KB-7419: Is there a way to force Centrify DirectAudit agent to use an alternate krb5.conf other than /etc/krb5.conf?
Auditing and Monitoring Service, 1 September 2016 at 02:59 PM
10/24/2016 4:49 PM
Applies To: All versions of Centrify DirectAudit
Question:
Is there a way to force Centrify DirectAudit agent to use an alternate krb5.conf other than /etc/krb5.conf?
Answer:
Two steps are required to accomplish this:
i) First, adclient must build a valid krb5.conf at an alternate location.
ii) Second, centrifyda must go to that alternate location to fetch KDC information.
Here is the procedure, assuming the alternate location for the krb5.conf file is /etc/centrifydc:
1) Before joining the domain, update the /etc/centrifydc/centrifydc.conf file to set
adclient.krb5.conf.file: /etc/centrifydc/krb5.conf
2) Run adjoin to join the domain. After the join, the /etc/centrifydc/krb5.conf file is built with the proper content and /etc/krb5.conf is not touched.
3) Modify the /etc/init.d/centrifyda startup script, changing the line
MSG=`dad $OPTIONS 2>&1`
to
MSG=`KRB5_CONFIG=/etc/centrifydc/krb5.conf dad $OPTIONS 2>&1`
4) Restart centrifyda
/etc/init.d/centrifyda restart
5) Run 'dainfo' to verify dad is online.
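One way to confirm that steps 1 to 3 agree with each other, as an added example that is not part of the original Centrify article. The function names are hypothetical, the default paths are the ones used above, and the parameter is assumed to use the "name: value" form shown in step 1; the permission check on the alternate krb5.conf is an extra hardening check, not a step from the article.

```shell
#!/bin/sh
# Added example: consistency check for the alternate krb5.conf procedure.
# Function names are hypothetical; default paths are the ones in this article.

# Value of adclient.krb5.conf.file in a centrifydc.conf. Commented-out lines
# are skipped because the pattern is anchored at the start of the line.
conf_krb5_path() {
    sed -n 's/^[[:space:]]*adclient\.krb5\.conf\.file[[:space:]]*:[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# KRB5_CONFIG value that the init script sets in front of the dad command.
init_krb5_path() {
    sed -n 's/^[^#]*KRB5_CONFIG=\([^[:space:]]*\)[[:space:]]\{1,\}dad[[:space:]].*/\1/p' "$1" |
        tail -n 1
}

# Usage: check_alt_krb5 [centrifydc.conf] [init script]; returns 0 when consistent.
check_alt_krb5() {
    dc_conf=${1:-/etc/centrifydc/centrifydc.conf}
    init_script=${2:-/etc/init.d/centrifyda}
    want=$(conf_krb5_path "$dc_conf")
    got=$(init_krb5_path "$init_script")
    if [ -z "$want" ]; then
        echo "FAIL: adclient.krb5.conf.file is not set in $dc_conf"; return 1
    fi
    if [ "$want" != "$got" ]; then
        echo "FAIL: adclient writes '$want' but dad is started with KRB5_CONFIG='$got'"; return 1
    fi
    if [ ! -r "$want" ]; then
        echo "FAIL: $want is missing or unreadable (was the host joined after step 1?)"; return 1
    fi
    # Whoever can edit this file chooses the KDCs dad talks to, so flag
    # group- or world-writable permissions (-L checks a symlink's target).
    if [ -n "$(find -L "$want" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL: $want is group- or world-writable"; return 1
    fi
    echo "OK: adclient and dad both use $want"
}

# Check the live paths only when asked to, e.g.  sh check_alt_krb5.sh check
if [ "${1:-}" = "check" ]; then check_alt_krb5; fi
```

A FAIL on the second test means dad would still read /etc/krb5.conf; run the check again after any change to /etc/init.d/centrifyda.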