Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4226: dznfo and role privileges inconsistent

Authentication Service ,  

12 April,16 at 11:47 AM

Applies to:
 
Centrify DirectControl 5.0.x and above on all platforms
 
Problem:
 
Inconsistencies with authorization across a zone is observed in a cross-domain forest. The inconsistency is across the same DC (meaning replication can be safely ruled out).
 
The groups are in 1  domain and the resources (servers) are in a different domain. Each domain has its own GC.
 
For role membership, there is an Universal group.
 
The parameters for authorization are set to default which is 30 minutes. Running adflush -f does help but not always. 
 
Roles assignment which are assigned to group disappear and they re-appear again without any manual intervention. 
 
Is there any reason why?
 
Cause:
 
After extensive troubleshooting, this issue can manifest under these circumstances:
 
a) When moving AD group objects (tied to roles) in the user domain from one container to another.
 
b) Changes to role assignment in the zone.
 
There is an issue with our code as a result of a Microsoft object setting ( the reference is updated every 2 DAYS) which is mentioned in the below links.
 
Since the role assignment has changed in a zone, the refresh will fetch the new data from AD to update the authorization cache. 
Before the object reference in the role assignment is updated, AD will return the old reference link to the AD group and therefore will contain
incorrect DN of the AD group. The net result is an incorrect record in the dz.cache which is reflected in the dzinfo output. 
 
adflush will only work when the object reference is updated.This is set to 2 days by default and cannot be changed (see MS links)
 
References:
 
1) Cross-NC Object References 
 http://msdn.microsoft.com/en-us/library/cc223161.aspx
 
2) Reference Update - 
 
http://msdn.microsoft.com/en-us/library/dd240022.aspx
 
(or extract below)
 
"In AD DS, attributes of attribute syntax Object (DS-DN), Object(DN-String), Object(DN-Binary), Object(Access-Point) and Object(OR-Name) can have attribute  
values that reference objects in an NC for which no NC replica is present on  the server. The server does not get a replicated update when an object in the
NC replica not present on the server is modified or deleted. In such a case,   references to such objects will remain to an old dsname on the server.
In  order to update these kinds of references, a background task called reference    update is run at regular intervals. By default, each reference is examined
very two days."
 
Workaround:
 
Customers can change the below parameter in /etc/centrifydc/centrifydc.conf
 
This configuration parameter specifies the frequency (in seconds) with which the Centrify UNIX agent flushes its authorization cache. You should note that this parameter only forces periodic updates to the authorization cache. It does not affect the agent’s primary domain  controller cache. The default value is 0, which completely disables periodic flushing of the authorization  cache.
 
adclient.cache.flush.interval.dz: 3600 (for example)
 
Run adreload and this should help build the refreshed cache
 
Resolution:
 
Realizing the above workaround parameter can cause traffic if implemented across several servers, Centrify will improve the code for 
adclient to have the capability to get the extended dn which include SID/GUID of the AD Group object as opposed to the canonical group name.
 
Customers running into this issue can contact support for a special build..

Related Articles

 No related Articles