
KB-9125: How can an Auto-Zone be configured to include users from a transitive trust?

Centrify DirectControl

6 December 2017 at 08:46 PM

Question:
How can users from a transitive trust be given the ability to log on to a server in an auto-zone?

Answer:
An auto-zone can be configured to allow users from a transitive trust to log on by updating two parameters in the /etc/centrifydc/centrifydc.conf file:

auto.schema.allow.users
auto.schema.allow.groups


The following example will demonstrate the steps to be taken.

This diagram illustrates an example environment for this scenario, where the user object "jsmith" is local to the domain "child.DomainA.net" and requires access to a server in "child.DomainB.net."

Please note that the changes are to be made on the destination host, in this example, on a server in child.DomainB.net.

In this configuration the allowed users and groups are kept in two external files rather than being listed directly in centrifydc.conf. This is done by giving each parameter a file: path as its value. The two lines must be active, not commented out with a leading #, for the files to be read:

auto.schema.allow.users: file:/etc/centrifydc/auto_users.allow
auto.schema.allow.groups: file:/etc/centrifydc/auto_groups.allow


Insert the specified users or groups in each file:

/etc/centrifydc/auto_groups.allow

unix_users
unix_admins

/etc/centrifydc/auto_users.allow

jsmith
mworthington


To enable auto-zone to recognize a user or group from a transitive trust domain, add the canonical name of the object in each file.

/etc/centrifydc/auto_groups.allow

child.DomainA.net/Centrify/User Roles/unix_users
child.DomainA.net/Centrify/User Roles/unix_admins

/etc/centrifydc/auto_users.allow

child.DomainA.net/Centrify/Centrify Users/Marketing Users/jsmith
child.DomainA.net/Centrify/Centrify Users/Marketing Users/mworthington


Once the files are updated, run the following two commands to activate the changes:

adreload
adflush
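As an added example (not part of the KB article or a Centrify tool), the following POSIX shell script checks that both parameters are active in centrifydc.conf and point at readable files, reports how many canonical-name entries each file contains, and runs adreload and adflush only when those checks pass. The helper names and the canonical-name pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sanity-check the auto-zone allow configuration before
# activating it. Assumes centrifydc.conf uses "key: value" lines and '#'
# for comments, as the KB article's snippet shows.

# Print the active (uncommented) value of a parameter in centrifydc.conf.
conf_value() {            # $1 = conf file, $2 = parameter name
  sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if $1 has the form "file:/path" and /path is readable.
is_file_ref() {
  case "$1" in
    file:/*) [ -r "${1#file:}" ] ;;
    *) return 1 ;;
  esac
}

# Count entries written as canonical names ("domain.tld/OU/.../object"),
# the form required for objects from a trusted domain. Bare names
# such as "jsmith" or "unix_users" are not counted.
count_canonical() {       # $1 = allow file
  grep -c '^[A-Za-z0-9.-]*\.[A-Za-z0-9.-]*/' "$1" || true
}

# Validate both parameters; return 0 only if each points at a readable file.
check_autozone_conf() {   # $1 = conf file
  for p in auto.schema.allow.users auto.schema.allow.groups; do
    v=$(conf_value "$1" "$p")
    if ! is_file_ref "$v"; then
      echo "$p is not an active file: reference (value: '${v:-unset}')" >&2
      return 1
    fi
    f=${v#file:}
    echo "$p -> $f ($(count_canonical "$f") canonical-name entries)"
  done
}

# Reload the agent configuration only after the checks pass (needs root).
activate() {
  check_autozone_conf /etc/centrifydc/centrifydc.conf || return 1
  adreload && adflush
}
```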


Note:
The changes made in the above configuration files do not grant a user the ability to log on; they only make the user visible to the servers in the trusted domain.
