Centrify® Server Suite 2016 DirectControl® 5.3.0 Release Notes

© 2004-2016 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

 

Table of Contents

1. About This Release

2. Feature Changes

2.1. Feature Changes in DirectControl 5.3.0 Update (Suite 2016)

2.2. Feature Changes in DirectControl 5.3.0 (Suite 2016)

New Features

General

DirectManage Access Manager

Report Center

Access Module for PowerShell

Zone Provisioning Agent

Deployment Manager

Group Policies

Deployment Report

adedit

Centrify LDAP Proxy

Centrify OpenSSH

Supported Platforms

2.3. Feature Changes in DirectControl 5.2.3 (Suite 2015.1)

DirectControl Agent

DirectManage Access Manager

Access Module for PowerShell

Deployment Manager

Group Policies

Deployment Report

adedit

Centrify LDAP Proxy

Centrify OpenSSH

Supported Platforms

2.4. Feature Changes in DirectControl 5.2.2 (Suite 2015)

DirectControl Agent

DirectManage Access Manager

Zone Provisioning Agent

adedit

Centrify OpenSSH

Supported Platforms

2.5. Feature Changes in DirectControl 5.2.1 (Suite 2015)

2.6. Feature Changes in DirectControl 5.2.0 (Suite 2014.1)

DirectControl Agent

DirectManage Access Manager

Deployment Report

Supported Platforms

3. Bugs Fixed

3.1. Bugs Fixed in Centrify DirectControl 5.3.0 (Suite 2016)

DirectControl Agent

DirectManage Access Manager

Access Module for PowerShell

Group Policies

adedit

Centrify Network Information Service

Centrify LDAP Proxy

Centrify OpenSSH

3.2. Bugs Fixed in Centrify DirectControl 5.2.3 (Suite 2015.1)

DirectControl Agent

DirectManage Access Manager

Access Module for PowerShell

adedit

Centrify LDAP Proxy

Centrify OpenSSH

3.3. Bugs Fixed in Centrify DirectControl 5.2.2 (Suite 2015)

DirectControl Agent

DirectManage Access Manager

Access Module for PowerShell

Deployment Report

adedit

Zone Provisioning Agent

Centrify LDAP Proxy

Centrify OpenSSH

3.4. Bugs Fixed in Centrify DirectControl 5.2.1 (Suite 2015)

DirectControl Agent

3.5. Bugs Fixed in Centrify DirectControl 5.2.0 (Suite 2014.1)

DirectControl Agent

DirectManage Access Manager

adedit

Centrify OpenSSH

4. Known Issues

DirectControl Agent

DirectAuthorize on Linux/UNIX

DirectControl Auto Zone mode

Smart Card

DirectManage Access Manager

Report Center

Report Services

Access Module for PowerShell

Zone Migration

Group policies

Centrify Network Information Service

Centrify LDAP Proxy

Centrify OpenSSH

Interoperability with Centrify Samba

5. Additional Information and Support

 

 

1.     About This Release

 

Centrify Server Suite featuring DirectControl centralizes authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication, enabling use of Windows Group Policy and single sign-on. With Centrify Server Suite, enterprises can easily migrate and manage complex UNIX, Linux and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. DirectControl, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. Centrify's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

 

An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available in the Centrify Knowledge Base.

 

The Centrify Server Suite release notes and documents are available online at http://docs.centrify.com.

 

Centrify software is protected by U.S. Patent No. 7,591,005, 8,024,360, 8,321,523, 9,015,103 B2 and 9,112,846.

2.     Feature Changes

 

For a complete list of supported platforms in all DirectControl releases, refer to the “Centrify Server Suite, Standard Edition” section in the document available from www.centrify.com/platforms.

2.1.          Feature Changes in DirectControl 5.3.0 Update (Suite 2016)

DirectControl 5.3.0 was updated in March 2016 to fix the following DirectAudit issue: when a system is under high CPU utilization, communication between the Centrify DirectControl and Centrify DirectAudit agents may time out while the communication channel remains open. The DirectAudit agent then processes an incorrect response to its request. This occurs only in the DirectAudit *NIX agent and only when DirectAudit NSS auditing is enabled. The fix in this version of DirectControl and DirectAudit closes the communication channel between the two agents on timeouts and error conditions.

Centrify strongly recommends that customers who use the DirectAudit NSS auditing capability upgrade to this version of DirectControl and DirectAudit across their organization. If you do not use DirectAudit, or do not enable DirectAudit NSS auditing, there is no need to upgrade to this version of DirectControl.

2.2.          Feature Changes in DirectControl 5.3.0 (Suite 2016)

New Features

·          Multi-Factor Authentication (MFA)

MFA is supported for Active Directory users in hierarchical zones on Linux systems. MFA can be required for all PAM applications (including login) and for the execution of dzdo commands. The “Require multi-factor authentication” system right and the “required MFA for Login” role are added to support the MFA requirement for login and PAM applications. You can also require MFA as the re-authentication mechanism in a UNIX command right.

For details, refer to the Administrator’s Guide for Linux and UNIX and the Configuration and Tuning Reference Guide. (Ref: CS-36181, CS-36455, CS-38550, CS-38708, CS-38804)

Note:

·         The version of Centrify Cloud connector required is 15.11.137 or above. (Ref: CS-38574).

·         If a user is configured to require MFA for login, the user cannot log in while the Linux system cannot reach Centrify Cloud through the Centrify Cloud Connector. An exception is made for users who also have the effective “rescue/always permit login” system right; such users can still log in in this situation. Note that “rescue/always permit login” affects both DirectAudit and MFA. Regardless of whether the “rescue/always permit login” system right is effective for a user, all dzdo commands that require MFA are always denied while Centrify Cloud is not reachable from the Linux system. (Ref: CS-36248)

·         If an Active Directory user is configured to use both a password and MFA for login or for a dzdo command, the DirectControl Agent always continues to the MFA step regardless of whether the password was correct. The user cannot log in or continue with dzdo unless both mechanisms succeed. This is done for security reasons: the flow does not reveal whether the password alone was accepted. (Ref: CS-36494)

·         The DirectControl Agent ignores the "Challenge Pass-Through Duration" option under the "Authentication Profile" setting in the Centrify Cloud Manager Portal. The user is always challenged. This behavior is the same as setting the option to "No Pass-Through". (Ref: CS-38592)

·          Local Account Management

 

Starting from Suite 2016, you can also use Active Directory to manage local user, local group and local service accounts in hierarchical zones.  For details, refer to the Administrator’s Guide for Linux and UNIX. (Ref: CS-35503)

·          Report Services

 

Centrify Report Services, packaged with DirectManage Access, greatly improves report performance by reading the data from a SQL database instead of querying the Active Directory via LDAP. You can schedule to synchronize the Active Directory information periodically to your reporting database, and the report service will populate views based on the data in tables, creating a default set of Access Manager reports as well as SOX and PCI attestation reports. You can also create custom reports based on these views. 

Note: There is a significant difference from the Access Manager Report Center in that you need to install only one instance of Centrify Report Services per Active Directory forest. There is also no need for auditors to install any Centrify software to view the reports because the SSRS reports are Internet Explorer browser-based. (Ref: CS-36440)

Please refer to the Report Administrator’s Guide for details.

For Report Services Early Access customers, the view ReportView.UserAccount from the Suite 2016 Early Access release is no longer available. The same data can be accessed through the view ReportView.ADUser, to which new columns have been added to provide the additional information that was previously available in ReportView.UserAccount. ReportView.ADUser lists only Active Directory users, not local users. Please contact Centrify Technical Support if you need more information about this change. (Ref: CS-38602)

General

·          A new system right, “User is visible”, is introduced. If a role assignment contains this right, the user is visible to all computers in the scope of the role assignment (zone, computer role, or computer). Like the other rights, the visible right is additive: when a user is assigned a set of roles, the user becomes visible in the zone as long as at least one of those roles has the visible right set to true. (Ref: CS-35921)

o    dzinfo is enhanced to show whether the user’s effective rights contains the visible flag or not. (Ref: CS-36105)

·          An option is added to select between the RFC 2307 and Microsoft SFU (Services for UNIX) schemas. (Ref: CS-34973)

 

Scripts and Command Line Utilities

·          adinfo -y, --sysinfo is enhanced to accept the ‘cloud’ keyword, which shows information related to MFA support. This is supported on Linux only. (Ref: CS-38926)

·          A new CLI, admanagelocal, is added to manage local user and group accounts. (Ref: CS-35503, CS-36096)

·          adkeytab -t, --pwdtime is added to report the last password change attempt time and results. (Ref: CS-35847)

·          adflush -c, --connectors is added to flush the cloud connector information cached by the DirectControl Agent. This is supported on Linux only. (Ref: CS-38920)

Smart Card and Certificate Management

·          OpenSSL is upgraded to 0.9.8zg in this release. (Ref: CS-35922)

·          cURL is upgraded to 7.44.0 in this release. (Ref: CS-35702)

·          On Centrify-managed RHEL systems, the agent can now append the CA root certificate to the system default store, /etc/pki/tls/certs/ca-bundle.crt. (Ref: CS-38412)

Configuration Parameters

·        centrifydc.conf has been updated:

New Parameters:

-    adclient.cloud.auth.token.max: This parameter specifies the maximum number of cloud authentication requests that can be processed simultaneously.  The default is 10. (Ref: CS-36247)

-    adclient.krb5.password.change.verify.retries: This parameter controls how many times adkeytab tries to verify password changes running in the background.  The default is zero (no attempts). (Ref: CS-35847)

-    adclient.krb5.password.change.verify.interval: This parameter controls how long (in seconds) adkeytab waits between attempts to verify passwords. The default is 300 seconds (five minutes). (Ref: CS-35847)

-    adclient.krb5.principal.lower: This parameter controls whether the principal name in Kerberos ticket should be converted to lowercase.  The default is false. (Ref: CC-32641)

-    adclient.local.account.manage: This parameter specifies whether the DirectControl Agent should manage local user and local group accounts on computers where the agent is installed.  The default is true. (Ref: CS-36096)

-    adclient.local.account.notification.cli: When this parameter is configured, the DirectControl Agent invokes the specified executable in a separate process and passes it the comma-separated list of UNIX names for further processing. The default is "". (Ref: CS-36409)

-    adclient.refresh.interval.dz: This configuration parameter specifies the maximum number of minutes to keep access control (DirectAuthorize) information in the authorization cache before refreshing the data from Active Directory.  If local account management feature is enabled, this configuration parameter also specifies how often /etc/passwd and /etc/group are updated on individual computers based on the local user and local group settings configured in Access Manager.

-    adclient.skip.unused.outbound.trusts: This configuration parameter specifies whether you want to prevent the DirectControl Agent from sending network queries to outbound trust domains that do not have users in Centrify zones.  The default is false. (Ref: CS-35705)

-    cloud.connector.refresh.interval: This parameter specifies how frequently (in hours) a background process will be run to search for the nearest available cloud connector to use for connectivity to Centrify Cloud service.  The default is 8 hours. (Ref: CS-36181)

-    pam.homedir.create.follow.symlink: If this parameter is set to true, the DirectControl Agent de-references symbolic links in the skeleton directory (/etc/skel) and copies their targets when creating the home directory for an Active Directory user. If it is set to false, only the symlinks themselves are copied. The default is true. (Ref: CS-30646)

-    pam.mfa.program.ignore: Use this parameter to specify a list of programs that do not support or require Multi-Factor Authentication. The default value is "vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd" (Ref: CS-36192, CS-39101)

-    pam.setcred.program.create.creds: This parameter specifies the list of programs for which the DirectControl Agent always creates a new krb5ccache and updates KRB5CCNAME in PAM sessions. The default list contains only 'su'. (Ref: CS-36029)

Updated Parameters:

-    adclient.ldap.packet.encrypt: (Ref: CS-33456)

SignOnly is a new security option added in this release. When set, all LDAP traffic is required to be signed (but not encrypted) to ensure packet integrity. Signing protects against tampering only; query and result contents remain readable on the wire, so choose a setting that encrypts where confidentiality is also required.

-    adclient.krb5.conf.file.custom: (Ref: CS-35645)

This release adds the following additional directives for the adclient.krb5.conf.file.custom configuration parameter.  Please note that these sections are copied as-is from the custom krb5.conf:

o    [login]

o    [logging]

o    [dbdefaults]

o    [dbmodules]

o    [kdcdefaults]

o    [kdc]

o    [kadmin]

o    [password_quality]

o    [otp]

Obsolete Parameters:

-    none

Refer to the Configuration and Tuning Reference Guide for details.

DirectManage Access Manager

 

·          If you install DirectManage Access Manager and Access Module for PowerShell on Windows 7 or Windows Server 2008 R2, you need to install SP1 or above for Windows 7 or Windows Server 2008 R2 starting from this release. (Ref: CS-36146)

·          DirectManage Access no longer installs documentation and release notes starting from Suite 2016. You can find them in the ISO Documentation folder or at http://docs.centrify.com. (Ref: CS-36401)

·          This release introduces the “user is visible” system right, which controls whether a user is visible to all computers in a zone. By default, a user is visible in any newly created role and also in roles created before Suite 2016. (Ref: CS-36007)

·          This release provides support for managed service accounts (MSA), which were made available in Windows 7 and Windows Server 2008 R2. Access Manager is also enhanced to support delegating zone control to an MSA. (Ref: CS-34492)

·          From the Access Manager result pane, you can now select multiple zones and apply the "Delegate Zone Control ..." action to them.  If different zone types are selected, then only the common tasks will be enabled. (Ref: CS-33843)

·          The “Generate Centrify Recommended Deployment Structure” Wizard is now merged with the Setup Wizard. So a user will be able to create deployment structure under the domain root object or from the organization unit object before running the Setup Wizard. (Ref: CS-35392, CS-35393)

Report Center

·         Report Center is now deprecated and will be removed in future Centrify Server Suite.  It is no longer displayed by default in the Access Manager tree node but can be made available via the drop down menu and context menu.  Report Center is being replaced by the Report Services in Suite 2016. (Ref: CS-36388)

Access Module for PowerShell

·         Access Module for PowerShell is built on .NET Framework 4.5 starting from this release. It requires PowerShell v4 or above to run. (Ref: CS-36376)

·         You can use Access Module for PowerShell to configure settings for Zone Provisioning Agent (ZPA). There is a new object type 'CdmZpaSetting' (Ref: CS-34792)

o   A cmdlet named 'Get-CdmZpaSetting' is added with the following parameters: DN, Name, Domain

o   A cmdlet named 'Set-CdmZpaSetting' is added with the following parameters: Zone, UserUid, UserName, UserShell, UserHomeDirectory, UserPrimaryGroup, UserGecos, GroupGid, GroupName, UserSource, GroupSource, IgnoreDisabledAccount, EnableUserProvisioning, EnableGroupProvisioning, GroupPriority

·         Add support for user visible system right in role definition. User can set the right using the New-CdmRole and Set-CdmRole cmdlet. (Ref: CS-36058)

·         Get-CdmManagedComputer is enhanced to show two more new properties (Ref: CS-34190, CS-35028):

o   Preferred Site: <the site that the machine is connected to>

o   Subnet Site: <the site that the machine should be connected to>

Zone Provisioning Agent

 

·          Starting from this release, you can now select managed service accounts (MSA) and group managed service accounts (gMSA) as the provisioning service account. (Ref: CS-34492)

Deployment Manager

 

·          Deployment Manager has been updated to version 5.3.0.  Please refer to the Deployment Manager release notes for information on enhancements and bug fixes in this release.

Group Policies

 

·          Starting from this release, group policies in ADMX (Administrative Template File XML based) format are shipped and ADM (Administrative Template File) format will not be provided. (Ref: CS-6821, CS-30836)

Deployment Report

 

·          Installation information for the Centrify Suite Enterprise Edition is now stored in Active Directory in addition to the existing DirectAudit database. This allows an authenticated Active Directory user to run Deployment Report without having to provide the DirectAudit database credential. (Ref: CS-36265)

·          New usage count information grouped by Server/Workstation license type is added to the Deployment Summary section of the report. (Ref: CS-38619)

adedit

 

·          adedit is enhanced to support local users and local groups with the following new function calls: (Ref: CS-36090, CS-38488)

o    list_local_users_profile

o    new_local_user_profile <UNIX user name>

o    select_local_user_profile <UNIX user name>

o    delete_local_user_profile <UNIX user name>

o    get_local_user_profile

o    get_local_user_profile_field <field name>

o    set_local_user_profile_field <field name> <value>

o    save_local_user_profile

o    list_local_groups_profile

o    new_local_group_profile <UNIX group name>

o    get_local_group_profile

o    select_local_group_profile <UNIX group name>

o    delete_local_group_profile <UNIX group name>

o    get_local_group_profile_field <field name>

o    set_local_group_profile_field <field name> <value>

o    save_local_group_profile

Refer to adedit Administrator’s guide for usage and details.

·          CreateRole function adds a Boolean input parameter, visible, to indicate whether the visible system right is enabled when this role is created. (Ref: CS-36066)

·          The “get_zone_field parent” function adds the new option "-raw" in the TCL ade_lib library to return the parentLink in <GUID>@<DOMAIN> format. This is for hierarchical zone only. (Ref: CS-31010)

·          The “get_zone_field cloudurl” function returns the name of the cloud instance associated with the selected hierarchical zone. (Ref: CS-39190)

·          The “set_zone_field cloudurl <value>” function sets the name of the cloud instance associated with the selected hierarchical zone. (Ref: CS-39190)

·          The get_zone_field and set_zone_field functions are enhanced to support computer zone: (Ref: CS-35950)

o    get_zone_field dn: returns the Distinguished Name (DN) of the current msDS-AzScope Active Directory object associated with the computer zone.

o    get_zone_field description: returns the computer zone description.

o    set_zone_field description <value>: sets the Active Directory description attribute for the msds-AzScope object.

·          There is a new TCL script, adlistnismaps which can be found in /usr/share/centrifydc/adedit directory. It lists the NIS maps stored in Centrify zones. Please refer to adauto.pl and adautouser.pl scripts for its usage. (Ref: CS-36021)

Centrify LDAP Proxy

 

·          ldapsearch adds extendedDN to the -e or -E option to return the extended distinguished name of the object. (Ref: CS-36318)

Centrify OpenSSH

 

·          Centrify OpenSSH 5.3.0 is upgraded to OpenSSH 7.1p1. Unlike the stock OpenSSH, Centrify OpenSSH still supports SSH version 1 protocol in this version. (Ref: CS-8245)

In addition, there are a few behavior changes from Centrify OpenSSH 5.2.3, which is based on OpenSSH 6.7p1:

o    The default for the sshd_config(5) PermitRootLogin option is changed from "yes" to "prohibit-password".

o    Support for ssh-dss and ssh-dss-cert-* host and user keys is disabled by default at run-time. This means that users whose public key is a DSA (ssh-dss) key can no longer log in by default; RSA keys are unaffected.

o    UseDNS now defaults to 'no'.

o    Support for the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default at run-time.

o    Support for tcpwrappers/libwrap is removed.

For details, refer to the stock OpenSSH 7.1p1 release notes.

·          A new keyword, 'Krb5ccUnique' is added to Centrify sshd_config to specify whether Centrify sshd should generate a unique credential cache name when storing the Kerberos credentials cache.  The default is “yes” (enabled). If it is “no” (disabled), the old style credential cache name, krb5cc_<uid> or KCM:<uid>, is used. (Ref: CS-8250)

·          Starting with Suite 2016, install.sh no longer installs Centrify OpenSSH by default. To install it, use the Custom installation option. If Centrify OpenSSH is already installed, it is upgraded automatically. (Ref: CS-32389, CS-38266)

Note that you still need to install Centrify OpenSSH on AIX in the following cases:

o    If you use DirectAudit. Otherwise local users will not be audited.

o    If you have local user and AD user with the same name but different UNIX profiles. Centrify OpenSSH will resolve this whereas AIX SSH will not handle this.
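
The following script is an added example and is not part of these release notes or of Centrify's own tooling. It audits an sshd_config for directives that reverse the OpenSSH 7.1p1 defaults listed above (PermitRootLogin, ssh-dss keys, diffie-hellman-group1-sha1, UseDNS) and flags SSH protocol 1 if it has been turned on, which matters because Centrify OpenSSH still ships protocol 1 support. It assumes the usual "Keyword value" directive form and stops at the first Match block, as sshd does for global settings; the configuration it audits is constructed for the example.

```sh
#!/bin/sh
# Added example (not Centrify code): report sshd_config directives that undo
# the OpenSSH 7.1p1 defaults described above. Findings are printed one per
# line and counted in SSHD_FINDINGS.

# Print the effective value of a directive. sshd uses the first occurrence of
# a keyword, keywords are case-insensitive, comments and blank lines are
# skipped, and everything after the first "Match" line is conditional, so
# parsing stops there. Assumes the "Keyword value" form (not "Keyword=value").
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")   # drop the keyword
            sub(/[ \t]+$/, "")                 # and trailing blanks
            print
            exit
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

note() { echo "$1"; SSHD_FINDINGS=$((SSHD_FINDINGS + 1)); }

audit_sshd_config() {
    SSHD_FINDINGS=0

    case "$(lower "$(sshd_directive "$1" PermitRootLogin)")" in
        yes) note "PermitRootLogin yes: root may log in with a password (7.1p1 default: prohibit-password)" ;;
    esac

    # An explicit algorithm list replaces the run-time defaults that left
    # ssh-dss and diffie-hellman-group1-sha1 out; "+ssh-dss" appends to them.
    for kw in HostKeyAlgorithms PubkeyAcceptedKeyTypes; do
        case "$(sshd_directive "$1" "$kw")" in
            *ssh-dss*) note "$kw re-enables ssh-dss (DSA) keys" ;;
        esac
    done
    case "$(sshd_directive "$1" KexAlgorithms)" in
        *diffie-hellman-group1-sha1*) note "KexAlgorithms re-enables 1024-bit diffie-hellman-group1-sha1" ;;
    esac

    # Centrify OpenSSH still builds in protocol 1; flag it if it is turned on.
    case "$(sshd_directive "$1" Protocol)" in
        *1*) note "Protocol enables SSH version 1" ;;
    esac

    case "$(lower "$(sshd_directive "$1" UseDNS)")" in
        yes) note "UseDNS yes: reverse-DNS lookup on every connection (7.1p1 default: no)" ;;
    esac
    return 0
}

# Constructed sample: settings carried over from a 6.7p1-era deployment.
demo_sshd_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# kept from the old install
Protocol 2
PermitRootLogin yes
PubkeyAcceptedKeyTypes +ssh-dss
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
UseDNS no
Match User backup
    PermitRootLogin no
EOF
    audit_sshd_config "$tmp"
    rm -f "$tmp"
    echo "findings: $SSHD_FINDINGS"
}
demo_sshd_audit
```

After the upgrade, run audit_sshd_config against the Centrify sshd_config (the path depends on your installation; /etc/centrifydc/ssh/sshd_config is assumed here). An empty report means nothing in the file re-enables the weakened defaults; if users with DSA keys must keep working, the report shows exactly which directive is carrying that exception.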

Supported Platforms

 

·          Support has been added for the following operating systems (Ref: CS-7155, CS-36163, CS-36361, CS-36418):

-  Windows 10 (x86_64)

-  Mac OS X 10.11 (x86_64)

-  Fedora 23 (x86, x86_64)

-  CentOS 6.7 (x86, x86_64)

-  Oracle Enterprise Linux 6.7 (x86, x86_64)

-  Red Hat Enterprise Linux Desktop 6.7 (x86, x86_64)

-  Red Hat Enterprise Linux Server 6.7 (x86, x86_64)

-  Red Hat Enterprise Linux Server 6.7 (ppc64 – no Power8)

-  Red Hat Enterprise Linux Desktop 7.2 (x86_64)

-  Red Hat Enterprise Linux Server 7.2 (x86_64)

-  Red Hat Enterprise Linux Server 7.0, 7.1, 7.2 (ppc64 – no Power8)

-  Scientific Linux 6.7 (x86, x86_64)

-  Ubuntu Desktop 15.10 (x86, x86_64)

-  Ubuntu Server 15.10 (x86, x86_64)

-  SUSE Linux Enterprise Desktop 11 SP4 (x86, x86_64)

-  SUSE Linux Enterprise Server 11 SP4 (x86, x86_64, ppc64, ia64)

-  Oracle Solaris 11.3 (x86_64, SPARC)

 

 

·          Support is removed for the following operating systems (Ref: CS-34860):

-  All 32-bit Windows platforms

-  Mac OS X 10.8

-  Fedora 19 (32-bit and 64-bit)

-  Oracle Enterprise Linux 4.x (32-bit and 64-bit)

-  openSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

-  Oracle Solaris 8 SPARC

 

·          This is the last release that supports the following operating systems (Ref: CS-35417):

-  Debian Linux 6.x (32-bit and 64-bit)

-  Fedora 20 (32-bit and 64-bit)

-  HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

-  HP-UX 11.23 Itanium (Normal and Trusted modes)

-  Oracle Solaris 9 (32-bit and 64-bit)

-  Ubuntu Desktop 14.10 (32-bit and 64-bit)

-  Ubuntu Server 14.10 (32-bit and 64-bit)

 

·          Support will be discontinued soon (the next release will be the last release with support) for the following operating systems:

-  Fedora 21 (32-bit and 64-bit)

-  Ubuntu Desktop 15.04, 15.10 (32-bit and 64-bit)

-  Ubuntu Server 15.04, 15.10 (32-bit and 64-bit)

-  SUSE Linux Enterprise Desktop 10 (32-bit and 64-bit)

-  SUSE Linux Enterprise Server 10 (32-bit and 64-bit)

-  openSUSE 13.1 (32-bit and 64-bit)

2.3.          Feature Changes in DirectControl 5.2.3 (Suite 2015.1)

DirectControl Agent

 

Scripts and Command Line Utilities

·          addns -e, --interface option is added to support operation using an interface name instead of an IP address. (Ref: 23388)

Specify one or more local network interface names to use in an add/delete/list/update operation. You can specify this option multiple times to support multi-homed hosts. This option can be used in conjunction with the -i (--ipaddress) option. It applies to the local host only and hence cannot be used together with the -n (--name) option.

·          addns -I, --ignoreptrerr option is added to allow the host record update to proceed even if deleting the reverse (PTR) record fails. (Ref: 47426, 76700)

·          adflush -y, --intended option is added to clarify the intention of the -f, --force option. The usage is as follows: (Ref: 74413)

o    -f, --force: This option removes the adclient cache and forces adclient to fetch everything from Active Directory again. However, in disconnected mode, removing the cache means that no AD user can log in until adclient reconnects to Active Directory and the cache is rebuilt. Hence, starting from this release, if adflush -f is issued in disconnected mode or when adclient is not running, an error message is displayed: ‘Flush all caches will cause no AD user to be able to login. If this is intended, please run "adflush -f -y"’

o    -y, --intended: Use this flag together with -f if you really intend to flush the adclient cache even when adclient is not running or not connected. Note: after doing this, no AD user can log in until the cache is rebuilt the next time adclient is up and connected.

·          adinfo -x, --suite-version option is added to show the Centrify Server Suite version in addition to the DirectControl agent build number. (Ref: 70417, 75328)

·          adjoin -t, --licensetype is added to specify whether a server or workstation license is used for this operation. The default is the workstation license for Auto Zone and the server license for classic and hierarchical zones. (Ref: 75362)

·          adjoin -R, --computerrole is added to specify which computer role the computer is added to after it successfully joins the zone. (Ref: 68255)

·          adlicense -t, --licensetype is added to change the license type. (Ref: 75362)

·          adlicense -q, --query is added to show the license mode and the license type. (Ref: 75362)

·          Two new options are added to the Centrify PAM plugin (pam-centrifydc.so): (Ref: 78589)

o    deny_pwexp: This option is used on the "auth" module line in pam.conf. If this option is present, the Centrify PAM plugin checks for password expiration before attempting authentication. If the password has expired, the authentication attempt fails immediately without asking whether the user wants to change the password. This is useful for web applications where it is not possible to prompt the user to change the password.

o    skip_pwexp_check: This option is used on the "account" module line in pam.conf. If this option is present AND the existing centrifydc.conf parameter "pam.allow.password.expired.access" is true, the Centrify PAM plugin skips the check for whether the password has expired.

 

Hadoop Support

 

·          Support infinite renewal of a user’s Kerberos ticket-granting ticket (TGT) for a user who has logged out while a Hadoop job is still running. Use the two new configuration parameters, krb5.cache.infinite.renewal.batch.users and krb5.cache.infinite.renewal.batch.groups, to enable this. Refer to the Configuration Parameters section below for details. (Ref: 75989)

 

Smart Card and Certificate Management

·          OpenSSL is upgraded to 0.9.8zf in this release. (Ref: 78758)

·          DirectControl now supports SHA2 for signing the Certificate Signing Request (CSR) in certificate auto-enrollment with version 3 template. (Ref: 76270)

·          This release supports Microsoft Authentication Mechanism Assurance for smart cards. (Ref: 78246)

·          Smart card users failed to log in to Active Directory on some operating systems, such as Red Hat Enterprise Linux 7.0, if their user name contained upper-case characters. This release specifies “ignorecase” in the Microsoft UPN extension section of pam_pkcs11.conf to support mixed-case user names. (Ref: 74574)

 

Configuration Parameters

·        centrifydc.conf has been updated:

New Parameters:

-    adclient.logonhours.local.enforcement: This parameter specifies whether adclient enforces the "Logon Hours" restriction locally in addition to the enforcement done by Active Directory. The default is true; if set to false, only Active Directory enforces the restriction. Note that Active Directory and all its client machines should have the same daylight saving time setting. (Ref: 62286)

-    adclient.lookup.sites<.domain>: This parameter restricts DC (domain controller) and GC (global catalog) lookup to a configured site list. The default is “”. (Ref: 76507)

-    krb5.cache.infinite.renewal.batch.groups: Specify a list of Active Directory groups that contain users whose Kerberos TGTs (ticket-granting tickets) require infinite renewal even after the users have logged out. Note: this feature supports AD group names only. You may use the following formats: <adgroup> <samname@domain>. The default is “”. (Ref: 75989)

-    krb5.cache.infinite.renewal.batch.users: Specify a list of users whose TGTs require infinite renewal even after the users have logged out. Note: these users must be zone-enabled. Mapped users are not supported. You may use the following formats: <unixname> <upn> <samaccountname> <samaccountname@domain>. The default is “”. (Ref: 75989)

-    pam.homedir.create.hook: You can specify a script on how the user's home directory should be created. (Ref: 70569)

The script should be:

1.  root owned and only writeable by owner

2.  executable

3.  not symlink

 

The sample script /usr/share/centrifydc/samples/homedir.sh.sample can create the home directory for a user on a Solaris ZFS mounted volume.

The default is “”, i.e. the DirectControl agent uses mkdir to create the home directory.

Updated Parameters:

-    none

Obsolete Parameters:

-    adclient.autoedit.dsconfig (Ref: 73179)

 Refer to the Configuration and Tuning Reference Guide for details.
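
Both pam.homedir.create.hook (above) and adclient.local.account.notification.cli (Suite 2016, section 2.2) name an executable that the DirectControl agent runs with root privileges, which is why the three requirements listed above matter: a hook that a non-root user can rewrite, or redirect through a symlink, is a local privilege escalation path. The following shell function is an added example, not Centrify code, that checks a candidate hook against those requirements before you point centrifydc.conf at it. It assumes GNU or BSD stat is available; the sample hook it checks is constructed for the example.

```sh
#!/bin/sh
# Added example (not Centrify code): verify that a script the DirectControl
# agent will execute as root is root-owned, writable only by its owner,
# executable, and not a symlink. Prints one line per failed check and
# returns 1 if any check fails, 0 if the file is acceptable.

# Permission bits and owner uid; tries GNU stat first, then BSD stat
# (assumption: one of the two is installed).
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

check_agent_hook() {
    path="$1"
    bad=0
    # Test the link itself before -f, which would follow it.
    if [ -L "$path" ]; then
        echo "$path: is a symlink (the agent would run whatever it points at)"
        bad=1
    fi
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file"
        return 1
    fi
    owner=$(file_owner "$path")
    if [ "$owner" != "0" ]; then
        echo "$path: owned by uid $owner, not root"
        bad=1
    fi
    if [ ! -x "$path" ]; then
        echo "$path: not executable"
        bad=1
    fi
    mode=$(file_mode "$path")
    # The last two octal digits are group and other; 2, 3, 6 and 7 carry the
    # write bit, which would let a non-root user edit a root-run script.
    case "$mode" in
        *[2367][0-7]|*[2367])
            echo "$path: writable by group or others (mode $mode)"
            bad=1 ;;
    esac
    return "$bad"
}

# Constructed demonstration: a world-writable hook is rejected; the same file
# with mode 0700 passes every check except root ownership when this runs as
# an ordinary user.
demo_hook_check() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\nmkdir -p "$1"\n' > "$dir/homedir.sh"
    chmod 777 "$dir/homedir.sh"
    check_agent_hook "$dir/homedir.sh" || echo "-> rejected, as expected"
    chmod 700 "$dir/homedir.sh"
    check_agent_hook "$dir/homedir.sh" && echo "-> accepted"
    rm -rf "$dir"
}
demo_hook_check
```

Run check_agent_hook against the path you intend to configure (for instance the shipped /usr/share/centrifydc/samples/homedir.sh.sample after copying and adapting it) and only then set pam.homedir.create.hook or adclient.local.account.notification.cli. The checks are deliberately conservative: a group-writable script fails even when the group is root-only, because group membership can change without anyone re-auditing the hook.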

DirectManage Access Manager

 

·          Two menu items are added to the root node in Access Manager to run Centrify Deployment Report wizards:

o    Deployment Report (Standard Edition) …

o    Deployment Report (Enterprise Edition) …

·          When zone-enabling a user, the validation logic now checks whether the user's login name (unixname) matches the sAMAccountName of another user in the same domain, to avoid a confusing naming practice. (Ref: 77425)

·          Centrify PuTTY is now based on PuTTY 0.64. (Ref: 74953)

Access Module for PowerShell

 

·         Get-CdmEffectiveUnixRight and Get-CdmEffectiveWindowsRight are enhanced to show the effective rights from a given computer role. (Ref: 72108)

·         New-CdmUserProfile, New-CdmGroupProfile, Set-CdmUserProfile and Set-CdmGroupProfile are enhanced to support generating a UID or GID from the SID, or using the Apple UID/GID scheme, in classic zones. (Ref: 70795)

Deployment Manager

 

·          Deployment Manager has been updated to version 5.2.3.  Please refer to the Deployment Manager release notes for information on enhancements and bug fixes in this release. You can find all the Centrify Server Suite release notes and documentation in the Documentation Center in Centrify support portal.

Group Policies

 

·          Pre-announcement of deprecating the ADM format

This is the last release in which group policies are shipped in ADM (Administrative Template) format. From the next release onward, only the XML-based ADMX format will be shipped. (Ref: 79102)

Deployment Report

 

·          The deployment report now shows whether a computer is using a workstation or a server license. (Ref: 75375)

·          The deployment report can now gather only the license usage of Centrify Server Suite Standard Edition, using the credentials of the currently logged-in user. To do so, invoke the "Deployment Report (Standard Edition)" menu item in Access Manager. (Ref: 78647)

·          You can now launch the Deployment Report utility (CentrifyDeploymentReport.exe) in silent mode. It supports the following parameters: (Ref: 78648)

o    /standardmode: run CentrifyDeploymentReport.exe to gather license usage for Standard Edition only.

o    /server=<server>: specify the name of a domain controller in the forest for which you want to run the report.

o    /silent: run deployment report in non-interactive mode.  The default is interactive mode and launches the Deployment Report wizard.

o    /output=<file>: write the deployment report to the specified file path and name. This is valid only in silent mode.

o    /force: used together with /output. If specified, the Deployment Report utility overwrites an existing deployment report without prompting.

o    /help: show command usage.

·          In this release, the forest name is no longer obfuscated in the deployment report. (Ref: 79421)

·          This release adds a "Send Report …" button on the last page of the Deployment Report wizard, which sends the generated report directly to the Centrify Support Portal. (Ref: 75360)

adedit

 

·          adedit now supports the provisioning attributes used by the Zone Provisioning Agent (ZPA). (Ref: 61580)

·          The admigrate utility now copies and migrates the ZPA provisioning attributes in the zone container. (Ref: 61581)

Centrify LDAP Proxy

 

·          Supports packet data signing (Ref: 61479, 62782)

·          Supports auto-private groups (Ref: 76645)

·          Supports automount (Ref: 76880)

o    Automount was previously supported only through the NIS proxy (adnisd) or through adauto.pl (for indirect maps), and adauto.pl cannot support the autofs ghost option because of an inherent autofs constraint. Automount maps are now also served by Centrify LDAP Proxy, so autofs can be configured to obtain its maps via LDAP.

Centrify OpenSSH

 

·          Centrify OpenSSH is now based on open source OpenSSH 6.7p1. (Ref: 72114)

Supported Platforms

 

·          Support has been added for the following operating systems (Ref: 77908, 78582):

-  CentOS 7.1 (x86_64)

-  Citrix XenServer 6.5 (x86_64)

-  Debian Linux 8.x (x86, x86_64)

-  Fedora 22 (x86, x86_64)

-  Oracle Enterprise Linux 7.1 (x86_64)

-  Red Hat Enterprise Linux Desktop 7.1 (x86_64)

-  Red Hat Enterprise Linux Server 7.1 (x86_64)

-  Red Hat Enterprise Linux Server 7.1 (ppc64)

-  Scientific Linux 7.1 (x86_64)

-  Ubuntu Desktop 15.04 (x86, x86_64)

-  Ubuntu Server 15.04 (x86, x86_64)

 

·          Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 77904):

-  Debian Linux 6.x (32-bit and 64-bit)

-  Fedora 20 (32-bit and 64-bit)

-  HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

-  HP-UX 11.23 Itanium (Normal and Trusted modes)

-  Oracle Solaris 9 (32-bit and 64-bit)

-  Ubuntu Desktop 14.10 (32-bit and 64-bit)

-  Ubuntu Server 14.10 (32-bit and 64-bit)

 

·          This is the last release to support the following operating systems (Ref: 73750):

-  All 32-bit Windows platforms

-  Fedora 19 (32-bit and 64-bit)

-  OpenSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

-  Oracle Enterprise Linux 4.x (32-bit and 64-bit)

-  Oracle Solaris 8 SPARC

 

·          Support is removed for the following operating systems (Ref: 56644, 61795, 64457, 68948):

-  AIX 5.3 (32-bit and 64-bit)

-  Linux Mint 15, 16 (32-bit and 64-bit)

-  Ubuntu Desktop 10.04 LTS (32-bit and 64-bit)

-  Ubuntu Server 10.04 LTS (32-bit and 64-bit)

-  Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

-  Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

-  Windows 2003, Windows 2003R2 – Estimated vendor EOL: 2015-07-14

 

2.4.          Feature Changes in DirectControl 5.2.2 (Suite 2015)

DirectControl Agent

 

General

 

·          Hadoop support

Deploying Hadoop in secure mode requires Kerberos service principal management across each cluster as well as within each node.  Centrify Server Suite 2015 facilitates the deployment of Hadoop in secure mode by automating the creation of Hadoop headless accounts and per node service accounts as well as providing support for Kerberos keytab management.  In this way, customers are able to fully integrate their Hadoop deployments with the rest of their enterprise identity system – they can leverage an existing investment in Active Directory to provide centralized identity management and auditing across Hadoop clusters, nodes and services and seamlessly integrate identity and access management, privilege management and session monitoring across the broadest range of platforms in the industry.  This results in a more secure Hadoop environment and addresses regulatory requirements while leveraging existing infrastructure and skillsets.

Centrify Server Suite 2015 includes the following features to enable Hadoop enterprise deployment in secure mode:

-  The adkeytab utility can now create computer accounts, optionally with a password that never expires, to support long-lived accounts that must be shared across a cluster. (Ref: 73742)

-  A sample script automates Hadoop service account creation and keytab management. This simplifies deployment, reduces the risk of error, and enables secure rotation of Kerberos keys across the nodes in the cluster. (Ref: 73961, 74761)

-  Centrify Server Suite continues to support renewal of Active Directory user Kerberos credentials; this is called out to emphasize the enterprise-grade features required for continuous, secure operation. (Ref: KB-3039)

 

Please refer to the README or README.html in /usr/share/centrifydc/samples/hadoop for the prerequisites, how to set up Hadoop, and how to use the sample scripts.

 

·          Audit Trail

-  Audit Trail events are now documented for customer use. The document AuditTrailEvents.xml can be found on "Autorun">"Documentation" page, or in the Documentation folder of the ISO image. (Ref: 66241)

-  Centrify sshd now uses a new mechanism to send its Audit Trail messages. These messages are not received if an earlier version of the DirectControl agent is used with this version of Centrify OpenSSH. (Ref: 54642)

 

·          Software Upgrades

-  Centrify OpenSSH is now based on OpenSSH 6.6p1. The fix to CVE-2014-2653 - "The verify_host_key function in sshconnect.c in the client in OpenSSH 6.6 and earlier allows remote servers to trigger the skipping of SSHFP DNS RR checking by presenting an unacceptable HostCertificate" is also included in this release. (Ref: 62477, 63380)

-  Centrify OpenSSH and Centrify DirectControl are now integrated with OpenSSL 0.9.8zc. (Ref: 72505)

-  Centrify DirectControl is integrated with curl library 7.39. (Ref: 73193)

-  Centrify dzdo is now based on sudo 1.8.10p3. All features and behaviors are the same as in the former dzdo, except for the following. (Ref: 40468)

1.  dzdo behavior is unchanged, including the exit status, but failure and warning messages may differ in some cases.

2.  When env_reset is enabled, the new dzdo sets the initial value of HOME to the current user's home directory if HOME is listed in dzdo.env_keep, and to the target user's home directory otherwise; the old dzdo always used the current user's home directory. (Ref: 74272)

3.  dzdo now supports the -E option, to ease migration from sudo for some users. The -E option is only permitted if the related DirectAuthorize command has the 'env_reset' field unset (for example by clearing the 'Reset environment variables' option of the command in Access Manager). Note: neither the -E option nor an unset 'env_reset' field is a safe operation, because the caller's environment is then passed to the privileged command; use them with care. (Ref: 76005)

Note: dzdo does not support sudo policy and session plugins in this release.  (Ref: 66785)

-  Centrify sudo Import is extended to support sudoers files based on sudo 1.8.10p3 (Ref: 66267)

-  Centrify LDAP Proxy is now based on OpenLDAP 2.4.40.

-  Earlier versions of Centrify DirectControl and DirectSecure do not work with this version of Centrify LDAP Proxy. (Ref: 72579)

-  After this upgrade, ldapsearch also applies the size limit when it outputs the search result. The default size limit ("-z") is 0 (no limit); however, if you specify "-E pr=<size>/prompt" without "-z", only a single page of results is displayed. Because of this behavior in OpenLDAP 2.4.40, always use "-E" and "-z" together to obtain complete search results. (Ref: 73260)

-  TLS support is enabled in this version of Centrify LDAP Proxy. If Centrify slapd is started with TLS, or the Active Directory server accepts TLS/SSL connections, LDAP client tools (e.g. ldapsearch) can connect to slapd or to AD over ldaps. Refer to the Centrify Server Suite Administrator's Guide for Linux and UNIX for the configuration steps. (Ref: 51382)

 

·          Enhancement of scripts or command line utilities

-  A new command-line utility, adgpresult, is introduced. It reports the group policy settings in effect for the local computer, the current user, or a specified user. If you have configured and applied a Group Policy Object to a site, domain, or organizational unit that includes a Centrify-managed computer, you can use adgpresult to see the computer and user configuration policies that have been applied. The command displays a Resultant Set of Policy similar to the Microsoft Windows gpresult program. (Ref: 32411)

-  A new script, adautouser.pl, is provided to return automount map entries only for users who are zone enabled. This is different from the existing script adauto.pl which returns all map entries instead. (Ref: 34428)

-  A new script, adsyncignore, is provided to find the non-zone users and groups and update the user.ignore and group.ignore files accordingly. (Ref: 57164)

-  The command, adfixid, now supports a single UID/GID range. E.g. adfixid –id 5000-5000 now uses 5000 for conflict resolution. (Ref: 62209)

-  The addns command has a new option, --secure (-S), which instructs addns to skip the non-secure update attempt and perform only the secure (authenticated) update. It works with --update only. (Ref: 40787)

-  The dzsh command history is available and persistent between invocations.  This is done by enhancing dzsh to save and restore commands from a command history file (.dzsh_history). (Ref: 62168)

-  Two new options are added to the adkeytab command: "-M, --computer-object" creates the account as a computer object (without it, the account is created as a user object), and "-W, --password-never-expire" sets the password to never expire when the account is created. (Ref: 73742)

-  A new option (--interactive, -I) allows adkeytab and adinfo to prompt the user for a password if the TGT is revoked. This is normally needed when a user's Kerberos credential cache is used to authenticate to a read-only domain controller (RODC). When a machine is located in an RODC site and the AD users' passwords are allowed to replicate to the RODC, the RODC may return a TGT_REVOKED error, causing adkeytab or adinfo to fail. With -I, the command prompts for the password and re-requests the TGT from the RODC. (Ref: 69631)

-  A new option (--enableAppleIDGenScheme) allows adjoin to apply the Apple UID/GID scheme by default. It takes effect only if auto zone or workstation mode is chosen (i.e. option -w or -z "NULL_AUTO"). Once applied, centrifydc.conf is modified to set "auto.schema.apple_scheme: true" and "auto.schema.primary.gid: -1". Note: this does not work with the --precreate option. (Ref: 73317)

-  dzdo supports "%groupname" or "%#GID" in the user list (the part before the colon) of the dzdo_runas settings for DirectAuthorize commands. When set, every user in that group passes the runas-user check during command matching in dzdo. (Ref: 73384)

-  Sudo import supports groups and GIDs in the runas user list (the first runas list) of a runas specification within a user specification. Other items, such as netgroups and non-UNIX groups and GIDs, remain unsupported and are dropped during import. Note that sudo import is limited in resolving group membership, so a default option that applies directly to group members rather than to the group itself is not recognized and not configured correctly during import. (Ref: 73483)

 

·          New start/stop support

-  Added a script "centrify-ldapproxy" to start/stop ldapproxy in Centrify LDAP Proxy.

Usage: /usr/share/centrifydc/bin/centrify-ldapproxy {start|stop|restart|condrestart|status} [options]. (Ref: 5288, 39402)

 

·          New Group Policy support

-  Added a new GP, "Enable core dump cleanup", to clear Centrify DirectControl Agent core dumps which are older than <n> days. (Ref: 66050)

-  Added a new GP, "Add sshd_conf properties", to configure arbitrary sshd parameters. (Ref: 61700)

-  Added two new GPs, "Set ignored programs" and "Add centrifyda.conf properties", to set up nss.program.ignore and generic parameters respectively for DirectAudit. (Ref: 64645)

-  The GP "Require smart card login" now supports "Exception groups": users in those groups may log in with their AD username and password even when the GP is enabled. Note: the machine must be online for the exception groups to take effect. (Ref: 62705)

-  Added Gnome 3 GPs for Linux platforms. (Ref: 50777)

Please refer to the Group Policy Guide for details.

 

·          Add Smart Card support on Red Hat Enterprise Linux 7 (Ref: 65104, 74574)

 

Configuration Parameters

·        centrifydc.conf has been updated:

 

-  New parameters:

-  adclient.cache.upn.index: This parameter specifies whether the cache builds an index on UPNs. This resolves the case where the UPN of one user equals the SAM@DomainName of another user and both user objects are in the cache. The default is false. (Ref: 55469)

-  adclient.get.primarygroup.membership: This parameter specifies whether adclient adds a zone user as a member of the user's primary group. The default is false. (Ref: 69928)

-  adclient.krb5.conf.file.custom: This parameter enables merging custom krb5.conf entries into the existing krb5.conf. The default is an empty string, which disables the merge. (Ref: 51038)

-  adclient.krb5.principal: This parameter specifies the name form used as the principal in the Kerberos ticket. The acceptable values are "upn" and "sam"; the default is "upn". Notes: (1) If "upn" is specified but the user has no UPN, SAM@DomainName is used instead. (2) For MIT Kerberos users, the UPN is used even if "sam" is specified. (3) If "sam" is specified, adclient.cache.upn.index must be set to true to resolve the ambiguity in the adclient cache. (Ref: 69484)

-  adclient.preferred.login.domains: When duplicate sAMAccountNames exist across multiple domains in a forest, the ambiguity in resolving them is removed by setting this parameter to force adclient to log users in using the listed domain names. Note: if this parameter is set and adclient caching is enabled, adclient.cache.upn.index must also be set to true to resolve the ambiguity in the adclient cache. (Ref: 60464)

-  adclient.preferred.site: adclient uses CLDAP NETLOGON requests to discover its site as configured in Active Directory Sites and Services; domain controllers in the same site are preferred because they are likely the closest. This parameter lets you override the site returned by AD. The default (empty) tells adclient to keep discovering the site via CLDAP. There are two forms of override: (1) a universal override, where no forest is included in the parameter name, e.g. adclient.preferred.site: my-site; (2) a forest-specific override, where the forest is included in the parameter name, e.g. adclient.preferred.site.acme.com: my-acme-site. Forest-specific overrides take precedence over the universal override, so you can override the site for all forests, for specific forests, or a combination of the two. (Ref: 65369)

-  dz.auto.anchors: This parameter specifies whether an end anchor ($) is appended automatically to regular-expression DirectAuthorize command definitions, so that a pattern that was not written carefully cannot match a longer, unintended path or command. The default is true. If set to false, the administrator must be aware of every possible match of each regex they define. (Ref: 66057, 67676)

-  gp.use.user.credential.for.user.policy: This parameter specifies whether the Group Policy processor uses the user's credentials or the machine's credentials to retrieve user group policy. When false (the default), the machine credential is used; when true, the user credential is used. (Ref: 29077)

-  krb5.sso.block.local_user: This parameter tells the Kerberos library to block local users from single sign-on via .k5login. The default is false. If set to true, the UPN is checked against the nss.user.ignore list; a match means the account is treated as a local user, SSO is refused, and the user must enter the local user's password to log in. (Ref: 71292)

-  nss.passwd.info.hide: This parameter controls whether the sensitive password attributes of a user (Maximum Password Age, Password Expiration Date, Minimum Password Age, Change Password Needed, and Password Last Changed On) are masked from non-root users. When set to false, non-root users can also view the password attributes of other users. The default is true, except on HP-UX systems, where these attributes are not protected. (Ref: 60578)

-  pam.homedir.perms.recursive: The default is false. By default, PAM creates the user's home directory and copies everything in the skeleton directory, including its permissions, to the new directory. If this parameter is set to true, PAM still copies everything from the skeleton directory but applies the permissions of pam.homedir.perms recursively. (Ref: 56091)
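As an added example (not Centrify code), the following Python reads a constructed centrifydc.conf fragment and applies several of the rules stated in the list above: the precedence of a forest-specific adclient.preferred.site.<forest> override over the universal one, the principal-name fallback of adclient.krb5.principal, and the requirement that adclient.cache.upn.index be true when adclient.krb5.principal is "sam" or adclient.preferred.login.domains is set while caching is enabled; it also shows what dz.auto.anchors does to a loosely written command regex. The parser handles only the "name: value" lines and "#" comments seen in the file, the caching_enabled flag stands in for whatever parameter controls adclient caching (not named on this page), and the assumption that regex-form DirectAuthorize commands are matched from the start of the command path is the example's, not Centrify's.

```python
"""Consistency checks for a few centrifydc.conf parameters (added example).

Rules implemented, as stated in the release notes:
  * adclient.preferred.site.<forest> takes precedence over adclient.preferred.site;
  * adclient.krb5.principal "upn" falls back to SAM@DomainName when the user
    has no UPN, and "sam" always uses SAM@DomainName;
  * adclient.krb5.principal: sam, and adclient.preferred.login.domains with
    caching enabled, both require adclient.cache.upn.index: true;
  * dz.auto.anchors appends "$" to regex-form DirectAuthorize commands.
The parser and the caching_enabled flag are assumptions of this example.
"""
import re

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """
# site overrides
adclient.preferred.site: default-site
adclient.preferred.site.acme.com: acme-dc-site

# login name resolution
adclient.preferred.login.domains: corp.acme.com, lab.acme.com
adclient.krb5.principal: sam
adclient.cache.upn.index: false   # must be true for the two settings above

dz.auto.anchors: true
"""


def parse_conf(text):
    """Parse 'name: value' lines into a dict; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        conf[name.strip()] = value.strip()
    return conf


def as_bool(conf, name, default=False):
    """Interpret a boolean parameter the way centrifydc.conf spells it."""
    return conf.get(name, str(default)).strip().lower() in ("true", "yes", "1")


def preferred_site(conf, forest):
    """Site override adclient would use for `forest`.

    A forest-specific override wins over the universal one.  An empty result
    means no override: adclient keeps discovering the site via CLDAP.
    """
    specific = conf.get("adclient.preferred.site." + forest.lower())
    return specific if specific else conf.get("adclient.preferred.site", "")


def kerberos_principal(conf, sam, domain, upn=None):
    """Principal name form selected by adclient.krb5.principal."""
    form = conf.get("adclient.krb5.principal", "upn").lower()
    if form == "upn" and upn:
        return upn
    return "%s@%s" % (sam, domain)   # SAM@DomainName: used for "sam" or a missing UPN


def upn_index_problems(conf, caching_enabled=True):
    """Settings that are inconsistent unless adclient.cache.upn.index is true."""
    if as_bool(conf, "adclient.cache.upn.index"):
        return []
    problems = []
    if conf.get("adclient.krb5.principal", "upn").lower() == "sam":
        problems.append("adclient.krb5.principal: sam")
    if conf.get("adclient.preferred.login.domains") and caching_enabled:
        problems.append("adclient.preferred.login.domains is set while caching is enabled")
    return problems


def dz_command_matches(pattern, command, auto_anchors=True):
    """Match a regex-form DirectAuthorize command path against a requested one.

    With auto_anchors (the dz.auto.anchors default) a '$' is appended, so the
    pattern can only match the whole path.  Matching from the start of the
    string is an assumption of this example.
    """
    if auto_anchors and not pattern.endswith("$"):
        pattern += "$"
    return re.match(pattern, command) is not None


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(preferred_site(conf, "acme.com"))      # acme-dc-site
    print(preferred_site(conf, "example.net"))   # default-site
    print(kerberos_principal(conf, "jdoe", "corp.acme.com", upn="jdoe@acme.com"))  # jdoe@corp.acme.com
    for problem in upn_index_problems(conf):
        print("needs adclient.cache.upn.index: true ->", problem)
    # The administrator meant /usr/bin/vi; unanchored, /usr/bin/vim matches too.
    print(dz_command_matches("/usr/bin/vi", "/usr/bin/vim", auto_anchors=False))  # True
    print(dz_command_matches("/usr/bin/vi", "/usr/bin/vim"))                       # False
```

The dz_command_matches demonstration is the reason the default of dz.auto.anchors is the safe one: an administrator who grants "/usr/bin/vi" as a regex command without the anchor has also granted every command path that merely starts with that string.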

 

Please refer to the Configuration Parameters Reference Guide for details.

 

Note: In centrifydc.conf, we now denote configuration parameters that are not available in the Express mode. (Ref: 70413)

 

DirectManage Access Manager

 

·          Delegate zone control

-  Access Manager now allows users to select multiple computers for zone control delegation. This works only if all the selected computers have the same operating system.

-  One new task, namely Create Computer Role, is added into zone control delegation tasks for hierarchical or SFU zone. This task is to delegate the administrative permission to add computer roles in a specified zone. (Ref: 60601)

 

·          Generate Centrify Recommended Deployment Structure

-  Access Manager now has a new wizard, "Generate Centrify Recommended Deployment Structure", to help users to generate a deployment structure that follows Centrify recommended best practice. Users can use "Use current script for deployment" for default structure, or use "Export script for customized deployment" and "Use custom script for deployment" for customization. (Ref: 62473)

 

·          Now "All Active Directory Accounts" and "All Local Windows Accounts" can be assigned to the roles with Rescue right, e.g. the built-in "Rescue - always permit login" role. (Ref: 74049)
 
·          Dzdo support for RunAs User in an AD group

-  Privileged Command right runas user list now supports group name "%groupname" and GID "%#GID". (Ref: 73484)

 

·          ADUC Extension

-  Administrative notification handler for ADUC snap-in now also removes associated Centrify data and machine-level role assignments upon AD computer object removal. (Ref: 62216)

 

·          Group Policy Management Editor Extension

-  GPOE Extension is now available as a standalone installable package. (Ref: 63451)

 

Zone Provisioning Agent

 

·          A new ZPA option "Ignore disabled user accounts" is added in hierarchical zone's Provisioning tab page (in Advanced dialog). With this option box checked, ZPA will not provision the disabled user accounts into the zone. (Ref: 62533)

 

·          Zone Provisioning Agent now supports one more option "Generate from group SID" as user’s primary group. (Ref: 57105)

 

·          Root level hierarchical zones now support provisioning users and groups from another source zone. (Ref: 61701)

 

·          A new feature has been added to avoid duplicated UNIX names when provisioning with truncated names: There is an option to append an auto-incrementing number at the end in case a duplicate UNIX user/group name is encountered during provisioning. This option is disabled by default. To enable it, go to Zone Properties page -> Provisioning Tab -> Login name -> Advanced UNIX Name Settings dialog, and then enable the Avoid Duplicated Names option. (Ref: 62142)

adedit

 

·          Enhancement of adedit commands/functions

-  Added a function, get_user_role_assignments(), in ade_lib.tcl to collect role assignments in the current zone for a given user. The output list contains the role assignments of a given user either assigned directly, or from AD group membership, or from computer roles in the current zone. (Ref: 36858)

-  Added support to the function set_zone_user_field for unsetting a field using "-" in SFU zones. (Ref: 38895)

-  Added a new option [-f <forest>] to the command, get_objects, to specify the forest in which an object is searched. (Ref: 45053)

-  Added a new option [-automount <map>] to the command, new_nis_map, to support creating an automount map with the specified name. (Ref: 64408)

-  Added a new option [-stype <service principal name>] to the command, precreate_computer, to add a service principal name to the pre-created computer object.  This option can be repeated in the command for each service type. (Ref: 58732)

 

Centrify OpenSSH

 

·          Centrify OpenSSH with Service Management Facility control

-  Starting with this version, Centrify OpenSSH is installed and managed by SMF (Service Management Facility) when SMF is enabled and running on the Solaris machine. Users can therefore view, configure or control the Centrify sshd service with the SMF tools, such as svcs and svccfg. (Ref: 65499)

 

·          Merge of parameters when stock sshd is upgraded to Centrify sshd

-  Customers can list the parameters to be merged in the file /var/centrify/SSHD_MERGE_SPEC; the CDC-openssh post-install script then merges the listed parameters from the old sshd_config into the new sshd_config. (Ref: 66173)

 

·          Alternate SPN for SSO login to host using ssh

-  A new option, 'ServicePrincipalName', is added to the ssh option list (ssh -o) and to ssh_config to specify the GSS service principal name used for GSS authentication. The name must be in GSS name format; a malformed name causes the connection to fail immediately. (Ref: 67603)

 

·          Selection of preferred startup service for Centrify sshd

-   Before installing or upgrading Centrify OpenSSH on RHEL 6 or a similar system, such as CentOS 6, the administrator may select the preferred startup service for Centrify sshd among upstart, sysvinit and systemd. This is done by creating a file in /etc/centrifydc named "CENTRIFY_SSH_UPSTART" for upstart, "CENTRIFY_SSH_SYSVINIT" for sysvinit or "CENTRIFY_SSH_SYSTEMD" for systemd. If no file is created, or the selected service is not available on the system, then: if this is an upgrade or another OpenSSH is running, the current startup service is used; if no OpenSSH was installed before Centrify OpenSSH, the first available startup service is used, in the order upstart, systemd, sysvinit. (Ref: 66497)

 

Supported Platforms

 

·          Support has been added for the following operating systems (Ref: 72653, 73601, 73602):

-  CentOS 5.11, 6.6 (x86, x86_64)

-  Debian Linux 7.7 (x86, x86_64)

-  Fedora 21 (x86, x86_64)

-  Linux Mint 17.1 (x86, x86_64)

-  OpenSUSE 13.1, 13.2 (x86, x86_64)

-  Oracle Linux 5.11, 6.6 (x86, x86_64)

-  Oracle Linux 7.0 (x86_64)

-  Oracle Solaris 11.2 (x86_64, Sparc 64-bit)

-  Red Hat Enterprise Linux Server 5.11, 6.6 (x86, x86_64)

-  Red Hat Enterprise Linux Desktop 5.11, 6.6 (x86, x86_64)

-  Red Hat Enterprise Linux Server 5.10, 5.11, 7.0 (ppc64)

-  Red Hat Enterprise Linux Server 5.10, 5.11 (IA64)

-  Scientific Linux 5.11, 6.6 (x86, x86_64)

-  Scientific Linux 7.0 (x86_64)

-  Ubuntu Desktop 14.10 (x86, x86_64)

-  Ubuntu Server 14.10 (x86, x86_64)

-  SUSE Enterprise Linux 12 (x86_64)

 

·          Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 73750):

-  Fedora 19 (32-bit and 64-bit)

-  Oracle Enterprise Linux 4.x (32-bit and 64-bit)

-  OpenSUSE 12.1, 12.2, 12.3 (32-bit and 64-bit)

-  HP-UX 11.11, 11.23 PA-RISC (Normal and Trusted modes)

-  HP-UX 11.23 Itanium (Normal and Trusted modes)

-  Oracle Solaris 8 SPARC

 

·          This is the last release for the support of the following operating systems (Ref: 56644, 61795, 64457, 68948):

-  AIX 5.3 (32-bit and 64-bit)

-  Linux Mint 15, 16 (32-bit and 64-bit)

-  Ubuntu Desktop 10.04 LTS (32-bit and 64-bit)

-  Ubuntu Server 10.04 LTS (32-bit and 64-bit)

-  Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

-  Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

-  Windows 2003, Windows 2003R2 – Estimated vendor EOL: 2015-07-14

 

·          Support is removed for the following operating systems (Ref: 56643, 59441, 61010, 66423, 69921):

-  CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-  Citrix/XenSource XenServer 4, 4.1, 5, 5.5, 5.6 (32-bit)

-  Debian Linux 5 (32-bit and 64-bit x86)

-  Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

-  Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

-  Linux Mint 12, 14 (32-bit and 64-bit x86)

-  Mac OS X 10.7 (Mac 10.10 one-off is the last supported release)

-  Mandriva Linux One 2008, 2009, 2009.1, 2010, 2010.1, 2010.2, 2011 (32-bit and 64-bit x86)

-  Mandriva Enterprise Server 5, 5.2 (32-bit and 64-bit x86)

-  OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

-  Red Hat Enterprise Linux 3 (32-bit and 64-bit x86, PPC)

-  Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

-  SUSE Enterprise Linux 8.0 (32-bit x86)

-  SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86, PPC, Itanium server)

-  Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

-  VMware ESX 3.5 (32-bit)

-  VMware ESX 4.0, 4.1 (64-bit)

-  Windows XP

 

·          Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.

 

 

2.5.          Feature Changes in DirectControl 5.2.1 (Suite 2015)

 

·          This is a maintenance version update for DirectControl agents with no new feature.       

 

2.6.          Feature Changes in DirectControl 5.2.0 (Suite 2014.1)

DirectControl Agent

 

General

 

·        Windows 2012 KDC SID Compression (Ref: 60868)

- We now support KDC Sid Compression for domain controllers with Windows 2012 and higher.

 

·        Limited Express (Ref: 64987, 65872)

- Users are now alerted during installation/upgrade that the Express version is limited in features and in the number of agents. Inconsistent wording related to the Express version has also been cleaned up. Please refer to the EULA for details.

- Note: This is a behavioral change that may affect your customized installation logic because the prompts and related informational messages for Express mode in the install script are changed. E.g. "Express authentication mode" is now called "Express mode".

 

Smart Card

 

·        Allow certificates without an Extended Key Usage (EKU) (Ref: 58322)

- Smart card login is now allowed even when the certificate does not carry the EKU (Extended Key Usage) extension. A new centrifydc.conf parameter, "smartcard.allow.noeku", and the corresponding Windows group policy "Allow certificates with no extended key usage certificate attribute" implement this. A new option, "-E", is added to the sctool utility to support the group policy; it must be used with the "-a" or "-k" option and allows the smart card to perform PKINIT even though the certificate has no EKU.

 

·        Centrify now supports SmartCard authentication on CentOS 5.x and 6.x. (Ref: 64284)

 

DirectControl Agent Commands

·        CLI is updated (Ref: 62616, 63949):

 

-   adquery

- New --guid (-B): This is an optional parameter to display the GUID of the user.

- Modified --all (-A): This option will now display the GUID of the user as well.

-   dzinfo

- The output of this command now includes the audit level, even for a user in a classic zone.

 

Configuration Parameters

·        centrifydc.conf has been updated:

 

-   New parameters:

- smartcard.allow.noeku: This parameter allows smart card logon using certificates without an Extended Key Usage (EKU) extension (Ref: 58322). The default is false, meaning only certificates that carry "Smartcard Login" as an extended key usage can be used to log in with a smart card. If you set this parameter to true, certificates with the following attributes can also be used to log on with a smart card:

- Certificates with no EKU

- Certificates with an All Purpose EKU

- Certificates with a Client Authentication EKU

- nss.user.ignore.all: In a Centrify environment a user can be identified by several names: a UNIX name, a distinguished name (LDAP DN), a sAMAccountName and a display name. This parameter specifies whether the names listed in nss.user.ignore apply to UNIX user names only or to all of these name forms. The default is false, meaning UNIX user names only. If set to true, the names listed in nss.user.ignore are not searched in AD at all, so they can only resolve to local users; this saves CPU cycles by avoiding unnecessary AD lookups. (Ref: 64054, 64398)

  

Please refer to the Configuration Parameters Reference Guide for details. 
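The EKU rule for smartcard.allow.noeku above decides which certificates become acceptable once the parameter is enabled. As an added example (not Centrify code), the following Python parses a certificate's EKU extension from its DER bytes and applies that rule, so an administrator can audit which certificates the relaxed policy would admit before turning it on. It assumes that "All Purpose EKU" means the anyExtendedKeyUsage OID 2.5.29.37.0; the sample EKU values are constructed inline.

```python
"""Added example (not Centrify code): decode a certificate's Extended Key Usage
(EKU) extension and decide whether smartcard.allow.noeku would admit it for
smart card logon, following the rule stated in the release notes."""

# EKU object identifiers referred to in the release notes.
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"   # "Smartcard Login"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"            # Client Authentication
OID_ANY_EKU = "2.5.29.37.0"                      # anyExtendedKeyUsage; assumed to be
                                                 # what the notes call "All Purpose EKU"


def _encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """Build an EKU extension value: SEQUENCE OF OBJECT IDENTIFIER."""
    inner = b"".join(_encode_oid(o) for o in oids)
    if len(inner) >= 128:
        raise ValueError("this example only emits short-form DER lengths")
    return bytes([0x30, len(inner)]) + inner


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode base-128 OID arcs back to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse an EKU extension value into a list of dotted OIDs."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(_decode_oid(body))
    return oids


def smartcard_logon_allowed(eku_der, allow_noeku):
    """Apply the smartcard.allow.noeku rule.

    eku_der is None when the certificate carries no EKU extension at all.
    With the default (allow_noeku=False) only the Smartcard Login EKU passes;
    with the relaxed policy, no EKU, All Purpose or Client Authentication
    also pass.  Any other EKU set (e.g. serverAuth only) is always rejected.
    """
    if eku_der is None:
        return allow_noeku
    oids = set(decode_eku(eku_der))
    if OID_SMARTCARD_LOGON in oids:
        return True
    return allow_noeku and bool(oids & {OID_ANY_EKU, OID_CLIENT_AUTH})


if __name__ == "__main__":
    # Constructed sample EKU values; a real one comes from the certificate's DER.
    samples = {
        "no EKU extension": None,
        "Smartcard Login": encode_eku([OID_SMARTCARD_LOGON]),
        "Client Authentication only": encode_eku([OID_CLIENT_AUTH]),
        "All Purpose": encode_eku([OID_ANY_EKU]),
        "Server Authentication only": encode_eku(["1.3.6.1.5.5.7.3.1"]),
    }
    for name, der in samples.items():
        print(f"{name:28s} default={smartcard_logon_allowed(der, False)!s:5} "
              f"allow.noeku={smartcard_logon_allowed(der, True)}")
```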

DirectManage Access Manager

· JScript support in the SDK is discontinued starting from this release. (Ref: 67601, 55282)

Deployment Report

· Deployment Report enhancement (Ref: 60216, 60217, 62412)

- Under the Deployment Summary, a more in-depth comparison of the different DirectControl/DirectAuthorize agent types is added. It lists the number of deployed agents in zones, in Auto Zone and in Null Zone (if available), as well as Express agents. If zLinux systems are also deployed, the number of zLinux systems of each type is reported as well. The number of zones created under the forest is reported, followed by a detailed breakdown of the number of deployed agents in each zone. Note that Auto Zone and Null Zone are not created by users; therefore, they are not included.

Supported Platforms

· Support has been added for the following operating systems (Ref: 60522, 62251, 65973, 68311):

- CentOS Linux 7 (64-bit)

- Citrix XenServer 6.1, 6.2 (32-bit) – added post Server Suite 2014.1 GA

- Debian Linux 7.5, 7.6 (32-bit and 64-bit)

- Linux Mint 17 (32-bit and 64-bit)

- Linux Mint Debian Edition 201403 (32-bit and 64-bit)

- Mac OS X 10.10 – added post Server Suite 2014.1 GA

- Red Hat Enterprise Linux 7 (64-bit)

- Ubuntu Desktop 14.04 LTS (32-bit and 64-bit)

- Ubuntu Server 14.04 LTS (32-bit and 64-bit)

· Support will be discontinued soon (the next release will be the last release with support) for the following operating systems (Ref: 56208, 56644, 61795, 68948):

- AIX 5.3 (32-bit and 64-bit)

- Linux Mint 15, 16 (32-bit and 64-bit)

- Mac OS X 10.7

- Ubuntu Desktop 13.04, 13.10 (32-bit and 64-bit)

- Ubuntu Server 13.04, 13.10 (32-bit and 64-bit)

· This is the last release to support the following operating systems (Ref: 56643, 61009):

- CentOS Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

- Citrix/XenSource XenServer 4, 4.1, 5, 5.5, 5.6 (32-bit)

- Debian Linux 5 (32-bit and 64-bit x86)

- Fedora 14, 15, 16, 17, 18 (32-bit and 64-bit)

- Linux Mint Debian Edition 201204 (32-bit and 64-bit x86)

- Linux Mint 12, 14 (32-bit and 64-bit x86)

- Mandriva Linux One 2008, 2009, 2009.1, 2010, 2010.1, 2010.2, 2011 (32-bit and 64-bit x86)

- Mandriva Enterprise Server 5, 5.2 (32-bit and 64-bit x86)

- OpenSUSE 11.0, 11.1, 11.2, 11.3, 11.4 (32-bit and 64-bit x86)

- Red Hat Enterprise Linux 3 (32-bit and 64-bit x86, PPC)

- Scientific Linux 4.4, 4.5, 4.6, 4.7, 4.8, 4.9 (32-bit and 64-bit x86)

- SUSE Enterprise Linux 8.0 (32-bit x86)

- SUSE Enterprise Linux 9.0, 9.1, 9.2, 9.3 (32-bit and 64-bit x86, PPC, Itanium server)

- Ubuntu 10.10, 11.04, 11.10, 12.10 (32-bit and 64-bit x86, desktop and server)

- VMware ESX 3.5 (32-bit)

- VMware ESX 4.0, 4.1 (64-bit)

- Windows XP

· Refer to http://www.centrify.com/products/all-supported-platforms.asp for the complete list.

3.     Bugs Fixed

3.1.          Bugs Fixed in Centrify DirectControl 5.3.0 (Suite 2016)

DirectControl Agent

· The Kerberos credentials of logged-in users are now renewed when the machine returns to connected mode after a reboot in disconnected mode. (Ref: CS-39183)

· Mapped users defined in passwd.ovr were intermittently unable to log in. This is now fixed. (Ref: CS-36108)

· Due to an error in parsing a PAC (Privilege Attribute Certificate) that has SIDs compressed in the resource group field, zoned users were unable to log in and adquery reported a NULL SID for these users. This is fixed. (Ref: CSSUP-6606, CS-36209)

· With NTLM authentication turned on, if the user principal name differs from the canonical name (also known as the pre-Windows 2000 login name), the user could not log in. This problem is fixed. (Ref: CS-36231)

· Some applications, such as Apache Tomcat, may send an empty NTLM Challenge packet to check whether the DirectControl Agent supports NTLM authentication. This crashed the DirectControl Agent. In this release, the agent returns a "Bad packet" error to the sender instead. (Ref: CS-35958)

· For an Active Directory user from a one-way cross-forest outbound trust, if a role assignment is added or removed after the zone user profile is cached by the DirectControl Agent, the user cannot be displayed on or removed from the UNIX machine unless the local cache is flushed. This issue is now fixed. (Ref: CS-38628)

· When using a passwd override in passwd.ovr, if the user's UNIX account name differs from the Active Directory account name, the user could not log in. This problem is fixed. (Ref: CS-36301)

· The automount map inheritance scheme in adauto.pl supported only zone hierarchies within the same domain. Thus, if the automount maps were defined in a parent domain, a child domain could neither read nor inherit them. This is now fixed. (Ref: CS-35343)

· When there are a large number of NIS map entries in Active Directory, the auto_maps cache kept growing because deleted entries in the underlying database were not purged. This release fixes this issue. (Ref: CS-35959)

· Previously, dzinfo displayed the same role and role assignment multiple times for a user if the role was assigned via multiple role assignments. In this release, dzinfo shows the role once with its multiple role assignments. (Ref: CS-35763)

· In this release, when environment variables for command execution are customized through dzdo command settings or centrifydc.conf options, the listed values replace the existing list instead of being added to it as in prior releases. Note that this may affect current dzdo use: for example, if a machine's centrifydc.conf has the option 'dzdo.env_keep: VAR', then only 'VAR' is kept, and all other entries in the default list, such as 'PATH' and 'KRB5CCNAME', are removed. You may need to check and update these settings accordingly. (Ref: CS-36094)
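To see the effect of this change before upgrading, the following added Python (not Centrify's code) parses the dzdo.env_keep line of a centrifydc.conf and compares the old append semantics with the new replace semantics, reporting which default variables would no longer be kept. The built-in default list and the whitespace-separated value format are assumptions, since the note only names PATH and KRB5CCNAME as members of the default list.

```python
"""Added example (not Centrify code): audit dzdo.env_keep in centrifydc.conf
before upgrading, comparing the old "append to defaults" semantics with the
new "replace defaults" semantics described in the release notes."""

# Constructed stand-in for the agent's built-in default keep list (assumption:
# the release notes only name PATH and KRB5CCNAME as members of it).
DEFAULT_ENV_KEEP = ("PATH", "KRB5CCNAME", "HOME", "LANG", "TERM")


def parse_centrifydc_conf(text):
    """Parse 'key: value' lines into a dict; '#' lines are comments and a
    repeated key keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def env_keep_list(conf):
    """Names listed in dzdo.env_keep (assumed whitespace or comma separated)."""
    value = conf.get("dzdo.env_keep", "")
    return value.replace(",", " ").split()


def effective_env_keep(conf, replace_semantics):
    """Old behaviour (replace_semantics=False): configured names are added to
    the defaults.  New behaviour (True): the configured list replaces them.
    An unset parameter leaves the defaults in force either way."""
    configured = env_keep_list(conf)
    if not configured:
        return list(DEFAULT_ENV_KEEP)
    if replace_semantics:
        return configured
    return list(DEFAULT_ENV_KEEP) + [v for v in configured if v not in DEFAULT_ENV_KEEP]


def dropped_after_upgrade(conf):
    """Variables dzdo kept before the upgrade but will now strip."""
    before = effective_env_keep(conf, replace_semantics=False)
    after = set(effective_env_keep(conf, replace_semantics=True))
    return [v for v in before if v not in after]


def apply_env_keep(environ, keep):
    """Simulate keep-list filtering (assumes env_reset style behaviour):
    only variables in the keep list reach the executed command."""
    return {k: v for k, v in environ.items() if k in keep}


if __name__ == "__main__":
    # Constructed sample matching the scenario in the release note.
    sample_conf = "# constructed sample\ndzdo.env_keep: VAR\n"
    conf = parse_centrifydc_conf(sample_conf)
    print("kept after upgrade:", effective_env_keep(conf, replace_semantics=True))
    print("no longer kept:", dropped_after_upgrade(conf))
    # The Kerberos cache location is lost unless KRB5CCNAME is listed explicitly.
    env = {"PATH": "/usr/bin", "KRB5CCNAME": "FILE:/tmp/krb5cc_1000", "VAR": "x"}
    print("environment seen by the command:",
          apply_env_keep(env, effective_env_keep(conf, replace_semantics=True)))
```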

· This release fixes the long delay in displaying the password prompt on Solaris and HPUX during dzdo command execution when the current zone has a large number of groups. (Ref: CS-39064)

· This release fixes the slow login or timeout issue on Solaris and HPUX that could happen when sshd_config has group-checking options such as 'DenyGroups' and the zone has many groups. (Ref: CS-8246)

· In previous releases, when command-level auditing was enabled, "dzdo -i" failed unless the role was granted the right to run /bin/centrifyda or the audited shells. This is fixed to work with command auditing in DirectAudit v3.2.2 (Suite 2015) or newer. Note that you still need to grant command rights to /bin/centrifyda when an unknown shell is used. (Ref: CS-35465)

· Starting in this release, the Centrify OpenSSH ssh-keygen program always links with the Centrify libcrypto.so. In previous releases, depending on the order of the $LIBPATH settings, it could link to a non-Centrify libcrypto.so, resulting in missing symbols or unexpected results. (Ref: CS-8238)

· In this release, the customer's copy of /etc/dzshrc is no longer replaced with the one in the package during upgrade. (Ref: CS-35980)

· If 'compat' is listed before 'centrifydc' in the passwd section of nsswitch.conf, getent passwd <user> failed to return zoned AD user information when NSCD was running. This problem is fixed. (Ref: CS-35899)

· When an Active Directory user without root permission runs adinfo, the message "WARN  base.nocachemode Disabling the agent directory cache" was written to centrifydc.log. This problem is fixed. (Ref: CS-36444)

· This release adds a new SELinux rule for automount to avoid the intermittent automount disconnect issue. (Ref: CS-36399)

· Amazon Linux AMI is not a supported OS, but it passed adcheck and the install script in previous releases. This is now fixed. (Ref: CS-38472)

· Starting with this release, the "R" option in install.sh installs an add-on package (such as CentrifyDA or Centrify OpenSSH) if it is not already present. (Ref: CS-38529)

· In previous releases, syslog facilities other than 'auth' in the 'logger.facility.*' parameters were ignored. This release allows any syslog facility to be added, one facility per line. (Ref: CS-35902)

DirectManage Access Manager

· To support the new features in DirectManage Access Manager, %windir%\System32\Mmc.exe.config is overwritten after upgrade. The original file is backed up to %APPDATA%\DirectManage Access Manager\Mmc.exe.config. If you have customized Mmc.exe.config, you need to manually merge your changes into the new configuration file. (Ref: CS-34553, CS-38329)

· Running the "Hierarchical zone – Windows User Effective Rights" report from Report Center took a long time, or could even fail. This report is now replaced by the "Hierarchical Zone - Effective Rights Report" from Reporting Services. (Ref: CS-29910)

· In previous releases, the registry value "Notification Packages" under the registry key "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" was overwritten when the Password Synchronization Extension was installed. The value should be appended to instead; this is fixed in this release. (Ref: CS-36138)

· Instead of removing all existing members from the target group and then adding them again, the CopyGroup.exe tool now adds or removes only the members that differ from the source group. (Ref: CS-38918)

· In this release, Microsoft SQL Server Compact 3.5 is no longer installed automatically. (Ref: CS-38693)

Access Module for PowerShell

· PowerShell scripts using the Centrify Access Module may use a lot of memory if PowerShell is running in STA mode, because the COM (Component Object Model) objects used by the Centrify Access Module for PowerShell cannot be released in a timely manner. This release enables MTA mode to eliminate this problem. (Ref: CS-35744)

Group Policies

· The .NET default maxLength value for a textbox is 32767 characters, which is not enough for the sudoer content textbox of the sudo rights group policy. This release changes the maxLength to 10485760 characters. (Ref: CS-35918)

adedit

· The get_user_role_assignments command returned the error "Malformed DN" if the user's distinguished name contained whitespace. This issue is fixed. (Ref: CS-35950)

· The PAM autoedit scripts for adjoin and adleave are updated to continue even when errors are encountered during processing. The errors are reported at the end of processing. (Ref: CS-36492)

Centrify Network Information Service

· adnisd stopped functioning sporadically on AIX systems with multiple interfaces. The adnisd service would hang at times, and the ypwhich and ypcat commands on client systems returned the error "Domain not Bound". This is fixed in this release. (Ref: CS-35880, CS-35890)

Centrify LDAP Proxy

· In DirectControl agent 5.2.3, ldapsearch could find an auto-private group only through its group ID. You can now also search for the auto-private group by its group name. (Ref: CS-36468)

Centrify OpenSSH

· When doing a 'remote to remote' scp, such as 'scp host1:/path/file1 host2:/path2/file2', that requires password authentication for both hosts, the scp session failed to authenticate to the second host. This problem is fixed in this release. (Ref: CS-8240)

· If a local user added '/usr/sbin:/sbin' to its PATH environment variable, these two paths were removed from PATH when a bash shell was opened after Centrify OpenSSH was installed. This problem happened only on Red Hat Linux family operating systems and is now fixed. (Ref: CS-38398)

· Fixed an issue on HPUX where the service startup log, /etc/rc.log, reported 'FAILED' for the disabled stock ssh service. (Ref: CS-8258)

3.2.          Bugs Fixed in Centrify DirectControl 5.2.3 (Suite 2015.1)

DirectControl Agent

· The fix for CVE-2015-1546 is incorporated in the Centrify DirectControl LDAP code. (Ref: 78758)

· When the KRBTGT account password is changed in Active Directory, adclient can no longer request service tickets using the current ticket-granting ticket (TGT). Previously, adclient had to wait until the TGT expired before acquiring a new TGT from the KDC (the default TGT lifetime is 10 hours). In this release, instead of waiting for ticket expiration, adclient re-acquires the machine's TGT when there is a problem requesting a service ticket with the currently cached TGT. (Ref: 78103)

· dzdo -i / --login changes its behavior: (Ref: 78145)

In Server Suite 2015, "dzdo -i/--login" invoked the current user's login shell instead of the target runas user's login shell. This is fixed in Server Suite 2015.1 so that the target runas user's login shell is invoked. Note that you need to set up a dzdo command right to allow the user to execute the target runas user's login shell. Also, if the target runas user is audited by DirectAudit on login, the DirectAudit NSS/LAM module sets the login shell for the target runas user to /bin/centrifyda (for pre-Server Suite 2015) or …/cdax/<login_shell> (e.g., /bin/cdax/csh if the target runas user's original login shell is /bin/csh); so you need to set up a dzdo command right to allow the user to execute /bin/centrifyda (for pre-Server Suite 2015) or …/cdax/<login_shell> (e.g., /bin/cdax/csh if the target runas user's original shell is /bin/csh).

· In prior releases, if dzdo was audited by DirectAudit and any of dzdo's stdin/stdout/stderr was redirected to a pipe or a file, password input could be echoed. This bug is fixed in Server Suite 2015.1. (Ref: 76471)

· dzdo now always checks the value of the environment variable TZ and removes it from the executed command's environment if the value is considered unsafe according to CVE-2014-9680. (Ref: 77939)

· This release fixes a dzdo issue on some UNIX platforms such as Solaris, caused by the upgrade to a new sudo version in the previous Centrify DirectControl release. dzdo failed to store the user authentication timestamp data as expected and displayed the error message: "dzdo: unable to open /var/run/dzdo/<username> will clean it for next try". The issue can also be safely worked around by manually removing the problematic directory shown in that message. (Ref: 80457, 80460)

· For Solaris machines using the ZFS file system, the user's home directory was not created under a ZFS dataset when the user account was created. In this release, adclient provides a generic hook to invoke a customer script that creates the home directory. The script is specified in a new configuration parameter, pam.homedir.create.hook, in centrifydc.conf. A sample script that provides a separate ZFS dataset for each user is also included in this release. (Ref: 70209, 70569)

· adclient did not populate the users defined in a group role assignment after the object cache was flushed by the periodic object cache flush background task or by the user running the adflush command. This issue is fixed. (Ref: 69123)

· A warning message "… base.zonehier Failed to extend object for …" was logged when adclient encountered an AD object that has no extended attributes such as dNSHostName. This has been fixed since DirectControl 5.1.3 in Server Suite 2014. (Ref: 46936, 73497)

· The password_hash field in the adcache command was overridden when the catch-all filter was configured in the passwd.ovr file. This is fixed in this release. (Ref: 76678)

· When the attribute AD_PWCHG_LAST of a user object was not available, which can happen when the administrator accidentally disallows attribute read access for that user object, the password expiration group policy was applied even though the user account's password was set to "never expires". This problem is fixed in this release. (Ref: 76727)

· On AIX, previously only the DirectControl Agent could be installed in a WPAR. This release can also install the remaining components (KCM, NIS, LDAP Proxy and Centrify OpenSSH) in a WPAR. (Ref: 28634)

· On AIX, the log rotation cron job caused mail messages to be sent to system administrators. This release redirects the log rotation messages to the /var/log/centrify_logrotate.log file. (Ref: 76636, 76795)

· Core files were left behind on the system after the DirectControl agent 5.2.2 was upgraded. The system recovered and was not affected. The root cause is fixed in this release. (Ref: 79793)

· The NIS parameter securenets was not populated after upgrade. This problem is now fixed. (Ref: 78244)

· For DNS configurations that have no DNS reverse lookup zones, or whose reverse lookup zones are static, you can use the -I or --ignoreptrerr option of addns to update only the A records. (Ref: 30915)

· If a group listed in group.ignore was being indexed in the local object cache, adclient could return incorrect data to the NSS (Name Service Switch) call, resulting in a segmentation fault in the NSS library. This issue is fixed in this release. (Ref: 77636, 77637)

· The Centrify DB2 GSS plug-in (centrifydc_db2gsskrb5) failed to start. (Ref: 76268) This problem happened only on AIX, because the stock krb5 shared library was loaded instead of the Centrify updated version. This problem is now fixed.

DirectManage Access Manager

· When defining application right criteria through the import process, the IPv6 address of a remote machine is now supported. (Ref: 68956)

· When a list view contains many items, it can be hard to find a specific item. This is fixed by adding a search filtering capability. The fix affects the following UI elements (Ref: 64798):

   Classic zone:

      - PAM Access and Commands Access tab in role property pages

      - Add Privileged Commands dialog (add command to above tab page)

      - Commands tab in restricted environment property page

   Hierarchical zone:

      - Select Role dialog (create role assignments)

      - Add Rights dialog (add rights to role)

      - Effective Windows/UNIX user dialog

· The Delegation wizard previously did not grant the right to manage machine overrides. This capability is now added by allowing the following tasks to be delegated: (Ref: 34090)

o    Create machine overrides and computer roles

o    Remove machine overrides and computer roles

o    Add user and group profiles to computer

o    Remove user and group profiles from computer

o    Modify user and group profiles in computer

o    Manage role assignments in zone, computer role and computer

o    Delegate permission for machine overrides

o    Create NIS maps

Note that the "Add computer roles" and "Manage role assignments in zone" tasks have been removed and subsumed by the new tasks above.

· The Create Zone Wizard now allows users to select the standard zone type in addition to the RFC2307-compatible zone type and the SFU zone type on the Specify Zone Storage Model page. (Ref: 76562)

· On a 64-bit Windows machine, if the display specifier is already set up in the forest, opening the user/group/computer property pages in ADUC could result in an unexpected exception. This issue is fixed in this release. (Ref: 79757)

· Previously, a newly added computer role was appended to the end of the list; this release sorts computer roles alphabetically in the tree panel. The result pane is also sorted after a refresh. (Ref: 62505)

· When a user is added to a zone, its login name was not populated if the user's name contained only numbers. This problem is fixed in this release. (Ref: 63283)

· Previously, only classic zones allowed creating DirectAuthorize roles and rights with names containing '.'. This release also makes this work in hierarchical zones. (Ref: 62206)

Access Module for PowerShell

· The cmdlets Get-CdmUserProfile, Get-CdmGroupProfile and Get-CdmEffectiveUnixRight could return SFU profiles from domains other than the one specified in the "ZoneDomain" parameter. The issue is fixed in this release. (Ref: 76495)

· The timestamp for assignment changes could be updated incorrectly when a computer role or computer zone was created. The issue is fixed in this release. (Ref: 76850)

adedit

· adreport and adreport2 failed to find the role assignments in a computer role if the computer group name contained a whitespace character. This problem is fixed. (Ref: 77133)

· In previous releases, adedit could not handle the situation where the computer zone and the computer role have the same name. This problem is fixed. (Ref: 77211)

Centrify LDAP Proxy

· Fixed an issue where ldapsearch output only one page of entries if "-z 0" or "-z none" was specified or the "-z" option was omitted from the command line. (Ref: 78835)

· This release of the LDAP Proxy supports searches using wildcards. (Ref: 26721, 72033)

· The configuration parameter "require authc" is added to slapd.conf. With this change, authentication is required to access the LDAP database in an LDAP session. Note that this is a change from the default configuration in slapd.conf. (Ref: 79259)

· On the AIX platform, simple bind authentication was not supported in previous releases. It is supported in this release. (Ref: 70908)

Centrify OpenSSH

· Centrify 5.2.3 OpenSSH is upgraded to OpenSSH 6.7p1. (Ref: 72114)

· Some operating systems, such as Red Hat Enterprise Linux 7.1 and Fedora 22, use systemd to manage their services. When the Centrify SSH service was started or restarted, all AD user login sessions on the OS were killed. This problem could also happen during upgrade because the OS needs to stop the old SSH service and start the new Centrify SSH service. This release of Centrify SSH fixes this problem. Please upgrade to this version to avoid it. (Ref: 77492)

3.3.          Bugs Fixed in Centrify DirectControl 5.2.2 (Suite 2015)

DirectControl Agent

· Because the KCM server is restarted during an upgrade, the in-memory Kerberos cache credentials are lost. A warning message is now added to the upgrade log to remind users about this behavior. (Ref: 59013)

· Previously, when adflush was run without any option, the object caches were flushed. This was not a desirable default behavior. In this release, adflush only expires the object caches if no option is specified. Use the '-f' or '--force' option if you really want to flush the object caches. Note: this is a behavior change. (Ref: 61501)

· A fix has been added to adclient to handle the DNS_REFUSED error (Error Code: 5), so that you can successfully join a domain even with some caching-only DNS servers. (Ref: 56826)

· The adsendaudittrailevent command now runs only if the effective UID is 0. This prevents non-root users from generating unnecessary log messages. (Ref: 63255)

· The zone hierarchy might fail to load at adclient startup under unusual DNS conditions. Failing to load the zone hierarchy caused the sysright not to be set properly, which resulted in user login failures. This problem is now fixed. (Ref: 60104)

· If a cross-domain AD group assigned to a role was moved to another container, its DN changed. Until the AD DC automatically corrected the object references in the DirectControl zones, group members would lose the roles assigned to the AD group, and even adreload would not help. This release fixes this problem by searching for the object by its group SID. (Ref: 63746, 65530, 65691)

· If autoprivate groups are used, sporadic "No Primary Group with gid" error messages showed up in the log, more likely in large AD environments. This was caused by a race condition between a background task and the calling application. (Ref: 71090, 71103)

· Previously, a dzdo command always used the invoker's ulimits on AIX. In this release, dzdo correctly uses the runas target user's major ulimit settings for the executed commands. This is the same behavior as the stock sudo in sudo-1.8.10p3. (Ref: 63444)

· Previously, when using dzdo on HP/UX 11.31, customers got the following error message in syslog:

dzdo: hpsec: auth - illegal option use_first_pass.

This issue has been fixed. (Ref: 64168)

· In dzsh, if the cd command failed due to insufficient permission, PWD and OLDPWD were still updated as if the shell were in the target directory. This is fixed. (Ref: 58761)

· The fixhome.pl script no longer supports the '-f' option. The '-f' option was used to follow symbolic links while fixing the home directory; this is now the default behavior. When a user runs the script, all files or directories pointed to by symlinks are fixed as well. (Ref: 59014)

· On AIX, no user except root could log in if the stanza in methods.cfg contained redundant blank lines or a module name started with a whitespace character. From DirectControl 5.1.2 on, adcheck is improved to alert users about this incorrect formatting in methods.cfg. (Ref: 36849)

· On AIX, a certain LIBPATH order caused the DirectControl agent to load the wrong libcrypto library. This release always loads the libcrypto library installed by the DirectControl agent. (Ref: 68886)

· On HPUX, some local accounts with UID 0 could get locked out repeatedly. See KB-4065 for more details. This problem is now fixed. (Ref: 59156, 60948)

· When computer or user password change is disabled by setting adclient.krb5.password.change.interval: 0 or pam.allow.password.change: false respectively in centrifydc.conf, adclient no longer probes the kpasswd port 464. (Ref: 55441)

· To avoid all machines changing their machine password simultaneously, a random number within the value specified in adclient.krb5.password.change.random_offset.interval is added when computing the next update time of the machine password. (Ref: 70744)

· adinfo displayed the previously joined domain controller to a non-root user. This problem did not happen for the root user. It is now fixed. (Ref: 58208)

· adcheck is improved to ignore properly formatted swap entries in /etc/fstab to avoid unnecessary warning messages. (Ref: 61272)

· adclient crashed if /etc/group contained a line longer than 1024 characters. This problem is now fixed. (Ref: 75211)

· adclient significantly improves performance when iterating through UNIX objects. Iteration is now performed through the local cache rather than a paged search against Active Directory. (Ref: 57828)

DirectManage Access Manager

· The permission checking was incorrect when a user/group was added to or removed from an SFU zone. This has been fixed. (Ref: 60601)

· The predefined role "always permit login" is now renamed to "Rescue - always permit login". This clarifies that this role only permits the assignee to log in when running in emergency mode. (Ref: 39917)

· The column "canonical name" under zone->users is now available again. (Ref: 57662)

· Previously, Access Manager failed to launch due to its dependency on PowerShell 2.0. This issue has been fixed by (Ref: 70537):

- showing a proper error message during installation on an unsupported Windows platform.

- prompting the user to confirm the installation of the needed PowerShell 2.0.

· If a zone contained any user profile or group profile from a disconnected Active Directory domain, the Effective Windows User Rights dialog would stop working and show the error message "Object reference not set to an instance of an object". The same problem would occur if any of the roles was assigned to an AD user or AD group from the disconnected domain. This was a known issue in Centrify Server Suite 2014 and has been fixed. (Ref: 59459)

· Pending import from UNIX can now match candidates with accounts from a foreign forest. (Ref: 46142)

· When defining application right criteria through the import process, remote machines with an IPv6 link-local, multicast, or site-local address can now retrieve file details and the description of their running processes. Other IPv6 address types are not supported. (Ref: 68956)

· The "Import from UNIX" wizard now supports exact match or partial match when matching candidates. (Ref: 51146)

· The dialog for adding rights to a role now sorts the rights by name. (Ref: 40758)

· There was a warning message that a command object is not configured for a restricted role. The warning message is irrelevant because the restricted shell does not apply to local accounts. It is fixed in this release. (Ref: 42965)

· In the Effective UNIX User Rights screen, "Show omitted users" was missing users that have complete profiles but no role assignments. This problem also happened in the Effective Windows User Rights screen. This is fixed. (Ref: 40764)

· Forest analysis can detect invalid secondary user profiles even when the user's primary profile does not exist or is invalid. (Ref: 31373)

· If the auto-enrollment GP is set to "Not configured", certificate auto-enrollment was still performed. This problem happened on DirectControl agents before version 5.2.2. This is fixed. (Ref: 73278)

Access Module for PowerShell

Deployment Report

· The report file extension has been changed from '.csv' to '.txt' to prevent it from being automatically reformatted by certain spreadsheet editors. The report content remains the same. Note: as the file extension has changed, please update any affected automation scripts. (Ref: 72951)

adedit

· adedit previously used inconsistent Boolean arguments for the following five commands: set_role_field allowLocalUser, set_role_field AlwaysPermitLogin, set_zone_computer_field enabled, set_zone_group_field required and set_zone_user_field enabled. Now they all accept the following Boolean values: 1/0, y/n, yes/no, true/false. (Ref: 57180)

· adedit is now able to change the ADS_UF_PASSWD_CNT_CHANGE flag in the UserAccountControl attribute in Active Directory. (Ref: 57908)

· admigrate adds support for AIX extended attributes. (Ref: 62850)

Zone Provisioning Agent

· Previously, Windows events generated by ZPA all had the same Event ID 0. This problem has been fixed. (Ref: 55904)

· The 'Zone default value' option for UID has been changed to 'Use auto incremented UID'. The 'Zone default value' option for GID has been changed to 'Use auto incremented GID'. These changes reflect the proper default values. (Ref: 70575)

· ZPA can now resolve a user's primary group information in nested groups. The default is to resolve only the immediate group. To enable this feature, you need to set the DWORD registry key "HKLM\Software\Centrify ZPA\IncludeNestedGroups" to 1. (Ref: 51968)

· ZPA is improved to ignore leading and trailing space characters in the value field of the registry keys. (Ref: 62185)

Centrify LDAP Proxy

· CVE-2015-1546 is fixed in this release. (Ref: 78997)

Centrify OpenSSH

· Previously, sshd failed with a 'no hostkey alg' error and dropped the login if the client required the ECDSA host key algorithm, e.g., "ssh host -o HostKeyAlgorithms=ecdsa-sha2-nistp256". This issue has existed since Centrify OpenSSH 5.9p1 and could be worked around by manually generating the ECDSA host key with the command /usr/share/centrifydc/bin/ssh-keygen -q -t ecdsa -f /etc/centrifydc/ssh/ssh_host_ecdsa_key -C '' -N '' and restarting the sshd server. This issue has been fixed. Note: when upgrading to this new version, please remove the old incorrect ECDSA key file /etc/centrifydc/ssh/ssh_host_ecdsa_key first, or else the new Centrify OpenSSH will not regenerate it. (Ref: 62152)

·          On Red Hat systems, the service name shown in the sysvinit output of '/etc/init.d/centrify-sshd status' has been changed from 'sshd' to 'Centrify-openssh-daemon'. This distinguishes it from other sshd processes and avoids the unexpected 'status' result on Red Hat 5 systems. (Ref: 73425)

 

·          Centrify OpenSSH now integrates with Solaris SMF control.  (Ref: 70978, 71207)

 

·          Centrify sshd produced an extra timestamp and the meaningless "\terror" string in its syslog messages. This problem has been fixed in this release. (Ref: 67329, 67897)

 

3.4.          Bugs Fixed in Centrify DirectControl 5.2.1 (Suite 2015)

DirectControl Agent

 

·          A problem was found on 64-bit Solaris 10 where users might not be able to log in and adinfo would show 'mode: <unavailable>' even though the machine was successfully joined. This problem has been fixed. (Ref: 71202)

 

3.5.          Bugs Fixed in Centrify DirectControl 5.2.0 (Suite 2014.1)

DirectControl Agent

 

·  To avoid command-path spoofing, dzdo always resolves the full path of the command to be run and includes it in the DZCommand check performed by DirectAuthorize. The special command dzedit, which can be invoked independently of its path (run directly as 'dzdo -e file' or 'dzedit file', as opposed to 'dzdo dzedit file', which is checked against its path), is not affected by this restriction and works as expected in both forms.

 

Note: This problem has been fixed in Server Suite 2014 and is recorded here for reference purpose. (Ref: 59852)

 

·  Core dumps could occur during local AD object cache operations, specifically when adding and deleting records in the local AD object cache, which uses the open source Berkeley DB library. There was no known workaround; this problem has been fixed. (Ref: 63761)

 

·  A role associated with more than 1500 rights could not retrieve or list all of its rights. There was no known workaround; this problem has been fixed. (Ref: 63880)

 

·  On Solaris 10, adnisd did not start on zone reboot if either the passwd or the group map was excluded, e.g. "nisd.exclude.maps: passwd group", because the adnisd startup script unnecessarily checked for the passwd and group maps and refused to start if they were absent. This problem has been fixed. (Ref: 60446)

 

·  On AIX, a background thread in adclient might consume unnecessary CPU cycles when processing user/group attributes if a network failure occurred during the operation. This problem has been fixed. (Ref: 61008)

 

·  Previously the group policy logic might create folders and files, e.g. Previous.pol, Local.pol and Registry.pol, with incorrect permissions. These files and folders should grant access to the root user only, i.e. mode 0600 for files and 0700 for folders. This problem has been fixed. (Ref: 63506)
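A quick way to confirm those modes on an upgraded host is the following Python audit. It is an added example, not Centrify code: it walks a directory you name (the note does not say where the .pol files live, so the location is an assumption passed in by the caller) and reports any of the named policy files that grant more than 0600, any directory that grants more than 0700, and anything not owned by the expected uid (root by default). The self-check builds a constructed temporary tree so it runs unprivileged.

```python
"""Audit group policy files and folders for root-only permissions.
Added example, not Centrify code."""
import os
import stat
import tempfile

POLICY_FILES = ("Previous.pol", "Local.pol", "Registry.pol")  # named in the note
FILE_MODE = 0o600   # files: owner read/write only
DIR_MODE = 0o700    # folders: owner only


def check_path(path, allowed_mode, expected_uid=0):
    """Findings for one path; an empty list means it is acceptable."""
    st = os.lstat(path)
    findings = []
    perm = stat.S_IMODE(st.st_mode)
    if perm & ~allowed_mode:      # any bit outside the allowed mask is a finding
        findings.append(f"{path}: mode {perm:04o} exceeds {allowed_mode:04o}")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return findings


def audit_policy_tree(root, expected_uid=0):
    """Walk `root` (assumed to be the directory holding the .pol files) and
    return every finding. Directories are checked at every level; files only
    if they are one of the policy files named in the release note."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        findings += check_path(dirpath, DIR_MODE, expected_uid)
        for name in filenames:
            if name in POLICY_FILES:
                findings += check_path(os.path.join(dirpath, name), FILE_MODE, expected_uid)
    return findings


def demo():
    """Constructed sample tree: one good file, one loose file, one loose dir.
    Uses the current uid as the expected owner so it runs unprivileged."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o700)
    loose_dir = os.path.join(root, "loose")
    os.mkdir(loose_dir)
    os.chmod(loose_dir, 0o755)
    for name, mode in (("Local.pol", 0o600), ("Registry.pol", 0o644)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return audit_policy_tree(root, expected_uid=os.getuid())


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host run audit_policy_tree against the policy directory as root with the default expected_uid of 0; an empty result means every directory is 0700 or tighter, every named .pol file is 0600 or tighter, and all are root-owned.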

 

·  Starting from version 5.1.1, the /usr/share/centrifydc/bin/centrifydc script might hang on Solaris 10 or later if the machine was in single-user mode, which could be a problem when upgrading DirectControl in single-user mode. This problem has been fixed. (Ref: 62786)

 

·  Smart card login failed on RHEL when the smart card's UPN prefix differed from the samAccountName. This problem has been fixed. (Ref: 64519)

DirectManage Access Manager

 

·  Previously the Access Manager Group Report might crash or show no entries due to a bug in the object cache. This problem has been fixed. (Ref: 62702)

 

·  The auto private group was mistakenly used as the user's primary group GID when adding a user with Access Manager. This issue has been fixed. (Ref: 64088)

adedit

 

·        Under certain conditions, e.g. when the stack size is set to a high value, running adedit on AIX might fail with the error 'Unable to initialize tcl environment'. This problem has been fixed by applying the corresponding Tcl patch. (Ref: 61760)

Centrify OpenSSH

 

·  Previously, if dzssh checking was enabled, Centrify sshd (through dzsshchk) only checked for the 'dzssh-scp' right for any scp request. Now it also checks for the 'dzssh-exec' right if the scp request has the -S option set; otherwise it checks only the 'dzssh-scp' right, as before. (Ref: 60288)

 

4.     Known Issues

 

The following sections describe common known issues or limitations associated with this Centrify Server Suite release; they are categorized as follows:

 

- DirectManage Access Manager

- Group policies

- Zone Provisioning Agent

- DirectControl Agent

- Centrify NIS server (adnisd)

- Centrify Network Information Service

- Centrify LDAP Proxy

- Smart Card

- Zone Migration

- Interoperability with Centrify Samba

- Deployment Report

 

In addition to the known issues described in these sections, you should review the appropriate platform-specific release-notes-agent.txt file for the operating environments you support.

 

For the most up-to-date list of known issues, please log in to the Customer Support Portal at http://www.centrify.com/support and refer to the Knowledge Base articles for any known issues with the release.

DirectControl Agent

 

·          Centrify MFA Compatibility Issues with Linux GUI Desktop

 

Some versions of Linux desktop GUIs are not compatible with the additional user interaction required for MFA. The following are some examples:

 

o    On systems such as RHEL 5 that use an old version of gdmgreeter, the MFA challenge message may be overlapped by the username/password input box. To avoid this issue, change the positions of the "user-pw-entry" and "pam-prompt" entries in the theme file /usr/share/gdm/themes/RHEL/RHEL.xml, or install and configure gdm login to use a newer gdm-simple-greeter such as gdm-2.24.0-24.101.19. (Ref: CS-38946)

o    On Linux distributions such as SLES 11 SP3 that use an old gdm-simple-greeter for console login authentication, incorrect behavior in that program causes MFA login to fail. SLES 11 SP4 has fixed this issue. (Ref: CS-38898)

o    On systems such as SLES 11 where screen unlock is handled by the program unix2_chkpwd, users will not be challenged for MFA when they unlock the screen. (Ref: CS-38896)

o    On systems such as SLES 10 where screen unlock is handled by the program gnome-screensaver, some versions of gnome-screensaver cannot handle the additional challenge/response interaction required for MFA and hang during unlock. In this case, add 'gnome-screensav' to the pam.mfa.program.ignore list in centrifydc.conf to disable MFA for this screen saver. (Ref: CS-39220)

o    On systems such as Ubuntu 15.04 where screen unlock is handled by the program compiz, MFA does not work because compiz does not support the additional challenge/response interaction. Add 'compiz' to the "pam.mfa.program.ignore" list in centrifydc.conf to disable MFA for this program. (Ref: CS-38891)

o    MFA is disabled in the KDE Display Manager (kdm) environment on openSUSE due to issues with the native generic plugin module. Please refer to the following links:

https://bugs.kde.org/show_bug.cgi?id=329523

https://bugs.kde.org/show_bug.cgi?id=105631

(Ref: CS-38898)

If you modify the "pam.mfa.program.ignore" parameter in centrifydc.conf, note that the value you set replaces the default list, so you must include the default values in the parameter. The default list is "vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd". For example, to add compiz to this list, the line should be:

pam.mfa.program.ignore: vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd compiz

Please check with Centrify Support if you need more information about Linux desktop (especially screensaver) compatibility issues.
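The override rule above (the value replaces the default list, so the defaults must be repeated) is easy to get wrong by hand. The following Python helper is an added example, not Centrify code: it reads centrifydc.conf text, keeps whatever pam.mfa.program.ignore entries are already active, restores any of the quoted defaults that are missing, appends the new program and writes back a single active line. The configuration text it operates on is constructed; it assumes the "name: value" line format shown above (accepting "=" as well is an assumption) and refuses to guess if the file contains more than one active setting for the parameter.

```python
"""Append a program to pam.mfa.program.ignore in centrifydc.conf without
losing the default entries. Added example, not Centrify code."""
import re

PARAM = "pam.mfa.program.ignore"
# Default value as quoted in the release notes; an explicit setting replaces
# the whole list, so these must be repeated in any override.
DEFAULT_IGNORE = ("vsftpd", "java", "httpd", "cdc_chkpwd", "kdm", "unix2_chkpwd")

# "name: value" as shown in the notes; "=" is accepted too (assumption).
_SETTING = re.compile(
    r"^\s*(?P<comment>#\s*)?" + re.escape(PARAM) + r"\s*[:=]\s*(?P<value>.*?)\s*$"
)


def _active_setting_lines(lines):
    """Indexes of uncommented lines that set the parameter."""
    found = []
    for i, line in enumerate(lines):
        m = _SETTING.match(line)
        if m and not m.group("comment"):
            found.append(i)
    return found


def effective_ignore_list(conf_text):
    """The list adclient will use: the active setting, else the defaults."""
    lines = conf_text.splitlines()
    active = _active_setting_lines(lines)
    if not active:
        return list(DEFAULT_IGNORE)
    if len(active) > 1:
        raise ValueError(f"{PARAM} is set {len(active)} times; fix the file first")
    return _SETTING.match(lines[active[0]]).group("value").split()


def add_ignored_program(conf_text, program):
    """Return (new_conf_text, resulting_list) with `program` ignored for MFA.

    Existing entries keep their order, missing defaults are restored, and the
    new program goes last, matching the example line in the release notes.
    """
    if not program or any(ch.isspace() for ch in program):
        raise ValueError("program must be a single whitespace-free name")
    merged = []
    for name in (*effective_ignore_list(conf_text), *DEFAULT_IGNORE, program):
        if name not in merged:
            merged.append(name)
    new_line = f"{PARAM}: {' '.join(merged)}"
    lines = conf_text.splitlines()
    active = _active_setting_lines(lines)
    if active:
        lines[active[0]] = new_line      # rewrite the existing setting in place
    else:
        lines.append(new_line)           # defaults were implicit; make them explicit
    return "\n".join(lines) + "\n", merged


if __name__ == "__main__":
    # Constructed sample: the parameter is present only as a comment, so the
    # defaults are in force and must be written out alongside the new entry.
    sample = "# pam.mfa.program.ignore: vsftpd\nadclient.client.idle.timeout: 600\n"
    text, result = add_ignored_program(sample, "compiz")
    print(text)
```

Running it on the constructed sample yields the exact line quoted above ("pam.mfa.program.ignore: vsftpd java httpd cdc_chkpwd kdm unix2_chkpwd compiz"); running it again for gnome-screensav extends that same line rather than adding a second one.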

 

·         A smart card user logging in with a PIN is not authenticated by MFA. (Ref: CS-38641)

 

·         Local account management is not supported on HP-UX trusted mode. (Ref: CS-38396b)

 

·         Centrify Privilege Service (CPS) cannot manage the password of a user for whom MFA is required at login. You can still add an MFA-required user account to a CPS resource, with "Manage this password" unchecked, and log in from CPS. However, you may see the status shown as "Failed" due to system delay; if the operation succeeded, no status is shown for this user. (Ref: CS-38767)

 

·          Issue with RHEL 7 (Ref: CS-33833a)

 

DirectControl is supported on RHEL 7. However, due to a RHEL 7 issue, you need to reboot the machine or run the following commands from an ssh session to make GDM UI login work.

$ sudo systemctl restart messagebus

$ sudo systemctl restart gdm

 

·          pam.allow.override does not work on AIX (Ref: CS-33506a)

  

This is because a username with the @localhost suffix is not supported on AIX. The LAMGetEntry call used to get user information and extended attribute information does not support a changed login name, so the login fails because there is no way to find or authenticate the user.

 

·          Issue on interoperability with DirectAudit (Ref: CS-33803a)

  

In DirectAudit 2.x, there is a configuration parameter ‘dash.user.alwaysallowed.list’ in centrifyda.conf that holds a list of users who can start a session even when the DirectAudit agent cannot perform auditing. However, this parameter is not honored by the DirectControl agent when DirectAudit is not functional.

 

In DirectAudit 3.x, a better solution is implemented using the "rescue/always permit login" sysright. This sysright is honored by both DirectControl and DirectAudit and obsoletes 'dash.user.alwaysallowed.list'. Hence, when upgrading from DirectAudit 2.x to DirectAudit 3.x, assign the users in 'dash.user.alwaysallowed.list' to a role carrying the "always permit login" sysright (if any of these users have "audit required" in their roles).

 

·          On AIX, upgrading DirectControl in disconnected mode may cause unexpected behavior (Ref: CS-30494a)

 

On AIX, upgrading DirectControl from 5.0.2 or an older version in disconnected mode may cause unexpected behavior; the centrifydc service may be down after the upgrade. It is recommended not to upgrade DirectControl in disconnected mode.

 

·          On some versions of AIX, user may not be able to login if LOGIN_NAME_MAX is set to 9 (Ref: CS-30789a)

 

Some versions of AIX cannot handle user names longer than eight characters. As a preventive measure, a new test case has been added to adcheck that checks whether LOGIN_NAME_MAX is set to 9. If so, adcheck shows a warning so that users understand the potential risk and can decide whether it is a problem in their environment.

 

·          On Solaris 8 and 9, user may fail to install DirectControl due to Perl not installed (Ref: CS-31298a)

 

Some versions of Solaris, e.g. 8 and 9, may not have Perl 5.8 or later pre-installed, so some DirectControl features, e.g. group policy, do not run properly. Starting from DirectControl 5.1.1, adcheck enforces the check for the correct Perl version; if Perl is not 5.8 or later, adcheck fails the test case. The user must install a suitable Perl version before deploying the DirectControl agent.

 

·          On HP-UX 11.11 and 11.23, KCM server credential support may not work due to missing libc patches, resulting in some features not working, e.g. AD users cannot access a Samba server. (Ref: CS-32187a)

 

On HP-UX 11.11 the patch PHCO_36184 is required, and on HP-UX 11.23 the patch PHCO_35744 is required. As a preventive measure, a new test case has been added to adcheck that checks whether the required patch is present. If it is not, adcheck reports the failed test case and advises installing the required patch before deploying the DirectControl agent.

  

·          PAM messages depend on operating system (Ref: CS-16710c)

 

Configurable PAM messages from pam.account.locked.mesg parameter in centrifydc.conf may not be shown depending on the login method, daemon version and operating system version.

 

·          Cross-forest groups are not supported in the pam.allow.groups or pam.deny.groups property settings. (Ref: CS-18659a)

 

·          Working with adclient.client.idle.timeout (Ref: CS-18792c)

 

This property is only read at startup, so if it is changed, adclient must be restarted. There is a group policy setting for this property, but changing it has no effect until adclient is restarted on the affected machines.

 

·          Use of addns on computers that act as network gateways (Ref: CS-20319c)

 

UNIX computers that act as gateways between different networks may require the addns command line to be specified so that the correct network adapter IP address is registered in Active Directory's DNS. Set the adclient.dynamic.dns.command property in /etc/centrifydc/centrifydc.conf to the addns command line necessary to select the correct network interface and IP address.

 

·          Working with users defined in a Kerberos realm (Ref: CS-21846a)

 

DirectControl supports users defined in a Kerberos realm as long as the Kerberos domains / realms are resolvable by DNS. Kerberos realm names are case sensitive, so care should be taken to check the spelling / case of any realm used.

 

·          Use of rsh and rcp with DirectControl (Ref: CS-22172c, CS-21523c)

 

rsh and rcp are considered archaic methods and should not be used with DirectControl as their behavior cannot be guaranteed in all circumstances.

 

·          adedit cannot create AIX extended attributes in a SFU zone (Ref: CS-25392c)

 

·          Failed to login as override user with NSCD running (Ref: CS-29816c)

 

On Solaris, with NSCD running, attempt to login as override user using <username>@localhost fails.

  

·          Potential issues on Fedora 19 and above (Ref: CS-31549a, CS-31730a)

 

There are several potential issues on Fedora 19 and above:

1)  Adcheck will fail if the machine does not have Perl installed.

2)  Group Policy will not be fully functional unless Text/ParseWords.pm is installed.

 

·          Using DirectControl 4.x agents with DirectControl 5.x (Ref: IN-90001)

 

DirectControl 4.x agents can join classic zones created by DirectControl 5.x. It may also appear possible to join a DirectControl 4.x agent to a hierarchical zone, but this causes failures later because such behavior is undefined.

 

 

·          Some non-alphanumeric characters are valid in Windows user or group names and are converted to underscores ("_") when the name is converted to a UNIX name in Access Manager, but they cannot be used in adedit. (Ref: IN-90001)

 

The list is:

\ ( ) + ; " , < > =

  

·          Default zone not used in DirectControl 5.x (Ref: IN-90001)

 

In DirectControl 4.x and earlier there was a concept of a default zone. When DirectControl was installed, a default zone could be created that was used whenever no zone was specified; if no zone was given when joining a domain with adjoin, the default zone was used.

 

This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.

 

A zone called "default" may be created, and default zones created in earlier versions of DirectControl may be used, but the name must be explicitly used.

 

·          Change password and rsh / rlogin (Ref: IN-90001)

 

When using rsh or rlogin to access a computer that has DirectControl installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted and the password is successfully changed.

 

·          Changing the password of an orphan user with adpasswd (Ref: IN-90001)

 

adpasswd should not be used to change the password of an orphan user.  If it is used, an error will be generated as follows:

 

Error: Unsuccessful IPC execute: system error

 

·          Working with /var mounted via NFS (Ref: IN-90009)

 

The directory /var should not be NFS mounted or else DirectControl may not work properly.

 

·          nss.minuid and nss.mingid are no longer used (Ref: IN-90009)

 

These have been replaced by user.ignore and group.ignore. DirectControl ignores the local UID and GID values corresponding to the users and groups in the .ignore files and generates uid.ignore and gid.ignore files. The values from nss.minuid and nss.mingid are added to these files during the upgrade process.

 

·          When logging into a RedHat system using an Active Directory user that has the same name as a local user, the system will not warn the user of the conflict, which will result in unpredictable login behavior. The workaround is to remove the conflict or login with a different AD user. (Ref: CS-28940a, CS-28941a)

·          AD and all clients should have the same time zone setting. Otherwise, when daylight saving time takes effect and adclient.logonhours.local.enforcement is true, users may not be able to log in from clients during the permitted "Logon Hours" period. (Ref: CS-33553a)


  

   DirectAuthorize on Linux/UNIX

 

·          Use of common UNIX commands with DirectAuthorize restricted shells

 

The DirectAuthorize restricted shell restricts users to a predetermined set of commands; however, several common UNIX commands may allow users to execute commands that are not allowed in the restricted shell. The following list provides general guidance and specific examples of the issues to consider:

 

- The man command (Ref: CS-19538a)

 

When adding a privileged command for the man command in a restricted environment, Centrify recommends:

 

* Select Reset Environment Variables, so that users can use only the default pager.

 

* Disallow the -P, -C, -B and -H options, so that users can use only the default pager and man configuration file, by adding the following commands in addition to the command for man:

 

!man -[PCBH]*

!man * -[PCBH]*

 

The PAGER and MANPAGER environment variables and the -P, -C, -B and -H options can allow a user to run a command not permitted by DirectAuthorize in the restricted environment.

 

- The Allow nested command execution option (Ref: CS-19826a)

 

The Allow nested command execution checkbox on the Attributes tab of the property page for a privileged command allows the privileged command to execute another command. This option is deselected by default (so the command is not allowed to execute other commands), but not all operating systems honor this restriction:

 

Solaris           Honored in all cases

AIX 5.3, 6.1, 7.1 Honored except if a program is seteuid

HP-UX             Honored except if a program is seteuid

Linux             Honored except if a program is seteuid and the Run As... user is not root

 

- The tar command (Ref: CS-19939a)

 

When adding the tar command to a restricted environment, Centrify recommends adding the following commands, in addition to the tar command itself, to block the --use-compress-program option:

 

!tar --use-compress-program*

!tar * --use-compress-program*

 

This prevents the user from using the --use-compress-program option to run other commands not allowed in the restricted environment.

 

- cron jobs (Ref: CS-19940a)

 

Cron jobs are run by the cron daemon, which has no dzsh restrictions, meaning that any restrictions placed on the user who created the cron job are not in force when the job itself runs.

 

For this reason, Centrify recommends that users who run in the dzsh restricted shell are not given access to the crontab command.

 

- Editors that allow shell escapes (Ref: CS-19942a)

 

When adding the vi or view command to a restricted shell, the command's shell escape feature can allow the user to execute a command not allowed in the restricted shell.

 

In addition, the perl, python and ruby support in vim, if compiled in, can allow a user to execute a command not allowed in the restricted shell. To check whether your vim has perl, python or ruby support, run vim --version and look for +perl, +python or +ruby.

 

Centrify recommends the following:

 

* Configure the command to not allow nested command execution (this is the default) to prevent shell escapes

 

* Use the rvi or rview command instead if available.

 

vim is used as an example here; this applies to any other editor that can escape to the shell and/or includes scripting language support.

 

- The rsync command (Ref: CS-19944a)

 

When adding the rsync command to a restricted environment, Centrify recommends adding the following commands, in addition to the rsync command itself, to block the -e and --rsh options:

 

!rsync -e*

!rsync * -e*

!rsync --rsh*

!rsync * --rsh*

 

This prevents the user from using the -e or --rsh options to run commands not allowed in the restricted environment.

 

·          Cannot add cross domain or cross forest users to roles in classic zone (Ref: IN-90001)

 

DirectAuthorize does not currently support adding users from other domains into roles when the domain controllers are running Windows Server 2003 with security update 926122 or Service Pack 2. This is a Microsoft issue, and a hotfix is available to install on computers running the DirectAuthorize console that need to operate in these domains. More information may be found here:

 

http://support.microsoft.com/kb/943875

 

·          Cannot add cross forest groups to a role in classic zones (Ref: IN-90001)

 

DirectAuthorize does not support adding groups from a trusted forest into roles at this time; all groups added to roles should be defined in the local forest. However, users from a trusted forest may be added to groups in the local forest and then added to a role, or they may be directly added to a role.

 

·          DirectAuthorize reports do not include users in remote forest (Ref: IN-90001)

 

In this release the "Classic Zone - User Role Assignments Grouped by Zone" and “Classic Zone - User Privilege Command Rights Grouped by Zone" reports only show users in the local forest; any users in remote (trusted) forests are not included in the report.

 

·          UI elements occasionally do not appear when expected (Ref: IN-90009)

 

On occasion, the DirectAuthorize console does not show the expected results, or nodes do not appear in the tree on the left side of the console screen. When this happens, choose Refresh from the right-click menu and the screen should refresh to show the expected results. If this does not fix the problem, choose Refresh from the next higher point up the tree from where you expect the result to be shown and that should cure the problem.

 

   DirectControl Auto Zone mode

 

·          One-way cross forest trusts are not supported in Auto Zone mode (Ref: AG-0403)

 

   Smart Card

 

·          There is a Red Hat desktop selection issue on RHEL 7 with smart card login. When logging in with a smart card, if both the GNOME and KDE desktops are installed, the user can only log into the GNOME desktop even when the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)

 

·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smart card is inserted at the login screen, the PIN prompt may not appear until you press Enter. Workaround: replace libsoftokn3.so, a shared object in the NSS package, with the older version from RHEL 5.9. (Ref: CS-35038a)

 

·          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after logging in with the smart card. Workaround: replace libsoftokn3.so, a shared object in the NSS package, with the older version from RHEL 5.9. (Ref: CS-33871a)

 

·          When a SmartCard user attempts to login on Red Hat 6.0 with a password that has expired, the authentication error message may not mention that authentication has failed due to an expired password. (Ref: CS-28305a)

 

·          On Red Hat, any smart card user gets a PIN prompt even if the user is not zoned, although the login attempt ultimately fails. This differs from Mac behavior: on Mac, a smart card user who is not zoned is not prompted for a PIN at all. (Ref: CS-33175c)

 

·          If a SmartCard user's Active Directory password expires while in disconnected mode, the user may still be able to log into their machine using their expired password. This is not a usual case, as secure SmartCard AD environments usually do not allow both PIN and Password logins while using a Smart Card. (Ref: CS-28926a )

 

·          In order to login successfully in disconnected mode (Ref: CS-29111a):

o   For a password user:

§  A password user must log in successfully once in connected mode prior to logging in using disconnected mode. (This is consistent with other CDC Unix behavior)

o   For a SmartCard user:

§  The above is not true of SmartCard login. Given a properly configured RedHat system with valid certificate trust chain and CRL set up, a SmartCard user may successfully login using disconnected mode even without prior successful logins in connected mode.

§  If certificate trust chain is not configured properly on the RedHat system, the SmartCard user's login attempt will fail.

§  If the SmartCard user's login certificate has been revoked, and the RedHat system has a valid CRL that includes this certificate, then the system will reject the user.

 

·          After upgrading from Centrify DirectControl version 5.0.4 to version 5.1, a Smartcard user may not be able to login successfully. The workaround is to run the following CLI commands:

 

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

 

then run adgpupdate. (Ref: CS-30025c)

 

·          When CRL checking is set via group policy and a user attempts to authenticate via smart card, authentication may fail. The workaround is to wait until the next group policy update interval has passed and try again, or to force an immediate group policy update by running the CLI command adgpupdate. (Ref: CS-30090c)

 

·          After upgrading from Centrify DirectControl Version 5.0.4 to version 5.1.1, a SmartCard user may not be able to authenticate successfully. The workaround is to perform the following command sequence:

 

sctool -d

sctool -e

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

adgpupdate

 

and then re-login using the SmartCard and PIN. (Ref: CS-30353c)

 

·          A name-mapping user can unlock screen with password even though the previous login was with PIN. (Ref: CS-31364b)

 

·          The PIN must be entered twice to log in using a CAC card with a PIN on Red Hat. The first attempt fails but the second succeeds. (Ref: CS-30551c)

 

·          Running "sctool -D" as a normal user gives a wrong CRL check result. The workaround is to run it as root. (Ref: CS-31357b)

·         Screen saver shows password not PIN prompt (Ref: CS-31559a)

Most smart card users are allowed to log on with a smart card and PIN only and cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this set up works seamlessly: the user either enters a user name and password at the log on prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached.

On RHEL 7, an Active Directory user authenticated via smart card cannot log in again if the smart card is removed. This is due to a bug in RHEL 7, https://bugzilla.redhat.com/show_bug.cgi?id=1238342. This problem does not happen on RHEL 6. (Ref: CSSSUP-6914c)

 

    DirectManage Access Manager

 

·          After upgrading Access Manager from Centrify Server Suite 2013 to Centrify Server Suite 2014, the category screen in Windows 8 or Windows Server 2012 still does not show "Centrify Server Suite 2014". The change takes effect after a reboot. (Ref: CS-32951a)

 

·          Import users and groups before importing sudoers file (Ref: IN-90001)

 

Sudoers import creates user roles but not the users. Import users and groups before importing the sudoers file; otherwise no sysrights are created for the users.

 

·          Pre-create computers before importing computer role from sudoers file (Ref: IN-90001)


The computers contained in the sudoers file must either be joined to a zone or pre-created. 

 

·          Delegating zone administration permissions for SFU zones (Ref: IN-90001)

 

Delegating permissions to add, remove or modify users for an SFU zone is not supported.

 

·          Users with rights to import user and groups into a zone also gain rights to modify profiles (Ref: IN-90001)

 

Any users who are given the right to "Import users and groups to zone" are automatically also given the right to "Modify user/group profiles".

 

·          Using domain local groups to manage resources (Ref: IN-90001)

 

Domain local groups can only be used to manage resources in the same domain as the group. So, for instance, a domain local group in domain A may be used to manage a computer in domain A but not one in domain B, despite a trust relationship between the two domains.

 

·          Domain local groups from other domains shown in search dialog (Ref: IN-90001)

 

When using the search dialog in the Access Manager to delegate zone control to a group, domain local groups from child domains will be shown incorrectly in the results and should be ignored. The search results when using the ADUC extension do not show these domain local groups.

 

·          Analyze forest and SFU zones (Ref: IN-90001)

 

The analyze forest feature in the Access Manager does not report empty zones or duplicated users or groups in a SFU zone.

 

·          Working with users that have more than one UNIX mapping (Ref: IN-90001)

 

DirectControl supports Active Directory users that have more than one UNIX profile in a zone. However, if you are upgrading from DirectControl 4.x or earlier and have existing users with more than one UNIX mapping, you should use DirectControl Access Manager 5.0.0 or later to remove all but one of the UNIX profiles for each of these AD users and then re-add them.

 

In addition, you should always use DirectControl console 5.0.0 or later when modifying these users.

 

·          In the Centrify Profile tab of the Properties page of a computer joined to a hierarchical zone, you cannot move this computer to a classic zone. Nor can you move it to a zone in another domain. There are no such limitations with a computer joined to a classic zone. (Ref: IN-90001)

 

·          Extra results when analyzing duplicate service principal names (Ref: IN-90001)

 

When running the Analyze / Duplicate Service Principal Names report, kadmin/changepw is incorrectly returned as a duplicate.  The SPN is actually found multiple times, but this is by Microsoft design as it is the default account for the Key Distribution Center service in all domains.

  

·          Secondary groups not imported from XML files (Ref: IN-90009)

 

Using the Import Wizard to import user information from XML files does not import secondary group membership.

  

·          Application rights created by the Centrify Server Suite 2014 Access Manager console cannot be used by the Suite 2013 Windows Agent. (Ref: CS-32653a)

 

·          DirectManage Password Synchronization Extension does not remove the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_<GUID> registry key during an upgrade from Suite 2013 or earlier on Windows Server 2008 R2 Server Core. (Ref: CS-36520)

Report Center

 

·          Color and font change in Report Center occasionally fails (Ref: IN-90009)

 

Changing the font or colors in a report occasionally fails, even though the Format dialog shows the chosen font and colors at the time they are selected. Re-opening the Format dialog and setting the color and/or font again applies the choices to the report correctly.

Report Services

 

·          If you run Report Services with Microsoft SQL Server 2012 Service Pack 2 and Visual Studio 2010 on the same system, update Visual Studio 2010 to Service Pack 1. (Ref: CS-38553)

 

·          When Centrify Report Services is installed with the Microsoft SQL Server 2008 R2 Express Advanced package included in the ISO image, the Windows event log fills with events from MSSQL Server every 10 minutes. The event ID is 17137 and the message is "Starting up database ReportServer$<ReportServerDBName>TempDB". This is a SQL Server issue; see the following article. (Ref: CS-39053)

 

https://social.msdn.microsoft.com/Forums/en-US/1bff29a0-4315-4f7a-af07-0b1c18ff0d2b/numerous-every-10-minutes-event-log-entries

 

·          The error "The server is unwilling to process the request" may occur during synchronization from Active Directory if memory is low on the domain controller. Follow the Microsoft capacity planning article below for the minimum amount of RAM. (Ref: CS-36412)

 

http://social.technet.microsoft.com/wiki/contents/articles/14355.capacity-planning-for-active-directory-domain-services.aspx 

Access Module for PowerShell

·          On a Windows Server Core environment, the Access Module for PowerShell must be installed in silent mode because the installer UI is not available there. Check the process exit code to determine whether the installation succeeded or failed. (Ref: CS-33696a)

 

Zone Migration

 

·          admigrate does not migrate classic SFU zones. (Ref: CS-28289a)

 

·          admigrate does not migrate zone delegation rights. (Ref: IN-90002)

 

Group policies

 

·          On certain OS platforms you may see the warning message "…Kerberos credentials not found for current user." in syslog when cron jobs run. The cause is the line "session    include    system-auth" in /etc/pam.d/crond: it makes cron open a PAM session, which triggers group policy processing, and that processing fails to find Kerberos credentials because a cron job is not a real login. A workaround is to comment out that line to avoid the unnecessary warning. Note that the same include also brings in any other session modules listed in system-auth, so check what else that line provides on your platform before removing it. (Ref: CS-34452a)
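The workaround above is a one-line change to a PAM service file, but it is easy to get wrong by hand (commenting out the wrong include, or doing it twice on a host that is already patched). The following is an added example, not code from the Centrify release notes or from the product, that applies the change safely: it only touches an active "session include system-auth" line, keeps a .bak copy, leaves every other line intact, and is a no-op on a second run. The sample PAM file it operates on is constructed for illustration; on a real host the target would be /etc/pam.d/crond.

```shell
#!/bin/sh
# Added example, not part of the Centrify release notes.  Applies the
# workaround described above to a PAM service file by commenting out the one
# "session include system-auth" line.  Everything else in the file is left
# alone, a .bak copy is kept, and running it twice is a no-op.  The file used
# below is a constructed sample; on a real host the target is /etc/pam.d/crond.

# Matches an active (uncommented) "session include system-auth" line; the
# type, control and module fields may be separated by any amount of whitespace.
PAM_LINE_RE='^[[:space:]]*session[[:space:]][[:space:]]*include[[:space:]][[:space:]]*system-auth[[:space:]]*$'

# has_session_include FILE -> exit status 0 if the line is still active
has_session_include() {
    grep -q "$PAM_LINE_RE" "$1"
}

# disable_session_include FILE -> comment the line out in place, keeping FILE.bak
disable_session_include() {
    f=$1
    has_session_include "$f" || return 0     # already disabled or absent: nothing to do
    cp -p "$f" "$f.bak"
    sed "/$PAM_LINE_RE/s/^/#/" "$f.bak" > "$f"
}

# Walkthrough on a constructed file modelled on a typical crond service file.
sample=$(mktemp) || exit 1
cat > "$sample" <<'EOF'
#%PAM-1.0
auth       required   pam_env.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so
session    include    system-auth
EOF
disable_session_include "$sample"
echo "after workaround:"
cat "$sample"
rm -f "$sample" "$sample.bak"
```

Only the session include is disabled; the auth and account includes remain, so cron jobs are still subject to account checks such as pam_access. Before rolling this out, read the session section of system-auth on the target platform to confirm you are not losing a module (pam_limits, for example) that your cron jobs depend on.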

 

·          Four group policies (run command, sudo, crontab entries and Linux firewall) can merge the lines from different GPOs into a single resulting policy. For the policies to merge, the policy in each GPO must be enforced. Lines from policies with higher precedence are placed lower in the resulting multi-line policy. (Ref: CS-21048a)

 

·          Entering multi-line password prompt group policies (Ref: CS-26243c)

 

Multi-line group policies are supported; however, each line break must be entered as the escaped newline sequence "\\n".

 

·          Checking the location of the Perl environment (Ref: CS-31258a)

 

DirectControl group policies require a version of Perl to be installed and available in the path. If Perl is not found in the path, or has been installed in a non-standard location, you may encounter errors when you attempt to set group policies or leave the domain. If Perl is installed on the local computer but not included in the path by default, you can edit the shell script /usr/share/centrifydc/perl/run and add the correct directory to the front of the PERL_DIRS environment variable.

 

·          Disable does not function with “Allow Groups” group policy (Ref: IN-90001)

 

Disabling the group policy Computer Configuration > Centrify Settings > Centrify SSH Settings > Allow Groups does not disable the policy. To stop allowing a group of users, remove that group from the Group Policy Object instead.

 

Centrify Network Information Service

 

·          A problem with the start-up and kill sequence of adnisd relative to ypbind during system start-up and shutdown has been fixed. A new installation of CentrifyDC-nis runs chkconfig and the sequence is updated automatically. An upgrade of CentrifyDC-nis, however, does not run chkconfig, so that any modification made to the start-up or kill sequence by system administrators is preserved. Run "chkconfig adnisd on" after the upgrade if the system default is preferred. (Ref: CS-32321a)

 

·          adnisd daemon fails to start on WPAR (Ref: CS-30588c)

 

The adnisd service is not currently defined in the WPAR.

 

Centrify LDAP Proxy

  

·          Require the prefix “auto” in the automount map (Ref: IN-90001)

 

If an automount map created with a 4.x or earlier version of the DirectControl Console has a name that does not start with the string "auto" (for example auto.home, auto_master or auto_net), it will not be recognized by this release of the DirectControl LDAP Proxy as an automount map. Automount maps whose names do not start with "auto" must be exported and re-imported using this version of the DirectControl Console or adedit.

 

Centrify OpenSSH

 

·          Starting from version 5.1.2, Centrify OpenSSH requires DirectControl version 5.1.2 or above. (Ref: CS-8100a)

 

·          On AIX platform, Centrify OpenSSH releases prior to version 5.2.3 are not compatible with DirectControl agent version 5.2.3 and later. (Ref: CS-8232a)

 

·          Prior to version 6.7, stock OpenSSH performs the initial key exchange using the "diffie-hellman-group1-sha1" method. In version 6.7 (and hence in Centrify OpenSSH 5.2.3, which is based on stock OpenSSH 6.7), the default set of ciphers and MACs (Message Authentication Codes) was changed to remove unsafe algorithms, so SSH clients that still use the original settings may fail to log in. Note that some modern operating systems, such as Ubuntu 15.04, ship OpenSSH 6.7 by default. Centrify's Deployment Manager in Server Suite 2015.1 has been updated to support the new key exchange methods. (Ref: CS-8234a, CS-38259a)
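The login failure described above is decided before authentication ever starts: for each algorithm class, SSH takes the first entry in the client's preference list that the server also offers, and an empty intersection aborts the connection. The script below is an added example, not code from the Centrify release notes or the product, that walks through that negotiation for a client with pre-6.7 settings and for the same client after it has been updated. All algorithm lists in it are constructed for illustration rather than copied from any real sshd_config; real defaults vary by release.

```shell
#!/bin/sh
# Added example, not part of the Centrify release notes.  Simulates the
# algorithm negotiation behind the login failure described above.  SSH picks,
# for each algorithm class, the first entry in the client's list that the
# server also offers (RFC 4253 section 7.1); if the lists share nothing the
# connection is dropped before authentication even starts.  All lists below
# are constructed for illustration, not copied from any real configuration.

# A client still carrying pre-6.7 style settings (constructed).
OLD_CLIENT_KEX='diffie-hellman-group1-sha1'
OLD_CLIENT_CIPHERS='arcfour,aes128-cbc,3des-cbc'

# The same client after its settings were updated to prefer modern algorithms,
# keeping the old ones only as a last resort (constructed).
NEW_CLIENT_KEX='curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
NEW_CLIENT_CIPHERS='aes128-ctr,aes256-ctr,aes128-cbc'

# A server offering an OpenSSH 6.7-era style default set (constructed).
SERVER_KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1'
SERVER_CIPHERS='chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com'

# negotiate CLIENT_LIST SERVER_LIST
# Prints the algorithm both sides would agree on and returns 0, or prints
# nothing and returns 1 when there is no algorithm in common.  Client order
# wins, exactly as in the protocol.
negotiate() {
    client_list=$1
    server_list=$2
    saved_ifs=$IFS
    IFS=,
    for c in $client_list; do
        for s in $server_list; do
            if [ "$c" = "$s" ]; then
                IFS=$saved_ifs
                printf '%s\n' "$c"
                return 0
            fi
        done
    done
    IFS=$saved_ifs
    return 1
}

# report LABEL CLIENT_LIST SERVER_LIST -> human-readable line for the walkthrough
report() {
    if chosen=$(negotiate "$2" "$3"); then
        echo "$1: agreed on $chosen"
    else
        echo "$1: no common algorithm, connection fails"
    fi
}

report "old client kex    " "$OLD_CLIENT_KEX"     "$SERVER_KEX"
report "old client cipher " "$OLD_CLIENT_CIPHERS" "$SERVER_CIPHERS"
report "new client kex    " "$NEW_CLIENT_KEX"     "$SERVER_KEX"
report "new client cipher " "$NEW_CLIENT_CIPHERS" "$SERVER_CIPHERS"
```

To run the same comparison against real hosts, list what the client can use with "ssh -Q kex" and "ssh -Q cipher" and what the server actually offers with "sshd -T" (run as root) on the server, then feed those lists to negotiate. The durable fix is on the client side: add the modern key exchange methods and ciphers to the client's KexAlgorithms and Ciphers settings, as the updated Deployment Manager does, rather than re-enabling diffie-hellman-group1-sha1 or the CBC ciphers on the server, since those were removed from the defaults precisely because they are weak.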

 

Interoperability with Centrify Samba

 

·          Centrify Samba 4.5.4 or above (Ref: CS-28744a, CS-29443a)

 

Starting with version 5.1.0, DirectControl Agent does not work with any earlier Centrify Samba versions on AIX and SuSE 8. It only works with Centrify Samba 4.5.4 or above. 

5.     Additional Information and Support

 

In addition to the documentation provided with this package, you can find the answers to common questions and information about any general or platform-specific known limitations as well as tips and suggestions from the Centrify Knowledge Base.

 

The Centrify Resource Center provides access to a wide range of packages and tools that you can download and install separately.  For more information, see the Centrify Resource Center Web site:

 

www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this version of Centrify Server Suite, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.