
KB-2402: Decommissioning Domain Controllers and krb5.conf

Authentication Service

18 August, 16 at 11:00 PM

Applies to Centrify DirectControl on all OS Platforms


We decommissioned some domain controllers, but the krb5.conf still points to one of them as the KDC instead of updating to one of the new ones. 
Is there a way to force the krb5.conf to update?

On DirectControl up to 5.1.0 on all OS Platforms, there is no need to modify krb5.conf. Centrify adclient corrects it on its own over time: adclient keeps checking the status of the AD domain controllers and eventually updates the file. You do not need to edit krb5.conf manually, and it is unnecessary to run 'adleave' and 'adjoin'.

In /etc/centrifydc/centrifydc.conf there are two parameters to check:

adclient.krb5.autoedit (default is 'true')
krb5.config.update (default is set to 8 hours)

You can either set the above manually on each host, or you can set these configuration parameters using Group Policies:

Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Kerberos Settings > Set configuration update interval
- Select [Enabled] and set the Kerberos configuration file update interval.

Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Kerberos Settings > Manage Kerberos configuration
- Select [Enabled]

On DirectControl versions later than 5.1.0 on all OS Platforms, you must set the /etc/centrifydc/centrifydc.conf parameter "adclient.krb5.conf.domain_realm.strict: true" to allow the removal of unknown entries. The default for this parameter is "false".
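
To confirm what a host will actually do, the following added example (not Centrify code) reports whether a centrifydc.conf parameter is explicitly set and which `kdc` entries in krb5.conf still name a retired domain controller. It assumes the `key: value` syntax shown above and standard `kdc = host[:port]` lines; the host names and sample files are constructed.

```shell
#!/bin/sh
# Added example (not Centrify code): audit a host after DCs are retired.

# conf_value FILE KEY: value of an uncommented "key: value" line in
# centrifydc.conf; prints nothing when unset (the default then applies).
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            pos = index($0, ":"); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) found = v   # assumption: last assignment wins
        }
        END { if (found != "") print found }' "$1"
}

# stale_kdcs KRB5_CONF HOST...: print "line: host[:port]" for every kdc
# entry that still names a decommissioned host (case-insensitive).
stale_kdcs() {
    file=$1; shift
    awk -v hosts="$*" '
        BEGIN { n = split(tolower(hosts), h, " "); for (i = 1; i <= n; i++) dead[h[i]] = 1 }
        /^[ \t]*kdc[ \t]*=/ {
            host = $0
            sub(/^[^=]*=[ \t]*/, "", host); sub(/[ \t].*$/, "", host)
            name = tolower(host); sub(/:[0-9]+$/, "", name)
            if (name in dead) print NR ": " host
        }' "$file"
}

# Constructed sample files (not from a real host) so the example runs offline.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/krb5.conf" <<'EOF'
[realms]
 EXAMPLE.COM = {
  kdc = dc-old1.example.com:88
  kdc = dc-new1.example.com:88
 }
EOF
cat > "$sample_dir/centrifydc.conf" <<'EOF'
# adclient.krb5.autoedit: false
adclient.krb5.conf.domain_realm.strict: true
EOF

stale_kdcs "$sample_dir/krb5.conf" dc-old1.example.com   # 3: dc-old1.example.com:88
conf_value "$sample_dir/centrifydc.conf" adclient.krb5.conf.domain_realm.strict   # true
```

On a real host, pass /etc/centrifydc/centrifydc.conf and the system krb5.conf in place of the sample files; empty output from `conf_value` means the parameter is commented out or absent.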
