Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2434: Why does ZPA allow groups to be added from accounts domain in a 1-way trust?

Auditing and Monitoring Service ,   Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 10:57 AM

Applies to: All versions of Centrify DirectControl ZPA.

In a 1-way trust [resource domain (where Centrify servers are joined) trusts accounts domain], it is found that users and groups show up fine in the Centrify DirectControl Console which is enabled using Zone Provisioning Agent or ZPA. Users can log in successfully. However, their secondary group membership do not resolve. It only shows their Primary Group. Even though unix groups are displaying fine on the Centrify Console, why do commands like adquery or lsgroup (in AIX) fail. Any reason?

This is a known issue with ZPA. In the above example,  ZPA is being used to unix-enable groups from the accounts domains in a 1-way trusted env. This is not supported and will not work. The proper way to zone-enable unix groups would be to create "Domain local group" in resource domain and add users or global groups from Accounts domain. 

Centrify DirectControl Console (without ZPA enabled) will not allow you to add groups across a 1-way trust.  A question may be asked "Why groups from a one-way trusted forest can not be used with Centrify DirectControl". See below for an explanation.

The definition of a one-way outgoing trust is that users in the trusted domain can be authenticated in the current domain, but the current domain is not trusted in reverse.  This means that principals which are members of the current domain (such as the Centrify server) do not have permissions to read data from the trusted domain.  In order to enable this, a two-way trust must be created. Since by definition, the group object in the trusted domain isnot readable by the Unix computer principal, this group cannot be used.