12 April,16 at 11:09 AM
Applies to: All versions of Centrify DirectControl on all platforms.
Problem:
After assigning a role to an AD Distribution group and adding AD users to the group:
Running dzinfo [AD user] on the UNIX side will show the role is in place, but AD users cannot login.
Running dzinfo [AD user] again will then show the role is now missing:
[root@rhel ~]# dzinfo test1
User: test1
Forced into restricted environment: No
Role Name Avail Restricted Env
--------------- ----- --------------
(test1 has no roles assigned)
PAM Application Avail Source Roles
--------------- ----- --------------------
Privileged commands:
Name Avail Command Source Roles
--------------- ----- -------------------- --------------------
(test1 has no privileged command rights)
Running the command #adflush -a (flush authorization cache) can get back the role assignment, but the role assignment will be missing again after the AD user logs in.
Cause:
AD Distribution group is not supported except via the ZPA.
Workaround:
In ADUC or the CDC console, please change the group back to Security Group and it should function properly.
KB-20210: Common Questions Regarding Centrify DirectControl and CoreOS
KB-6040: How to change the license type in use after adclient successful joined to the AD?
KB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role?
KB-6038: How to specify the license type to use when joining the server to AD using adjoin?
KB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)
KB-6041: How to show current license type in use by adclient
KB-3038: How to add an AD user into a Centrify Zone.
KB-6056: How to report the group policy settings that are in effect for the local computer?
[DevOps] Creating a Kerberos Keytab to Automate DirectControl Active Directory joins & removals