Applies to: All versions of Centrify DirectControl
Why are Centrify users not able to log in?
Running adquery shows the shell as /sbin/nologin, for example:
# adquery user -A jsmith
dn:CN=John Smith,OU=Local Consultants,OU=Information Technology,OU=US,DC=acme,DC=com
canonicalName:acme.com/US/Information Technology/Local Consultants/John Smith
passwordExpires:Thu Apr 18 20:22:54 2013
nextPasswordChange:Sun Jan 20 19:22:54 2013
lastPasswordChange:Fri Jan 18 19:22:54 2013
memberOf:acme.com/Groups/Domain Local/Information Technology,acme.com/Groups/Global/Active Email Users,acme.com/Groups/Global/QA,1800flowers.int/Groups/Global/Domain
a) To access a machine, a user must have an identity in the form of a complete UNIX profile and an assignment to at least one role that is valid in the zone to which the machine is joined.
b) In order to be able to log in to a machine, a user must be assigned to at least one role with either the 'Password login and non-password (SSO) login are allowed' or 'Non-password login is allowed' system right enabled. By default, no system rights are enabled for a new role.
Right-click the role -> Properties -> System Rights, then enable either the "Password login and non-password (SSO) login are allowed" or the "Non-password login is allowed" system right for that role.
On the UNIX machine:
1. Flush the cache by running
# adflush -f
2. Check the adquery attributes for the user. Confirm that the shell is set to the user's default shell (not /sbin/nologin) and that zoneEnabled is true.
# adquery user -A <username>
3. Confirm the roles assigned to the user:
# dzinfo <username>
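The three UNIX-side steps above can be wrapped in a short script. The following is an added example, not Centrify's own tooling: with no argument it exercises the check against constructed adquery output embedded in the script, and with a username it runs the real adflush, adquery and dzinfo commands on a DirectControl-joined host. It assumes that adquery user -A prints one key:value attribute per line, with the shell under a shell: key and the zone status under a zoneEnabled: key (the format shown in the sample output above); the sample records below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Centrify's code). Automates the checks from the KB:
#   adflush -f; adquery user -A <user>; dzinfo <user>
# Assumption: adquery prints "shell:<path>" and "zoneEnabled:true|false" lines.

# check_profile OUTPUT
# Inspects adquery output passed as a string. Returns 0 when the profile looks
# loginable (a real shell and zoneEnabled:true), 1 otherwise, printing each
# problem found.
check_profile() {
    out=$1
    shell=$(printf '%s\n' "$out" | sed -n 's/^shell:[[:space:]]*//p' | head -n 1)
    zone=$(printf '%s\n' "$out" | sed -n 's/^zoneEnabled:[[:space:]]*//p' | head -n 1)
    rc=0
    case "$shell" in
        "")
            echo "no shell attribute: the UNIX profile is incomplete in this zone"
            rc=1 ;;
        */nologin|*/false)
            echo "shell is $shell: no assigned role grants a login system right"
            rc=1 ;;
    esac
    if [ "$zone" != "true" ]; then
        echo "zoneEnabled is '${zone:-unset}': user is not enabled in this zone"
        rc=1
    fi
    return $rc
}

# check_user USERNAME
# The real procedure: flush the cache, query the profile, then list roles.
check_user() {
    user=$1
    adflush -f || echo "warning: adflush -f failed (run as root)" >&2
    if ! out=$(adquery user -A "$user"); then
        echo "adquery could not find $user in this zone"
        return 2
    fi
    if check_profile "$out"; then
        echo "$user: profile looks loginable; now check the role assignments below"
    else
        echo "$user: profile problems found; compare with the role assignments below"
    fi
    dzinfo "$user"
}

# Constructed sample records (not captured from a real host) mirroring the KB case.
SAMPLE_NOLOGIN='dn:CN=John Smith,OU=Local Consultants,OU=Information Technology,OU=US,DC=acme,DC=com
unixName:jsmith
shell:/sbin/nologin
zoneEnabled:true'
SAMPLE_OK='dn:CN=John Smith,OU=Local Consultants,OU=Information Technology,OU=US,DC=acme,DC=com
unixName:jsmith
shell:/bin/bash
zoneEnabled:true'

case "${1:-}" in
    "")  # no username given: demonstrate against the constructed samples
        echo "-- sample with /sbin/nologin:"
        if check_profile "$SAMPLE_NOLOGIN"; then echo "unexpected: passed"; fi
        echo "-- sample with a real shell:"
        if check_profile "$SAMPLE_OK"; then echo "profile looks loginable"; fi
        ;;
    *)   check_user "$1" ;;
esac
```

Run it as `sh check_login.sh jsmith` on the affected host after fixing the role in the console; if check_profile still reports /sbin/nologin after the adflush -f, the role assignment has not reached the zone the machine is joined to, and the dzinfo output will show which roles the user actually holds there.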
In addition to a login system right, the ability to log in requires a way to log in; that is, access to at least one PAM application. In a UNIX environment, a typical user has the right to log in to their default shell through any of the standard PAM applications (login, ftp, telnet, etc.), with or without a password.
To facilitate role assignments for these typical UNIX users on DirectControl-managed computers, DirectControl predefines a role called 'login', which enables the password, non-password, and non-restricted shell system rights, and adds a PAM right that grants access to all PAM applications. Rather than create your own login role to assign to typical UNIX users, you can simply assign them this predefined role.
The 'Login with non-Restricted shell' right determines whether users are assigned their default shell or assigned to the dzsh restricted-shell environment.
The rights granted by roles accumulate, so a user receives all the rights from every role to which they are assigned. This means that system rights do not need to be granted on every role you define: it is enough that any user who needs a login is assigned at least one role that carries login rights (such as the predefined login role).
For further reading on building a complete Zone Profile, please see:
KB-3038: How to add an AD user into a Centrify Zone.
KB-3020: How to troubleshoot if a user is not shown in "Show Effective Users"