Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8755: CentrifyDC fails to start due to a protection fault in libkrb5.so

Centrify DirectControl ,  

26 May,17 at 07:08 PM

Applies to: Centrify DirectCOntrol 5.4.0 on all supported platforms

Problem:

1. The “service centrifydc start” command takes a long time to complete.
2. Domain logins are not working.
3. Syslog includes errors such as below:
Mar 31 17:48:54 ldt-1774089.gfdl.noaa.gov kernel: traps: adclient[6612] general protection ip:7fc9cd19a99d sp:7ffcb72c5aa8 error:0 in libkrb5.so.3.3[7fc9cd164000+c9000]

Cause:
There is a bug in the process that  does the cleanup of non fips entries.
For adclient, the key is generated with nonfips allowed enctype cannot be used with FIPS mode is enable.
As long as fips.mode.enable: true is set in centrifydc.conf once adclient is restarted, adclient will run in compliant mode.

Workaround:
Please set the following parameter to false in /etc/centrifydc/centrifydc.conf
adclient.krb5.keytab.clean.nonfip.enctypes : false

Resolution:
This issue is fixed in the 2017.1 release.


 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.