KB-3236: How to get Centrify to use only specific domains and avoid contacting blocked ones.

Centrify DirectControl

12 April,16 at 11:08 AM

Applies to: All versions of Centrify DirectControl
 
Question:
Centrify makes unwanted connections to certain domain controllers.
 
/etc/centrifydc/centrifydc.conf was edited to block the unwanted DCs with the dns.block parameter, and the agent was pointed at specific DCs with the dns.dc and dns.gc parameters:
 
dns.block: cosp7chad02.abc.com,cosp7idcad02.abc.com,denp7idcad01.abc.com,cosp7idcad01.abc.com,cosp7chad01.abc.com,UNIVERSE.xyz.COM,DS1.abc.com,VBLOCK.xyz.com,DMZMGMT.xyz.com
 
1. How can the agent be prevented from contacting the blocked DCs?
2. How can it be made to contact only ms.ds.abc.com and not discover the other domains?
3. To avoid domain prefix conflicts, the following parameter was set:
 
auto.schema.domain.prefix.RXSOL.abc.com: 222 
 
However, the agent still logs errors such as the following:
 
Jun 5 15:13:41 machine01 adclient[24118]: ERROR <fd:26 get object > base.schema.auto Domain: DS.xyz.com (S-1-5-21-691992219-1070251692-926263066) conflicts with Domain: RXSOL.abc.com (S-1-5-21-1113471798-4009987756-1516591974) Use the auto.schema.domain.prefix property in /etc/centrifydc/centrifydc.conf to avoid this problem 
(the same line is logged six times in a row)
 
Jun 6 15:14:52 machine01 adclient[24118]: INFO <bg:krb5.conf> daemon.main Start trusted domain discovery 
Jun 6 15:14:52 machine01 adclient[24118]: INFO <bg:krb5.conf> daemon.main Trusted domain discovery complete : 67 domains found 
Jun 6 15:14:53 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'XYZ.COM' 
Jun 6 15:14:56 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'wxy.COM' 
Jun 6 15:14:56 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'MNK.jkl.COM' 
Jun 6 15:14:56 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'VBLOCK.xyz.com' 
Jun 6 15:14:59 machine01 adclient[24118]: WARN <bg:krb5.conf> base.kerberos.krb5conf Can not get KDC for the domain 'DMZMGMT.xyz.com' 
Jun 6 15:15:01 machine01 adclient[24118]: INFO <bg:krb5.conf> base.kerberos.krb5conf Wrote /etc/krb5.conf 
 
 
Answer:
This answer assumes that ms.ds.abc.com is also the domain the machine is joined to.
 
Run the following steps as root (or with sudo):
 
1) Stop adclient and cdcwatch for the duration of the change. Note: while the agent is down, no user can log in through it.
 
2) Delete /var/centrifydc/kset.trusts. It is a bootstrap value that the agent reuses after join, so it must be removed for the new trust settings to take effect.
 
3) Enable the following line in /etc/centrifydc/centrifydc.conf:
 
adclient.ldap.trust.local.domain.only: true 
 
4) Remove the following line from /etc/centrifydc/centrifydc.conf:
 
auto.schema.domain.prefix.RXSOL.abc.COM: 222 
 
5) Start centrifydc (adclient and cdcwatch).
 
6) Run adinfo -y domain to verify the result.
 
7) Leave the dns.block parameters in /etc/centrifydc/centrifydc.conf as they are.
 
 
Step 6 should list only the locally joined domain.
 
Step 2 should get rid of the following warning:
 
WARN <bg:krb5.conf> base.adagent skipping bad cached trust entry 
 
Step 3 means that *only* the locally joined domain is added to the trusted domain map, so the domain prefix conflict errors disappear. It should also stop the "Can not get KDC" warnings written during trusted domain discovery: VBLOCK.xyz.com and DMZMGMT.xyz.com in the log above are both listed in dns.block, which is why no KDC can be found for them, and once the other domains are no longer enumerated there is nothing left to look up. The flip side is that accounts from any other domain in the forest can no longer be resolved or authenticated through this agent, so confirm that the host only needs to serve users from the joined domain before applying it.
 
Note:
Newer versions of DirectControl add white-listing and black-listing features for AD domains, NTLM domains and user principal names.
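As an added example (not from the KB article and not Centrify's own tooling), here is a POSIX shell script that carries out the seven steps above on a host and then runs the two checks the article describes. The file paths are the ones the article names; everything else is an assumption: that the agent is stopped and started through the centrifydc init script or service, that the agent log is syslog at /var/log/messages, and that centrifydc.conf settings are "name: value" lines. CONF, KSET_TRUSTS and AGENT_LOG can be overridden from the environment, which is also how the configuration rewrite can be rehearsed on a copy of the file before the live one is touched.

```sh
#!/bin/sh
# Added example, not part of the KB article or the Centrify product: applies
# KB-3236 steps 1-7 to a DirectControl host. Assumptions (not stated by the
# article): the agent is controlled through the centrifydc init script or
# service, the agent log is syslog at /var/log/messages, and centrifydc.conf
# uses "name: value" lines. Run with --apply as root; without it only the
# functions are defined, so the file can be sourced for testing.
set -eu

CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"
KSET_TRUSTS="${KSET_TRUSTS:-/var/centrifydc/kset.trusts}"
AGENT_LOG="${AGENT_LOG:-/var/log/messages}"

# Steps 1 and 5: stop/start adclient and cdcwatch together through the service.
agent_ctl() {
    if [ -x /etc/init.d/centrifydc ]; then
        /etc/init.d/centrifydc "$1"
    else
        service centrifydc "$1"
    fi
}

# Steps 3, 4 and 7: rewrite centrifydc.conf in place.
#  - active lines setting adclient.ldap.trust.local.domain.only are replaced by
#    one "...: true" line (commented-out lines are kept as documentation)
#  - active auto.schema.domain.prefix.RXSOL.abc.com lines are removed; the match
#    is case-insensitive because the article writes the domain as .com and .COM
#  - everything else, dns.block included, passes through unchanged
edit_conf() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk '
        # true when the lower-cased, left-trimmed line is an active setting of name
        function is_setting(line, name) {
            if (substr(line, 1, length(name)) != name) return 0
            return substr(line, length(name) + 1) ~ /^[ \t]*:/
        }
        {
            low = tolower($0)
            sub(/^[ \t]+/, "", low)
        }
        is_setting(low, "adclient.ldap.trust.local.domain.only") { next }
        is_setting(low, "auto.schema.domain.prefix.rxsol.abc.com") { next }
        { print }
        END { print "adclient.ldap.trust.local.domain.only: true" }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Step 6 check: count the domains in `adinfo -y domain` output (passed in as
# text so it can be checked without a live agent); the article expects one.
count_domains() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Post-restart check: number of domain-prefix conflict errors and cached-trust
# warnings still present in the given log file; the article expects 0.
count_trust_errors() {
    grep -c -e 'conflicts with Domain' -e 'skipping bad cached trust entry' "$1" || true
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    cp -p "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"   # keep a copy before editing
    agent_ctl stop                                      # step 1: no logins until restart
    rm -f "$KSET_TRUSTS"                                # step 2: drop bootstrapped trust list
    edit_conf "$CONF"                                   # steps 3, 4 and 7
    agent_ctl start                                     # step 5
    sleep 10                                            # give adclient time to reconnect
    domains=$(adinfo -y domain)                         # step 6
    echo "domains reported by adinfo: $(count_domains "$domains")"
    echo "trust errors remaining in $AGENT_LOG: $(count_trust_errors "$AGENT_LOG")"
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as root with --apply during a maintenance window, since the agent is down between steps 1 and 5. The rewrite deliberately removes only active settings and leaves commented-out lines and dns.block untouched, and a timestamped backup of centrifydc.conf is written first so the change can be reverted by restoring the file and restarting the service.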
 
