Question:
Why do I need to set adclient.local.group.merge to true if a group exists both locally and in AD with the same UNIX group name and GID?
Answer:
When a UNIX machine is joined to AD, "getent group" will return two entries for such a group: one from AD and a second from /etc/group. Programs on different OSs handle these two entries differently. For example, "id" will loop through all entries and report every group that the user is a member of; however, some programs will stop at the first entry, which may cause inconsistencies.
Centrify has the following parameter in /etc/centrifydc/centrifydc.conf to add the local group member(s) to the AD group:
# adclient.local.group.merge: false
change to:
adclient.local.group.merge: true
Once it is uncommented and set to true, the first getent group entry (the one from AD) will also show the local members.
Then run:
# adflush -f
# adreload
What the above steps do is this: when asked about the members of a given AD group, adclient merges the members of the local group (same name and GID) into the list from AD and returns the combined list when a command like getent is issued.
Note: the "adquery group" command will not list all members of the merged group, only the AD group members.
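As an added illustration (not part of the original answer or of Centrify's tooling), the POSIX shell check below finds groups that "getent group" reports twice with the same name and GID, and verifies whether the first entry (the one seen by programs that stop after the first match) already carries every member of the later entries. The getent output is constructed sample data, not from a real system.

```shell
#!/bin/sh
# Constructed sample of "getent group" output: 'wheel' comes back twice
# (gid 10 from AD with member jdoe, gid 10 from /etc/group with member root);
# 'users' and 'audio' appear once.
SAMPLE_GETENT='wheel:x:10:jdoe
users:x:100:alice
wheel:x:10:root
audio:x:63:'

# Print the names of groups whose name+GID pair appears more than once.
# Usage: printf '%s\n' "$getent_output" | duplicate_groups
duplicate_groups() {
    awk -F: '{ key = $1 ":" $3; count[key]++; name[key] = $1 }
             END { for (k in count) if (count[k] > 1) print name[k] }' | sort
}

# For one group, compare the first entry's member list against every later
# entry. Prints "missing:<member>" for each member absent from the first
# entry, "merged" when all later members are present, "single" when the
# group appears only once, and nothing when the group is not found.
# Usage: printf '%s\n' "$getent_output" | check_merge <group>
check_merge() {
    awk -F: -v g="$1" '
        $1 == g {
            if (!seen) { first = $4; seen = 1; next }
            later = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                hay = "," first ","; needle = "," m[i] ","
                if (index(hay, needle) == 0) { print "missing:" m[i]; missing = 1 }
            }
        }
        END {
            if (seen && !later) print "single"
            else if (seen && !missing) print "merged"
        }'
}
```

With adclient.local.group.merge still false, the AD entry for wheel lacks the local member and the check reports it; after the merge takes effect the first entry contains both members and the check reports "merged".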