Why can't I use zsh?

So I upgraded to Catalina. Actually it's more like a fresh install, I only copied across the few files I wanted to keep.

The shell is now helpfully telling me:

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.

The information on that page helpfully shows GUI instructions which do not work. Specifically, it says "Control-click your user name in the list of users on the left, then choose Advanced Options.", but Control-click does nothing. So I reported that on the page.

When I use the suggested command instead:

hostname:~ username$ chsh -s /bin/zsh
Changing shell for username.
Password for username: 
chsh: Operation was denied because the current credentials do not have the appropriate privileges.  Operation was denied because the current credentials do not have the appropriate privileges.
chsh: no changes made

This is different to "Can't use zsh shell in Catalina" because I get an error message that they don't.

It's also different to "chsh: Operation was denied because the current credentials do not have the appropriate privileges" because it seems that in their case, they were using iTerm. I'm using the default Terminal.app.

I have tried it with sudo just for laughs, but of course it does this, which makes perfect sense:

hostname:~ username$ sudo chsh -s /bin/zsh
Password: 
Changing shell for root.

So what's the deal here? How am I supposed to do it?

Update:

Well this is interesting. Two password prompts, and then a different error message about the parameter being invalid.

hostname:~ username$ sudo chsh -s /bin/zsh username
Password: 
Changing shell for username.
Password for username: 
chsh: One of the parameters provided was invalid.  One of the parameters provided was invalid.
chsh: no changes made

This error is new to me, but apparently it's new to Google as well, so I'm officially a trailblazer!

Update: Happy New Year!

Back in the office again.

Through poking at commands we had determined that Centrify was in use. Centrify comes with an adupdate tool which is supposed to be used to change user information. With the help of IT, we tried it, though, and were still denied, but now it's more like an error.

$ adupdate modify user -s /bin/zsh username
An error occurred while trying to modify a user while in Auto Zone.
The options (-d, -g, -i, -u, -s, -l, -m, -o, -X, -z) cannot be used during this operation.
Please consult the manual pages for more information.

First impressions: What is Auto Zone and how do I get out of it?

Solution 1:

@bmike has already offered the easiest solution, but I wanted to go back to the GUI instructions not working.

I found that Apple’s instructions here can be confusing. Control-Clicking will not do anything unless you first “unlock” the Users & Groups pane, as shown below in the blue box:

Once you have it unlocked, be sure you are clicking in the white-area on the left to access “Advanced Options…” as shown above with the blue arrow.

Then you should be able to access the options, including shell, from the Advanced pane.

Solution 2:

Don’t use sudo directly without some additional switches - your invocation would change root’s shell, not your user account.

If your short name is mike (you can check with whoami or who am i

sudo -s
chsh /bin/zsh mike

Or if you know an admin short name and password you could skip the sudo initially

chsh -u admin /bin/zsh

@ me if you still have issues, there are a couple other ways to skin this cat, but I think once you specify the other user and su to root first, you should be set. It should have just worked out of the box, but hopefully we don’t have to go down that rabbit trail.

Solution 3:

This is a somewhat speculative answer, on the assumption that your account is coming from an Active Directory domain your Mac is bound to. You can check this by running:

dscl /Search -read /Users/"$USER" | grep AppleMetaNodeLocation

If it prints something like "AppleMetaNodeLocation: /Active Directory/<somedomain>", then your account is coming from AD, and this answer might work for you. I say "might" because I don't have a setup to test properly, and haven't messed with this stuff for several versions. If it doesn't print something about "/Active Directory/", this answer is not relevant.

Before proceeding further, I'd make a record of your current AD binding configuration. Run:

sudo dsconfigad -show

...and save its output somewhere, so you can refer to it if you need to put things back the way they were. If it doesn't print anything, then there's something weirder going on and I wouldn't recommend proceeding until you know what it is. It'll probably list something like "Default user Shell = /bin/bash"; if so, I'm pretty sure that's the root of your problem. To change this, run:

sudo dsconfigad -shell /bin/zsh

...and then probably reboot to make sure change takes effect. Oh, and check your Terminal preferences to make sure they're not overriding that (see here).

Explanation (if you care): in unix (including macOS), each user account record has an attribute that controls their default shell. Changing the user's shell (with chsh or whatever) edits the user's record to change that attribute value. But Active Directory accounts don't have this attribute (unless the AD domain has Identity Management for Unix enabled -- but that's deprecated), so Apple's AD connector fakes up a value for this on its own. Because it's fake, it can't really be changed. But you can change what value the AD connector uses to fake it up, and that's what the dsconfigad command does.

Solution 4:

After some more digging, finally a working solution!

$ sudo su -
# vim /etc/centrifydc/passwd.ovr

Added this line:

+username:::::::/bin/zsh:::::::

Saved, back to the shell...

# chmod 644 /etc/centrifydc/passwd.ovr
# adreload
# adflush

Logout from macOS and login again, and default shell is now zsh. 🎉