Applies to: All version of Centrify Infrastructure Services before Suite 2018.1
Problem: On OS RHEL/Centos7 where smart card is used for authentication, the user is able to login successfully but do receive the following error message from SELINUX:
====================================================================== SELinux is preventing /usr/bin/sctool from unlink access on the file krb5cc_1992295514. Plugin catchall (100. confidence) suggests ************************** If you believe that sctool should be allowed unlink access on the krb5cc_1992295514 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. [truncated] ======================================================================
Root cause: The error message is due to access denied when sctool is attempting to clear user Kerberos cache krb5cc_*. If the above occurs, adclient is not able to run PKINIT for pre-authentication to replace the Kerberos cache with the new ticket.
Workaround: Allow sctool to have access on unlinking krb5cc_* file on SELINX policy. Please download attachment and untar the files on the server, then execute below command with root privilege: # semodule -i sctool.pp
Resolution: This policy issue will be fixed in Suite 2018.1 release.