KB-19322: Commands calling the centrifydc PAM module fail when adclient is joined and stopped on RHEL/CentOS 7.6

Authentication Service

26 August,19 at 09:52 PM

Problem:
Commands that call the centrifydc PAM module fail with 'Permission denied' when adclient is joined but stopped on Red Hat/CentOS 7.6.
For example:
[super@centos76v1 ~]$ sudo /usr/share/centrifydc/bin/centrifydc stop
Centrify DirectControl stopped.
[super@centos76v1 ~]$ sudo /usr/sbin/adflush -f
sudo: PAM account management error: Permission denied
[super@centos76v1 ~]$ sudo /usr/share/centrifydc/bin/centrifydc start
sudo: PAM account management error: Permission denied

 
Cause:
Because no local user has been assigned the rescue right, apu.lst is empty, as expected when DA supports AuditRequired.
And because the local user was not added to user.ignore, the user is not in the user.ignore list, also as expected.
This issue is related to the recent rh7-sudo-1.8.23 enhancement: https://access.redhat.com/solutions/3679241
 
Resolution:
When adclient is not running, local users must be in user.ignore.

Adding the user to user.ignore file will work as long as the user's audit level is not intended to be "AUDIT_REQUIRED" or "DO_NOT_AUDIT", as the default audit level for users in the user.ignore list is "AUDIT_IF_POSSIBLE".
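
A pre-maintenance check for the condition described above, added here as an example (it is not Centrify code): before stopping adclient, list which of the accounts you rely on for sudo are local but missing from user.ignore. Assumptions: the file is at /etc/centrifydc/user.ignore, it holds one user name per line, and blank lines and lines starting with '#' are skipped; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Centrify code.
# Assumed defaults; override through the environment if your layout differs.
IGNORE_FILE="${IGNORE_FILE:-/etc/centrifydc/user.ignore}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# in_ignore_list USER: succeeds if USER is an exact entry in user.ignore.
# Leading/trailing whitespace is trimmed and '#' lines are dropped (assumed format).
in_ignore_list() {
    [ -r "$IGNORE_FILE" ] || return 1
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$IGNORE_FILE" |
        grep -v '^#' | grep -Fxq -- "$1"
}

# is_local_user USER: succeeds if USER has an entry in the local passwd file.
is_local_user() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# missing_from_ignore USER...: prints each local user that is absent from
# user.ignore, i.e. the accounts that would hit the PAM error in this article
# once adclient is stopped. Non-local (AD) names are skipped.
missing_from_ignore() {
    for u in "$@"; do
        if is_local_user "$u" && ! in_ignore_list "$u"; then
            printf '%s\n' "$u"
        fi
    done
}

# Usage (after sourcing this file): missing_from_ignore super
```

Empty output means every local account named is already in user.ignore. Whether adding an account is appropriate still depends on the audit-level caveat above.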


This issue is fixed in the 19.6 release.
