The pam.allow.groups parameter does not work even when the user is added to the relevant AD groups and listed in /etc/centrifydc/groups.allow.
adquery user -A "username" shows that the user does belong to the AD groups, but it does not show the user as zone-enabled.
For this parameter to work, the user in question must be zone-enabled; otherwise no UID/GID can be derived for the account, and the group filter never gets the chance to admit the login. If the Centrify agent on the host is in Auto Zone mode, zone enablement is not required. For more details, see the following extract from the Centrify configuration parameters guide:
The pam.allow.groups configuration parameter specifies the groups allowed to access PAM-enabled applications. When this parameter is defined, only the listed groups are allowed access; all other groups are denied access.
If you use this parameter to control which users can log in based on group membership, the groups you specify should be valid Active Directory groups, but they do not have to be enabled for UNIX. Local group membership and invalid Active Directory group names are ignored.
In most cases, you set this configuration parameter using the group policy at:
Computer Configuration / Centrify Settings / DirectControl Settings / Login Settings / "Manage login filters"
and selecting the allow option and specifying one or more group names. You can also set it manually in the configuration file if you are not using group policies or want to temporarily override them.
If you use this parameter to control access by group name, Centrify DirectControl checks the Active Directory group membership for every user who attempts to use PAM-enabled applications on the host computer.
When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks with Active Directory to see what groups the user belongs to. If the user is a member of any Active Directory group specified by this parameter, the user is accepted and authentication proceeds. If the user is not a member of any group specified by this parameter, authentication fails and the user is rejected.
The parameter’s value can be one or more group names, separated by commas, or the file: keyword and a file location. For example, to allow only members of the administrators, sales, and engineering groups in Active Directory to log in:
You can use the short format of the group name or the full canonical name of the group.
To enter group names with spaces, enclose them in double quotes:
pam.allow.groups: "domain admins",sales,"domain users"
To specify a file that contains a list of the groups allowed access, type the path to the file:
Note: If a computer is configured to use Auto Zone (that is, without a zone), enter group names in the format specified by the auto.schema.name.format parameter:
- SAM (samAccountName; this is the default)
- samAccountName@domain_name
- NTLM
Look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery group -n to see the UNIX name for any group. For example, to see the UNIX name for the Finance_Admins group (with auto.schema.name.format at its default of SAM), execute the following command, which prints the UNIX name:
[root]# adquery group -n Finance_Admins
Note: After changing this parameter, run adreload so the agent rereads the configuration file, then adflush to clear the Centrify DirectControl cache, so that the change takes effect.
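As an added example (not Centrify's own code and not part of the original page), the following POSIX shell script reproduces the decision the guide describes offline, so a filter can be sanity-checked before it is deployed: it expands a pam.allow.groups value in both the comma-separated form (quoted names with spaces) and the file: form, matches a user's AD groups against it, and applies the zone-enablement precondition from the answer above. The allow list, the file contents and the group memberships are constructed sample data; treating '#' lines in the file form as comments and comparing group names case-insensitively are assumptions, not documented Centrify behaviour.

```shell
#!/bin/sh
# Added illustration (not Centrify's code): reproduce the pam.allow.groups
# decision offline so a filter can be sanity-checked before it is deployed.
set -eu

# Expand a pam.allow.groups value into one group name per line. Handles the
# comma-separated form (names with spaces in double quotes) and the
# file: keyword pointing at a file with one group per line.
expand_allow_groups() {
    value=$1
    case $value in
        file:*)
            # file: form; assumption: '#' starts a comment, blank lines ignored
            sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                "${value#file:}" | grep -v '^$' || true
            ;;
        *)
            # Split on commas that are outside double quotes, drop the quotes.
            printf '%s\n' "$value" | awk '
                function emit(t) {
                    gsub(/^[ \t]+|[ \t]+$/, "", t)
                    if (t != "") print t
                }
                {
                    tok = ""; inq = 0
                    for (i = 1; i <= length($0); i++) {
                        c = substr($0, i, 1)
                        if (c == "\"") { inq = !inq; continue }
                        if (c == "," && !inq) { emit(tok); tok = ""; continue }
                        tok = tok c
                    }
                    emit(tok)
                }'
            ;;
    esac
}

# Succeed (exit 0) if any of the user's groups ($2...) is in the allow list.
# Assumption: AD group names compare case-insensitively.
member_of_allowed() {
    allow_value=$1; shift
    allowed=$(expand_allow_groups "$allow_value" | tr 'A-Z' 'a-z')
    for g in "$@"; do
        lg=$(printf '%s' "$g" | tr 'A-Z' 'a-z')
        printf '%s\n' "$allowed" | grep -Fxq -- "$lg" && return 0
    done
    return 1
}

# The decision described in the article. zone_mode is "zone" or "autozone";
# zone_enabled is "yes" or "no". Outside Auto Zone an AD user who is not
# zone-enabled has no UID/GID, so the group filter never gets a chance to
# admit them.
pam_allow_decision() {
    zone_mode=$1; zone_enabled=$2; allow_value=$3; shift 3
    if [ "$zone_mode" != autozone ] && [ "$zone_enabled" != yes ]; then
        echo deny-not-zone-enabled
        return 0
    fi
    if member_of_allowed "$allow_value" "$@"; then
        echo allow
    else
        echo deny-not-in-allowed-group
    fi
}

# Constructed sample data, not taken from a real host.
ALLOW_INLINE='"domain admins",sales,"domain users"'
ALLOW_FILE=$(mktemp)
printf '%s\n' 'sales' '# engineering is still on the pilot list' 'engineering' > "$ALLOW_FILE"

# Symptom from the question: right group, but not zone-enabled on a classic zone.
pam_allow_decision zone no "$ALLOW_INLINE" "Domain Users" sales
# Same user once zone-enabled, and on an Auto Zone host where that is not needed.
pam_allow_decision zone yes "$ALLOW_INLINE" "Domain Users" sales
pam_allow_decision autozone no "file:$ALLOW_FILE" engineering
# Group not listed: the filter denies even a zone-enabled user.
pam_allow_decision zone yes "file:$ALLOW_FILE" wheel
```

The first call reproduces the symptom in the question: the user is in an allowed group, yet the outcome is deny-not-zone-enabled, because the zone check runs before the group filter ever matters. Only when the user is zone-enabled, or the host is in Auto Zone, does group membership decide the result. Real group membership would come from adquery user -A on the host rather than from the constructed arguments here.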