Question:
The goal is adding an AD user to a local machine group. The KB article below covers the same topic, but it involves some administrative tasks from within Active Directory:
Is it possible to use UNIX command "usermod" to make an AD user a member of local machine group instead?
Answer:
usermod can be used to change user account attributes such as home directory, shell, uid, gid, etc.
These will never work for an AD user, as the local machine's root does not have the authority to modify AD user characteristics.
This is why Centrify includes usermod in the NSS program ignore list in its default settings: usermod does not look up account information in Active Directory, so under the default configuration usermod will not work to modify AD user attributes.
If usermod is desired to update AD user group membership explicitly, use the following steps:
- Log into the target machine as root
- Open Centrify config file: /etc/centrifydc/centrifydc.conf
- Search for the following line: nss.program.ignore
# Don't call Centrify group or user iteration for these programs
# This helps prevent adding local users and groups that conflict with
# DirectControl users in AD
nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh,chpasswd,gpasswd,pwconv,pwunconv,grpconv,grpunconv,redhat-config-users,unix_chkpwd
- Remove "usermod" from the comma-separated list
- Save the file
- Restart adclient: /usr/share/centrifydc/bin/centrifydc restart
See the example below:
[root@rhel5_5 samba]# usermod -a -G wheel test1
[root@rhel5_5 samba]# id test1
uid=37749839(test1) gid=37749890(dzdo_group) groups=37749890(dzdo_group),37749947(testgroup),37749882(testgrp),10(wheel)
[root@rhel5_5 samba]# getent group | grep wheel
wheel:x:10:root,test1
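The config edit in the steps above, as an added POSIX sh example that is not part of the original answer or of Centrify's tooling: it removes one program from the nss.program.ignore line, keeps a backup, and offers a check that the program is really gone before adclient is restarted. It runs against a constructed sample file so nothing under /etc is touched; pass the real path to use it on a host.

```shell
# Added example: edit the nss.program.ignore list in a centrifydc.conf-style
# file (backup kept) and check whether a program is still listed.
remove_nss_ignore() {
  # $1 = config file, $2 = program name to remove (e.g. usermod)
  cfg="$1"; prog="$2"
  cp "$cfg" "$cfg.bak"            # keep a copy of the original file
  awk -v prog="$prog" '
    /^[[:space:]]*nss\.program\.ignore[[:space:]]*:/ {
      idx = index($0, ":")
      key = substr($0, 1, idx)             # "nss.program.ignore:"
      n = split(substr($0, idx + 1), items, ",")
      out = ""
      for (i = 1; i <= n; i++) {
        item = items[i]
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", item)
        if (item == "" || item == prog) continue
        out = (out == "") ? item : (out "," item)
      }
      print key " " out                    # rewritten list, usermod dropped
      next
    }
    { print }                              # every other line is unchanged
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
nss_ignore_contains() {
  # exit 0 if program $2 is still on the nss.program.ignore line of file $1
  awk -v prog="$2" '
    /^[[:space:]]*nss\.program\.ignore[[:space:]]*:/ {
      n = split(substr($0, index($0, ":") + 1), items, ",")
      for (i = 1; i <= n; i++) {
        gsub(/[[:space:]]/, "", items[i])
        if (items[i] == prog) found = 1
      }
    }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}
# Constructed sample standing in for /etc/centrifydc/centrifydc.conf
SAMPLE_CFG="${TMPDIR:-/tmp}/centrifydc.conf.sample"
cat > "$SAMPLE_CFG" <<'EOF'
# Don't call Centrify group or user iteration for these programs
nss.program.ignore: useradd,adduser,groupadd,addgroup,userdel,groupdel,usermod,groupmod,chfn,chsh
EOF
remove_nss_ignore "$SAMPLE_CFG" usermod
grep '^nss.program.ignore' "$SAMPLE_CFG"
```

After editing the real file, restart adclient as the steps describe so the new ignore list takes effect.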