KB-1405: Why do I need to set adclient.local.group.merge to true if group exists both locally & in AD ?

Centrify DirectControl

12 April,16 at 10:57 AM

Applies to: DirectControl 4.0.0 & above

Question:

Why do I need to set adclient.local.group.merge to true if a group exists both locally and in AD with the same Unix group name and GID?

Answer:

When a Unix machine is joined to AD, "getent group" will return two entries for such a group: one from AD and a second from /etc/group. Programs on different operating systems handle these two entries differently. For example, "id" loops through all entries and reports every group the user is a member of, whereas some programs stop at the first entry, which can cause inconsistencies.

Centrify has the following parameter in /etc/centrifydc/centrifydc.conf to add local group member(s) to the AD group.

# adclient.local.group.merge: false  

change to:

adclient.local.group.merge: true

Once it is uncommented and set to true, the first getent group entry (the one from AD) will also show the local members.

Then run,

# adflush -f
# adreload 

What all of the above steps do is this: when asked about the members of a given AD group, adclient merges the members of the local group with the same name and GID into the list from AD, and returns the combined list when a command like getent is issued.

Note: the "adquery group" command will not list all members of the merged group; it lists only the AD group members.
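As an added example (not part of this article or of Centrify's tooling), the following POSIX shell helpers let an administrator see which groups are affected before changing the setting: one scans "getent group" output for the duplicate name/GID condition described above and shows the members spread across the duplicate entries, the other checks whether centrifydc.conf already has the merge parameter uncommented and set to true. The getent output below is constructed sample data.

```shell
#!/bin/sh
# Constructed sample of "getent group" output on an AD-joined host, where the
# AD entry for "devops" (one member) precedes the /etc/group entry (two local
# members) with the same name and GID.
SAMPLE_GETENT='root:x:0:
devops:x:5000:alice
devops:x:5000:bob,carol
wheel:x:10:root'

# find_duplicate_groups: read getent-group-style lines on stdin and print
# "name:gid:members" for every name+GID pair that appears more than once,
# with the members of all duplicate entries joined together. A tool that
# stops at the first entry would only see the first entry's members.
# Usage on a live host:  getent group | find_duplicate_groups
find_duplicate_groups() {
    awk -F: '
    {
        key = $1 ":" $3
        count[key]++
        if ($4 != "") members[key] = (members[key] == "" ? $4 : members[key] "," $4)
    }
    END {
        for (k in count) if (count[k] > 1) print k ":" members[k]
    }' | sort
}

# merge_enabled: return 0 if the given centrifydc.conf contains an
# uncommented "adclient.local.group.merge: true" line, 1 otherwise. The
# shipped default "# adclient.local.group.merge: false" counts as disabled.
# Usage:  merge_enabled /etc/centrifydc/centrifydc.conf
merge_enabled() {
    grep -Eq '^[[:space:]]*adclient\.local\.group\.merge[[:space:]]*:[[:space:]]*true[[:space:]]*$' "$1"
}
```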
