Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2003: Cannot login when pam.groups.allow is enabled

Authentication Service ,  

12 April,16 at 11:45 AM


The parameter does not work even when the user is added to the relevant AD groups and listed in /etc/centrifydc/groups.allow.

adquery user -A "username" shows the user does belong to the AD groups but does not show it as zone-enabled.


For this parameter to work, the user in question needs to be zone-enabled otherwise the UID/GID cannot be derived. If the Centrify server is in Auto Zone mode, this is not required. For more details please check the extract from Config Parameter guide: 

The pam.groups.allow configuration parameter specifies the groups allowed to access PAM-enabled applications. When this parameter is defined, only the listed groups are allowed access. All other groups are denied access.

If you want to use this parameter to control which users can log in based on group membership, the groups you specify should be valid Active Directory groups, but the groups you specify do not have to be enabled for UNIX. Local group membership and invalid Active

Directory group names are ignored.

In most cases, you set this configuration parameter using the group policy at:

Computer Configuration / Centrify Settings / DirectControl Settings / Login Settings / "Manage login filters"

And selecting the allow option and specifying one or more group names. You can also set it manually in the configuration file if you are not using group policies or want to temporarily override group policies.

If you use this parameter to control access by group name, Centrify DirectControl checks the Active Directory group membership for every user who attempts to use PAM-enabled applications on the host computer.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks with Active Directory to see what groups the user belongs to. If the user is a member of any Active Directory group specified by this parameter, the user is accepted and authentication proceeds. If the user is not a member of any group specified by this parameter, authentication fails and the user is rejected.

The parameter’s value can be one or more group names, separated by commas, or the file: keyword and a file location. For example, to allow only members of the administrators, sales, and engineering groups in Active Directory to log in:

pam.allow.groups: administrators,sales,engineering

You can use the short format of the group name or the full canonical name of the group.

To enter group names with spaces, enclose them in double quotes:

pam.allow.groups: "domain admins",sales,"domain users"

To specify a file that contains a list of the groups allowed access, type the path to the file:

pam.allow.groups: file:/etc/centrifydc/groups.allow

Notes If a computer is configured to use Auto Zone without a zone, enter group names in the format specified by the parameter:

- SAM (samAccountName — this is the default); for example:


samAccountName@domain_name; for example:

NTLM; for example:

Look in the DirectControl configuration file for the value of, or run adquery group -n to see the UNIX name for any group. For example, to see the UNIX name for the Finance_Admins group (and SAM, the default, is set for, execute the following command, which returns the UNIX name as shown:

[root]#adquery group -n Finance_Admins

Note: After making changes to this parameter, run adreload and adflush to clear the Centrify DirectControl cache to ensure the changes take effect.