KB-50184: After upgrading to CentrifyDC 5.7.1, adclient crashes when trying to establish the NetLogon secure channel

Authentication Service

19 March 2021 at 02:50 PM

Problem:

After upgrading the CentrifyDC agent to 5.7.1, the adclient process keeps crashing.

The following messages, indicating an SMB timeout, may be seen in the Centrify debug log (/var/log/centrifydc.log):
 
Mar 04 15:55:33 filesvr02 adclient[21311]: DEBUG <bg-MAIN:UpdateOS> krb5.trace [21311] 1614894933.734570: Retrieving filesvr02$@acme.com from FILE:/etc/krb5.keytab (vno 0, enctype rc4-hmac) with result: 0/Success
Mar 04 15:55:33 filesvr02 adclient[21311]: DEBUG <bg-MAIN:UpdateOS> com.centrify.smb.smb2packet using path name 'NETLOGON' for SMB2.
Mar 04 15:56:03 filesvr02 adclient[21311]: DEBUG <bg-MAIN:UpdateOS> util.io.connectutil readWithTimeout(timeout=30.000000 length=4): Timeout waiting for response from 10.134.56.34:445
Mar 04 15:56:03 filesvr02 adclient[21311]: DEBUG <bg-MAIN:UpdateOS> util.except (BSDSockets) : BSDSockets::recv - Failed to received data from the socket (ret=-2)!!: Timer expired (reference ../smb/utils/bsdsockets.cpp:279 rc: 62)
Mar 04 15:56:03 filesvr02 adclient[21311]: DEBUG <bg-MAIN:UpdateOS> com.centrify.smb.smbclient SMB abort connect \\acmedc02.acme.com\IPC$


A similar SMB message may also be seen under the System Health section of the adinfo_support.txt output, or by running "adinfo -y health" from the command line:
 
===============System Health===================
    HealthStatus:    Unhealthy
    SubSystem:    SMB
    ErrCount:    1
    LastSet:    Thu Mar  4 16:12:45 2021
    LastReset:    Never
    LastCode:    62
    LastReason:    BSDSockets::recv - Failed to received data from the socket (ret=-2)!!: Timer expired
    LastOperation:    SMB Connect


Cause:

In CentrifyDC version 5.7.1, the default method for NetLogon negotiations with the Domain Controller was changed from GSSKerberos to SCHANNEL because of the Microsoft NetLogon vulnerability (CVE-2020-1472), so that spurious event ID 5829 messages would no longer be logged on the Domain Controller.

In this scenario, when adclient tried to establish the NetLogon secure channel (SCHANNEL), the Domain Controller, for an unknown reason, never sent an SMB response. adclient therefore timed out, and while the agent was aborting the SMB connection an exception was raised that caused the CentrifyDC agent to crash.


Workaround:

The CentrifyDC agent can be switched back to the GSSKerberos security mechanism for the MS-RPC NetLogon channel by adding the following parameter to the /etc/centrifydc/centrifydc.conf file:
 
adclient.netlogon.packet.security.type: 3

After adding the parameter and saving the file, run "adreload" for the setting to take effect.
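The workaround above as a small POSIX shell helper, added here as an example and not part of the Centrify KB: it sets the parameter idempotently (replacing an existing or commented-out line, or appending one), keeps a backup, and parses "adinfo -y health" style output for the Unhealthy SMB subsystem described earlier. The function names, the backup naming and the health-output parsing are assumptions of this example; only the config key, the value 3, adreload and adinfo are from the article.

```shell
#!/bin/sh
# Example helper (not Centrify's own code). Paths are parameters so the
# functions can be exercised on a copy before touching the live config.

CONF_KEY="adclient.netlogon.packet.security.type"   # key from the KB

# set_netlogon_security_type <conf-file> <value>
# Replaces an existing (possibly commented) line for the key, or appends one.
# A timestamped backup is written next to the file before any change.
set_netlogon_security_type() {
    conf="$1"; value="$2"
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$CONF_KEY[[:space:]]*:" "$conf"; then
        # sed -i differs between GNU and BSD; write via a temp file instead
        sed -E "s/^[[:space:]]*#?[[:space:]]*$CONF_KEY[[:space:]]*:.*/$CONF_KEY: $value/" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s: %s\n' "$CONF_KEY" "$value" >> "$conf"
    fi
}

# get_netlogon_security_type <conf-file>
# Prints the effective (uncommented) value, or nothing if the key is unset.
get_netlogon_security_type() {
    grep -E "^[[:space:]]*$CONF_KEY[[:space:]]*:" "$1" | tail -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//'
}

# smb_subsystem_unhealthy <health-output-file>
# Returns 0 when a System Health block (as printed by "adinfo -y health")
# shows HealthStatus Unhealthy for SubSystem SMB, 1 otherwise.
smb_subsystem_unhealthy() {
    awk '
        /HealthStatus:/ { status = $2 }
        /SubSystem:/    { if ($2 == "SMB" && status == "Unhealthy") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Typical use on a live system (as root), then re-check health:
#   set_netlogon_security_type /etc/centrifydc/centrifydc.conf 3 && adreload
#   adinfo -y health > /tmp/health.txt
#   smb_subsystem_unhealthy /tmp/health.txt && echo "SMB subsystem still unhealthy"
```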


Resolution:

This issue will be fixed in a future release of Centrify Infrastructure Services.


Note:
For more information on Centrify and the Microsoft NetLogon vulnerability (CVE-2020-1472), see the following KB:
KB-39695: Does vulnerability CVE-2020-1472 affect Centrify?