Some AD users cannot log in and are not authenticated when they try to access the share from a Mac, while other users can access the same share with their AD account.
The issue started after DirectAuthorize was configured on the server. Before DirectAuthorize was set up, all users were able to access the shares.
From /var/log/auth.log on the server with hostname 'files', the following entries were logged for one of the affected users:
Oct 10 11:25:30 files adclient: INFO <fd:25 PAMVerifyPassword > audit User 'cg114796' authenticated based on Kerberos exchange to AD
Oct 10 11:25:30 files adclient: INFO <fd:25 PAMIsUserAllowedAccess2 > audit User 'cg114796' is not authorized: User 'cg114796' denied access to application 'netatalk' by DirectAuthorize
The two entries show the cause. The first entry (PAMVerifyPassword) confirms that the user's credentials are correct and that authentication against AD succeeded via Kerberos. The second entry (PAMIsUserAllowedAccess2) shows that the user was then denied by DirectAuthorize, because the PAM application 'netatalk' (the service Mac clients go through to reach the share) is not in the PAM access list of any role assigned to that user. Users who can still access the share hold a role that already grants that PAM application.
Solution:
In the CentrifyDC Console, add 'netatalk' to the PAM access list of the role assigned to the affected users. Then, on the server, run /usr/sbin/adflush (with no options) so that adclient discards its cached authorization data and picks up the new role assignment, and restart the service with /etc/init.d/netatalk restart.
See the image below for an example:
NOTE: This KB does not explain how to configure Netatalk.
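The following script is an added example and is not part of this KB or of Centrify's own tooling. It shows how to scan auth.log for the DirectAuthorize denial pattern quoted above and report which user was denied which PAM application, so the exact application name to add to the PAM access list can be read off without guessing. It also checks that the same user has a successful Kerberos entry, which distinguishes an authorization (DirectAuthorize) failure from a password failure. The sample log lines are constructed for the example: the first two are the entries quoted in this KB, the 'jsmith' and 'sshd' entries are made up to show that the parser is not specific to netatalk.

```shell
#!/bin/sh
# Added example (not Centrify's code): find DirectAuthorize PAM denials in an
# auth.log-style file and report "user application" pairs.

# denied_pam_apps LOGFILE
# Prints one "user application" pair per distinct DirectAuthorize denial.
# The pattern matches the adclient audit line quoted in this KB:
#   User 'X' denied access to application 'Y' by DirectAuthorize
denied_pam_apps() {
    grep -h "denied access to application" "$1" 2>/dev/null \
    | grep "by DirectAuthorize" \
    | sed -n "s/.*User '\([^']*\)' denied access to application '\([^']*\)' by DirectAuthorize.*/\1 \2/p" \
    | sort -u
}

# kerberos_ok USER LOGFILE
# Returns 0 if the user has a successful Kerberos authentication recorded,
# i.e. the credentials were accepted and only the authorization step failed.
kerberos_ok() {
    grep -q "User '$1' authenticated based on Kerberos exchange to AD" "$2"
}

# Constructed sample log (first two lines are the entries from this KB; the
# 'jsmith'/'sshd' lines are invented for illustration).
SAMPLE_LOG="${TMPDIR:-/tmp}/auth.log.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Oct 10 11:25:30 files adclient: INFO <fd:25 PAMVerifyPassword > audit User 'cg114796' authenticated based on Kerberos exchange to AD
Oct 10 11:25:30 files adclient: INFO <fd:25 PAMIsUserAllowedAccess2 > audit User 'cg114796' is not authorized: User 'cg114796' denied access to application 'netatalk' by DirectAuthorize
Oct 10 11:26:02 files adclient: INFO <fd:26 PAMVerifyPassword > audit User 'jsmith' authenticated based on Kerberos exchange to AD
Oct 10 11:26:02 files adclient: INFO <fd:26 PAMIsUserAllowedAccess2 > audit User 'jsmith' is not authorized: User 'jsmith' denied access to application 'sshd' by DirectAuthorize
EOF

# Run with --demo to print a report for the sample; point it at the real file
# with: denied_pam_apps /var/log/auth.log
if [ "${1:-}" = "--demo" ]; then
    denied_pam_apps "$SAMPLE_LOG" | while read -r user app; do
        if kerberos_ok "$user" "$SAMPLE_LOG"; then
            echo "$user: authenticated OK, but PAM application '$app' is missing from the role's PAM access list"
        else
            echo "$user: denied for '$app' and no Kerberos success logged; check credentials first"
        fi
    done
fi
```

Each reported application name is the value to add to the PAM access list of the affected users' role; after running adflush, Centrify's dzinfo utility can be used to list a user's effective role assignments and PAM application rights and confirm the change took effect.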