Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3038: How to add an AD user into a Centrify Zone.

Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:11 AM

Applies to: Centrify DirectControl console / Centrify DirectManage Access Manager for all versions of Centrify Suites
 
Question:
 
A workstation has been successfully joined to the domain in Zone Mode and the adinfo command shows that the machine is running in Connected mode:
 
# adinfo
...
CentrifyDC mode:   connected
...
 
However the AD user is unable to login. Running an adquery on the user shows that they are not enabled for the Zone:
 
# adquery user -A username
...
zoneEnabled:false
...
 
How can the user be enabled for the Zone?
 

Answer:
 
Note: The following information and further reading can also be found:
The essential steps are as follows: 
  1. On the Windows server with the Centrify Suite installed, open the DirectManage Access Manager / DirectControl console. 
     
  2. Expand to the Zone where the computer has been joined is and go into the UNIX Data > Users section > Right-click and select "Add User to Zone"
     
    User-added image
     
     
    1. Search and select the AD account to be added, the "Set UNIX User Profile" menu appears.
       
      - The UID and primary group can be set to desired values, for testing purposes; set a UID of 100001 and the primary group to <auto private group> from the dropdown. (Note that these can also be auto-filled using the User Defaults tab in the Zone Properties menu).
       
      - The UNIX User Profile must have at least the following attributes configured for it to be considered complete: 
      • Login name 
      • UID 
      • Primary group 
      • Home directory 
      • Shell
      User-added image

       
    2. Once the AD account has been added into the Zone, it needs to be authorised for Login. The Login Role can be assigned to a whole AD group so that the Role gets applied to every member of that group, or it can be assigned to an individual account so that only that user can login. 
       
      Note: An AD account needs to be both a member of the Centrify Zone AND given a Login Role before they are authorised for logging into a Zone. Members within an AD group which has been assigned a Login Role, but who do not have a complete Zone Profile and have not been added into the Zone itself will still not be able to login to that Zone. 
       
    3. To check if the user account has been authorised for login to a Zone, right-click on the blue globe icon of the Zone and select "Show Effect UNIX User Rights". 
       
    4. Select the desired computer from the dropdown list and check that the account shows up in the list of users below.

      User-added image

       
    5. Click on the "PAM Accesses" / "Rights" tab and make sure that user has the "login-all" PAM permission.
       
    6. If the account does not show up in this list, then go back to the Zone tree and below the "UNIX Data" section is the "Authorization" section - expand this and right-click on "Role Assignments". 
       
    7. Select "Assign Role" and select "UNIX Login" > Add the AD account or AD group into the Role Assignments and then check the Show Effective Users box again.
       
      Note: On Centrify Suite 2012 and prior, the login role was just named "Login".
       
      User-added image
       
      User-added image
       
      User-added image
       
      User-added image
       
      Once the account is listed under the computer in the Show Effective Users box, it will be deemed authorised for login in that Zone. 
       
    8. Go to a Centrify-joined workstation and run the commands:

      # sudo adflush
      # adquery user -A username

      The user output will now return as:
      ...
      zoneEnabled:true
      ...

    Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.