Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-8554: The "su - <user>" Command Does Not Create the Home Directory For The User

Authentication Service ,  

11 September,17 at 06:31 PM

Applies to: 
Centrify DirectControl 5.4.0 and 5.4.1
 
Problem:
The command: 
 
# su - <username> 
 
has traditionally caused a new user's home directory to be created.  The adclient from Centrify Server Suite 2017 does not create the home directory for a new user.


Cause: 
The problem is due to a side-effect of another issue that was resolved with Suite 2017 where, under certain circumstances, a kerberos TGT (Ticket Granting Ticket) for a user, is kept in transient cache memory and can inadvertently be regenerated by the root account. 


Workaround:
1) As root, open the file /etc/centrifydc/centrifydc.conf .
2) Add this parameter without any value, exactly as shown below.
 
adclient.create.krb5.creds.prog.blacklist: 

3) Save the file.
4) Reload adclient.
 
# adreload 
 
5) Test by running the command:
  
# su - <username>

and ensure the home directory is successfully created.

Note: This workaround will allow the home directory to be created just as in prior versions, but it also reintroduces the TGT issue detailed above.

Resolution:
This issue is fixed in Centrify DirectControl Suite 2017.2 (5.4.2)

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III