Centrify not respecting role assignments

j87
Participant I
Posts: 1
Registered: 10-25-2018

Centrify not respecting role assignments

To begin - I'm pretty new to Centrify, so there is most likely something easy I'm missing, but I can't find why this is happening in the documentation I've seen.  It's bound to have been addressed previously, but I couldn't find it in a search.


Long story short - I've created a zone with role assignments assigned to a single AD group.  Currently only one computer exists in the zone.  UNIX Login is restricted to this AD group, and checking Effective UNIX permissions on the computer/zone shows that no inheritance is occurring from the parent zone.


However, users that are not a part of this group are able to SSH into the machine.  When checking dzinfo (user), it shows no role assignments, but they are still able to log into the system.  Viewing effective UNIX user rights for both system and zone shows only 4 users are assigned roles, but it doesn't seem to be respecting that.


Like I said, bound to be something easy I'm missing, but can't seem to figure out what.


Thanks in advance!

Centrify Guru I
Posts: 2,432
Registered: 07-26-2012

Re: Centrify not respecting role assignments

@j87,


Welcome to the Centrify forums.


When submitting questions, please always provide:  Operating System and version, Centrify version (adinfo -v) and operating mode (e.g. adinfo --zone).


Zone deployments are typically commercial engagements; these provide design, implementation and/or training services.  Are you working with a Centrify professional or partner?


There are two pre-requisites for a user to be able to log in to a system in a Centrify zone:

a) The user has an identity defined.

b) The user (or a group that the user belongs to) has a role that allows logging in.
The minimum a role can have is a PAM access right like SSH access or the built-in login-all.  Otherwise an empty role will not work.


Things to keep in mind if it looks like a system is allowing too much access:

  • Mode
    Is it really in a zone?  (Auto Zone will allow any user from the current domain or trusted domains to access the system; this is referred to as Workstation mode.)  The mode can be viewed with the adinfo --zone command.
  • Roles can be assigned at different levels:
    - At the zone
    - At the child zone - If the system is part of a child zone, it will inherit the role assignments from the parent zone(s).
    - At the computer role (teams of systems)
    - At the local system level (called a system override)
  • Is there any other software loaded in the system that leverages PAM, NSS or Kerberos?
    Some Red Hat derivatives may have the sssd daemon enabled.
    Some Samba-enabled systems may have been joined to Active Directory.
  • Time
    When making changes, you have to account for AD replication.  A common tip is to connect your Access Manager console (or run your PowerShell) against the same Domain Controller that your test system is latched on to (adinfo --server).

    Have you flushed the object cache after making changes?  (by default it could take up to 1 hour for changes to be effective).  Use adflush or adobjectrefresh.
  • Time-bound Role Assignments
    Centrify supports temporary role assignments.  If the role becomes effective at a particular time in the day, then you'll see those users.

Some tips:

- The users that can log in to a system can be viewed with the "adquery user" command on the target system.  In Access Manager, you can also use the "Show effective user rights" functionality, or use the PowerShell commands.
[attached screenshot: am-effrights.png]


Please provide this de-identified output:

adinfo -v

adquery user  (clean-up the results)

sudo dzinfo [user that should not be able to log-in]


R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
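The checklist and requested output from the reply above, gathered into one script as an added example (it is not from the original thread, from the poster, or from Centrify). It assumes adinfo, adquery and dzinfo are on PATH on the target system, that `adinfo --zone` prints "Auto Zone" in workstation mode, and that `adquery user` prints passwd-style colon-separated lines; the nsswitch and daemon checks cover the "other software using PAM/NSS" point.

```shell
#!/bin/sh
# Added diagnostic helper for the "too much access" checklist; assumptions are noted per function.

# Classify the join mode from the text of `adinfo --zone`.
# Assumption: workstation mode prints "Auto Zone" (any domain user may log in).
classify_mode() {
    case "$1" in
        *"Auto Zone"*) echo workstation ;;
        *)             echo zone ;;
    esac
}

# Scan an nsswitch.conf body for non-Centrify identity sources on the
# passwd/group/shadow maps (sss, winbind, ldap). Returns 0 if none, 1 otherwise.
other_nss_sources() {
    _found=$(printf '%s\n' "$1" \
        | grep -E '^(passwd|group|shadow):' \
        | grep -owE '(sss|winbind|ldap)' \
        | sort -u | tr '\n' ' ')
    if [ -z "$_found" ]; then
        return 0
    fi
    echo "non-Centrify NSS sources on identity maps: $_found"
    return 1
}

# Collect the output the reply asks for plus the mode, NSS and daemon checks.
# Usage: collect_diag <user that should NOT be able to log in>
collect_diag() {
    user="$1"
    echo "== adinfo -v ==";        adinfo -v
    echo "== adinfo --zone ==";    zone=$(adinfo --zone); echo "$zone"
    echo "== mode: $(classify_mode "$zone") =="
    echo "== adinfo --server ==";  adinfo --server
    # Assumption: adquery user prints passwd-format lines; keep only user names.
    echo "== adquery user (names only) =="; adquery user | cut -d: -f1
    echo "== dzinfo $user ==";     sudo dzinfo "$user"
    echo "== /etc/nsswitch.conf =="; other_nss_sources "$(cat /etc/nsswitch.conf)" || true
    echo "== competing daemons =="
    for d in sssd winbindd; do
        pgrep -x "$d" >/dev/null 2>&1 && echo "$d is running"
    done
    echo "== cache: run 'sudo adflush' after changes (default refresh up to 1 hour) =="
}
```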