There is a bug in cleaning up the Kerberos keytab during adclient startup.
Applies to: Centrify DirectControl 5.4.0 on all supported platforms
Problem:
1. The “service centrifydc start” command takes a long time to complete.
2. Domain logins are not working.
3. Syslog includes errors such as the following:
Mar 31 17:48:54 ldt-1774089.gfdl.noaa.gov kernel: traps: adclient[6612] general protection ip:7fc9cd19a99d sp:7ffcb72c5aa8 error:0 in libkrb5.so.3.3[7fc9cd164000+c9000]
Cause: There is a bug in the process that cleans up non-FIPS entries. For adclient, a key generated with an enctype that is not allowed under FIPS cannot be used when FIPS mode is enabled. As long as fips.mode.enable: true is set in centrifydc.conf, adclient will run in compliant mode once it is restarted.
Workaround: Please set the following parameter to false in /etc/centrifydc/centrifydc.conf:
adclient.krb5.keytab.clean.nonfip.enctypes : false
Resolution: This issue is fixed in the 2017.1 release.
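A triage check for the symptom and workaround described above, as an added example (not Centrify's code). The function names are hypothetical, the sample files are constructed (the trap line is modeled on the syslog entry above), and it assumes that comment lines start with '#' and that the last occurrence of a parameter wins.

```sh
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Print the value of parameter $2 in the "key: value" file $1.
# Assumption: comment lines start with '#' and the last occurrence wins.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, ":"); if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Count kernel trap lines where adclient faulted inside libkrb5.
krb5_trap_count() {
    grep -Ec 'traps: adclient\[[0-9]+\] general protection .* in libkrb5\.so' "$1" || true
}

# Summarise one host: $1 = centrifydc.conf, $2 = syslog file.
check_host() {
    traps=$(krb5_trap_count "$2")
    clean=$(conf_value "$1" adclient.krb5.keytab.clean.nonfip.enctypes)
    fips=$(conf_value "$1" fips.mode.enable)
    if [ "$clean" = "false" ]; then state=workaround-applied
    elif [ "${traps:-0}" -gt 0 ]; then state=crash-signature-seen
    else state=no-signature
    fi
    echo "$state traps=${traps:-0} fips=${fips:-unset}"
}

demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed sample config' 'fips.mode.enable: true' > "$d/conf"
    printf '%s\n' \
        'Mar 31 17:48:54 host.example kernel: traps: adclient[6612] general protection ip:7fc9cd19a99d sp:7ffcb72c5aa8 error:0 in libkrb5.so.3.3[7fc9cd164000+c9000]' \
        'Mar 31 17:49:01 host.example sshd[700]: Connection closed by 192.0.2.10' > "$d/log"
    check_host "$d/conf" "$d/log"    # before the workaround
    echo 'adclient.krb5.keytab.clean.nonfip.enctypes : false' >> "$d/conf"
    check_host "$d/conf" "$d/log"    # after the workaround
    rm -rf "$d"
}
demo
```

A crash-signature-seen result only means the log matches the symptom listed above; it does not confirm the installed DirectControl version.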