Applies to:
All versions of Centrify DirectControl.
Question:
The UNIX command chsh (http://en.wikipedia.org/wiki/Chsh) allows a local user to change his default shell, but it looks for the user in /etc/shadow. How will it work for Centrify users?
#chsh
chsh: Cannot determine your user name.
Answer:
This is a known issue. Because chsh is not a Centrify command and is not part of Centrify's code, it is not possible to fix it. However, there is a workaround:
Customers can use Centrify's adupdate CLI as shown below:
/bin/adupdate modify user -s <shell> <username>
e.g.
/bin/adupdate modify user -s /usr/sbin/csh testuser
Note: adupdate supports Kerberos tickets and can be run as any user. The only caveat is that, since a user doesn't have rights to change their UNIX identity information in AD by default, they cannot change their shell. The UNIX profile can be ACLed so that the user has access to change their shell, but this would need to be done after the user is UNIX enabled.
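chsh normally refuses a shell that is not listed in /etc/shells when run by a non-root user, so a delegated adupdate workflow may want the same check in front of it. The wrapper below is an added example, not Centrify code: the function names, the SHELLS_FILE, ADUPDATE and DRY_RUN variables and the user-name pattern are assumptions, and only the adupdate command line comes from this article.

```shell
#!/bin/sh
# Added example: chsh-style validation in front of the adupdate workaround.
# Assumptions: SHELLS_FILE, ADUPDATE and DRY_RUN are hypothetical knobs;
# /bin/adupdate is the path shown in this article.
SHELLS_FILE="${SHELLS_FILE:-/etc/shells}"
ADUPDATE="${ADUPDATE:-/bin/adupdate}"

# Return 0 only if $1 is an absolute path listed verbatim in $SHELLS_FILE.
is_allowed_shell() {
    case "$1" in
        *[!A-Za-z0-9/._-]*) return 1 ;;  # spaces, newlines, metacharacters
        /*) ;;                           # absolute path: continue
        *) return 1 ;;                   # empty or relative path
    esac
    # -F fixed string, -x whole-line match, so "/bin/sh" never matches "/bin/sh2".
    grep -Fxq -- "$1" "$SHELLS_FILE"
}

# Return 0 only for a conservative user name, so a value such as "-s"
# can never be parsed by adupdate as an option.
is_valid_username() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Validate both arguments, then run adupdate as in the article.
# With DRY_RUN=1 the command is printed instead of executed.
change_shell() {
    new_shell=$1
    user=$2
    is_valid_username "$user" || { echo "rejected user name: $user" >&2; return 2; }
    is_allowed_shell "$new_shell" || { echo "not in $SHELLS_FILE: $new_shell" >&2; return 3; }
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$ADUPDATE modify user -s $new_shell $user"
    else
        "$ADUPDATE" modify user -s "$new_shell" "$user"
    fi
}
```

Source the file and call `change_shell /usr/sbin/csh testuser`; the function returns 2 for a rejected user name and 3 for a shell that is not listed.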
Note: If the customer is using Centrify DirectControl version 5.0, they can use adedit and build their own Tcl script to do it:
e.g.
bind $current_domain
# select current_zone
slz $current_zone
# select target zone user
slzu $zone_user@$current_domain
# set zone user AD attribute field
szuf $attribute $value
Please refer to Centrify's adedit doc:
http://www.centrify.com/downloads/products/documentation/suite2012/ga/centrify-suite-adedit-guide.pdf
Please note that in order to perform the above workaround as a user, you have to grant the user the right to modify the user profile by following page 234 of the Deployment Guide
Modifying users in standard zones:
http://www.centrify.com/downloads/products/documentation/suite2012/ga/centrify-dc-deployment-guide.pdf
At the end of this KB, there is a sample script written by a support engineer.
# Usage: adedit attribute.sh [AD admin] [zone user] [attribute] [value]
Since adedit also supports Kerberos tickets, you can remove $ad_admin in the script. You can then use Kerberos tickets to perform the changes.