Bug due to architecture made only the last role take effect.
Applies to: Centrify Suite 2015.1 (5.2.3) and below.
The issue applies to all releases prior to Centrify Suite 2016. If the same role is assigned through multiple role assignments, only the settings in the last role are used.
Due to a design limitation, when a given role has multiple role assignments, only the last one is recognized, even though all of them can be listed. The problem is that later in processing, the role assignments wind up in a map keyed by role name, which has only one slot per role. Therefore the last one wins.
Example: This issue can be reproduced on Fedora Server 22 with cdc build 5.2.3-429.

1. Install cdc and join to the domain.
2. Assign the Unix Login role to zone AD user nekou1, then assign the same role to nekog1 (a group of nekou1).
3. Run "adflush -f; dzinfo nekou1"

    [root@fcs22v3 523429]# dzinfo nekou1
    User: nekou1
    Forced into restricted environment: No

    Role Name       Avail Restricted Env
    --------------- ----- --------------
    UNIX Login/neko Yes   None
    UNIX Login/neko No    None            >>> The same role is listed twice here. This is incorrect.

4. Run "dzinfo -f nekou1"

    [root@fcs22v3 523429]# dzinfo -A -f nekou1
    nekou1:ROLE:Local User:No
    nekou1:ROLE:Role Name:UNIX Login/neko
    nekou1:ROLE:Description:Predefined system role for general UNIX login users.
    nekou1:ROLE:Avail:Yes
    nekou1:ROLE:Restricted Env:None
    nekou1:ROLE:Effective:Immediate
    nekou1:ROLE:Expires:Never
    nekou1:ROLE:Available Hours:Always
    nekou1:ROLE:NEXT:========
    nekou1:ROLE:Role Name:UNIX Login/neko     >>> The same role is listed twice. This is incorrect.

===================
This is fixed in Suite 2016 (adclient version 5.3.0).
Previously, when the same role was assigned to a user through multiple role assignments, dzinfo incorrectly displayed it as if multiple roles were assigned to the user, and it showed up as multiple sets of role properties and role assignment properties. This issue has been fixed in this version, and dzinfo will show one role, with one set of role properties and multiple role assignment properties.
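On releases prior to Suite 2016, the `dzinfo -A -f` output shown above can be checked for roles that reach a user through more than one assignment, and the one-slot map described earlier can be modelled against it. This is an added example, not Centrify code: the function names are hypothetical, the sample's last `Avail` line is constructed from the table output, and treating listing order as processing order is an assumption.

```python
from collections import defaultdict

# Layout copied from the `dzinfo -A -f` output on this page. The final Avail
# line is constructed to mirror the table output (first Yes, then No).
SAMPLE = """\
nekou1:ROLE:Local User:No
nekou1:ROLE:Role Name:UNIX Login/neko
nekou1:ROLE:Avail:Yes
nekou1:ROLE:Restricted Env:None
nekou1:ROLE:NEXT:========
nekou1:ROLE:Role Name:UNIX Login/neko
nekou1:ROLE:Avail:No
"""

def parse_records(text):
    """Return one dict per role record; a NEXT line starts a new record."""
    records, current = [], {}
    for line in text.splitlines():
        parts = line.strip().split(":", 3)
        if len(parts) != 4 or parts[1] != "ROLE":
            continue  # skip prompts, blank lines and annotations
        user, _, key, value = parts
        if key == "NEXT":
            if current:
                records.append(current)
            current = {}
        else:
            current.setdefault("user", user)
            current[key] = value
    if current:
        records.append(current)
    return [r for r in records if "Role Name" in r]

def last_wins(records):
    """Model of the one-slot map: a later record replaces an earlier one."""
    return {r["Role Name"]: r for r in records}

def duplicated_roles(records):
    """Role names held through more than one assignment, all records kept."""
    groups = defaultdict(list)
    for r in records:
        groups[r["Role Name"]].append(r)
    return {name: recs for name, recs in groups.items() if len(recs) > 1}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for name, dups in duplicated_roles(recs).items():
        kept = last_wins(recs)[name]
        print(f"{dups[0]['user']}: {name!r} assigned {len(dups)} times; "
              f"Avail seen {[d.get('Avail') for d in dups]}, one-slot map keeps {kept.get('Avail')}")
```

Any role reported by `duplicated_roles` is one where the settings of the other assignments are dropped on affected releases, so its assignments are worth reviewing before relying on the effective rights.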