Applies to: All versions of Centrify DirectControl
Question:
Centrify makes unwanted connections to certain domain controllers.
/etc/centrifydc/centrifydc.conf was edited to block the target DCs with the dns.block parameter, and the agent was configured to connect to specific DCs with the dns.dc/dns.gc parameters.
dns.block: cosp7chad02.abc.com,cosp7idcad02.abc.com,denp7idcad01.abc.com,cosp7idcad01.abc.com,cosp7chad01.abc.com,UNIVERSE.xyz.COM,DS1.abc.com,VBLOCK.xyz.com,DMZMGMT.xyz.com
1. How can the agent be prevented from contacting the blocked DCs?
2. How can it contact only ms.ds.abc.com and not discover the other domains?
3. To prevent the domain prefix conflicts, the following parameter was used:
auto.schema.domain.prefix.RXSOL.abc.com: 222
However, the following errors are observed:
Jun 5 15:13:41 machine01 adclient[24118]: ERROR <fd:26 get object > base.schema.auto Domain: DS.xyz.com (S-1-5-21-691992219-1070251692-926263066) conflicts with Domain: RXSOL.abc.com (S-1-5-21-1113471798-4009987756-1516591974) Use the auto.schema.domain.prefix property in /etc/centrifydc/centrifydc.conf to avoid this problem
Jun 5 15:13:41 machine01 adclient[24118]: ERROR <fd:26 get object > base.schema.auto Domain: DS.xyz.com (S-1-5-21-691992219-1070251692-926263066) conflicts with Domain: RXSOL.abc.com (S-1-5-21-1113471798-4009987756-1516591974) Use the auto.schema.domain.prefix property in /etc/centrifydc/centrifydc.conf to avoid this problem
Jun 5 15:13:41 machine01 adclient[24118]: ERROR <fd:26 get object > base.schema.auto Domain: DS.xyz.com (S-1-5-21-691992219-1070251692-926263066) conflicts with Domain: RXSOL.abc.com (S-1-5-21-1113471798-4009987756-1516591974) Use the auto.schema.domain.prefix property in /etc/centrifydc/centrifydc.conf to avoid this problem
Jun 5 15:13:41 machine01 adclient[24118]: ERROR <fd:26 get object > base.schema.auto Domain: DS.xyz.com (S-1-5-21-691992219-1070251692-926263066) conflicts with Domain: RXSOL.abc.com (S-1-5-21-1113471798-4009987756-1516591974) Use the auto.schema.domain.prefix property in /etc/centrifydc/centrifydc.conf to avoid this problem
Jun 5 15:13:41 machine01 adclient[24118]: ERROR <fd:26 get object > base.schema.auto Domain: DS.xyz.com (S-1-5-21-691992219-1070251692-926263066) conflicts with Domain: RXSOL.abc.com (S-1-5-21-1113471798-4009987756-1516591974) Use the auto.schema.domain.prefix property in /etc/centrifydc/centrifydc.conf to avoid this problem
Jun 5 15:13:41 machine01 adclient[24118]: ERROR <fd:26 get object > base.schema.auto Domain: DS.xyz.com (S-1-5-21-691992219-1070251692-926263066) conflicts with Domain: RXSOL.abc.com (S-1-5-21-1113471798-4009987756-1516591974) Use the auto.schema.domain.prefix property in /etc/centrifydc/centrifydc.conf to avoid this problem
:
Jun 6 15:14:52 machine01 adclient[24118]: INFO <bg:krb5.conf> daemon.main Start trusted domain discovery
Jun 6 15:14:52 machine01 adclient[24118]: INFO <bg:krb5.conf> daemon.main Trusted domain discovery complete : 67 domains found
Jun 6 15:14:53 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'XYZ.COM'
Jun 6 15:14:56 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'wxy.COM'
Jun 6 15:14:56 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'MNK.jkl.COM'
Jun 6 15:14:56 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'VBLOCK.xyz.com'
Jun 6 15:14:59 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'DMZMGMT.xyz.com'
Jun 6 15:15:01 machine01 adclient[24118]: INFO <bg:krb5.conf> base.kerberos.krb5conf Wrote /etc/krb5.conf
Answer:
This answer assumes that "ms.ds.abc.com" is also the joined domain.
Run the following as root (or via sudo):
1) Stop adclient and cdcwatch momentarily (note: while they are stopped no user can log in and the agent is disconnected).
2) Delete /var/centrifydc/kset.trusts; it is a bootstrap value that the agent uses after join.
3) Enable the following line in /etc/centrifydc/centrifydc.conf:
adclient.ldap.trust.local.domain.only: true
4) Remove the following line from /etc/centrifydc/centrifydc.conf:
auto.schema.domain.prefix.RXSOL.abc.COM: 222
5) Start centrifydc/adclient.
6) Run the command adinfo -y domain.
7) Leave the dns.block parameters configured in /etc/centrifydc/centrifydc.conf alone.
Step 6 should show only the locally joined domain.
Step 2 should get rid of the following errors:
WARN <bg:krb5.conf> base.adagent skipping bad cached trust entry
Step 3 means that only the locally joined domain is added to the trusted domain map, at which point the domain prefix errors disappear.
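The procedure above as a script, added here as an example and not Centrify's own tooling: it rewrites centrifydc.conf the way steps 3, 4 and 7 describe (force the trust setting on, drop every auto.schema.domain.prefix line, leave dns.block/dns.dc/dns.gc alone) and checks the result. The init script path /usr/share/centrifydc/bin/centrifydc is an assumption, and the live stop/delete/start sequence runs only when the script is invoked with --apply, so the edit can first be exercised on the constructed scratch config that make_sample_conf writes.

```shell
#!/bin/sh
# Added example; paths below are assumptions and can be overridden via the environment.
CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"
TRUST_CACHE="${TRUST_CACHE:-/var/centrifydc/kset.trusts}"
CDC_INIT="${CDC_INIT:-/usr/share/centrifydc/bin/centrifydc}"   # assumed init script path

# Write a constructed sample config (not a real site's file) to the given path,
# mirroring the shape of the question: a dns.block list, a commented-out trust
# setting, a domain prefix line and a pinned DC.
make_sample_conf() {
    printf '%s\n' \
        'dns.block: cosp7chad02.abc.com,cosp7idcad02.abc.com,DS1.abc.com' \
        '# adclient.ldap.trust.local.domain.only: false' \
        'auto.schema.domain.prefix.RXSOL.abc.COM: 222' \
        'dns.dc.ms.ds.abc.com: dc01.ms.ds.abc.com' > "$1"
}

# Steps 3, 4 and 7: keep every line except the trust setting (in any commented or
# uncommented form) and the domain prefix entries, then append the trust setting
# set to true. The file is overwritten with cat so its owner and mode survive.
restrict_trust_to_local_domain() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk '
        /^[# \t]*adclient\.ldap\.trust\.local\.domain\.only[ \t]*:/ { next }
        /^[ \t]*auto\.schema\.domain\.prefix\./ { next }
        { print }
        END { print "adclient.ldap.trust.local.domain.only: true" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Return 0 when the config is in the state the answer calls for: the trust
# setting is present exactly once and true, and no domain prefix line remains.
check_conf() {
    conf="$1"
    [ "$(grep -c '^adclient\.ldap\.trust\.local\.domain\.only:[ \t]*true$' "$conf")" -eq 1 ] || return 1
    ! grep -q '^[ \t]*auto\.schema\.domain\.prefix\.' "$conf"
}

# Count of dns.* pinning/blocking lines, so a caller can confirm step 7 was honoured.
count_dns_lines() {
    grep -c '^dns\.\(block\|dc\|gc\)' "$1"
}

# Steps 1-6 against the live system; only reached with --apply.
run_procedure() {
    "$CDC_INIT" stop                          # step 1: no logins while stopped
    rm -f "$TRUST_CACHE"                      # step 2: bootstrap trust list is rebuilt
    restrict_trust_to_local_domain "$CONF"    # steps 3, 4 and 7
    check_conf "$CONF" || { echo "config check failed" >&2; exit 1; }
    "$CDC_INIT" start                         # step 5
    adinfo -y domain                          # step 6: expect only the joined domain
}

if [ "${1:-}" = "--apply" ]; then
    run_procedure
fi
```

To rehearse the edit first: `CONF=/tmp/cdc.conf sh script.sh` with `make_sample_conf /tmp/cdc.conf` run beforehand, then inspect the file; the dns.* lines should be unchanged and only the trust line appended.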
Note:
Newer versions of DirectControl will have additional whitelisting and blacklisting features for AD domains, NTLM domains, and user principal names.