Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-1689: Cannot 'su -' when using DirectAuthorize

Auditing and Monitoring Service ,   Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:02 AM

Applies to: Centrify DirectControl 4.4.x and above on CentOS 5.x/RedHat Linux 5.x

AD User unable to 'su -'  to root when using privileged commands. The roles are defined correctly when running the command dzinfo 'username'

-bash-3.2$ dzdo su -
Account cannot be accessed at this time.
Please contact your system administrator.
su: incorrect password

On RedHat/CentOS, there are 2 PAM applications for su which is "su" and "su-l".

In this case, su is going through su-l (not su) which is NOT defined in DirectAuthorize, which is why it was disallowed.To verify this turn on debugging to capture "dzdo su -"

1) /usr/share/centrifydc/bin/addebug on
2) /usr/share/centrifydc/bin/addebug clear
3) In another terminal session login as your aduser and run: dzdo su -
4) /usr/share/centrifydc/bin/addebug off

You should see a denied access similar to the following message in the /var/log/centrifydc.log:

Jul 12 15:36:46 mechanic02 adclient[1421]: DEBUG <fd:23 PAMVerifyPassword> base.osutil Module=Base : User 'root' denied access to application 'su-l' by DirectAuthorize (reference ipcclient2.cpp:1238 rc: 0)

1) Add the application 'su-l' (that is the lower case letter "l") to the <Zone_name> --> Rights --> Pam Access

2) Select <Zone_name> --> Roles and right click, select 'Add role', under General tab, create a name then select the PAM Access tab, click on the button 'Add' then seelct  'su-l' application you added in step 1, click OK

3) As root run "adflush" and later login back with AD user to verify "dzdo su -"

None. Here is the reason:

DirectAuthorize implementation is based on the sudo code base 1.7.0.  As you are aware, every PAM service has its own service handle. Now once DZ is configured, when an user tries to authenticate via ssh or sudo or any other PAM enabled service, DZ gets supplied with the PAM service handle depending on the PAM service the user is trying to authenticate from.  Centrify takes the PAM service handle and match it up with what is defined under DZ.  If it matches, we grant the user login or else we restrict. Sudo 1.7.0 changed its PAM service handle to "su-l" hence the issue you are running into. Unfortunately fixing this isbeyond our control because we do NOT really own sudo code base.  Centrify does understand it is tedious to change this for 1000s of users but customers will have to make the changes as proposed in this KB article.  If it may help, customers are advised to use a AD group in the role and assign su-l and make sure all the users are members of this group.