Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2300: chsh command does not work for Centrify users

Authentication Service ,  

12 April,16 at 11:07 AM

Applies to:

All versions of Centrify DirectControl.

Question:

The unix command chsh (http://en.wikipedia.org/wiki/Chshallows a local user to change his default shell but it looks for the user in /etc/shadow. How will it work for Centrify users.?

#chsh
chsh: Cannot determine your user name. 

Answer:

This is a known issue, and since chsh is not a Centrify command or in the code, its not possible to fix it. However there is a workaround:

Customers can use Centrify's adupdate CLI as shown below: 

/bin/adupdate modify user -s <shell> <username> 

e.g. 

/bin/adupdate modify user -s /usr/sbin/csh testuser 

Note: adupdate does support Kerberos tickets and adupdate can be run as any user. The only caveat is  "since a user doesn’t have rights to change their UNIX identity information in AD by default, they cannot change their shell". The UNIX profile can be ACLed so that the user has access to change their shell but this is something that would need to be done after the user is UNIX enabled. 

Note: If customer is using Centrify DirectControl version 5.0, they can use adedit and build their own tcl script to do it: 

e.g. 

bind $current_domain 

# select curret_zone 
slz $current_zone 

# select target zone user 
slzu $zone_user@$current_domain 

# set zone user AD attribute field 
szuf $attribute $value 

Please refer to Centrify's adedit doc: 

http://www.centrify.com/downloads/products/documentation/suite2012/ga/centrify-suite-adedit-guide.pdf 

Please note that in order to perform the above workaround as user, you have thetogrant the user right to modify the user profile by following page 234 of the Deployment Guide

Modifying users in standard zones: 

http://www.centrify.com/downloads/products/documentation/suite2012/ga/centrify-dc-deployment-guide.pdf 

At the end of this KB,  there is a sample script written by a support engineer.

# Usage: adedit attribute.sh [AD admin] [zone user] [attribute] [value]

 

Since adedit also support Kerberos tickets you can remove $ad_admin in the script. You can then use Kerberos tickets to perform the changes.

 


Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-3730: Using UNIX command usermod to add an AD user to a machine local group articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleCentrify 17.1, 17.1 Hotfix 1 & Hotfix 2 Release Notes article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I