Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-21367: Adcert logging in UTC time on RHEL 5

Authentication Service ,  

27 September,19 at 05:36 PM

Problem:

On RHEL 5 systems running the CentrifyDC agent, it is noticed that in the syslogs (/var/log/messages) and Centrify debug logs (/var/log/centrifydc.log), that adcert will log in UTC time instead of the local time of the system.

Snippet from /var/log/centrifydc.log showing timestamps starting with 15:00 (EDT) and then switching to 19:00 (UTC)
 
Sep 1 15:00:02 engcen adcert[11234]: DEBUG cli.adcert certificate EC public key matches private key
Sep 1 15:00:02 engcen adcert[11234]: DEBUG cli.adcert certificate and private key exist on computer
Sep 1 15:00:02 engcen adcert[11234]: DEBUG lrpc.adobject key not in dictionary: revision
Sep 1 15:00:02 engcen adcert[11234]: DEBUG lrpc.adobject key not in dictionary: pKIOverlapPeriod
Sep 1 15:00:02 engcen adcert[11234]: DEBUG lrpc.adobject key not in dictionary: pKIExpirationPeriod
Sep 1 19:00:02 engcen adcert[11234]: DEBUG cli.adcert expiration is Tue
Sep 1 19:00:02 engcen adcert[11234]: DEBUG cli.adcert using OCSP url
Sep 1 19:00:02 engcen adcert[11234]: DEBUG cli.adcert trying certificate
Sep 1 19:00:02 engcen adcert[11234]: DEBUG cli.adcert ocsp: issuer certificate:
Sep 1 19:00:02 engcen adcert[11234]: DEBUG cli.adcert certificate is valid


Cause:

The adcert CLI, as a syslog client, writes log directly to syslogd.

On RHEL 5 systems, the syslog timestamp is affected by the TZ env variable (on the client side)

When TZ is not in env, the default timezone (/etc/localtime) will be used.


Workaround:

As root, edit the following file:
 
/usr/share/centrifydc/mappers/machine/certgp.pl


Find this line:
 
# c_rehash needs this environment variable for openssl binary
$ENV{OPENSSL} = $openssl;


Add the below entry, after that line:
 
$ENV{TZ} = "/etc/localtime";


The content should now be:
 
# c_rehash needs this environment variable for openssl binary
$ENV{OPENSSL} = $openssl;
$ENV{TZ} = "/etc/localtime";


The next time adcert is invoked by the Group Policy scripts, it should write to syslog with local time instead of UTC time.
 

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleCentrify 20.7 Release Notes article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III