Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-9203: How to Restrict or Allow User Logins in Classic Zone

Authentication Service ,  

26 September,17 at 10:16 PM

Question:
 
Classic zone will allow all provisioned users in Active Directory to login to any machine that is joined to the domain.  This is the default behavior for classic zone.  How can a classic zone be restricted so that only specific provisioned users are allowed to login while other provisioned users are denied login?

Answer:
 
To configure a classic zone to allow a specific provisioned user to login (and exclude other provisioned users), edit the /etc/centrifydc/centrifydc.conf file and set the parameter pam.allow.users file. This parameter can be either a file or a list of sAMAccountNames. Once the parameter is set, it will allow login by the configured provisioned users and exclude all others.
  
case 1: the pam.allow.users parameter is pointing to a file which contains a list of allowed provisioned users
 
i.e. In /etc/centrifydc/centrifydc.conf
  
pam.allow.users: file:/etc/centrifydc/users.allow

In /etc/centrifydc/users.allow
  
User-added image
  
 
case 2: the parameter value is the list of users that will be allowed login
  
i.e. In /etc/centrifydc/centrifydc.conf
  
pam.allow.users: tetsu,dean@centrifyimage.vms,darrell@centrifyimage.vms

After making a change to centrifydc.conf, or after adding a new name to the users.allow file, the adclient needs to be reloaded
  
# adreload
 
adquery user for an included provisioned user (tetsu in the image below) will show zoneEnabled:true
adquery user for a restricted provisioned user (donald in the image below) will show zoneEnabled:false
 
User-added image

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-3376: How to limit a user to access to only one particular machine in Classic Zone articleKB-5180: Does PowerShell module support with DirectControl in classic zones?