Channel: All Centrify Express posts

Re: Centrify Express change AD user home directory


Now we're talking.

 

I'm going to do the same with Lisa

 

$ adinfo --zone
Auto Zone
$ adquery user lisa.simpson
lisa.simpson:x:1040190999:1040190999:Lisa Simpson:/home/lisa.simpson:/bin/bash

Lisa already has a role that allows her to log in to systems in the zone.  My goal is to change her home directory from /home/lisa.simpson to /exports/home/lisa.simpson

 

 

On the Linux System
You'll be leaving the Auto Zone and joining a zone, then creating an entry at the computer (called an override) for that user with the desired home directory in Access Manager.  Then you'll flush the cache and try to log in with the user.

  1. Leave the domain
    $ sudo adleave --remove --user auth-user
    [sudo] password for centrifying:
    auth-user@CENTRIFY.VMS's password:
    Using domain controller: dc.centrify.vms writable=true
    Left domain.
    Centrify DirectControl stopped.
  2. Rejoin your target zone
    $ sudo adjoin -z global -c "ou=servers,ou=unix" -u dwirth centrify.vms
    dwirth@CENTRIFY.VMS's password:
    Using domain controller: dc.centrify.vms writable=true
    Join to domain:centrify.vms, zone:global successful
    
    Centrify DirectControl started.
    Initializing cache
  3. Open Access Manager, go to the Zone > Computers > [Target Computer] > Expand the computer > Expand the UNIX Data Node and right-click Users > Select Add Users to Zone
    (screenshot: override1.png)
    This gives Lisa an identity.  Since she has a role assigned at the zone level, I don't worry about assigning her a role.  However, if you want this user ONLY to be able to log in to this system, you'd use the Role Assignments node under the system and grant the proper role.  If you don't do this, the user won't be able to log in or be visible.
  4. Restart the agent (so it can see the override), flush the cache and verify results
    # at this point, lisa's identity is the same inherited from the zone
    # for the override to be visible, you have to restart the service
    $ sudo service centrifydc restart
    # flush the cache
    $ sudo adflush --force
    DNS cache flushed successfully.
    Authorization cache store flushed successfully.
    GC and DC caches flushed successfully.
    # verify results
    $ adquery user lisa.simpson
    lisa_simpson:x:1040190999:1040190999:Lisa Simpson:/exports/home/lisa_simpson:/bin/bash
    # victory is yours

There are other ways to do this, but given that you have zones, it's better to have a centralized override.  Other methods include a local account with a passwd.ovr (see NSS passwd override here: https://docs.centrify.com/en/css/suite2016/centrify-unix-config-guide.pdf).
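
The "verify results" step can be scripted. The following is an added example, not part of the original post or of Centrify's tooling: it parses the passwd-format line that `adquery user` prints and checks the home-directory field. The helper names `check_home_entry` and `check_home_dir` are hypothetical, and the ownership and permission check on the new directory is an added assumption about what a relocated home should look like.

```shell
#!/bin/sh
# Added example (not from the original post): confirm a home-directory
# override took effect by checking the passwd-format line from adquery.

# check_home_entry ENTRY EXPECTED_HOME
# Returns 0 if field 6 equals EXPECTED_HOME, 1 if it differs,
# 2 if ENTRY is not a well-formed seven-field passwd line.
check_home_entry() {
    entry=$1
    expected=$2
    nfields=$(printf '%s\n' "$entry" | awk -F: 'NR == 1 { print NF }')
    [ "$nfields" = 7 ] || return 2
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    case $uid in ''|*[!0-9]*) return 2 ;; esac   # UID must be numeric
    case $home in /*) ;; *) return 2 ;; esac     # home must be absolute
    [ "$home" = "$expected" ] || return 1
    return 0
}

# check_home_dir DIR UID
# Returns 0 if DIR is a real directory owned by UID and not writable by
# group or others, 1 otherwise. Uses `ls -ldn` to stay portable.
check_home_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    ls -ldn "$dir" | awk -v want="$owner" '
        { ok = ($3 == want && substr($1, 6, 1) != "w" && substr($1, 9, 1) != "w") }
        END { exit ok ? 0 : 1 }'
}

# The two lines below are the adquery outputs shown in the post.
before='lisa.simpson:x:1040190999:1040190999:Lisa Simpson:/home/lisa.simpson:/bin/bash'
after='lisa_simpson:x:1040190999:1040190999:Lisa Simpson:/exports/home/lisa_simpson:/bin/bash'
want=/exports/home/lisa_simpson

for line in "$before" "$after"; do
    if check_home_entry "$line" "$want"; then
        echo "override active: $line"
    else
        echo "override NOT active: $line"
    fi
done
# On a joined host: check_home_entry "$(adquery user lisa.simpson)" "$want"
```

On a joined host, follow the entry check with `check_home_dir "$want" 1040190999` once the directory has been created.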

