
KB-6344: User can unlock padlock with incorrect password

Centrify Identity Service, Mac Edition

12 April 2016 at 11:01 AM

Applies to: Centrify DirectControl 5.3 (Suite 2016) for Mac OS X

Problem:

On the Mac OS X client, an AD user without admin rights can unlock the padlock with an incorrect password. Consider an AD user whose CN/Name is "Alpha" and whose sAMAccountName is "Beta". On the Mac, create a local admin account called "Beta" (matching the AD sAMAccountName). Log in with the AD account Alpha; the padlock can then be unlocked simply by providing an incorrect password.

Cause:

Before authenticating, Centrify DirectControl checks whether the AD account conflicts with a local account, which is the case here. Once CDC determines that the local account is the same as the AD account, it hands authentication to the OS local database and ignores the password entirely. The OS, in turn, finds no local account matching the login name and skips authentication altogether.

Workaround:

Turn off the two parameters below (set them to false) in the /etc/centrifydc/centrifydc.conf file, so that Centrify DirectControl no longer looks up AD users by display name or CN:

adclient.user.lookup.cn: false
adclient.user.lookup.display: false
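As an added check (example code, not Centrify's), the script below parses a centrifydc.conf for the two parameters above and lists AD users that match the collision condition described under Cause: a sAMAccountName equal to a local account name while an enabled CN or display-name lookup lets the same user be addressed by another name. The configurations and account data it uses are constructed samples, and it assumes a lookup stays enabled unless explicitly set to false.

```python
# Added example (not Centrify's code): audit the KB-6344 collision condition.
# Assumes centrifydc.conf uses "key: value" lines with '#' comments, as shown in
# the article, and that a lookup stays enabled unless explicitly set to false.
from typing import Dict, Iterable, List, Tuple

LOOKUP_KEYS = {"cn": "adclient.user.lookup.cn", "displayName": "adclient.user.lookup.display"}

# Constructed sample configs: lookup keys absent (default) vs. the workaround.
DEFAULT_CONF = "# no lookup overrides\n"
WORKAROUND_CONF = "adclient.user.lookup.cn: false\nadclient.user.lookup.display: false\n"

# Constructed sample data; 'Beta'/'Alpha' mirror the article's scenario.
AD_USERS = [
    {"sAMAccountName": "Beta", "cn": "Alpha", "displayName": "Alpha Example"},
    {"sAMAccountName": "carol", "cn": "carol", "displayName": "Carol"},
    {"sAMAccountName": "dave", "cn": "Dave Jones", "displayName": "Dave Jones"},
]
LOCAL_ACCOUNTS = ["root", "Beta", "dave"]  # local admin 'Beta' as in the article


def parse_centrifydc_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines, dropping blanks and '#' comments."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip()
    return settings


def lookup_enabled(settings: Dict[str, str], key: str) -> bool:
    """Assumption: only an explicit 'false' disables a lookup."""
    return settings.get(key, "true").lower() != "false"


def find_at_risk_users(ad_users: Iterable[dict], local_accounts: Iterable[str],
                       settings: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(sAMAccountName, alias, attribute) for AD users whose sAMAccountName matches
    a local account yet can be addressed by a different CN/display name lookup."""
    local = {name.lower() for name in local_accounts}
    attrs = [a for a, key in LOOKUP_KEYS.items() if lookup_enabled(settings, key)]
    hits = []
    for user in ad_users:
        sam = user["sAMAccountName"]
        if sam.lower() not in local:
            continue  # no local/AD collision, so auth is not handed to the OS
        for attr in attrs:
            alias = user.get(attr, "")
            if alias and alias.lower() != sam.lower():
                hits.append((sam, alias, attr))
    return hits
```

Against a real host, feed `parse_centrifydc_conf(open("/etc/centrifydc/centrifydc.conf").read())` together with the machine's local account names and the relevant AD user attributes; an empty result for the workaround configuration shows the lookups are off, while the default configuration reports Beta/Alpha.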

Resolution:

This is fixed in Suite 2016.