Privileged Access Service, Authentication Service, Privilege Elevation Service
Centrify Infrastructure Services
The user does not appear when using "adquery group -m" (show UNIX users) but does appear when using "adquery group -a" (show AD users), so adclient sees that the user's AD account is part of the group but NOT its associated UNIX profile.
Problem: A specific fully provisioned account is not seen as a member of a provisioned UNIX group, but it is seen as a member of the associated AD group when using "adquery group". "adquery user" does show that the user is a member of both the UNIX group and the AD group.
In the Centrify debug log the following warning appears after running "adobjectrefresh -g <groupname>" to initiate the rebuild of that group's membership in the cache: base.zonehir Warning: User CN=xxxxx,OU=xxxxx,OU=xxxxx,DC=xxxxx,DC=com zone object is connected to old SID: X-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXXX
Background: This error and the associated group/role membership issue occur because the Centrify UNIX profile is associated with an AD account SID that no longer matches the current SID of the AD user object. This usually happens when an AD account is deleted because an employee leaves the company and an account with the same AD name is recreated when the employee is rehired. The new AD account has a new SID that does not match the SID stored in the Service Connection Point in the zone that holds that account's Centrify UNIX profile.
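As an added example (not part of the Centrify article), a small Python parser that scans adclient debug output for the "zone object is connected to old SID" warning quoted above and reports the affected profile DN and stale SID, plus a helper that compares the "adquery group -a" and "adquery group -m" member lists. The log lines, account names and SIDs below are constructed.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of adclient debug output. Only the "zonehir Warning" text
# mirrors the real message; hostnames, DN and SID are placeholders.
SAMPLE_LOG = """\
Jan 10 09:12:01 host01 adclient[2345]: DEBUG base.zonehir Refreshing group unixadmins
Jan 10 09:12:01 host01 adclient[2345]: WARN base.zonehir Warning: User CN=jdoe,OU=Staff,OU=Corp,DC=example,DC=com zone object is connected to old SID: S-1-5-21-1111111111-2222222222-3333333333-1105
Jan 10 09:12:02 host01 adclient[2345]: DEBUG base.zonehir Group refresh complete
"""

# DN runs from "User " up to " zone object"; SID is S-<rev>-<auth>[-subauth...].
OLD_SID_RE = re.compile(
    r"zonehir Warning: User (?P<dn>CN=.+?) zone object is connected to old SID: "
    r"(?P<sid>S-\d+(?:-\d+)+)"
)


def find_stale_sid_profiles(log_text: str) -> List[Dict[str, str]]:
    """Return one record per distinct (DN, old SID) pair found in the log.

    Each record names the UNIX profile whose stored SID no longer matches the
    live AD object, i.e. the profile the article says must be re-provisioned.
    """
    seen = set()
    findings = []
    for line in log_text.splitlines():
        m = OLD_SID_RE.search(line)
        if not m:
            continue
        key = (m.group("dn"), m.group("sid"))
        if key in seen:
            continue
        seen.add(key)
        cn = m.group("dn").split(",")[0][len("CN="):]
        findings.append({"dn": m.group("dn"), "cn": cn, "sid": m.group("sid")})
    return findings


def missing_unix_profiles(ad_members: Iterable[str], unix_members: Iterable[str]) -> List[str]:
    """Accounts listed by 'adquery group -a' but absent from 'adquery group -m'.

    Both inputs are plain member-name lists (assumed one name per entry).
    """
    return sorted(set(ad_members) - set(unix_members))
```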
Resolution: To resolve this issue, remove the existing provisioned user from the zone and then re-provision the user so that the profile is associated with the correct SID.
1. In the Access Manager Console, go to the "Users" section of the zone.
2. Take a screen shot of the profile for the user so it can be re-provisioned with the same profile information.
3. Right-click and delete the profile for the user.
4. Refresh to ensure the profile is gone.
5. Re-provision the user using the information in the screen shot.
6. On the Linux system in the zone, run both of the following as root:
   adobjectrefresh -u <username>
   adobjectrefresh -g <groupname>
7. Rerun the "adquery group -m <groupname>" command to verify that the user is now present.