Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8032: The Primary Group Keeps Changing for Users on an HPUX server

Authentication Service ,  

28 December,16 at 07:12 PM

Applies to:
All supported versions of DirectControl on HP-UX servers.

Problem:
When setting the primary group for users on an HP-UX server via the user override option, the primary group will remain correct until Active Directory synchronizes. At that point, the primary group changes to one of the secondary groups. This doesn't happen on a Red Hat system.

Cause:
In the centrifydc.conf file, the following parameter is set to false by default:

nss.passwd.override.primary_group_only

So for a given AD user, adclient will loop through the passwd.ovr file looking for any match to override the user profile and the first match wins.

For example, if a customer has the following in the passwd.ovr file:

+@CTFY-admin::::113::::
+@CTFY-mpe::::400::::

a user who is a member of CTFY-adminmpe, which is a secondary group, gets this group set as the primary because it's the first match.

Red Hat doesn't utilize this process so the problem isn't seen on those servers.

Resolution:
By going to the centrifydc.conf file and changing the setting:

nss.passwd.override.primary_group_only: false

to

nss.passwd.override.primary_group_only: true

and then running:

adflush and adreload

It tells adclient to apply the override only if the user primary group matches and it will ignore the secondary group.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6041: How to show current license type in use by adclient articleKB-3925: How to add Centrify parameter to a group policy articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III