8 August,17 at 08:57 AM
Applies to: All versions of Centrify DirectControl
Question:
On the adjoined server AD user is able to change their password and sync it back to AD.
Is it possible to disable this function and not affect other services?
Answer:
This can be achieved by using following parameter in /etc/centrifydc/centrifydc.conf.
pam.allow.password.change: false
* Remember to run command 'adreload' to make above change effective.
With above parameter configured, both adpasswd and passwd will be blocked.
[administrator@rhel63 ~]$ adinfo -c | grep -i pam.allow.password.change
pam.allow.password.change: false
[administrator@rhel63 ~]$ adpasswd
Password change not permitted
[administrator@rhel63 ~]$ passwd
Changing password for user administrator.
Password change not permitted
passwd: Authentication token manipulation error
KB-6040: How to change the license type in use after adclient successful joined to the AD?
KB-6041: How to show current license type in use by adclient?
KB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role?
KB-6038: How to specify the license type to use when joining the server to AD using adjoin?
KB-6056: How to report the group policy settings that are in effect for the local computer?
KB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)
KB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out?
KB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?
KB-1871: How to disable SAP SNC user password request reset