Applies to Centrify DirectControl on all OS Platforms
We decommissioned some domain controllers, but the krb5.conf still points to one of them as the KDC instead of updating to one of the new ones.
Is there a way to force the krb5.conf to update?
On DirectControl up to 5.1.0 on all OS Platforms there is no need to modify krb5.conf. Centrify adclient will fix it by itself in time: adclient keeps checking the status of the AD domain controllers and will eventually update the file. You do not need to edit krb5.conf manually, and it is unnecessary to run 'adleave' and 'adjoin'.
In /etc/centrifydc/centrifydc.conf there are two parameters to check:
adclient.krb5.autoedit (default is 'true')
krb5.config.update (default is set to 8 hours)
You can either set the above manually on each host, or you can set these configuration parameters using Group Policies:
Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Kerberos Settings > Set configuration update interval
- Select [Enabled] and set the Kerberos configuration file update interval.
Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Kerberos Settings > Manage Kerberos configuration
- Select [Enabled]
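Before waiting out the update interval, it is useful to confirm on a host that autoedit is still enabled and to see which KDC entries in krb5.conf still name a decommissioned DC. The following is an added example, not Centrify's code: it reads the two centrifydc.conf parameters (falling back to the defaults stated above, assuming the `name: value` line format) and lists the `kdc` entries in the `[realms]` section of krb5.conf; the file contents and host names are constructed samples.

```python
import re

# Constructed centrifydc.conf fragment (not from a real host).
SAMPLE_CENTRIFYDC_CONF = """\
# Centrify DirectControl configuration (constructed sample)
adclient.krb5.autoedit: false
# krb5.config.update is not set here, so the default applies
"""

# Constructed krb5.conf (not from a real host).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc-old-01.example.com
        kdc = dc-new-01.example.com
        admin_server = dc-new-01.example.com
    }
"""

# Defaults as stated in the article (krb5.config.update is in hours).
DEFAULTS = {"adclient.krb5.autoedit": "true", "krb5.config.update": "8"}

def effective_setting(conf_text, key):
    """Return the effective value of a centrifydc.conf parameter.
    Assumes 'key: value' (or 'key=value') lines; a missing or
    commented-out key falls back to the documented default."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([\w.]+)\s*[:=]\s*(.*)$", line)
        if m and m.group(1) == key:
            return m.group(2).strip()
    return DEFAULTS.get(key)

def kdc_hosts(krb5_text):
    """Collect every 'kdc = host[:port]' entry under [realms]."""
    hosts, section = [], None
    for line in krb5_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "realms" and re.match(r"kdc\s*=", line):
            hosts.append(line.split("=", 1)[1].strip().split(":")[0])
    return hosts

def stale_kdcs(krb5_text, decommissioned):
    """KDC entries that still point at a decommissioned DC."""
    gone = {d.lower() for d in decommissioned}
    return [h for h in kdc_hosts(krb5_text) if h.lower() in gone]
```

On a real host, read the two files from /etc/centrifydc/centrifydc.conf and /etc/krb5.conf instead of the constructed samples; a non-empty stale list with autoedit set to "false" means adclient will never correct the file on its own.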
On DirectControl versions later than 5.1.0 on all OS Platforms you must set the /etc/centrifydc/centrifydc.conf parameter "adclient.krb5.conf.domain_realm.strict: true" to allow the removal of unknown entries. The default for this parameter is "false".