KB-3029: Running adquery shows the user's shell as '/sbin/nologin' and user can't login

Centrify DirectControl

29 February 2016 at 04:00 PM

Applies to: All versions of Centrify DirectControl

Question:

Why are Centrify users not able to log in?

Running adquery shows the shell as /sbin/nologin, for example:

# adquery user -A jsmith
unixname:jsmithi
uid:732430
gid:732430
gecos:John Smith
home:/home/jsmith
shell:/sbin/nologin
dn:CN=John Smith,OU=Local Consultants,OU=Information Technology,OU=US,DC=acme,DC=com
samAccountName:JSmith
displayName:John Smith
sid:S-1-5-21-2071661896-1205500103-1105138716-65934
userPrincipalName:JSmith@acme.om
canonicalName:acme.com/US/Information Technology/Local Consultants/John Smith
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 18 20:22:54 2013
passwordWillExpire:9
nextPasswordChange:Sun Jan 20 19:22:54 2013
lastPasswordChange:Fri Jan 18 19:22:54 2013
accountLocked:false
accountDisabled:false
zoneEnabled:false
unixGroups:jsmith
memberOf:acme.com/Groups/Domain Local/Information Technology,acme.com/Groups/Global/Active Email Users,acme.com/Groups/Global/QA,1800flowers.int/Groups/Global/Domain


Answer:


a) To access a machine, a user must have an identity in the form of a complete UNIX profile and an assignment to at least one role that is valid in the zone to which the machine is joined.

 

b) To be able to log in to a machine, a user must be assigned to at least one role with either the 'Password login and non-password (SSO) login are allowed' or 'Non-password login is allowed' system right enabled. By default, no system rights are enabled for a new role.

To enable one of these rights, right-click the role -> Properties -> System Rights, and enable either the "Password login and non-password (SSO) login are allowed" or "Non-password login is allowed" system right for that role.


On the UNIX machine:

1. Flush the cache by running:

        # adflush -f

2. Check the adquery attributes for the user. Confirm that the shell is set to the user's default shell and that zoneEnabled is true:

        # adquery user -A <username>

3. Confirm the roles assigned to the user:

        # dzinfo <username>
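When checking many accounts, step 2 is easier to automate than to eyeball. The script below is an added example (not Centrify's code): it parses the key:value output of `adquery user -A` and flags the attributes this article says block a login (shell of /sbin/nologin, zoneEnabled not true, plus a locked or disabled account). The sample output it runs on is constructed to match the shape shown above, including a value that wrapped onto a second line.

```python
"""Parse 'adquery user -A <user>' output and flag login blockers.
Added example, not Centrify code; the sample output below is constructed."""


def parse_adquery(text):
    """Return a dict of attribute -> value from adquery's key:value lines.
    A line without a colon (a long value wrapped by the terminal or a copy
    and paste) is appended to the previous attribute; blank lines are skipped."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
        elif last is not None:
            attrs[last] += line
    return attrs


def login_blockers(attrs):
    """Return the reasons, per the KB's checklist, that this profile would
    be refused a login. An empty list means the profile itself looks usable."""
    reasons = []
    shell = attrs.get("shell", "")
    if shell in ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false", ""):
        reasons.append("shell is %r: check role assignment and system rights (dzinfo)" % shell)
    if attrs.get("zoneEnabled", "false").lower() != "true":
        reasons.append("zoneEnabled is not true: UNIX profile or role assignment incomplete")
    for flag in ("accountLocked", "accountDisabled"):
        if attrs.get(flag, "false").lower() == "true":
            reasons.append("%s is true" % flag)
    return reasons


# Constructed sample in the shape of the article's output: a wrapped
# userPrincipalName value and a profile that cannot log in.
SAMPLE_BROKEN = """
unixname:jsmith
uid:732430
shell:/sbin/nologin
userPrincipalName:JSmith
@example.com
accountLocked:false
accountDisabled:false
zoneEnabled:false
"""

if __name__ == "__main__":
    for reason in login_blockers(parse_adquery(SAMPLE_BROKEN)):
        print("BLOCKER:", reason)
```

Feed it the real output with `adquery user -A <username> | python3 check_profile.py` style plumbing (reading stdin instead of SAMPLE_BROKEN) after the adflush in step 1, so you are not reading a stale cache.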


In addition to a login system right, the ability to log in requires a way to log in; that is, access to at least one PAM application. In a UNIX environment, a typical user has rights to log in to their default shell through any of the standard PAM applications (login, ftp, telnet, etc.), with or without a password.


To facilitate role assignments for these typical UNIX users on DirectControl-managed computers, DirectControl predefines a role called 'login', which enables the password, non-password, and non-restricted shell system rights, and adds a PAM right that grants access to all PAM applications. Rather than create your own login role to assign to typical UNIX users, you can simply assign them this predefined role.

The 'Login with non-Restricted shell' right determines whether users are assigned their default shell or assigned to the dzsh restricted-shell environment.


The rights granted by roles accumulate, so users receive all the rights from all the roles to which they are assigned. This means you do not need to grant system rights to every role you define, as long as every user who needs a login is assigned at least one role with login rights (such as the predefined login role).


For further reading on building a complete Zone Profile, please see:

KB-3038: How to add an AD user into a Centrify Zone.

KB-3020: How to troubleshoot if a user is not shown in "Show Effective Users"
