Applies to: All versions of Centrify DirectControl
Question:
How to troubleshoot when a user shows up in Show Effective Users but adquery for the user shows the status as zoneEnabled:false
In the Centrify DirectManage Access Manager/DirectControl console, the user shows up in "Show Effective Users" for Centrify servers. On the UNIX machine, however, running adquery shows zoneEnabled:false, for example:
# adquery user -A jsmith
unixname:jsmithi
uid:732430
gid:732430
gecos:John Smith
home:/home/jsmith
shell:/sbin/nologin
dn:CN=John Smith,OU=Local Consultants,OU=Information Technology,OU=US,DC=acme,DC=com
samAccountName:JSmith
displayName:John Smith
sid:S-1-5-21-2071661896-1205500103-1105138716-65934
userPrincipalName:JSmith@acme.om
canonicalName:acme.com/US/Information Technology/Local Consultants/John Smith
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 18 20:22:54 2013
passwordWillExpire:9
nextPasswordChange:Sun Jan 20 19:22:54 2013
lastPasswordChange:Fri Jan 18 19:22:54 2013
accountLocked:false
accountDisabled:false
zoneEnabled:false
unixGroups:jsmith
memberOf:acme.com/Groups/Domain Local/Information Technology,acme.com/Groups/Global/Active Email Users,acme.com/Groups/Global/QA,acme.int/Groups/Global/Domain
Answer:
Since the user shows up in "Show Effective Users", the user has a valid UNIX profile in the Zone.
So please check if the user is included in the file
/etc/centrifydc/user.ignore
If so, please do the following:
a) Edit the file and remove the user.
b) Run the command adreload.
c) Make sure the user is not included in the files /etc/centrifydc/user.ignore and /etc/centrifydc/uid.ignore.
Then run adquery user -A <username> to verify zoneEnabled:true for the user.
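The ignore-file check above can be scripted. The following is an added example, not Centrify code: the function names and the IGNORE_DIR variable are hypothetical, and it assumes each ignore file holds one entry per line, with blank lines and '#' lines skipped. It matches whole lines only, so an entry for jsmith does not flag jsmithi.

```shell
#!/bin/sh
# Added example: report which Centrify ignore files list a user name or UID.
# Assumption: one entry per line; blank lines and '#' comment lines are skipped.

# Directory holding user.ignore and uid.ignore (path taken from the article).
IGNORE_DIR="${IGNORE_DIR:-/etc/centrifydc}"

# in_ignore_file FILE ENTRY
# Exit 0 if ENTRY appears as a complete line in FILE, 1 otherwise.
in_ignore_file() {
    [ -r "$1" ] || return 1
    # Drop CRs and surrounding whitespace so "jsmith " still matches,
    # then require an exact whole-line, fixed-string match.
    tr -d '\r' < "$1" |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^#' |
        grep -Fxq -- "$2"
}

# check_ignored USER [UID]
# Prints one line per ignore file that lists the user; exit 0 if any hit.
check_ignored() {
    user=$1
    uid=${2:-}
    hit=1
    if in_ignore_file "$IGNORE_DIR/user.ignore" "$user"; then
        echo "$user is listed in $IGNORE_DIR/user.ignore"
        hit=0
    fi
    if [ -n "$uid" ] && in_ignore_file "$IGNORE_DIR/uid.ignore" "$uid"; then
        echo "UID $uid is listed in $IGNORE_DIR/uid.ignore"
        hit=0
    fi
    return $hit
}

# Usage (values from the adquery output in this article):
#   check_ignored jsmith 732430
# After removing any reported entry, run adreload and re-check with
#   adquery user -A <username>
```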
For further reading on building a complete Zone Profile and on login issues, please see:
KB-3038: How to add an AD user into a Centrify Zone.
KB-3020: How to troubleshoot if a user is not shown in "Show Effective Users"
KB-3029: Running adquery shows the user's shell as '/sbin/nologin' and user can't login