Applies to:
All versions of Centrify DirectControl.
Question:
After changing the DNS suffix on a Centrified server, adinfo still shows the old DNS suffix.
Rebooting the Centrify server does not help, although logins continue to work fine. Will this
affect Kerberos or NTLM authentication?
Additional information:
In the example below, the local host name is "rhls64", joined to the AD domain abc.com with a DNS suffix of xyz.com.
Prior to DNS change:
Local host name: rhls64
Joined to domain: abc.com
Joined as: rhls64.xyz.com
Pre-win2K name: rhls64
Current DC: stordc2.abc.com
Preferred site: California
Zone: abc.com/EngUnix/zones/design
CentrifyDC mode: connected
Licensed Features: Enabled
Note: "Joined as" shows the .xyz.com suffix, but the domain this system was joined to is
abc.com.
After converting this system's FQDN from xyz.com to abc.com by updating /etc/resolv.conf,
/etc/hosts and /etc/sysconfig/network (Red Hat) and rebooting, the system continues to work,
but adinfo still shows the old name:
"Joined as: rhls64.xyz.com"
Why is that?
Answer:
It will affect Kerberos at some point, so it is good to fix it.
adinfo reports these names from the following sources:
a) The local host name comes from the gethostname() function.
b) The "Joined as" name comes from /var/centrifydc/kset.host on the Centrify UNIX server.
Note: The kset.host file is used for bootstrapping adclient. The name in it is used to construct
the host's SPN (Service Principal Name) wherever one is needed, for example when verifying a
user login (by trying to obtain a ticket for that SPN), for the SPN used in S4U2Self, and in
a number of other places.
The short host name must not be changed under any circumstances; only the DNS suffix can be
changed. Customers should also be aware of the computer object's dNSHostName attribute, which
has to be changed in AD using Microsoft's ADSI Edit.
The easiest way is to run adleave and then adjoin again. If that is not an option, the user must make sure that both sets of names exist in the computer object's servicePrincipalName attribute and in the keytab file.
Please follow these steps if leave and join is not possible.
In the example below, the system was joined with the name "abc.net" and its DNS suffix was then
changed to "iltest.net".
[root@rhls64 ~]# adinfo
Local host name: rhls64
Joined to domain: abc.net
Joined as: rhls64.abc.net
Pre-win2K name: rhls64
Current DC: dc2.abc.net
Preferred site: Default-First-Site-Name
Zone: abc.net/Program Data/Centrify/Zones/Linux
Last password set: 2011-07-26 05:57:56 PDT
CentrifyDC mode: connected
Licensed Features: Enabled
1) Run adinfo -C (as root) to display the current SPNs for this server.
[root@rhls64 ~]# adinfo -C
The -C or --computer option displays the service principal names (SPNs) associated with the
computer account.
Computer Account Diagnostics
Joined as: rhls64
Key Version: 2
Service Principal Names: nfs/rhls64.abc.net
nfs/rhls64
http/rhls64.abc.net
http/rhls64
host/rhls64.abc.net
host/rhls64
ftp/rhls64.abc.net
ftp/rhls64
cifs/rhls64.abc.net
cifs/rhls64
2) Run adkeytab (as root) to add the SPN for the new name. In this case, "iltest.net" is the
new DNS suffix.
[root@rhls64 ~]# /usr/sbin/adkeytab -a -P host/rhls64.iltest.net
Administrator@ILTEST.NET's password:
Success: Add SPNs: Default Key Tab
where -a adds a service principal to an existing account in Active Directory and generates
the appropriate keys for the new service principal in the account's keytab file. If you don't
specify an account name, adkeytab adds the service principal to the computer account in the
currently joined domain.
-P or --principal principal specifies the service principal to add to the specified key table. You must specify at least one service principal; to specify several, use this option multiple times. For the principal argument, type the service type of
the service principal you want to add. You can specify the principal by:
- Service type alone (http)
- Service type and the host name or alias (http/firefly)
- Service type and the fully-qualified domain name (http/firefly.arcade.com)
If you use the service type alone, adkeytab generates the full principal name by expanding the short name to include this computer's account name, creating a fully-qualified domain name (FQDN) for the service principal.
3) Locate this computer object in AD and modify the dNSHostName attribute and the service
connection point using Microsoft's ADSI Edit. Navigate to the container/OU the server is joined to; you should see an attribute called dNSHostName. Change it to rhls64.iltest.net. Also change the SCP (service connection point) in the zone's computer container to match the dNSHostName.
4) Change /var/centrifydc/kset.host file as follows:
[root@rhls64 ~]# echo -n "rhls64.iltest.net" > /var/centrifydc/kset.host
5) Run adinfo again; it now shows the updated information.
[root@rhls64 ~]# adinfo
Local host name: rhls64
Joined to domain: iltest.net
Joined as: rhls64.iltest.net
Pre-win2K name: rhls64
Current DC: dc2.iltest.net
Preferred site: Default-First-Site-Name
Zone: iltest.net/Program Data/Centrify/Zones/Linux
Last password set: 2011-07-26 05:57:56 PDT
CentrifyDC mode: connected
Licensed Features: Enabled
6) At this point, an attempt to log in to this system fails, with the following messages in the logs.
Jul 26 06:00:32 rhls64 adclient[19146]: WARN <fd:24 PAMVerifyPassword>
base.aduser Can't find service host/rhls64.abc.net. Run adinfo --diag to check
for multiple computer accounts with the same SPN. Check that the local
computer's Active Directory object's servicePrincipalName value has not been
deleted. Check for replication errors.
Jul 26 06:00:32 rhls64 adclient[19146]: DEBUG <fd:24 PAMVerifyPassword>
base.osutil Module=Kerberos : while getting service credentials: Server not
found in Kerberos database (reference base/aduser.cpp:1217 rc: -1765328377)
7) Restart Centrify from /etc/init.d; logins and adinfo should then work fine.
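Because the advice above is that both sets of names must be present on the computer account before the old suffix is retired, a quick way to verify step 1 is to parse the adinfo -C output for service types that still lack an SPN under the new FQDN. The script below is an added example, not Centrify's code: it assumes the adinfo -C output format shown in step 1 (label line followed by one SPN per line), and the embedded sample is constructed to mirror that output.

```shell
#!/bin/sh
# Added example (not Centrify's code): report service types on the computer account that have
# no SPN for the new FQDN yet, using the text that `adinfo -C` prints.
# Constructed sample, mirroring the article's step 1 output.
SAMPLE_ADINFO_C='Computer Account Diagnostics
Joined as: rhls64
Key Version: 2
Service Principal Names: nfs/rhls64.abc.net
nfs/rhls64
http/rhls64.abc.net
http/rhls64
host/rhls64.abc.net
host/rhls64
ftp/rhls64.abc.net
ftp/rhls64
cifs/rhls64.abc.net
cifs/rhls64'

# missing_spns NEW_FQDN [FILE]
# Reads `adinfo -C` output from FILE (or the constructed sample when FILE is omitted) and
# prints, one per line and sorted, each service type that has at least one SPN on the account
# but none of the form <service>/NEW_FQDN. Empty output means every service type is covered.
missing_spns() {
    fqdn=$1
    src=${2:-}
    if [ -n "$src" ]; then cat "$src"; else printf '%s\n' "$SAMPLE_ADINFO_C"; fi |
    awk -v fqdn="$fqdn" '
        # The first SPN shares a line with the label: strip the label, keep the SPN.
        /Service Principal Names:/ { inspn = 1; sub(/.*Service Principal Names:[ \t]*/, "") }
        inspn && /^[A-Za-z]+\/[^ \t]+$/ {
            split($0, p, "/")          # p[1] = service type, p[2] = host part
            seen[p[1]] = 1
            if (p[2] == fqdn) ok[p[1]] = 1
        }
        END { for (s in seen) if (!(s in ok)) print s }
    ' | sort
}

# Stand-alone run against the sample. On a live host feed the real output instead:
#   adinfo -C > /tmp/spns.txt; missing_spns rhls64.iltest.net /tmp/spns.txt
missing_spns rhls64.iltest.net
```

Run against the sample with the new name rhls64.iltest.net it lists all five service types, since only the abc.net SPNs exist; after step 2 adds host/rhls64.iltest.net, host drops out of the list and the remaining entries show which other services (nfs, http, ftp, cifs) would still need an adkeytab -a -P run if they are in use.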
*Note: You can use the ldapmodify command to modify the dNSHostName entry.
See http://www.ghacks.net/2010/09/03/modify-ldap-entries-with-the-ldapmodify-command/ (this link is provided as a courtesy only; Centrify takes no responsibility for its content or availability).
A customer can generate the file with some scripting. The template is:
dn: <DN of the computer object, which can be obtained from adquery user -D computerobject;
some extra text processing is needed to convert upper-case letters to lower case>
changetype: modify
replace: dNSHostName
dNSHostName: <FQDN>
see below example:
[root@rhls64 ~]# /usr/share/centrifydc/bin/ldapmodify -m -f /tmp/ldap.test
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
modifying entry "cn=rhls64,cn=computers,dc=iltest,dc=net"
[root@rhls64 ~]# cat /tmp/ldap.test
dn: cn=rhls64,cn=computers,dc=iltest,dc=net
changetype: modify
replace: dNSHostName
dNSHostName: rhls64.iltest.net
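The following is an added example, not Centrify's code, of the scripting the note above refers to: it builds the four-line LDIF file from the computer object's DN and the new FQDN, lowercasing the DN as the note suggests. Because the article stresses that only the DNS suffix may change, the function also refuses to emit a file whose FQDN does not start with the object's CN. The DN and FQDN in the stand-alone run are constructed to match the article's example; on a real host the DN comes from adquery as described above.

```shell
#!/bin/sh
# Added example (not Centrify's code): generate the "replace: dNSHostName" LDIF change file.

# make_dnshostname_ldif DN NEW_FQDN
# Prints the LDIF on stdout; returns 1 (with a message on stderr) when the DN is not a
# computer object DN, the FQDN has no DNS suffix, or the short host name would change.
make_dnshostname_ldif() {
    dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')     # lower-case the DN, as the article suggests
    fqdn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$dn" in
        cn=*,*) ;;
        *) echo "not a computer object DN: $1" >&2; return 1 ;;
    esac
    case "$fqdn" in
        *.*) ;;
        *) echo "FQDN must carry a DNS suffix: $2" >&2; return 1 ;;
    esac
    cn=${dn#cn=}; cn=${cn%%,*}     # CN value, e.g. rhls64
    short=${fqdn%%.*}              # first label of the new FQDN
    if [ "$cn" != "$short" ]; then
        echo "short host name must not change: CN is '$cn' but FQDN starts with '$short'" >&2
        return 1
    fi
    printf 'dn: %s\nchangetype: modify\nreplace: dNSHostName\ndNSHostName: %s\n' "$dn" "$fqdn"
}

# Stand-alone run with a constructed DN matching the article's example. Redirect the output
# to /tmp/ldap.test to apply it with: /usr/share/centrifydc/bin/ldapmodify -m -f /tmp/ldap.test
make_dnshostname_ldif "CN=rhls64,CN=Computers,DC=iltest,DC=net" rhls64.iltest.net
```

The two case checks and the CN comparison are the guard a practitioner wants here: a typo in the FQDN that changes the short name would otherwise be written into AD and break the host/ SPN lookups shown in step 6.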