How to enable users from a transitive trust to have the ability to logon to a server in auto-zone?
An auto-zone can be configured to allow users from a transitive trust to log in by updating two parameters, auto.schema.allow.users and auto.schema.allow.groups, in the /etc/centrifydc/centrifydc.conf file.
The following example will demonstrate the steps to be taken.
This diagram illustrates an example environment for this scenario, where the user object "jsmith" is local to the domain "child.DomainA.net" and requires access to a server in "child.DomainB.net."
Please note that the changes are made on the destination host, in this example a server in child.DomainB.net.
In this configuration the two parameters are not given inline lists; instead each value is a file: path pointing at an external file, so the allow lists can be maintained without editing centrifydc.conf again. Both lines must be uncommented (no leading #) for the settings to take effect:
auto.schema.allow.users: file:/etc/centrifydc/auto_users.allow
auto.schema.allow.groups: file:/etc/centrifydc/auto_groups.allow
Insert the users or groups in the corresponding file. To enable auto-zone to recognize a user or group from a transitive trust domain, add the canonical name of the object (domain followed by the container path and the object name), one per line. For the users file in this example:
child.DomainA.net/Centrify/Centrify Users/Marketing Users/jsmith
child.DomainA.net/Centrify/Centrify Users/Marketing Users/mworthington
Once the files are updated, run the following two commands to activate the changes.
The changes made in the above configuration files do not by themselves grant the user the ability to log on; they only make the user visible to the servers in the trusted domain.
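Because a commented-out parameter, a mistyped file name, or a bare username instead of a canonical name all fail silently (the user simply never appears), it is worth checking the two settings before reloading. The script below is an added example, not part of the original article or of Centrify's tooling: it reads the parameter values from a centrifydc.conf, ignores commented-out lines, confirms that each file: path exists, and verifies that every entry looks like a canonical name from a named domain. The configuration and allow files it inspects are constructed in a temporary directory for the demonstration; the parameter names and the file: syntax are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the auto-zone
# allow-list settings in centrifydc.conf before activating them.

# Print the value of a centrifydc.conf parameter, ignoring commented-out lines.
# Usage: conf_value <conf-file> <parameter>
conf_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if a line looks like a canonical name from a named domain
# (domain.tld/Container/.../object), 1 otherwise.
is_canonical() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+/.+/[^/]+$'
}

# Check that the parameter is set (not commented out), uses a file: path,
# the file is readable, and every non-blank line is a canonical name.
# Prints each problem found; returns 0 when everything is in order.
check_allow_list() {
    conf=$1; param=$2; bad=0
    value=$(conf_value "$conf" "$param")
    case "$value" in
        file:/*) path=${value#file:} ;;
        "")  echo "$param is not set (or is commented out)"; return 1 ;;
        *)   echo "$param is an inline list, not a file: path"; return 1 ;;
    esac
    [ -r "$path" ] || { echo "$param: $path is missing or unreadable"; return 1; }
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        is_canonical "$line" || { echo "$path: not a canonical name: $line"; bad=$((bad+1)); }
    done < "$path"
    return "$bad"
}

# Demonstration on a constructed configuration: the users parameter is
# correct, the groups parameter is still commented out, and the users file
# contains one valid canonical name and one bare username.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/centrifydc.conf" <<EOF
auto.schema.allow.users: file:$tmp/auto_users.allow
# auto.schema.allow.groups: file:$tmp/auto_groups.allow
EOF
    cat > "$tmp/auto_users.allow" <<'EOF'
child.DomainA.net/Centrify/Centrify Users/Marketing Users/jsmith
jsmith
EOF
    check_allow_list "$tmp/centrifydc.conf" auto.schema.allow.users; echo "users rc=$?"
    check_allow_list "$tmp/centrifydc.conf" auto.schema.allow.groups; echo "groups rc=$?"
    rm -rf "$tmp"
}

demo
```

Run it against the real file with `check_allow_list /etc/centrifydc/centrifydc.conf auto.schema.allow.users` (and again for auto.schema.allow.groups); a non-zero return means at least one entry or setting would be ignored and the trusted-domain user would not become visible.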