Applies to: All versions of Centrify DirectControl
Questions:
- What does the prevalidate user/group parameter in /etc/centrifydc/centrifydc.conf do?
- How often does adclient refresh the validation?
- What does adclient do during pre-validation?
- Is there a performance hit if pre-validating 1000+ accounts?
Answers:
- adclient.prevalidate.allow.groups / adclient.prevalidate.allow.users
These parameters specify the groups/users that are pre-validated, i.e. permitted to log on to a local UNIX computer with Active Directory credentials while the computer is disconnected from the network, WITHOUT requiring the users to have logged on to that computer beforehand.
Under normal circumstances, only users who have previously logged on to the computer can be authenticated while the computer is disconnected from the network. For those users, offline authentication is based on the password hashes cached during the previous log-on.
In some cases, however, users who have never logged on to a particular computer may need to be authenticated while it is disconnected from the network. A typical example is an administrative group that requires access to computers that are disconnected from the network but on which its members have never previously logged in.
For more details see pages 55-58 of the Configuration and Tuning Reference Guide:
http://www.centrify.com/downloads/products/documentation/suite2013/centrify-unix-config-guide.pdf
- By default the validation is refreshed every 8 hours; the interval is governed by adclient.prevalidate.interval.
- adclient uses the computer's own machine credentials to obtain a special service (preval) ticket for each pre-validated user and caches that user's object.
- Pre-validating by adclient.prevalidate.allow.users brings only the user object into the cache (password hash, uid, gid, etc.); the user's secondary groups are NOT brought in.
Pre-validating by adclient.prevalidate.allow.groups brings in the group plus its member users. (When an AD user logs in interactively, that log-on also pulls the user's groups into the cache.) So if a large number of users must be pre-validated, it is suggested to use the adclient.prevalidate.allow.groups parameter and specify all the needed groups rather than listing the users individually.
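The following script is an added example for auditing these settings; it is not Centrify code and not part of the original article. It assumes centrifydc.conf is a plain "parameter: value" text file with # comments and that multi-valued parameters are comma- and/or whitespace-separated (check the Configuration and Tuning Reference Guide for the exact syntax your version accepts). The sample file content is constructed. It reads the three prevalidate parameters discussed above, applies the 8-hour default when the interval is unset, and flags configurations where a long per-user list is used instead of groups, since per-user entries do not cache secondary groups.

```python
"""Audit Centrify DirectControl pre-validation settings in centrifydc.conf.

Added example, not Centrify code. Assumptions: the file is "key: value"
per line with '#' comments, and list-valued parameters are separated by
commas and/or whitespace.
"""
import re

DEFAULT_INTERVAL_HOURS = 8  # adclient.prevalidate.interval default (8 hours)
PARAM_GROUPS = "adclient.prevalidate.allow.groups"
PARAM_USERS = "adclient.prevalidate.allow.users"
PARAM_INTERVAL = "adclient.prevalidate.interval"

# Constructed sample configuration fragment (not from a real system).
SAMPLE_CONF = """
# centrifydc.conf fragment (constructed)
adclient.prevalidate.allow.groups: unix_admins, oncall_sre
adclient.prevalidate.allow.users: alice, bob, carol   # individually listed
adclient.prevalidate.interval: 4
"""


def parse_conf(text):
    """Return {parameter: value} for 'key: value' lines; comments and blanks ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def split_list(value):
    """Split a list-valued parameter on commas/whitespace (assumed syntax)."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def audit_prevalidation(text, user_threshold=50):
    """Summarise the pre-validation settings and return practitioner findings.

    Findings:
      - per-user entries exist: secondary groups are not cached for them
      - more than `user_threshold` users listed: prefer allow.groups
      - interval unset: the 8-hour default applies
      - interval not an integer: adclient may not parse it as intended
    """
    conf = parse_conf(text)
    groups = split_list(conf.get(PARAM_GROUPS, ""))
    users = split_list(conf.get(PARAM_USERS, ""))
    findings = []

    raw_interval = conf.get(PARAM_INTERVAL)
    if raw_interval is None:
        interval = DEFAULT_INTERVAL_HOURS
        findings.append("interval not set; default of 8 hours applies")
    else:
        try:
            interval = int(raw_interval)
        except ValueError:
            interval = None
            findings.append(f"interval value {raw_interval!r} is not an integer")

    if users:
        findings.append(
            f"{len(users)} user(s) pre-validated individually: their secondary "
            "groups are NOT cached; consider listing groups instead"
        )
    if len(users) > user_threshold:
        findings.append(
            f"more than {user_threshold} users in {PARAM_USERS}; use {PARAM_GROUPS}"
        )

    return {
        "groups": groups,
        "users": users,
        "interval_hours": interval,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_prevalidation(SAMPLE_CONF)
    print("pre-validated groups:", report["groups"])
    print("pre-validated users: ", report["users"])
    print("refresh interval (h):", report["interval_hours"])
    for finding in report["findings"]:
        print("finding:", finding)
```

To run it against a live host, replace SAMPLE_CONF with the contents of /etc/centrifydc/centrifydc.conf; the script only reads the file and changes nothing.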