Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4181: After upgrade to 5.1.2 if a .k5login exists, SSO is not possible with Centrify's OpenSSH

Centrify DirectControl ,  

12 April,16 at 11:07 AM

Problem:

After upgrading Centrify DirectControl from 5.1.1 or 5.0.x  to 5.1.2, if a .k5login exists in the AD user's home directory, SSO (Kerberos) is not possible with Centrify's OpenSSH. Is there any reason for this?

Cause:

This is by design to prevent a security hole. From windows the ticket is from samaccountname (which is not necessarily all lower case) if this does not match the ticket presented (case sensitivity), it is rejected. This is normal behavior for MIT Kerberos.

When we create user home directory, we create .k5login as part of the process. Now, if user had .k5login there, and it is not correct, the upgrade will expose the issue.

In CDC 5.1.2, we  fixed openssh to honor .k5login (first) if present.

Resolution:

Delete or rename existing .k5login file. The contents should have the upn (user principal name) of the AD user account. This should fix SSO/Kerberos for that account.

Addendum:
10/9/2014

Centrify DirectControl does added one more check:

A) We try to locate the Unix profile of the AD user (zone enabled) of the presented credential (UPN).
If the found profile shows the same unix user name matching the login account, then it is allowed. 
This is by and larger for convenience of customer that has mixed case samaccountname. 

B) The precedence is that if .k5login is present, it wins (this is the part that we fixed). Centrify Direct Control hook is not invoked at all. 
Otherwise, CDC hook gets its say after all other Kerberos checks have failed. 

Note:
CDC used to take precedence over .k5login. This causes issues and so, it is fixed so that now .k5login takes precedence.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-3925: How to add Centrify parameter to a group policy articleKB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out?