Authentication Service and Privilege Elevation Service 5.8.1 (Release 2021.1) Release Notes

2004-2021 Centrify Corporation.

This software is protected by international copyright laws.

All Rights Reserved.

 

Table of Contents

1. About This Release

2. Feature Changes

2.1. Feature Changes in Authentication Service and Privilege Elevation Service 5.8.1 (Release 2021.1)

General

Security Fix

Centrify DirectControl Agent for *NIX

Centrify Windows Installer

Centrify Access Manager

Centrify Access Module for PowerShell

Centrify Licensing Service

Centrify OpenLDAP Proxy

Centrify Report Services

Centrify Smart Card

Centrify Zone Provisioning Agent

2.2. Feature Changes in Authentication Service and Privilege Elevation Service 5.8.0 (Release 2021)

General

Security Fix

Centrify DirectControl Agent for *NIX

Centrify Access Manager

Centrify Access Module for PowerShell

Centrify Windows SDK

Centrify Group Policy Management

Centrify Licensing Service

Centrify OpenLDAP Proxy

Centrify OpenSSH

Centrify Report Services

Centrify Smart Card

Centrify Zone Provisioning Agent

3. Bugs Fixed

3.1. Bugs Fixed in Authentication Service and Privilege Elevation Service 5.8.1 Component Update (Release 2021.1)

3.2. Bugs Fixed in Authentication Service and Privilege Elevation Service 5.8.1 (Release 2021.1)

General

Centrify DirectControl Agent for *NIX

Centrify OpenSSH

Centrify OpenLDAP Proxy

Centrify Access Manager

Centrify Access Module for PowerShell

Centrify Group Policy Management

Centrify Report Services

Centrify Smart Card

3.3. Bugs Fixed in Authentication Service and Privilege Elevation Service 5.8.0 (Release 2021)

General

Centrify DirectControl Agent for *NIX

Centrify OpenSSH

Centrify OpenLDAP Proxy

Centrify Access Manager

Centrify Access Module for PowerShell

Centrify Licensing Service

Centrify Group Policy Management

Centrify Report Services

Centrify Zone Provisioning Agent

4. Known Issues

Centrify DirectControl Agent for *NIX

Smart Card

Centrify Report Services

5. Additional Information and Support

 

1.     About This Release

 

Authentication Service and Privilege Elevation Service, part of the product category Centrify Server Suite (previously called Centrify Infrastructure Services or Centrify Zero Trust Privilege Services), centralize authentication and privileged user access across disparate systems and applications by extending Active Directory-based authentication and enabling the use of Windows Group Policy and Single Sign-On. With Centrify Server Suite, enterprises can easily migrate and manage complex UNIX, Linux, and Windows systems, rapidly consolidate identities into the directory, organize granular access and simplify administration. Centrify Authentication Service, through Centrify's patented Zone technology, allows organizations to easily establish global UNIX identities, centrally manage exceptions on legacy systems, separate identity from access management and delegate administration. Centrify's non-intrusive and organized approach to identity and access management results in stronger security, improved compliance and reduced operational costs.

An upgrade application note (/Documentation/centrify-upgrade-guide.pdf) is provided with this release to guide customers who have installed multiple Centrify packages. The document describes the correct order to perform updates such that all packages continue to perform correctly once upgraded. This document is also available online.

The product related release notes and documents are available online at https://docs.centrify.com/.

Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,378,391 and 9,442,962. (Ref: CS-44575)

2.     Feature Changes

 

For a list of the platforms supported by this release, refer to the 'Supported Platforms' section in the Centrify Server Suite release notes.

For a list of platforms for which Centrify will remove support in upcoming releases, refer to the 'Notice of Termination Support' section in the Centrify Server Suite release notes.

For a complete list of supported platforms in the latest releases, refer to the 'Centrify Server Suite' section in the document available from https://www.centrify.com/platforms.

2.1.          Feature Changes in Authentication Service and Privilege Elevation Service 5.8.1 (Release 2021.1)

General

 

          Compatibility (Ref: 353603, 385159)

Due to the upgrade of OpenSSL in Release 2021.1, this release of Centrify DirectControl Agent for *NIX works only with the following versions:

         Centrify DirectAudit Release 2021.1 or later

         Centrify OpenSSH Release 2021.1 or later

         The latest release of Centrify for DB2 and Centrify for Samba

Note: Since Centrify Deployment Manager is discontinued after Release 18.11, Deployment Manager cannot deploy this release of Centrify DirectControl Agent for *NIX. (Ref: CS-47626)

          Open-Source component upgrade

         Upgraded cURL from v7.75.0 to v7.78.0. (Ref: 298090)

  This includes several security fixes. For details, please refer to https://curl.haxx.se/docs/security.html.

         Upgraded OpenLDAP from v2.4.57 to v2.4.59. (Ref: 297898)

  For changelog details, please refer to https://www.openldap.org/software/release/changes.html.

         Upgraded OpenSSL from v1.1.1k to v3.0.0. With OpenSSL v3.0.0, FIPS mode is now supported on AIX, Mac, CentOS x86_64, RHEL x86_64, SLES x86_64, Ubuntu x86_64. (Ref: 353603, 298483)

  For details, please refer to https://www.openssl.org/ and https://www.openssl.org/docs/.

         Upgraded PostgreSQL from v12.5 to v14. (Ref: 297820)

  For changelog and vulnerability fix details, please refer to https://www.postgresql.org/ and https://www.postgresql.org/support/security/.

         Upgraded PuTTY from v0.74 to v0.76. (Ref: 298222)

  This includes several security fixes. For details, please refer to https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html.

          Packaging change

         On Alpine Linux, to avoid an UNTRUSTED signature error during installation, the RSA public key included with the bundle needs to be installed into /etc/apk/keys/. This can be done while running install.sh in interactive mode. Alternatively, as a workaround (not recommended, since it skips package signature verification), the --allow-untrusted option can be used. (Ref: 353590)

Security Fix

 

          N/A

Centrify DirectControl Agent for *NIX

 

          Added instrumentation for LDAP bindings. The new statistics are shown in the "adinfo --sysinfo adagent" output and in heartbeat log messages. (Ref: 297460)

          Added support for large messages in LRPC2 by introducing a message size ceiling of 4 MB. (Ref: 299207)

          Added support for Thycotic ID Bridging integration, controlled by the new configuration parameter auto.schema.thycotic.rids. (Ref: 298380)

          Added support for managed service accounts (gMSA accounts) as AD users. This new feature allows users to: (Ref: 298374)

         define UNIX user profiles and assign roles for gMSA

         configure adclient to automatically pull gMSA's current password into local keytab

         use adkeytab to pull gMSA's current password into local keytab

 

This feature is supported by the following components as well:

         Adedit

         Access Manager

         Zone Provisioning Agent

DirectControl Command Line Utilities

          Enhanced adedit command with the following:

         Added the support of managed service accounts (gMSA accounts) as AD users. (Ref: 298378)

          Enhanced adinfo command with the following:

         A new option, -E, --autoedit, is added to the adinfo command. When this option is specified, adinfo shows the status of the system configuration files that are managed by auto-edit. Note that this option does not show any files on Mac, because Mac is not yet supported. (Ref: 294893)

Configuration Parameters

Added the following parameters in centrifydc.conf:

-    adclient.binding.ldapsearch.statistic.interval: this parameter specifies the interval at which adclient resets the statistics. Default is 30 minutes. (Ref: 297460)

-    adclient.gmsa: this parameter specifies the list of gMSA accounts that adclient should manage. Default is empty. (Ref: 298374)

-    adclient.ipv4.port.range.high: this parameter, together with adclient.ipv4.port.range.low, specifies the IPv4 port range that adclient uses for both TCP and UDP outbound connections. Default is 0, which means any port can be used. If either of the two parameters is set, validation ensures that both fall within the boundary of 1024 to 65535. (Ref: 294967)

-    adclient.ipv4.port.range.low: this parameter, together with adclient.ipv4.port.range.high, specifies the IPv4 port range that adclient uses for both TCP and UDP outbound connections. Default is 0, which means any port can be used. If either of the two parameters is set, validation ensures that both fall within the boundary of 1024 to 65535. (Ref: 294967)

-    adclient.ntlm.discover.by.trustedDomain: this parameter specifies whether to discover the NTLM domain name from the "msDS-TrustForestTrustInfo" attribute of objects of class trustedDomain. Default is false. (Ref: 295464)

-    auto.schema.thycotic.rids: this parameter specifies whether UID/GID values are generated using the Thycotic algorithm. Default is false. (Ref: 298380)

-    gp.mappers.runcommand.as.user: this parameter specifies whether to run user Group Policy commands as the current user. Default is false, which means to run as root. (Ref: 295030)

-    gp.mappers.runcommand.as.root.env.list: this parameter specifies the list of environment variables that are exported to the environment in which root runs Group Policy commands. Default is empty. Note: this parameter is ignored if gp.mappers.runcommand.as.user is set to true. (Ref: 295043)

-    nss.process_group.ignore: this parameter lists process groups for which Centrify user and group lookup and iteration are not called. Default is empty. (Ref: 296909)

-    nss.user.group.prefer.cache: this parameter specifies whether to always favor the cache and defer refreshing of AD objects to the background for NSS user and group queries. Default is false, meaning that NSS queries return current results via a synchronous AD object refresh when the cache has expired. On systems with a heavy NSS query load for users (getpwuid/getpwnam) and groups (getgrgid/getgrnam), setting this option to true improves adclient throughput, as it turns the synchronous object refresh into an asynchronous one. (Ref: 306177)
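As an added example (not part of these release notes or of the Centrify product code), the following Python checks a centrifydc.conf fragment against the port-range rule stated above: both adclient.ipv4.port.range.* values default to 0, and if either is set, both must lie between 1024 and 65535. It assumes, beyond what the notes say, that the low value must not exceed the high value; the sample configuration text is constructed.

```python
"""Check the adclient.ipv4.port.range.low/high pair in a centrifydc.conf fragment.

Added example, not Centrify code. It encodes the rule stated in the release
notes (0 = unset; if either value is set, both must be within 1024-65535) and
one extra assumption not stated there: low must not exceed high.
"""
import re
from typing import Dict, List

PORT_MIN, PORT_MAX = 1024, 65535       # ports below 1024 are privileged
LOW_KEY = "adclient.ipv4.port.range.low"
HIGH_KEY = "adclient.ipv4.port.range.high"

# Constructed sample fragments (not taken from a real centrifydc.conf).
SAMPLE_OK = """
# constructed: a valid outbound port range
adclient.ipv4.port.range.low: 40000
adclient.ipv4.port.range.high: 45000
"""
SAMPLE_HALF_SET = "adclient.ipv4.port.range.low: 40000\n"   # high left at default 0
SAMPLE_PRIVILEGED = """
adclient.ipv4.port.range.low: 80     # below 1024: not allowed
adclient.ipv4.port.range.high: 45000
"""

_KV = re.compile(r"^([A-Za-z0-9_.\-]+)\s*:\s*(.*)$")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines; '#' starts a comment, blank lines are ignored."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _KV.match(line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params


def validate_port_range(params: Dict[str, str]) -> List[str]:
    """Return the list of problems with the port-range pair (empty = acceptable)."""
    problems: List[str] = []
    values: Dict[str, int] = {}
    for key in (LOW_KEY, HIGH_KEY):
        raw = params.get(key, "0")          # absent means the documented default, 0
        try:
            values[key] = int(raw)
        except ValueError:
            problems.append(f"{key}: '{raw}' is not an integer")
    if problems:
        return problems
    low, high = values[LOW_KEY], values[HIGH_KEY]
    if low == 0 and high == 0:
        return []                           # both unset: any port may be used
    # If either side is set, both must be inside the documented boundary.
    for key, val in ((LOW_KEY, low), (HIGH_KEY, high)):
        if not PORT_MIN <= val <= PORT_MAX:
            problems.append(f"{key}={val} is outside {PORT_MIN}-{PORT_MAX}")
    if not problems and low > high:         # assumption: low must not exceed high
        problems.append(f"{LOW_KEY}={low} exceeds {HIGH_KEY}={high}")
    return problems


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("half-set", SAMPLE_HALF_SET),
                       ("privileged", SAMPLE_PRIVILEGED)):
        print(name, validate_port_range(parse_conf(text)) or "acceptable")
```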

Modified the following parameters in centrifydc.conf:

-    capi.cache.enabled: as the CAPI cache feature has been widely used for many years, the default value is now changed from false to true so that the feature is used by default. (Ref: 299235)

Please refer to the manual, Configuration and Tuning Reference Guide, for details.

Centrify Windows Installer

 

          The installer now prompts users to read through the latest user agreement from the Internet instead of embedding a snapshot of the agreement there. This helps users to always have the latest copy from the Internet at the time of installation. (Ref: 351454)

Centrify Access Manager

 

          Added the support to manage the delegation scope for the "Join computers to the zone" task on Access Manager. By default, the scope is the domain root container. (Ref: 297612)

          Added the support of managed service accounts (gMSA accounts). The managed service account can be added into a zone, computer zone, or assigned to a role. (Ref: 298375)

Centrify Access Module for PowerShell

 

          Added support for RFC 2307 NIS netgroups with the following new PowerShell cmdlets. (Ref: 298002)

1)  New-CdmRfc2307NisNetGroup

2)  Get-CdmRfc2307NisNetGroup

3)  Remove-CdmRfc2307NisNetGroup

4)  Add-CdmRfc2307NisNetGroupMember

5)  Remove-CdmRfc2307NisNetGroupMember

Centrify Licensing Service

 

          N/A

Centrify OpenLDAP Proxy

 

          Added support for refreshing cached objects in the background, with the following new parameters in slapd.conf: (Ref: 299239)

         "ldapproxy.refresh.cache.background.enable": set this parameter to true to enable this feature. Default value is "false".

         "ldapproxy.refresh.cache.background.thread.num": set this parameter to specify the number of threads. Default value is "2".

          Added a new parameter "ldapproxy.get.group.membership.for.posixAccount" in slapd.conf to control whether group membership is requested for posixAccount searches. Default is true, which means group membership is requested. (Ref: 306357)

          Modified the parameter "ldapproxy.cache.enabled" such that the default is changed from false to true to take advantage of this feature by default. (Ref: 299236)

Centrify Report Services

 

          Added the support of local Windows users and groups. (Ref: 306348)

          Added the support of silent configuration and upgrade for Report Service. (Ref: 298194, 299233)

          Added the support of managed service accounts (gMSA accounts) in UNIX user profile. (Ref: 298379)

Centrify Smart Card

 

          Added the Perl script "autoedit_default_sctool.pl" to the autoedit part of sctool. (Ref: 299010)

Centrify Zone Provisioning Agent

 

          Added the support of provisioning managed service accounts (gMSA accounts). (Ref: 298376)

2.2.          Feature Changes in Authentication Service and Privilege Elevation Service 5.8.0 (Release 2021)

General

 

          Open-Source component upgrade

         Upgraded .NET framework from v4.6.2 to v4.8. (Ref: CS-48639)

         Upgraded cURL from v7.70.0 to v7.75.0. (Ref: CS-48932)

  This includes several security fixes. For details, please refer to https://curl.haxx.se/docs/security.html.

         Upgraded OpenLDAP from v2.4.50 to v2.4.57 and applied a patch for CVE-2021-27212. (Ref: CS-49123)

  For changelog details, please refer to https://www.openldap.org/software/release/changes.html.

         Upgraded OpenSSH from v8.4p1 to v8.6p1. (Ref: CS-49607)

  For changelog and vulnerability fix details, please refer to http://www.openssh.com/releasenotes.html and http://www.openssh.com/security.html.

         Upgraded OpenSSL from v1.1.1g to v1.1.1k. (Ref: CS-49218)

  For changelog and vulnerability fix details, please refer to https://www.openssl.org/news/vulnerabilities.html and https://www.openssl.org/news/cl111.txt.

         Upgraded PostgreSQL from v12.0 to v12.5. (Ref: CS-48640)

  For changelog and vulnerability fix details, please refer to https://www.postgresql.org/ and https://www.postgresql.org/support/security/.

         Upgraded PuTTY from v0.73 to v0.74. (Ref: CS-48963)

  This includes several security fixes. For details, please refer to https://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html.

         Upgraded SQLite from v3.31.1 to v3.34.1. (Ref: CS-48827, CS-48988, CS-48685, CS-48580)

  For changelog details, please refer to https://www.sqlite.org/chronology.html.

         Upgraded sudo from v1.8.20p2 to v1.9.5p2. (Ref: CS-49538)

  For changelog details, please refer to https://www.sudo.ws/stable.html#1.9.5p2.

          Packaging change

         Starting from this release, the names of the bundles have changed from Centrify-Infrastructure-Services-XXX.iso/zip/tgz back to Centrify-Server-Suite-xxx.iso/zip/tgz to better reflect the product organization. (Ref: CS-49475)

         Redhat packages are now SHA256 compliant. (Ref: CS-44650)

          Compatibility (Ref: CS-49384)

This release of Centrify DirectControl Agent for *NIX will work with the following except on Solaris:

         The latest released Centrify for DB2 and Centrify for Samba. (Ref: CS-44594)

         Centrify DirectAudit Agent of Release 2017 or later, except:

  On AIX, DirectAudit Agent must be of Release 2020.1 or later. (Ref: CS-49425, CS-49427)

  On Linux PowerPC platforms, DirectAudit Agent must be of Release 2017.3 or later. (Ref: CS-44597, CS-44601, CS-44749)

         Centrify OpenSSH of Release 19.6. (Ref: CS-45107)

On Solaris, you need to upgrade all packages to Release 2020 or later. For example, this release of Centrify DirectControl Agent for *NIX will not work with old versions of the adbindproxy package, DirectAudit Agent, Centrify OpenSSH, etc., as the location of 64-bit executables has changed (e.g., 'bin/amd64' for x86, and 'bin/sparcv9' for SPARC). (Ref: CS-45176)

As Centrify Deployment Manager is already discontinued after Release 18.11, Deployment Manager cannot deploy this release of Centrify DirectControl Agent for *NIX. (Ref: CS-47626)

Security Fix

 

          N/A

Centrify DirectControl Agent for *NIX

 

          Deprecated TLS 1.1 support in the adclient TLS channel. TLS version 1.2 or above is now explicitly specified for the HTTPS connections to the cloud connector. (Ref: CS-49589)

          Added the instrumentation for threadpool information as part of the heartbeat INFO messages to syslog. (Ref: CS-49472)

          Changed CAPI performance log messages from DEBUG to INFO level for better monitoring. (Ref: CS-49299)

          Added a new method, ldapFetch, to the Session class in Python pycapi module. The method can fetch an AD object via LDAP. (Ref: CS-49740)

          Added a performance enhancement: by default, a change in a user's group membership now triggers group member refreshing for zone-enabled groups only. (Ref: CS-49718)

          Added the support to find out the DirectAudit status of servers in the system. (Ref: CS-6971)

          Added the support of SELINUX related feature on SuSE with "minimum" and "targeted" policy. (Ref: CS-45558, CS-47998)

          Added the support of automatically adding local users (users with registry attribute "files") to the user ignore list on AIX. (Ref: CS-49788)

DirectControl Command Line Utilities

          Enhanced adedit command with the following:

         Added the support to allow runtime variable substitution (%{u:xxx}) for user fields. (Ref: CS-49347)

         Added a new sample script to list all AD groups which are assigned with a login sysrights role. (Ref: CS-49722)

          Enhanced dzdo command with the following:

         Added the support of SELINUX related feature on SuSE with "minimum" and "targeted" policy. (Ref: CS-43833)

Audit Trail Events

          N/A

Configuration Parameters

Added the following parameters in centrifydc.conf:

-    adclient.dz.refresh.hook: This parameter specifies the full path of the command that is executed after adclient finishes the DZ cache refresh. (Ref: CS-49610)

Modified the following parameters in centrifydc.conf:

-    N/A

Please refer to the manual, Configuration and Tuning Reference Guide, for details.

Centrify Access Manager

 

          Added an option to not set the security descriptor when creating a computer object or zone object. (Ref: CS-47739)

          Added a registry value "UseMemberNisNetGroup" (Registry key: HKLM\SOFTWARE\Centrify\CIMS\Rfc2307NisMap; Type: DWORD) to save sub-NIS-net-groups in the attribute "memberNisNetgroup" if the registry value is greater than 0. By default, this registry value is 0 or empty, which means to save the sub-NIS-net-groups in the attribute "nisNetgroupTriple". (Ref: CS-49680)

          Added a registry value "AllowedTrusts" (Registry key: HKLM\SOFTWARE\Centrify\CIMS; Type: REG_MULTI_SZ) to manage which foreign trusts are allowed. By default, this registry value is empty. (Ref: CS-49635)

Centrify Access Module for PowerShell

 

          Added support for managing delegation scope by introducing a new parameter "AdComputerScope" of Set-CdmDelegation to control delegation scope when users are granted the permission to join computers to the specified zone. (Ref: CS-49535)

Centrify Windows SDK

 

         N/A

Centrify Group Policy Management

 

          Added the group policy support for Kerberos cache directory configuration parameter 'adclient.krb5.ccache.dir'. (Ref: CS-45623)

Centrify Licensing Service

 

          Enhanced the section 'DirectControl Workstation ALL (summary)' in the Deployment Report to include the count of zoneless systems. (Ref: CS-49565)

          Changed the word 'Unmanaged' in the Deployment Report to 'Zoneless' to better describe the category. (Ref: CS-49548)

Centrify OpenLDAP Proxy

 

          N/A

Centrify OpenSSH

 

          Added a new ssh_config option, "ScpBlockUnsafeSpec", which specifies whether to deny scp commands that contain unsafe symbols. The default is "no", meaning such commands are not denied. When set to "yes", this option mitigates the vulnerability described in CVE-2020-15778. (Ref: CS-49406)

          Added the SELINUX support on SLES with "minimum" and "targeted" policy. (Ref: CS-45563)

Centrify Report Services

 

          N/A

Centrify Smart Card

 

          Added support for smart card login on Debian 9 (x86_64) or later and Ubuntu 18.04 LTS (x86_64) or later. (Ref: CS-49402)

Centrify Zone Provisioning Agent

 

          Added support to specify which Domain Controller to use for connection when accessing the zones, users, and groups in the domain. (Ref: CS-40263)

          Added a registry value "AllowedDomains" (Registry key: HKLM\SOFTWARE\Centrify ZPA; Type: REG_MULTI_SZ) to manage which domains/foreign trusts are allowed. By default, this registry value is empty. (Ref: CS-49635)

3.     Bugs Fixed

3.1.          Bugs Fixed in Authentication Service and Privilege Elevation Service 5.8.1 Component Update (Release 2021.1)

 

         If the domain controller has Windows updates dated November 9, 2021 or later installed and the new registry value "PacRequestorEnforcement" is set to "2", resetting passwords via Kerberos fails. As a result, the DirectControl adjoin, adkeytab and adpasswd command line utilities fail to reset account passwords. Microsoft has confirmed this issue; please see the Known issues section of this article: https://prod.support.services.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041. This release includes a solution that bypasses the issue. (Ref: 432938)

         Fixed an issue where, if you were using Release 2021 (5.8.0) or earlier and upgraded to Release 2021.1 (5.8.1), you might have encountered a cache upgrade issue. The issue caused login failures for offline upgrades and had a negative impact on *NIX agent performance in large Active Directory environments. If you are planning to upgrade, we highly recommend that you use this updated version. (Ref: 427731)

         Applied the patches for CVE-2022-0778, CVE-2022-1292, CVE-2022-1473, CVE-2022-1434 and CVE-2022-1343 to Centrify OpenSSL. (Ref: 434301)

 

3.2.          Bugs Fixed in Authentication Service and Privilege Elevation Service 5.8.1 (Release 2021.1)

General

 

          Fixed an issue where package installation fails on RHEL 8.x with FIPS enabled. (Ref: 306330)

          Fixed an issue in install.sh, which now validates the requirement for the corresponding DB2 plugin against version 5.7.0. (Ref: 299260)

Centrify DirectControl Agent for *NIX

 

          Fixed an issue where some fields in postalAddress are lost when a machine joins a classic zone. (Ref: 298307)

          Fixed an issue where the list of installed packages in the postalAddress of the computer object is incomplete because the distinguishedName is too long. (Ref: 303388)

          Fixed an issue where a user might fail to log in if a group the user belongs to has too many members (for example, when the combined length of the member list exceeds 1000 characters). (Ref: 299242)

          Fixed an issue that causes adclient performance to degrade in environments where AD objects have identical usnChanged attribute value across different domain controllers. (Ref: 383716)

          Fixed an issue that causes cross domain Kerberos traffic to be blocked. (Ref: 304296)

Centrify OpenSSH

 

          Fixed an issue where Centrify OpenSSH is restarted every time Centrify DirectControl tries to update a group policy. (Ref: 352010)

Centrify OpenLDAP Proxy

 

          Fixed an issue where slapd core dumps when the in-memory cache is enabled. (Ref: 303555)

          Fixed an issue that slapd core dump file is missing. (Ref: 301514)

Centrify Access Manager

 

          Fixed an issue where some servers show up in Access Manager as not joined to a zone. Note: the fix adjusts the comparison of the join time to allow a +/- tolerance. By default, the tolerance is +/- 30 seconds. It can be configured with the registry value "HKLM\Software\Centrify\CIMS\JoinTimeRange". (Ref: 298722)

Centrify Access Module for PowerShell

 

          Fixed an issue where creating a user profile with an empty string results in UID 0. (Ref: 296885)

Centrify Group Policy Management

 

          Fixed the unnecessary error messages in Group Policy mapper scripts about glob disappearing in Perl 5.30. (Ref: 298454)

          Fixed an issue where DirectControl group policy settings cannot be found if the DirectAudit group policy is also installed on the same machine. (Ref: 304400)

Centrify Report Services

 

          N/A

Centrify Smart Card

 

          Fixed an issue where smart card login does not work on a STIG-hardened system because the dconf configuration is not readable by GDM users. (Ref: 298272)

3.3.          Bugs Fixed in Authentication Service and Privilege Elevation Service 5.8.0 (Release 2021)

General

 

          N/A

Centrify DirectControl Agent for *NIX

 

          Fixed an issue that corrupted the cache DB when storing big keys. (Ref: CS-49756)

          Fixed an issue where rescue rights do not work after a reboot when MFA is enabled. (Ref: CS-49613)

          Fixed a crash caused by an exception thrown from the SecureChannel destructor. (Ref: CS-49612)

          Fixed an issue that sudoers.pl cannot determine sudoers file location due to locale setting. (Ref: CS-49608)

          Fixed an issue that the properties for custom attributes like 'adclient.custom.attributes.user' are not upgraded correctly after package upgrade. (Ref: CS-49439)

          Fixed an issue where, in a Kickstart deployment, DirectControl may be installed without systemd support and cannot work after installation. The fix adds a dependency to make sure DirectControl is installed after systemd. (Ref: CS-49419)

          Fixed an issue where sshd gets stuck in the SIGCHLD handler function. (Ref: CS-49749)

DirectControl Command Line Utilities

          Fixed an issue where the Python module PyLRPC is broken on Ubuntu 18.04. Note: this change breaks backward compatibility. The fix corrects the wrong return type used in previous releases. Certain attributes cannot be returned as strings, and Python supports locales, which means we cannot arbitrarily set everything to UTF-8. Customers who depend on the previous string return type will need to change their logic to match the new return type. (Ref: CS-49592)

          Fixed an issue that 'sctool -D' crashes when signing test fails. (Ref: CS-49678)

Centrify OpenSSH

 

          N/A

Centrify OpenLDAP Proxy

 

          N/A

Centrify Access Manager

 

          Fixed an issue that roleTime is not updated when the sys right of a role is updated in a zone. (Ref: CS-49426)

Centrify Access Module for PowerShell

 

          N/A

Centrify Licensing Service

 

          N/A

Centrify Group Policy Management

 

          N/A

Centrify Report Services

 

          The SQL Server Availability Group feature in SQL Server 2012 is now supported. (Ref: CS-39674)

Centrify Zone Provisioning Agent

 

          N/A

4.     Known Issues

 

The following sections describe common limitations or known issues associated with this Authentication Service and Privilege Elevation Service release.

 

For the most up-to-date list of known issues, please log in to the Customer Support Portal at https://www.centrify.com/support and refer to the Knowledge Base articles for any known issues with the release.

Centrify DirectControl Agent for *NIX

 

          Known issues with Multi-Factor Authentication (MFA)

If MFA is enabled but the parameter "adclient.legacyzone.mfa.required.groups" is set to a non-existent group, MFA will be required for all AD users. The workaround is to remove any non-existent groups from the parameter. (Ref: CS-39591b)

          Known issues with AIX

 

On AIX, upgrading DirectControl agent from 5.0.2 or older versions in disconnected mode may cause unexpected behavior. The centrifydc service may be down after upgrade. It's recommended not to upgrade DirectControl agent in disconnected mode. (Ref: CS-30494a)

 

Some versions of AIX cannot handle usernames longer than eight characters. As a preventive measure, we have added a new test case to the adcheck command that checks whether the parameter LOGIN_NAME_MAX is set to 9. If so, adcheck shows a warning so that users are aware of it. (Ref: CS-30789a)

 

          Known issues with Fedora 19 and above (Ref: CS-31549a, CS-31730a)

 

There are several potential issues on Fedora 19 and above:

1)    The adcheck command will fail if the machine does not have Perl installed.

2)    Group Policy will not be fully functional unless Text/ParseWords.pm is installed.

 

         Known issues with RedHat

When logging into a RedHat system with an Active Directory user that has the same name as a local user, the system does not warn the user of the conflict, which results in unpredictable login behavior. The workaround is to remove the conflict or log in with a different AD user. (Ref: CS-28940a, CS-28941a)

          Known issues with rsh / rlogin (Ref: IN-90001)

 

-    When using rsh or rlogin to access a computer that has DirectControl agent installed, and where the user is required to change their password, users are prompted to change their password twice. Users may use the same password each time they are prompted, and the password is successfully changed.

 

          Known issues with compatibility 

 

Using DirectControl 4.x agents with Access Manager 5.x (Ref: IN-90001)

 

-    DirectControl 4.x agents can join classic zones created by Access Manager 5.x. It may ostensibly be possible to join a DirectControl 4.x agent to a hierarchical zone as well, but this causes failures later, as such behavior is undefined.

 

Default zone not used in DirectControl 5.x (Ref: IN-90001)

 

-    In DirectControl 4.x, and earlier, there was a concept of the default zone. When Access Manager was installed, a special zone could be created as the default zone. If no zone was specified when joining a domain with adjoin, the default zone would be used.

 

-    This concept has been removed from DirectControl 5.0.0 and later as it is no longer relevant with hierarchical zones. In zoned mode, a zone must now always be specified.

 

-    A zone called "default" may be created, and default zones created in earlier versions of Access Manager may be used, but the name must be explicitly used.

 

Smart Card

 

          Release 18.8 includes an update to Coolkey to support Giesecke & Devrient 144k, Gemalto DLGX4-A 144, and HID Crescendo 144K FIPS cards. However, this has introduced known issues that may cause CAC cards to work only sporadically. A workaround for CAC cards is to wait for the PIN and Welcome prompts, without removing the card, and then try again. (Ref: CC-58013a)

 

          There is a Red Hat Linux desktop selection issue in RHEL 7 with smart card login. When logging in with a smart card, if both the GNOME and KDE desktops are installed, the user can only log into the GNOME desktop even though the "KDE Plasma Workspace" option is selected. (Ref: CS-35125a)

 

          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and a smart card is inserted at the login screen, the PIN prompt may not appear until you press the "Enter" key. The workaround is to replace libsoftokn3.so, a shared object in the NSS package, with the version shipped in RHEL 5.9. Note that this pins a component of the NSS cryptographic library at an older version, so treat it as a temporary measure. (Ref: CS-35038a)

 

          On RHEL 5.10 and 5.11, if "Smart Card Support" is enabled and "Card Removal Action" is configured as "Lock", the screen is locked several seconds after logging in with a smart card. The workaround is the same: replace libsoftokn3.so, a shared object in the NSS package, with the version shipped in RHEL 5.9. (Ref: CS-33871a)

 

          When a smart card user attempts to log in on Red Hat 6.0 with an expired password, the authentication error message may not mention that authentication failed because the password has expired. (Ref: CS-28305a)

 

          On Red Hat, any smart card user is prompted for a PIN even if the user is not zoned, although the login attempt will ultimately fail. This differs from Mac behavior: on Mac, a smart card user who is not zoned is not prompted for a PIN at all. (Ref: CS-33175c)

 

          If a smart card user's Active Directory password expires while the machine is in disconnected mode, the user may still be able to log in with the expired password. This is not a common case, because secure smart card AD environments usually do not allow both PIN and password logins for a smart card user. (Ref: CS-28926a)

 

          To log in successfully in disconnected mode (Ref: CS-29111a):

         For a password user:

   A password user must have logged in successfully at least once in connected mode before logging in in disconnected mode. (This is consistent with other DirectControl agent for *NIX behavior.)

         For a smart card user:

   The above is not true of smart card login. Given a properly configured Red Hat system with a valid certificate trust chain and CRL set up, a smart card user can log in successfully in disconnected mode even without a prior successful login in connected mode.

   If the certificate trust chain is not configured properly on the Red Hat system, the smart card user's login attempt will fail.

   If the smart card user's login certificate has been revoked, and the Red Hat system has a valid CRL that includes that certificate, the system will reject the user.
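The three smart card outcomes listed above (accepted with a valid trust chain and CRL, rejected when the trust chain is not configured, rejected when the certificate is on the CRL) can be rehearsed with openssl alone. The script below is an added example, not part of these release notes or of the Centrify agent: it generates a throw-away CA, a constructed "card holder" login certificate and a CRL in a scratch directory and checks the certificate the way a host with those files on disk would. The CA names, file names and the minimal openssl ca configuration are assumptions made for the example; the agent itself relies on pam_pkcs11 and the cached CA certificates and CRLs mentioned elsewhere in these notes.

```shell
#!/bin/sh
# Added example, not Centrify code: rehearse the three disconnected-mode
# outcomes for a smart card login certificate using only openssl.
# The CA, the "card holder" certificate and the CRL are all constructed here.
#   1. trusted chain + CRL that does not list the cert  -> accepted
#   2. wrong trust anchor (chain not configured)        -> rejected
#   3. certificate revoked and listed in the CRL        -> rejected
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work" || exit 1

quiet() { "$@" >/dev/null 2>&1; }

# req config (assumed, for the example) so the CA certificates carry
# CA:TRUE and cRLSign regardless of the system openssl.cnf.
cat > req.cnf <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Throw-away issuing CA, plus an unrelated CA that stands in for a host
# whose trust chain was never configured for the real issuer.
quiet openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Smart Card CA" -keyout ca.key -out ca.pem
quiet openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Unrelated CA" -keyout other.key -out other.pem

# One card holder's login certificate, issued by the real CA.
quiet openssl req -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=card holder" -keyout user.key -out user.csr
quiet openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -sha256 -out user.pem

# Minimal 'openssl ca' database so the CA can revoke and publish a CRL.
: > index.txt
echo 01 > crlnumber
cat > ca.cnf <<EOF
[ ca ]
default_ca = smartcard_ca
[ smartcard_ca ]
database         = $work/index.txt
crlnumber        = $work/crlnumber
certificate      = $work/ca.pem
private_key      = $work/ca.key
default_md       = sha256
default_crl_days = 1
EOF
quiet openssl ca -config ca.cnf -gencrl -out ca.crl   # CRL with nothing revoked

# The host's decision for a login certificate, given the trust anchor and
# CRL it has on disk: prints "accepted" or "rejected".
check_login_cert() {   # $1 trust anchor, $2 CRL, $3 login certificate
    if quiet openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3"; then
        echo accepted
    else
        echo rejected
    fi
}

case_valid=$(check_login_cert ca.pem ca.crl user.pem)          # accepted
case_wrong_chain=$(check_login_cert other.pem ca.crl user.pem)  # rejected

# Revoke the card holder's certificate and publish a CRL that lists it.
quiet openssl ca -config ca.cnf -revoke user.pem
quiet openssl ca -config ca.cnf -gencrl -out ca.crl
case_revoked=$(check_login_cert ca.pem ca.crl user.pem)        # rejected

printf 'valid chain: %s\nwrong chain: %s\nrevoked: %s\n' \
    "$case_valid" "$case_wrong_chain" "$case_revoked"
```

Run it with sh and it prints the three outcomes. Because the CA here is self-signed and is itself the trust anchor, -crl_check consults a CRL only for the login certificate; on a host where the card certificates chain through intermediate CAs, -crl_check_all is needed to have the intermediates checked against their CRLs as well.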

 

          After upgrading from DirectControl version 5.0.4 to version 5.1, a smart card user may not be able to log in successfully. The workaround is to remove the cached CA certificates, CRLs and agent certificates with the following commands:

 

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

 

and then run adgpupdate to refresh Group Policy. (Ref: CS-30025c)

 

          When CRL check is set via Group Policy and attempting to authenticate via Smartcard, authentication may fail. The workaround is to wait until the Group Policy Update interval has occurred and try again or to force an immediate Group Policy update by running the CLI command adgpupdate. (Ref: CS-30090c)

 

          After upgrading from DirectControl agent version 5.0.4 to version 5.1.1, a smart card user may not be able to authenticate successfully. The workaround is to run the following command sequence as root:

 

sctool -d

sctool -e

sudo rm /etc/pam_pkcs11/cacerts/*

sudo rm /etc/pam_pkcs11/crls/*

sudo rm /var/centrify/net/certs/*

adgpupdate

 

and then log in again with the smart card and PIN. (Ref: CS-30353c)
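The following script is an added example, not part of the Centrify agent or of these release notes. It packages the cache-reset steps from the two upgrade workarounds above (CS-30025c and CS-30353c): disable smart card support, clear the three cache directories, re-enable smart card support, and run adgpupdate. The paths and the sctool and adgpupdate commands are the ones given in the notes; ROOT_PREFIX and DRY_RUN are assumptions made for this example so the steps can be rehearsed against a scratch tree without root or the agent tools.

```shell
#!/bin/sh
# Added example, not a Centrify script: reset the smart card certificate
# caches after an agent upgrade, then refresh Group Policy.
# ROOT_PREFIX and DRY_RUN are example-only knobs (not agent settings):
#   ROOT_PREFIX redirects the cache paths into a scratch tree;
#   DRY_RUN=1 prints the sctool/adgpupdate commands instead of running them.
ROOT_PREFIX="${ROOT_PREFIX:-}"
DRY_RUN="${DRY_RUN:-0}"

# Run an agent command, or just show it when rehearsing or when the agent
# tools are not installed on this machine.
run_agent_cmd() {
    if [ "$DRY_RUN" = "1" ] || ! command -v "$1" >/dev/null 2>&1; then
        echo "[dry-run] $*"
        return 0
    fi
    "$@"
}

# Remove the files in one cache directory (the same '/*' the notes remove).
# An absent directory is not an error: there is simply nothing to clear.
clear_cache_dir() {
    dir="$ROOT_PREFIX$1"
    count=0
    if [ ! -d "$dir" ]; then
        echo "skip: $dir does not exist"
        return 0
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # glob matched nothing: directory is empty
        rm -f -- "$f"
        count=$((count + 1))
    done
    echo "cleared $count file(s) from $dir"
}

reset_smartcard_caches() {
    # The real caches and sctool need root; rehearsals do not.
    if [ "$DRY_RUN" != "1" ] && [ "$(id -u)" -ne 0 ]; then
        echo "run as root (or set DRY_RUN=1 to rehearse)" >&2
        return 1
    fi
    run_agent_cmd sctool -d                     # disable smart card support
    clear_cache_dir /etc/pam_pkcs11/cacerts     # cached CA certificates
    clear_cache_dir /etc/pam_pkcs11/crls        # cached CRLs
    clear_cache_dir /var/centrify/net/certs     # agent certificate cache
    run_agent_cmd sctool -e                     # re-enable smart card support
    run_agent_cmd adgpupdate                    # pull Group Policy again
}

# Only act when invoked as 'sh reset_smartcard_caches.sh run'; sourcing the
# file merely defines the functions.
if [ "${1:-}" = "run" ]; then
    reset_smartcard_caches
fi
```

On the affected host run it as root with the run argument, then log in again with the smart card and PIN. DRY_RUN only affects the agent commands; point ROOT_PREFIX at a scratch tree if the real cache directories must not be touched during a rehearsal.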

 

          A user configured with smart card name mapping can unlock the screen with a password even though the previous login used a PIN. (Ref: CS-31364b)

 

          On Red Hat, a CAC card user must enter the PIN twice to log in: the first entry fails and the second succeeds. (Ref: CS-30551c)

 

          Running "sctool -D" as a normal user gives an incorrect CRL check result. The workaround is to run it as root. (Ref: CS-31357b)

 

          Screen saver shows password not PIN prompt (Ref: CS-31559a)

 

Most smart card users can log on only with a smart card and PIN and cannot authenticate with a username and password. However, users can be configured for both smart card/PIN and username/password authentication. Generally this setup works seamlessly: the user either enters a username and password at the logon prompt, or inserts a smart card and enters a PIN at the prompt.

However, with multi-user cards it can be problematic when the screen locks while the card is in the reader. When the user attempts to unlock the screen, the system prompts for a password rather than a PIN, although the PIN is what is required because the card is in the reader. If the user does not realize the card is still in the reader and enters the password several times, the card will lock once the limit for incorrect entries is reached. Check whether the card is still in the reader before re-entering credentials at the unlock prompt.

On RHEL 7, an Active Directory user who authenticated via smart card cannot log in again after the smart card is removed. This is due to a bug in RHEL 7 (https://bugzilla.redhat.com/show_bug.cgi?id=1238342). The problem does not occur on RHEL 6. (Ref: CSSSUP-6914c)

Centrify Report Services

 

          N/A

5.     Additional Information and Support

 

In addition to the documentation provided with this package and on the web, you can find answers to common questions, information about general or platform-specific known limitations, and tips and suggestions in the Centrify Knowledge Base.

 

The Centrify Resources web site provides access to a wide range of information, including analyst reports, best practice briefs, case studies, datasheets, ebooks, and white papers, that may help you optimize your use of Centrify products. For more information, see the Centrify Resources web site:

https://www.centrify.com/resources

You can also contact Centrify Support directly with your questions through the Centrify Web site, by email, or by telephone. To contact Centrify Support or to get help with installing or using this software, send email to support@centrify.com or call 1-669-444-5200, option 2. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.