
KB-1980: What does the prevalidate group parameter do?

Authentication Service

12 April 2016 at 10:59 AM

Applies to: All versions of Centrify DirectControl
  1. What does the prevalidate user/group parameter in /etc/centrifydc/centrifydc.conf do?
  2. How often does adclient refresh the validation?
  3. What does adclient do during pre-validation?
  4. Is there a performance hit if pre-validating 1000+ accounts?
  1. adclient.prevalidate.allow.groups / adclient.prevalidate.allow.users

    These parameters list the groups and users that are pre-validated, that is, permitted to log on to the local UNIX computer with Active Directory credentials while the computer is offline, WITHOUT those users having previously logged on to that computer.
    Under normal circumstances, only users who have previously logged on to the computer can be authenticated while it is disconnected from the network; for those users, authentication is based on the password hashes stored during the previous logon.

    In some cases, however, users who have never logged on to a particular computer must still be able to authenticate while it is disconnected from the network, for example an administrative group that needs access to disconnected computers on which its members have never logged in before. Because pre-validation widens the set of accounts that can log on to a computer that cannot reach a domain controller, keep these lists to the accounts that genuinely need offline access.

    For more details see pages 55-58 of the Configuration and Tuning Reference Guide:
  2. By default the validation is refreshed every 8 hours; the interval is governed by adclient.prevalidate.interval.
  3. adclient uses the computer's machine credentials to obtain the special pre-validation (preval) service ticket for the user and caches the user object.
  4. Pre-validating through adclient.prevalidate.allow.users brings only the user object into the cache (password hash, UID, GID, etc.); the user's secondary groups are NOT brought in.

    Pre-validating through adclient.prevalidate.allow.groups caches the group plus its member users. When an AD user logs in, their groups are brought into the cache as well. So when there is a large number of users, it is recommended to use adclient.prevalidate.allow.groups and list all the needed groups rather than the individual users.
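To see how the three parameters fit together in centrifydc.conf, here is an added example (not Centrify's own tooling and not part of this article): a small POSIX shell audit that reads the adclient.prevalidate.* parameters named above out of a centrifydc.conf-style file and flags the case the answer to question 4 warns about, a long adclient.prevalidate.allow.users list where a group would serve better. The `name: value` line syntax, the sample group and user names, the `8h` interval value, comma-separated lists and the threshold of ten individually listed users are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Centrify code. Audits the adclient.prevalidate.*
# parameters described in KB-1980 in a centrifydc.conf-style file.
# Assumptions: "name: value" lines, comma-separated lists, and a
# constructed sample file; none of these values come from a real host.

# Write a constructed sample config to a temp file and print its path.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# centrifydc.conf fragment (constructed for this example)
# adclient.prevalidate.allow.groups: oldadmins@example.com   (commented out, ignored)
adclient.prevalidate.allow.groups: unixadmins@example.com, helpdesk@example.com
adclient.prevalidate.allow.users: oncall1@example.com, oncall2@example.com
adclient.prevalidate.interval: 8h
EOF
    printf '%s\n' "$f"
}

# Print the value of parameter $2 in file $1: last uncommented
# assignment wins, trailing whitespace stripped, empty output if unset.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Count comma-separated entries in a value; an empty value counts 0.
count_entries() {
    [ -n "$1" ] || { echo 0; return; }
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^[[:space:]]*$/d' \
        | wc -l | tr -d ' '
}

# Report the pre-validation settings in file $1. Returns 0 when at most
# $2 users are listed individually, 1 when the list is longer than that
# (the KB's advice is to pre-validate a group instead).
prevalidate_audit() {
    users=$(conf_value "$1" adclient.prevalidate.allow.users)
    grp=$(conf_value "$1" adclient.prevalidate.allow.groups)
    interval=$(conf_value "$1" adclient.prevalidate.interval)
    n=$(count_entries "$users")
    echo "pre-validated groups : ${grp:-<none>}"
    echo "pre-validated users  : $n listed individually"
    echo "refresh interval     : ${interval:-<unset, default 8 hours per KB-1980>}"
    if [ "$n" -gt "$2" ]; then
        echo "WARN: $n users listed under adclient.prevalidate.allow.users;" \
             "their secondary groups are not cached. Put them in a group and" \
             "list it under adclient.prevalidate.allow.groups instead." >&2
        return 1
    fi
    return 0
}

# Stand-alone run: audit the file named on the command line, or the
# constructed sample when no path is given. Tolerate up to 10 listed users.
if [ -n "$1" ]; then
    prevalidate_audit "$1" 10
else
    CFG=$(make_sample_conf)
    prevalidate_audit "$CFG" 10
    rm -f "$CFG"
fi
```

Run it as `sh preval_audit.sh /etc/centrifydc/centrifydc.conf` on a host to check the live file; without an argument it audits the constructed sample. The threshold is deliberately a parameter, since the KB gives no exact number and only states that large user lists are better expressed as groups.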