Centrify DirectControl version 4.4.4 / 5.1.x in RODC environments
Problem:
Consider the following scenario:
- adinfo shows the agent is connected.
- adquery user -A joeuser shows the user is Zone-Enabled.
An AD user cannot log in over ssh from another system to a target Red Hat system running Centrify DirectControl. The user sees:
User not authenticated
The debug log shows the following entry:
audit User 'joeuser' not authenticated: rd_req:Key version number for principal in key table is incorrect
After a reset of the computer password, logins work temporarily, but then stop working again.
Cause:
The problem is the KVNO (Key Version Number) went out of sync due to a replication delay between RODC (Read Only Domain Controller) and RWDC (Read Write Domain controller).
A machine password change has two components:
- The user credential used to reset the password.
- It uses LRPC to ask adclient to change the machine password. This bumps the kvno by 2.
- The Centrify agent sends the password change request to the RODC which in turn passes it on to its RWDC partner.
- The RWDC does the password change and updates the KVNO in its copy of adagent's computer object.
- However, the computer object is not replicated back to the RODC right away, so the KVNO on the RODC is now stale.
- When the agent tries to get the updated KVNO it cannot because it can only access the RODC (where the KVNO is out of date).
If the RODC (Read Only Domain Controller) and RWDC (Read Write Domain Controller) have a replication delay such that they hold different KVNO values, authentication breaks.
Logins keep failing until the two are back in sync, which is why the problem is sporadic.
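The KVNO comparison this section describes, as an added example that is not part of the Centrify article: a POSIX shell check that parses klist and ldapsearch output and reports whether the RODC is lagging the RWDC or the keytab itself is out of step. The hostnames, the sample klist/LDIF text and the ldapsearch invocation in the trailing comment are constructed placeholders; the check assumes you can read the computer object on both domain controllers.

```shell
# Compare the host keytab's KVNO with msDS-KeyVersionNumber as returned by
# the RODC and by the RWDC. Sample outputs are constructed so this runs offline.

# Constructed sample of `klist -kte /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   7 01/10/13 09:12:45 host/rhel01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   7 01/10/13 09:12:45 host/rhel01.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed sample LDIF from the RODC (stale) and the RWDC (current).
SAMPLE_RODC_LDIF='dn: CN=RHEL01,OU=Servers,DC=example,DC=com
msDS-KeyVersionNumber: 5'
SAMPLE_RWDC_LDIF='dn: CN=RHEL01,OU=Servers,DC=example,DC=com
msDS-KeyVersionNumber: 7'

# Highest KVNO in klist output; a keytab normally holds one key per enctype,
# all at the same version, but older versions may linger after a change.
keytab_kvno() {
  printf '%s\n' "$1" |
    awk '$1 ~ /^[0-9]+$/ && ($1 + 0) > max { max = $1 + 0 } END { print max + 0 }'
}

# msDS-KeyVersionNumber from an ldapsearch LDIF result (attribute names
# are case-insensitive, so match on the lower-cased form).
ad_kvno() {
  printf '%s\n' "$1" | awk 'tolower($1) == "msds-keyversionnumber:" { print $2 }'
}

# Classify keytab / RODC / RWDC values in the order the cause section describes:
# RODC lagging the RWDC is the replication-delay case; a keytab that differs
# from an agreeing RODC/RWDC pair means the keytab itself needs attention.
diagnose() {
  if [ "$2" != "$3" ]; then
    echo "rodc-stale"
  elif [ "$1" != "$3" ]; then
    echo "keytab-stale"
  else
    echo "in-sync"
  fi
}

# Live collection (placeholders in angle brackets):
#   klist -kte /etc/krb5.keytab
#   ldapsearch -LLL -H ldap://<rodc-fqdn> -Y GSSAPI -b '<base dn>' '(cn=<host>)' msDS-KeyVersionNumber
#   ldapsearch -LLL -H ldap://<rwdc-fqdn> -Y GSSAPI -b '<base dn>' '(cn=<host>)' msDS-KeyVersionNumber
diagnose "$(keytab_kvno "$SAMPLE_KLIST")" "$(ad_kvno "$SAMPLE_RODC_LDIF")" "$(ad_kvno "$SAMPLE_RWDC_LDIF")"
```

With the constructed samples the script prints rodc-stale, the replication-delay case described above; a result of keytab-stale points at the keytab rather than at replication.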
This can be verified by running ldapsearch with msDS-KeyVersionNumber.
Workaround:
Option 1:
If the computer account is NOT replicated to the RODC, it is easy to fix on the AD side: wait for replication so that the kvno values sync up.
Option 2:
On the Centrify agent side, the computer/machine password change can also be disabled (if acceptable).
Set the following parameter in /etc/centrifydc/centrifydc.conf
For users on Centrify version 4.4.4, please contact Centrify Support for a special build (one-off): Centrify DirectControl 4.4.4-576.
- Communication between client libraries and adclient is through Centrify's own protocol called "LRPC" (Lightweight Remote Procedure Call).
- Unlike real RPC protocols, LRPC communicates only between processes on the same system.
Additional reading about kvno: (Link provided as a courtesy)