I think you might be confused here (or perhaps I may have confused you).
The fact that you can use "adinfo -A -u <user>" to test whether the password is correct or not doesn't necessarily mean that the user has access to the system. See, when you do this, under the hood you're leveraging Kerberos (e.g. kinit <user>); adinfo is just returning success or failure.
$ adinfo -A -u administrator
Active Directory password:
Password for user "administrator" is correct
For example, if you use "sudo adquery user -A bruce" I expect to see valid output, because the "-A" switch (combined with sudo) tells the client to go and get the information about the user from Active Directory. Here's an example from one of my systems:
Note that my valid users don't include all AD users.

$ adquery user
bart:x:1040191001:1040191001:Bart Simpson:/home/bart:/sbin/nologin
dwirth:x:1040188499:1040188499:Diana Wirth:/home/dwirth:/bin/bash
homer.simpson:x:1040191003:1040191003:Homer Simpson:/home/homer.simpson:/usr/bin/dzsh
maggie.simpson:x:1040191002:1040191002:Maggie Simpson:/home/maggie.simpson:/bin/bash
tom:x:1040192080:1040192080:Tom Stanton:/home/tom:/bin/bash

Note what happens when I query for a well-known username:

$ adquery user administrator
Administrator is not a zone user

Now see what happens when I use the -A switch (if I had used sudo or dzdo, I would have been able to see more info):

$ adquery user -A administrator
dn:CN=Administrator,CN=Users,DC=centrify,DC=vms
samAccountName:Administrator
sid:S-1-5-21-3883016548-1611565816-1967702834-500
canonicalName:centrify.vms/Users/Administrator
passwordHash:x
guid:cd7c955c-4657-4afe-846d-8cb22e62840b
requireMfa:false
zoneEnabled:false
memberOf:centrify.vms/Staff/Groups/Mac Admins,centrify.vms/UNIX/User Roles/centrify-directaudit-service-managers,centrify.vms/Users/Denied RODC Password Replication Group,centrify.vms/Users/Domain Admins,centrify.vms/Users/Domain Users,centrify.vms/Users/Enterprise Admins,centrify.vms/Users/Group Policy Creator Owners,
With Centrify, it's not only about authentication, but about authorization and auditing as well. This all depends on the mode of operation (Auto Zone or Zone Mode) and if you are using filtering or any other capabilities. Your domain/forest layout has a lot to say as well.
With that out of the way:
- What mode of operation are you using? (adinfo --zone)
- If it says Auto Zone, you should be able to see the users visible to the system by running the 'adquery user' command. Do you see any output when you run adquery user? Can you try to log in (or su - username) as any of those users?
We need to figure out what's up with bruce, but it's possible that he may be on the other side of a one-way trust (not supported in Auto Zone mode, only in Zone mode).
Also, what is the version of Centrify that you're using? (adinfo -v)
Thanks
R.P
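The checks R.P. walks through above (adinfo --zone, adquery user, adquery user -A) can be wired into a small triage helper. The script below is an added example, not code from the original post or from Centrify; it assumes the output shapes shown in the post (a passwd-style line or "<Name> is not a zone user" from adquery user, key:value lines such as zoneEnabled:false from adquery user -A, and "Auto Zone" from adinfo --zone) and the function names, messages and sample data are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): summarize why an AD user may
# not be able to log in, from the output of the Centrify commands listed
# in the post. Output formats are ASSUMED from the samples in the post.

# Classify one `adquery user <name>` result line.
# Prints: not_zone_user | nologin | ok
classify_passwd_line() {
    line="$1"
    case "$line" in
        *"is not a zone user"*) echo "not_zone_user"; return 0 ;;
    esac
    # Last colon-separated field of a passwd line is the login shell.
    shell=$(printf '%s\n' "$line" | awk -F: '{print $NF}')
    case "$shell" in
        */nologin|*/false) echo "nologin" ;;
        *) echo "ok" ;;
    esac
}

# Extract one attribute from `adquery user -A` output (key:value lines).
# Usage: attr_value "$attrs" zoneEnabled
attr_value() {
    out="$1"; key="$2"
    printf '%s\n' "$out" | sed -n "s/^$key:\(.*\)\$/\1/p" | head -n 1
}

# Combine the three outputs into a one-line diagnosis.
# $1 = adinfo --zone output, $2 = adquery user line, $3 = adquery user -A output
diagnose() {
    zone="$1"; passwd_line="$2"; attrs="$3"
    status=$(classify_passwd_line "$passwd_line")
    case "$status" in
        ok) echo "visible: user is a zone user with an interactive shell"; return 0 ;;
        nologin) echo "blocked: user is visible but has a non-interactive shell"; return 0 ;;
    esac
    enabled=$(attr_value "$attrs" zoneEnabled)
    if [ "$zone" = "Auto Zone" ]; then
        # Per the post: Auto Zone shows AD users unless filtered, and does
        # not support users across a one-way trust.
        echo "not visible in Auto Zone: check filtering or a one-way trust (zoneEnabled=$enabled)"
    else
        echo "not visible in zone '$zone': user must be zone-enabled (zoneEnabled=$enabled)"
    fi
}

# Live wrapper for a machine with the Centrify agent installed (assumed
# command names/flags as used in the post). Not exercised offline.
triage_user() {
    name="$1"
    zone=$(adinfo --zone 2>/dev/null)
    line=$(adquery user "$name" 2>&1)
    attrs=$(adquery user -A "$name" 2>/dev/null)
    diagnose "$zone" "$line" "$attrs"
}

# Constructed sample (shape copied from the post's administrator output).
SAMPLE_ATTRS='dn:CN=Administrator,CN=Users,DC=centrify,DC=vms
samAccountName:Administrator
requireMfa:false
zoneEnabled:false'

# Offline demonstration using the constructed sample.
diagnose "Auto Zone" "Administrator is not a zone user" "$SAMPLE_ATTRS"
```

On a real host you would run `triage_user bruce` (with sudo or dzdo so that `adquery user -A` returns the full attribute set); offline, the functions can be fed captured output as shown at the bottom of the block.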