KB-4911: How to enable extended debug logging for capturing group policy issues

Centrify Identity Service, Mac Edition

12 April,16 at 11:44 AM

Applies to: Centrify DirectControl for Mac OS X

Question:

When working on group policy issues with Centrify Support, it is sometimes necessary to gather deeper-level debug logging from the processes being investigated.
What are the steps needed to enable the higher-level logging status?


Answer:

To trace extensive logging for group policy issues, the /etc/centrifydc/centrifydc.conf file needs to be edited to raise the trace level of specific policy mappers.

To enable detailed logging for all group policy issues use either of the following steps: 

Option 1: Enabling manually for a single machine:
  1. Log in to the Mac as Local Admin and open the config file for editing:
    • /etc/centrifydc/centrifydc.conf
  2. Add the following line to the bottom of the file:
    • log.gp.mappers: TRACE
  3. Save the file and then run:
    • sudo adreload
    • adinfo -c
  4. Make sure the added line now appears in the list of active parameters.
    • Once confirmed, Debug Mode can be enabled and the issue can be reproduced with enhanced logging enabled.
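
Option 1 as a repeatable script, given here as an added example rather than Centrify's own code. The function names are hypothetical, and it assumes `adinfo -c` lists active parameters in the same `name: value` form as the config file.

```shell
#!/bin/sh
# Added example (hypothetical helper names); run as root on the Mac.

# set_conf_param FILE NAME VALUE: set "NAME: VALUE" exactly once, replacing any
# existing uncommented entry for NAME or appending it at the bottom of FILE.
set_conf_param() {
    file=$1 name=$2 value=$3
    tmp=$(mktemp "${TMPDIR:-/tmp}/centrifydc.XXXXXX") || return 1
    awk -v name="$name" -v value="$value" '
        {
            pos = index($0, ":")
            key = (pos > 0) ? substr($0, 1, pos - 1) : ""
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            # Exact name match only: log.gp.mappers.certgp.pl is left alone.
            if (key == name) {
                if (!done) print name ": " value
                done = 1
                next
            }
            print
        }
        END { if (!done) print name ": " value }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a backup; writing with cat preserves the owner and mode of FILE.
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# param_is_active NAME VALUE: reads `adinfo -c` output on stdin.
# Assumption: active parameters are printed as "name: value" lines.
param_is_active() {
    awk -v name="$1" -v value="$2" '
        {
            pos = index($0, ":")
            if (pos == 0) next
            key = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name && val == value) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Usage, following steps 2 to 4 above:
#   set_conf_param /etc/centrifydc/centrifydc.conf log.gp.mappers TRACE
#   adreload
#   adinfo -c | param_is_active log.gp.mappers TRACE && echo "TRACE active"
```

Running it a second time leaves the file unchanged apart from refreshing the `.bak` copy, so it is safe to rerun before each debugging session.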



Option 2: Enabling via Group Policy for multiple machines:
  1. Enable the GP at:
    • Computer Configuration / Centrify Settings / DirectControl Settings / "Add centrifydc.conf properties" 

    • (If the DirectControl Settings folder cannot be seen, make sure the "centrifydc_settings.xml" template has been added into the GPO)
  2. Add the following entry:
    • Name: log.gp.mappers
    • Value: TRACE
  3. Save the GPO and refresh the GPs on the target machine(s) to apply the new configuration.




Notes:
  • The trace-level setting can also be applied to individual group policy mapper scripts for a more focussed logging output.
  • For example, to set the trace-level logging to debug certificate-related policy issues, use the following entries in /etc/centrifydc/centrifydc.conf:
    • log.gp.mappers.certgp.pl: TRACE
    • log.gp.mappers.certgp_mac.pl: TRACE 

    • Or via GP: [screenshot: User-added image]
  • The GP mapper scripts can be found under:
    • For versions 5.2.3 and below:
      • /usr/share/centrifydc/mappers/machine
      • /usr/share/centrifydc/mappers/user
    • For versions 5.2.4 and above:
      • /usr/local/share/centrifydc/mappers/machine
      • /usr/local/share/centrifydc/mappers/user
  • See the following KB for further info on troubleshooting group policy issues on Mac systems:
  • Once the logging level has been raised, the Mac Diagnostic Tool can be used to capture issues as normal:
