Applies to:
All supported versions of DirectControl on HP-UX servers.

Problem:
When setting the primary group for users on an HP-UX server via the user override option, the primary group will remain correct until Active Directory synchronizes. At that point, the primary group changes to one of the secondary groups. This doesn't happen on a Red Hat system.

Cause:
In the centrifydc.conf file, the following parameter is set to false by default:

nss.passwd.override.primary_group_only

So for a given AD user, adclient will loop through the passwd.ovr file looking for any match to override the user profile and the first match wins.

For example, if a customer has the following in the passwd.ovr file:

+@CTFY-admin::::113::::
+@CTFY-mpe::::400::::

a user who is a member of CTFY-adminmpe, which is a secondary group, gets this group set as the primary because it's the first match.

Red Hat doesn't utilize this process so the problem isn't seen on those servers.

Resolution:
By going to the centrifydc.conf file and changing the setting:

nss.passwd.override.primary_group_only: false

to

nss.passwd.override.primary_group_only: true

and then running:

adflush and adreload

It tells adclient to apply the override only if the user primary group matches and it will ignore the secondary group.