Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-15261: Cannot login to server with a restricted shell

Authentication Service ,  

18 June,19 at 02:43 PM

Problem:
A user has been assigned a Role Definition that has a restricted shell. The user tries to login, but cannot and either gets errors or just taken back to the main login page. Why does this happen?


Cause:
A restricted shell in Centrify is meant to restrict the commands a user can run. However, during the login process, there are commands getting ran without user knowledge that are meant to setup the environment for the user. 


Solution:
To find which commands are being ran and getting denied due to this restricted shell, a technician or administrator must enable debug logging to see what is happening during login. 

Please see the following article that has the instructions on enabling debug logging:

KB-0062: How to Collect Debug Logs from a DirectControl Agent



Once the issue has been reproduced and the logs have been gathered, there should be some lines in the logs that look like the following:

-dzsh[9910]: INFO  AUDIT_TRAIL|Centrify Suite|dzsh|1.0|3|dzsh command execution denied|5|user=clyde pid=9910 utc=1559251809758 centrifyEventID=33003 DASessID=N/A DAInst=DefaultInstallation1 status=DENIED service=dzsh command=/usr/bin/env reason=sam checking returned false, user is not allowed to use this command or runas MfaRequired=false EntityName=ocean.net

It is seen that the command that is getting blocked is /usr/bin/env

To resolve this issue, the command must be added to the role definition. The steps to do this are below:

1) Go to Access Manager, expand the zone, then Authorization > UNIX Right Definitions > Commands > right-click - "New Command"

2) Give the command definition a name, description, etc. and specify the path to the command. Should look something like below:


User-added image




3) Although it is set by default, make sure the "Can be used in a restricted role" is checked on the Restricted Shell tab:


User-added image




4) Once the command definition has been built, add this command to the Role Definition that specifies a restricted shell. Right click the Role Definition and choose "Add right"

User-added image




5) Then add the command that has just been created:


User-added image

6) Run the adflush -f command on the server in question and the user should now be able to login.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleLeast-Privileged Access and the Centrify Restricted Shell articleKB-6041: How to show current license type in use by adclient articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[Labs] Setting-up an AWS Test Lab for Centrify