KB-3038: How to add an AD user into a Centrify Zone.

Product: Authentication Service
Component: Access Manager
Version: All
Solution ID: 3038
Knowledge Article Type: How To's

Knowledge Base Article Details
Question:
 
A workstation has been successfully joined to the domain in Zone Mode and the adinfo command shows that the machine is running in Connected mode:
 
# adinfo
...
CentrifyDC mode:   connected
...
 
However, the AD user is unable to log in. Running adquery on the user shows that they are not enabled for the Zone:
 
# adquery user -A username
...
zoneEnabled:false
...
 
How can the user be enabled for the Zone?
 

Answer:
 
Note: The following information and further reading can also be found:
The essential steps are as follows: 
  1. On the Windows server with the Centrify Suite installed, open the DirectManage Access Manager / DirectControl console. 
     
  2. Expand the Zone to which the computer is joined, go to UNIX Data > Users, then right-click and select "Add User to Zone".
     
     
     
    1. Search for and select the AD account to be added; the "Set UNIX User Profile" dialog appears.
       
      - The UID and primary group can be set to the desired values. For testing purposes, set a UID of 100001 and choose <auto private group> as the primary group from the dropdown. (These values can also be auto-filled from the User Defaults tab in the Zone Properties dialog.) Make sure the UID does not collide with a local account in /etc/passwd or with another profile in the Zone: two identities sharing a UID own the same files.
       
      - The UNIX User Profile must have at least the following attributes configured for it to be considered complete: 
      • Login name 
      • UID 
      • Primary group 
      • Home directory 
      • Shell

       
    2. Once the AD account has been added to the Zone, it still needs to be authorised to log in. The Login Role can be assigned to an AD group, so that the Role applies to every member of that group, or to an individual account, so that only that user can log in. 
       
      Note: An AD account must both be a member of the Centrify Zone AND hold a Login Role before it is authorised to log in to that Zone. Members of an AD group that has been assigned a Login Role, but who do not have a complete UNIX profile and have not been added to the Zone itself, will still not be able to log in to that Zone. 
       
    3. To check whether the user account has been authorised to log in to a Zone, right-click the blue globe icon of the Zone and select "Show Effective UNIX User Rights". 
       
    4. Select the desired computer from the dropdown list and check that the account shows up in the list of users below.


       
    5. Click on the "PAM Accesses" / "Rights" tab and make sure that user has the "login-all" PAM permission.
       
    6. If the account does not show up in this list, go back to the Zone tree: below the "UNIX Data" section is the "Authorization" section. Expand it and right-click "Role Assignments". 
       
    7. Select "Assign Role", select "UNIX Login", and add the AD account or AD group to the Role Assignment. Then open the "Show Effective UNIX User Rights" view again.
       
      Note: On Centrify Suite 2012 and prior, the login role was simply named "Login".
       
       
      Once the account is listed under the computer in the "Show Effective UNIX User Rights" view, it is authorised to log in to that Zone. 
       
    8. Go to a Centrify-joined workstation and, as root, flush the agent cache so that it picks up the new profile, then query the user again:

      # adflush
      # adquery user -A username

      The user output will now return as:
      ...
      zoneEnabled:true
      ...
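The following is an added example, not code from the Centrify article: a small check to run on the joined workstation, fed with the output of the adquery command from step 8, that reports whether the user is zone-enabled and whether the five profile attributes from step 1 are all present. Apart from zoneEnabled, which the article shows, the attribute names it looks for (unixname, uid, gid, home, shell) are assumed from typical adquery output and may need adjusting for your agent version. The two sample dumps are constructed, not captured from a real system.

```shell
# Added example (not from the Centrify KB). Usage on a joined host:
#   adquery user -A username | check_zone_profile
# Assumption: attribute names other than zoneEnabled follow typical
# `adquery user -A` output (unixname, uid, gid, home, shell).

# Print the value of attribute $2 from the adquery dump in $1; empty if absent.
# adquery prints key:value with no space after the colon.
attr_value() {
    printf '%s\n' "$1" | sed -n "s/^$2:\(.*\)$/\1/p" | head -n 1
}

# Read an adquery dump on stdin. Return 0 when the UNIX profile is complete
# and the user is zone-enabled; otherwise print what is wrong and return 1.
check_zone_profile() {
    dump=$(cat)
    rc=0
    # the five attributes a profile needs before Centrify treats it as complete
    for key in unixname uid gid home shell; do
        if [ -z "$(attr_value "$dump" "$key")" ]; then
            echo "missing: $key (set it in the UNIX User Profile)"
            rc=1
        fi
    done
    case "$(attr_value "$dump" zoneEnabled)" in
        true) ;;
        *)  echo "zoneEnabled is not true (user not added to the Zone, or adflush not run yet)"
            rc=1 ;;
    esac
    return $rc
}

# Constructed sample dumps, not real adquery output.
# 1) the user exists in AD but has no profile in this Zone
SAMPLE_BEFORE='samAccountName:jdoe
zoneEnabled:false'
# 2) the same user after "Add User to Zone" and adflush
SAMPLE_AFTER='samAccountName:jdoe
unixname:jdoe
uid:100001
gid:100001
home:/home/jdoe
shell:/bin/bash
zoneEnabled:true'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | check_zone_profile; then
        echo "ready: profile complete and zone-enabled"
    else
        echo "not ready: fix the items above in Access Manager, then run adflush"
    fi
done
```

A zoneEnabled:true result only covers the profile half of the requirement from step 2; the Login Role is a separate assignment, which is what the "Show Effective UNIX User Rights" view in the console confirms (on the agent itself, `dzinfo username` lists the user's effective roles and PAM rights).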
Solution Creator: Brian Lau