Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4038: Deployment Manager not able to deploy software with an account with root privileges local to the server or NIS root account

Authentication Service ,  

12 April,16 at 11:13 AM

Applies to: All versions of Centrify Deployment Manager

Problem:
 

Using DM, it is not possible to deploy Centrify software using an account that has root privileges on a server that is running nis (legacy nis and not adnisd). It is possible to deploy the software using the systems local root account.
 
The nis account has full root access (it has uid of 0, gid of 0) to the systems and its possible to ssh into the machine with this nis account to the console.

Cause:

Deployment Manager/DM creates temporary folders on the target system(unix box) and copies the installation package in it. After that, DM makes sure that the data in the folder is not compromised and DM does some validation checking including the ownership of the folder.

In this environment, the user is (NIS user) and DM creates temporary folder and set ownership to the user (NIS user). When DM validates the ownership of the folder, the owner is  set to 'root'(because the NIS user is map to UID 0 in the local unix box). DM finds the owner is not the same and deletes the temporary folder, that cause the deployment to fail.

Workaround:

The working folder /var/centrifydm/tmp must be owned by the current user. The DM validates it by comparing the name of the user.  The ownership of the folder must be done by comparing the userid instead of user name

Centrify has fixed this issue with a special build (One-off  version is 5.1.2-387) to provide option to verify by uid instead of by user name. Support can be contacted for this version.

Note:  Suite 2014 has this fix.

Check the attached word doc for detail instruction on how to apply the fix. 
Attachments:
EMC_DM_one_off.docx

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6041: How to show current license type in use by adclient articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleKB-3925: How to add Centrify parameter to a group policy