
KB-2626: adfixid does not report conflicts while adrmlocal reports

Centrify DirectControl

28 October,13 at 12:49 PM

Applies to:

All versions of Centrify DirectControl
 
Question:
 
Why does Centrify's adfixid tool not report uid conflicts while adrmlocal does?
 
References: 
http://www.centrify.com/downloads/products/documentation/suite2012/ga/centrify-suite-admin-guide.pdf
pg288 - adfixid
pg286 - adrmlocal
 
Answer:
 
adfixid fixes users in /etc/passwd whose names or uids conflict with AD, and groups in /etc/group whose names or gids conflict with AD. For a user, if an AD user matches both the local user name and the uid, it is NOT a conflict. The same applies to group conflicts.
 
In the following scenario, the AD user dt04547 has a uid of 4547 in AD and in local /etc/passwd, and a gid of 8841 in AD and local group:
 
# adquery user dt04547 
dt04547:x:4547:42655:Mitch Montgomery:/dst/home/dt04547:/usr/bin/ksh 
 
# adquery group osg 
osg:x:8841:dt00856,dt04547,dt14437,dt19339,dt20588,dt22425,dt36659,dt38500,dt39063,dt42481,dt42486,dt42752,dt50058,dt58943,dt60815,dt61276,dt64932,dt72253,dt72383,dt73646,dt75024,dt75143,dt75523,dt76385,dt76615,dt77790,dt81517,dt81816,dt82461,dt83451,dt84352
 
# grep dt04547 /etc/passwd 
dt04547:x:4547:8841:Mitch Montgomery:/dst/home/dt04547:/usr/bin/ksh 
 
Running:
 
# adfixid 
No user-id conflicts were found. 
 
# adrmlocal
31 local user(s) that are duplicated with AD users:
  
dt04547:uid(4547):gid(8841):ADuid(4547):ADgid(42655) Conflicted with AD
 
 
So dt04547:x:4547.... is the same on both sides.
The username and uid match, so it is the same person and there is no conflict.
 
 
For the group:
 
osg:x:8841:... does not exist in /etc/group; no conflict. 
8841 was NOT renamed, therefore any reference to 8841 will NOT be changed.
 
 
adrmlocal serves a different purpose: it purges the system of local users or groups by removing all non-matching local users from /etc/passwd. Here the different primary gid triggered the action.
 
adfixid is intended to help resolve conflicts with /etc/passwd and /etc/group.
 
Centrify tries to minimize what is changed in the local system (in case of uninstall). 
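
The difference between the two reports can be reproduced with a small comparison of passwd-format entries. This is an added example, not Centrify's code and not the sample.pl attached to this article; it assumes the AD entries have been exported in passwd format (as in the adquery output above), and the finding labels and the jdoe, svcapp and root entries are constructed for illustration.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    name: str
    uid: int
    gid: int

# The dt04547 lines are the ones quoted in this article; jdoe, svcapp and
# root are constructed sample entries.
AD_PASSWD = """\
dt04547:x:4547:42655:Mitch Montgomery:/dst/home/dt04547:/usr/bin/ksh
jdoe:x:5001:5001:Constructed User:/home/jdoe:/bin/sh
"""
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
dt04547:x:4547:8841:Mitch Montgomery:/dst/home/dt04547:/usr/bin/ksh
jdoe:x:1001:1001:Constructed User:/home/jdoe:/bin/sh
svcapp:x:5001:100:Constructed Service:/opt/svcapp:/bin/false
"""

def parse_passwd(text):
    """Parse passwd(5)-format text into {name: Entry}; malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        entries[fields[0]] = Entry(fields[0], int(fields[2]), int(fields[3]))
    return entries

def classify(local, ad):
    """Return {local name: [findings]} using the rules described in this article."""
    ad_by_uid = {e.uid: e for e in ad.values()}
    report = {}
    for name, loc in local.items():
        findings = []
        by_name, by_uid = ad.get(name), ad_by_uid.get(loc.uid)
        if by_name and by_name.uid != loc.uid:
            findings.append("uid-conflict")         # same name, different uid
        if by_uid and by_uid.name != name:
            findings.append("name-conflict")        # same uid, different name
        if by_name and by_name.uid == loc.uid and by_name.gid != loc.gid:
            findings.append("primary-gid-differs")  # same person, other primary gid
        report[name] = findings
    return report

if __name__ == "__main__":
    result = classify(parse_passwd(LOCAL_PASSWD), parse_passwd(AD_PASSWD))
    for name, findings in result.items():
        print(name, findings or "no conflict")
```

For dt04547 the only finding is the differing primary gid, which is the case adrmlocal listed and adfixid did not treat as a conflict.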
 
 
In conclusion:
 
(1) adfixid and adrmlocal are for different purposes,
 
(2) There is no need to remove dt04547 after adfixid - since the user profile will come from AD. 
 
The standard practice is to choose one way or the other; there is no need to use both tools in an environment.
 
In this particular case, /etc/passwd will be superseded as CentrifyDC is first in line for PAM and NSS.
The system will only see the AD profile; therefore adrmlocal is not necessary. 
 
Due to the wide variety of desired behaviors in different environments, Centrify will be deprecating adfixid and adrmlocal in favor of adedit, which can be used to script the exact behavior needed.
 
Note:
 
Attached to the end of this KB article is a sample perl script to check UID and GID conflicts.
This script should be run after the machine is joined to domain.
 
To do a test run:
sudo ./sample.pl -n
 
To run and fix conflicts:
sudo ./sample.pl
 
Attachments:
