12 April,16 at 11:11 AM
Applies to: Centrify DirectControl 5.0.5 or below on RedHat 6.2
Problem:
In Active Directory Users and Computers console, Account options "Do not require Kerberos Preauthentication" is checked in user's profile.
Attempting to ssh into a RedHat 6.2 serverĀ as this user will stall the session and eventually cause adclient to disconnect, following messages can be captured from debug log:
Jan 17 15:34:06 host adclient[2961]: DEBUG <fd:28 PAMVerifyPassword > dns.findkdc KDC locator for domain.com
Jan 17 15:34:52 host sshd[29990]: Invalid user rlevin1 from 123.456.789.123
Jan 17 15:34:52 host cdcwatch[2962]: ERROR cdcwatch detected adclient is not running properly (ping took 30 seconds)
...
Jan 17 15:35:21 host adclient[30042]: DEBUG <fd:27 PAMVerifyPassword > dns.findkdc KDC locator for domain.com
Jan 17 15:40:11 host cdcwatch[30043]: DEBUG lrpc.session New socket 8 (142709)
Jan 17 15:40:41 host cdcwatch[30043]: DEBUG cdcwatch signalling adclient[30042] with SIGABRT
Workaround:
Uncheck "Do not require Kerberos Preauthentication" option in ADUC for target user.
Resolution:
This has been fixed in Centrify DirectControl 5.1.0 and above.
KB-8538: After Enabling Smartcard, sctool -s Gives the Error "Cannot determine Centrify Smart Card status"
KB-4669: Starting Centrify agent may cause timed out on Solaris platforms
KB-2585: High memory usage when SELinux is enabled/enforced
KB-9255: An application process receives segfault in libnss_centrifyda.so.2 error causing backups to fail
KB-2645: Centrify-enabled OpenSSH crashes while SSL is enabled in OpenLDAP
KB-1323: /etc/security/limits are not being enforced for Centrify zone-enabled users on AIX
KB-8306: Centrify-enabled samba not accessible due to error "NT_STATUS_CANT_ACCESS_DOMAIN_INFO"
[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I
KB-3925: How to add Centrify parameter to a group policy