Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1631: When CDC is in disconnect mode, users are not able to logon using cached mode

Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:38 AM

Problem:
 
We are unable to ssh to Centrify server in disconnect mode using our cached credentials however Kerberos SSO work fine. Additionally we see these messages in the debug log. What do they mean?
 
Apr 21 16:28:45 adclient[23651]: DEBUG <fd:16 PAMVerifyPassword> daemon.ipcclient validate password caught exception: KDC refused skey: Clock skew too great 
Apr 21 16:28:45 adclient[23651]: WARN <fd:16 PAMVerifyPassword> audit User 'mxp883' not authenticated: KDC refused skey: Clock skew too great 

 
Cause:
 
Putty SSO will always work fine as they already have a Kerberos ticket however interactive logon  will fail if the user (in question) had never logged into the box before or if adflush was previously run manually.

Note: You can simulate a disconnect by changing the parameter

adclient.server.try.max to 0.

However the main issue for interactive login to fail is the clock sync. This is really governed by a couple of parameters:

a) adclient.sntp.enabled and
b) adclient.sntp.poll.

The first one is set to true by default which means adclient will make sure (in the event of a drift), we will try to sync up. In some customer environments, they will use ntp client as well and so there will be a racing condition and one of them will win which will ensure we are in sync. 
 
Resolution:
 
We recommend customers to either use ntp completely (which means uncomment & make the parameter adclient.sntp.enabled as false and doing adreload) or use our solution (leave it as default) and disable your ntp.

The 2nd parameter adclient.sntp.poll is for fine tuning only.

If customers continue to see disconnects due to clock sync, they can fine tune this parameter.  

When Centrify disconnects on its own due to clock sync issues, we suggest them to run the command ntpupdate and see how much the drift is so that they can get an idea.  In a nutshell, no additional parameter is needed for cached credentials to work. It should work  out-of-the-box without any tweaking. Please make sure the clock sync drift is not greater than 5 minutes as Kerberos logins are sensitive to time changes.

 

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-3925: How to add Centrify parameter to a group policy articleKB-1425: adclient goes into "disconnected mode"