
KB-9125: How can an Auto-Zone be configured to include users from a transitive trust?

Authentication Service

6 December,17 at 08:46 PM

How can users from a transitive trust be allowed to log on to a server that is joined to an Auto-Zone?

An Auto-Zone can be configured to allow users from a transitive trust to log in by updating two parameters in the /etc/centrifydc/centrifydc.conf file: auto.schema.allow.users and auto.schema.allow.groups.

The following example will demonstrate the steps to be taken.

This diagram illustrates an example environment for this scenario, where the user object "jsmith" is local to the domain "" and requires access to a server in "".

Please note that the changes are to be made on the destination host, in this example, on a server in

In this configuration the allowed users and groups are kept in two external files rather than listed directly in centrifydc.conf: each parameter's value is a file: path that points to the file holding the list. Set the two parameters in /etc/centrifydc/centrifydc.conf as follows (the lines must not be left commented out with a leading #, or they have no effect):

auto.schema.allow.users: file:/etc/centrifydc/auto_users.allow
auto.schema.allow.groups: file:/etc/centrifydc/auto_groups.allow

Insert the required users or groups in each file.

To enable auto-zone to recognize a user or group from a transitive trust domain, add the canonical name of the object in each file.

/etc/centrifydc/auto_groups.allow:
Roles/unix_users
Roles/unix_admins

/etc/centrifydc/auto_users.allow:
Users/Marketing Users/jsmith
Users/Marketing Users/mworthington

Once the files are updated run the following two commands to activate the changes.


Note that the changes made in these configuration files do not by themselves grant a user the ability to log on; they only allow the user to be seen by the servers in the trusted domain.
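An added offline check, written for this article and not part of Centrify's own tooling, that reads the two parameters from a centrifydc.conf, follows their file: paths and lists the entries each file contributes; it assumes the file layout shown above, reports a parameter that was left behind a leading # as unset, and takes a root prefix (an assumption of this example) so a staged copy of the host's files can be checked without touching /etc.

```python
import tempfile
from pathlib import Path

AUTO_ZONE_KEYS = ("auto.schema.allow.users", "auto.schema.allow.groups")

def parse_centrifydc_conf(text):
    """Active 'parameter: value' lines of centrifydc.conf; a line that still
    starts with '#' is a comment, so that parameter is reported as unset."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key and not key.startswith("#"):
            settings[key.strip()] = value.strip()
    return settings

def read_allow_file(path):
    """One canonical name per line (blank lines and '#' comments skipped); names
    such as 'Users/Marketing Users/jsmith' contain spaces, so never split on whitespace."""
    lines = [ln.strip() for ln in Path(path).read_text().splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("#")]

def check_auto_zone(conf_text, root="/"):
    """Return (lists, problems). 'root' is prefixed to each file: path so a staged
    copy of the host's files can be checked offline (assumption for this example)."""
    settings, lists, problems = parse_centrifydc_conf(conf_text), {}, []
    for key in AUTO_ZONE_KEYS:
        value = settings.get(key)
        uses_file = (value or "").startswith("file:")
        path = Path(root, value[5:].lstrip("/")) if uses_file else None  # drop "file:"
        if value is None:
            problems.append(f"{key}: missing or still commented out")
        elif path is None:
            problems.append(f"{key}: expected a file: value, got {value!r}")
        elif not path.is_file():
            problems.append(f"{key}: {path} does not exist")
        elif not (entries := read_allow_file(path)):
            problems.append(f"{key}: {path} has no entries")
        else:
            lists[key] = entries
    return lists, problems

def demo(commented=False):
    """Recreate the article's example files under a temp dir (constructed input) and check them."""
    root = Path(tempfile.mkdtemp())
    etc = root / "etc" / "centrifydc"
    etc.mkdir(parents=True)
    (etc / "auto_groups.allow").write_text("Roles/unix_users\nRoles/unix_admins\n")
    (etc / "auto_users.allow").write_text("Users/Marketing Users/jsmith\nUsers/Marketing Users/mworthington\n")
    p = "# " if commented else ""  # commented=True reproduces the inactive, commented-out form
    conf = (f"{p}auto.schema.allow.users: file:/etc/centrifydc/auto_users.allow\n"
            f"{p}auto.schema.allow.groups: file:/etc/centrifydc/auto_groups.allow\n")
    return check_auto_zone(conf, root)
```

Running demo() returns the two resolved lists with no problems, while demo(commented=True) returns no lists and flags both parameters as still commented out.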