Centrify not respecting role assignments
10-25-2018 10:10 AM
To begin - I'm pretty new to Centrify, so there is most likely something I'm missing that's easy, but can't find why this is happening through the documentation I've seen. It's bound to have been addressed previously, but couldn't find it in a search.
Long story short - I've created a zone with role assignments assigned to a single AD group. Currently only one computer exists in the zone. UNIX Login is restricted to this AD group, and checking Effective UNIX permissions on the computer/zone shows that no inheritance is occurring from the parent zone.
However, users that are not a part of this group are able to SSH into the machine. When checking dzinfo (user), it shows no role assignments, but they are still able to log into the system. Viewing effective UNIX user rights for both system and zone shows only 4 users are assigned roles, but it doesn't seem to be respecting that.
Like I said, bound to be something easy I'm missing, but can't seem to figure out what.
Thanks in advance!
10-25-2018 11:27 AM
Welcome to the Centrify forums.
When submitting questions, please always provide: Operating System and version, Centrify version (adinfo -v) and operating mode (e.g. adinfo --zone).
Zone deployments are typically commercial engagements, these provide design, implementation and/or training services. Are you working with a Centrify professional or partner?
There are two pre-requisites for a user to be able to log in to a system in a Centrify zone:
a) The user has an identity defined.
b) The user (or a group that the user belongs to) has a role that allows them to log in.
The minimum a role can have is a PAM access right like SSH access or the built-in login all. Otherwise an empty role will not work.
Things to keep in mind if it looks like a system is allowing too much access:
- Is it really in a zone? (Auto Zone will allow any user from the current domain or trusted domains to access the system; this is referred to as Workstation mode). The mode can be viewed with the adinfo --zone command.
- Roles can be assigned at different levels:
- At the zone
- At the child zone - If the system is part of a child zone, it will inherit the role assignments from the parent zone(s).
- At the computer role (teams of systems)
- At the local system level (called a system override)
- Is there any other software loaded in the system that leverages PAM, NSS or Kerberos?
Some Red Hat derivatives may have the sssd daemon enabled.
Some Samba-enabled systems may have been joined to Active Directory.
- When making changes, you have to account for AD replication. A common tip is to connect your Access Manager console (or trigger your PowerShell) to the same Domain Controller that your test system is latched on to (adinfo --server).
- Have you flushed the object cache after making changes? (By default it could take up to 1 hour for changes to be effective.) Use adflush or adobjectrefresh.
- Time-bound Role Assignments
Centrify supports temporary role assignments. If the role becomes effective at a particular time in the day, then you'll see those users.
- The users that can log in to a system can be viewed with the "adquery user" command in the target system. In Access Manager, you can also use the "Show effective user rights" functionality or PowerShell commands.
Please provide this de-identified output:
adquery user (clean up the results)
sudo dzinfo [user that should not be able to log in]
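A small triage check for the situation in this thread, added here as an example and not code from either post or from Centrify: it compares successful sshd logins against the user list the reply asks for (adquery user, or the Access Manager "Show effective user rights" output) and flags anyone who got in without being on it. The log lines and user list are constructed, and adquery user output is assumed to be one login name per line.

```python
from __future__ import annotations
import re
from typing import Iterable

# Constructed sample of `adquery user` output on the target system: the AD
# users expected to have login rights there, one login name per line (assumed layout).
ADQUERY_USER_OUTPUT = """\
alice
bob
carol
dave
"""

# Constructed sshd log excerpt in syslog format (as in /var/log/secure or auth.log).
# 'erin' is not in the expected set and should be flagged; 'Bob' should not.
SSHD_LOG = """\
Oct 25 09:58:12 unixhost1 sshd[2311]: Accepted publickey for alice from 10.0.0.21 port 50122 ssh2
Oct 25 10:02:40 unixhost1 sshd[2397]: Failed password for erin from 10.0.0.33 port 50201 ssh2
Oct 25 10:03:01 unixhost1 sshd[2397]: Accepted password for erin from 10.0.0.33 port 50201 ssh2
Oct 25 10:09:55 unixhost1 sshd[2450]: Accepted keyboard-interactive/pam for Bob from 10.0.0.21 port 50310 ssh2
"""

# Only successful logins matter here; "Failed ..." lines are ignored.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def expected_users(adquery_output: str) -> set[str]:
    """Build the set of users expected to be able to log in, lower-cased."""
    return {line.strip().lower() for line in adquery_output.splitlines() if line.strip()}


def unexpected_logins(log_lines: Iterable[str], expected: set[str]) -> list[dict]:
    """Return successful SSH logins whose user is not in the expected set.

    Names are compared case-insensitively, since AD login names are and sshd
    records whatever capitalisation the client supplied.
    """
    findings = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group("user").lower() not in expected:
            findings.append({"user": m.group("user").lower(), "src": m.group("src"),
                             "method": m.group("method"), "line": line})
    return findings


if __name__ == "__main__":
    for f in unexpected_logins(SSHD_LOG.splitlines(), expected_users(ADQUERY_USER_OUTPUT)):
        print(f"unexpected login: {f['user']} from {f['src']} via {f['method']}")
```

Any user reported here is a candidate for the `sudo dzinfo` check requested above, and a hit while the host is in Workstation mode points straight at the Auto Zone item in the checklist.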