Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-9895: Buffer issue denied Mac from fetching certificates from CA

12 February,18 at 12:10 PM

Applies to: Centrify Mac agent version 5.4.0

Problem:
 
Unable to distribute User and Machine certificate onto the Mac via GP or manually with adcert command, as shown with the following error message at the centrifydc.log:

Jul 19 09:08:57 MacBook-A adcert[6393]: WARN cli.adcert Error while issuing a certificate for MacCert: certificate request failed on CA [IVAN15.LAB]: NetBuf::chkEOB - Attempt to access past end of buffer!!

Cause:
 
Centrify uses MS-RPC, using GSSAPI/Kerberos auth mechanism, to request the certificate.
And, there's a bug in the kerberos library in 5.4.0 version when decrypt the MS-RPC response, which was encrypted using GSSAPI mechanism, from the cert server. The issue exist when RC4 or DES is used , where RC4 is the default enctype used by CDC when the DFL is Windows 2003 or Windows 2003 R2.

Starting from Windows 2008 Server DFL , assuming the certificate server also run on 2k8 machine, then AES enctype will be used, and this issue will not exist.

Therefore, The problem only exist on AD domain with DFL Windows Server 2003 or Windows Server 2003 R2.
The problem does not exist on AD Domain with DFL Windows Server 2008 or above.
 
Solution:
This issue has been fixed in later version Suite 2017.2 (5.4.2)

 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.