Protecting Centrify Zones from accidental deletion on Active Directory

Centrify stores its Zones and related objects in Active Directory (AD), usually under a dedicated container or OU. A question that always surfaces is how to protect those objects from accidental deletion. There are two ways; the first is the easiest.

Method 1 (manual, enabling 'Protect object from accidental deletion' on one AD object at a time):

  1. Ask your System Administrator or OU Administrator to open the "Active Directory Users and Computers" console. The 'Object' tab used below is only shown when 'Advanced Features' is enabled in the View menu.
  2. Navigate to the intended AD object (for example your Centrify 'Zone').
  3. Right-click the object and select 'Properties'.
  4. Click the 'Object' tab.
  5. Tick the 'Protect object from accidental deletion' checkbox.
  6. Click 'Apply' and then 'OK' to confirm the change.

Method 2 (PowerShell, enabling the protection for every object under a specified OU or container):

1) Ask your System Administrator to open PowerShell on a machine that has the ActiveDirectory module (RSAT) installed.

2) In the command below, replace {DN_Name} with the distinguishedName (DN) of the OU or container in your domain. Get-ADObject searches the whole subtree by default, so this protects the base container and every object below it:

    Powershell: Get-ADObject -Filter * -SearchBase "{DN_Name}" | Set-ADObject -ProtectedFromAccidentalDeletion $true

Example command (for the Centrify 'Zones' container): Get-ADObject -Filter * -SearchBase "CN=Zones,CN=Centrify,CN=Program Data,DC=win16org22,DC=pmm" | Set-ADObject -ProtectedFromAccidentalDeletion $true

(Take note: to obtain the DN, right-click the intended AD object > select 'Properties' > click the 'Attribute Editor' tab > find the 'distinguishedName' attribute > copy its value and paste it into the PowerShell command above.)

(Take note: the flag adds a Deny ACE for Everyone on Delete and Delete Subtree to each object. Anyone who then tries to delete one of them gets an access-denied error and has to clear the protection first. This is a guard against mistakes, not a security boundary: an administrator with write access to the object's DACL can remove the deny entry.)


Preparing a Linux Client Server for Centrify and 2FA for CentOS-7

Preliminary Notes:

You have to set up a cloud tenant with Centrify by registering an email address with Centrify or a Centrify authorised reseller.

Once the tenant has been set up, the login link is sent to the email address you provided.

You will need to set up the 2FA connector VM on premises. The recommended specification for a connector is below; the VM needs outbound TCP port 443 to the Centrify cloud, because the connector reaches the tenant over HTTPS.

  • 4 cores; 8 GB RAM; 100 GB HDD; Windows Server 2016 or later

At the Active Directory

  1. Create UNIX computer group in AD if not already created
  2. Add the UNIX computers that will require 2FA to the UNIX group
  3. Create a UNIX Users group if not already created
  4. Add Users that will require 2FA to the UNIX user group
  5. Add the IWA root CA certificate to the Centrify GPO. The certificate is downloaded from the Centrify cloud tenant, but it is only available once the connector has been set up, so the connector comes first.

At the CentOS Server

Copying the IwaTrustRoot.pem certificate to the CentOS Linux server

  1. Rename the downloaded IWA certificate from .cer to .pem. Renaming only works if the file is already base64 (PEM) encoded; a DER-encoded .cer has to be converted to PEM instead.
  2. On CentOS, copy the certificate to /etc/pki/ca-trust/source/anchors/ on the server, then rebuild the system trust bundle with update-ca-trust so the new anchor is actually used.
  3. Copy the certificate to /var/centrify/net/certs as well.

Configure the SSH settings (password logins off, keyboard-interactive on so PAM can present the second factor)

# vim /etc/ssh/sshd_config
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

Restart the SSHD Services

# systemctl restart sshd.service

Restart the Centrifydc services

# /usr/share/centrifydc/bin/centrifydc restart

Active Directory Flush

# adflush -f
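The CentOS-side steps above as one script. This is an added example, not code from this post or from Centrify; the script name prep-2fa.sh and the --apply guard are assumptions of mine. It converts the certificate if it turns out to be DER rather than renaming it, rebuilds the trust bundle, edits sshd_config idempotently without touching Match blocks, adds UsePAM yes (the CentOS 7 default, which PAM-based MFA prompts require) and validates the config with sshd -t before restarting anything.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling): script the CentOS-side steps above so they are
# repeatable and checked before sshd is restarted. Paths are the ones this post uses.
set -eu

# Install the IWA root into the OS trust store and Centrify's certificate directory.
# Renaming .cer to .pem only works if the file is already PEM (base64); a DER .cer is converted.
install_iwa_cert() {   # <downloaded IwaTrustRoot.cer>
    local src="$1" pem=/etc/pki/ca-trust/source/anchors/IwaTrustRoot.pem
    if openssl x509 -in "$src" -noout 2>/dev/null; then
        cp "$src" "$pem"
    else
        openssl x509 -inform DER -in "$src" -out "$pem"
    fi
    update-ca-trust extract                       # rebuild the system bundle; copying alone is not enough
    install -d /var/centrify/net/certs
    cp "$pem" /var/centrify/net/certs/
    openssl verify "$pem" >/dev/null              # fails if the root did not land in the bundle
}

# Set a global sshd directive exactly once. A commented "#Keyword value" does not count as set,
# a duplicate global directive is dropped (sshd honours only the first), and nothing after a
# Match block is touched, since directives there are conditional. A missing directive is
# inserted at the top so it cannot land inside a trailing Match block.
set_sshd_option() {   # <sshd_config> <Keyword> <value>
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        tolower($1) == "match" { in_match = 1 }
        !in_match && $1 == k   { if (!done) lines[++n] = k " " v; done = 1; next }
        { lines[++n] = $0 }
        END {
            if (!done) print k, v
            for (i = 1; i <= n; i++) print lines[i]
        }' "$file" > "$tmp"
    cat "$tmp" > "$file"                          # keep the original file's mode and owner
    rm -f "$tmp"
}

main() {   # usage: sh prep-2fa.sh --apply /path/to/IwaTrustRoot.cer   (hypothetical script name)
    install_iwa_cert "${2:?path to the downloaded IWA root certificate required}"
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
    set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
    set_sshd_option /etc/ssh/sshd_config UsePAM yes   # CentOS 7 default; PAM MFA prompts need it
    sshd -t                                       # refuse to restart on a config sshd rejects
    systemctl restart sshd.service
    /usr/share/centrifydc/bin/centrifydc restart
    adflush -f
}

case "${1:-}" in --apply) main "$@" ;; esac
```

Run it as root with --apply and the certificate path; without --apply it only defines the functions, which is what lets set_sshd_option be exercised on a scratch copy of sshd_config before touching the real one.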

Delinea announces support for AlmaLinux and Rocky Linux

Delinea (formerly Centrify) has finally added support for RHCOS, AlmaLinux x86_64 and Rocky Linux. Good news indeed.

As we continue to bolster our PAM solutions for Linux, the latest release of Server Suite adds support for RHCOS, AlmaLinux x86_64, and Rocky Linux.

Red Hat Enterprise Linux CoreOS (RHCOS) is a container-optimized operating system for running containers at scale. Both Rocky Linux and AlmaLinux are binary-compatible with Red Hat Enterprise Linux (RHEL) and have emerged as a viable alternative to CentOS.


Delinea announces support for AlmaLinux and Rocky Linux

How to uninstall Centrify agent on Unix/Linux platforms?

As root (or via sudo), open a terminal and change to the directory where Centrify was installed (typically /usr/share/centrifydc/bin). On most Centrify DirectControl-managed systems you remove the DirectControl agent and its related files by running the uninstall script in that directory. If the machine is still joined to the domain, run adleave first so the computer object is removed from AD instead of being left orphaned. The script is run
as follows:

/bin/sh /usr/share/centrifydc/bin/

For example, the script prompts before doing anything; the default answer N aborts, so answer Y to proceed:

Do you want to uninstall the CentrifyDC-5.8.1 package from this computer? (Q|Y|N) [N]:N


KB-1780: How to uninstall Centrify agent on Unix/Linux platforms?

Centrify Client goes into disconnect mode

This article is taken from Centrify Knowledge Base KB-1425: adclient goes into "disconnected mode".


There are several reasons why adclient can go into disconnected mode. According to the article, it can be due to

  • replication delays between domain controllers
  • an expired computer password, or one that was not renewed or is out of sync between the client and AD


In Linux, you can restart the Centrify DirectControl Service

# /etc/init.d/centrifydc restart
Stopping Centrify DirectControl:                           [  OK  ]
Starting Centrify DirectControl:                           [  OK  ]
adclient state is: connected

OR you can reset the computer account password from the UNIX/Linux client (-u names the AD account that authenticates the reset):

# adkeytab -r -u


Machine password renewal can be turned off (for testing purposes only, since a password that never rotates is exactly the stale-credential case above) in /etc/centrifydc/centrifydc.conf by making the following change and running adreload. The default interval is 28 days.

adclient.krb5.password.change.interval: 0

Implementing Docker Group using Centrify

Why Privilege Access For Docker Container?

Taken from Centrify HOWTO: Secure container/docker environments by managing privileges for admins and users

“To perform any docker operation, you need to either be root or part of a local group, ‘docker’, on your Linux machine. Why is that? Because access into a docker container is via a UNIX socket and any socket related operations require the user to have privileged access. ‘Docker’ group membership is sufficient for all container operations, exception is starting the docker daemon itself, which must always run as the root user.”

Step 1:

We need to create a group called docker in the Centrify zone and add the necessary members. Treat membership as root-equivalent: anyone in the group can start a container that mounts the host filesystem, so keep the group as small as the list of people who actually administer containers.

Step 2: Verify the socket's ownership and SELinux context on the Linux server (getenforce shows whether SELinux is enforcing)

# ls -lZ /var/run/docker.sock
srw-rw----. root root system_u:object_r:container_var_run_t:s0 /var/run/docker.sock
# getenforce

Step 3: Change the group owner of the Docker socket

# chown root:docker /var/run/docker.sock

Step 4: Test as a zone user who is in the docker group; the command should return results instead of "permission denied"

[user1@node1 ~]$ docker search openfoam
INDEX       NAME        DESCRIPTION                                     STARS   OFFICIAL   AUTOMATED
(about 25 result rows followed, e.g. "Offical image of OpenFOAM+ (v3.0+) provide... 8"; the NAME column was lost when this page was captured, so the rows are omitted here)


  1. HOWTO: Secure container/docker environments by managing privileges for admins and users
  2. How to fix docker: Got permission denied while trying to connect to the Docker daemon socket
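An added example (not part of the Centrify HOWTO) for checking, after step 3, who can actually reach the socket: it compares the docker group that getent(1) returns through Centrify's NSS module with the members you expect from AD, and confirms the socket is still root:docker with mode 0660. The group lines in the comments and the member names are constructed; the audit_host wrapper and its stat format string are my assumptions.

```shell
#!/bin/sh
# Added example (not from the Centrify HOWTO): audit who can reach the Docker socket.

# Parse one getent(1) / /etc/group style line, e.g. "docker:x:993:alice,bob" (constructed),
# into one member per line.
group_members() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Print members of the group line that are not in the allow-list given as further arguments.
unexpected_members() {   # <group line> <allowed member>...
    local line="$1" m found a
    shift
    for m in $(group_members "$line"); do
        found=0
        for a in "$@"; do [ "$m" = "$a" ] && found=1; done
        [ $found -eq 1 ] || echo "$m"
    done
}

# "srw-rw---- root docker" is what the post's ls -l shows after the chown. Anything wider
# (other-writable, or a group that is not docker) hands the daemon, and so root, to more users.
socket_acl_ok() {   # <mode like srw-rw----> <owner> <group>
    case "$1" in
        srw-rw----) [ "$2" = root ] && [ "$3" = docker ] ;;
        *) return 1 ;;
    esac
}

# Live use on the Docker host (real commands; only the wrapper is mine):
#   audit_host alice bob        # lists anyone else in docker, warns if the socket ACL is wider
audit_host() {
    unexpected_members "$(getent group docker)" "$@"
    socket_acl_ok $(stat -c '%A %U %G' /var/run/docker.sock) \
        || echo "WARN: /var/run/docker.sock is not root:docker 0660"
}
```

Because Centrify resolves the docker group from AD, an unexpected name in the output means someone was added to the AD group (or a local docker group shadows it), which is worth treating as a privilege change rather than a Docker problem.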

Useful Commands for Centrify Suite

Taken from [TIPS] A Centrify Server Suite Cheat Sheet

BASIC Troubleshooting

Pt 1. To check the general status of the client

$ adinfo
Local host name: xxx
Joined to domain:
Joined as: xxx
Pre-win2K name: xxx
Current DC: xxx
Preferred site: NTU-Site
Zone: xxx
Last password set: 2019-07-24 06:29:08 +08
CentrifyDC mode: connected
Licensed Features: Enabled

Pt 2. To see the corresponding Centrify Suite Version

$ adinfo --suite-version
adinfo (CentrifyDC 5.5.0-200)
Centrify Server Suite 2018

Pt 3. To view Active Directory connectivity to the current domain

$ adinfo --test
Domain Diagnostics:
DNS query for:
DNS query for:
Testing Active Directory connectivity:
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
(the same block is printed for each of the remaining domain controllers; the host names are omitted here)

Pt 4: To see the current joined Centrify zone

$ adinfo --zone


Pt 5: To check the status of the DNS cache and stats

$ adinfo --diag dns
adinfo (CentrifyDC 5.5.0-200)
Host Diagnostics
uname: Linux hpc-gekko1 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64
OS: CentOS
Version: 7.0
Number of CPUs: 32

Pt 6: To check network connectivity statistics

$ adinfo --sysinfo netstate
System Diagnostic
===============Network State===================
Site Map>, SubnetSite:XXX-Site
Domain Map
state: alive
swept: 21 mins ago

Pt 7: To see the status of the AD computer trust relationship

$ adinfo --sysinfo adagent
System Diagnostic
===================adagent internals===================
Binding Table
$=> connected> disconnected
xxx1=> disconnected
xxx2=> connected
xxx3=> connected

TESTING credentials information (-A authenticates the named user against AD, which exercises both the password and the Kerberos path to the domain controller)

$ adinfo -A --user myuserid
Active Directory password:
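An added example (not from the Centrify KB article or the cheat sheet) that reads the outputs shown in this section and ties them to the disconnected-mode post above: it pulls the mode and the "Last password set" time from adinfo, computes the machine password age against the 28-day renewal interval, and lists any service in adinfo --test that is not reported as "good". The sample outputs are constructed, the "failed" wording is an assumption (the check only relies on the word "good"), and the time parsing is done in shell arithmetic so it does not depend on GNU date accepting the "+08" zone.

```shell
#!/bin/sh
# Added example (not Centrify's code): parse saved `adinfo` and `adinfo --test` output and flag
# the conditions this page associates with disconnected mode.

dec() { local n=${1#0}; echo "${n:-0}"; }    # "08" -> 8 without octal surprises

# Days since 1970-01-01 for a civil date (Howard Hinnant's days_from_civil).
days_from_civil() {   # <year> <month> <day>
    local y=$1 m=$2 d=$3 era yoe doy doe
    y=$(( m <= 2 ? y - 1 : y ))
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    doy=$(( (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# "2019-07-24 06:29:08 +08" (the Last password set format adinfo prints) -> epoch seconds.
parse_adinfo_time() {
    set -- $1
    local ymd=$1 hms=$2 tz=${3:-+00} y m d h mi s off neg=0
    y=$(dec "${ymd%%-*}"); d=$(dec "${ymd##*-}"); m=${ymd#*-}; m=$(dec "${m%-*}")
    h=$(dec "${hms%%:*}"); s=$(dec "${hms##*:}"); mi=${hms#*:}; mi=$(dec "${mi%:*}")
    case $tz in -*) neg=1 ;; esac
    off=$(printf '%s' "${tz#[+-]}" | tr -d :)    # "+08", "+0800" and "+08:00" all accepted
    [ ${#off} -eq 2 ] && off="${off}00"
    off=$(( $(dec "${off%??}") * 3600 + $(dec "${off#??}") * 60 ))
    [ $neg -eq 1 ] && off=$(( -off ))
    echo $(( $(days_from_civil "$y" "$m" "$d") * 86400 + h * 3600 + mi * 60 + s - off ))
}

adclient_mode() {   # <adinfo output file> -> "connected" / "disconnected"
    awk '/^CentrifyDC mode:/ { sub(/^[^:]*: */, ""); print; exit }' "$1"
}

password_age_days() {   # <adinfo output file> <now as epoch seconds>
    local ts
    ts=$(awk '/^Last password set:/ { sub(/^[^:]*: */, ""); print; exit }' "$1")
    echo $(( ($2 - $(parse_adinfo_time "$ts")) / 86400 ))
}

# `adinfo --test` lines look like "kdc: 88/tcp - good"; print the services that are not good.
failed_ports() { awk -F' - ' '/\/(tcp|udp) - / && $2 != "good" { print $1 }' "$1"; }

check_adclient() {   # <adinfo file> <adinfo --test file> <now epoch> [max password age, default 28]
    local rc=0 mode age bad max=${4:-28}
    mode=$(adclient_mode "$1")
    [ "$mode" = connected ] || { echo "WARN: CentrifyDC mode is '${mode:-unknown}'"; rc=1; }
    age=$(password_age_days "$1" "$3")
    [ "$age" -le "$max" ] || { echo "WARN: machine password set $age days ago, renewal interval is $max"; rc=1; }
    bad=$(failed_ports "$2")
    [ -z "$bad" ] || { echo "WARN: DC checks not 'good':"; echo "$bad"; rc=1; }
    return $rc
}

# On a joined host (real Centrify commands; this script only reads what they print):
#   adinfo > /tmp/adinfo.out; adinfo --test > /tmp/adtest.out
#   check_adclient /tmp/adinfo.out /tmp/adtest.out "$(date +%s)" && echo healthy
```

A non-zero exit with the password warning points at the adkeytab reset from the disconnected-mode post; a port warning points at the network or the DC before anything on the client is touched.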

Delegate Zone Control to a user in the Centrify Access Manager

  • Open Access Manager as Administrator
  • Right-click "Centrify Access Manager > Zone > Global"
  • Select "Delegate Zone Control…"
  • In the dialog window, click "Add"
  • Enter the user name in the "Name:" field and click "Find Now"
  • Select the user and click "OK"
  • Click "Next"
  • Click "All" in the Tasks list and click "Next". "All" grants every zone task, including changing roles and rights for everyone in the zone; unless the user is meant to administer the whole zone, tick only the tasks they need instead.
  • Click "Yes"
  • Click "Finish"