KB-3444: Authentication fails when kvno values go out of sync in RODC environments

Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April 2016 at 11:26 AM

Applies to: Centrify DirectControl version 4.4.4 / 5.1.x in RODC environments

Problem:

Consider the following scenario:
  1. adinfo shows the agent is connected.
  2. adquery user -A joeuser shows the user is zone-enabled.
Even so, an AD user cannot log in over ssh from another system to a target Red Hat system running Centrify DirectControl. The login fails with:
 
User not authenticated

The debug log shows the following entry:
 
audit User 'joeuser' not authenticated: rd_req:Key version number for principal in key table is incorrect

After the computer password is reset, logins work temporarily, but then stop working again.


Cause:

The KVNO (Key Version Number) of the computer account went out of sync because of a replication delay between the RODC (Read Only Domain Controller) and the RWDC (Read Write Domain Controller).

Centrify's adkeytab password change has two components:
  1. The user credential used to reset the password.
  2. An LRPC call asking adclient to change the machine password. This bumps the kvno by 2.
  • The Centrify agent sends the password change request to the RODC, which passes it on to its RWDC partner.
  • The RWDC performs the password change and updates the KVNO in its copy of the agent's computer object.
  • The computer object is not replicated back to the RODC right away, so the KVNO held by the RODC is now stale.
  • When the agent tries to read the updated KVNO it cannot, because it can only reach the RODC, where the KVNO is out of date.

Whenever the replication delay leaves the RODC and the RWDC holding different KVNO values for the computer account, Kerberos authentication to the host breaks: the key version in the service tickets the host receives no longer matches the kvno of the keys in its keytab, which is exactly what the rd_req error above reports.

Logins work again only once the two copies are back in sync, which is why the failure is sporadic.

This can be verified by querying the computer object's msDS-KeyVersionNumber attribute with ldapsearch against both the RODC and the RWDC and comparing the two values with the kvno in the agent's keytab.
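As an added example (not part of this KB or of Centrify's own tooling), the following POSIX shell script performs the check described above: it reads msDS-KeyVersionNumber from LDIF as returned by ldapsearch against each DC, reads the kvno from a klist -kte listing of the host keytab, and reports whether the three agree. The host name RHEL01, the DN, the DC names and all sample output are constructed placeholders; the ldapsearch and klist invocations in the comments are the real commands you would substitute on a live system.

```shell
#!/bin/sh
# Added example, not from the KB: compare the computer account's
# msDS-KeyVersionNumber on the RWDC and the RODC with the kvno in the
# local keytab. Hostnames, DNs and all sample output are constructed.
#
# On a real host the two LDIF inputs would come from, for example:
#   ldapsearch -LLL -Y GSSAPI -H ldap://rwdc01.example.com \
#     -b "DC=example,DC=com" "(sAMAccountName=RHEL01\$)" msDS-KeyVersionNumber
#   ldapsearch -LLL -Y GSSAPI -H ldap://rodc01.example.com \
#     -b "DC=example,DC=com" "(sAMAccountName=RHEL01\$)" msDS-KeyVersionNumber
# and the keytab listing from:  klist -kte /etc/krb5.keytab

# Print the msDS-KeyVersionNumber value found in LDIF text ($1).
ldif_kvno() {
    printf '%s\n' "$1" |
        awk -F': ' 'tolower($1) == "msds-keyversionnumber" { print $2; exit }'
}

# Print the highest kvno in klist -kte output ($1) for principals that
# contain the substring $2 (prints 0 if there is no matching entry).
keytab_kvno() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$1 ~ /^[0-9]+$/ && index($0, p) { if ($1 + 0 > max) max = $1 + 0 }
                       END { print max + 0 }'
}

# Constructed sample data for the failure mode in the KB: the RWDC holds
# the bumped kvno (7, i.e. the previous 5 plus 2), the RODC still has the
# stale value (5), and the agent's keytab was rewritten with the new key.
RWDC_LDIF='dn: CN=RHEL01,OU=Linux,DC=example,DC=com
msDS-KeyVersionNumber: 7'
RODC_LDIF='dn: CN=RHEL01,OU=Linux,DC=example,DC=com
msDS-KeyVersionNumber: 5'
KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   7 04/12/2016 11:20:44 host/rhel01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 04/12/2016 11:20:44 host/rhel01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Report the three values; succeed only when RWDC, RODC and keytab agree.
# $1 RWDC LDIF, $2 RODC LDIF, $3 klist -kte output, $4 principal substring.
check_kvno_sync() {
    rw=$(ldif_kvno "$1")
    ro=$(ldif_kvno "$2")
    kt=$(keytab_kvno "$3" "$4")
    printf 'RWDC kvno=%s RODC kvno=%s keytab kvno=%s\n' "$rw" "$ro" "$kt"
    if [ "$rw" = "$ro" ] && [ "$ro" = "$kt" ]; then
        echo "in sync"
        return 0
    fi
    echo "OUT OF SYNC: expect 'Key version number ... is incorrect' until the RODC has replicated"
    return 1
}

if check_kvno_sync "$RWDC_LDIF" "$RODC_LDIF" "$KEYTAB" host/rhel01; then
    :
else
    echo "replicate the computer object to the RODC (or wait), then re-check"
fi
```

Run the real ldapsearch against each DC by name rather than relying on DNS SRV lookup, otherwise both queries may land on the same (RODC) server and the comparison tells you nothing. A mismatch between RWDC and RODC confirms the replication lag; a keytab kvno that matches the RWDC but not the RODC is the exact state this KB describes.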


Workaround:

Option 1:
If the computer account's new password has not yet replicated to the RODC, fix it on the AD side: force replication from the RWDC to the RODC, or wait for the next replication cycle, so that the two copies of the kvno line up again.

Option 2:
On the Centrify agent side, the periodic computer/machine password change can be disabled (if that is acceptable under your password policy), so the kvno never moves ahead of the RODC's copy. Note that this also stops rotation of the machine's Kerberos key.

Set the following parameter in /etc/centrifydc/centrifydc.conf:
 
adclient.krb5.password.change.interval: 0


Resolution:

For users on Centrify version 4.4.4, please contact Centrify Support for a special one-off build: Centrify DirectControl 4.4.4-576.

LRPC definition:
  • Communication between client libraries and adclient goes through Centrify's own protocol, "LRPC" (Lightweight Remote Procedure Call).
  • Unlike network RPC protocols, LRPC only communicates between processes on the same system.

Additional reading about kvno: (Link provided as a courtesy)
