Applies to Centrify DirectControl on all OS Platforms
Question:
We decommissioned some domain controllers, but the krb5.conf still points to one of them as the KDC instead of updating to one of the new ones.
Is there a way to force the krb5.conf to update?
Answer:
On DirectControl up to 5.1.0 on all OS Platforms there is no need to modify krb5.conf. Centrify adclient will fix it by itself in time; adclient will keep checking the status of the AD/DCs and then will eventually update. You do not need to manually edit the krb5.conf and it is unnecessary to do 'adleave' and 'adjoin'.
In /etc/centrifydc/centrifydc.conf there are two parameters to check:
adclient.krb5.autoedit (default is 'true')
krb5.config.update (default is set to 8 hours)
You can either set the above manually on each host, or you can set these configuration parameters using Group Policies:
Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Kerberos Settings > Set configuration update interval
- Select [Enabled] and set the Kerberos configuration file update interval.
Computer Configuration > Policies > Centrify Settings > DirectControl Settings > Kerberos Settings > Manage Kerberos configuration
- Select [Enabled]
On DirectControl versions later than 5.1.0 on all OS Platforms you must set the /etc/centrifydc/centrifydc.conf parameter "adclient.krb5.conf.domain_realm.strict: true" to allow the removal of unknown entries. The default for this parameter is "false".
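As an added example (not part of the KB article or Centrify's own tooling), the script below reads a centrifydc.conf, reports the effective value of the three parameters named above using the defaults the article states, and lists krb5.conf KDC entries that still name a decommissioned DC. File paths, the decommissioned-DC list and the "8h" spelling of the interval default are assumptions; the sample files are constructed inline.

```shell
#!/bin/sh
# Added example, not Centrify code. Checks whether a host is set up for
# automatic krb5.conf maintenance and which KDC lines are stale.

# Print the effective value of KEY in CONF: the last uncommented "key: value"
# line wins; if the key is absent, DEFAULT applies (as adclient does).
effective_setting() {
    conf=$1; key=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*:[[:space:]]*//p" "$conf" | tail -n 1)
    printf '%s\n' "${val:-$default}"
}

# Print each "kdc = host[:port]" host in KRB5CONF that is listed in DECOM.
stale_kdcs() {
    krb5conf=$1; decom=$2
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$krb5conf" \
        | sed 's/:[0-9]*$//' \
        | grep -Fxf "$decom" || true
}

# Constructed sample inputs so the script runs stand-alone (hypothetical hosts).
tmp=$(mktemp -d)
cat >"$tmp/centrifydc.conf" <<'EOF'
# adclient.krb5.autoedit: true   <- commented out, so the default applies
krb5.config.update: 4h
EOF
cat >"$tmp/krb5.conf" <<'EOF'
[realms]
 EXAMPLE.COM = {
  kdc = dc-old-1.example.com:88
  kdc = dc-new-1.example.com:88
 }
EOF
printf 'dc-old-1.example.com\ndc-old-2.example.com\n' >"$tmp/decommissioned.txt"

# Defaults as stated in the article: autoedit true, update interval 8 hours
# (written here as "8h", an assumed spelling), domain_realm.strict false.
echo "adclient.krb5.autoedit               = $(effective_setting "$tmp/centrifydc.conf" adclient.krb5.autoedit true)"
echo "krb5.config.update                   = $(effective_setting "$tmp/centrifydc.conf" krb5.config.update 8h)"
echo "adclient.krb5.conf.domain_realm.strict = $(effective_setting "$tmp/centrifydc.conf" adclient.krb5.conf.domain_realm.strict false)"
echo "KDC entries still naming a decommissioned DC:"
stale_kdcs "$tmp/krb5.conf" "$tmp/decommissioned.txt"
```

On a real host, point the two paths at /etc/centrifydc/centrifydc.conf and /etc/krb5.conf and supply your own list of retired DC names.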