Applies to: All versions of Centrify DirectControl
Centrify NIS users are unable to log in because their accounts show as "disabled" when the adquery command is run. The command ypmatch or ypcat password returns "!!" in the password field for user accounts instead of a password hash. What causes this?
There are several possible reasons, but in this case it can happen if the version of Centrify DirectControl (adinfo -v) does not match the version of the Centrify NIS server adnisd (adnisd -v). When the install.sh script (or native OS commands) is run to upgrade the Centrify agent, it is highly recommended that customers upgrade the adnisd component as well to avoid issues like this.
When implementing adnisd, the initial password hash is only generated when the user changes their password. Customers should force users to change their password at the next logon so that the password hash is set at the earliest opportunity. Client authentication requests may fail for users who do not have a password hash available. If the password hash field in the passwd.byname or passwd.byuid map displays a single exclamation point (!), it indicates that the user’s password hash has not been set.
If a user account is new, disabled, locked, requires a password change, or is not enabled for a zone, the Centrify Suite NIS server sets the user’s hash field to “!”.
Depending on the OS, the following are some of the codes that ypcat or ypmatch return in the password field. As always, customers should contact support to run additional commands.
1) If it is <blank>, no password is set.
2) If it is !!, the account is disabled.
3) If it is ! or x, the customer should look in /etc/shadow.
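
The codes above can be checked across a whole map at once. The following is an added example, not Centrify's own tooling: the function names, status labels and sample accounts are constructed for illustration, and it assumes the standard seven-field passwd map layout.

```shell
#!/bin/sh
# Added example: triage passwd-map lines by their password field.
# Real use (assumed invocation): ypcat passwd | triage_passwd_map

# Map one password-field value to a status, using the codes in this article.
classify_hash() {
    case "$1" in
        '')   echo "no-password-set" ;;
        '!!') echo "account-disabled" ;;
        '!')  echo "hash-not-set" ;;    # adnisd has no hash yet; locally, check /etc/shadow
        'x')  echo "see-etc-shadow" ;;
        *)    echo "hash-present" ;;
    esac
}

# Read name:passwd:uid:gid:gecos:home:shell lines on stdin and print one
# "name uid=N status" line for every account without a usable hash.
triage_passwd_map() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac          # skip blanks and comments
        case "$line" in
            *:*:*:*) ;;
            *) echo "skipping malformed line: $line" >&2; continue ;;
        esac
        name=${line%%:*}; rest=${line#*:}
        hash=${rest%%:*}; rest=${rest#*:}
        uid=${rest%%:*}
        status=$(classify_hash "$hash")
        [ "$status" = "hash-present" ] || printf '%s uid=%s %s\n' "$name" "$uid" "$status"
    done
}

# Constructed sample map output (not real accounts or hashes).
sample_map() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhash:1001:100:Alice:/home/alice:/bin/bash
bob:!!:1002:100:Bob:/home/bob:/bin/bash
carol:!:1003:100:Carol:/home/carol:/bin/bash
dave::1004:100:Dave:/home/dave:/bin/bash
erin:x:1005:100:Erin:/home/erin:/bin/bash
not a passwd line
EOF
}

sample_map | triage_passwd_map
```

Accounts reported as hash-not-set are the ones that still need a forced password change before adnisd can serve a hash for them.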