Applies to:
Centrify DirectControl 5.0.x and above on all platforms
Problem:
Inconsistencies in authorization across a zone are observed in a cross-domain forest. The inconsistency occurs against the same DC (meaning replication can be safely ruled out).
The groups are in one domain and the resources (servers) are in a different domain. Each domain has its own GC.
For role membership, a Universal group is used.
The authorization cache parameters are left at their default, which is 30 minutes. Running adflush -f helps, but not always.
Role assignments made to the group disappear and then reappear without any manual intervention.
Is there any reason why?
Cause:
After extensive troubleshooting, this issue was found to manifest under these circumstances:
a) When moving AD group objects (tied to roles) in the user domain from one container to another.
b) Changes to role assignment in the zone.
There is an issue with our code that is triggered by a Microsoft directory behaviour (cross-NC object references are only updated every 2 DAYS), described in the links below.
Because the role assignment has changed in the zone, the refresh fetches new data from AD to update the authorization cache.
Until the object reference in the role assignment is updated, AD returns the old reference link to the AD group, which therefore contains the incorrect (pre-move) DN of the AD group. The net result is an incorrect record in the dz.cache, which is reflected in the dzinfo output.
adflush will only work once the object reference has been updated. This interval is 2 days by default and cannot be changed (see the MS links).
References:
1) Cross-NC Object References
http://msdn.microsoft.com/en-us/library/cc223161.aspx
2) Reference Update
http://msdn.microsoft.com/en-us/library/dd240022.aspx
(extract below)
"In AD DS, attributes of attribute syntax Object (DS-DN), Object(DN-String), Object(DN-Binary), Object(Access-Point) and Object(OR-Name) can have attribute values that reference objects in an NC for which no NC replica is present on the server. The server does not get a replicated update when an object in the NC replica not present on the server is modified or deleted. In such a case, references to such objects will remain to an old dsname on the server. In order to update these kinds of references, a background task called reference update is run at regular intervals. By default, each reference is examined every two days."
Workaround:
Customers can change the parameter below in /etc/centrifydc/centrifydc.conf, for example:
adclient.cache.flush.interval.dz: 3600
This configuration parameter specifies the frequency (in seconds) with which the Centrify UNIX agent flushes its authorization cache. Note that this parameter only forces periodic updates to the authorization cache; it does not affect the agent's primary domain controller cache. The default value is 0, which completely disables periodic flushing of the authorization cache.
Then run adreload, which should rebuild the refreshed cache.
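The following is an added example, not Centrify's own code or tooling, of applying the workaround in a controlled way: it reads the value of adclient.cache.flush.interval.dz currently in effect, rewrites the file so that exactly one active line sets it, keeps a backup, and reports the new effective value. It assumes centrifydc.conf uses one "name: value" line per parameter with a leading '#' marking a comment (as in the snippet above), and the ".bak" backup name is the example's own choice. The sample configuration in the block is constructed.

```python
import re
import shutil
import tempfile
from pathlib import Path

PARAM = "adclient.cache.flush.interval.dz"
# centrifydc.conf keeps one "name: value" per line; a leading '#' comments the line out.
_LINE = re.compile(r"^\s*(?P<comment>#)?\s*" + re.escape(PARAM) + r"\s*:\s*(?P<value>\S+)\s*$")


def read_dz_flush_interval(conf_text: str) -> int:
    """Effective value of the parameter: the last active line wins; 0 (periodic
    flushing disabled, the documented default) when no active line is present."""
    value = 0
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if m and not m["comment"]:
            value = int(m["value"])
    return value


def set_dz_flush_interval(conf_text: str, seconds: int) -> str:
    """Return conf_text with the parameter set to `seconds`.

    The first active line is rewritten in place, further active duplicates are
    commented out so the result has exactly one effective setting, and commented
    examples are left untouched. If no active line exists, one is appended.
    """
    if seconds < 0:
        raise ValueError("interval must be a non-negative number of seconds")
    out = []
    replaced = False
    for line in conf_text.splitlines():
        m = _LINE.match(line)
        if m and not m["comment"]:
            if replaced:
                out.append("# " + line.strip())  # neutralise a duplicate active line
            else:
                out.append(f"{PARAM}: {seconds}")
                replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(f"{PARAM}: {seconds}")
    return "\n".join(out) + "\n"


def apply_to_file(conf_path: Path, seconds: int) -> int:
    """Back the file up as <name>.bak (this example's naming), rewrite it, and
    return the value now in effect. adreload still has to be run afterwards
    for adclient to pick the change up."""
    shutil.copy2(conf_path, conf_path.with_name(conf_path.name + ".bak"))
    conf_path.write_text(set_dz_flush_interval(conf_path.read_text(), seconds))
    return read_dz_flush_interval(conf_path.read_text())


# Constructed sample of the relevant part of a centrifydc.conf (not a real customer file).
SAMPLE_CONF = """\
# Centrify DirectControl agent configuration (constructed sample)
adclient.cache.flush.interval: 3600
#adclient.cache.flush.interval.dz: 0
adclient.cache.flush.interval.dz: 1800
adclient.cache.flush.interval.dz: 900
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        conf = Path(tmp) / "centrifydc.conf"
        conf.write_text(SAMPLE_CONF)
        print("before:", read_dz_flush_interval(SAMPLE_CONF))
        print("after: ", apply_to_file(conf, 3600))
        print(conf.read_text())
        print("now run: adreload")
```

The interval is a trade-off: every flush causes adclient to re-query AD for the zone's authorization data, so a short interval rolled out to many servers multiplies directory traffic, which is exactly the concern the Resolution section raises. Check what the file already says before lowering the value, and keep the backup until the change has been confirmed with adreload and dzinfo.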
Resolution:
Because the workaround parameter above can generate significant traffic if implemented across several servers, Centrify will improve the adclient code so that it retrieves the extended DN, which includes the SID/GUID of the AD group object, instead of the canonical group name.
Customers running into this issue can contact Support for a special build.
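To make the reasoning behind the resolution concrete, here is an added example (not Centrify's code and not the special build) that shows why matching a cached role assignment on the GUID/SID survives a container move while matching on the DN does not. It parses the string form returned by the LDAP extended-DN control, "<GUID=...>;<SID=...>;DN", which is the format the resolution refers to; the group names, GUID and SID values and the in-memory "directory" are constructed, and resolve_assignment is a stand-in for the cache lookup, not adclient's own logic.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Shape of a DN returned with the LDAP extended-DN control in string form:
#   <GUID=...>;<SID=...>;<distinguishedName>
# The <SID=...> part is present only for security principals (users, groups, computers).
_EXT_DN = re.compile(r"^<GUID=(?P<guid>[^>]+)>;(?:<SID=(?P<sid>[^>]+)>;)?(?P<dn>.+)$")


@dataclass(frozen=True)
class GroupRef:
    guid: str           # objectGUID: stable for the object's lifetime
    sid: Optional[str]  # objectSid: stable within the domain
    dn: str             # distinguishedName: changes whenever the object is moved or renamed


def parse_extended_dn(value: str) -> GroupRef:
    """Split an extended DN into its GUID, SID and plain DN components."""
    m = _EXT_DN.match(value)
    if not m:
        raise ValueError(f"not an extended DN: {value!r}")
    return GroupRef(guid=m["guid"].lower(), sid=m["sid"], dn=m["dn"])


def same_group(cached: GroupRef, current: GroupRef) -> bool:
    """Identity test that survives a container move: compare the GUID, and the SID
    when both references carry one. The DN is deliberately not consulted."""
    if cached.guid != current.guid:
        return False
    if cached.sid is not None and current.sid is not None:
        return cached.sid == current.sid
    return True


def resolve_assignment(cached_ref: str, directory: Dict[str, str], by: str) -> Optional[str]:
    """Look a cached role-assignment reference up in `directory` (a constructed
    stand-in for an LDAP search: current extended DN -> role name).

    by="dn" mimics matching on the distinguished name alone; by="identity"
    matches on GUID/SID, as the planned adclient change does. Returns the
    role name, or None when the reference no longer resolves.
    """
    cached = parse_extended_dn(cached_ref)
    for ext_dn, role in directory.items():
        current = parse_extended_dn(ext_dn)
        if by == "dn" and cached.dn == current.dn:
            return role
        if by == "identity" and same_group(cached, current):
            return role
    return None


# Constructed sample: the group was moved from OU=Old to OU=New in the user domain
# after the assignment was cached. GUID and SID are made-up values.
CACHED_REF = ("<GUID=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0>;"
              "<SID=S-1-5-21-1000000000-2000000000-3000000000-1105>;"
              "CN=unix-admins,OU=Old,DC=users,DC=example,DC=com")
CURRENT_DIRECTORY = {
    ("<GUID=0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0>;"
     "<SID=S-1-5-21-1000000000-2000000000-3000000000-1105>;"
     "CN=unix-admins,OU=New,DC=users,DC=example,DC=com"): "UNIX Admin",
}

if __name__ == "__main__":
    print("match by DN:      ", resolve_assignment(CACHED_REF, CURRENT_DIRECTORY, by="dn"))
    print("match by identity:", resolve_assignment(CACHED_REF, CURRENT_DIRECTORY, by="identity"))
```

Keying on the DN is what produces the symptom in the Problem section: the cached DN points at OU=Old, the directory now reports OU=New, and the assignment silently drops out until the reference-update task rewrites the stale DN. Keying on the GUID/SID also guards against the reverse mistake, where a group deleted and recreated under the same name would match by DN even though it is a different security principal.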