
KB-11881: Provisioned unix group not showing all users using adquery group -m <GROUPNAME>

Authentication Service ,   Privileged Access Service ,   Privilege Elevation Service ,  

20 March,19 at 04:13 PM

Problem: A specific, fully provisioned account is not listed as a member of a provisioned UNIX group by "adquery group", although it is listed as a member of the associated AD group. "adquery user" does show the user as a member of both the UNIX group and the AD group.

In the Centrify debug log, the following warning appears after running "adobjectrefresh -g <groupname>" to rebuild that group's membership in the cache:

base.zonehir Warning: User CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=xxxxx,DC=com  zone object is connected to old SID: X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX

This warning, and the associated group/role membership problem, occur because the Centrify UNIX profile is associated with an AD account SID that no longer matches the SID of the current AD user object.
This usually happens when an AD account is deleted when an employee leaves the company and an account with the same AD name is created when the employee is rehired. The new AD account has a new SID, which does not match the SID stored in the Service Connection Point in the zone that holds that account's Centrify UNIX profile.
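To find every affected profile rather than one at a time, the debug log can be scanned for the warning shown above. The script below is an added example, not part of this KB or of Centrify's tooling: it assumes the warning keeps the format quoted above ("Warning: User <DN>  zone object is connected to old SID: <SID>") and works on constructed sample log lines, printing one "DN|old SID" pair per affected user so the administrator knows which profiles to re-provision.

```shell
#!/bin/sh
# Added example (not from the KB or Centrify): list users whose zone profile is
# tied to a stale SID, based on the "connected to old SID" warning format.

# Constructed sample log lines (placeholder DNs and SIDs, not real data).
SAMPLE_LOG='base.zonehir Warning: User CN=jdoe,OU=Users,OU=Corp,DC=example,DC=com  zone object is connected to old SID: S-1-5-21-1111111111-2222222222-3333333333-1105
base.bind Info: unrelated message that must be ignored
base.zonehir Warning: User CN=asmith,OU=Users,OU=Corp,DC=example,DC=com  zone object is connected to old SID: S-1-5-21-1111111111-2222222222-3333333333-1187
base.zonehir Warning: User CN=jdoe,OU=Users,OU=Corp,DC=example,DC=com  zone object is connected to old SID: S-1-5-21-1111111111-2222222222-3333333333-1105'

# stale_sid_users: read a debug log on stdin and print "DN|old SID" for each
# distinct stale-SID warning (duplicate warnings for the same user collapse).
stale_sid_users() {
    sed -n 's/^.*Warning: User \(CN=[^ ]*\)[[:space:]]*zone object is connected to old SID: \([S0-9-]*\).*$/\1|\2/p' | sort -u
}

# count_stale_sid_users: number of distinct affected users in the given log file.
count_stale_sid_users() {
    stale_sid_users < "$1" | wc -l | tr -d ' '
}

# Usage: run with --demo to scan the constructed sample, or pipe a real
# Centrify debug log into stale_sid_users.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | stale_sid_users
fi
```

Each line of output names a profile that will need the delete-and-re-provision steps below; the old SID is kept in the output so it can be compared against the SID of the current AD object before anything is deleted.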

To resolve this, remove the existing provisioned user from the zone and then re-provision the user so that the profile is associated with the correct SID.

1. In the Access Manager Console, go to the "users" section of the zone.
2. Take a screenshot of the user's profile so it can be re-provisioned with the same profile information.
3. Right-click and delete the profile for the user.
4. Refresh to ensure the profile is gone.
5. Re-provision the user using the information in the screenshot.
6. On the Linux system in the zone, run both of the following as root:

adobjectrefresh -u <username>
adobjectrefresh -g <groupname>

7. Re-run "adquery group -m <groupname>" to verify that the user is now present.