Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2300: chsh command does not work for Centrify users

Authentication Service ,  

12 April,16 at 11:07 AM

Applies to:

All versions of Centrify DirectControl.


The unix command chsh ( a local user to change his default shell but it looks for the user in /etc/shadow. How will it work for Centrify users.?

chsh: Cannot determine your user name. 


This is a known issue, and since chsh is not a Centrify command or in the code, its not possible to fix it. However there is a workaround:

Customers can use Centrify's adupdate CLI as shown below: 

/bin/adupdate modify user -s <shell> <username> 


/bin/adupdate modify user -s /usr/sbin/csh testuser 

Note: adupdate does support Kerberos tickets and adupdate can be run as any user. The only caveat is  "since a user doesn’t have rights to change their UNIX identity information in AD by default, they cannot change their shell". The UNIX profile can be ACLed so that the user has access to change their shell but this is something that would need to be done after the user is UNIX enabled. 

Note: If customer is using Centrify DirectControl version 5.0, they can use adedit and build their own tcl script to do it: 


bind $current_domain 

# select curret_zone 
slz $current_zone 

# select target zone user 
slzu $zone_user@$current_domain 

# set zone user AD attribute field 
szuf $attribute $value 

Please refer to Centrify's adedit doc: 

Please note that in order to perform the above workaround as user, you have thetogrant the user right to modify the user profile by following page 234 of the Deployment Guide

Modifying users in standard zones: 

At the end of this KB,  there is a sample script written by a support engineer.

# Usage: adedit [AD admin] [zone user] [attribute] [value]


Since adedit also support Kerberos tickets you can remove $ad_admin in the script. You can then use Kerberos tickets to perform the changes.