Applies to: All versions of Centrify DirectControl
Question:
The /usr/sbin/adcheck command executed on a Centrify server complains that LDAP port 389 and NTP port 123 are blocked; adjoin fails too.
How important are these ports?
./adcheck-rhel3-x86_64 proddfs.pf.yourcompany.com -s yourdc.proddfs.pf.yourcompany.com
OSCHK : Verify that this is a supported OS : Pass
PATCH : Linux patch check : Pass
PERL : Verify perl is present and is a good version : Pass
SAMBA : Inspecting samba installation : Pass
SPACECHK : Check if has enough disk space in /var /usr /tmp : Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 192.168.1.1 : Pass
DNSCHECK : Analyze basic health of DNS servers : Pass
SRVOPT : Checking that the -s server exists : Pass
WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Warning
: You are running OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
: We suggest that you install the Centrify build of OpenSSH
: This can be obtained from www.centrify.com
: Your OpenSSH is not configured correctly to use PAM.
: This means that AD users will not be able to log in
: You should set explicitly like this:
: UsePAM yes
: ChallengeResponseAuthentication yes
: in /etc/ssh/sshd_config
DOMNAME : Check that the domain name is reasonable : Pass
ADDNS : DNS lookup of DC yourdc.proddfs.pf.yourcompany.com: Pass
ADPORT : Port scan of DC yourdc.proddfs.pf.yourcompany.com: Warning
: One or more port failed to respond correctly. Either:
: a) the DC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports
: ldap(389)/udp - timeout
: ntp(123)/udp - timeout
DCUP : Check DCs in proddfs.pf.yourcompany.com: Failed
: No working domain controllers were found
1 serious issue was encountered during check. This must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding
Note: You specified a server name on the command line. You must specify this on the adjoin command and in the Centrify configuration file once you have installed DirectControl
Answer:
adcheck is failing because its probe of UDP port 389 timed out.
UDP port 389 is absolutely required: the LDAP ping that Active Directory uses for domain controller discovery (CLDAP) runs over UDP 389, and it is how adcheck finds all the domain controllers out there.
(Note: TCP port 389 alone is not enough; this is not a bug, it is a requirement of the protocol.)
Because UDP 389 is blocked, every probe times out, the check fails, and DCUP reports "No working domain controllers were found". If adcheck is run with the verbose flag, it shows itself trying the first 10 domain controllers (the full list can be long) and reporting that none of them worked: each one timed out because of the block on UDP port 389.
For the NTP message, see the following KB:
For the complete list of ports needed for Centrify DirectControl, see:
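The two UDP probes that the ADPORT check depends on, as an added example that is not part of the original article or of Centrify's own code: it builds the CLDAP "LDAP ping" that DC discovery sends on UDP 389 and a plain NTP client request for UDP 123, sends each with a timeout, and reports "timeout" the way adcheck does. The DC and domain names are the article's placeholders; the BER layout, the NtVer flags and the NTP header follow the public protocol specifications. Python 3, standard library only; the script file name used in the usage note is assumed.

```python
# Added example (not Centrify's code): reproduce adcheck's UDP 389 / UDP 123
# probes by hand. Host and domain names are the article's sample names.
import socket
import struct


def ber(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a BER TLV with the given tag (definite length form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _tlv(data: bytes, off: int):
    """Parse one BER TLV at off; return (tag, value_start, value_end)."""
    tag, ln = data[off], data[off + 1]
    off += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(data[off:off + nbytes], "big")
        off += nbytes
    return tag, off, off + ln


def ldap_equality(attr: str, value: bytes) -> bytes:
    """Filter equalityMatch [3]: SEQUENCE { attributeDesc, assertionValue }."""
    return ber(0xA3, ber(0x04, attr.encode()) + ber(0x04, value))


def build_ldap_ping(domain: str, msg_id: int = 1) -> bytes:
    """CLDAP Netlogon 'LDAP ping' (MS-ADTS): base-scope search for the Netlogon
    attribute with filter (&(DnsDomain=<domain>)(NtVer=<flags>)). Any DC of the
    domain answers this on UDP 389; silence is the 'timeout' adcheck reports."""
    nt_ver = struct.pack("<I", 0x00000006)  # NETLOGON_NT_VERSION_5 | _5EX
    flt = ber(0xA0, ldap_equality("DnsDomain", domain.encode())
              + ldap_equality("NtVer", nt_ver))
    search = (ber(0x04, b"")                  # baseObject: root DSE
              + ber(0x0A, b"\x00")            # scope: baseObject
              + ber(0x0A, b"\x00")            # derefAliases: never
              + ber(0x02, b"\x00")            # sizeLimit 0
              + ber(0x02, b"\x00")            # timeLimit 0
              + ber(0x01, b"\x00")            # typesOnly FALSE
              + flt
              + ber(0x30, ber(0x04, b"Netlogon")))  # attributes
    return ber(0x30, ber(0x02, bytes([msg_id])) + ber(0x63, search))


def build_ntp_request() -> bytes:
    """Minimal 48-byte NTPv4 client request: LI=0, VN=4, Mode=3 (client)."""
    return b"\x23" + b"\x00" * 47


def classify_reply(port: int, data: bytes) -> str:
    """Check that a reply is what a DC would send on that port."""
    try:
        if port == 389:
            tag, vs, _ = _tlv(data, 0)          # LDAPMessage SEQUENCE
            if tag != 0x30:
                return "unexpected reply"
            _, _, ide = _tlv(data, vs)          # messageID INTEGER
            op = _tlv(data, ide)[0]             # protocolOp
            if op == 0x64:
                return "ok (searchResEntry)"    # carries the Netlogon blob
            if op == 0x65:
                return "ok (searchResDone)"
            return "unexpected reply"
        if port == 123:
            if len(data) >= 48 and (data[0] & 0x07) == 4:   # mode 4 = server
                return "ok"
            return "unexpected reply"
    except IndexError:
        pass
    return "unexpected reply"


def probe_udp(host: str, port: int, payload: bytes, timeout: float = 3.0) -> str:
    """Send payload; return 'timeout', 'unreachable (...)' or a classify verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"   # the symptom adcheck prints: ldap(389)/udp - timeout
        except OSError as e:   # e.g. ICMP port unreachable, DNS failure
            return f"unreachable ({e})"
    return classify_reply(port, data)


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "yourdc.proddfs.pf.yourcompany.com"
    domain = sys.argv[2] if len(sys.argv) > 2 else "proddfs.pf.yourcompany.com"
    print("ldap(389)/udp -", probe_udp(dc, 389, build_ldap_ping(domain)))
    print("ntp(123)/udp  -", probe_udp(dc, 123, build_ntp_request()))
```

Run it from the host being joined as `python3 udp_probe.py yourdc.proddfs.pf.yourcompany.com proddfs.pf.yourcompany.com` (file name assumed). A DC that is reachable answers the ping with a searchResEntry within milliseconds; "timeout" on 389 with the same DC answering on TCP 389 points squarely at a firewall dropping UDP, which is the case the article describes. The NTP probe is a bare client request and does not apply the reply to the clock, so it is safe to point at any DC.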