disabled), the old style credential cache name, krb5cc_<uid> or KCM:<uid>, is used. (Ref: CS-8250)

·        Starting with Suite 2016, install.sh no longer installs Centrify OpenSSH by default. To install it, use the Custom installation option. If Centrify OpenSSH is already installed, it is upgraded automatically. (Ref: CS-32389, CS-38266)

Please note that you will still need to install Centrify OpenSSH on AIX in the following cases:

o   If you use DirectAudit; otherwise local users will not be audited.

o   If you have a local user and an AD user with the same name but different UNIX profiles. Centrify OpenSSH resolves this, whereas AIX SSH does not.

Supported Platforms

 

·        Support has been added for the following operating systems (Ref: CS-7155, CS-36163, CS-36361, CS-36418):

o  Windows 10 (x86_64)

o  Mac OS X 10.11 (x86_64)

o  Fedora 23 (x86, x86_64)

o  CentOS 6.7 (x86, x86_64)

o  Oracle Enterprise Linux 6.7 (x86, x86_64)

o  Red Hat Enterprise Linux Desktop 6.7 (x86, x86_64)

o  Red Hat Enterprise Linux Server 6.7 (x86, x86_64)

o  Red Hat Enterprise Linux Server 6.7 (ppc64 – no Power8)

o  Red Hat Enterprise Linux Desktop 7.2 (x86_64)

o  Red Hat Enterprise Linux Server 7.2 (x86_64)

o  Red Hat Enterprise Linux Server 7.0, 7.1, 7.2 (ppc64 – no Power8)

o  Scientific Linux 6.7 (x86, x86_64)

o  Ubuntu Desktop 15.10 (x86, x86_64)

o  Ubuntu Server 15.10 (x86, x86_64)

o  SUSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)

o  SUSE Linux Enterprise Server 11 SP4 (x86, x86_64, ppc64, ia64)

o  Oracle Solaris 11.3 (x86_64, SPARC)

 

 

·        Support is removed for the following operating systems (Ref: CS-34860):

o  All 32-bit Windows platforms

o  Mac OS X 10.8

o Fedora 19 (32-bit and 64-bit)

o Oracle Enterprise Linux 4.x (32-bit and 64-bit)

o openSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

o  Oracle Solaris 8 SPARC

 

·        This is the last release to support the following operating systems (Ref: CS-35417):

o Debian Linux 6.x (32-bit and 64-bit)

o Fedora 20 (32-bit and 64-bit)

o HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

o HP-UX 11.23 Itanium (Normal and Trusted modes)

o  Oracle Solaris 9 (32-bit and 64-bit)

o Ubuntu Desktop 14.10 (32-bit and 64-bit)

o Ubuntu Server 14.10 (32-bit and 64-bit)

 

·        Support will be discontinued soon (the next release will be the last release with support) for the following operating systems:

o Fedora 21 (32-bit and 64-bit)

o Ubuntu Desktop 15.04, 15.10 (32-bit and 64-bit)

o Ubuntu Server 15.04, 15.10 (32-bit and 64-bit)

o SUSE Linux Enterprise Desktop 10 (32-bit and 64-bit)

o SUSE Linux Enterprise Server 10 (32-bit and 64-bit)

o openSUSE 13.1 (32-bit and 64-bit)

3.    Bugs Fixed

3.1.        Bugs Fixed in Centrify DirectControl 5.4.0 (Suite 2017)

DirectControl Agent

 

·        In previous versions, if the DirectControl Agent is installed on Ubuntu 16.04, the GUI login service (lightdm) cannot start. This problem has been fixed. (Ref: CS-40556)

·        Changelog is now supported in RPM. (Ref: CS-40525)

·        The Local Account Management feature now updates /etc/passwd and /etc/group only if changes are required. (Ref: CS-42083)

·        The DBM files for the local cache of automount maps were not lock-protected, which could result in an empty map entry being returned. The affected scripts are adauto.pl and adautouser.pl. They are now lock-protected. (Ref: CS-41977, CS-42154)

·        "adcdiag -f" now only supports the "mfa" argument. (Ref: CS-40152)

·        The command adcert can now handle special character “/” in the certificate template name. (Ref: CS-41989)

·        The command adflush could leave zombie nscdrestart.sh processes on a busy system. It is now fixed. (Ref: CS-41610)

·        "adflush -f" incorrectly removed entries in /etc/security/limits for Centrify-managed local users. It is now fixed. (Ref: CS-40907)

·        The command "adinfo -y cloud" now shows the correct connector in use. (Ref: CS-41546)

·        Fixed the issue that adquery incorrectly displays a user account as unlocked (accountLocked:false) when it is locked. (Ref: CS-40944)

·        The curl command in Centrify package may not work well on different RHEL versions because of the inconsistent usage of the certificate store location. It is now fixed. (Ref: CS-40923)

·        Previously, when env_reset was enabled (the default) and the -s option was not used, the SHELL environment variable was set to the shell of the invoking user. Now, when env_reset is enabled and the -s option is not used, SHELL is set to the shell of the target user. (Ref: CS-40885)

·        Fixed an issue that the validator fails to get the dzdo command line string due to some special characters, thus causing the dzdo command to fail. (Ref: CS-40360)

·        Fixed an issue where the DirectControl agent may crash when retrieving a large number of local users or groups. (Ref: CS-41127)

·        The background process in the DirectControl agent that updates ALTUPN now skips an unreachable domain. (Ref: CS-40665)

·        Sometimes the DirectControl agent fails to recover from disconnected mode because the background recovery thread is busy. This is now fixed. (Ref: CS-41268)

·        On RHEL 7.2 using systemd, the DirectControl agent now starts with the correct options passed to /usr/share/centrifydc/bin/centrifydc. (Ref: CS-40727)

·        The DirectControl watchdog sometimes incorrectly restarted an adclient process that was shutting down normally. It is now fixed. (Ref: CS-40636, CS-41653)

·        Fixed a bug that caused a failure in cross-domain group query using both configuration parameters adclient.preferred.login.domains and adclient.cache.upn.index:true. (Ref: CS-39834)

·        Fixed a bug that caused zone users to disappear if a DirectAuthorize role is renamed. (Ref: CS-40120)

·        Computer account authentication did not work if "adclient.user.computers" was set to "true". It is now fixed. (Ref: CS-41202)

·        Fixed a bug where setting "pam.auth.create.krb5.cache" to "false" resulted in an unexpected value in the 'KRB5CCNAME' environment variable. (Ref: CS-40381)

·        Fixed a bug in the DirectControl SELinux module so that logrotate can work well with /var/log/centrify_client.log. (Ref: CS-40170)

·        A bug in handling the ACL of krb5.keytab caused Kerberos to fail when connecting an Oracle database to Active Directory across two domains with a one-way trust. It is now fixed. (Ref: CS-40605)

·        Fixed a DirectControl agent inoperable problem on AIX VIOS version >= 2.2.2. The DirectControl AIX package is changed to 64-bit to solve this problem. (Ref: CS-40107)

·        Because of the change of DirectControl AIX package from 32-bit to 64-bit, the system script /etc/rc.tcpip will be changed during upgrade. The sections added to /etc/rc.tcpip by previous DirectControl releases will be replaced. This applies to AIX environment only. (Ref: CS-42557)

·        On AIX, the log rotation script generates an error-level syslog message if /var/log/centrify_client.log does not exist. This is now changed to an info-level message. (Ref: CS-40959)

·        On AIX, there was a memory leak in the DirectControl authentication module in LAM mode affecting AIX authentication processes such as db2ckpwd in the DB2 plug-in. It is now fixed. (Ref: CS-40810)

·        NSCD on Solaris is not thread-safe during enumeration, so the DirectControl NSS module could cause a core dump. It is now fixed with new mutex logic. (Ref: CS-40485)

DirectManage Access Manager

·        In the "Browse for Container" dialog, one-way trusted domains were not displayed if there was no global catalog server in the trusted domain. Hence Active Directory users from trusted domains could not be added to a zone in the trusting domain in a one-way trust environment. This issue is now fixed. (Ref: CS-42105)

·        Access Manager may throw an erroneous message, “Insufficient access right to create or modify the zone” even though the user is not creating a new zone. This is now fixed. (Ref: CS-40976)

·        The Sudoers Import feature in Access Manager will now be disabled if the Microsoft SQL Server Compact 3.5 SP2 is not installed. (Ref: CS-40279)

·        Sometimes after performing sudo import, the Pending Import node is missing from the Users and Groups node of computers joined to a hierarchical zone. This issue is now fixed. (Ref: CS-40514)

·        Fixed the issue where Access Manager and PowerShell did not return the UNIX profile after moving an Active Directory user account from one trusted domain to another. (Ref: CS-41406, CS-41407)

·        The default login name when creating a user profile in a hierarchical SFU zone is now inherited from the User Default settings. (Ref: CS-29682)

·        MFA Group Policy "Enable multi-factor authentication for express, autozone, and classic zone" is changed to "Enable multi-factor authentication for autozone and classic zone". (Ref: CS-40299)

·        Fixed the problem that effective UNIX user rights for hierarchical SFU zones are not displayed in the 'Effective User Rights' dialog. (Ref: CS-40756)

·        Effective UNIX User Rights may fail to show any result if the LocalUsers or LocalGroups container does not exist under zone or computer zone (e.g. zones created before Suite 2016). This issue is now fixed. (Ref: CS-40908)

·        Effective UNIX User Rights may fail to show any result if there are two computer zones with the same computer scope name under the same parent zone. The issue is fixed and a warning message, "Conflicted computer scope: <scope name>, scope path: <scope path>.", is also logged. (Ref: CS-41442)

Centrify Report Services

·        Fixed a bug that generates an event log message about starting up database ‘ReportServer$XXTempDB’ every 10 minutes. (Ref: CS-39053)

Group Policies

·        The XML-based group policy processor had a bug in handling deletion of a value, in particular when a GP value is enabled in a higher-level global GP and deleted in a lower-level delta GP. This is now fixed. (Ref: CS-42031)

·        The User Group Policy RunCommand now knows which user it is invoked for. The run command for a user group policy runs as root, but previously it was not told which user it was running for. With this fix, the user name is provided in the environment variable "user"; in Perl, it is $ENV{user}. (Ref: CS-42264)

adedit

·        adedit now supports AIX group extended attributes with the following commands: set_zone_group_field, get_zone_group_field. (Ref: CS-40220)

·        adedit now also supports AIX extended attributes for local user management. (Ref: CS-41844)

·        A warning is now issued when the UNIX name of a UNIX profile being created is the same as the sAMAccountName of another Active Directory user in the current domain. The following message is output: "Warning: zone user is created, but has the name same as another AD user in current domain". (Ref: CS-38789)

·        Fixed the issue that the TCL procedure in ade_lib.tcl, is_user_effective, does not break out of the traversal loop. (Ref: CS-42169)

·        Fixed a bug where an Active Directory user was not created correctly via adedit when the domain controller is not set in the kset.dc.domain file. (Ref: CS-41793)

Zone Provisioning Agent

·        The maximum length of the message string in an event log record is changed from 32,766 bytes to 31,839 bytes. If the message string is longer than 31,839 bytes, it is split into several records. (Ref: CS-41983)

Centrify LDAP Proxy

·        ldapproxy may not return a user record if the user entry has any binary attribute, e.g. userCertificate. It is now fixed. (Ref: CS-41046)

·        ldapproxy now supports more complex searches, such as search by member with posixGroup, and search by sAMAccountName with posixAccount/posixGroup. (Ref: CS-34621, CS-39880, CS-40242)

The following are some examples:

·        "(&(objectClass=posixAccount)(samAccountName=<user's samAccountName>))"

·        "(&(objectClass=posixGroup)(samAccountName=<group's samAccountName>))"

·        "(&(objectClass=posixGroup)(|(memberuid=<user's unix name>)(member=<user's DN>)))"

·        "(&(objectClass=posixGroup)(|(memberuid=<user's unix name>)(uniqueMember=<user's DN>)))"

Please note:

·        These searches look for UNIX-enabled users and groups only.

·        'posixGroup.member' and 'posixGroup.uniqueMember' both map to the _MemberDN attribute in rfc2307.map.
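The filters above are built from user- or group-supplied names. As an added example (not Centrify's code and not taken from these release notes), the following POSIX shell functions build the same posixAccount/posixGroup searches for ldapproxy while escaping the supplied values as RFC 4515 requires, so that a name containing "(", ")", "*" or "\" cannot change the structure of the filter. The host, port and search base used by ldapproxy_search are placeholders read from environment variables (LDAPPROXY_HOST, LDAPPROXY_PORT, LDAPPROXY_BASE); adjust them for your ldapproxy instance.

```shell
# Added example, not part of the Centrify release notes or the ldapproxy
# package: build the posixAccount/posixGroup searches listed above with the
# supplied values escaped per RFC 4515. Connection details are placeholders
# read from the environment (LDAPPROXY_HOST, LDAPPROXY_PORT, LDAPPROXY_BASE).

# Escape one value for use inside an LDAP search filter (RFC 4515, section 3).
# The backslash is handled first so the hex escapes added afterwards are not
# escaped a second time.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g'  \
                             -e 's/)/\\29/g'
}

# UNIX-enabled user by sAMAccountName.
posix_user_filter() {
    printf '(&(objectClass=posixAccount)(sAMAccountName=%s))\n' \
        "$(ldap_filter_escape "$1")"
}

# UNIX-enabled group by sAMAccountName.
posix_group_filter() {
    printf '(&(objectClass=posixGroup)(sAMAccountName=%s))\n' \
        "$(ldap_filter_escape "$1")"
}

# UNIX-enabled groups a user belongs to, matched either by memberUid (the
# user's UNIX name, argument 1) or by member DN (argument 2).
posix_groups_of_user_filter() {
    printf '(&(objectClass=posixGroup)(|(memberUid=%s)(member=%s)))\n' \
        "$(ldap_filter_escape "$1")" "$(ldap_filter_escape "$2")"
}

# Run a filter against ldapproxy with OpenLDAP's ldapsearch (simple bind;
# anonymous unless -D/-w are added). Not invoked here; usage:
#   LDAPPROXY_BASE='dc=example,dc=com' ldapproxy_search "$(posix_user_filter jdoe)"
ldapproxy_search() {
    ldapsearch -x \
        -H "ldap://${LDAPPROXY_HOST:-localhost}:${LDAPPROXY_PORT:-389}" \
        -b "${LDAPPROXY_BASE:?set LDAPPROXY_BASE to the search base DN}" \
        "$1"
}
```

The escaping is the part worth keeping even if you query ldapproxy some other way: a group or user name taken from a script argument or a web form and pasted straight into the filter can otherwise close the parenthesis early and widen the match.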

Centrify OpenSSH

·        Fixed an issue so that the Centrify sshd session process is assigned the correct "OOM score". (Ref: CS-41734)

·        An issue causing sshd to hang on AIX when running "ssh -t" is now fixed. (Ref: CS-40488)

·        In previous releases Centrify OpenSSH denied SFTP access for normal users if 'rlogin = false' was set in '/etc/security/user' on AIX. A new sshd_config option, 'RloginControlSftp', is provided to control this behavior. The default is 'yes', which means SFTP access is denied as in previous releases. Setting this option to 'no' grants the user SFTP access while still denying SSH login. Note that root login via SSH does not respect either the 'rlogin' or the 'RloginControlSftp' setting; it is controlled by the 'PermitRootLogin' setting in sshd_config. In addition, the sshd_config 'AllowUsers' setting always takes precedence over the AIX 'rlogin' setting; for example, if a user is listed in 'AllowUsers', that user can still log in even when 'rlogin' is set to 'false'. (Ref: CS-40484)

RHEL and CentOS Smartcard

·        Fixed an issue that could cause Smart Card name mapping to malfunction due to Serial Numbers and CN values being merged in the certificate subject name. (Ref: CC-42564)

3.2.        Bugs Fixed in Centrify DirectControl 5.3.1 (Suite 2016.1)

DirectControl Agent

·        In this release, ldapsearch returns the distinguished name of the searched object if the attribute to be searched is the objectIdentifier (1.1). No attribute was returned previously. (Ref: CS-39572)

·        For an Active Directory user from a cross-forest one-way outbound trust, the password hash cached by the DirectControl agent was erased after it expired, resulting in the user not being able to log in in disconnected mode. This issue is now fixed. (Ref: CS-39712)

·        The password prompt does not include the user name. In this release, the environment variable CDC_USER is added to show the login user name. (Ref: CS-38474)

·        Added a new rule for "krb5.ccache" in the SELinux definition for the DirectControl agent. (Ref: CS-39599)

·        Fixed a parsing issue in the DirectControl agent that led to skipping DirectAuthorize commands containing '|' in the fields. (Ref: CS-39308)

·        In previous releases, an Active Directory user in an AIX logical partition on a VIO server could not run VIO server commands such as ioslevel, because the AIX extended attribute default_roles was not supported. It is fixed in this release. Note that you need to run the adedit set_zone_user_field command to set the desired role in default_roles; this is not automatic. (Ref: CS-39819)

DirectManage Access Manager

·        In previous releases, if another MMC application was running, the DirectManage installer prompted with the message "An existing MMC.exe is running. Please close all the existing MMC.exe". The dialog now lists the running applications and allows users to retry after closing them. (Ref: CS-36116)

Centrify Report Services

·        Improved report performance and scalability to support large environments. (Ref: CS-38802)

·        Since roles and privileges are stored and calculated differently for classic and hierarchical zones, separate views are created for classic and hierarchical zones.  These views are:

o   EffectiveAuthorizedUsers_Computer_Classic

o   EffectiveAuthorizedUsers_Computer_Hierarchical

o   EffectiveRoleAssignment_Classic

o   EffectiveRoleAssignment_Hierarchical

Please use these zone-type specific views if your environment has only one zone type.

·        In prior releases, Report Service could not complete synchronization from Active Directory when it encountered an Active Directory object with a malformed timestamp. In this release, Report Service detects and logs all relevant information about the object with the malformed timestamp, and continues with other Active Directory objects. (Ref: CS-39486)

·        In prior releases, empty strings were not allowed in textbox report filters. They are allowed in this release and behave as if the filter is not used. (Ref: CS-36211)

Group Policies

·        Group policies "Computer Configurations" -> "Centrify Settings" -> "DirectControl Settings" -> "Allow adclient to lookup user by common name" and "Allow adclient to lookup user by display name" are removed. Please use group policies "Computer Configurations" -> "Centrify Settings" -> "DirectControl Settings" -> "Network and Cache Settings" -> "Enable user lookup and login by CN" and "Enable user lookup and login by displayName" for the same configuration.  (Ref: CS-39212)

adedit

·        The “create_zone”, “get_zone_field” and “set_zone_field” commands do not return the default user name and group name if they are not initialized.  This is now fixed. (Ref: CS-38947)

3.3.        Bugs Fixed in Centrify DirectControl 5.3.0 (Suite 2016)

DirectControl Agent

·        The Kerberos credentials of logged-in users are now renewed when the machine goes back to connected mode after a reboot in disconnected mode. (Ref: CS-39183)

·        The issue of mapped users set in passwd.ovr intermittently not being able to log in is now fixed. (Ref: CS-36108)

·        Due to an error when parsing a PAC (Privilege Attribute Certificate) that has SIDs compressed in the resource group field, zoned users were not able to log in and adquery reported a NULL SID for these users. The issue is fixed. (Ref: CSSUP-6606, CS-36209)

·        With NTLM authentication turned on, if the user principal name was different from the canonical name (also known as the pre-Windows 2000 login name), the user could not log in. This problem is fixed. (Ref: CS-36231)

·        Some applications, such as Apache Tomcat, may send an empty NTLM Challenge packet to check whether the DirectControl agent supports NTLM authentication. This crashed the DirectControl agent. In this release, it returns a "Bad packet" error to the sender. (Ref: CS-35958)

·        For an Active Directory user from a one-way cross-forest outbound trust, if a role assignment was added or removed after the user's zone user profile had been cached by the DirectControl agent, the user could not be displayed on or removed from the UNIX machine unless the local cache was flushed. This issue is now fixed. (Ref: CS-38628)

·        When using passwd override in passwd.ovr, if the user's UNIX account name is different from its Active Directory account name, then the user cannot login. This problem is fixed. (Ref: CS-36301)

·        The current auto mount map inheritance scheme in adauto.pl supports only zone hierarchy in the same domain. Thus, if the automount maps are defined in a parent domain, the child domain cannot read the automount maps and cannot inherit the automount maps.  This is now fixed.  (Ref: CS-35343)

·        When there are a large number of NIS map entries in Active Directory, the auto_maps cache keeps growing. This is due to deleted entries in the underlying database not being purged. This release fixes this issue. (Ref: CS-35959)

·        Previously, dzinfo displays the same role and the role assignment multiple times for a user if the role is assigned via multiple role assignments.  In this release, dzinfo now shows only one role with multiple role assignments. (Ref: CS-35763)

·        In this release, when customizing the environment variables for command execution through dzdo command settings or centrifydc.conf options, the listed values replace the existing list rather than being added to it as in prior releases. Please note that this may affect current dzdo use: for example, if a machine has the centrifydc.conf option 'dzdo.env_keep' set as 'dzdo.env_keep: VAR', then now only 'VAR' is kept and all other entries in the default list, such as 'PATH' and 'KRB5CCNAME', are removed. You may need to check and update these settings. (Ref: CS-36094)
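To see whether an existing centrifydc.conf is affected by this change before upgrading, here is an added shell check (not Centrify's code and not from these notes). It reads the last uncommented dzdo.env_keep line and reports which of the names the note mentions, PATH and KRB5CCNAME, the configured list no longer keeps. The full default list is not given in the notes, so the required-names list is an assumption to extend for your environment, and the check assumes entries are separated by whitespace or commas. Pass the path of the file to check; a copy works for trying it out.

```shell
# Added example (not Centrify's code): report dzdo.env_keep settings that,
# after the 5.3.0 change from "append" to "replace", no longer keep variables
# the release notes mention. PATH and KRB5CCNAME are the only two named there;
# extend DZDO_ENV_KEEP_REQUIRED for your environment (assumption).
DZDO_ENV_KEEP_REQUIRED="PATH KRB5CCNAME"

# Print the value of the last uncommented dzdo.env_keep line, or nothing if
# the parameter is not set (in which case the built-in default list applies).
dzdo_env_keep_value() {
    sed -n 's/^[[:space:]]*dzdo\.env_keep[[:space:]]*:[[:space:]]*//p' "$1" | tail -n 1
}

# Print the required names missing from the configured list, space separated.
# Empty output means nothing is missing (or the parameter is not set at all).
# Commas are treated as separators too (assumption about the value syntax).
dzdo_env_keep_missing() {
    val=$(dzdo_env_keep_value "$1" | tr ',' ' ')
    if [ -z "$val" ]; then
        return 0
    fi
    missing=""
    for req in $DZDO_ENV_KEEP_REQUIRED; do
        case " $val " in
            *" $req "*) ;;                       # still kept
            *) missing="$missing $req" ;;        # dropped by the replace semantics
        esac
    done
    printf '%s\n' "${missing# }"
}

# Usage: dzdo_env_keep_missing /etc/centrifydc/centrifydc.conf
# prints "PATH KRB5CCNAME" for a file containing only "dzdo.env_keep: VAR".
```

If the check reports names, the fix is to list them explicitly alongside your own variables, e.g. 'dzdo.env_keep: PATH KRB5CCNAME VAR', since a partial list now means exactly that list.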

·        This release fixed the long delay to display password prompt in Solaris and HPUX during dzdo command execution when there is a large number of groups in the current zone. (Ref: CS-39064)

·        This release fixed the slow login or timeout issue on Solaris and HPUX that may happen when sshd_config has group-checking related options such as 'DenyGroups' and the zone has many groups. (Ref: CS-8246)

·        In previous releases, when command-level auditing was enabled, "dzdo -i" would fail unless the right to run /bin/centrifyda or the audited shell command rights were granted to the role. The issue is fixed to work with command auditing in DirectAudit 3.2.2 (in Suite 2015) or newer. Note that you still need to grant command rights to /bin/centrifyda when an unknown shell is used. (Ref: CS-35465)

·        Starting in this release, the Centrify OpenSSH ssh-keygen program always links with the Centrify libcrypto.so. In previous releases, due to the order in $LIBPATH settings, it could link to a non-Centrify libcrypto.so, resulting in missing symbols or unexpected results. (Ref: CS-8238)

·        In this release, we will no longer replace the customer's copy of /etc/dzshrc with the one in the package during upgrade. (Ref: CS-35980)

·        If 'compat' is listed before 'centrifydc' in the passwd section of nsswitch.conf, "getent passwd <user>" failed to return zoned AD user information when NSCD was running. This problem is fixed. (Ref: CS-35899)

·        When an Active Directory user without root permission ran adinfo, it printed a "WARN  base.nocachemode Disabling the agent directory cache" message in centrifydc.log. This problem is fixed. (Ref: CS-36444)

·        This release adds new SELinux rule to support automount to avoid the intermittent automount disconnect issue. (Ref: CS-36399)

·        Amazon Linux AMI is not a supported OS but it passes adcheck and the install script in previous releases. It is now fixed. (Ref: CS-38472)

·        Starting with this release, the "R" option in install.sh installs an add-on package (such as CentrifyDA or Centrify OpenSSH) if it is not already present. (Ref: CS-38529)

·        In previous releases, syslog facility other than ‘auth’ in the ‘logger.facility.*’ parameter is ignored.  This release allows any syslog facilities to be added, one facility per line. (Ref: CS-35902)

DirectManage Access Manager

·        To support the new features in DirectManage Access Manager, the installer overwrites %windir%\System32\Mmc.exe.config after upgrade. The original file is backed up to %APPDATA%\DirectManage Access Manager\Mmc.exe.config. If you have customized Mmc.exe.config, you need to manually merge your changes into the new configuration file. (Ref: CS-34553, CS-38329)

·        Running the "Hierarchical zone - Windows User Effective Rights" report from Report Center takes a long time, or may even fail. This report is now replaced by the "Hierarchical Zone - Effective Rights Report" from Reporting Services. (Ref: CS-29910)

·        In previous releases, the registry value "Notification Packages" under the registry key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" was overwritten when the Password Synchronization Extension was installed. The value should be appended to instead; this is fixed in this release. (Ref: CS-36138)

·        Instead of removing all existing members from the target group and then adding them again, the tool CopyGroup.exe is fixed to add or remove only the members that differ from the source group. (Ref: CS-38918)

·        In this release, we no longer automatically install Microsoft SQL Server Compact 3.5. (Ref: CS-38693)

Access Module for PowerShell

·        PowerShell scripts using the Centrify Access Module may use a lot of memory if PowerShell is running in STA mode, because the COM (Component Object Model) objects used by the Centrify Access Module for PowerShell cannot be released in a timely manner. This release enables MTA mode to eliminate this problem. (Ref: CS-35744)

Group Policies

·        The .NET default maxLength value for a textbox is 32767 characters, which is not enough for the sudoer content textbox of the sudo rights group policy. This release changes the maxLength to 10485760 characters. (Ref: CS-35918)

adedit

·        The get_user_role_assignments command returns error "Malformed DN" if the user’s distinguished name contains white spaces.  This issue is fixed. (Ref: CS-35950)

·        The PAM autoedit scripts for adjoin and adleave are updated to continue even when errors are encountered during processing.  The errors are reported at the end of processing. (Ref: CS-36492)

Centrify Network Information Service

·        adnisd stops functioning in AIX sporadically with multiple interfaces.  The adnisd service is hanging at times and ypwhich and ypcat commands from the client systems get the error "Domain not Bound".  This is fixed in this release. (Ref: CS-35880, CS-35890)

Centrify LDAP Proxy

·        In DirectControl agent 5.2.3, ldapsearch can only find auto-private group through its group ID.  You can now search the auto-private group by its group name. (Ref: CS-36468)

Centrify OpenSSH

·        When doing 'remote to remote' scp, such as 'scp host1:/path/file1 host2:/path2/file2', that requires password authentication for both hosts, scp session fails to authenticate the second host.  This problem is fixed in this release. (Ref: CS-8240)

·        If a local user adds '/usr/sbin:/sbin' in its PATH environment, after Centrify OpenSSH is installed, these two paths will be removed from the PATH environment when a bash shell is opened. This problem happens only in Red Hat Linux family OS and it is now fixed. (Ref: CS-38398)

·        Fixed the issue on HPUX where the service startup log, /etc/rc.log, reported 'FAILED' for the disabled stock ssh service. (Ref: CS-8258)

4.    Known Issues

The following sections describe common known issues or limitations associated with this Centrify Server Suite release; they are categorized as follows:

 

- DirectManage Access Manager

- Group policies

- Zone Provisioning Agent

- DirectControl Agent

- Centrify NIS server (adnisd)

- Centrify Network Information Service

- Centrify LDAP Proxy

- Smart Card

- Zone Migration

- Interoperability with Centrify Samba

- Deployment Report

 

In addition to the known issues described in these sections, you should review the appropriate platform-specific release-notes-agent.txt file for the operating environments you support.

For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to the Knowledge Base articles for any known issues with the release.

DirectControl Agent

·        If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, all AD users will be required to use MFA. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)

·        Centrify MFA Compatibility Issues with Linux GUI Desktop

Some versions of Linux Desktop GUI are not compatible with the additional user interaction required for MFA. The following are some examples:

o   On the system such as RHEL 5 that uses an old version of gdmgreeter, the MFA challenge message may be overlapped by the username/password input box. To avoid this issue, the user can change positions for "user-pw-entry" and "pam-prompt" entries in the theme file /usr/share/gdm/themes/RHEL/RHEL.xml, or directly install and set gdm login to use a newer version of gdm-simple-greeter such as gdm-2.24.0-24.101.19. (Ref: CS-38946a)

o   For Linux OS such as SLES 11 SP3 that use old gdm-simple-greeter for console login authentication, the incorrect behavior in this program will cause MFA login to fail. SLES 11 SP4 has fixed this issue. (Ref: CS-38898a)

o   On systems such as SLES 11 where screen unlock is handled by the program unix2_chkpwd, users will not be challenged for MFA when they unlock the screen. (Ref: CS-38896a)

o   On systems such as SLES 10 where the screen unlock is handled by the program gnome-screensaver, some versions of gnome-screensaver cannot handle the additional challenge/response interaction required for MFA and hang during unlock. In this case, please add 'gnome-screensav' to the pam.mfa.program.ignore list in centrifydc.conf to disable MFA functionality for this screen saver. (Ref: CS-39220b)

o   In systems such as Ubuntu 15.04 where screen unlock is handled by the program compiz, MFA does not work because compiz does not support the additional Challenge/Response interactions. Please add 'compiz' to the "pam.mfa.program.ignore" list in centrifydc.conf to disable MFA functionality for this program. (Ref: CS-38891b)

o   MFA is disabled in KDE Display Manager (kdm) environment in openSUSE due to issues with the native generic plugin module.  Please refer to the following links:

https://bugs.kde.org/show_bug.cgi?id=329523

https://bugs.kde.org/show_bug.cgi?id=105631

(Ref: CS-38898a)

o   If you need to modify the parameter "pam.mfa.program.ignore" list in centrifydc.conf, please note that you need to specify the default values in the parameter.   The default list is "vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd".  For example, if you need to add compiz to this list, the line should be:

pam.mfa.program.ignore: vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd compiz

Please check with Centrify Support if you need more information about Linux desktop (especially screensaver) compatibility issues.
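Because the line you write replaces the whole list, editing it by hand is easy to get wrong. The following is an added example (not Centrify's code and not from these notes) of a POSIX shell routine that merges the default list quoted above, any entries already configured in the file, and the program to add into a single pam.mfa.program.ignore line, replacing whatever lines were there. The file path is a parameter so it can be tried on a copy of centrifydc.conf first; the default list is the one quoted in the note above.

```shell
# Added example (not Centrify's code): add a program to pam.mfa.program.ignore
# in centrifydc.conf while keeping the default entries the release notes say
# must be present. The path is a parameter so the function can be tried on a
# copy of the file first.

# Default list as quoted in the release notes for this parameter.
MFA_IGNORE_DEFAULTS="vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd"

# Print the value of the last uncommented pam.mfa.program.ignore line in the
# file, or nothing if the parameter is not set.
mfa_ignore_current() {
    sed -n 's/^[[:space:]]*pam\.mfa\.program\.ignore[[:space:]]*:[[:space:]]*//p' "$1" | tail -n 1
}

# Print the merged list: defaults first, then any extra entries already in the
# file, then the new program; duplicates are dropped.
mfa_ignore_merged() {
    conf="$1"; prog="$2"
    out="$MFA_IGNORE_DEFAULTS"
    for p in $(mfa_ignore_current "$conf") "$prog"; do
        case " $out " in
            *" $p "*) ;;                  # already listed
            *) out="$out $p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Rewrite the file so exactly one pam.mfa.program.ignore line remains, holding
# the merged list, and print that list. Running it twice is harmless.
mfa_ignore_add() {
    conf="$1"; prog="$2"
    merged=$(mfa_ignore_merged "$conf" "$prog")
    tmp="$conf.tmp.$$"
    # keep every line except existing settings of this parameter
    grep -v '^[[:space:]]*pam\.mfa\.program\.ignore[[:space:]]*:' "$conf" > "$tmp" || true
    printf 'pam.mfa.program.ignore: %s\n' "$merged" >> "$tmp"
    mv "$tmp" "$conf"
    printf '%s\n' "$merged"
}

# Usage: mfa_ignore_add /etc/centrifydc/centrifydc.conf compiz
```

Merging the defaults back in is the point: a program you never meant to exempt from MFA (say, a screensaver already on the list) stays exempt, and a program you did not intend to exempt is never added silently.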

 

·        A SmartCard user logging in via PIN will not be authenticated by MFA. (Ref: CS-38641)

·        Centrify Privilege Service (CPS) cannot manage the password for a user if MFA is required for the user to log in. You can still add an MFA-required user account to a CPS resource, with "Manage this password" unchecked, to log in from CPS. However, you may see the status as "Failed" due to system delay. If the operation is successful, no status is shown for this user. (Ref: CS-38767)

 

·        Local account management is not supported for the following: 

 

o   AIX Secure Mode (Ref: CS-39082)

o   Solaris RBAC (Ref: CS-39365)

o   HPUX trusted mode (Ref: CS-38396)

 

·        Issue with RHEL 7 (Ref: CS-33833a)

 

DirectControl is supported on RHEL 7. However, due to a RHEL 7 issue, you need to reboot the machine or run the following commands from the ssh console in order to make GDM UI login work.

$ sudo systemctl restart messagebus

$ sudo systemctl restart gdm

 

·        pam.allow.override is not working on AIX (Ref: CS-33506a)

  

This is because using username with suffix @localhost is not supported on AIX. The LAMGetEntry call that is used to get user information and extended attribute information does not support login name change. Hence login fails as there is no way to find the user or authenticate the user.

 

·        Issue on interoperability with DirectAudit (Ref: CS-33803a)

  

In DirectAudit 2.x, there is a configuration parameter ‘dash.user.alwaysallowed.list’ in centrifyda.conf that holds a list of users who can start a session even when the DirectAudit agent cannot perform auditing. However, this parameter is not honored by the DirectControl agent when DirectAudit is not functional.

 

In DirectAudit 3.x, a better solution is implemented using the "rescue/always permit login" sysright. This sysright will be honored by both DirectControl and DirectAudit and it should obsolete ‘dash.user.alwaysallowed.list’. Hence, when upgrading from DirectAudit 2.x to DirectAudit 3.x, please assign the users in ‘dash.user.alwaysallowed.list’ list to the "always permit login" role (if any one of these users have "audit required" in their roles).

 

·        On AIX, upgrading DirectControl in disconnected mode may cause unexpected behavior (Ref: CS-30494a)

 

On AIX, upgrading DirectControl from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after upgrade. It's recommended not to upgrade DirectControl in disconnected mode.

 

·        On some versions of AIX, user may not be able to login if LOGIN_NAME_MAX is set to 9 (Ref: CS-30789a)

 

Some versions of AIX cannot handle user name longer than eight characters. As a preventive measure, we have added a new test case in adcheck to check if the parameter LOGIN_NAME_MAX is set to 9. If yes, adcheck will show a warning so that users may understand the potential risk and decide if it may be a problem in their environment or not.

 

·        On Solaris 8 and 9, user may fail to install DirectControl due to Perl not installed (Ref: CS-31298a)

 

Some versions of Solaris, e.g. 8 and 9, may not have Perl version 5.8 or above pre-installed, thus resulting in some DirectControl features, e.g. group policy, not running properly. Starting from DirectControl version 5.1.1, we have enforced the checking for the correct Perl version in adcheck. If the Perl version is not 5.8 or above, adcheck will fail the test case. User has to install a proper Perl version before deploying the DirectControl agent.

 

·        On HPUX 11.11 and 11.23, KCM server credential support may not work due to missing libc patches, resulting in some features not working, e.g. AD users cannot access a Samba server. (Ref: CS-32187a)

 

On HPUX 11.11, the patch PHCO_36184 is required whereas on HPUX 11.23, the patch PHCO_35744 is required. As a preventive measure, we have added a new test case in adcheck to check if the required patch is there. If the required patch is not available, adcheck will show the failed test case and advise users to install the required patch before deploying DirectControl agent.

  

·        PAM messages depend on operating system (Ref: CS-16710c)

 

Configurable PAM messages from pam.account.locked.mesg parameter in centrifydc.conf may not be shown depending on the login method, daemon version and operating system version.

 

·        Cross forest groups are not supported in the pam.allow.group or pam.deny.groups property setting. (Ref: CS-18659a)

 

·        Working with adclient.client.idle.timeout (Ref: CS-18792c)

 

This property is only read at startup. Hence if it is changed, adclient must be restarted. There is a Group Policy setting for this property but changing it has no effect until adclient is restarted on affected machines.

 

·        Use of addns on computers that act as network gateways (Ref: CS-20319c)

 

UNIX computers that act as gateways between different networks may require the addns command line to be specified such that the correct network adapter IP address is registered in Active Directory's DNS. Set the adclient.dynamic.dns.command property in /etc/centrifydc/centrifydc.conf to the addns command line necessary to select the correct network interface and IP address.

 

·        Working with users defined in a Kerberos realm (Ref: CS-21846a)

 

DirectControl supports users defined in a Kerberos realm as long as the Kerberos domains / realms are resolvable by DNS. Kerberos realm names are case sensitive, so care should be taken to check the spelling / case of any realm used.

 

·        Use of rsh and rcp with DirectControl (Ref: CS-22172c, CS-21523c)

 

rsh and rcp are considered archaic methods and should not be used with DirectControl as their behavior cannot be guaranteed in all circumstances.

 

·        adedit cannot create AIX extended attributes in a SFU zone (Ref: CS-25392c)

 

·        Failed to login as override user with NSCD running (Ref: CS-29816c)

 

On Solaris, with NSCD running, attempt to login as override user using <username>@localhost fails.

  

·        Potential issues on Fedora 19 and above (Ref: CS-31549a, CS-31730a)

 

There are several potential issues on Fedora 19 and above:

1)  adcheck will fail if the machine does not have Perl installed.

2)  Group Policy will not be fully functional unless Text/ParseWords.pm is installed.

 

·        Using DirectControl 4.x agents with DirectControl 5.x (Ref: IN-90001)

 

DirectControl 4.x agents can join classic zones created by DirectControl 5.x. A DirectControl 4.x agent may also appear to join a hierarchical zone, but this behavior is undefined and causes failures later.

 

 

·        Some non-alphanumeric characters are valid for Windows user or group names and are converted to underscore ("_") when changed to be UNIX names in the Access Manager, but cannot be used in adedit. (Ref: IN-90001)

 

The list is:

\ ( ) + ; " , < > =

  

·        Default zone not used in DirectControl 5.x (Ref: IN-90001)

 

In DirectControl 4.x, and earlier, there was a concept of the default zone. When DirectControl was installed a default zone could be created that would be the default zone used when none was specified. If no zone was specified when joining a domain with adjoin, the default zone would be used.

 

This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.

 

A zone called "default" may be created, and default zones created in earlier versions of DirectControl may be used, but the name must be explicitly used.

 

·        Change password and rsh / rlogin (Ref: IN-90001)

 

When using rsh or rlogin to access a computer that has DirectControl installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.

 

·        Changing the password of an orphan user with adpasswd (Ref: IN-90001)

 

adpasswd should not be used to change the password of an orphan user.  If it is used, an error will be generated as follows:

 

Error: Unsuccessful IPC execute: system error

 

·        Working with /var mounted via NFS (Ref: IN-90009)

 

The directory /var should not be NFS mounted or else DirectControl may not work properly.

 

·        nss.minuid and nss.mingid are no longer used (Ref: IN-90009)

 

These have been replaced by user.ignore and group.ignore. DirectControl ignores the local UID and GID values of the users and groups listed in those files and generates uid.ignore and gid.ignore files from them. The values from nss.minuid and nss.mingid are added to these files during the upgrade process.

 

·        When logging into a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which will result in unpredictable login behavior. The workaround is to remove the conflict or login with a different AD user. (Ref: CS-28940a, CS-28941a)

·        Active Directory and all clients should have the same time zone setting. If they do not, then when daylight saving time takes effect and adclient.logonhours.local.enforcement is true, users may be unable to log in from clients during the permitted "Logon Hours" period. (Ref: CS-33553a)

  

   DirectAuthorize on Linux/UNIX

 

·        Use of common UNIX commands with DirectAuthorize restricted shells

 

The DirectAuthorize restricted shell restricts users to a predetermined set of commands; however, several common UNIX commands can let users execute commands that are not allowed in the restricted shell. The following list provides general guidance and specific examples of the issues to consider:

 

- The man command (Ref: CS-19538a)

 

When adding a privileged command for the man command in a restricted environment, Centrify recommends:

 

* selecting Reset Environment Variables to allow users to use the default pager only.

 

* disallowing the -P, -C, -B or -H options, so that users can use only the default pager and man configuration file, by adding the following commands in addition to the command for man:

 

!man -[PCBH]*

!man * -[PCBH]*

 

The PAGER and MANPAGER environment variables and the -P, -C, -B or -H options can allow a user to run a command not permitted by DirectAuthorize in the restricted environment.

 

- The Allow nested command execution option (Ref: CS-19826a)

 

The Allow nested command execution checkbox on the Attributes tab of the property page for a privileged command allows the privileged command to execute another command. This option is deselected by default (so the command is not allowed to execute other commands), but not all operating systems honor this restriction:

 

Solaris           Honored in all cases

AIX 5.3, 6.1, 7.1 Honored except if a program is seteuid

HP-UX             Honored except if a program is seteuid

Linux             Honored except if a program is seteuid and

                  the Run As... user is not root

 

- The tar command (Ref: CS-19939a)

 

When adding the tar command to a restricted environment, Centrify recommends adding the following commands to prevent the --use-compress-program option to tar in addition to the tar command itself.

 

!tar --use-compress-program*

!tar * --use-compress-program*

 

This prevents the user from using the --use-compress-program option to run other commands not allowed in the restricted environment.

 

- cron jobs (Ref: CS-19940a)

 

Cron jobs are run by the cron daemon, which has no dzsh restrictions, meaning that any restrictions placed on the user who created the cron job are not in force when the job itself runs.

 

For this reason, Centrify recommends that users who run in the dzsh restricted shell are not given access to the crontab command.

 

- Editors that allow shell escapes (Ref: CS-19942a)

 

When adding the vi or view command to a restricted shell, the shell escape feature of the command can allow the user to execute a command not allowed in the restricted shell.

 

In addition, the perl, python and ruby support feature of vim, if available, can allow a user to execute a command not allowed in the restricted shell. To check if your version of vim command has perl, python or ruby support, run vim --version, and look for +perl, +python, or +ruby.

 

Centrify recommends the following:

 

* Configure the command to not allow nested command execution (this is the default) to prevent shell escapes

 

* Use the rvi or rview command instead if available.

 

Vim is used as an example here; this applies to other editors that can escape to the shell and/or include scripting language support.

 

- The rsync command (Ref: CS-19944a)

 

When adding the rsync command to a restricted environment, Centrify recommends adding the following commands, in addition to adding the rsync command itself, to prevent usage of the -e and --rsh options:

 

!rsync -e*

!rsync * -e*

!rsync --rsh*

!rsync * --rsh*

 

This prevents the user from using the -e or --rsh options to run commands not allowed in the restricted environment.

 

·        Cannot add cross domain or cross forest users to roles in classic zone (Ref: IN-90001)

 

DirectAuthorize does not currently support adding users from other domains into roles when the domain controllers are running Windows Server 2003 with security update 926122 or service pack 2.  This is a Microsoft issue and a hot fix is available to install on computers running the DirectAuthorize console that need to run in these domains. More information may be found here:

 

http://support.microsoft.com/kb/943875

 

·        Cannot add cross forest groups to a role in classic zones (Ref: IN-90001)

 

DirectAuthorize does not support adding groups from a trusted forest into roles at this time; all groups added to roles should be defined in the local forest. However, users from a trusted forest may be added to groups in the local forest and then added to a role, or they may be directly added to a role.

 

·        DirectAuthorize reports do not include users in remote forest (Ref: IN-90001)

 

In this release the "Classic Zone - User Role Assignments Grouped by Zone" and "Classic Zone - User Privilege Command Rights Grouped by Zone" reports only show users in the local forest; any users in remote (trusted) forests are not included in the report.

 

·        UI elements occasionally do not appear when expected (Ref: IN-90009)

 

On occasion, the DirectAuthorize console does not show the expected results, or nodes do not appear in the tree on the left side of the console screen. When this happens, choose Refresh from the right-click menu and the screen should refresh to show the expected results. If this does not fix the problem, choose Refresh from the next higher point up the tree from where you expect the result to be shown and that should cure the problem.

 

   DirectControl Auto Zone mode

 

·        One-way cross forest trusts are not supported in Auto Zone mode (Ref: AG-0403)

 

   Smart Card

 

·        There is a Red Hat Linux desktop selection issue in RHEL 7 with smart card login. When logging in with a smart card, if both the GNOME and KDE desktops are installed, the user can only log into the GNOME desktop even though the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)

 

·        On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smartcard is inserted on the login screen, the PIN prompt may not appear until you press the "Enter" key. The workaround is to replace libsoftokn3.so, a shared object file from the NSS package, with the RHEL 5.9 version; note that this downgrades an NSS component. (Ref: CS-35038a)

 

·        On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after logging in with a smart card. The workaround is to replace libsoftokn3.so, a shared object file from the NSS package, with the RHEL 5.9 version; note that this downgrades an NSS component. (Ref: CS-33871a)

 

·        When a SmartCard user attempts to login on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)

 

·        On RedHat, any SmartCard user gets a PIN prompt even if the user is not zoned, although the login attempt will ultimately fail. This differs from Mac behavior: on Mac, if a SmartCard user is not zoned, the user is not prompted for a PIN at all. (Ref: CS-33175c)

 

·        If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using their expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and Password logins while using a Smart Card. (Ref: CS-28926a )

 

·        In order to login successfully in disconnected mode (Ref: CS-29111a):

o   For a password user:

§  A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other CDC Unix behavior)

o   For a SmartCard user:

§  The above is not true of SmartCard login. Given a properly configured RedHat system with valid certificate trust chain and CRL set up, a SmartCard user may successfully login using disconnected mode even without prior successful logins in connected mode.

§  If certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.

§  If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.

 

·        After upgrading from Centrify DirectControl version 5.0.4 to version 5.1, a Smartcard user may not be able to login successfully. The workaround is to run the following CLI commands:

 

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

 

then run adgpupdate. (Ref: CS-30025c)

 

·        When CRL checking is set via Group Policy and you attempt to authenticate via Smartcard, authentication may fail. The workaround is to wait until the next group policy update interval has passed and try again, or to force an immediate group policy update by running the CLI command adgpupdate. (Ref: CS-30090c)

 

·        After upgrading from Centrify DirectControl Version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to perform the following command sequence:

 

sctool -d

sctool -e

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

adgpupdate

 

and then re-login using the SmartCard and PIN. (Ref: CS-30353c)

 

·        A name-mapping user can unlock screen with password even though the previous login was with PIN. (Ref: CS-31364b)

 

·        Need to input PIN twice to login using CAC card with PIN on RedHat. It will fail on the first input but succeed on the second one. (Ref: CS-30551c)

 

·        Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)

·        Screen saver shows password not PIN prompt (Ref: CS-31559a)

Most smart card users are allowed to log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this set up works seamlessly: the user either enters a user name and password at the log on prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached.

On RHEL 7, an authenticated Active Directory user via smart card cannot login again if the smart card is removed.   This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342.  This problem does not happen on RHEL6. (Ref: CSSSUP-6914c)

 

    DirectManage Access Manager

 

·        You may find a warning message "Failed to resolve assembly ..." in the console log. This warning is produced by a plugin module detection logic which does not affect the operations of the Access Manager console. They can simply be ignored. (Ref: CS-40909)

·        After upgrading Access Manager from Centrify Server Suite 2013 to Centrify Server Suite 2014, the category screen in Windows 8 or Windows Server 2012 still does not show "Centrify Server Suite 2014". The change takes effect after a reboot. (Ref: CS-32951a)

 

·        Import users and groups before importing sudoers file (Ref: IN-90001)

 

Sudoers Import creates user roles but not the users. It is recommended that you import users and groups prior to importing the sudoers file.  Otherwise, no sysRights are created for the users.

 

·        Pre-create computers before importing computer role from sudoers file (Ref: IN-90001)

                                    

The computers contained in the sudoers file must either be joined to a zone or pre-created. 

 

·        Delegating zone administration permissions for SFU zones (Ref: IN-90001)

 

Delegate permissions to add, remove or modify users for SFU zone are not supported.

 

·        Users with rights to import user and groups into a zone also gain rights to modify profiles (Ref: IN-90001)

 

Any users who are given the right to "Import users and groups to zone" are automatically also given the right to "Modify user/group profiles".

 

·        Using domain local groups to manage resources (Ref: IN-90001)

 

Domain local groups can only be used to manage resources in the same domain as the group. So, for instance, a domain local group in domain A may be used to manage a computer in domain A but not one in domain B, despite a trust relationship between the two domains.

 

·        Domain local groups from other domains shown in search dialog (Ref: IN-90001)

 

When using the search dialog in the Access Manager to delegate zone control to a group, domain local groups from child domains will be shown incorrectly in the results and should be ignored. The search results when using the ADUC extension do not show these domain local groups.

 

·        Analyze forest and SFU zones (Ref: IN-90001)

 

The analyze forest feature in the Access Manager does not report empty zones or duplicated users or groups in a SFU zone.

 

·        Working with users that have more than one UNIX mapping (Ref: IN-90001)

 

DirectControl supports Active Directory users that have more than one UNIX profile in a zone. However, if you are upgrading from DirectControl 4.x or earlier and have existing users with more than one UNIX mapping, you should use DirectControl Access Manager 5.0.0 or later to remove all but one of the UNIX profiles for each of these AD users and then re-add them.

 

In addition, you should always use DirectControl console 5.0.0 or later when modifying these users.

 

·        In the Centrify Profile tab of the Properties page of a computer joined to a hierarchical zone, you cannot move this computer to a classic zone. Nor can you move it to a zone in another domain. There are no such limitations with a computer joined to a classic zone. (Ref: IN-90001)

 

·        Extra results when analyzing duplicate service principal names (Ref: IN-90001)

 

When running the Analyze / Duplicate Service Principal Names report, kadmin/changepw is incorrectly returned as a duplicate.  The SPN is actually found multiple times, but this is by Microsoft design as it is the default account for the Key Distribution Center service in all domains.

  

·        Secondary groups not imported from XML files (Ref: IN-90009)

 

Using the Import Wizard to import user information from XML files does not import secondary group membership.

  

·        Application rights created by Centrify Server Suite 2014 Access Manager console won't be usable by Suite 2013 agent for Windows. (Ref: CS-32653a)

 

·        DirectManage Password Synchronization Extension does not remove HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_<GUID> registry key during upgrade from Suite 2013 or earlier on Windows Server 2008 R2 Server Core.(Ref: CS-36520a)

  Report Center

 

·        Color and font change in Report Center occasionally fails (Ref: IN-90009)

 

Changing the font or colors in a report occasionally fails, even though the Format dialog shows the chosen font and color choices when they are made. Re-opening the Format dialog and changing color and/or font again will correctly set the choices for the report.  

  Report Services

 

·        SQL Server Availability Group feature in SQL Server 2012 is currently not supported in Report Services. (Ref: CS-39674)

·        Centrify Report Services requires administrator permission to install and upgrade. That also means only administrator can uninstall and repair Centrify Report Services. (Ref: CS-40808a)

 

·        After upgrade, full synchronization should be performed before incremental update is allowed. (Ref: CS-40029a)

 

·        If you run Report Services with Microsoft SQL Server 2012 Service Pack 2 and Visual Studio 2010 on the same system, please update Visual Studio 2010 to Service Pack 1.(Ref: CS-38553a)

 

·        Error "The server is unwilling to process the request" may occur during synchronization from Active Directory if the memory is low on the domain controller.  Follow the capacity planning article from Microsoft on the minimum amount RAM. (Ref: CS-36412a)

 

http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx 

Access Module for PowerShell

·        Installation of Access Module for PowerShell on a Windows Server Core environment must be done in silent mode due to the UI limitation. Check the process exit code for the success or failure result. (Ref: CS-33696a)

 

Zone Migration

 

·        admigrate does not migrate classic SFU zone. (Ref: CS-28289a)

 

·        admigrate does not migrate zone delegation rights. (Ref: IN-90002)

 

Group policies

 

·        You may find the warning message "…Kerberos credentials not found for current user." in syslog on certain OS platforms when you run cron jobs. The line "session    include    system-auth" in /etc/pam.d/crond causes cron jobs to open a PAM session, which triggers the group policy processing check; the check fails to find Kerberos credentials because a cron job is not a real login. A workaround is to comment out that line to avoid the unnecessary warning message. (Ref: CS-34452a)

 

·        There are four group policies (run command, sudo, crontab entries and Linux firewall) that can merge the lines of different GPOs to a resulting group policy. For the policies to merge, the policy in each GPO must be enforced. Policies with higher precedence will be placed lower in the resulting multi-line policy. (Ref: CS-21048a)

 

·        Entering multi-line password prompt group policies (Ref: CS-26243c)

 

Multi-line group policies are supported; however an escape newline character "\\n" must be used.

 

·        Checking the location of the Perl environment (Ref: CS-31258a)

 

DirectControl group policies require a version of Perl to be installed and located in the path. If Perl is not found in the path or has been installed in a non-standard location, you may encounter errors when you attempt to set group policies or leave the domain. If Perl is installed on the local computer but not included in the path by default, you can manually edit the shell script /usr/share/centrifydc/perl/run to add the correct path to the front of the PERL_DIRS environment variable.
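Three items in these notes come down to the same preflight: Perl 5.8 or later must be found (the Solaris and Fedora adcheck items above), Text::ParseWords must load (Fedora item), and Perl may live outside the default PATH (this item). The script below is an added example, not Centrify's code or the logic adcheck itself uses. Its extra-directory argument stands in for the PERL_DIRS idea in /usr/share/centrifydc/perl/run, and the module list is illustrative. The version compare is numeric per field on purpose: a plain string compare would rank 5.10 below 5.8.

```shell
#!/bin/sh
# Added example, not part of Centrify's product or documentation: a preflight for the
# Perl requirements these notes mention (Perl 5.8 or later reachable on the PATH, and
# Text::ParseWords loadable for group policy). Assumptions: the extra search directory
# argument stands in for the PERL_DIRS idea in /usr/share/centrifydc/perl/run, and the
# module list is illustrative.

# perl_version_ok VERSION : 0 if VERSION (such as "5.8.8" or "v5.10.1") is 5.8 or later.
# Fields are compared as numbers; a string comparison would rank 5.10 below 5.8.
perl_version_ok() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]
}

# perl_find [DIRS] : prints the first perl binary found on PATH, then in the
# colon-separated DIRS, and returns 1 if none is found.
perl_find() {
    saved_ifs=$IFS
    IFS=:
    for d in $PATH $1; do
        if [ -x "$d/perl" ]; then
            IFS=$saved_ifs
            printf '%s\n' "$d/perl"
            return 0
        fi
    done
    IFS=$saved_ifs
    return 1
}

# perl_module_present PERL MODULE : 0 if PERL can load MODULE (e.g. Text::ParseWords).
perl_module_present() {
    "$1" -M"$2" -e 1 >/dev/null 2>&1
}

# perl_preflight [DIRS] : runs all checks, prints one line per finding, and returns 0
# only when every check passes.
perl_preflight() {
    status=0
    perl=$(perl_find "$1") || { echo "FAIL: no perl on PATH${1:+ or in $1}"; return 1; }
    ver=$("$perl" -e 'printf "%vd", $^V')
    if perl_version_ok "$ver"; then
        echo "OK:   $perl is Perl $ver (5.8 or later required)"
    else
        echo "FAIL: $perl is Perl $ver, 5.8 or later required"
        status=1
    fi
    for mod in Text::ParseWords; do        # assumption: the only module checked here
        if perl_module_present "$perl" "$mod"; then
            echo "OK:   $mod loads"
        else
            echo "FAIL: $mod missing (group policy needs it)"
            status=1
        fi
    done
    return $status
}

# Example run; "/usr/local/bin:/opt/perl/bin" is an illustrative extra search path.
if perl_preflight /usr/local/bin:/opt/perl/bin; then
    echo "Perl preflight passed"
else
    echo "Perl preflight failed"
fi
```

If perl_find only succeeds through the extra directories, that directory is what belongs at the front of PERL_DIRS in /usr/share/centrifydc/perl/run; if the module check fails, install the distribution's Perl core or Text::ParseWords package before applying group policy.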

 

·        Disable does not function with “Allow Groups” group policy (Ref: IN-90001)

 

Disabling the group policy Computer Configuration > Centrify Settings > Centrify SSH Settings > Allow Groups does not disable the policy. To effectively disable groups of users, the groups should be removed from the Group Policy Object.

 

Centrify Network Information Service

 

·        A problem with the startup and kill sequence of adnisd during system startup and shutdown, related to ypbind, has been fixed. A new installation of CentrifyDC-nis runs chkconfig and the sequence is updated automatically. An upgrade of CentrifyDC-nis, however, does not run chkconfig, so that any modification made to the startup or kill sequence by system administrators is preserved. Run "chkconfig adnisd on" after the upgrade if the system default is preferred. (Ref: CS-32321a)

 

·        adnisd daemon fails to start on WPAR (Ref: CS-30588c)

 

The adnisd service is not currently defined in the WPAR.

 

Centrify LDAP Proxy

  

·        Require the prefix “auto” in the automount map (Ref: IN-90001)

 

If an automount map created with a 4.x or earlier version of the DirectControl Console does not start with the string "auto" (i.e. auto.home, auto_master, auto_net, etc), it will not be recognized by this release of the DirectControl LDAP Proxy as an automount map. Automount maps which do not start with the string "auto" must be exported and imported using this version of the DirectControl Console or adedit.

 

Centrify OpenSSH

 

·        Starting with version 5.4.0, Centrify OpenSSH supports only 'ssh -Y' for X11 forwarding. '-X' is still accepted for backward compatibility but may not work, because the 'xauth' program used by 'ssh -X' is usually broken by the absence of the X SECURITY extension in xorg-server versions later than 1.7.5; see the Xorg documentation for your system for details. Note that '-Y' enables trusted X11 forwarding: remote X clients are not subject to X SECURITY extension controls and have full access to the local display, so use it only towards hosts you trust. (Ref: CS-40800a)

 

·        Starting from version 5.3.1, Centrify OpenSSH requires DirectControl version 5.3.1 or above. (Ref: CS-39521a)

 

·        On AIX platform, Centrify OpenSSH releases prior to version 5.2.3 are not compatible with DirectControl agent version 5.2.3 and later. (Ref: CS-8232a)

 

·        Stock OpenSSH prior to version 6.7 accepts the legacy "diffie-hellman-group1-sha1" key exchange method by default. Starting with version 6.7 (and hence Centrify OpenSSH 5.2.3, which is based on it), the default set of algorithms, including ciphers and MACs (Message Authentication Codes), was modified to remove unsafe ones, so SSH clients that rely on the original settings may fail to log in. Note that some modern operating systems, such as Ubuntu 15.04, ship OpenSSH 6.7 by default. Centrify's Deployment Manager in Server Suite 2015.1 has been modified to support the new key exchanges. (Ref: CS-8234a, CS-38259a)
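When a client stops connecting after this change, the quickest diagnosis is to look at what the peer still proposes. The script below is an added example, not Centrify's code: it filters the "KEX algorithms", "ciphers ctos/stoc" and "MACs ctos/stoc" lines that OpenSSH prints under "ssh -vv" and reports the legacy algorithms among them. The LEGACY_ALGOS list is an assumption for illustration (diffie-hellman-group1-sha1 is the one named above; the rest are CBC, arcfour and MD5-based names of the same era), and SAMPLE_DEBUG is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of Centrify's product or documentation: reads "ssh -vv"
# debug output and lists the key exchange, cipher and MAC algorithms a peer proposed
# that modern OpenSSH no longer offers by default. Assumptions: LEGACY_ALGOS is an
# illustrative list, and SAMPLE_DEBUG below is constructed, not captured from a host.

LEGACY_ALGOS='diffie-hellman-group1-sha1 arcfour arcfour128 arcfour256 aes128-cbc 3des-cbc hmac-md5 hmac-sha1-96'

# ssh_legacy_algos : reads debug output on stdin and prints, once each and sorted,
# every legacy algorithm that appears in a "KEX algorithms", "ciphers ctos/stoc" or
# "MACs ctos/stoc" line.
ssh_legacy_algos() {
    grep -E '^debug[0-9]*: (KEX algorithms|ciphers [cs]to[cs]|MACs [cs]to[cs]): ' |
    sed 's/^[^:]*: [^:]*: //' |          # strip "debugN: <label>: "
    tr ',' '\n' |
    while IFS= read -r algo; do
        for legacy in $LEGACY_ALGOS; do
            [ "$algo" = "$legacy" ] && printf '%s\n' "$algo"
        done
    done | LC_ALL=C sort -u
}

# Constructed sample in the format "ssh -vv" uses for the peer's KEXINIT proposal.
SAMPLE_DEBUG='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,aes128-cbc
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,aes128-cbc
debug2: MACs ctos: hmac-md5,hmac-sha1,umac-64@openssh.com
debug2: MACs stoc: hmac-md5,hmac-sha1,umac-64@openssh.com'

# Against a live host (debug output goes to stderr):
#   ssh -vv -o BatchMode=yes user@host exit 2>&1 | ssh_legacy_algos
printf '%s\n' "$SAMPLE_DEBUG" | ssh_legacy_algos
```

Anything the script prints is an algorithm a current client will not offer unless told to; the fix is to upgrade the side that still depends on it, and only as a last resort to allow the algorithm for that one host through a scoped KexAlgorithms, Ciphers or MACs entry rather than globally.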

 

Interoperability with Centrify Samba

 

The last version of Samba that was patched by Centrify was CentrifyDC-samba 4.5.9, based on Samba 3.6.25. Centrify does not plan to patch any later versions of Samba. Instead, Centrify is extending CentrifyDC-adbindproxy to enable Linux and UNIX computers running Centrify Server Suite to use the stock Samba distribution, without any patches to the Samba code by Centrify. (Ref: SAMBA-945a)   

5.    Additional Information and Support

 

In addition to the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.

 

The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately.  For more information, see the Centrify Resource Center Web site:

 

www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Server Suite, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.