Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-8032: The Primary Group Keeps Changing for Users on an HPUX server

Authentication Service ,  

28 December,16 at 07:12 PM

Applies to:
All supported versions of DirectControl on HP-UX servers.

When setting the primary group for users on an HP-UX server via the user override option, the primary group will remain correct until Active Directory synchronizes. At that point, the primary group changes to one of the secondary groups. This doesn't happen on a Red Hat system.

In the centrifydc.conf file, the following parameter is set to false by default:


So for a given AD user, adclient will loop through the passwd.ovr file looking for any match to override the user profile and the first match wins.

For example, if a customer has the following in the passwd.ovr file:


a user who is a member of CTFY-adminmpe, which is a secondary group, gets this group set as the primary because it's the first match.

Red Hat doesn't utilize this process so the problem isn't seen on those servers.

By going to the centrifydc.conf file and changing the setting:

nss.passwd.override.primary_group_only: false


nss.passwd.override.primary_group_only: true

and then running:

adflush and adreload

It tells adclient to apply the override only if the user primary group matches and it will ignore the secondary group.