All versions of Centrify DirectControl
Root is unable to su to a zone-enabled account. The session shows the following output:
# su - tetsu
su: user tetsu does not exist.
adquery user -A tetsu returns a good, zone-enabled profile.
dzinfo -A tetsu shows the user has a login role.
This situation can occur if the zone has been moved in Access Manager so that it is no longer a child zone in a hierarchical zone structure, but the location of the zone container in Active Directory is not changed. In the example below, the child zone is named test and the parent zone is named Global.
In Active Directory, and in the adinfo output below, the test zone still appears to be a child of the Global zone.
The adinfo output on a machine in the test zone shows the path to the zone. This path also implies that test is a child zone of Global.
However, in Access Manager, it can be seen that the test zone is actually parallel with the Global zone.
When the test zone was moved in Access Manager, a prompt appeared asking whether the location of the zone (inside Active Directory) should be moved as well.
In this case, the response was No. This left the test zone container in the same location in ADUC, giving the wrong impression that the test zone is still a child zone of Global, both in the adinfo output and when looking in ADUC.