KB-3029: Running adquery shows the user's shell as '/sbin/nologin' and user can't login

Authentication Service

30 March,18 at 02:53 PM


Why are Centrify users not able to log in?

Running adquery shows the shell as /sbin/nologin, for example:

# adquery user -A jsmith


gecos:John Smith
dn:CN=John Smith,OU=Local Consultants,OU=Information Technology,OU=US,DC=acme,DC=com
displayName:John Smith
sid:S-1-5-21-2071661896-1205500103-1105138716-65934 Technology/Local Consultants/John Smith
passwordExpires:Thu Apr 18 20:22:54 2013
nextPasswordChange:Sun Jan 20 19:22:54 2013
lastPasswordChange:Fri Jan 18 19:22:54 2013
unixGroups:jsmith Local/Information Technology, Email Users,,


a) To access a machine, a user must have an identity in the form of a complete UNIX profile and an assignment to at least one role that is valid in the zone to which the machine is joined.

b) In order to be able to log in to a machine, a user must be assigned to at least one role with either the 'Password login and non-password (SSO) login are allowed' or 'Non-password login is allowed' system right enabled. By default, no system rights are enabled for a new role.

To fix this, right-click the role -> Properties -> System Rights, and enable either the "Password login and non-password (SSO) login are allowed" or "Non-password login is allowed" system right for that role.

On the UNIX machine:

1. Flush the cache by running

adflush -f  

2. Check the adquery attributes for the user. Confirm that the shell is set to the user's default shell and that Zone Enabled is true.

# adquery user -A <username>

3. Confirm the roles assigned to the user.

 # dzinfo <username>
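The check in step 2 can be scripted. The following is an added example, not Centrify's own code: it assumes adquery prints one key:value attribute per line and that the relevant keys are named shell and zoneEnabled. The sample output and the result tokens are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `adquery user -A <username>` output read on stdin.
# Assumptions: one key:value attribute per line; the keys are named
# "shell" and "zoneEnabled". Result tokens are this example's own.
#   NO_PROFILE       no shell attribute found (no complete UNIX profile)
#   ZONE_NOT_ENABLED zoneEnabled is missing or not "true"
#   NO_LOGIN_RIGHT   shell is a nologin shell (no role with a login system right)
#   OK               default shell assigned and zone enabled
check_login_profile() {
    awk -F: '
        # Return everything after the first colon, trimmed of blanks.
        function value(line,   v) {
            v = substr(line, index(line, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            return v
        }
        $1 == "shell"       { shell = value($0) }
        $1 == "zoneEnabled" { zone = tolower(value($0)) }
        END {
            if (shell == "")          { print "NO_PROFILE"; exit }
            if (zone != "true")       { print "ZONE_NOT_ENABLED"; exit }
            if (shell ~ /\/nologin$/) { print "NO_LOGIN_RIGHT"; exit }
            print "OK"
        }'
}

# Constructed sample resembling the symptom in this article.
sample_nologin() {
    cat <<'EOF'
gecos:John Smith
displayName:John Smith
shell:/sbin/nologin
zoneEnabled:true
EOF
}

# Run against the constructed sample; on a joined machine use instead:
#   adflush -f && adquery user -A jsmith | check_login_profile
sample_nologin | check_login_profile
```

A NO_LOGIN_RIGHT result points back to the role's System Rights; use dzinfo to see which roles the user actually holds.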

In addition to a login system right, the ability to log in requires a way to log in; that is, access to at least one PAM application. In a UNIX environment, a typical user has rights to log in to their default shell through any of the standard PAM applications (login, ftp, telnet, etc.) with or without a password.

To facilitate role assignments for these typical UNIX users on DirectControl-managed computers, DirectControl predefines a role called 'login', which enables the password, non-password, and non-restricted shell system rights, and adds a PAM right that grants access to all PAM applications. Rather than create your own login role to assign to typical UNIX users, you can simply assign them this predefined role.

The 'Login with non-Restricted shell' right determines whether users are assigned their default shell or assigned to the dzsh restricted-shell environment.

The rights granted by roles accumulate: users are granted all the rights from all the roles to which they are assigned. This means it is not necessary to grant system rights to every role you define, as long as every user who needs to log in is assigned one role with login rights (such as the predefined login role).

For further reading on building a complete Zone Profile, please see:

KB-3038: How to add an AD user into a Centrify Zone

KB-3020: How to troubleshoot if a user is not shown in "Show Effective Users"