Applies to: All versions of Centrify DirectControl
How is a Centrify user added to a local group on their server?
For example: Is it possible to add a Centrify user to the "local cdrom group" on a Centrify server?
It appears the only way to add the user would be to create a local account, which is not always desirable.
The user can be directly added into the /etc/group entry, or control of the group membership can be handled solely from the AD side:
1. Create an AD group with the same name and same GID as the local group.
2. Add the AD user as a member into that AD group.
3. On the Centrify server, add the following parameter into /etc/centrifydc/centrifydc.conf as root:
4. Remove the corresponding local group from /etc/centrifydc/group.ignore
5. Run adreload and adflush.
For more information on this parameter, please refer to page 70 of the guide below:
This configuration parameter determines whether to merge local group membership from the /etc/group file into the Centrify DirectControl group membership for groups that have the same name and GID.
For example, if DirectControl retrieves the membership list of kwan, emily, and sam for the group profile with the group name performx1 and GID 92531 from Active Directory, and there is also a local group named performx1 with the GID 92531 with users wilson and jae, the merged group would include all five members (kwan, emily, sam, wilson, jae).
By default, this parameter value is set to false to prevent unexpected results.
Setting this parameter to true violates normal NSS behavior and, therefore, may have unexpected side effects. Analyze the environment carefully before changing this parameter to true. If it is determined that local and Active Directory group profiles can be safely merged, the parameter can be uncommented and its value changed.
Note: After setting this parameter to true, run adreload to detect changes in the local group file.
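One way to analyze the environment before enabling the merge is to preview which local groups would gain Active Directory members. The script below is an added example, not Centrify code: it applies the same-name-and-same-GID rule described above to /etc/group-format text and a list of AD group profiles. The AD_GROUPS tuple layout, the member ordering, and the cdrom and backup entries are constructed assumptions; performx1 follows the article's example.

```python
# Added example: preview which groups would merge (same name AND same GID).
# performx1 follows the article; every other entry is constructed sample data.
LOCAL_GROUP_FILE = """\
root:x:0:
cdrom:x:24:
performx1:x:92531:wilson,jae
backup:x:34:svc_backup
"""

# Assumed layout: AD group profiles as (name, gid, members), exported separately.
AD_GROUPS = [
    ("performx1", 92531, ["kwan", "emily", "sam"]),
    ("cdrom", 24, ["alice"]),
    ("backup", 5000, ["bob"]),
]

def parse_group_file(text):
    """Parse /etc/group-format text into {name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip blank, comment, malformed and NIS +/- lines
        groups[fields[0]] = (int(fields[2]), [m for m in fields[3].split(",") if m])
    return groups

def preview_merge(local_text, ad_groups):
    """Return (merged, skipped): merged memberships, and name matches whose GID differs."""
    local = parse_group_file(local_text)
    merged, skipped = {}, []
    for name, gid, ad_members in ad_groups:
        if name not in local:
            continue  # no local group of that name, nothing to merge
        local_gid, local_members = local[name]
        if local_gid != gid:
            skipped.append((name, gid, local_gid))  # same name, different GID
            continue
        merged[name] = list(ad_members) + [m for m in local_members if m not in ad_members]
    return merged, skipped

if __name__ == "__main__":
    merged, skipped = preview_merge(LOCAL_GROUP_FILE, AD_GROUPS)
    for name, members in merged.items():
        print(f"would merge {name}: {','.join(members)}")
    for name, ad_gid, local_gid in skipped:
        print(f"would NOT merge {name}: AD GID {ad_gid} != local GID {local_gid}")
```

Review each "would merge" line as a change in effective local privileges, and treat each "would NOT merge" line as a GID mismatch to resolve before relying on AD-side membership for that group.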