KB-2626: adfixid does not report conflicts while adrmlocal does

Centrify DirectControl

28 October,13 at 12:49 PM

Applies to:

All versions of Centrify DirectControl
Why does Centrify's adfixid tool not report uid conflicts while adrmlocal does?
Reference: adfixid (pg288), adrmlocal (pg286)
adfixid fixes local users in /etc/passwd whose name or uid conflicts with an AD user, and local groups in /etc/group whose name or gid conflicts with an AD group. For users, if an AD user matches the local user on both name and uid, it is NOT a conflict. The same rule applies to groups (name and gid).
In the following scenario, the AD user dt04547 has uid 4547 both in AD and in the local /etc/passwd, but its primary gid is 42655 in AD and 8841 in the local entry:
# adquery user dt04547 
dt04547:x:4547:42655:Mitch Montgomery:/dst/home/dt04547:/usr/bin/ksh 
# adquery group osg 
# grep dt04547 /etc/passwd 
dt04547:x:4547:8841:Mitch Montgomery:/dst/home/dt04547:/usr/bin/ksh 
Running adfixid:
# adfixid 
No user-id conflicts were found. 
31 local user(s) that are duplicated with AD users:
dt04547:uid(4547):gid(8841):ADuid(4547):ADgid(42655) Conflicted with AD
So dt04547:x:4547:... is the same on both sides. The username and uid match, so it is the same person and there is no conflict; adfixid only lists the account as a local user duplicated with AD (the primary gid differs), not as a uid conflict.
For the group: osg:x:8841:... does not exist in /etc/group, so there is no conflict.
Because gid 8841 was NOT renamed, no reference to 8841 will be changed.
adrmlocal serves a different purpose: it purges the system of local users or groups by removing from /etc/passwd all local users that do not match their AD counterparts. Here the different primary gid is what triggered the action.
adfixid is intended to help resolve uid/gid conflicts between /etc/passwd, /etc/group and AD.
Centrify tries to minimize what is changed on the local system (in case the agent is later uninstalled).
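As an added illustration, and not Centrify's code nor the Perl script this KB refers to, the following Python models the two rules described above on constructed passwd-style input: the adfixid rule (a local entry whose name and uid both match an AD user is a duplicate, not a conflict) and the adrmlocal rule as this article describes it (any mismatch with the same-named AD user, including a different primary gid, makes the local entry non-matching). The sample entries other than dt04547, the parse_passwd helper and the verdict labels are assumptions of the example.

```python
"""Local /etc/passwd vs AD user reconciliation, modelled on the rules in
KB-2626.  Illustrative example only: this is not adfixid, adrmlocal or the
attached Perl script, and the rules below are the article's description of
those tools, not their source."""

from dataclasses import dataclass


@dataclass(frozen=True)
class PwEntry:
    name: str
    uid: int
    gid: int


def parse_passwd(text):
    """Parse passwd(5)-formatted lines, the format shared by /etc/passwd and
    `adquery user` output, into {name: PwEntry}.  Blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, uid, gid = fields[0], int(fields[2]), int(fields[3])
        entries[name] = PwEntry(name, uid, gid)
    return entries


def classify(local, ad):
    """Return {local_name: verdict} for every local entry.

    duplicate             name and uid match AD; gid matches too
    duplicate-gid-differs name and uid match AD; only the primary gid differs
    name-conflict         same name exists in AD but with a different uid
    uid-conflict          the uid is held by a *different* AD user
    local-only            no AD user shares the name or the uid
    """
    ad_by_uid = {e.uid: e for e in ad.values()}
    verdicts = {}
    for name, loc in local.items():
        by_name = ad.get(name)
        by_uid = ad_by_uid.get(loc.uid)
        if by_name is None and by_uid is None:
            verdicts[name] = "local-only"
        elif by_name is not None and by_name.uid == loc.uid:
            # adfixid rule: same name AND same uid is the same person, not a conflict.
            verdicts[name] = "duplicate" if by_name.gid == loc.gid else "duplicate-gid-differs"
        elif by_name is not None:
            verdicts[name] = "name-conflict"
        else:
            verdicts[name] = "uid-conflict"
    return verdicts


def adfixid_conflicts(verdicts):
    """What adfixid would treat as a conflict: real name/uid clashes only."""
    return sorted(n for n, v in verdicts.items() if v in ("name-conflict", "uid-conflict"))


def adrmlocal_report(local, ad):
    """Local entries adrmlocal would report, per the KB's description (assumed
    rule): a same-named AD user exists and its uid or gid differs from the local one."""
    return sorted(n for n, loc in local.items()
                  if n in ad and (ad[n].uid, ad[n].gid) != (loc.uid, loc.gid))


# Constructed sample data.  dt04547 mirrors the KB scenario (uid 4547 on both
# sides, primary gid 8841 locally vs 42655 in AD); the other entries are made up.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dt04547:x:4547:8841:Mitch Montgomery:/dst/home/dt04547:/usr/bin/ksh
build:x:5000:5000:Build user:/home/build:/bin/sh
jdoe:x:6001:6001:Jane Doe:/home/jdoe:/bin/bash
"""

AD_USERS = """\
dt04547:x:4547:42655:Mitch Montgomery:/dst/home/dt04547:/usr/bin/ksh
svcbuild:x:5000:42655:Build service:/home/svcbuild:/bin/sh
jdoe:x:70001:42655:Jane Doe:/home/jdoe:/bin/bash
"""


def run_example():
    """Run the comparison on the constructed data and return all three results."""
    local, ad = parse_passwd(LOCAL_PASSWD), parse_passwd(AD_USERS)
    verdicts = classify(local, ad)
    return verdicts, adfixid_conflicts(verdicts), adrmlocal_report(local, ad)


if __name__ == "__main__":
    verdicts, fixid, rmlocal = run_example()
    for name, verdict in verdicts.items():
        print(f"{name:<10} {verdict}")
    print("adfixid conflicts :", fixid)
    print("adrmlocal reports :", rmlocal)
```

Run against real data by feeding it the output of `getent passwd` (local file only, with CentrifyDC temporarily excluded from NSS) and `adquery user` for each account; the point the example makes is that dt04547 ends up in the adrmlocal list but not in the adfixid list, which is exactly the behaviour this KB explains.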
In conclusion:
(1) adfixid and adrmlocal are for different purposes.
(2) There is no need to remove dt04547 after adfixid, since the user profile will come from AD.
The standard practice is to choose one way or the other; there is no need to use both tools in an environment.
In this particular case, the /etc/passwd entry will be superseded because CentrifyDC is first in line for PAM and NSS.
The system will only see the AD profile; therefore adrmlocal is not necessary.
Due to the wide variety of desired behaviors in different environments, Centrify will be deprecating adfixid and adrmlocal in favor of adedit, which can be scripted to the exact behavior needed.
Attached to the end of this KB article is a sample Perl script to check UID and GID conflicts.
This script should be run after the machine is joined to the domain.
To do a test run:
sudo ./ -n
To run and fix conflicts:
sudo ./

