Applies to: Centrify DirectControl 5.0.x on RedHat platform
Problem:
After unlocking from the RedHat screensaver, the command /usr/share/centrifydc/bin/kerberos/klist shows that Centrify did not renew the Kerberos ticket at all. This requires the user to run /usr/share/centrifydc/bin/kerberos/kinit to get a new ticket.
The following is noticed in the centrify_client.log. Is there any reason for this?
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: -> pam_sm_setcred
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Options: (none)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Flags: (none)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: Flag PAM_ESTABLISH_CRED is not given, ignored!
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: <- pam_sm_setcred, result=PAM_IGNORE(25)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: -> pam_sm_setcred
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Options: deny
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Flags: (none)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: Flag PAM_ESTABLISH_CRED is not given, ignored!
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: <- pam_sm_setcred, result=PAM_IGNORE(25)
Cause:
Centrify's adclient does not renew Kerberos tickets when unlocking from a RedHat screensaver.
This should not cause a problem, as Kerberos tickets are auto-renewed periodically.
The PAM messages in centrify_client.log are expected and normal behaviour. The screensaver calls pam_sm_setcred, and the PAM module processes the flags it is passed to generate the final PAM flag. Currently the PAM_ESTABLISH_CRED check is only applied to the screensaver on Mac systems (unlocking the screensaver on a Mac always renews Kerberos tickets); it is not performed on other platforms. Without this flag, pam_sm_setcred returns PAM_IGNORE.
Workaround:
If Kerberos ticket expiry is not desired, then set krb5.cache.infinite.renewal to true in centrifydc.conf and then run adreload.
With this setting, Kerberos tickets never expire. Note that tickets are still not refreshed when unlocking from the screensaver.
Resolution:
This is fixed in Centrify DirectControl 5.1.3.
Customers need to set the parameters below to true in /etc/centrifydc/centrifydc.conf and then run adreload and adflush; after that it should work fine.
pam.setcred.support.reinitialize: true
pam.setcred.support.refresh: true
For more details on the above parameters, please refer to page 114 of the Centrify Server Suite 2014 Configuration and Tuning Reference Guide (January 2014):
http://www.centrify.com/downloads/products/documentation/suite2014/centrify-unix-config-guide.pdf
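To verify this condition on a host, here is an added Python example (not Centrify's code) that pairs the pam_sm_setcred entry and exit lines in centrify_client.log per service and PID, reports the calls that ended in PAM_IGNORE together with the PAM flags they carried, and reads the two pam.setcred.support parameters from centrifydc.conf. The log excerpt and configuration fragment are constructed samples; the sshd lines are assumed for contrast and are not from the article.

```python
import re
# Constructed excerpt modelled on the centrify_client.log lines quoted in the article;
# the sshd lines are constructed (assumed format) to show a setcred call that was not ignored.
SAMPLE_LOG = """\
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: -> pam_sm_setcred
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: PAM Flags: (none)
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: Flag PAM_ESTABLISH_CRED is not given, ignored!
Dec 28 15:26:00 gnome-screensav[11408] DEBUG: <- pam_sm_setcred, result=PAM_IGNORE(25)
Dec 28 15:31:07 sshd[12040] DEBUG: -> pam_sm_setcred
Dec 28 15:31:07 sshd[12040] DEBUG: PAM Flags: PAM_ESTABLISH_CRED
Dec 28 15:31:07 sshd[12040] DEBUG: <- pam_sm_setcred, result=PAM_SUCCESS(0)
"""
# Constructed centrifydc.conf fragment with the two 5.1.3 parameters still off.
SAMPLE_CONF = """\
pam.setcred.support.reinitialize: false
pam.setcred.support.refresh: false
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+?)\[(\d+)\] DEBUG: (.*)$")
RESULT_RE = re.compile(r"^<- pam_sm_setcred, result=(\w+)")

def ignored_setcred_calls(log_text):
    """Pair '-> pam_sm_setcred' with its '<-' line per service/PID; return calls that ended in PAM_IGNORE."""
    open_calls, ignored = {}, []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        when, service, pid, msg = m.groups()
        key, result = (service, pid), RESULT_RE.match(msg)
        if msg == "-> pam_sm_setcred":
            open_calls[key] = {"time": when, "service": service, "pid": int(pid), "flags": None}
        elif msg.startswith("PAM Flags:") and key in open_calls:
            open_calls[key]["flags"] = msg.split(":", 1)[1].strip()  # e.g. "(none)"
        elif result and key in open_calls:
            call = open_calls.pop(key)
            if result.group(1) == "PAM_IGNORE":
                ignored.append(call)
    return ignored

def setcred_conf_enabled(conf_text):
    """Map each pam.setcred.support.* parameter to whether centrifydc.conf sets it to true."""
    enabled = dict.fromkeys(("pam.setcred.support.reinitialize", "pam.setcred.support.refresh"), False)
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("#") or ":" not in line: continue  # skip comments and non key: value lines
        key, value = (part.strip() for part in line.split(":", 1))
        if key in enabled:
            enabled[key] = value.lower() == "true"
    return enabled

def screensaver_unlock_refresh_broken(log_text, conf_text):
    """True when a gnome-screensaver setcred call was ignored and the fix parameters are still off."""
    from_saver = any(c["service"].startswith("gnome-screensav") for c in ignored_setcred_calls(log_text))
    return from_saver and not all(setcred_conf_enabled(conf_text).values())
```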