Applies to: All versions of Centrify DirectAuthorize.
Why does X11 forwarding doesn't work when using "dzdo su - <user>", but works when using "su - <user>" command though?
When user is switched to mw by using "su - mw" command and run firefox. Firefox then starts.
When user is switched to mw by using "dzdo su - mw" command. Firefox cannot be started.
When the above command is executed with xshell and the error is different.
This is an expected behavior and is not considered as a bug.
Note that dzdo run as root, so when root does "su -" it bypassed all authentication. In other words, for root to do "su - <user>" this will not work either.
The error seen here when launching X app is:
PuTTY X11 proxy: MIT-MAGIC-COOKIE-1 data did not matchxterm Xt error: Can't open display: localhost:10.0
This means the .Xauthority and ssh connection does not match and this is how X sort out and protect against unauthorized connection.
When a normal user su - to another, user will be prompted for password. After login, you will see a new env variable:
This is the new X cookie for connection through the same SSH connection.
This would work if X11UseLocalhost is NOT used. However that means user will have to specify DISPLAY manually to name the Xserver and it is much less secure because this does not go through SSH connection.