
KB-15261: Cannot login to server with a restricted shell

Authentication Service

18 June, 19 at 02:43 PM

A user has been assigned a Role Definition that has a restricted shell. When the user tries to log in, the login fails: the user either gets errors or is simply taken back to the main login page. Why does this happen?

A restricted shell in Centrify is meant to restrict the commands a user can run. However, during the login process, commands are run without the user's knowledge in order to set up the user's environment. If the restricted shell does not allow one of those commands, the login itself fails.

To find out which commands are being run and denied by the restricted shell, a technician or administrator must enable debug logging to see what is happening during login.

Please see the following article that has the instructions on enabling debug logging:

KB-0062: How to Collect Debug Logs from a DirectControl Agent

Once the issue has been reproduced and the logs have been gathered, there should be some lines in the logs that look like the following:

-dzsh[9910]: INFO  AUDIT_TRAIL|Centrify Suite|dzsh|1.0|3|dzsh command execution denied|5|user=clyde pid=9910 utc=1559251809758 centrifyEventID=33003 DASessID=N/A DAInst=DefaultInstallation1 status=DENIED service=dzsh command=/usr/bin/env reason=sam checking returned false, user is not allowed to use this command or runas MfaRequired=false

The status=DENIED and command=/usr/bin/env fields show that the command being blocked is /usr/bin/env. Every command that appears in such a denied AUDIT_TRAIL line must be permitted for the login to succeed.
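The following is an added example (not Centrify's code) that pulls the denied dzsh commands out of debug log lines so the full list of commands to add to the role definition can be read off in one pass. The first sample line is the one quoted above; the other sample lines, including the status value on the allowed line, are constructed for illustration.

```python
import re

# AUDIT_TRAIL records are pipe-delimited; the last field holds space-separated
# key=value pairs. A value may itself contain spaces (e.g. the reason= field),
# so a value runs until the next " key=" token or the end of the line.
KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Constructed sample log excerpt: line 1 is the record quoted in the article,
# lines 2-4 are made up for the example (the "ALLOWED" status is an assumption).
SAMPLE_LOG = [
    "dzsh[9910]: INFO  AUDIT_TRAIL|Centrify Suite|dzsh|1.0|3|dzsh command execution denied|5|"
    "user=clyde pid=9910 utc=1559251809758 centrifyEventID=33003 DASessID=N/A "
    "DAInst=DefaultInstallation1 status=DENIED service=dzsh command=/usr/bin/env "
    "reason=sam checking returned false, user is not allowed to use this command or runas MfaRequired=false",
    "dzsh[9910]: INFO  AUDIT_TRAIL|Centrify Suite|dzsh|1.0|3|dzsh command execution denied|5|"
    "user=clyde pid=9910 utc=1559251809901 centrifyEventID=33003 DASessID=N/A "
    "DAInst=DefaultInstallation1 status=DENIED service=dzsh command=/usr/bin/id "
    "reason=sam checking returned false, user is not allowed to use this command or runas MfaRequired=false",
    "dzsh[9910]: INFO  AUDIT_TRAIL|Centrify Suite|dzsh|1.0|3|dzsh command execution allowed|5|"
    "user=clyde pid=9910 utc=1559251810012 centrifyEventID=33002 DASessID=N/A "
    "DAInst=DefaultInstallation1 status=ALLOWED service=dzsh command=/bin/ls MfaRequired=false",
    "adclient[1234]: DEBUG <fd 12> daemon.main: not an audit trail record",
]


def parse_audit_trail(line):
    """Return the key/value fields of one AUDIT_TRAIL line, or None if it is not one."""
    if "AUDIT_TRAIL|" not in line:
        return None
    fields = line.split("|")
    # Fields: prefix+AUDIT_TRAIL, product, service, version, event type,
    # event name, severity, key=value string
    if len(fields) < 8:
        return None
    record = dict(KV_RE.findall(fields[-1]))
    record["_event"] = fields[5]
    return record


def denied_commands(lines):
    """Collect (user, command) pairs for every dzsh execution that was denied."""
    denied = []
    for line in lines:
        rec = parse_audit_trail(line)
        if rec and rec.get("service") == "dzsh" and rec.get("status") == "DENIED":
            denied.append((rec.get("user"), rec.get("command")))
    return denied


def commands_to_add(lines):
    """Sorted, de-duplicated list of command paths that need a command right."""
    return sorted({cmd for _, cmd in denied_commands(lines)})
```

Run it against the collected debug log and feed the output of commands_to_add() into the steps below; a login usually needs several such commands, not just /usr/bin/env.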

To resolve this issue, the command must be added to the role definition. The steps to do this are below:

1) Go to Access Manager, expand the zone, then Authorization > UNIX Right Definitions > Commands, right-click and choose "New Command".

2) Give the command definition a name, description, etc. and specify the path to the command (for the example above, /usr/bin/env).

3) Although it is set by default, make sure "Can be used in a restricted role" is checked on the Restricted Shell tab.

4) Once the command definition has been built, add this command to the Role Definition that specifies the restricted shell. Right-click the Role Definition and choose "Add right".

5) Then add the command right that has just been created.

6) Run the adflush -f command on the server in question so the agent picks up the updated role, and the user should now be able to log in. If the login still fails, check the debug logs again: a further command may be denied after the first one is permitted, and each denied command must be added in the same way.