Using Centrify to get the username from uid

Getting the information from CentirfyDC-5.5.2 if we were given just the user id alone can be very easy. Just do a

% adquery user |grep 1111111

adquery user will list out all the users in the Centrify Console. You just need to parse the information you need with grep

Centrify Client goes into disconnect mode

The article is taken from Centrify Knowledge Base (KB-1425): adclient goes into “disconnected mode”

Causes

There are several reasons why adclient can goes into disconnect mode. According to the article, it could be due to

  • Replication Delays
  • Expired Computer Password or not renewed or out of sync

Solution:

In Linux, you can restart the Centrify DirectControl Service

# /etc/init.d/centrifydc restart
Stopping Centrify DirectControl:                           [  OK  ]
Starting Centrify DirectControl:                           [  OK  ]
adclient state is: connected

OR you can reset computer object on UNIX/LINUX client:

# adkeytab -r -u administrator@yourdomain.com

Notes:

Machine password renewal can be turned off (for testing purposes only) in /etc/centrifydc/centrifydc.conf by making the following change and running adreload. (Default is 28 days)

adclient.krb5.password.change.interval: 0

Useful Commands for Centrify Suite

Taken from [TIPS] A Centrify Server Suite Cheat Sheet


BASIC Troubleshooting

Pt 1. To check the general status of the client

$ adinfo
Local host name: xxx
Joined to domain: xxx.com
Joined as: xxx
Pre-win2K name: xxx
Current DC: xxx
Preferred site: NTU-Site
Zone: xxx
Last password set: 2019-07-24 06:29:08 +08
CentrifyDC mode: connected
Licensed Features: Enabled

Pt 2. To see the corresponding Centrify Suite Version

$ adinfo --suite-version
adinfo (CentrifyDC 5.5.0-200)
Centrify Server Suite 2018

Pt 3. To view Active Directory connectivity to the current domain

$ adinfo --test
Domain Diagnostics:
Domain:
DNS query for:
DNS query for:
Testing Active Directory connectivity:
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good
Domain Controller:
ldap: 389/tcp - good
ldap: 389/udp - good
smb: 445/tcp - good
kdc: 88/tcp - good
kpasswd: 464/tcp - good
ntp: 123/udp - good

Pt 4: To see the current joined Centrify zone

$ adinfo --zone
xxx.com/MyOU/Centrify/Zones/Global

ADVANCED / TROUBLESHOOTING Information

Pt 5: To check the status of the DNS cache and stats

$ adinfo --diag dns
adinfo (CentrifyDC 5.5.0-200)
Host Diagnostics
uname: Linux hpc-gekko1 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64
OS: CentOS
Version: 7.0
Number of CPUs: 32
…..
…..

Pt 6: To check network connectivity statistics

$ adinfo --sysinfo netstate
System Diagnostic
===============Network State===================
Site Map
com.sg=>PreferredSite:XXX.com, SubnetSite:XXX-Site
Domain Map
…
…
state: alive
swept: 21 mins ago
...

Pt 7: To see the status of the AD computer trust relationship

$ adinfo --sysinfo adagent
System Diagnostic
===================adagent internals===================
Binding Table
$=>main11.main.ntu.edu.sg(MAIN.NTU.EDU.SG) connected
xxx.com=>xxx.com disconnected
xxx1=>xxx1.com disconnected
xxx2=>xxx2.com connected
xxx3=>xxx3.com connected

TESTING Credentials Information

$ adinfo -A --user myuserid
Active Directory password:
...

Restricting SSH Access when using Centrify-Free

To restrict users from accessing the system using Centrify free can be easily managed by using the following files

/etc/centrifydc/users.allow
/etc/centrifydc/groups.allow
/etc/centrifydc/users.deny
/etc/centrifydc/groups.deny

1. You have to manually create the the files accordingly and place it at /etc/centifydc. Next you have to  line 273 and uncomment the line

.....
pam.allow.users: file:/etc/centrifydc/users.allow
.....

If you are blocking by groups, you can likewise uncomment the

.....
pam.allow.groups: file:/etc/centrifydc/groups.allow
.....

2. Flush and Reload Centrify-Free

# adflush
# adreload

3. Add users you wish to have access into the system into /etc/centrifydc/users.allow