Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2772: After unlocking from RedHat screensaver, Centrify does not refresh Kerberos cache

Centrify DirectControl ,  

12 April,16 at 11:07 AM

Applies to: Centrify DirectControl 5.0.x on RedHat platform
 
Problem:
 
After unlocking from the RedHat screensaver, the command /usr/share/centrifydc/bin/kerberos/klist shows that Centrify did not renew the Kerberos ticket at all. This requires the user to run /usr/share/centrifydc/bin/kerberos/kinit to get a new ticket. 
 
The following is noticed in the centrify_client.log. Is there any reason for this?
 
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: -> pam_sm_setcred
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Options: (none)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Flags: (none)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: Flag PAM_ESTABLISH_CRED is not given, ignored!
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: <- pam_sm_setcred, result=PAM_IGNORE(25)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: -> pam_sm_setcred
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Options: deny
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Flags: (none)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: Flag PAM_ESTABLISH_CRED is not given, ignored!
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: <- pam_sm_setcred, result=PAM_IGNORE(25)
 
Cause:
 
Centrify's adclient does not renew Kerberos tickets when unlocking from a RedHat screensaver. 
This should not cause problem, as Kerberos tickets will be auto-renewed periodically.
 
The PAM messages in centrify_client.log are expected and normal behaviour. The screensaver calls pam_sm_setcred then the PAM module manipulates these flags using to generate the final PAM flag. Currently PAM_ESTABLISH_CRED is only run against the screensaver on Mac systems (Unlocking screensaver on Mac will always renew Kerberos tickets), this check is not performed on other platforms. Without this flag, pam_sm_setcred will return PAM_IGNORE.
 
Workaround:
 
If Kerberos ticket expiry is not desired, then set  krb5.cache.infinite.renewal to true in centrifydc.conf and then run adreload

By doing this, Kerberos tickets will never expire (Note that they are still not refreshed ticket when unlocking from the screensaver).
 
Resolution:
 
This is fixed in Centrify DirectControl 5.1.3.

Customers needs to change the below parameter to true in /etc/centrifydc/centrifydc.conf and run
adreload, adflush and it should work fine.

pam.setcred.support.reinitialize: true
pam.setcred.support.refresh: true

For more details on the above parameter, please refer to pages 114 of Centrify Server Suite 2014
Configuration and Tuning Reference Guide (January 2014)

http://www.centrify.com/downloads/products/documentation/suite2014/centrify-unix-config-guide.pdf

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-2917: Refreshing User GPs reports "Can not invoke GP for [username]: Kerberos credentials not found for current user." articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient? articleKB-3925: How to add Centrify parameter to a group policy articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer?