Customer Notice on Centrify Server Suite 2017

11 April,19 at 11:51 AM

Product: Centrify Server Suite 2017

Component: Centrify DirectControl Agent

 

Summary:

Centrify customers have recently reported cases where authorized users may not be able to log into a Linux or UNIX server protected by the Centrify Server Suite 2017 agent.

 

The issue is caused by a failure to appropriately update a local cache regarding who is authorized to log in, after a change to the affected user’s Active Directory record. 

 

 

Important: This is not a security issue.  It does not enable unauthorized users to gain access to servers protected by the Centrify agent.

 

The following types of Server Suite 2017 deployments are NOT affected by this issue:

 

  1. The servers running the Centrify agent that only use classic zones.

OR

  2. The servers running the Centrify agent that only use autozone.

Again, this only applies to Server Suite 2017, and not earlier versions.

Customer Mitigation:

Centrify recommends that customers follow the process described below immediately to mitigate the issue. 

 

These steps will ensure a clean environment on the server running the Centrify agent and enforce a group of cache-related Server Suite settings.  The settings can be made in the centrifydc.conf file or through Active Directory Group Policy.  This will mitigate the problem by updating the local cache periodically, but not so often as to cause a performance hit on the Active Directory environment.

 

1. Add these settings to centrifydc.conf on the target servers, or deploy them through Group Policy.

  • cache.expires: 28800
  • refresh.interval.dz: 480
  • cache.flush.interval: 4
  • cache.flush.interval.dz: 14400
  • iteration.refresh.dz.force: false
  • binding.refresh.force: false

2. Run the adreload command locally on the servers to force the Centrify agents to immediately recognize the new settings.

3. Make sure the "adquery user" count is correct. (Run adflush -f if necessary.)
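
One way to verify step 1 before running adreload, as an added example that is not Centrify's own tooling: a shell function that compares a centrifydc.conf-style file against the six values listed above. It assumes `key: value` lines with `#` comments and treats the last occurrence of a key as the effective one; the function names and the sample file written by `demo` are constructed for illustration.

```shell
# Added example: audit a centrifydc.conf-style file against the values in step 1.
# Assumption: "key: value" lines, "#" starts a comment, and when a key is
# repeated the last occurrence is the one compared.
RECOMMENDED='cache.expires=28800
refresh.interval.dz=480
cache.flush.interval=4
cache.flush.interval.dz=14400
iteration.refresh.dz.force=false
binding.refresh.force=false'

# Print the effective value of key $2 in file $1 (empty if the key is unset).
conf_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # skip commented-out settings
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == want) found = v             # exact key match, last one wins
        }
        END { print found }' "$1"
}

# Print one line per deviation; return 0 only when all six values match.
audit_conf() {
    conf=$1; bad=0
    for pair in $RECOMMENDED; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_value "$conf" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; bad=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have $have, want $want"; bad=1
        fi
    done
    return $bad
}

# Constructed sample: one setting commented out, one with a stale value.
demo() {
    tmp=$(mktemp)
    printf '%s\n' 'cache.expires: 28800' 'refresh.interval.dz: 480' \
        '# cache.flush.interval: 4' 'cache.flush.interval.dz: 3600' \
        'iteration.refresh.dz.force: false' 'binding.refresh.force: false' > "$tmp"
    rc=0; audit_conf "$tmp" || rc=$?
    rm -f "$tmp"; return $rc
}
```

Exact key matching matters here because `cache.flush.interval` is a prefix of `cache.flush.interval.dz`, so a plain substring search would pick up the wrong line.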

 

The constraint in this workaround is that any change to the Active Directory data structure will only be seen after the flush/rebuild happens.  If you need to see the changes faster, then manual intervention is needed with "adflush -f" or "adflush -a".

 

If you have questions, please contact Centrify Support.  Our team will work with you to explain and help you mitigate this issue.

 

Centrify Plans for Further Mitigation:

The Centrify Server Suite 2017.1 update will address this issue.  This update is targeted for general customer availability no later than May 31st, 2017, on the Centrify customer download center.

 

Centrify strongly recommends that all Server Suite customers upgrade to the new agents when they become available.

 

Customer updates:

Centrify will update this Knowledge Base article weekly on the Centrify Customer portal until this issue is resolved.

KB-8711: Sporadic loss of zone user access
