A user has been assigned a Role Definition that uses a restricted shell. When the user tries to log in, the login fails: the user either gets errors or is simply returned to the login page. Why does this happen?
Cause:
A restricted shell in Centrify is meant to restrict the commands a user can run. However, during the login process, commands are run without the user's knowledge in order to set up the user's environment, and the restricted shell can deny those as well.
Solution:
To find which commands are being run and denied by the restricted shell, a technician or administrator must enable debug logging to see what happens during login.
Please see the following article that has the instructions on enabling debug logging:
KB-0062: How to Collect Debug Logs from a DirectControl Agent
Once the issue has been reproduced and the logs have been gathered, there should be lines in the logs that look like the following:
-dzsh: INFO AUDIT_TRAIL|Centrify Suite|dzsh|1.0|3|dzsh command execution denied|5|user=clyde pid=9910 utc=1559251809758 centrifyEventID=33003 DASessID=N/A DAInst=DefaultInstallation1 status=DENIED service=dzsh command=/usr/bin/env reason=sam checking returned false, user is not allowed to use this command or runas MfaRequired=false EntityName=ocean.net
Here the command being blocked is /usr/bin/env.
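When a login produces many denials, reading them by hand is error-prone. The following parser is an added example, not part of this article or the Centrify product: it picks the dzsh AUDIT_TRAIL lines out of a debug log and lists every denied command together with the users affected, so the complete set can be added to the role definition in one pass. The sample log lines are constructed here (modelled on the line above); the header field names such as vendor and product are my own labels for the pipe-separated positions, and the value of reason= is kept whole even though it contains spaces and commas.

```python
import re

# Constructed sample lines modelled on the dzsh AUDIT_TRAIL format shown above.
SAMPLE_LOG = """\
May 30 21:30:08 host1 cron[4242]: (root) CMD (run-parts /etc/cron.hourly)
May 30 21:30:09 host1 adclient[9901]-dzsh: INFO AUDIT_TRAIL|Centrify Suite|dzsh|1.0|3|dzsh command execution denied|5|user=clyde pid=9910 utc=1559251809758 centrifyEventID=33003 DASessID=N/A DAInst=DefaultInstallation1 status=DENIED service=dzsh command=/usr/bin/env reason=sam checking returned false, user is not allowed to use this command or runas MfaRequired=false EntityName=ocean.net
May 30 21:30:09 host1 adclient[9901]-dzsh: INFO AUDIT_TRAIL|Centrify Suite|dzsh|1.0|3|dzsh command execution denied|5|user=clyde pid=9911 utc=1559251809812 centrifyEventID=33003 DASessID=N/A DAInst=DefaultInstallation1 status=DENIED service=dzsh command=/usr/bin/id reason=sam checking returned false, user is not allowed to use this command or runas MfaRequired=false EntityName=ocean.net
"""

# key=value pairs; a value runs until the next " key=" token or end of line,
# so multi-word values such as reason=... are not split on spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Assumed labels for the six pipe-separated header fields after "AUDIT_TRAIL".
HEADER_FIELDS = ("vendor", "product", "version", "event_class", "event_name", "severity")


def parse_audit_trail(line):
    """Parse one AUDIT_TRAIL line into a dict; return None for any other line."""
    idx = line.find("AUDIT_TRAIL|")
    if idx < 0:
        return None
    parts = line[idx:].split("|", 7)
    if len(parts) != 8:
        return None  # malformed header: not enough pipe-separated fields
    rec = dict(zip(HEADER_FIELDS, parts[1:7]))
    rec.update(KV_RE.findall(parts[7]))
    return rec


def denied_commands(log_text):
    """Return {command_path: set(users)} for every dzsh denial in the log."""
    denied = {}
    for line in log_text.splitlines():
        rec = parse_audit_trail(line)
        if rec is None or rec.get("service") != "dzsh" or rec.get("status") != "DENIED":
            continue
        denied.setdefault(rec.get("command", "?"), set()).add(rec.get("user", "?"))
    return denied


if __name__ == "__main__":
    for cmd, users in sorted(denied_commands(SAMPLE_LOG).items()):
        print(f"{cmd}\tdenied for: {', '.join(sorted(users))}")
```

Run it against the real debug log with `denied_commands(open(path).read())`; each command path printed is a candidate for a new Command right in the restricted role.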
To resolve this issue, the denied command must be added to the role definition. The steps are below:
1) Go to Access Manager, expand the zone, then go to Authorization > UNIX Right Definitions > Commands, right-click and choose "New Command".
2) Give the command definition a name, description, etc. and specify the path to the command. It should look something like the following:
3) Although it is set by default, make sure "Can be used in a restricted role" is checked on the Restricted Shell tab:
4) Once the command definition has been built, add this command to the Role Definition that specifies the restricted shell. Right-click the Role Definition and choose "Add right".
5) Then add the command that has just been created:
6) Run adflush -f on the server in question. The user should now be able to log in.