AD group issue with Centrify Express

Participant II
Posts: 6
Registered: ‎08-15-2018
#1 of 15 1,606

AD group issue with Centrify Express

I have Centrify Express (CentrifyDC 5.5.0-200) installed on several servers.   On some of the servers, when I issue this command:

 

               adquery group database_administrators

 

I get back the group name, its id # and members.  On some of the servers, when that command is issued, I get this response instead:

 

              database_administrators is not a zone group

 

All servers are running the same version (version listed above); all info from adinfo --server, --version, etc. is the same; I have done an adreload, adflush as well as left and rejoined the domain.  The end result is the above "not a zone group" message. 

 

Why does this work on some servers but not others?  I am guessing something is amiss, but with the things I have looked at so far, I haven't been able to determine what or where.   Has anyone run into this?  Any ideas on what needs updating/fixing would be appreciated.

 

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#2 of 15 1,602

Re: AD group issue with Centrify Express

@sbrews,

 

Are all systems joined to the same domain?

Are all systems running the same operating system/version?

 

Are there any other AD-bridging integrations installed?  (e.g. sssd, pb, etc?).

 

What happens when you do "adquery group database_administrators -A" in both systems?

 

I have the theory that systems are not configured equally.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant III
Posts: 9
Registered: ‎10-04-2018
#3 of 15 1,587

Re: AD group issue with Centrify Express

Both servers are:

 

- The same version OS and kernel

- both are using the same DC

- both are in the same domain

- there are no AD bridging integrations

- adquery group database_administrators -A results in the members, etc being printed on the system where it works.  On the other system, it says no such group.

 

And yes, I would agree they are not configured equally, but... one server was installed in the morning, one in the afternoon.  The same package and steps were used for both... no idea where the difference might have happened.

 

Participant III
Posts: 9
Registered: ‎10-04-2018
#4 of 15 1,578

Re: AD group issue with Centrify Express

Interesting new development...

 

I have been trying/looking at various things to try and determine why some groups show up and others don't.  One of the things I did was to add myself to the database_administrators group - which previously was NOT showing up with adquery or "getent group" commands.  Now that I have updated the group (by adding myself), it is now showing up as expected - and it is the only thing I have changed.

 

Any ideas/insight?

Centrify Guru I
Posts: 2,388
Registered: ‎07-26-2012
#5 of 15 1,574

Re: AD group issue with Centrify Express

@hiccup,

 

Well, perhaps the object cache hadn't been refreshed and your change of group membership triggered it.  There are also environmental issues like replication, communication or placement relative to a Global Catalog.  Without looking at the logs, it will be very unclear to pinpoint the issue.

 

Centrify's adclient contains various caches (credential, authorization, connector, DNS, etc.) and there are commands that allow you to trigger them (adflush and adobjectrefresh).

 

I'm not sure how familiar you are with the product, but there are a large number of commands that can help you:

https://community.centrify.com/t5/TechBlog/TIPS-A-Centrify-Server-Suite-Cheat-Sheet/ba-p/22568

 

LMK if you have additional questions.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant III
Posts: 9
Registered: ‎10-04-2018
#6 of 15 1,563

Re: AD group issue with Centrify Express

I am familiar with that page - have been using many of those commands to try and figure out what is going on.

 

To add to the issue, I now have another server that WAS working and now gives the "is not a zone group" message.  The only way I have found to "fix" (and it seems to be a short term fix) is to:

 

- adflush -f

- groups (some user in the database_administrators group)

- adquery group database_administrators   (note: without doing the above groups command, this command will fail as noted above)

 

and then I get back the info I expect to see... but it doesn't stick around; at some random point it seems to forget about the group and the whole cycle starts over.
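One way to catch the moment the group stops resolving, so it can be lined up with the adclient logs (an added example, not part of the original thread and not Centrify tooling). It uses only `adquery group` and `getent group` as they appear in the thread; the state-file path, the `run` argument and treating any non-empty, zero-exit `adquery` output as "resolved" are assumptions.

```shell
#!/bin/sh
# Added example: record when an AD group starts or stops resolving on a host.
# GROUP and STATE_FILE defaults are assumptions; adjust for your environment.
GROUP="${GROUP:-database_administrators}"
STATE_FILE="${STATE_FILE:-/tmp/adgroup_probe.state}"

# Classify the Centrify view: resolved | not_zone_group | error.
# The "is not a zone group" text is the message quoted in the thread.
adquery_state() {
    out=$(adquery group "$1" 2>&1) && rc=0 || rc=$?
    case "$out" in
        *"is not a zone group"*) echo not_zone_group ;;
        *)
            # Assumption: exit 0 with non-empty output means the group resolved.
            if [ "$rc" -eq 0 ] && [ -n "$out" ]; then
                echo resolved
            else
                echo error
            fi
            ;;
    esac
}

# Classify the NSS view, which is what sudo and file permissions rely on.
nss_state() {
    if getent group "$1" >/dev/null 2>&1; then
        echo resolved
    else
        echo missing
    fi
}

# Print one timestamped line only when either view changes since the last run.
probe() {
    now="adquery=$(adquery_state "$1") nss=$(nss_state "$1")"
    prev=$(cat "$STATE_FILE" 2>/dev/null || true)
    if [ "$now" != "$prev" ]; then
        printf '%s\n' "$now" > "$STATE_FILE"
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $1 changed: ${prev:-none} -> $now"
    fi
}

# Run from cron or a loop as: adgroup_probe.sh run
if [ "${1:-}" = "run" ]; then
    probe "$GROUP"
fi
```

Running it every minute on a working and a failing server gives timestamps for each transition, which narrows the window to search in the adclient logs.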

 

 

Participant III
Posts: 9
Registered: ‎10-04-2018
#7 of 15 1,552

Re: AD group issue with Centrify Express

Per support from Centrify:

 

The issue you are describing is a known issue with the express version. It doesn't happen in the licensed version of the product because groups are handled differently

 

So I wasn't imagining things nor do I have anything misconfigured.

Participant III
Posts: 9
Registered: ‎10-04-2018
#8 of 15 1,478

Re: AD group issue with Centrify Express

Hi...

I am also having this issue. Please tell me how to fix it??? And also guide me on how to do that???

Participant III
Posts: 9
Registered: ‎10-04-2018
#9 of 15 1,476

Re: AD group issue with Centrify Express

Hi... Mobdro

I am also having this issue. Please tell me how to fix it??? And also guide me on how to do that???

Centrify
Posts: 3
Registered: ‎11-30-2015
#10 of 15 1,442

Re: AD group issue with Centrify Express

Hi MNG.
I'm with support and I'm going to contact you shortly to discuss this issue and see if we can determine what this issue is.