Applies to: All versions of Centrify DirectControl ZPA.
In a 1-way trust [resource domain (where Centrify servers are joined) trusts accounts domain], it is found that users and groups show up fine in the Centrify DirectControl Console which is enabled using Zone Provisioning Agent or ZPA. Users can log in successfully. However, their secondary group membership do not resolve. It only shows their Primary Group. Even though unix groups are displaying fine on the Centrify Console, why do commands like adquery or lsgroup (in AIX) fail. Any reason?
This is a known issue with ZPA. In the above example, ZPA is being used to unix-enable groups from the accounts domains in a 1-way trusted env. This is not supported and will not work. The proper way to zone-enable unix groups would be to create "Domain local group" in resource domain and add users or global groups from Accounts domain.
Centrify DirectControl Console (without ZPA enabled) will not allow you to add groups across a 1-way trust. A question may be asked "Why groups from a one-way trusted forest can not be used with Centrify DirectControl". See below for an explanation.
The definition of a one-way outgoing trust is that users in the trusted domain can be authenticated in the current domain, but the current domain is not trusted in reverse. This means that principals which are members of the current domain (such as the Centrify server) do not have permissions to read data from the trusted domain. In order to enable this, a two-way trust must be created. Since by definition, the group object in the trusted domain isnot readable by the Unix computer principal, this group cannot be used.