Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3172: Centrify/adclient accesses user homedir on simple nameservice lookups

Authentication Service ,  

17 September,20 at 02:01 PM

Problem:
 
When the unix command 'groups <user>' is executed on a Centrify-enabled system, their homedir gets mounted. This does not happen on NIS-based machines. Why would adclient access a user's homedir simply because their group membership was being queried? 
 
On a Centrify machine: 
 
[joeuser@mymachine ~]$ ls -l /home 
total 52K 
drwxr-xr-x 113 mphun design 32K Jul 19 11:28 mphun 
drwxr-xr-x 22 rdp cad 8.0K Jul 19 11:53 rdp 
drwxr-xr-x 28 joeuser cad 8.0K Jul 19 11:19 joeuser 
 
[joeuser@mymachine ~]$ groups ryye 
ryye : design admin cad provision 
 
[joeuser@mymachine ~]$ ls -l /home 
total 516K 
drwxrwxrwt 9 root disk 432K Jul 19 2011 mail 
drwxr-xr-x 113 mphun design 32K Jul 19 11:28 mphun 
drwxr-xr-x 22 rdp cad 8.0K Jul 19 11:53 rdp 
drwxr-xr-x 138 ryye design 24K Jul 18 16:55 ryye 
drwxr-xr-x 28 joeuser cad 8.0K Jul 19 11:19 joeuser 
 
Note in the above output, the /home/ryye has been mounted as the groups command was executed earlier.
 
However, on a NIS machine: 
[joeuser@ca2h1747 ~]$ ls -l /home 
 
total 608K 
drwxr-xr-x 6 root root 4.0K Jul 9 2008 admin 
drwxrwxrwt 9 root disk 432K Jul 19 12:49 mail 
drwxr-xr-x 28 joeuser cad 8.0K Jul 19 12:49 joeuser 
drwxrwsr-x 68 root admin 8.0K Jan 3 2011 usr_local 
 
[joeuser@ca2h1747 ~]$ groups ryye 
ryye : design cad admin provision 
 
[joeuser@ca2h1747 ~]$ ls -l /home 
 
total 608K 
drwxr-xr-x 6 root root 4.0K Jul 9 2008 admin 
drwxrwxrwt 9 root disk 432K Jul 19 12:49 mail 
drwxr-xr-x 28 joeuser cad 8.0K Jul 19 12:49 joeuser 
drwxrwsr-x 68 root admin 8.0K Jan 3 2011 usr_local 
 
Notice that /home/ryye is *not* mounted. Is there any reason?
 
Cause:
 
This is a known issue with Centrify which came as a result of a feature request.
 
Resolution:
 
The following parameter must be set in /etc/centrifydc/centrifydc.conf as root. The command /usr/sbin/adreload (or centrify restart) is needed for changes to go into effect.
 
adclient.ignore.setgrpsrc: true 
 
Please be aware that this workaround does not affect the usage of the adsetgroups command (please see man pages for the syntax).  In the simplest case, when a user logs into a machine and uses 'adsetgroups' to select a subset of their groups to show up as their current groups in a new shell, and then runs whatever command which requires those group memberships,  its OK if the adsetgroups command checks for files in the user's homedir. The reason being is that at that point, the user has already logged in and we know that their homedir is mounted.
 
 
 

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? article[Labs] Using Centrify+AD+YubiKey to secure UNIX/Linux access with Strong Authentication articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? article[Labs] Setting-up an AWS Test Lab for Centrify articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0)