Applies to: Centrify DirectControl 4.4.4 on RHEL platforms
Question:
After upgrading the Centrify Linux client from version 4.4.3-424 to 4.4.4-543, there is a change of behavior.
With the old version, root can su to any account, even a "locked AD account" (which is normal Linux behavior).
With the new version, root cannot su to a "locked account" (which is NOT normal Linux behavior).
As a result, daemons and cron jobs owned by a "locked account" cannot run.
The PAM config did not change.
/etc/pam.d/su:
# lines inserted by Centrify Direct Control (CentrifyDC 4.4.3-424)
account sufficient pam_centrifydc.so
account requisite pam_centrifydc.so deny
session required pam_centrifydc.so homedir
password sufficient pam_centrifydc.so try_first_pass
password requisite pam_centrifydc.so deny
#%PAM-1.0
auth sufficient pam_rootok.so
# lines inserted by Centrify Direct Control (CentrifyDC 4.4.3-424)
auth sufficient pam_centrifydc.so enable_dzpamgate
auth requisite pam_centrifydc.so deny
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Answer:
This is an issue with Centrify DirectControl 4.4.4.
To fix this, please follow the steps below:
1) Make a backup of /etc/pam.d/su.
2) Copy /etc/pam.d/su.pre_cdc to /etc/pam.d/su
(or)
Create a file called /etc/pam.d/su with the contents below:
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
3) Change the autoedit parameter in /etc/centrifydc/centrifydc.conf; otherwise, on the next restart, Centrify will re-add the lines or restore the file:
adclient.autoedit.pam: true (default is false)
4) Optionally, restart Centrify DirectControl:
service centrifydc restart
5) Test with su - <locked AD account>; it should now work.
Note: The steps above are not required in Centrify DirectControl 5.0.2 or later.
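As an added check (not part of the Centrify article), the POSIX shell script below audits a /etc/pam.d/su file for the pam_centrifydc.so entries the fix removes and reports whether a Centrify "account" entry is evaluated before the root bypass entry (pam_succeed_if.so uid = 0). The two sample files are constructed, abbreviated copies of the listings above, and the function names are hypothetical; that the stack order is what produces the 4.4.4 behaviour is an assumption, not something the article states.

```shell
#!/bin/sh
# Added example, not from the Centrify article: audit a /etc/pam.d/su file for the
# CentrifyDC entries the article removes and report whether a Centrify "account" entry
# precedes the root bypass (pam_succeed_if.so uid = 0). The check reflects stack order
# only; that the order causes the symptom is an assumption.
# Constructed, abbreviated copy of the article's upgraded /etc/pam.d/su listing.
SAMPLE_SU=$(mktemp)
cat > "$SAMPLE_SU" <<'EOF'
# lines inserted by Centrify Direct Control (CentrifyDC 4.4.3-424)
account sufficient pam_centrifydc.so
account requisite pam_centrifydc.so deny
session required pam_centrifydc.so homedir
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_centrifydc.so enable_dzpamgate
auth requisite pam_centrifydc.so deny
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
EOF
# Constructed copy of the article's fixed (pre-Centrify) file, trimmed to the same entries.
FIXED_SU=$(mktemp)
cat > "$FIXED_SU" <<'EOF'
#%PAM-1.0
auth sufficient pam_rootok.so
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
EOF
trap 'rm -f "$SAMPLE_SU" "$FIXED_SU"' EXIT
# Print line numbers of non-comment entries whose type ($2) and module ($3) match.
pam_lines() {
    awk -v t="$2" -v m="$3" '$1 !~ /^#/ && $1 == t && $3 == m { print NR }' "$1"
}
# Succeed (exit 0) when a Centrify account entry precedes the uid = 0 bypass entry.
centrify_account_before_root_bypass() {
    first_cdc=$(pam_lines "$1" account pam_centrifydc.so | head -n 1)
    root_ok=$(pam_lines "$1" account pam_succeed_if.so | head -n 1)
    [ -n "$first_cdc" ] && [ -n "$root_ok" ] && [ "$first_cdc" -lt "$root_ok" ]
}
# Count non-comment pam_centrifydc.so entries of any type (the lines the fix removes).
count_centrify_lines() {
    awk '$1 !~ /^#/ && $3 == "pam_centrifydc.so"' "$1" | wc -l | tr -d ' '
}
# Stand-alone run: report on the constructed sample file.
centrify_account_before_root_bypass "$SAMPLE_SU" &&
    echo "sample su: $(count_centrify_lines "$SAMPLE_SU") CentrifyDC entries; account check precedes root bypass"
```

Point the two functions at the real /etc/pam.d/su to check a host before and after applying the steps above.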