Problem:
When the Unix command 'groups <user>' is executed on a Centrify-enabled system, that user's homedir gets mounted. This does not happen on NIS-based machines. Why would adclient access a user's homedir simply because their group membership is being queried?
On a Centrify machine:
[joeuser@mymachine ~]$ ls -l /home
total 52K
drwxr-xr-x 113 mphun design 32K Jul 19 11:28 mphun
drwxr-xr-x 22 rdp cad 8.0K Jul 19 11:53 rdp
drwxr-xr-x 28 joeuser cad 8.0K Jul 19 11:19 joeuser
[joeuser@mymachine ~]$ groups ryye
ryye : design admin cad provision
[joeuser@mymachine ~]$ ls -l /home
total 516K
drwxrwxrwt 9 root disk 432K Jul 19 2011 mail
drwxr-xr-x 113 mphun design 32K Jul 19 11:28 mphun
drwxr-xr-x 22 rdp cad 8.0K Jul 19 11:53 rdp
drwxr-xr-x 138 ryye design 24K Jul 18 16:55 ryye
drwxr-xr-x 28 joeuser cad 8.0K Jul 19 11:19 joeuser
Note that in the above output, /home/ryye has been mounted because the groups command was executed earlier.
However, on a NIS machine:
[joeuser@ca2h1747 ~]$ ls -l /home
total 608K
drwxr-xr-x 6 root root 4.0K Jul 9 2008 admin
drwxrwxrwt 9 root disk 432K Jul 19 12:49 mail
drwxr-xr-x 28 joeuser cad 8.0K Jul 19 12:49 joeuser
drwxrwsr-x 68 root admin 8.0K Jan 3 2011 usr_local
[joeuser@ca2h1747 ~]$ groups ryye
ryye : design cad admin provision
[joeuser@ca2h1747 ~]$ ls -l /home
total 608K
drwxr-xr-x 6 root root 4.0K Jul 9 2008 admin
drwxrwxrwt 9 root disk 432K Jul 19 12:49 mail
drwxr-xr-x 28 joeuser cad 8.0K Jul 19 12:49 joeuser
drwxrwsr-x 68 root admin 8.0K Jan 3 2011 usr_local
Notice that /home/ryye is *not* mounted. Is there a reason for the difference?
Cause:
This is a known issue with Centrify which came about as a result of a feature request.
Resolution:
The following parameter must be set in /etc/centrifydc/centrifydc.conf as root. Afterwards, run /usr/sbin/adreload (or restart centrify) for the change to take effect.
adclient.ignore.setgrpsrc: true
Please be aware that this workaround does not affect the usage of the adsetgroups command (see the man pages for the syntax). In the simplest case, a user logs into a machine, uses 'adsetgroups' to select a subset of their groups to show up as their current groups in a new shell, and then runs whatever command requires those group memberships; in that case it's OK if the adsetgroups command checks for files in the user's homedir. The reason is that at that point the user has already logged in, so we know that their homedir is mounted.