AD group issue with Centrify Express
10-03-2018 07:26 PM
I have Centrify Express (CentrifyDC 5.5.0-200) installed on several servers. On some of the servers, when I issue this command:
adquery group database_administrators
I get back the group name, its id # and members. On some of the servers, when that command is issued, I get this response instead:
database_administrators is not a zone group
All servers are running the same version (version listed above); all info from adinfo --server, --version, etc. is the same; I have done an adreload, adflush as well as left and rejoined the domain. The end result is the above "not a zone group" message.
Why does this work on some servers but not others? I am guessing something is amiss, but with the things I have looked at so far, I haven't been able to determine what or where. Has anyone run into this? Any ideas on what needs updating/fixing would be appreciated.
10-03-2018 08:05 PM
Are all systems joined to the same domain?
Are all systems running the same operating system/version?
Are there any other AD-bridging integrations installed? (e.g. sssd, pb, etc?).
What happens when you do "adquery group database_administrators -A" in both systems?
I have the theory that systems are not configured equally.
10-04-2018 08:17 AM
Both servers are:
- The same version OS and kernel
- both are using the same DC
- both are in the same domain
- there are no AD bridging integrations
- adquery group database_administrators -A results in the members, etc. being printed on the system where it works. On the other system, it says no such group.
And yes, I would agree they are not configured equally, but... one server was installed in the morning, one in the afternoon. The same package and steps were used for both... no idea where the difference might have happened.
10-04-2018 09:55 AM
Interesting new development...
I have been trying/looking at various things to try and determine why some groups show up and others don't. One of the things I did was to add myself to the database_administrators group - which previously was NOT showing up with adquery or "getent group" commands. Now that I have updated the group (by adding myself), it is now showing up as expected - and it is the only thing I have changed.
10-04-2018 10:02 AM
Well, perhaps the object cache hadn't been refreshed and your change of group membership triggered it. There are also environmental issues like replication, communication or placement relative to a Global Catalog. Without looking at the logs, it will be very unclear to pinpoint the issue.
Centrify's adclient contains various caches (credential, authorization, connector, DNS, etc.) and there are commands that allow you to trigger them (adflush and adobjectrefresh).
I'm not sure how familiar you are with the product, but there are a large number of commands that can help you:
LMK if you have additional questions.
10-04-2018 01:24 PM
I am familiar with that page - have been using many of those commands to try and figure out what is going on.
To add to the issue, I now have another server that WAS working and now gives the "is not a zone group" message. The only way I have found to "fix" (and it seems to be a short term fix) is to:
- adflush -f
- groups (some user in the database_administrators group)
- adquery group database_administrators (note: without doing the above groups command, this command will fail as noted above)
and then I get back the info I expect to see... but it doesn't stick around, at some random point it seems to forget about the group and the whole cycle starts over.
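The posts above describe servers that drift between answering `adquery group` correctly and returning "is not a zone group" or "no such group". The script below is an added example, not code from the thread or from Centrify: a small POSIX sh check that runs the same `adquery group NAME -A` query on a host and classifies the reply, so the same check can be scheduled on every server and the mismatches compared. The `ADQUERY_CMD` override, the `report_groups` helper and the exact wording matched for the "no such group" case are assumptions made for this example; the "is not a zone group" string is the one quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread): classify adquery replies so that
# group-lookup drift between servers can be detected and reported.
# ADQUERY_CMD is a hypothetical override that lets the check run against a
# stub instead of the real adquery binary (defaults to "adquery").

# classify_adquery_output GROUP REPLY
# Prints one of: ok, not-zone-group, no-such-group, unknown
classify_adquery_output() {
    group=$1
    reply=$2
    case $reply in
        # wording quoted in the thread; test this before the "ok" case,
        # since this message also contains the group name
        *"is not a zone group"*) echo not-zone-group ;;
        # assumed wording for the "no such group" reply seen on the other server
        *"no such group"*|*"No such group"*) echo no-such-group ;;
        # a good reply echoes the group name along with its id and members
        *"$group"*) echo ok ;;
        *) echo unknown ;;
    esac
}

# check_group GROUP
# Runs the query (stdout and stderr captured, non-zero exit tolerated)
# and prints the classification of the reply.
check_group() {
    group=$1
    cmd=${ADQUERY_CMD:-adquery}
    reply=$("$cmd" group "$group" -A 2>&1) || true
    classify_adquery_output "$group" "$reply"
}

# report_groups GROUP...
# One line per group: <host> <group> <status>, suitable for collecting
# from several servers and diffing.
report_groups() {
    host=${HOSTNAME:-$(uname -n)}
    for g in "$@"; do
        printf '%s %s %s\n' "$host" "$g" "$(check_group "$g")"
    done
}

# Usage: sh check_zone_groups.sh database_administrators other_group
case ${1:-} in
    "") ;;
    *) report_groups "$@" ;;
esac
```

Running the report from cron on each server and keeping the output gives a timeline of when a group flips to "not-zone-group", which can then be lined up against the adflush / groups workaround and the adclient logs.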
10-04-2018 04:10 PM
Per support from Centrify:
The issue you are describing is a known issue with the express version. It doesn't happen in the licensed version of the product because groups are handled differently
So I wasn't imagining things nor do I have anything misconfigured.