
KB-2081: groups command fails to retrieve all AD groups

Authentication Service

12 April,16 at 11:08 AM

A Unix server was recently migrated to Centrify. 
There is one account causing an issue: from within Active Directory, we can see it belongs to 4 groups, but on the Centrified server, not all the groups are seen. There are no passwd.ovr or group.ovr entries for this account or any of the groups. The commands adquery and id -a can show all the groups, but the groups command doesn't.
When the command su is issued to the account and groups is run, a single group is displayed. In the example below, the command getent group is issued to show that other accounts in the group show all their groups. In this case, the epharms account should actually belong to 4 groups as opposed to just one group. The name server caching daemon (nscd) was stopped and restarted too. The command adflush was run several times. 
Is there any reason? 
This can prevent a script from being run due to the group that owns the script not showing up for this account.
sun112# id -a epharms
uid=39379(epharms) gid=5962(epharms) groups=5699(lsfgrid01),60025(wladmin),5962(epharms),2915(epharm01)
sun112# groups epharms
sun112# adquery user epharms --groups
sun112# getent group epharm01
sun112# groups epharm
epharm01 epharm02 grclpkpd
sun112# groups epharmd
epharmd epharm01 lsfgrid01 wladmin
sun112# groups epharmt
epharmt epharm01 lsfgrid01 wladmin
sun112# groups wladmin
bea cdam_nas epharm01 epharm02 epharms epharmt
sun112# groups epharms

This can happen if the Centrify command adsetgroups was run to dynamically adjust the number of groups a user can belong to. The file .setgrpsrc is created in the home directory of the user. In this case, the file contains the account "epharms", and membership is not queried from AD. Removing the .setgrpsrc file from the home directory of the account (~/epharms) will resolve the issue.
(Please see page 324 of the admin guide for more details.)
Note: This is not a bug but implemented by design.
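
The check described above can be scripted. The following is an added example, not Centrify code or part of the original article: it reports which groups `id -a` lists that `groups` omits, and whether a .setgrpsrc file sits in the account's home directory. The function names are hypothetical, and it assumes group names contain no spaces.

```shell
#!/bin/sh
# Added example (not Centrify code): diagnose the id/groups mismatch from this
# article. All function names are hypothetical.

# Turn the groups= field of an `id -a` line into one group name per line.
id_group_names() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' |
        tr ',' '\n' | sed -n 's/^[0-9]*(\(.*\))$/\1/p'
}

# Print groups present in the `id -a` line ($1) but absent from the
# space-separated `groups` output ($2).
missing_from_groups() {
    for g in $(id_group_names "$1"); do
        case " $2 " in
            *" $g "*) ;;                 # reported by both commands
            *) printf '%s\n' "$g" ;;     # reported by id only
        esac
    done
}

# List home directories under base directory $1 that contain .setgrpsrc.
find_setgrpsrc() {
    for d in "$1"/*/; do
        [ -f "${d}.setgrpsrc" ] && printf '%s\n' "${d%/}"
    done
    return 0
}

# Live check for one account; uses only getent, id and groups.
audit_user() {
    home=$(getent passwd "$1" | cut -d: -f6)
    # Some platforms print "user : g1 g2"; strip that prefix if present.
    seen=$(groups "$1" | sed 's/^.*: *//')
    missing=$(missing_from_groups "$(id -a "$1")" "$seen")
    [ -n "$missing" ] && echo "groups omits for $1:" $missing
    [ -f "$home/.setgrpsrc" ] && echo "found $home/.setgrpsrc"
    return 0
}

# Usage: sh check_setgrpsrc.sh epharms
if [ "$#" -gt 0 ]; then audit_user "$1"; fi
```

`find_setgrpsrc` takes the parent directory of the home directories and is useful for sweeping a migrated server for other accounts in the same state.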