Troubleshooting PCS

This page provides help for issues and questions you might encounter while using Delinea Platform and PCS.

Can't Find Log Files

Before you can begin troubleshooting, you need to know where to find the Delinea Platform log files.

Delinea Connector

C:\Program Files\Delinea\Delinea Connector\log.txt

Delinea Platform Engine

C:\ProgramData\Delinea Platform Engine\<engine_version>\log

Command Relay

Command Relay stores logs in two places.

  • Abridged Log:

    C:\Program Files\Delinea Engine\<engine_version>\delinea\command-relay\<version>\log

  • Detailed Log:

    C:\ProgramData\Delinea\CommandRelay\Logs

Privilege Control Agent

  • Linux:

    /var/log/centrifydc.log

  • Windows (default location):

    C:\Program Files\Common Files\Centrify Shared\Logs\

You can change where the Windows agent log files are stored using Privilege Elevation Service Settings:

  1. Open Delinea Agent Configuration.

  2. In Privilege Elevation Service, click Settings.

  3. Select the Troubleshooting tab and click Options.

  4. In Log folder path, set the path as desired.

  5. (Optional) You can also change the trace level in this Options dialog.

Connection and MFA Issues

This section gives solutions for issues related to multi-factor authentication (MFA) and connecting to the Delinea Platform.

Can't Connect to Delinea Platform

Unable to log in to the Delinea Platform instance.

Connection issues can be caused by improperly configured Integrated Windows Authentication (IWA).

To verify whether IWA is working, open the following URL in a browser against your Delinea Connector host:

https://<connector_host_name>:<https_port>/iwa/sitecheck

For details, see Verifying IWA Over HTTPS.

The /iwa/ping endpoint can also be used, but /iwa/sitecheck returns more information.

Windows Diagnostics Error for MFA

The Windows Diagnostics Tool produces an error message like the following:

"Error: One or more validations have a problem. The environment might not be configured appropriately and some features might not be functioning properly."

This message is a false positive. It reports that MFA is not working for PCS when MFA is actually working. You can ignore it.

MFA Zero Pass-Through Not Working

When configuring multi-factor authentication, you can set the pass-through duration in an authentication profile to zero. A zero pass-through is meant to leave no grace period: the user should be prompted for MFA on every authentication. However, when privilege elevation uses an MFA authentication profile, the zero pass-through setting is not honored.

The dzdo command runs commands with privilege elevation. By default, dzdo caches a successful authentication for 5 minutes (its authentication timeout), so once a user has authenticated through dzdo they are not asked again within that window. This 5-minute interval overrides the intended effect of a zero pass-through interval.

To solve the issue, set dzdo's authentication timeout to 0 so that it matches the pass-through interval: in /etc/centrifydc/centrifydc.conf on each Linux agent, uncomment the dzdo.timestamp_timeout parameter and set it to 0.
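The following script is an added example, not Delinea's own tooling, that makes this edit safely across a fleet: it handles the three states the line can be in (the commented-out default, an existing live value, or no line at all), leaves exactly one live line for the key, and reads the value back so you can verify the change. It assumes the "key: value" syntax that centrifydc.conf uses and that you run it as root on the agent; the file path and parameter name are the ones named above.

```shell
#!/bin/sh
# Added example, not part of the Delinea product. Sets a "key: value" parameter
# in a centrifydc.conf-style file idempotently and reads it back for verification.
set -eu

# set_conf_param <file> <key> <value>
# The first line that defines <key>, whether live or commented out ("# key: 5"),
# is replaced by the live setting; later duplicates are dropped; if the file has
# no such line at all, the setting is appended at the end.
set_conf_param() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#+[ \t]*/, "", line)        # look through a leading "#"
            split(line, parts, /[ \t]*:[ \t]*/)      # "key: value" -> parts[1] is the key
            if (parts[1] == k) {
                if (!done) { print k ": " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k ": " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"     # overwrite in place so owner and mode are preserved
    rm -f "$tmp"
}

# get_conf_param <file> <key>: prints the live (uncommented) value, or nothing
get_conf_param() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            split($0, parts, /[ \t]*:[ \t]*/)
            if (parts[1] == k) { sub(/[ \t]+$/, "", parts[2]); print parts[2]; exit }
        }
    ' "$1"
}

# Apply the fix for the zero pass-through problem (run as root on the agent):
#   sh set_dzdo_timeout.sh --apply
if [ "${1-}" = "--apply" ]; then
    conf=/etc/centrifydc/centrifydc.conf
    set_conf_param "$conf" dzdo.timestamp_timeout 0
    echo "dzdo.timestamp_timeout is now: $(get_conf_param "$conf" dzdo.timestamp_timeout)"
fi
```

After the change, run adreload so the agent re-reads its configuration, then confirm with a fresh dzdo invocation that the MFA prompt appears on every call rather than once per 5 minutes.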

DirectControl Authentication Not Working on *nix

On UNIX/Linux systems, when the directory /var is NFS mounted, DirectControl may not work properly.

Resolution:

Do not mount /var on NFS.

Policies

This section gives solutions for issues related to PCS authentication policies. For information about these policies, see Step 10: Set Up PCS Policies.

Can't Find User for Subjects

Issue:

When searching for a known user to add as a subject for a PCS policy, the user's name does not appear, or no user names appear.

Resolution:

  1. Open the Delinea Connector Configuration UI.

  2. On the Status tab, look at the Last connection result.

    • If the message is "Connector is not available," select the Connector tab and click Start.

    • If the message is "Successful" but the Last connection time was a long time ago, select the Connector tab and click Stop.
      When the connector stops, click Start. It might take several seconds for the connector to stop and start.

  3. If your known user or all users are still not showing up in your search to a policy target, check the Connector logs. Contact Delinea support if necessary.

Policy Endlessly Activating or Deactivating

Issue:

A policy is stuck in Activating or Deactivating status.

Cause:

This typically indicates a problem with the Command Relay.

Resolution:

Check that a Command Relay is running. For more options, see the Command Relay / Delinea Platform Engine section.

Active Policy Not Enforced

Issue:

The status of a policy is Active, but the policy is not being enforced.

Cause:

Policy changes can take up to 30 minutes to be enforced after a policy's status becomes Active or Inactive, because the agent caches policy data locally.

Resolution

If an active policy is not being enforced after 30 minutes, contact Delinea support.

Inactive Policy Still Seems Active

Issue:

A Login or Privilege Elevation policy status is Inactive, but you can still perform login or privilege elevation on the machine.

Cause:

Policy changes can take up to 30 minutes to be enforced after a policy's status becomes Active or Inactive, because the agent caches policy data locally.

Resolution:

If an inactive policy is still in effect after 30 minutes, contact Delinea support.

Machine Not In Target List

Issue:

When setting up a PCS authentication policy, the Targets section is not showing the desired machine.

Resolution:

The targets you can select come from Inventory. If you are looking for a machine and it is not showing in the Targets list, check to see whether that same machine appears in the Inventory list.

If the machine not listed under Targets is also not listed under Inventory, run the discovery process. See Discovery.

If the machine not listed under Targets is listed under Inventory, contact Delinea support.

Command Relay / Delinea Platform Engine

This section gives solutions for issues related to Command Relay. The main technique for troubleshooting Command Relay is to look at the Command Relay logs.

Command Relay is one of the workloads deployed by the Delinea Platform Engine. The platform heavily depends on the Engine to run. Therefore, when troubleshooting Command Relay, it is also important to investigate potential problems with the Engine.

Increasing the Log File Detail Level

By default, Engine Pool logs record only critical errors, with little detail. When you need more information, raise the default logging level to Debug in the Engine Pool's appsettings.json file. Edit this file:

C:\Program Files\Delinea Engine\<engine_version>\appsettings.json

Frequently Asked Questions

Question: Does the Command Relay setting in an Engine Pool apply to all engines in the same site?

Answer: Yes. To use a different domain, create another site.

Question: Why does Command Relay need the Active Directory (AD) domain admin credentials?

Answer: Command Relay uses the credentials to write PCS policies to AD. By default, members of the Domain Admins group have all the required permissions.

Question: What happens if I provide the wrong Active Directory domain admin credentials or if they expire?

Answer: Command Relay stops working, so no further policy changes are applied. The failure is recorded in the Command Relay log; see Command Relay Can't Log In below for an example of the log entries.

Command Relay Secret Stops Working

Issue:

The secret (service account) selected for Command Relay stopped working.

Cause:

  • This could happen if the selected secret is changed. For example, if you move the secret to a personal folder in Secret Server, it removes the EngineWorkload shared permissions on the secret, which causes permission failure in Command Relay.

  • This could also happen if the underlying service account associated with this secret is changed; for example, password expired/not synced, account locked, AD permissions removed, and so on. Look at the failure log message for error details.

Command Relay Can't Log In

Issue:

Command Relay can't log in using the secret that works for the Secret Server Discovery service.

In the Command Relay log, you see that the Command Relay cannot log in:

2024-01-29 14:17:11,592 [10] INFO CommandRelay [(null)] - RunAsProcess info: domain=eric-sp-1.eric user=svc-ssd

2024-01-29 14:17:11,592 [10] INFO CommandRelay [(null)] - Normalized RunAs Info: user=svc-ssd domain=eric-sp-1.eric

2024-01-29 14:17:11,616 [10] ERROR CommandRelay [(null)] - Invalid Domain Credentials. Logon user failed: svc-ssd, errorCode=1385

2024-01-29 14:17:11,628 [10] ERROR CommandRelay [(null)] - Invalid domain creds detected, Exception=Delinea.CommandRelay.Common.LogonException: Invalid Domain Credentials. Logon user failed: svc-ssd, errorCode=1385

---> System.ComponentModel.Win32Exception (1385): Logon failure: the user has not been granted the requested log on type at this computer.

Resolution:

Read the error code before changing anything. Windows error 1385 (ERROR_LOGON_TYPE_NOT_GRANTED, "the user has not been granted the requested log on type at this computer") means the password was accepted but the service account has not been granted the logon right that Command Relay's RunAs logon needs on the Command Relay host. This is why the same secret can work for Secret Server Discovery and still fail here. Grant that right in the host's User Rights Assignment (local security policy or the GPO that applies to the host) and check that no "Deny log on ..." right covers the account or one of its groups; which right is needed (for example Log on as a batch job or Allow log on locally) depends on the logon type Command Relay requests. If the code is different, for example 1326 (bad user name or password) or 1909 (account locked out), fix the secret or the underlying service account instead.
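Because the error code decides the fix, it is worth pulling it out of the log mechanically. The following is an added triage script, not Delinea's own tooling: it extracts the account and Win32 error code from "Logon user failed" entries, counts occurrences per account and code, and maps the common codes to a cause. The sample log is constructed: the two 1385 lines from this page plus an invented second account, svc-other, failing with 1326. The code-to-cause table is mine; the numeric codes are standard Win32 values.

```shell
#!/bin/sh
# Added example, not part of the Delinea product: triage Command Relay logon
# failures. The Win32 codes are standard (compare "net helpmsg <code>" on Windows).
set -u

# explain_logon_error <win32 code> -> one-line cause and fix
explain_logon_error() {
    case "$1" in
        1326) echo "ERROR_LOGON_FAILURE: wrong user name or password; fix the secret" ;;
        1328) echo "ERROR_INVALID_LOGON_HOURS: AD logon-hours restriction on the account" ;;
        1329) echo "ERROR_INVALID_WORKSTATION: account may not log on from this computer (Log On To restriction)" ;;
        1330) echo "ERROR_PASSWORD_EXPIRED: password expired; rotate it and resync the secret" ;;
        1331) echo "ERROR_ACCOUNT_DISABLED: account is disabled in AD" ;;
        1385) echo "ERROR_LOGON_TYPE_NOT_GRANTED: password accepted, but the account lacks the logon right on this host; fix User Rights Assignment" ;;
        1909) echo "ERROR_ACCOUNT_LOCKED_OUT: account locked; unlock it in AD and find the source of the bad attempts" ;;
        *)    echo "code $1: not in this table" ;;
    esac
}

# triage_logon_failures <logfile>
# Prints one tab-separated line per distinct (account, code):
# account, code, number of occurrences, explanation.
triage_logon_failures() {
    sed -n 's/.*Logon user failed: \([^,]*\), errorCode=\([0-9]*\).*/\1 \2/p' "$1" \
    | sort | uniq -c \
    | while read -r count user code; do
        printf '%s\t%s\t%s\t%s\n' "$user" "$code" "$count" "$(explain_logon_error "$code")"
      done
}

# write_sample_log <path>: constructed sample (three lines from this page, one invented)
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-29 14:17:11,592 [10] INFO CommandRelay [(null)] - RunAsProcess info: domain=eric-sp-1.eric user=svc-ssd
2024-01-29 14:17:11,616 [10] ERROR CommandRelay [(null)] - Invalid Domain Credentials. Logon user failed: svc-ssd, errorCode=1385
2024-01-29 14:17:11,628 [10] ERROR CommandRelay [(null)] - Invalid domain creds detected, Exception=Delinea.CommandRelay.Common.LogonException: Invalid Domain Credentials. Logon user failed: svc-ssd, errorCode=1385
2024-01-29 14:20:02,001 [10] ERROR CommandRelay [(null)] - Invalid Domain Credentials. Logon user failed: svc-other, errorCode=1326
EOF
}

# Usage: sh triage_relay_log.sh /path/to/copied/CommandRelay/log
if [ $# -eq 1 ]; then
    triage_logon_failures "$1"
fi
```

Run it against a copy of the detailed log from C:\ProgramData\Delinea\CommandRelay\Logs; one line per account and code is enough to tell a permissions problem (1385) from a bad or expired password.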

IWA Doesn't Work When Installing Connector

Issue:

When you deploy the Delinea Connector on a host, Integrated Windows Authentication (IWA) between the host and the platform fails. The host name also appears truncated everywhere it is shown in the Delinea Platform UI; for example, in the inventory and in the list of engines.

Cause:

The host computer's name is longer than the 15-character maximum for a Windows NetBIOS name. The PowerShell script supplied in Generating a Self-Signed Delinea Connector IWA Host Certificate uses the truncated NetBIOS name and therefore resolves the wrong DNS name for the machine when generating the certificate.

Resolution:

  1. Rename the host computer with a name that is no more than 15 characters long.

  2. Generate a new certificate for the host.

  3. Remove the host from enrollment with IWA identity services.

  4. Force removal of all data.

  5. Re-enroll the host with the identity services provider using the new host name.

Secret Server

This section gives solutions for issues related to Secret Server.

Distributed Engine Not Working

Issue:

The Secret Server Distributed Engine is not working.

Resolution:

  • Check whether the Engine has been activated.

  • Check that the Windows clock on the machine running the engine is correct; authentication fails when the clock drifts too far from the domain's time.

Privilege Control for Servers Agent

This section gives solutions for issues related to the PCS Agent.

Increasing the Log File Detail Level

To turn on debugging for Linux agents, run the following commands as the root user:

  • /usr/share/centrifydc/bin/addebug set cloud.object TRACE

  • /usr/share/centrifydc/bin/addebug on

Logs are located in /var/log/centrifydc.log.

To turn off debugging, run the following command as the root user:

/usr/share/centrifydc/bin/addebug off

Turning On Debugging for SSHD

To turn on debugging for the sshd server:

Run ps -ef | grep sshd to find out whether you are using CentrifyDC-openssh or system stock sshd.

If you are using CentrifyDC-openssh:

  1. Add LogLevel DEBUG3 in the configuration file /etc/centrifydc/ssh/sshd_config.

  2. Restart the server by running this command as the root user:

    systemctl restart centrify-sshd

If you are using system stock sshd:

  1. Add LogLevel DEBUG3 in the configuration file /etc/ssh/sshd_config.

  2. Restart the server by running this command as the root user:

    systemctl restart sshd

    Or, on Ubuntu/Debian:

    systemctl restart ssh

Collecting Debugging Information

To collect debug info for the Delinea support team to investigate an issue:

  1. Turn on debugging for Linux agent and sshd.

  2. Reproduce the issue.

  3. Run the following command as the root user:

    adinfo -t

Provide the /var/centrify/tmp/adinfo_support.tar.gz file to the Delinea support team for their investigation.

Frequently Asked Questions

Question: My AD forest has multiple domains, so will each domain have a DelineaZone created?

Answer: No, there will be only one DelineaZone created in the forest when you deploy the very first Engine Pool in the forest.

Session Recording Stops Linux Agent Login

Issue:

Cannot log in to a Linux agent after enabling Session Recording in a Granular Privilege Elevation policy for Linux (see Policy Details).

Cause:

The Linux agent requires DirectAudit to be enabled on the agent when a policy has session recording enabled.

Resolution:

Enable DirectAudit on the Linux agent by following the steps in Step 11: Set Up Audit and Session Recording.

AD User Can't Log In on Linux

Issue:

An AD user can't log in to a domain-joined Linux machine.

Resolution:

You will need a root shell for the following steps.

Suppose the user's AD user name is tom@acme.com.

  1. Verify whether the AD user is visible on the Linux machine by running the following command in your root shell:

    adquery user tom@acme.com

    If the output is "tom@acme.com is not a zone user", verify whether the Command Relay has successfully deployed the policy.

  2. Verify whether the AD user has login permissions by running the following command in your root shell:

    dzinfo --roles tom@acme.com

    Example output:

    User: tom

    Forced into restricted environment: No
    MFA Service authentication: Supported
    Privileged commands:
    Name             Avail Command               Source Roles
    ---------------  ----- --------------------  --------------------
    __pe_sys_6240d3  No    *                     Mansion-Grove-Elevat
    33-6256-4221-9a                              ion/DelineaZone
    23-39bfc381202c
    /DelineaZone
    __pe_6240d333-6  No    *                     Mansion-Grove-Elevat
    256-4221-9a23-3                              ion/DelineaZone
    9bfc381202c/Del
    ineaZone
    ...
    ...

  3. If you don’t see Password login and Non password login in the Effective rights, verify whether the Command Relay has successfully deployed the policy.

  4. It can take up to 30 minutes before the Linux agent refreshes the latest authentication and authorization information from AD after the policy deployment. To force a refresh, you can run:

    adflush -f

  5. If the adquery and dzinfo commands show the expected result, contact Delinea support. Provide the information described in Collecting Debugging Information.

AD User Can't Run dzdo on Linux

Issue:

An AD user can't run dzdo commands on a domain-joined Linux machine.

Resolution:

You will need a root shell for the following steps.

Suppose the user's AD user name is tom@acme.com.

  1. Verify whether the AD user has privileged command rights by running the following command in your root shell:

    dzinfo --commands tom@acme.com

    Example output:

    User: tom

    Forced into restricted environment: No
    MFA Service authentication: Supported
    Privileged commands:
    Name             Avail Command               Source Roles
    ---------------  ----- --------------------  --------------------
    __pe_sys_6240d3  No    *                     Mansion-Grove-Elevat
    33-6256-4221-9a                              ion/DelineaZone
    23-39bfc381202c
    /DelineaZone
    __pe_6240d333-6  No    *                     Mansion-Grove-Elevat
    256-4221-9a23-3                              ion/DelineaZone
    9bfc381202c/Del
    ineaZone
    ...
    ...
  2. If you don’t see anything in Privileged commands, verify whether the Command Relay has successfully deployed the policy.

  3. It can take up to 30 minutes before the Linux agent refreshes the latest authentication and authorization information from AD after the policy deployment. To force a refresh, you can run:

    adflush -f

  4. If the Connector appears Active under Settings > Connectors but you see the error message "Unable to communicate with the Delinea Platform", you can ignore the message.

  5. If the dzinfo command shows the expected result, contact Delinea support. Provide the information described in Collecting Debugging Information.
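The checks in the two procedures above (is the user a zone user, and does dzinfo list any privileged commands) are easy to script. The following is an added example, not Delinea's own tooling, that runs the same adquery and dzinfo checks and interprets their output. The parsing functions read captured command output on stdin, so they can be exercised without an agent; the embedded sample is the dzinfo --commands output shown above, whose long right names wrap onto continuation lines, so the parser counts only lines whose Avail column reads Yes or No. Run triage_user as root on the agent; tom@acme.com is the page's placeholder user.

```shell
#!/bin/sh
# Added example, not part of the Delinea product: triage an AD user's login
# and dzdo rights on a Delinea-joined Linux host.
set -u

# is_zone_user: reads `adquery user <name>` output on stdin; false when adquery
# reports "<name> is not a zone user" (the policy has not reached this host).
is_zone_user() {
    ! grep -q 'is not a zone user'
}

# privileged_command_rows: reads `dzinfo --commands <name>` output on stdin and
# prints "<name> <Avail>" per row of the "Privileged commands:" table. Long names
# wrap onto continuation lines; only lines whose second column is Yes/No are real
# rows, the rest are wrapped fragments, the header, the dashes or "...".
privileged_command_rows() {
    awk '
        /^[ \t]*Privileged commands:/           { intable = 1; next }
        intable && ($2 == "Yes" || $2 == "No")  { print $1, $2 }
    '
}

# count_privileged_commands: stdin as above -> "<rows> <rows with Avail = Yes>"
count_privileged_commands() {
    privileged_command_rows | awk '{ n++; if ($2 == "Yes") y++ } END { print n + 0, y + 0 }'
}

# triage_user <user@domain>: live checks, run as root on the agent
triage_user() {
    user=$1
    command -v adquery >/dev/null 2>&1 || { echo "adquery not found: is the agent installed?"; return 2; }
    if ! adquery user "$user" 2>&1 | is_zone_user; then
        echo "$user is not a zone user: check that Command Relay deployed the policy, then run 'adflush -f' (refresh can take up to 30 minutes)"
        return 1
    fi
    set -- $(dzinfo --commands "$user" | count_privileged_commands)
    echo "$user: $1 privileged command right(s), $2 currently available"
    if [ "$1" -eq 0 ]; then
        echo "no privileged commands: verify policy deployment; 'adflush -f' forces a refresh"
        return 1
    fi
}

# sample_dzinfo_output: the dzinfo --commands output shown on this page
sample_dzinfo_output() {
    cat <<'EOF'
User: tom
Forced into restricted environment: No
MFA Service authentication: Supported
Privileged commands:
Name             Avail Command               Source Roles
---------------  ----- --------------------  --------------------
__pe_sys_6240d3  No    *                     Mansion-Grove-Elevat
33-6256-4221-9a                              ion/DelineaZone
23-39bfc381202c
/DelineaZone
__pe_6240d333-6  No    *                     Mansion-Grove-Elevat
256-4221-9a23-3                              ion/DelineaZone
9bfc381202c/Del
ineaZone
...
EOF
}

# Usage (as root on the agent): sh triage_user.sh tom@acme.com
if [ $# -eq 1 ]; then
    triage_user "$1"
fi
```

On the page's sample the script reports two rights, neither currently available; if it reports zero rights, or adquery says the user is not a zone user, the policy has not reached the host and the next step is the Command Relay, not the agent.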

Useful Commands and Tips for AD Client on *nix

This section provides suggestions for commands and techniques you can use to help troubleshoot issues with Active Directory on machines that run on UNIX, Linux, or another supported operating system derived from UNIX/Linux.

Looking Up Basic Information

(For *nix only)

  • To check the general status of the client:

    $ adinfo

  • To see the current domain controller the client is using:

    $ adinfo --server

  • To see the current domain the agent is joined to:

    $ adinfo --domain

  • To see whether the agent is connected to AD or in offline mode:

    $ adinfo --mode

  • To see the version of the installed client:

    $ adinfo --version

  • To see the corresponding Delinea PCS version:

    $ adinfo --suite-version

  • To view Active Directory connectivity to the current domain:

    $ adinfo --test

  • To view the current Active Directory site:

    $ adinfo --site

  • To see the current joined Delinea zone:

    $ adinfo --zone

    Or, in distinguishedName format:

    $ adinfo --zonedn

More Detailed Troubleshooting Information

(For *nix only)

This section describes how to get specialized or more-detailed information to help troubleshoot issues.

DNS
  • To check for the "joined-as" name (the local host name and joined-as name might be different):

    $ adinfo --name

  • To check the status of the DNS cache and stats:

    $ adinfo --diag dns

Connectivity
  • To check connectivity with an AD domain:

    $ adinfo --test [domain.name]

  • To check network connectivity statistics:

    $ adinfo --sysinfo netstate

  • To test connectivity with a specific domain controller:

    $ adinfo -T --servername [domain.controller.name]

Active Directory
  • To see the current AD Global Catalog: 

    $ adinfo --gc

  • To see the domain/forest map:

    $ adinfo --sysinfo domain

  • To see the status of the AD computer trust relationship:

    $ adinfo --sysinfo adagent

Configuration
  • To parse the contents of the centrifydc.conf file:

    $ adinfo --config

  • To show the client's in-memory configuration parameters:

    $ adinfo --sysinfo config

Microsoft Kerberos
  • To view Kerberos information like supported encryption types, key version and registered SPNs:

    $ adinfo --computer

  • For PKI, adcert is the Delinea Microsoft PKI client; see Auto-Enrolling PKI Certificates.

Auto-Enrolling PKI Certificates

(For *nix only)

Auto-enrolling computer PKI certificates requires an eligible certificate template and network connectivity to the certificate authority. Use one of the following techniques.

  • Using the computer object to authenticate:

    $ dzdo /usr/share/centrifydc/sbin/adcert --enroll --machine
  • Using a user to authenticate (substitute the user name for [ADusername]):

    $ dzdo /usr/share/centrifydc/sbin/adcert --enroll --user [ADusername]

To test a user's password:

  1. Run the following command (substitute the user name for [username]):

    $ adinfo -A --user [username]
  2. When prompted, enter the user's password. Expected output:

    Password for user "username" is correct

Dynamic DNS

(For *nix only)

This section shows some useful commands using addns, a dynamic DNS client for AD DNS or RFC 2136-compliant servers.

  • To renew DNS using machine credentials:

    $ sudo addns --update --machine
  • To renew DNS using user credentials:

    $ sudo addns --update --user [ADusername]
  • To renew DNS only on a specific interface (for example, eth0):

    $ sudo addns --update --machine --interface eth0

Querying AD Users and Groups

(For *nix only)

This section shows some useful commands using adquery, which provides information about Active Directory users and groups that are UNIX-enabled by Delinea Platform.

  • To view all UNIX-enabled users:

    $ adquery user

    In Express mode, this command shows all AD users. In Zone mode, it shows only authorized users.

  • To view all UNIX-enabled groups:

    $ adquery group 

    In Express mode, this command shows all AD groups. In Zone mode, it shows only UNIX-enabled groups.

  • To view a user's entry in UNIX passwd file style:

    $ adquery user [username]
  • To view a group entry in UNIX group file style:

    $ adquery group [groupname]
  • To view only the user or group's AD group memberships:

    $ adquery user [user] --adgroup
  • To view all information about a user or group, including AD object attributes:

    $ adquery user|group [user or group] -A
  • To view the distinguished name of a user or group:

    $ adquery user|group [user or group] --dn
  • To view all information and include password expiration, account lockout/enabled state:

    $ sudo adquery user [user] -A
  • To view information about a computer account (the trailing $ is part of the computer account name):

    $ adquery user [computername]$ -A
  • To get results from cache instead of fetching from AD:

    $ adquery user|group [options] --cache-first

Delinea Cache Commands

(For *nix only)

This section shows some useful commands using adflush, which clears the Delinea caches on the local computer (dc, gc, credential, and dns).

  • To flush the authorization cache:

    $ dzdo adflush --auth
  • To rebind and force a new DC selection:

    $ dzdo adflush --bindings
  • To flush the DNS cache:

    $ dzdo adflush --dns
  • To expire the information from domain controllers and global catalogs:

    $ dzdo adflush --expire
  • To force complete removal/expiration even when disconnected:

    Use this command with care.
    $ dzdo adflush --force
  • To refresh the krb5.conf file:

    $ dzdo adflush --trusts
  • To clear the health history:

    $ dzdo adflush --health
  • To clear the cloud connectors (when MFA is being used):

    $ dzdo adflush --connectors

Group Policy Commands

(For *nix only)

This section shows some useful commands related to group policies.

The following commands use adgpupdate, which triggers an immediate group policy refresh instead of waiting for the refresh interval.

  • To refresh the GPOs in the system:

    $ adgpupdate
  • To refresh only computer GPOs:

    $ adgpupdate --target Computer
  • To refresh only user GPOs:

    $ adgpupdate --target User

The following commands use adgpresult to view an RSoP (resultant set of policy) report for the local system or user.

  • To view the report for computer and user:

    $ adgpresult
  • To view the report for the computer:

    $ adgpresult --computer
  • To view the report for the current user:

    $ adgpresult --user
  • To view the report for a particular user:

    $ dzdo adgpresult --user [user.name]

Joining Active Directory (adjoin)

(For *nix only)

This section shows some useful commands using adjoin, which joins an Active Directory domain.

To run adjoin, you need the following:

  • Permission level of root or sudo

  • Credentials (or the keytab) of an AD user that can join computers to a container (not the Domain Admin user)

  • Distinguished Name of the container that you will place the system in AD; for example, "ou=servers,ou=unix"

  • Domain name of the domain you are joining

  • Clear network path to the AD domain controller (DC) or DCs you are using (dns, global catalog, kerberos, ldap, cifs, ntp)

Following are some useful ways to use adjoin:

  • To join AD in workstation/express mode (AD user must be able to add computers to "ou=workstations,ou=unix"):

    $ sudo adjoin --workstation --container "ou=workstations,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
  • To join AD in Self-Service mode (before running this command, the AD/Delinea administrator must pre-create the computer object using Access Manager or the Delinea PowerShell cmdlets):

    $ sudo adjoin --selfserve [domain.name]
  • To join AD in zone mode (for example, Global zone):

    $ sudo adjoin --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
  • To join AD in zone mode without initializing (pre-caching):

    $ sudo adjoin --noinit --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
  • To join AD and trust the computer for delegation:

    Use this command only if you have the expertise. This command has security implications.
    $ sudo adjoin --trust --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
  • To join AD in workstation mode and specify a workstation license:

    $ sudo adjoin --licensetype "workstation" --workstation --container "ou=workstations,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
  • To use a specific domain controller to join (for example, dc1.hq.fabrikam.com):

    $ sudo adjoin --server dc1.hq.fabrikam.com --zone Global --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
  • To join a Mac in workstation mode and instruct Delinea to use the Apple algorithm to generate UID/GID scheme:

    $ sudo adjoin --enableAppleIDGenScheme --container "ou=macs,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
  • To join AD and provide a different AD name than the local system name (for example, adserver rather than localhost):

    $ sudo adjoin --name adserver --container "ou=servers,ou=unix" --user [AuthorizedADUser] --verbose [domain.name]
  • To join AD using keytab (kinit Authorized AD user keytab first, then run adjoin without the --user option):

    $ env KRB5_CONFIG=[/path/to/krb5.conf] /usr/share/centrifydc/kerberos/bin/kinit -kt /path/to/keytab [principal]
    $ sudo adjoin --zone Global --container "ou=servers,ou=unix" --verbose [domain.name]

What Happens When adjoin Runs Successfully

When adjoin runs successfully, it activates the DirectControl agent (adclient/ DelineaDC service), with the following effects:

  1. Creates a computer object in AD and sets SPNs for http, host, nfs, cifs, afpserver.

  2. Establishes a secure communication channel between the system and Active Directory.

  3. A forest/domain/site map is created to locate the nearest DCs.

  4. The Kerberos environment (krb5.conf, krb5.keytab) is maintained by Delinea (configurable). A backup is created.

  5. Network time is synchronized with AD DCs (configurable).

  6. The PAM (Pluggable Authentication Modules) are modified to include Delinea auth, account, password, and session modules. A backup of the previous configuration is made.

  7. The NSS (Name Service Switch) providers for users and groups default to AD first, then other methods (such as files, ldap, and so on). A backup of the previous configuration is made. On the OS X platform, the PAM/NSS functions are channeled through the Directory Services Plugin API.

  8. An Access Control Model is enforced depending on the zone mode:

    • In zone mode, authorization (RBAC) follows zone rules: defaults to closed, only authorized users can access, and enabled groups are visible.

    • In express/workstation mode, only authentication is facilitated. The system is open for all AD users, and all groups are visible.

  9. Privilege Elevation: Delinea-enhanced sudo (dzdo) becomes active based on the roles and rights defined.

  10. User and Group identity (RFC2307) data in AD is stored within the Delinea zone, not with the user or group object.

  11. The virtual registry is initialized, and group policies are enforced.

Leaving Active Directory (adleave)

(For *nix only)

This section shows some useful commands using adleave, which leaves an Active Directory domain.

To run adleave, you need the following:

  • Permission level of root or sudo

  • For the online leave command, authorized AD user credentials

Following are some useful ways to use adleave:

  • Leave the domain and disable the computer object (a disabled object is left behind in AD):

    $ dzdo adleave --user [Authorized ADUsername]
  • Leave the domain and remove computer object (frees license):

    $ dzdo adleave --user [Authorized ADUsername] --remove
  • Offline/forced leave (no AD connectivity required, must clean up in AD):

    $ dzdo adleave --force

What Happens When adleave Runs Successfully

When adleave runs successfully, it has the following effects, some of which depend on how the command was run:

  • Online with --remove: The computer object is removed from its container and from the zone (frees the license).

  • Online without --remove: The computer object is marked as disabled. It must be overwritten to rejoin.

  • Offline: The computer object is left orphaned. Clean it up in AD with a Delinea tool (Access Manager, the PowerShell cmdlets, or adedit).

  • The UNIX environment is reset and rolled back (Kerberos, PAM, NSS).

  • The Delinea adclient (DelineaDC) service is disabled.

Privilege Elevation ("dz" commands)

(For *nix only)

This section shows some useful commands using dzinfo, which displays information about the user's access controls.

  • To view self access (all):

    $ dzinfo
  • To view the properties of the role(s), including effectiveness:

    $ dzinfo --roles
  • To view how you can access the system (PAM rights):

    $ dzinfo --pam
  • To view the commands you can run:

    $ dzinfo --commands
  • To view the computer roles that apply to the system (requires privilege elevation):

    $ dzinfo --computer-role
  • To view authorization information about another user (requires privilege elevation):

    $ dzdo dzinfo [user.name]
  • To test a command against the role:

    $ dzinfo --test [path/to/binary] [options]

Delinea-enhanced sudo (dzdo)

(For *nix only)

The dzdo command is a Delinea-enhanced version of sudo that takes its command rights from Delinea zone data in AD instead of from sudoers. Otherwise it behaves like sudo.

To view version information (the 2015 release was based on sudo 1.8.10p3):

$ dzdo -V

DirectAudit Commands ("da" commands)

(For *nix only)

This section shows some useful DirectAudit commands.

The following commands use dainfo, which shows information about the status of the audit agent.

  • To view the audit agent status:

    $ dainfo
  • To view status with verbose output:

    $ dainfo --diag  (or dadiag)
  • To view contents of the configuration file:

    $ dainfo --config
  • To view audited status of another user (requires privilege elevation):

    $ dzdo dainfo --username lisa.simpson

The following commands use dacontrol, which controls the status/configuration of the DirectAudit client (requires privilege elevation).

  • To set the installation (if not set by Group Policy):

    $ dzdo dacontrol --installation [installation-name]
  • To check if the audit agent is enabled:

    $ dzdo dacontrol --query
  • To enable direct audit:

    $ dzdo dacontrol --enable
  • To disable direct audit:

    $ dzdo dacontrol --disable

Important Files and Folders

(For *nix only)

This section lists some important files and folders that you should be familiar with to successfully run and troubleshoot PCS and the Delinea Platform on UNIX/Linux.

  • In the directory /usr/share/centrifydc/ (on OS X El Capitan and later, /usr/local/share/centrifydc):

    • bin

      Contains user binaries, including Delinea-enhanced openldap tools like ldapsearch

    • sbin

      Contains system binaries, including adcert and Delinea-enhanced OpenSSH

    • samples

      Sample files for hadoop, adedit and local account management

  • In the directory /etc:

    • centrifydc

      Configuration files for the DirectControl agent (including centrifydc.conf)

    • centrifyda

      Configuration files for the DirectAudit agent

    • centrifycc

      Configuration files for the Privilege Service CLI Toolkit for AAPM

  • In the directory /etc/centrifydc:

    • openldap

      Configuration files for the Delinea-enhanced OpenLDAP proxy, if installed

    • ssh

      Configuration files for Delinea-enhanced OpenSSH

  • In the directory /var/centrifydc:

    • kset* files

      Dynamic information about the environment

    • reg

      Virtual registry which contains the computer and user hives (user GPO disabled on Servers)

  • In the directory /var/centrify:

    • net/certs

      Location of any Microsoft Certificate Authority auto-enrolled certificates, keys, and trust chain