How applications determine access rights
Most of the programs you run on Linux and UNIX computers are configured to use a pluggable authentication module (PAM) to control access. For example, the login, secure shell (ssh), and file transfer (ftp) services are all PAM-enabled programs. These programs check the local PAM configuration to determine whether a user is allowed to use the requested service.
When you install the Centrify agent and join a domain, you replace the default PAM authentication service with a PAM service that looks for the users and groups to allow or deny access to in Active Directory. Because the PAM service is the first “gatekeeper” to access on most computers, users must have at least one PAM access right to log on at all.