Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3168: adquery not seeing group membership

Centrify DirectControl ,  

12 April,16 at 11:09 AM

Applies to: All versions of Centrify DirectControl
 
Question:
 
A user test_user has membership in group UNIX-CompChem-U and can be confirmed with an ldapsearch
 
However adquery does not show the group (indicating that adclient doesn't recognize it). 
This was noticed on multiple systems as the user needs membership in that group in order to gain access to these hosts via the pam.allow.groups setting:
 
user@servername:$ /usr/share/centrifydc/bin/ldapsearch -E pr=1000/noprompt -s sub -r -LLL -Q -H ldap:// -b $(adquery user -D test_user) memberOf 
 
dn: CN=test_user,OU=CEW,OU=User,OU=Accounts,DC=amer,DC=yourcompany,DC=com 
 
memberOf: CN=GBL-NON-COLLEAGUES-U,OU=CVW,OU=Security,OU=Groups,DC=amer,DC=yourcompany,DC=com 
memberOf: CN=GBL-NON-COLLEAGUES-U,OU=GVW,OU=Security,OU=Groups,DC=amer,DC=yourcompany,DC=com 
memberOf: CN=DL-CAM-200CPD Contractors,OU=CEW,OU=Security,OU=Groups,DC=amer,DC=yourcompany,DC=com 
memberOf: CN=UNIX-CompChem-U,OU=global,OU=Groups,OU=UNIX,DC=amer,DC=yourcompany,DC=com 
memberOf: CN=DL-WWMC CAM All,OU=GRO,OU=Distribution,OU=Groups,DC=amer,DC=yourcompany,DC=com 
memberOf: CN=CEW-DMSStandardUsers01-G,OU=CEW,OU=Security,OU=Groups,DC=amer,DC=yourcompany,DC=com
 
user@servername:$ adquery user -a test_user 
 
amer.yourcompany.com/Groups/Distribution/ADW/DL-Guests 
amer.yourcompany.com/Groups/Distribution/GRO/DL-All 
amer.yourcompany.com/Groups/Distribution/GRO/DL-Research 
amer.yourcompany.com/Groups/Distribution/GRO/DL-WWMC CAM All 
amer.yourcompany.com/Groups/Distribution/GRO/DL-WWMC-All 
amer.yourcompany.com/Groups/Distribution/GRO/DL-Global-All 
amer.yourcompany.com/Groups/Security/CEW/CEW-DMSStandardUsers01-G 
amer.yourcompany.com/Groups/Security/CITTS/AMR-TS-SoftGridUsers-L 
amer.yourcompany.com/Groups/Security/CVW/GBL-NON-COLLEAGUES-U 
amer.yourcompany.com/Groups/Security/GRO/GRO-GP-UserTestGroup-L 
amer.yourcompany.com/Groups/Security/GVW/GBL-NON-COLLEAGUES-U 
amer.yourcompany.com/Groups/Security/MOP/AMR-DMSStandardUsers-G 
amer.yourcompany.com/Groups/Security/MOPPAH/MOP-PAH-iPad_Materials-R-L 
amer.yourcompany.com/Groups/Security/VEG/VEG-PKG-General Meeting-R-L 
amer.yourcompany.com/Groups/Security/VEG/VEG-PKG-ORM-R-L 
amer.yourcompany.com/Groups/Security/VEG/VEG-PKG-PKG Excellence-R-L 
amer.yourcompany.com/Groups/Security/VEG/VEG-PRRegion_OHW_PR-RW-L 
amer.yourcompany.com/Infra/Groups/CIT-AllForestUsers-U 
amer.yourcompany.com/Users/Domain Users 
emea.yourcompany.com/Groups/Distribution/SAN/DL-Guests 


Answer:
 
The AD group in question (UNIX-CompChem-U) was created as a Distribution Group which has never been supported by Centrify. Only Security Groups are supported.
 
Note: Centrify's Zone Provisioning Agent does support Distribution Groups (for provisioning users only).

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-3925: How to add Centrify parameter to a group policy articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient? articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-2003: Cannot login when pam.groups.allow is enabled articleKB-2090: "adquery group" command does not return primary group members articleKB-2081: groups command fail to retrieve all AD groups