Applies to: Centrify Mac agent version 5.4.0
User and machine certificates cannot be distributed to the Mac, either via GP or manually with the adcert command. The following error message appears in centrifydc.log:
Jul 19 09:08:57 MacBook-A adcert: WARN cli.adcert Error while issuing a certificate for MacCert: certificate request failed on CA [IVAN15.LAB]: NetBuf::chkEOB - Attempt to access past end of buffer!!
Centrify uses MS-RPC with the GSSAPI/Kerberos authentication mechanism to request the certificate.
The Kerberos library in version 5.4.0 has a bug when decrypting the MS-RPC response from the certificate server, which is encrypted using the GSSAPI mechanism. The issue occurs when RC4 or DES is used; RC4 is the default enctype used by CDC when the DFL is Windows 2003 or Windows 2003 R2.
Starting from a Windows Server 2008 DFL, and assuming the certificate server also runs on a 2k8 machine, the AES enctype is used and this issue does not occur.
Therefore, the problem only exists on AD domains with a DFL of Windows Server 2003 or Windows Server 2003 R2.
The problem does not exist on AD domains with a DFL of Windows Server 2008 or above.
This issue has been fixed in the later version Suite 2017.2 (5.4.2).
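To find which Macs are hitting this error, the following added example (not Centrify code) scans centrifydc.log lines for the adcert failure quoted above and separates it from other certificate request failures. The function name, the field names and every sample line except the first are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line layout follows the centrifydc.log entry quoted in this article.
ADCERT_FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) adcert: "
    r"\w+\s+cli\.adcert Error while issuing a certificate for (?P<cert>[^:]+): "
    r"certificate request failed on CA \[(?P<ca>[^\]]+)\]: (?P<reason>.*)$"
)
# Error text that the article ties to the 5.4.0 Kerberos library bug.
SIGNATURE = "NetBuf::chkEOB - Attempt to access past end of buffer"


def triage(lines):
    """Split adcert failures into the known buffer error and everything else.

    Returns (known, other): known maps (host, CA) to the sorted certificate
    names that failed with the signature; other lists the remaining failures
    so they are not mistaken for this issue.
    """
    known = defaultdict(set)
    other = []
    for line in lines:
        m = ADCERT_FAILURE.match(line.strip())
        if not m:
            continue  # not an adcert issuance failure
        if SIGNATURE in m["reason"]:
            known[(m["host"], m["ca"])].add(m["cert"])
        else:
            other.append((m["host"], m["ca"], m["cert"], m["reason"]))
    return {key: sorted(certs) for key, certs in known.items()}, other


# First line is the entry from the article; the other three are constructed.
SAMPLE_LOG = """\
Jul 19 09:08:57 MacBook-A adcert: WARN cli.adcert Error while issuing a certificate for MacCert: certificate request failed on CA [IVAN15.LAB]: NetBuf::chkEOB - Attempt to access past end of buffer!!
Jul 19 09:08:59 MacBook-A adcert: WARN cli.adcert Error while issuing a certificate for UserCert: certificate request failed on CA [IVAN15.LAB]: NetBuf::chkEOB - Attempt to access past end of buffer!!
Jul 19 09:09:01 MacBook-B adcert: WARN cli.adcert Error while issuing a certificate for MacCert: certificate request failed on CA [IVAN15.LAB]: access denied
Jul 19 09:09:05 MacBook-A adclient: INFO heartbeat
"""

if __name__ == "__main__":
    known, other = triage(SAMPLE_LOG.splitlines())
    for (host, ca), certs in known.items():
        print(f"{host}: buffer error from CA {ca} for {', '.join(certs)}")
    for host, ca, cert, reason in other:
        print(f"{host}: different adcert failure for {cert} on {ca}: {reason}")
```

A match only shows the error text; it points to this issue when the agent is version 5.4.0 and the domain's DFL is Windows Server 2003 or 2003 R2.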