Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-7524: Machine override is not applying

Authentication Service ,  

27 September,16 at 05:12 PM

Applies to:

All versions of Centrify DirectControl on all supported platforms.


User/group added to machine override is not applying to the machine (ie. 'adquery' reports incomplete details or access is not working as expected)


In this scenario, the cause of the issue is that the user/group that was added as a machine override (defined in Access Manager at the computer level) was the first override added.

When an override is added to a machine for the first time, a new container is created in AD that is associated with the computer account and Centrify profile object (serviceConnectionPoint). This object is a computer zone. The LDAP query responsible for seeking this object is very resource-expensive, so it is only performed by the agent during the startup logic. Until this search is performed, the agent does not know about the new object that has become associated with it, which results in the new information not being made available to the host. 

Here is an example of what the objects in AD can be expected to look like once a computer zone has been added:

# ldapsearch -QLLLrm -b "CN=Computers,CN=Legion,CN=Alera,CN=Zones,OU=Centrify,DC=alera,DC=ath" "(cn=rhel65*)" cn objectClass
dn: CN=rhel65.alera.ath,CN=Computers,CN=Legion,CN=Alera,CN=Zones,OU=Centrify,DC=alera,DC=ath
objectClass: top
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
cn: rhel65.alera.ath

dn: CN=rhel65.alera.ath:zone,CN=Computers,CN=Legion,CN=Alera,CN=Zones,OU=Centrify,DC=alera,DC=ath
objectClass: top
objectClass: container
cn: rhel65.alera.ath:zone


This behavior is expected. Please restart the 'centrifydc' service on the host. This will force the host to effectively rebuild what it knows about itself, as present in AD. This is necessary as there is now a new object created that it is associated with. Once this has been performed, the machine override should be available, as expected.

Note: This is a one-time occurrence, once the first override has been added, and should not be necessary for future work-flow. If you would like to introduce a deployment step to head this off, the computer zones may always be pre-created, which would render this a non-issue.