Question:
By default, a classic zone allows every provisioned Active Directory user to log in to any machine joined to the domain. How can a classic zone be restricted so that only specific provisioned users are allowed to log in while all other provisioned users are denied?
Answer:
To configure a classic zone so that only specific provisioned users can log in (and all other provisioned users are excluded), edit /etc/centrifydc/centrifydc.conf on the machine and set the pam.allow.users parameter. Its value can be either a reference to a file containing the allowed accounts or an inline comma-separated list of account names (sAMAccountName or user@domain form). Once the parameter is set, only the listed provisioned users can log in through PAM; every other user is denied. Note that centrifydc.conf is local to the host, so the restriction applies only to machines where the parameter is set (deploy it to each host that should be restricted, for example through your configuration management or group policy).
case 1: pam.allow.users points to a file that contains the list of allowed provisioned users
e.g. In /etc/centrifydc/centrifydc.conf
pam.allow.users: file:/etc/centrifydc/users.allow
In /etc/centrifydc/users.allow, list the allowed accounts, one account per line.
case 2: the parameter value is itself the comma-separated list of users that are allowed to log in
e.g. In /etc/centrifydc/centrifydc.conf
pam.allow.users: tetsu,dean@centrifyimage.vms,darrell@centrifyimage.vms
After changing centrifydc.conf, or after adding or removing a name in the users.allow file, adclient must reload its configuration for the change to take effect:
# adreload
To verify, run adquery user for each account. For an included provisioned user (tetsu in the image below) the output shows zoneEnabled:true; for a provisioned user who is not on the list (donald in the image below) it shows zoneEnabled:false, e.g. adquery user donald | grep zoneEnabled. If an allowed user still shows zoneEnabled:false, check the spelling of the name in the list and confirm that adreload was run on that host.
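As an added example (not code from the original article or from Centrify), the following POSIX shell script resolves the effective pam.allow.users list from a centrifydc.conf, accepting both value forms described above (file: reference and inline comma-separated list), and reports whether a given account is on it. It runs against constructed scratch copies of centrifydc.conf and users.allow in a temporary directory, not the live /etc/centrifydc files. The whitespace trimming, case-insensitive matching and "last uncommented definition wins" rule are assumptions about how adclient parses the parameter, not documented behaviour; the authoritative check on a real host remains adquery user after adreload.

```shell
#!/bin/sh
# Added example: offline check of a pam.allow.users configuration.
# Not code from the original article or from Centrify.

# Constructed sample files under a scratch directory (assumed paths).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Scratch copy of centrifydc.conf: a commented-out old value (ignored) and a
# live file: reference, as in case 1 above.
cat > "$WORK/centrifydc.conf" <<EOF
adclient.cache.expires: 3600
#pam.allow.users: tetsu,dean@centrifyimage.vms
pam.allow.users: file:$WORK/users.allow
EOF

# Scratch users.allow: one account per line; stray whitespace and blank
# lines are tolerated by this check (assumption about adclient's parser).
cat > "$WORK/users.allow" <<'EOF'
tetsu
  dean@centrifyimage.vms
darrell@centrifyimage.vms

EOF

# allow_value <conf>: print the raw pam.allow.users value, or nothing if the
# parameter is not set. Commented-out lines do not match. If the parameter
# appears more than once, the last definition is taken (assumption).
allow_value() {
    grep '^[[:space:]]*pam\.allow\.users[[:space:]]*:' "$1" | tail -n 1 |
        sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# effective_allow_list <conf>: print the allowed accounts, one per line,
# lower-cased (AD account names are case-insensitive). Returns 2 if the
# file: reference points at something unreadable, which on a real host would
# silently lock users out instead of failing loudly.
effective_allow_list() {
    value=$(allow_value "$1")
    case "$value" in
        file:*)
            listfile=${value#file:}
            if [ ! -r "$listfile" ]; then
                echo "pam.allow.users points at an unreadable file: $listfile" >&2
                return 2
            fi
            raw=$(cat "$listfile") ;;
        *)
            raw=$(printf '%s\n' "$value" | tr ',' '\n') ;;
    esac
    printf '%s\n' "$raw" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v '^$' | tr '[:upper:]' '[:lower:]'
    return 0
}

# is_allowed <conf> <account>: exit 0 if the account may log in under this
# configuration, 1 if it is excluded, 2 if the configuration is broken.
is_allowed() {
    conf=$1
    [ -r "$conf" ] || return 2
    # Parameter not set: classic-zone default, every provisioned user allowed.
    [ -n "$(allow_value "$conf")" ] || return 0
    list=$(effective_allow_list "$conf") || return 2
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$list" | grep -qxF "$want"
}

# Demonstration against the constructed config: tetsu and dean are listed,
# donald is not.
for u in tetsu dean@centrifyimage.vms donald; do
    if is_allowed "$WORK/centrifydc.conf" "$u"; then
        echo "$u: allowed   (adquery user $u should show zoneEnabled:true)"
    else
        echo "$u: excluded  (adquery user $u should show zoneEnabled:false)"
    fi
done
```

Point the script at a copy of the real /etc/centrifydc/centrifydc.conf before running adreload to catch a misspelled account or a bad file: path; after adreload, confirm each account with adquery user <name> | grep zoneEnabled on the host itself.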