Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3730: Using UNIX command usermod to add an AD user to a machine local group

Authentication Service ,  

12 April,16 at 11:11 AM

Question:
 
The goal is adding an AD user to a local machine group. The KB article below covers the same topic, but it involves some administrative tasks from within Active Directory:
Is it possible to use UNIX command "usermod" to make an AD user a member of local machine group instead?
 
Answer:
 
usermod can be used to change user account attributes such as home directory, shell, uid, gid & etc.
These parts will never work as the local machine root does not have the authority to modify AD user characteristics.
 
This is why Centrify includes usermod in the NSS program ignore list in its default settings; so usermod does not look up account information in Active Directory and usermod will not work to modify AD user attributes under the default configuration.
 
If usermod is desired to update AD user group membership explicitly, use the following steps:
  1. Log into the target machine as root
  2. Open Centrify config file: /etc/centrifydc/centrifydc.conf
  3. Search for the following line: nss.program.ignore

    # Don't call Centrify group or user iteration for these programs
    # This helps prevent adding local users and groups that conflict with
    # DirectControl users in AD
    nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config-users,unix_chkpwd
     
  4. Remove "usermod" from the comma-separated list
  5. Save the file
  6. Restart adclient

    /usr/share/centrifydc/bin/centrifydc restart
 
 
See the example below:
 
[root@rhel5_5 samba]# usermod -a -G wheel test1
[root@rhel5_5 samba]# id test1
uid=37749839(test1) gid=37749890(dzdo_group) groups=37749890(dzdo_group),37749947(testgroup),37749882(testgrp),10(wheel)
[root@rhel5_5 samba]# getent group | grep wheel
wheel:x:10:root,test1
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6041: How to show current license type in use by adclient articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-3925: How to add Centrify parameter to a group policy articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[TIPS] A Centrify Server Suite Cheat Sheet