Centrify Express installation fails with AD subnet error

Participant II
Posts: 4
Registered: 3 weeks ago
#1 of 8


Hi!

I've been trying to install Centrify Express on one of my Ubuntu hosts for quite some time now. Somehow, the Deployment Manager always gives me an error about the AD subnets. (https://imgur.com/a/UdZC2hM)

However, from the Sites and Services console I can see that the subnets have indeed been properly configured. (https://imgur.com/a/DBqSCuh)

What could be causing this? I'm running Ubuntu Server 18.04 on the Linux side and a Windows Server 2019 DC with 2016 functional level.

Centrify Guru I
Posts: 2,388
Registered: 07-26-2012
#2 of 8

Re: Centrify Express installation fails with AD subnet error

@milo,

Welcome to Centrify.

To clarify here: your installation isn't failing; what's failing is the system checks. You can easily run "dpkg -i centrify-package.deb" and the installation will succeed.

Keep in mind that you have flexibility. I personally don't use DM, but I'd recommend that you run the adcheck command locally on the system. Your screenshots just show the error and the sites and services, but you don't specify the IP address/subnet of the target host.

Bottom line:

Run adcheck on the system and provide the output. Also show the actual subnet of the system to see if it's really accounted for or not.

Alternatively, just ignore the error and join AD. Our client is smart enough to figure out a path as long as your DNS is configured correctly.

sudo dpkg -i (centrify-package).deb

sudo adjoin -w -c "ou=your,ou=container" -u your-user -V domain.name

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 4
Registered: 3 weeks ago
#3 of 8

Re: Centrify Express installation fails with AD subnet error

Thanks for the quick reply.

Here's what the adcheck command says when run locally:

root@nmsep01-ic1-bfi:~/centrify# ./adcheck-deb8-x86_64 -V corp.xxx.com
adcheck (CentrifyDC 5.5.1-400)

Host Diagnostics
    uname: Linux nmsep01-ic1-bfi 4.15.0-39-generic #42-Ubuntu SMP Tue Oct 23 15:48:01 UTC 2018 x86_64
      OS: Ubuntu
      Version: 18.04
      Number of CPUs: 1
    Linux sanity checks
    uname says Linux nmsep01-ic1-bfi 4.15.0-39-generic #42-Ubuntu SMP Tue Oct 23 15:48:01 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    osrev=ubuntud18.04
    found Perl: /usr/bin/perl
    Samba not found in $PATH.
Inspecting DNS configuration
    Configured DNS servers are: -
        127.0.0.53 (localhost)
            UDP OK, response time = 0.0002
            UDP OK, response time = 0.0002
            UDP OK, response time = 0.0001
            UDP OK, response time = 0.0002
            UDP OK, response time = 0.0001
            TCP probe failed: rejected
IP Diagnostics
Local host name: nmsep01-ic1-bfi
Local IP Address: 10.99.2.1
FQDN host name:nmsep01-ic1-bfi.corp.xxx.com
Local IP Address: 10.0.2.1
FQDN host name:nmsep01-ic1-bfi.local
    look for local ssh server - found  SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.1
    inspecting OS type
    inspecting ssh configuration
        sshd -v says OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n  7 Dec 2017
Domain Diagnostics:
    DNS query for: _ldap._tcp.corp.xxx.com
    Found SRV records:
        wpdcp01-ic1-bfi.corp.xxx.com:389
Found SRV records:
    Probe domain controller: wpdcp01-ic1-bfi.corp.xxx.com
    Probe this domain controller with its IP address: 10.0.1.1
        LDAP UDP port test OK for IP 10.0.1.1, response time = 0.0004
        NTP port test OK for IP 10.0.1.1, response time = 0.0024
server wpdcp01-ic1-bfi.corp.xxx.com ( 10.0.1.1 ) says the time is Fri Nov, 30 14:04:13 UTC
        SMB port test OK for IP 10.0.1.1, response time = 0.0004
        Kerberos TCP port test OK for IP 10.0.1.1, response time = 0.0002
        Kerberos UDP port test OK for IP 10.0.1.1, response time = 0.0013
        kpassword TCP port test OK for IP 10.0.1.1, response time = 0.0001
        Kpass UDP port test OK for IP 10.0.1.1, response time = 0.0000
        LDAP TCP port test OK for IP 10.0.1.1, response time = 0.0002
        Anonymous LDAP bind to wpdcp01-ic1-bfi.corp.xxx.com
        Retrieve DC root object
        Domain Controller: wpdcp01-ic1-bfi.corp.xxx.com
        Domain controller type: Windows 2003
        Domain Name:            corp.xxx.com
        isGlobalCatalogReady:   TRUE
        domainFunctionality:           7
        forestFunctionality:           7
        domainControllerFunctionality: 7
    Probe this domain controller with its IP address: 10.99.1.1
        LDAP UDP port test OK for IP 10.99.1.1, response time = 0.0002
        NTP port test OK for IP 10.99.1.1, response time = 0.0002
server wpdcp01-ic1-bfi.corp.xxx.com ( 10.99.1.1 ) says the time is Fri Nov, 30 14:04:13 UTC
        SMB port test OK for IP 10.99.1.1, response time = 0.0004
        Kerberos TCP port test OK for IP 10.99.1.1, response time = 0.0001
        Kerberos UDP port test OK for IP 10.99.1.1, response time = 0.0015
        kpassword TCP port test OK for IP 10.99.1.1, response time = 0.0001
        Kpass UDP port test OK for IP 10.99.1.1, response time = 0.0000
        LDAP TCP port test OK for IP 10.99.1.1, response time = 0.0001
        Anonymous LDAP bind to wpdcp01-ic1-bfi.corp.xxx.com
        Retrieve DC root object
        Domain Controller: wpdcp01-ic1-bfi.corp.xxx.com
        Domain controller type: Windows 2003
        Domain Name:            corp.xxx.com
        isGlobalCatalogReady:   TRUE
        domainFunctionality:           7
        forestFunctionality:           7
        domainControllerFunctionality: 7

Locating global catalogs for CORP.xxx.COM from DNS.
    DNS query for: _gc._tcp.CORP.xxx.COM
    Found SRV records:
        wpdcp01-ic1-bfi.CORP.xxx.COM:3268
Found SRV records:
    Probe GC: wpdcp01-ic1-bfi.CORP.xxx.COM
    Probe this GC with its IP address: 10.0.1.1
        GC port test OK for IP 10.0.1.1, response time = 0.0002
    Probe this GC with its IP address: 10.99.1.1
        GC port test OK for IP 10.99.1.1, response time = 0.0001
DC performance table
wpdcp01-ic1-bfi.corp.xxx.com udp response 0ms site=
        symmetry test on 127.0.0.53
        get srv list for domain ok 1 entries
    Retrieving site information from wpdcp01-ic1-bfi.corp.xxx.com

compare the clocks on all domains to see if they are all synchronized.
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PORTMAP  : Verify that portmap or rpcbind is installed                 : Warning
         : Could not install CentrifyDC-nis package.
         : PORTMAP not installed. Please install required
         : portmap or rpcbind package, which CentrifyDC-nis
         : depends on

PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 127.0.0.53                                 : Warning
         : This DNS server does not appear to respond to TCP
         : requests. This is OK for small domains but will cause
         : problems otherwise. Note that the VMware NAT service
         : does not support TCP - this is normal.

DNSCHECK : Analyze basic health of DNS servers                         : Warning
         : One or more DNS servers are dead or marginal.
         : Check the following IP addresses in /etc/resolv.conf.
         :
         : The following table lists the state of all configured
         : DNS servers.
         :  127.0.0.53 (localhost): TCP dead but UDP OK

WHATSSH  : Is this an SSH that Centrify DirectControl Agent works well with: Pass
SSH      : SSHD version and configuration                              : Note
         : You are running OpenSSH_7.6p1 Ubuntu-4ubuntu0.1, OpenSSL 1.0.2n  7 Dec 2017.

DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC wpdcp01-ic1-bfi.corp.xxx.com   : Pass
ADPORT   : Port scan of DC wpdcp01-ic1-bfi.corp.xxx.com 10.0.1.1: Pass
ADPORT   : Port scan of DC wpdcp01-ic1-bfi.corp.xxx.com 10.99.1.1: Pass
ADDC     : Check Domain Controllers                                    : Pass
ADDNS    : DNS lookup of DC wpdcp01-ic1-bfi.CORP.xxx.COM   : Pass
GCPORT   : Port scan of GC wpdcp01-ic1-bfi.CORP.xxx.COM 10.0.1.1: Pass
GCPORT   : Port scan of GC wpdcp01-ic1-bfi.CORP.xxx.COM 10.99.1.1: Pass
ADGC     : Check Global Catalog servers                                : Pass
DCUP     : Check for operational DCs in corp.xxx.com       : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Failed
         : This machine's subnet is not known by AD.

TIME     : Check clock synchronization                                 : Pass
ADSYNC   : Check domains all synchronized                              : Pass
1 serious issue was encountered during check. This must be fixed before proceeding
3 warnings were encountered during check. We recommend checking these before proceeding

And here's the IP addresses for the machine:

root@nmsep01-ic1-bfi:~/centrify# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 4e:0f:ca:9c:f9:21 brd ff:ff:ff:ff:ff:ff
    inet 10.99.2.1/16 brd 10.99.255.255 scope global ens18
       valid_lft forever preferred_lft forever
    inet6 fe80::4c0f:caff:fe9c:f921/64 scope link
       valid_lft forever preferred_lft forever
3: ens19: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e2:8a:a4:b9:1c:3b brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.1/16 brd 10.0.255.255 scope global ens19
       valid_lft forever preferred_lft forever
    inet6 fe80::e08a:a4ff:feb9:1c3b/64 scope link
       valid_lft forever preferred_lft forever

DNS server issues are just caused by the new resolver system in Ubuntu 18.04, nothing to worry about there.

I do understand that the check can be overridden by installing it locally, but we have a lot of servers where this should be installed - that's why we went with Deployment Manager in the beginning.
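The question behind R.P's request in #2 (show the host's subnet) and the ADSITE failure in the adcheck output above is whether any subnet object in AD covers the host's addresses. The following is an added example, not part of the thread and not Centrify's adcheck or Deployment Manager code: it pulls the pass/fail table out of adcheck's output and repeats the placement a domain controller performs, a longest-prefix match of each host address against the subnet objects under CN=Subnets,CN=Sites,CN=Configuration. The adcheck excerpt and the subnet objects in the block are constructed; the real subnet list comes from the Configuration partition, for example with `ldapsearch -H ldap://<dc> -b "CN=Subnets,CN=Sites,CN=Configuration,DC=corp,DC=xxx,DC=com" "(objectClass=subnet)" cn siteObject`, where `<dc>` is your domain controller.

```python
"""Offline check of what adcheck's ADSITE result means for this host.

Added example, not Centrify code. The adcheck excerpt and subnet objects
below are constructed to mirror the thread's output.
"""
import ipaddress
import re

# One summary row per check: NAME : description : Pass|Warning|Note|Failed
SUMMARY_RE = re.compile(
    r"^([A-Z]+)\s+:\s+(.*?)\s*:\s*(Pass|Warning|Note|Failed)\s*$"
)
LOCAL_IP_RE = re.compile(r"^Local IP Address:\s*(\S+)\s*$", re.MULTILINE)


def parse_adcheck_summary(text):
    """Return a list of (check, description, status) rows, in output order.

    A list rather than a dict: adcheck prints some checks (ADPORT, ADDC, ...)
    once per DC address, and every row should survive.
    """
    rows = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            name, desc, status = m.groups()
            rows.append((name, desc.strip(), status))
    return rows


def checks_with_status(rows, status):
    """Names of checks that ended with the given status, deduplicated and sorted."""
    return sorted({name for name, _, st in rows if st == status})


def local_addresses(text):
    """Addresses adcheck reported for the host, in the order printed."""
    return LOCAL_IP_RE.findall(text)


def site_for_address(address, subnets):
    """Place one address in a site the way AD does: longest matching prefix.

    subnets: iterable of (cidr, site) pairs taken from the subnet objects
    (cn is the CIDR, siteObject names the site). Returns None when no subnet
    object covers the address, which is the state adcheck reports as
    "This machine's subnet is not known by AD".
    """
    ip = ipaddress.ip_address(address)
    best_net, best_site = None, None
    for cidr, site in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def diagnose(adcheck_text, subnets):
    """Blocking checks, warnings, and the site each host address lands in."""
    rows = parse_adcheck_summary(adcheck_text)
    return {
        "failed": checks_with_status(rows, "Failed"),
        "warnings": checks_with_status(rows, "Warning"),
        "sites": {a: site_for_address(a, subnets) for a in local_addresses(adcheck_text)},
    }


# Constructed excerpt in the shape of the adcheck output quoted in the thread.
ADCHECK_SAMPLE = """\
Local IP Address: 10.99.2.1
FQDN host name:nmsep01-ic1-bfi.corp.xxx.com
Local IP Address: 10.0.2.1
OSCHK    : Verify that this is a supported OS                          : Pass
PORTMAP  : Verify that portmap or rpcbind is installed                 : Warning
         : Could not install CentrifyDC-nis package.
DNSCHECK : Analyze basic health of DNS servers                         : Warning
ADPORT   : Port scan of DC wpdcp01-ic1-bfi.corp.xxx.com 10.0.1.1: Pass
ADPORT   : Port scan of DC wpdcp01-ic1-bfi.corp.xxx.com 10.99.1.1: Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Failed
         : This machine's subnet is not known by AD.
TIME     : Check clock synchronization                                 : Pass
"""

# Constructed subnet objects: the /24 inside the /16 shows that the most
# specific subnet wins, and 10.99.0.0/16 is deliberately absent so one of
# the host's addresses has no site, reproducing the ADSITE failure.
AD_SUBNETS = [
    ("10.0.0.0/16", "Default-First-Site-Name"),
    ("10.0.2.0/24", "ServerVLAN"),
]

if __name__ == "__main__":
    for key, value in diagnose(ADCHECK_SAMPLE, AD_SUBNETS).items():
        print(f"{key}: {value}")
```

With the constructed data the report lists ADSITE as the only blocking check and shows 10.99.2.1 with no site; adding a ("10.99.0.0/16", site) pair to the list makes that address resolve, which is the same change adding the subnet object in Sites and Services would make on the AD side.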

Centrify Guru I
Posts: 2,388
Registered: 07-26-2012
#4 of 8

Re: Centrify Express installation fails with AD subnet error

You are correct, nothing related to AD sites/subnets makes sense, however...

server wpdcp01-ic1-bfi.corp.xxx.com ( 10.0.1.1 ) says the time is Fri Nov, 30 14:04:13 UTC
        Domain controller type: Windows 2003

server wpdcp01-ic1-bfi.corp.xxx.com ( 10.99.1.1 ) says the time is Fri Nov, 30 14:04:13 UTC
        Domain controller type: Windows 2003

We no longer support DFL and FFL 2003. I am hoping this is not a production Active Directory (fails most audits).

From release notes:

5.   Notice of Termination of Support
[truncated]

This release is the last release in which the following Domain Functional
Level (DFL) and Forest Functional Level (FFL) are supported (Ref: CS-43754): · Windows 2003

https://docs.centrify.com/en/css/2017.3/Centrify-Infrastructure-Services-2017.3-Release-Notes.html

I would think that if the APIs for AD sites/services have changed, perhaps that client is confused.

I know you posted in Express, but if you did it by mistake and you're a customer, you can downgrade to 2017.2 (5.4.2); otherwise you either upgrade your DC (assuming Microsoft Active Directory, not Samba) for the sake of security first, and then retry.

As far as deployment goes, we understand the popularity of DM, but in reality the best thing to do is to use something like Chef, Puppet, Ansible, etc.

R.P

There are so many other software suites like Chef, Puppet, Ansible for deployment. That's the best practice.
Participant II
Posts: 4
Registered: 3 weeks ago
#5 of 8

Re: Centrify Express installation fails with AD subnet error

Hmm, could there be an issue regarding the detection of Server 2003? Our DC definitely runs Server 2019 and the DFL is also Server 2016. (https://imgur.com/a/TNKFtOE)

Thanks for the advice, I'll try to test the installation manually.

Centrify Guru I
Posts: 2,388
Registered: 07-26-2012
#6 of 8

Re: Centrify Express installation fails with AD subnet error

@milo,

You just found the issue. We have not officially claimed support for DFL/FFL 2016.

I need to report this as a bug if a 2016 DFL looks to us like 2003.

Force the join and move ahead, report any other issues.

Tip: I am not a DM expert, but you could modify the LUA file that does the adcheck so that it does not do the AD check, so you can carry on with it.

R.P
Centrify Guru I
Posts: 2,388
Registered: 07-26-2012
#7 of 8

Re: Centrify Express installation fails with AD subnet error

Spoke to Engineering.

The bug is in adcheck, which does not know what DFL 7 means. It does not affect our functionality.

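The finding in #6 and #7 is a checker that prints a plausible older name ("Windows 2003") beside a functional level it does not recognise (7). The following is an added example, not part of the thread and not Centrify's adcheck code: it parses the functional-level attributes out of the root-object block adcheck prints, decodes them with the value-to-name table Microsoft publishes for rootDSE (levels 0 through 7; later values exist and deliberately decode as unknown here), applies the support rule R.P quoted from the 2017.3 release notes (2003 DFL/FFL no longer supported) only to levels it could decode, and compares adcheck's own "Domain controller type" line with the level printed next to it. The rootDSE excerpt is constructed from the adcheck output earlier in the thread.

```python
"""Decode rootDSE functional levels without mistaking "unknown" for "old".

Added example, not Centrify code. FUNCTIONAL_LEVELS is Microsoft's published
mapping of rootDSE domainFunctionality / forestFunctionality /
domainControllerFunctionality values; the sample text is constructed.
"""
import re

FUNCTIONAL_LEVELS = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}
LEVEL_ATTRS = ("domainFunctionality", "forestFunctionality", "domainControllerFunctionality")
LEVEL_RE = re.compile(r"^\s*(%s):\s*(\d+)\s*$" % "|".join(LEVEL_ATTRS), re.MULTILINE)
DC_TYPE_RE = re.compile(r"^\s*Domain controller type:\s*(.+?)\s*$", re.MULTILINE)

# Support policy from the release notes quoted in the thread: 2003 (level 2)
# was the last DFL/FFL dropped, so level 3 is the lowest still supported.
MIN_SUPPORTED_LEVEL = 3


def parse_rootdse(text):
    """Return {attribute: int} for the functional-level attributes found."""
    return {name: int(value) for name, value in LEVEL_RE.findall(text)}


def level_name(level):
    """Name for a level, or None when the table does not know it.

    None is the whole point: a table that stops short must not hand back a
    default, which is exactly how an unknown level turns into "Windows 2003".
    """
    return FUNCTIONAL_LEVELS.get(level)


def describe(levels):
    """{attribute: (level, name or 'unknown')} for display."""
    return {attr: (lvl, level_name(lvl) or "unknown") for attr, lvl in levels.items()}


def support_verdict(levels):
    """True/False when every DFL and FFL decoded; None when any did not.

    Only the domain and forest levels matter for the support rule; an
    undecodable value yields None so the operator is told "cannot evaluate"
    rather than "fine" or "2003".
    """
    relevant = [lvl for attr, lvl in levels.items()
                if attr in ("domainFunctionality", "forestFunctionality")]
    if any(level_name(lvl) is None for lvl in relevant):
        return None
    return all(lvl >= MIN_SUPPORTED_LEVEL for lvl in relevant)


def check_adcheck_consistency(text):
    """(claimed, decoded): the type adcheck printed versus the level it printed.

    In the output quoted in this thread these disagree: "Windows 2003"
    against domainControllerFunctionality 7.
    """
    claimed = DC_TYPE_RE.search(text)
    levels = parse_rootdse(text)
    decoded = level_name(levels.get("domainControllerFunctionality"))
    return (claimed.group(1) if claimed else None, decoded)


# Constructed from the root-object block adcheck printed earlier in the thread.
ROOTDSE_SAMPLE = """\
        Domain Controller: wpdcp01-ic1-bfi.corp.xxx.com
        Domain controller type: Windows 2003
        Domain Name:            corp.xxx.com
        isGlobalCatalogReady:   TRUE
        domainFunctionality:           7
        forestFunctionality:           7
        domainControllerFunctionality: 7
"""

if __name__ == "__main__":
    levels = parse_rootdse(ROOTDSE_SAMPLE)
    for attr, (lvl, name) in describe(levels).items():
        print(f"{attr}: {lvl} = {name}")
    print("supported:", support_verdict(levels))
    print("adcheck claims / level decodes to:", check_adcheck_consistency(ROOTDSE_SAMPLE))
```

Run against the constructed sample it decodes all three levels as Windows Server 2016, returns a supported verdict, and reports the mismatch between "Windows 2003" and level 7; the same functions can be pointed at the output of an `ldapsearch -s base` query of the DC's rootDSE, which prints the attributes in the same `name: value` form.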
Participant II
Posts: 4
Registered: 3 weeks ago
#8 of 8

Re: Centrify Express installation fails with AD subnet error

Well, I tried using the direct installation with adjoin. Unfortunately, that failed too with the error "No writable domain controllers found.". I suspect that this is also related to the subnet issues.

Log below:

root@nmsep01-ic1-bfi:~/centrify# adjoin -w -u milo-admin -V corp.xxx.com
milo-admin@CORP.xxx.COM's password:
Options
-------
Precreate: no
Compatible with 2.x/3.x: no
Enable Apple Scheme to generate UID/GID: no
domain: corp.xxx.com
user: milo-admin@CORP.xxx.COM
container: null
computer name: nmsep01-ic1-bfi
Pre-Windows 2000 name: nmsep01-ic1-bfi
DNS Host Name used for dNSHostName attr: null
zone: Auto Zone
server: null
zoneserver: null
gc: null
upn: null
noconf: no
set time: yes
force: no
forceDeleteObj: no
forceDeleteObjWithDupSpn: no
trust: no
des: no
self-serve: no
respectEncInConf: no
respectSpnInConf: no
use ldap to create computer object: no
license type: null
createComputerZone: no
forceDeleteExistingComputerZone: no

Setting time
Initializing domain settings file to corp.xxx.com
Attempting bind to corp.xxx.com(site:) as milo-admin@CORP.xxx.COM on any server
Error: No writable domain controllers found.


Join to domain 'corp.xxx.com', zone 'Auto Zone' failed.