Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8755: CentrifyDC fails to start due to a protection fault in libkrb5.so

Centrify DirectControl ,  

26 May,17 at 07:08 PM

Applies to: Centrify DirectCOntrol 5.4.0 on all supported platforms

Problem:
1. The “service centrifydc start” command takes a long time to complete.
2. Domain logins are not working.
3. Syslog includes errors such as below:
Mar 31 17:48:54 ldt-1774089.gfdl.noaa.gov kernel: traps: adclient[6612] general protection ip:7fc9cd19a99d sp:7ffcb72c5aa8 error:0 in libkrb5.so.3.3[7fc9cd164000+c9000]

Cause:
There is a bug in the process that  does the cleanup of non fips entries.
For adclient, the key is generated with nonfips allowed enctype cannot be used with FIPS mode is enable.
As long as fips.mode.enable: true is set in centrifydc.conf once adclient is restarted, adclient will run in compliant mode.

Workaround:
Please set the following parameter to false in /etc/centrifydc/centrifydc.conf
adclient.krb5.keytab.clean.nonfip.enctypes : false

Resolution:
This issue is fixed in the 2017.1 release.


 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-8867:Solaris Samba not able to connect with NT_STATUS_CONNECTION_DISCONNECTED and krb5_kt_start_seq_get failed (No such file or directory) error articleKB-6190: GetGCsForDomain failed due to a timeout in the RPC articleKB-5616: Cached logins may fail for the first few minutes when connected to external (non-domain) networks articleKB-4744: adnisd doesn't start up on zone reboots on Solaris 10 articleKB-7441: List of error codes Adclient and DAD daemons generated for Solaris and Linux clients articleKB-8065: SQL Server Reporting Services Service Start Timeout on Windows 2008R2 articleKB-2000: "addebug on" command fails with syslog ng installed articleKB-6055: Audit trail events and associated eventID information