Administrator's Guide
March 2010
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2010 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectControl, and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, and DirectSecure are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.
Contents

About this guide ... 11
  Intended audience ... 11
  Getting a preview of what's in this release ... 12
  Using this guide ... 12
  Conventions used in this guide ... 14
  Using online help ... 15
  Where to go for more information ... 17
  Contacting Centrify ... 20

Chapter 1  Introduction ... 21
  Understanding identity and access management ... 21
  Why integrate with Active Directory? ... 22
  What is the Centrify DirectControl solution? ... 23
  What does DirectAuthorize provide? ... 28
  What can you do after you deploy? ... 29

Chapter 2  About the Centrify DirectControl architecture and operation ... 31
  Understanding the integration of Windows and UNIX ... 31
  Understanding what's installed on Windows ... 33
  Understanding Centrify DirectControl Agents ... 37
  Understanding the log-on process ... 40
  Understanding agentless authentication ... 43

Chapter 3  Installing and starting Centrify DirectControl ... 45
  Installing Centrify Suite 2010 on Windows ... 46
  Starting Centrify DirectControl for the first time ... 49
  Installing the Centrify DirectControl Agent ... 52

Chapter 4  Managing zones ... 55
  Understanding Centrify DirectControl zones ... 56
  Using the Centrify DirectControl Setup Wizard ... 56
  Creating a new zone ... 57
  Opening and closing zones ... 67
  Delegating control of administrative tasks ... 68
  Changing zone properties ... 71
  Changing the master domain controller ... 72
  Adding a computer to a zone ... 76
  Changing the location of a zone in Active Directory ... 76
  Converting a standard DirectControl zone to RFC 2307 ... 77
  Using the Zone Generator to populate new zones ... 78
  Running reports for zones ... 79
  Searching for profiles in a zone ... 79
  Understanding Auto Zone ... 80

Chapter 5  Managing computers ... 83
  Understanding the join operation ... 83
  Deciding who can join computers to the domain ... 85
  Precreating computer accounts ... 86
  Joining a domain interactively or using a script ... 90
  Allowing password resets for computer accounts ... 91
  Designating a computer as a NIS server ... 94
  Changing the zone for the computer ... 95
  Changing the domain for a computer ... 96
  Leaving a domain ... 97
  Customizing configuration settings for a computer ... 98
  Running reports for computers ... 99

Chapter 6  Importing existing users and groups ... 101
  Determining the source for existing user information ... 101
  Preparing to import users and groups ... 102
  Using the Import from UNIX wizard ... 103
  Checking for conflicts and matching candidates ... 107
  Mapping UNIX profiles to Active Directory accounts ... 111
  Resolving conflicts for pending users and groups ... 119
  Resolving other issues for pending users and groups ... 121
  Making imported information available to NIS clients ... 123

Chapter 7  Managing group profiles ... 125
  Creating group profiles for Active Directory groups ... 125
  Managing Active Directory group membership ... 128
  Adding members to a default primary group ... 130
  Marking a group profile as required ... 134
  Adding groups from another trusted forest ... 135
  Modifying zone-specific settings for a group profile ... 136
  Modifying the group object's properties ... 137
  Customizing additional settings for groups ... 138
  Assigning groups to DirectAuthorize roles ... 139
  Running reports for groups ... 139

Chapter 8  Managing user profiles ... 141
  Understanding group-based filtering for users ... 142
  Using a default primary group for new user profiles ... 143
  Adding Active Directory users to zones ... 144
  Adding users from another trusted forest ... 146
  Setting or changing a user's primary group ... 148
  Adding multiple profiles for a user to a zone ... 150
  Enabling and disabling multiple users in a zone ... 151
  Modifying zone-specific settings for a user profile ... 151
  Modifying the user profile and object properties ... 152
  Working with read-only domain controllers ... 153
  Applying password policies and changing passwords ... 154
  Working in disconnected mode ... 156
  Mapping local UNIX accounts to Active Directory ... 157
  Setting a local override account ... 161
  Customizing other settings for users ... 161
  Assigning users to DirectAuthorize roles ... 162
  Running reports for users ... 162

Chapter 9  Defining rights and roles ... 165
  Understanding DirectAuthorize rights and roles ... 166
  Verifying system requirements for DirectAuthorize ... 173
  Initializing DirectAuthorize for a zone ... 174
  Defining specific rights ... 177
  Creating roles for job functions in a zone ... 198
  Assigning users and groups to a role ... 201
  Limiting the scope of a role to a specific computer ... 203
  Working within assigned roles ... 205
  Cloning and renaming a role ... 209
  Exporting and importing rights and roles ... 209
  Modifying rights, roles, and role assignments ... 213
  Viewing rights and roles ... 213
  Running reports for roles and rights ... 217

Chapter 10  Managing license containers and keys ... 219
  Understanding how licensing works ... 219
  Adding license containers ... 221
  Assigning a specific license container to a zone ... 224
  Viewing the license summary ... 225
  Adding license keys ... 227
  Removing a license key ... 229
  Running reports for licenses ... 229

Chapter 11  Generating predefined and custom reports ... 231
  Understanding the importance of reports ... 231
  Understanding the default report definitions ... 232
  Understanding current and snapshot results ... 235
  Generating a report from current or saved results ... 237
  Creating and modifying report definitions ... 245
  Exporting and importing report definitions ... 251
  Configuring SMTP for emailing reports ... 252

Chapter 12  Managing network information with NIS maps ... 253
  Understanding the servicing of NIS client requests ... 253
  Preparing for agentless authentication ... 256
  Installing and configuring the NIS server ... 262
  Configuring the NIS clients ... 268
  Checking the derived passwd and group maps ... 274
  Importing and creating additional NIS maps ... 275
  Changing the map type ... 281
  Maintaining map records in Active Directory ... 282

Chapter 13  Troubleshooting authentication and authorization ... 285
  Analyzing zone information in Active Directory ... 286
  Configuring logging for Centrify DirectControl ... 298
  Collecting diagnostic information ... 302
  Working with DNS, Active Directory, and DirectControl ... 303
  Filtering the objects displayed ... 309

Appendix A  Using Centrify DirectControl UNIX commands ... 311
  Understanding when to use command line programs ... 313
  Displaying usage information and man pages ... 314
  Understanding common result codes ... 314
  Using adjoin ... 317
  Using adleave ... 335
  Using adcheck ... 341
  Using adlicense ... 343
  Using adpasswd ... 344
  Using adupdate ... 348
  Using adquery ... 375
  Using adgpupdate ... 387
  Using adinfo ... 389
  Using addebug ... 400
  Using adobfuscate ... 401
  Using adrmlocal ... 408
  Using adfinddomain ... 410
  Using adfixid ... 412
  Using adflush ... 423
  Using adid ... 424
  Using adkeytab ... 426
  Using adsmb ... 470
  Using adsetgroups ... 472
  Using adclient ... 475
  Using adcache ... 477
  Using adreload ... 480
  Using addns ... 482
  Using dzdo ... 487
  Using dzinfo ... 499
  Using dzsh ... 504
  Using nisflush ... 508
  Using OpenLDAP commands ... 509

Appendix B  Domain controller versions for Centrify DirectControl ... 513

Index ... 515
Intended audience
This Administrator's Guide provides complete information for managing users, groups, computers, and zones with Centrify DirectControl and Active Directory. This guide is intended for system, network, and database administrators who are responsible for managing user access to servers, workstations, enterprise applications, and network resources. This guide does not, however, cover planning or installation details. For complete information about planning a deployment and installing Centrify DirectControl on Windows and non-Windows computers, see the Planning and Deployment Guide.

Because the Centrify Suite, Standard Edition, includes components that are installed in the Windows environment and on the Linux, UNIX, or Mac OS X computers you intend to manage, this guide assumes you have a working knowledge of performing administrative tasks across these different environments. If you are unfamiliar with any of the operating environments you need to support, you may need to consult additional, operating system-specific documentation to perform certain tasks or understand certain concepts. This guide also assumes basic, but not expert, knowledge of how to perform common tasks. If you are an experienced administrator, you may be able to simplify or automate some tasks described in this guide using platform-specific scripts or other tools.
Chapter 2, About the Centrify DirectControl architecture and operation, provides an overview of the key components of the Centrify DirectControl architecture and how these components provide authentication services.

Chapter 3, Installing and starting Centrify DirectControl, summarizes the steps for installing Centrify DirectControl on Windows and on computers to be managed by Centrify DirectControl. For more complete information about installing Centrify DirectControl, see the Planning and Deployment Guide.

Chapter 4, Managing zones, describes how to create new zones and how to manage zone properties.

Chapter 5, Managing computers, describes how to add computers to an Active Directory domain, how to create and modify computer account properties, and how to change the domain for a UNIX computer.

Chapter 6, Importing existing users and groups, describes how to import information from existing identity stores such as the local /etc/passwd and /etc/group configuration files or existing NIS domains.

Chapter 7, Managing group profiles, describes how to define UNIX-based profiles for Active Directory groups and how to manage access and profile information for those groups.

Chapter 8, Managing user profiles, describes how to define UNIX-based profiles for Active Directory users and how to manage access and profile information for those users.

Chapter 9, Defining rights and roles, describes how to define the operations that users in different roles in the organization can perform and how to assign users and groups to roles to enforce the rules you define using DirectAuthorize.

Chapter 10, Managing license containers and keys, describes how to view and update Centrify DirectControl license keys.

Chapter 11, Generating predefined and custom reports, describes how to generate, filter, and export information about users, groups, computers, zones, and role assignments using the Centrify Report Center.

Chapter 12, Managing network information with NIS maps, describes the Centrify DirectControl Network Information Service, how to configure computers to use the Centrify DirectControl Network Information Service for agentless authentication, and how to manage NIS maps stored in Active Directory.

Chapter 13, Troubleshooting authentication and authorization, describes how to use diagnostic tools and log files to retrieve information about the operation of Centrify DirectControl.

Appendix A, Using Centrify DirectControl UNIX commands, provides reference information for the Centrify DirectControl command line programs.

Appendix B, Domain controller versions for Centrify DirectControl, lists the required versions and functional levels of the Microsoft Windows domain controllers that support Centrify DirectControl and Centrify DirectAuthorize, versions 4.2 and later.

In addition to these chapters, an index is provided for your reference.
to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments. Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms. Italics are used for book titles and to emphasize specific words or terms.

For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted.

The variable release is used in place of a specific release number in the file names for individual Centrify DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the Centrify DirectControl Agent for Solaris on SPARC available on the Centrify DirectControl CD or in a Centrify DirectControl download package. On the CD or in the download package, the file name indicates the Centrify DirectControl version number. For example, if the software package installs Centrify DirectControl version number 4.2.0 for the Sun Solaris operating system on a SPARC server, the full file name is centrifydc-4.2.0-sol8-sparc-local.tgz.
In addition, all of the documentation for the Centrify Suite, Standard Edition, is available in searchable Adobe Portable Document Format (PDF).
and UNIX command line programs. The Administrator's Guide focuses on managing your environment after deployment.

Web Console User's Guide describes how to perform administrative tasks for zones using the Centrify DirectControl Web Console. The DirectControl Web Console enables you to perform a subset of DirectControl tasks by connecting to a Web server from computers that do not have the Administrator Console installed.

Group Policy Guide describes the Centrify DirectControl group policies you can use to customize user-based and computer-based configuration settings. This guide provides an overview of how group policies are applied and how to install and enable DirectControl-specific policies.

Configuration Parameters Reference Guide provides reference information for the Centrify DirectControl configuration parameters that enable you to customize your environment. Many of these settings can also be controlled through group policies.

Administrator's Guide for Mac OS X provides information for Mac OS X system administrators about the administrative issues and tasks that are specific or unique to a Mac OS X environment. If you are deploying in an environment with Mac OS X servers or workstations, you should refer to this guide for information about the group policies that only apply to Mac OS X computers and users.

NIS Administrator's Guide provides information about installing and configuring the Centrify DirectControl Network Information Service (adnisd) and NIS clients to incorporate NIS maps into an Active Directory environment. If you are planning to use both the Centrify DirectControl Agent and Centrify DirectControl Network Information Service to support NIS clients, you should refer to this guide for information about how to import and manage NIS maps in Active Directory.

Authentication Guide for Apache describes how to use Centrify DirectControl with Apache servers and applications to provide authentication and authorization services through Active Directory. If you are using Centrify DirectControl with Apache, you should refer to this supplemental documentation for details about how to configure your Apache server to use Centrify DirectControl and Active Directory.

Authentication Guide for Java Applications describes how to use Centrify DirectControl with J2EE applications to provide authentication and authorization services through Active Directory. If you are using Centrify DirectControl with Java servlets, such as Tomcat, JBoss, WebLogic, or WebSphere, you should refer to this supplemental documentation for details about how to configure your applications to use Centrify DirectControl and Active Directory.

Individual UNIX man pages provide command reference information for the Centrify DirectControl UNIX command line programs.

In addition to the Centrify DirectControl documentation, you may want to consult the documentation for your Windows, Linux, UNIX, or Mac OS X operating system, or the documentation for Microsoft Active Directory. This information can help you get the most out of Centrify DirectControl.
Contacting Centrify
If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify products, support, services, and upcoming events. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.
Chapter 1
Introduction
This chapter provides an introduction to identity, access, and configuration management and to the main components of the Centrify Suite 2010, Standard Edition, including a brief overview of the ways Centrify DirectControl and Centrify DirectAuthorize can help organizations leverage their investment in Active Directory. The following topics are covered:

  Understanding identity and access management
  Why integrate with Active Directory?
  What is the Centrify DirectControl solution?
  What does DirectAuthorize provide?
  What can you do after you deploy?
UNIX and Linux systems, but they are typically isolated from each other and managed separately.

UNIX and Linux computers:
  Local accounts stored in local files on individual UNIX servers and workstations
  NIS and NIS+ servers and account maps provide a central repository for UNIX accounts
  Kerberos realms and Key Distribution Center provide authentication for some users and services
  LDAP authentication for LDAP transactions

Windows computers:
  Active Directory forests with Kerberos authentication and LDAP directory service
Users who have access to more than one application or computer platform often have multiple login accounts with conflicting user name or password policy requirements. In addition, individual applications and services may use any of these standard mechanisms or have their own specialized authentication method. Because managing user accounts and access using all of these different mechanisms across an enterprise is impractical, Centrify DirectControl provides a way to centralize and simplify the management of user accounts and access to computers and applications through Active Directory.
services such as messaging or database transactions. For Windows 2000, Windows XP, and Windows Server 2003, Active Directory is the core technology for managing users, computers, and other resources, and, therefore, is a requirement for any organization that manages Windows resources. In addition to being a key component of the organization's infrastructure, Active Directory provides a complete set of tools for authentication, authorization, and directory service, making it an ideal candidate for managing user accounts and access to computer resources. By extending Active Directory to manage Linux, UNIX, and Mac OS X computers, Centrify DirectControl provides administrators with a comprehensive identity and access management solution while reducing administrative complexity and overhead.
  Move to a central directory with a single point of administration for user accounts and security policy.
  Use Centrify DirectControl Zones to provide secure, granular access control and delegated administration.
  Extend Web single sign-on to internal end-users and external business partners and customers.
  Simplify compliance with regulatory requirements.
  Deploy quickly without intrusive changes to the existing infrastructure.
  Enforce consistent security and configuration policies across UNIX, Linux, and Mac OS X servers and workstations by adding Centrify DirectControl group policy templates for computer- and user-based configuration settings to Windows Group Policy Objects.
  Improve productivity and satisfaction for end-users, who now have only one password to remember, and make fewer Help Desk calls to reset passwords or update their account information.
can access, and which users can access any specific computer or application. By extending Active Directory's password requirements and Group Policy features to UNIX, Linux, and Mac OS X servers and workstations, Centrify DirectControl enables IT managers to enforce consistent, enterprise-wide security policies in a manner that can be verified by auditors. Centrify DirectControl ensures activity on UNIX, Linux, and Mac OS servers and workstations is written to the proper Active Directory logs, providing an audit trail for verifying system access.
to this base agent to provide services such as SSO for Web applications or Samba integration. Centrify accelerates an organization's productivity by offering free downloads of Open Source tools such as OpenSSH and PuTTY, which have been optimized to work seamlessly with Active Directory through Centrify DirectControl.
Deploy a highly available solution for privilege management that works well in a networked environment and does not require changes to your UNIX systems.
As part of an integrated suite of tools, Centrify DirectControl and Centrify DirectAuthorize provide a simple, scalable solution for managing the cross-platform environment.
When a computer is managed by Centrify DirectControl, authorized users can perform the following common tasks:
Log on to the UNIX shell or desktop program and use standard programs and services such as telnet, ssh, and ftp.
Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
Manage their Active Directory passwords directly from the UNIX command line, provided they can connect to Active Directory.
Chapter 2
DirectControl managed system and it can join any Active Directory domain you choose. When a Centrify DirectControl managed system joins an Active Directory domain, it essentially becomes an Active Directory client and relies on Active Directory to provide authentication, authorization, policy management, and directory services. The interaction between the Centrify DirectControl Agent on the local computer and Active Directory is similar to the interaction between a Windows XP client and its Active Directory domain controller, including failover to a backup domain controller if the UNIX computer is unable to connect to its primary domain controller. The following figure provides a simplified view of the integration between Windows and UNIX through Centrify DirectControl.
[Figure: integration between Windows and UNIX through Centrify DirectControl. Windows side: Centrify DirectControl management tools, the Centrify DirectControl property extensions, and the Centrify DirectControl Administrator Console.]
To centrally manage access across different platforms using Microsoft Active Directory, you need to:
Prepare the Active Directory environment by installing the Centrify DirectControl Administrator Console on at least one Windows computer to update the Active Directory forest with Centrify DirectControl properties.
Ensure each UNIX, Linux, or Mac OS X computer can communicate with an Active Directory domain controller to present valid credentials for authentication. For successful communication, the managed computer should be able to resolve the address of its Active Directory domain controller through DNS.
Install the Centrify DirectControl Agent (adclient) on the UNIX, Linux, or Mac OS X computers that will be joining an Active Directory domain.
Run the join command and specify the Active Directory domain to join on each UNIX, Linux, or Mac OS X computer to be managed.
Use Active Directory Users and Computers or the Centrify DirectControl Administrator Console to authorize access to the UNIX, Linux, and Mac OS X computers for specific users and groups.
Now that you are familiar with the basics, the next sections provide a closer look at what's included in the Centrify DirectControl administrative tools installed on Windows and the Centrify DirectControl Agent installed on other platforms.
DirectControl properties. You do this by selecting one or both of the following components:
The Centrify DirectControl property extensions for Active Directory can be installed on any computer that is joined to an Active Directory domain and has Active Directory Users and Computers installed. The property extensions allow you to use Active Directory Users and Computers to store UNIX-specific attributes. You are not required to install the property extensions if you do not intend to use Active Directory Users and Computers to view or manage UNIX-specific attributes.
The Centrify DirectControl Administrator Console must be installed on at least one computer that can access domains in Active Directory. The Centrify DirectControl Administrator Console provides a central location for managing UNIX users, groups, and computers and performing administrative tasks, such as importing accounts, running reports, and analyzing account information. The Centrify DirectControl Administrator Console includes a Setup Wizard that updates the Active Directory forest to include Centrify DirectControl properties the first time you start the console. The update to the Active Directory forest does not make any changes to the underlying Active Directory schema you have installed. Some optional components require the Centrify DirectControl Administrator Console to be installed on the same computer. For example, the Extension for NIS Maps can only be installed on a computer where you install the Centrify DirectControl Administrator Console. For more information about installing optional components, see Choosing optional DirectControl components on page 35.
Note
The Centrify DirectControl Administrator Console is a Microsoft Management Console (MMC) snap-in. It is the primary console for managing Centrify DirectControl properties because it provides access to a full spectrum of management activities that are specific to DirectControl. A separate Centrify DirectControl Web Console provides Web-based access to a subset of these administrative activities. The Centrify DirectControl Web Console is not a substitute for the Centrify DirectControl Administrator Console MMC snap-in, but can be used separately to perform common tasks. For more information about adding the Centrify DirectControl Web Console to your environment, see Understanding the DirectControl Web Console on page 36.
computer where you install the Centrify DirectControl Administrator Console. The Zone Generator enables you to programmatically populate new zones with existing information. The following figure provides a simplified view of the architecture.
[Figure: Centrify DirectControl architecture. Windows environment: DirectControl Administrator Console, DirectControl Property Extensions, Active Directory Users and Computers, and the Active Directory Domain Controller. UNIX environment: adclient running on each managed computer.]
For more information about installing and using the Centrify DirectControl Web Console to perform administrative tasks, see the Web Console Users Guide and the Web Console online help.
The following figure provides a closer look at the services provided through the Centrify DirectControl Agent:
[Figure: services provided through the Centrify DirectControl Agent. The agent consists of adclient, the Centrify DirectControl Service Library, the PAM module, the NSS module, the Kerberos environment, and command line programs; it serves core services for UNIX shell programs and applications, Kerberos-enabled applications, and add-on modules (Apache, JAAS realm, SPNEGO, NIS), and communicates with the Active Directory Domain Controller.]
As this figure suggests, the Centrify DirectControl Agent includes the following core components:
The core Centrify DirectControl Agent is the adclient process that handles all of the direct communication with Active Directory. The agent contacts Active Directory when there are requests for authentication, authorization, directory assistance, or policy updates, then passes valid credentials or other requested information along to the programs or applications that need this information.
The Centrify DirectControl Pluggable Authentication Module, pam_centrifydc, enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory.
The Centrify DirectControl NSS module is added to the nsswitch.conf so that system look-up requests use the Centrify DirectControl agent to look up and validate information using Active Directory through LDAP.
The Centrify DirectControl command line programs (CLI) enable you to perform common administrative tasks, such as joining and leaving the Active Directory domain or changing user passwords for Active Directory accounts from the UNIX command prompt. These command line programs can be used interactively or in scripts to automate tasks.
The Centrify DirectControl Kerberos environment generates a Kerberos configuration file (/etc/krb5.conf) and a default key table (krb5.keytab) to enable your Kerberos-enabled applications to authenticate through Active Directory. These files are maintained by the Centrify DirectControl Agent and are updated to reflect any changes in the Active Directory forest configuration.
The Centrify DirectControl local cache stores user credentials and other information for offline access and network efficiency.
In addition to these core components, the Centrify DirectControl Agent can also be extended with the following add-on modules:
The Centrify DirectControl libraries for Apache, Tomcat, JBoss, WebLogic, or WebSphere plug in to the native authentication mechanisms for each Web server to enable you to configure Web applications to use Active Directory for authentication.
The Centrify DirectControl Network Information Service (adnisd) is a separate service that works in conjunction with the Centrify DirectControl agent to enable you to store NIS maps in Active Directory and publish that information to NIS clients through Centrify DirectControl.
Optional utilities and programs, such as updated Kerberos, OpenSSH, OpenLDAP, Samba, or PuTTY utilities, that have been optimized to work with Centrify DirectControl and Active Directory.
When a user starts the UNIX computer, the following takes place:
1 A login process starts and prompts the user to supply a user name.
2 The user responds by entering a valid local or Active Directory user name.
3 The login process, which is a PAM-enabled program, then reads the PAM configuration file, /etc/pam.conf, and determines that it should use the Centrify DirectControl PAM service, pam_centrifydc, for identification. The UNIX login process then passes the log-in request and the user name to the Centrify DirectControl Pluggable Authentication Module (PAM) service for processing.
4 The PAM service checks parameters in the Centrify DirectControl configuration file to see if the user name entered is an account that should be authenticated locally. If the user should be authenticated locally, the PAM service passes the log-in request to the next PAM module in the PAM configuration file, for example, to the local configuration file /etc/passwd. If the user is not set to be authenticated locally, the PAM service checks to see if the Centrify DirectControl agent process, adclient, is running. If it is, the PAM service passes the log-in request and user name to adclient for processing.
5 The adclient process connects to Active Directory and queries the Active Directory domain controller to determine whether the user name included in the request is a Centrify DirectControl user who has access to computers in the current computer's zone. If adclient is unable to connect to Active Directory, it queries the local cache to determine whether the user name has been successfully authenticated before. If adclient can connect to Active Directory but the user account does not have access to computers in the current zone, or if the user can't be found in Active Directory or the local cache, adclient checks the Centrify DirectControl configuration file to see if the user name is mapped to a different Active Directory user account. If the user name is mapped to another Active Directory account in the configuration file, adclient queries the Active Directory domain controller or local cache to determine whether the mapped user name has access to computers in the current computer's zone.
6 If the user has a UNIX profile for the current zone, adclient receives the zone-specific information for the user, such as the user's UID, the user's local UNIX name, the user's global Active Directory user name, the groups of which the user is a member, the user's home directory, and the user's default shell.
7 The adclient process queries through the NSS service to determine whether there are any users logged in with the same UID. If there are no conflicts, the log-in request continues and adclient passes the request to the PAM service to have the UNIX login process prompt for a password.
DirectControl configuration file to see if any user or group filtering has been specified to allow or deny access to specific user or group accounts. If any filtering has been specified, the current user is either allowed to continue with the login process or denied access.
10 If the current user account is not prevented from logging on by user or group filtering, the PAM service queries adclient to see if the user is authorized to log on.
11 The adclient process queries the Active Directory domain controller through Kerberos to determine whether the user is authorized to log on to the current computer at the current time.
12 The adclient process receives the results of its authorization request from Active Directory and passes the reply to the PAM service. If the user is not authorized to use the current computer or to log in at the current time, the PAM service denies the user's request to log on through the UNIX login process. If the user's password has expired, the PAM service sends a request through the UNIX login process asking the user to change the password. After the user supplies the password, log-in succeeds. If the user's password is about to expire, the PAM service notifies the user of impending expiration through the UNIX login process. If the user is authorized to log on and has a current password, the login process completes successfully. If this is the first time the user has logged on to the computer through Centrify DirectControl, the PAM service creates a new home directory on the computer in the location specified in the Centrify DirectControl configuration file by the parameter pam.homeskel.dir.
The following figure provides a simplified view of a typical log-on process when using Centrify DirectControl.
[Figure: simplified view of a typical log-on process. The user starts a UNIX log-on using a command such as login, telnet, or ssh; /etc/centrifydc.conf settings are checked for override, allow, deny, and password expiration; adclient and Kerberos applications communicate with the Active Directory Domain Controller.]
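To make the branching in steps 4 through 12 concrete, the following Python model walks the same checks in the documented order. It is an added example written for this page, not Centrify code; the account names, the outcome labels, and the password check placed between step 7 and step 10 (the extracted text does not show those steps) are assumptions.

```python
"""Constructed model of the DirectControl log-on decision order (not Centrify code)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class ZoneProfile:
    """Zone-specific UNIX profile that adclient returns in step 6."""
    ad_name: str      # global Active Directory user name
    unix_name: str    # local UNIX name in this zone
    uid: int
    home: str
    shell: str


@dataclass
class Host:
    """One managed computer plus the slice of Active Directory it can see."""
    local_accounts: set               # /etc/centrifydc.conf: authenticate locally
    adclient_running: bool
    ad_reachable: bool
    zone_profiles: dict               # AD: ad_name -> profile for users with access in this zone
    cache: dict                       # local cache: users authenticated here before
    user_map: dict                    # /etc/centrifydc.conf: entered name -> AD account
    logged_in_uids: set               # what the NSS lookup reports in step 7
    deny_users: set = field(default_factory=set)   # user filtering from the config file
    allow_users: Optional[set] = None              # None means no allow list configured
    authorized: set = field(default_factory=set)   # AD answer to "may log on here, now"
    expired: set = field(default_factory=set)      # accounts whose password has expired


def lookup_profile(host: Host, ad_name: str) -> Optional[ZoneProfile]:
    """Step 5: ask the domain controller if reachable, else the local cache."""
    source = host.zone_profiles if host.ad_reachable else host.cache
    return source.get(ad_name)


def login(host: Host, entered_name: str, password_ok: bool) -> Tuple[str, Optional[ZoneProfile]]:
    """Walk the documented checks in order and return (outcome, profile)."""
    # Step 4: locally authenticated names go to the next PAM module, never to adclient.
    if entered_name in host.local_accounts:
        return "LOCAL_PAM", None
    if not host.adclient_running:
        return "ADCLIENT_NOT_RUNNING", None

    # Step 5: zone membership via AD or cache; on failure retry with the mapped account.
    profile = lookup_profile(host, entered_name)
    if profile is None and entered_name in host.user_map:
        profile = lookup_profile(host, host.user_map[entered_name])
    if profile is None:
        return "NO_ZONE_PROFILE", None

    # Step 7: NSS check for another logged-in user holding the same UID.
    if profile.uid in host.logged_in_uids:
        return "UID_CONFLICT", profile

    # Step 7 ends with the password prompt; a boolean stands in for verification (assumption).
    if not password_ok:
        return "BAD_PASSWORD", profile

    # User filtering from the configuration file (group filtering is not modelled).
    if profile.ad_name in host.deny_users:
        return "DENIED_BY_FILTER", profile
    if host.allow_users is not None and profile.ad_name not in host.allow_users:
        return "DENIED_BY_FILTER", profile

    # Steps 10-12: authorization for this computer at this time (cached answer when offline).
    if profile.ad_name not in host.authorized:
        return "NOT_AUTHORIZED", profile

    # Step 12: an expired password forces a change, after which the log-on succeeds.
    if profile.ad_name in host.expired:
        return "OK_PASSWORD_CHANGE_REQUIRED", profile
    return "OK", profile


def sample_host(ad_reachable: bool = True) -> Host:
    """Constructed sample zone: three AD users, one local account, one mapping."""
    alice = ZoneProfile("alice@example.test", "alice", 10001, "/home/alice", "/bin/bash")
    bob = ZoneProfile("bob@example.test", "bob", 10002, "/home/bob", "/bin/sh")
    carol = ZoneProfile("carol@example.test", "carol", 10001, "/home/carol", "/bin/bash")
    return Host(
        local_accounts={"root"},
        adclient_running=True,
        ad_reachable=ad_reachable,
        zone_profiles={p.ad_name: p for p in (alice, bob, carol)},
        cache={alice.ad_name: alice},            # only alice has logged on here before
        user_map={"admin": alice.ad_name},
        logged_in_uids=set(),
        deny_users={bob.ad_name},
        authorized={alice.ad_name, bob.ad_name, carol.ad_name},
        expired={carol.ad_name},
    )
```

Calling `login(sample_host(ad_reachable=False), "bob@example.test", True)` shows the offline path: bob was never cached, so the attempt ends at step 5 with NO_ZONE_PROFILE even though Active Directory would authorize him.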
[Figure: NIS client requests submitted to the NIS listening port are answered by adnisd from NIS maps generated from information in Active Directory; adnisd obtains that information through adclient and the local cache for the zone (example zone: ConsumerDivision), with adclient talking to the Active Directory Domain Controller.]
In this scenario, the Centrify DirectControl zone acts as the NIS domain for a group of computers or devices that are configured as NIS clients. Those clients submit requests to the Centrify DirectControl Network Information Service, adnisd, listening on the NIS port. The Centrify DirectControl Network Information Service periodically contacts the Centrify DirectControl Agent, adclient, to get updated information from Active Directory and generates a set of maps that it stores locally. The Centrify DirectControl Network Information Service can then use the information in these maps to respond to NIS client requests for authentication or other services.
Chapter 3
access to at least one Windows computer acting as a domain controller for the Active Directory forest to which you want to add UNIX computers.
2 Check whether the domain controller you have access to or another computer is the primary DNS server. You should also verify the DNS server allows secure dynamic updates and your domain controllers are configured to publish updated service locator (SRV) records.
To verify DNS is configured to allow communication, use the ping command to try to connect to the domain controller from the UNIX computer and to connect to the UNIX computer from the domain controller.
Note
install the Centrify DirectControl Administrator Console has the Active Directory Users and Computers MMC snap-in installed if you want to use Active Directory Users and Computers to manage DirectControl-enabled accounts. Active Directory Users and Computers is not required if you only plan to use the Centrify DirectControl Administrator Console to manage DirectControl-enabled accounts.
4 Verify that you have a user account and password with sufficient rights to update the Active Directory forest with container objects and root level access for installing the Centrify DirectControl Agent on non-Windows computers.
5 Verify that all of the computers where you are planning to install Centrify DirectControl components meet the basic system requirements for installing Centrify DirectControl. You can check operating system, disk space, DNS resolution, network connectivity, and other requirements on target agent computers by running the optional adcheck program. The adcheck program helps to ensure target computers meet the system requirements necessary to install the Centrify DirectControl Agent and join an Active Directory domain. For more information about using this program, see the Planning and Deployment Guide.
environment on the Centrify DirectControl CD or in the folder extracted from a Centrify DirectControl download package.
2 Double-click the appropriate setup program for the Windows 32-bit or Windows 64-bit environment to start the installation of the Centrify Suite 2010. If the current computer configuration must be updated before installing, the setup program displays the updates required and allows you to install the required programs. After you have installed the required programs, you can restart the setup program.
3 At the Centrify Suite 2010 Welcome page, click Next.
4 Select the type of Centrify Suite 2010 you want to install, then
Standard Administrator
Enterprise Administrator
Install the Centrify Suite 2010, Developer Edition, which includes all of the components in the Centrify Suite 2010, Enterprise Edition, plus the following: Console extensions for integrating with Microsoft Identity Integration Server. Centrify SDK sample programs and documentation.
type of suite you selected, then click Next to proceed if you want to install the default set of packages. If you want to skip the installation of any package on the local computer, click to uncheck the item you want to skip, then click Next.
6 Verify the packages you have selected for installation, then click Next.
7 The Centrify Suite 2010 setup program then starts the setup program for each item you selected to install. Follow the prompts displayed for each package to complete its installation. For example, if you are installing the Centrify DirectControl Administrator Console, you are prompted to:
Review the terms of the license agreement.
Type your name and organization.
Select the folder location for installing DirectControl components.
Select the components and extensions you want to install.
Specify whether you want to disable the publisher verification to skip verification for best startup performance or force verification when applications are started.
Verify your installation settings, then click Next.
8 When setup is complete for all of the packages you are installing as part of the suite, click Finish to close the Centrify Suite 2010 setup program.
DirectControl Administrator Console and click Start > All Programs > Centrify> Centrify DirectControl.
2 Verify the name of the domain controller displayed is a member of the Active Directory forest you want to update or type the name of a different domain controller if you want to connect to a different forest, then click OK.
3 At the Welcome page, click Next.
4 Select Use currently connected user credentials to use your current log on account or select Specify alternate user credentials and type a user name and password, then click Next.
5 Select a location for installing license keys in Active Directory, then click Next. The default container for license keys is domain_name/Program Data/Centrify/Licenses. To create or select a container object in a different location, click Browse. You can also add other License containers in other locations later using the Manage Licenses dialog box.
6 Review the permission requirements for the container, then
permanent license keys. If you have purchased licenses and want to install those license keys, select Install the following license keys, type the 24-character license key you received, then click Add or click Import to import the keys directly from a file.
8 Select Create default zone container and specify a location for the Zones container, then click Next. The default container location for zones is domain_name/Program Data/Centrify/Zones. The default zone and any other zones you create are placed in this container location by default. You can create a new container object or select an existing container object.
Note
When you select this option, Centrify DirectControl creates both the parent container for zones and a default first zone for evaluation or a pilot deployment. You can modify the properties for the default zone after running the Setup Wizard, if needed, or remove the zone if you choose not to use it.
default zone.
10 Select the container location and type for the default zone, type a description of the zone, and specify the master domain controller to use for the zone, then click Next.
11 Check the Specify a zone that contains Unix profile information for users and groups option if you want to add users or groups from an existing zone in the Active Directory forest. If you check this option, click Find to search for and select the zone that contains existing user and group profiles, then click Next.
Note
In most cases, you leave this option unchecked when creating a default zone for evaluation or a pilot deployment. This option is more useful when adding zones after completing the initial configuration of Centrify DirectControl.
12 Type the numeric user identifier (UID) you want to start with
use as the default primary group for users in the default zone, type the UNIX group identifier (GID) and UNIX group name to use, then click Next.
17 Click Next if you are configuring a standard Centrify DirectControl zone without agentless authentication. For more information about agentless authentication, see the Planning and Deployment Guide.
18 Check the Grant computer accounts in the Computers container permission to update their own account information option to give each UNIX computer account permission to manage its own account password, then click Next.
19 Select Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in if you want to automatically maintain the integrity of the data stored in Centrify UNIX profiles, then click Next.
20 Select Activate Centrify profile property pages if you want to be able to display the properties in Centrify DirectControl profiles in any Active Directory context, then click Next.
This setting is not required to display the Centrify DirectControl property pages when using Active Directory Users and Computers or the Centrify DirectControl Administrator Console. If you only need to access Centrify DirectControl properties from Active Directory Users and Computers or the Centrify DirectControl Administrator Console, leave this option unchecked and click Next.
21 Review and confirm your configuration settings, click Next, then click Finish. For information about modifying zone properties after configuring the first zone, see Changing zone properties on page 71.
computer running Linux or UNIX, or log on with a valid user account if you are installing on a computer with the Mac OS X operating system.
Note
You are not required to log on as the root user on Mac OS X computers, but you must know the password for the Administrator account to complete the installation.
2 Mount the cdrom device using the appropriate command for the local computer's operating environment, if it is not automatically mounted.
network where the Centrify DirectControl agent package is located. For example, to install on a Linux computer from the Centrify DirectControl CD, change to the Agent_Linux directory:
cd Agent_Linux
Similarly, if you are installing on a Mac OS X computer, change to the Agent_Mac directory.
4 Run the install.sh script to start the installation of Centrify
Follow the prompts displayed to select the services you want to install and the tasks you want to perform. For example, you can choose whether you want to join a domain or restart the local computer automatically at the conclusion of the installation.
services will reread the name switch configuration file. As an alternative to restarting individual services, you may want to reboot the system to restart all services. Because the applications and services on different servers may vary, Centrify recommends you reboot each system to ensure all of the applications and services on the system read the Centrify DirectControl configuration changes at your earliest convenience.
Note
Chapter 4
Managing zones
This chapter describes how to use the Centrify DirectControl Administrator Console to create zones and manage zone properties. It also shows how to manage without zones by using Auto Zone. The following topics are covered:
Using the Centrify DirectControl Setup Wizard
Creating a new zone
Opening and closing zones
Delegating control of administrative tasks
Changing zone properties
Changing the master domain controller
Adding a computer to a zone
Changing the location of a zone in Active Directory
Converting a standard DirectControl zone to RFC 2307
Using the Zone Generator to populate new zones
Running reports for zones
Searching for profiles in a zone
Understanding Auto Zone
For information about zone types, strategies for using zones, and planning the migration of users and groups to zones, see the Planning and Deployment Guide.
object for new zones, you can re-run the Setup Wizard to make this change. When you re-run the Setup Wizard, the steps you see depend on the specific steps you took during the initial configuration of Centrify DirectControl. Follow the instructions displayed to make changes to the Centrify DirectControl environment.
Unless you join to the domain through Auto Zone (see Understanding Auto Zone on page 80), you must either create the default zone using the Setup Wizard, or create at least one new zone before you begin adding computers to the Active Directory domain. Computers are automatically added to the default zone when you join them to the domain unless you specify a different zone, or join to Auto Zone. For more information about configuring zone properties for an existing zone, see Changing zone properties on page 71. Whether you choose to create the default zone or not, you can use the Create New Zone wizard to create as many zones as you need. You can create the zones in the default Zones container object or in other containers or organizational units within Active Directory. To create new zones, however, you must be a domain administrator or have the permissions described in the Planning and Deployment Guide. Once you create a zone, you can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. In most cases, only the user who creates a zone has the appropriate rights to delegate administrative tasks to other users. To create a new Centrify DirectControl zone:
1 Open the Centrify DirectControl Administrator Console.
2 If you are not currently connected to the appropriate forest,
4 Type the zone name and description and specify the parent container, object type, and primary domain controller for the new zone, then click Next. For example:
Zone name: Type a name for the zone. The zone name can start with any alphanumeric character or an underscore character (_), followed by any combination of alphabetic, numeric, underscore (_), hyphen (-), or period (.) characters up to a maximum length of 64 characters. For example: paris1.france-tgv.org
Parent container: Specify the parent container for this zone. By default, the parent location is the container you specified in the Setup Wizard. If you want to select a different location for this zone, click Browse and navigate to the container or organizational unit you want to use as the parent for this zone. If you are not using the default parent container, you can click Create to create a new container or organizational unit or select an existing container or organizational unit, then click OK.
Note
In selecting a location for a zone, keep in mind that individual zones should never be nested inside of another named zone. You can use any other Active Directory parent container or organizational unit, but not another zone object. In addition, you should never put any Active Directory objects, such as user or computer objects, into zone containers. For more information about planning how to add Centrify DirectControl objects to Active Directory, see the Planning and Deployment Guide.
Object type: Select Container or Organizational Unit to specify whether the zone should be created as a container object or an organizational unit object. If the parent container for the zone is a generic container object, the zone must be created as a container object. If the parent container is an organizational unit, the zone must be created as an organizational unit. You cannot apply Group Policy Objects to generic container objects.
Description: Type a description of the zone. You can use the description to provide more detailed information about how computers are grouped. For example, if you are grouping computers by location, you may want to use the location in the zone description. If you are organizing computers by department, you may want to specify the department in the description.
Master domain controller: Type the fully-qualified name of the primary domain controller to use for the zone. Specifying a master domain controller forces the Centrify DirectControl Administrator Console to connect to the master domain controller for all zone-related operations, such as adding and removing users and groups. Using a master domain controller helps to ensure data integrity by preventing administrators using other domain controllers from updating zone information and potentially creating duplicate UID or GID values or orphan data.
select whether you want to maintain compatibility with DirectControl 2.0 or DirectControl 3.0 if you want to manage computers with 2.x or 3.x DirectControl Agents in the zone you are creating. For example, if you want the zone to include computers with DirectControl 3.0.x agents, you can check Maintain backward compatibility and DirectControl 3.0 UNIX agent, then click Next:
If none of the computers to be included in the zone have an older version of the DirectControl Agent installed, you can leave this option unchecked and click Next to create a new zone exclusively for DirectControl 4.x agents. Selecting Maintain backward compatibility and an agent version creates a zone with slightly different properties than when this option is not selected. This option does not prevent any DirectControl Agents from joining the zone, but adding computers with 2.x or 3.x agents to a zone created strictly for 4.x agents is not a supported configuration. If you have computers with 2.0.x or 3.0.x agents that you don't want to upgrade, you should check the Maintain backward compatibility option to ensure compatibility. If all of the computers to join the zone will have the 4.0 or later agent installed, you should leave the Maintain backward compatibility option unchecked.
6 Select the type of zone to create, then click Next. The zone type identifies the schema definition to use for storing UNIX attributes in Active Directory.
Depending on the Active Directory schema you have installed and the functional level of the Active Directory forest, you can choose one of the following zone types:
Select this zone type / To do this
Standard DirectControl zone: Store UNIX properties using the standard Active Directory schema. In a standard DirectControl zone, individual users can have multiple UNIX profiles (user name, UID, shell, home directory, and primary group), and each user can be a member of as many standard zones as needed. Standard DirectControl zones can include users from any trusted domain or forest as members. This zone type is available when you use the standard Active Directory schema or when you use the Microsoft Services for UNIX or R2 schema extensions. The functional level of the domain and forest can be Windows 2000, Windows Server 2003, or Windows Server 2008. Because the Standard DirectControl zone supports more Active Directory configurations than other zone types, it is the most commonly used zone type.
DirectControl Services for UNIX (SFU) zone: Store UNIX properties using the Microsoft Windows Services for UNIX (SFU) schema extension. In a DirectControl Services for UNIX (SFU) zone, UNIX properties are stored as part of the Active Directory user object. Each user can only belong to one SFU zone, and only users in the same domain as the zone can be members of the zone. This zone type is only available if you have the Windows Services for UNIX (SFU) schema installed. The functional level of the Active Directory forest can be Windows 2000 or Windows Server 2003 for this zone type. Note If you select this zone type and click Next, you are prompted to select the Windows domain and to specify the NIS domain. Centrify DirectControl doesn't validate the NIS domain name, however. If the domain name you specify doesn't exist, Centrify DirectControl can successfully create the zone and store UNIX properties in the SFU schema, but Active Directory Users and Computers will not display the UNIX Attributes tab. If the NIS domain you specify doesn't exist, you must use the Centrify DirectControl Administrator Console to enter UNIX attributes.
Store UNIX properties using the Microsoft RFC 2307-compliant schema extension. This zone type is only available if you have the Windows Server 2003 R2 schema installed and have raised the functional level of the Active Directory forest to Windows Server 2003.
DirectControl RFC 2307-compatible SFU zone: Store UNIX properties using the Microsoft RFC 2307-compliant Services for UNIX (SFU) schema extension. This zone type is only available if you have raised the functional level of the Active Directory forest to Windows Server 2003 or Windows Server 2008.
For more information about the implications of selecting a zone type and the relationship between zone type and the Active Directory schema, see the Planning and Deployment Guide. For more information about Microsoft Services for UNIX (SFU), see the Microsoft Services for UNIX documentation. For more information about the RFC 2307 specification, see the original Request for Comments available at http://www.faqs.org/rfcs/rfc2307.
Note
information for users and groups option if you want to add users or groups from an existing zone in the Active Directory forest. This option enables you to use the existing profile information for users and groups when you add them to the new zone. If you check this option, click Find to search for and select the zone that contains the existing user and group profiles, then click Next. When you add users or groups with profiles in the selected zone to the zone you are currently creating, their UNIX profiles have the same UIDs and GIDs in the new zone as they had in the selected zone. This option is especially useful if you have a DirectControl zone or a Microsoft Services for UNIX (SFU) zone that contains master data you want to use in multiple zones.
Note
8 Type the numeric user identifier (UID) you want to start with
9 Type the numeric group identifier (GID) you want to start with
primary group for new users: Click Browse to find the existing Active Directory group to make the default primary group. In the browser, select the group to use, then click OK. Click Create to create a new Active Directory group to use as the default primary group for users in the current zone. If you are creating a new Active Directory group, you need to specify the parent container for the group, the group name, and the group scope, then click OK. For example:
Once you have selected or created the Active Directory group to use, review the UNIX profile for the group, then click Next.
13 If you want to allow agentless authentication through the Centrify DirectControl Network Information Service in the current zone, select the Support agentless clients option, then select the Active Directory attribute for storing the password hash and the name of the NIS domain the zone maps to, then click Next. If you are not allowing computers or devices to submit NIS client requests to the Centrify DirectControl Network Information Service on a Centrify DirectControl-managed computer, you can leave this option unchecked and click Next to continue creating the zone.
14 Check the selections you have made, then click Finish to
Opening a zone
To open a zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones and right-click, then click Open Zone.
3 Type all or part of the name of the zone you want to open, then
Chapter 4 Managing zones
You can use the CTRL and SHIFT keys to select multiple zones. Once you open the zones you want to work with, you should save your changes when you exit the Centrify DirectControl Administrator Console, so that the open zones are displayed by default the next time you start the console. When you save your console settings, the next time you start the Centrify DirectControl Administrator Console, the console display will be the same as when you last used the console.
Closing a zone
To close an open zone:
1 In the console tree, select the specific zone name you want to
To delegate which users and groups have control over the objects in a zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones, then select and expand the zone you are interested in, for example, open the default zone.
3 Right-click, then click Delegate Zone Control.
4 At the Welcome page, click Next.
5 Click Add to find the users, groups, or computer accounts to
search for, type all or part of the account name, then click Find Now.
7 Select one or more accounts from the list of results, then click OK.
8 When you are finished adding users and groups to which you
click Next. For example, if you want all of the members of the group you selected in the previous step to be able to perform all administrative tasks for a zone, check the All task.
The domain administrator who creates a zone has full control over the zone's properties and permission to delegate administrative tasks to other users. The user who creates a zone is also the only user who can add NIS maps to the zone. The right to create NIS maps is exclusive to the creator of a zone because it requires permission to create containers in Active Directory. The zone creator can, however, grant other users permission to add, remove, or modify NIS map entries. For each zone you create, you should identify at least one user or group that can be delegated to perform all administrative tasks. For example, if you have a Finance zone, you may want to create a Finance Admins group in Active Directory and then delegate All tasks to that group so that members of that group can manage the zone. Although you are not required to create or use a zone administrator group for every zone, assigning the management of each zone to a specific user or group simplifies the delegation of administrative tasks. If you choose to use finer-grained control, for example, allowing one group to only join computers to the domain and zone and another to only add and remove users, you should ensure the members of those groups know their restricted roles. In addition, any user or group assigned the Add users or Add groups task should also be assigned the Change zone properties task to enable the next UID and next GID properties to be updated each time a user or group is added to a zone. If you don't assign the Change zone properties task, you must manually increment the next UID and GID values.
Note
For information about the permissions set in the Zone Delegation Wizard, see the Planning and Deployment Guide.
If you delegate administrative tasks to one or more groups that have members logged on, you should inform the group members that they may need to log out and log back on before they can perform the administrative tasks assigned to the group.
and, if needed, the user credentials for connecting to the domain controller, then click OK.
3 In the console tree, select Zones to display the list of zones.
4 Select a zone and right-click, then click Properties. For example:
Default Value
UID Manager
GID Manager
because it prevents other domain controllers from adding and removing users and groups in a zone and introducing duplicate UIDs or GIDs. If you choose not to set the master domain controller, or the master domain controller is unavailable, it is possible for administrators to add users to the zone with the same UID because they are connecting to different domain controllers. Using a master domain controller ensures that administrators cannot add new users with duplicate UIDs. If you choose to use a master domain controller for a zone, you should avoid changing it, if possible. If you do need to change the master domain controller, however, you should keep the following in mind:
- The zone information is only updated in the new master domain controller when replication is complete. If you connect to the old domain controller and view zone information, the zone will display the old domain controller as its master domain controller until replication is complete for all domain controllers.
- Reports and forest analysis will not report the correct master domain controller for the zone until replication is complete between the new master domain controller and the previous master domain controller.
- You cannot refresh the information displayed in the Centrify DirectControl Administrator Console until replication is complete between the new master domain controller and the previously connected domain controller.
- You should wait for zone information to be replicated to all domain controllers before you add any new users or groups to the zone you are modifying, to prevent duplicated UIDs.
- After changing the master domain controller for one or more zones, you should run the Analyze command to check the Active Directory forest and verify that no duplicate UIDs or GIDs have been introduced.
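The duplicate-UID condition described above is what the Analyze command looks for after a master domain controller change. The following shell script is an added example, not part of this guide or the Centrify product: it runs the same kind of check over constructed passwd-format exports of two zones, reporting every numeric id that is shared by two different account names. The zone file names, the sample accounts and the find_duplicate_ids helper are assumptions of this example. Because the numeric id is the third field in both /etc/passwd and /etc/group format, the same function also finds GID collisions when given group-format files.

```sh
#!/bin/sh
# Added example (not Centrify code): report UIDs (or GIDs) that two zones
# assign to different account names. Input is passwd- or group-format text,
# one file per zone; the file names and accounts below are constructed.

set -eu

# Constructed exports of two zones. "jdoe" and "svc_build" collide on UID 5001;
# "asmith" has the same UID in both zones, which is the supported case when a
# user is added to a second zone with an existing profile and is not a conflict.
write_samples() {
  cat > "$1" <<'EOF'
jdoe:x:5001:5000:Jane Doe:/home/jdoe:/bin/bash
asmith:x:5002:5000:Alan Smith:/home/asmith:/bin/bash
EOF
  cat > "$2" <<'EOF'
svc_build:x:5001:5000:Build service:/home/svc_build:/bin/sh
asmith:x:5002:5000:Alan Smith:/home/asmith:/bin/bash
bjones:x:5003:5000:Bob Jones:/home/bjones:/bin/bash
EOF
}

# find_duplicate_ids FILE...: prints "id name@file name@file ..." for every
# numeric id (field 3) that appears under more than one account name across
# the given files. Comment lines and lines without a numeric id are skipped.
find_duplicate_ids() {
  awk -F: '
    /^#/ || NF < 4 || $3 !~ /^[0-9]+$/ { next }
    {
      id = $3; here = $1 "@" FILENAME
      if (!(id in first)) { first[id] = $1; where[id] = here; next }
      where[id] = where[id] " " here
      if ($1 != first[id]) conflict[id] = 1   # same id, different account name
    }
    END { for (id in conflict) print id, where[id] }
  ' "$@" | sort -n
}

# Usage: run with --demo to build the constructed zone exports and report.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  write_samples "$dir/finance.txt" "$dir/engineering.txt"
  find_duplicate_ids "$dir/finance.txt" "$dir/engineering.txt"
fi
```

An empty result means no two accounts in the supplied exports share an id; a non-empty result is the condition to resolve before adding further users or groups to the affected zone.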
Note
If there are other administrators managing this zone, you should notify them before changing the master domain controller and make this change while they are logged out. Depending on how long it takes for replication to complete across the domain controllers in the Active Directory forest, you may want to schedule this change for a time when no administrators need access to zone information.
6 Click Yes to confirm that you want to change the master domain
new master domain controller. To change the master domain controller for multiple zones:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones to display the list of zones in which you want to set a new master domain controller. For example:
4 Right-click, then click Change Master Domain Controller.
5 Type the fully-qualified domain name for the new domain
You should notify all Centrify DirectControl administrators before changing the master domain controller for multiple zones and, if possible, make this change while they are logged out. Depending on how long it takes for replication to complete across the domain controllers in the Active Directory forest, you may want to schedule this change for a time when no administrators need access to zone information.
Note
6 Click Yes to confirm that you want to change the master domain
and, if needed, the user credentials for connecting to the domain controller, then click OK.
3 In the console tree, select Zones to display the list of zones.
4 Select a zone name, right-click, then click All Tasks >
This task is only available for zones created with an earlier version of Centrify DirectControl or for zones that were created with Centrify DirectControl, version 4.0 or later, but configured to maintain compatibility for 2.x and 3.x DirectControl agents.
5 At the Welcome page, click Next.
6 Select whether you want to create a new converted zone from the existing zone or convert the existing zone in place, then click Next. Select Create a new zone based on the existing zone to copy the existing zone to a new zone name. If you select this option, you must use adleave to remove the computers from the old zone, then run adjoin to join the computers to the new zone. Select Alter the zone in place to change the zone type without creating a new zone. Changing the zone type changes how some properties are stored. If you select this option, computers can remain joined to the existing zone, but some information may be removed or overwritten. If you select this option, skip to Step 8.
7 If you are creating a new zone from the existing zone, specify the new zone location and the new zone name, then click Next.
8 Review the summary of the operation to be performed, then click Next.
9 Click Finish to complete the zone conversion.
select Properties to view all Active Directory properties or Zone Settings to view only the Centrify DirectControl profile.
Although certain group policies are provided to simplify Auto Zone configuration, using Auto Zone does not require enabling any group policies. In fact, you can join a domain by connecting to Auto Zone without installing the Centrify DirectControl Console on any machines in the forest. However, any group policies that are defined in the domain are enforced on machines joined to Auto Zone.
If you then run the adinfo command, it shows that you are connected to Auto Zone:
adinfo
Local host name:   rh4
Joined to domain:  acme.com
Joined as:         rh4.acme.com
Pre-win2K name:    rh4
Current DC:        win2k1.acme.com
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2009-09-30 18:08:34 PDT
CentrifyDC mode:   connected
Licensed Features: Enabled
The DirectControl Console also shows all machines connected through Auto Zone, under the Zones/Auto Zones node:
Chapter 5
Managing computers
This chapter describes how to add UNIX computers to Active Directory domains, manage computer account properties, and leave the domain. The following topics are covered:
- Understanding the join operation
- Deciding who can join computers to the domain
- Precreating computer accounts
- Joining a domain interactively or using a script
- Allowing password resets for computer accounts
- Designating a computer as a NIS server
- Changing the zone for the computer
- Changing the domain for a computer
- Leaving a domain
- Customizing configuration settings for a computer
- Running reports for computers
Directory to add the computer to the domain. By default, the domain controller to contact is determined by the Active Directory site topology or the master domain controller specified for the zone you are joining. If the preferred domain controller is not available, Centrify DirectControl attempts to connect to the next domain controller. If no domain controller can be contacted or the connection takes too long to complete, the join operation fails. If the adjoin program can successfully contact Active Directory, it performs a series of key tasks. For example, when you join the domain, the program does the following:
- Synchronizes the local computer's time with Active Directory to ensure the timestamps of Kerberos tickets are accepted for authentication.
- Checks whether a computer account already exists for the local computer in Active Directory. It creates a new Active Directory computer account for the local computer, if needed.
- Updates the Kerberos service principal names used by the host computer, generating a new Kerberos configuration file and krb5.keytab entries, and generating new service keys for the host and http services.
- Sets the password on the Active Directory computer account to a randomly-generated password. The password is encrypted and stored locally on the UNIX host to ensure Centrify DirectControl alone has control of the account.
- Starts the Centrify DirectControl agent adclient.
Once a computer joins the domain, you can use the Centrify DirectControl Administrator Console or Active Directory Users and Computers to manage its properties. By default, the computer will function exactly as it did before joining the domain, allowing local user accounts to log in and existing programs and applications to work as they did previously, but you will have greater control and flexibility to manage access through Active Directory. You can also further customize authentication, for example to allow, ignore,
or deny individual users or groups permission to access a computer through Centrify DirectControl Login Settings group policies or by manually modifying the Centrify DirectControl configuration file, centrifydc.conf, on any Centrify DirectControl managed system. By default, the password on the computer account is updated with a new, randomly-generated password every seven days to ensure security. You can customize how frequently the password for the account is changed through the Centrify DirectControl Password change interval group policy or by modifying the Centrify DirectControl configuration file, centrifydc.conf, on any Centrify DirectControl managed system. For more information about using group policies to customize computer settings, see the Group Policy Guide. For more information about customizing configuration parameters in the configuration file, see the Configuration Parameters Reference Guide.
explicit permission. For example, joining the domain might be restricted to domain administrator accounts or delegated within Organizational Units to specifically designated users or groups. Since who can join a domain depends on your organization's policies and is enforced through Active Directory, Centrify DirectControl applies the same rules for UNIX computers joining the domain as have been defined in Active Directory for adding Windows computers to the domain. For example: If any user with a valid domain account can add a Windows computer, adding a UNIX computer does not require an administrative user account and password. If only administrative or delegated users are allowed to add computers, the user adding the UNIX computer must supply a valid administrative or delegated user name and password.
You can use Active Directory Users and Computers, the Centrify DirectControl Administrator Console, or the Centrify DirectControl Web Console to precreate computer accounts. If you use Active Directory Users and Computers to create the account, however, you need to modify the permissions for the account as described in Allowing password resets for computer accounts on page 91 before joining the domain. To precreate a computer account using the Centrify DirectControl Administrator Console:
1 Click Start > All Programs > Centrify > Centrify
then select the specific zone to which you want to add the computer account.
3 Select Computers, right-click, then click Precreate Computer.
4 At the Welcome page, click Next.
5 Select Create new computer object to create a new computer account in the domain, then click Next. If the computer account already exists in the same domain or a different domain, but you want to add a zone profile and delegate the user or group who can join the computer to the domain, click Select existing computer object, then click Browse to search for the existing computer object. After selecting an existing computer account, click Next to continue to Step 7 to select the user or group that should be allowed to join the computer to the domain.
6 Type the computer name to use for the new computer account and specify a location for the computer account object in Active Directory, then click Next. For example:
Do this
Type the host name to use for the computer account in Active Directory.
Verify the domain name displayed is the appropriate domain for the computer account to join. Click Browse to navigate to a different Active Directory domain.
DNS name: Verify the DNS name for the computer account. You can modify the DNS name for the computer, if needed. For example, if computer names in DNS use a different suffix than the Active Directory domain, you may need to modify the default value displayed.
Specify the parent container for the new computer account in Active Directory. In most cases, you should use the default parent container object, domain_name/Computers. Click Change to navigate to a different container object for the computer account.
the computer to the domain or whether you want to use the precreated computer object's account and password to join the domain. For example, select Allow this user, group, or computer to join the computer to the zone if you want to delegate the permission to join the domain to a specific user, group, or computer account. If you select this option, you can click Next to give the permission to the default Domain Admins group, or click Browse to search for another user or group that you want to give permission to join the computer to the domain. For example:
If you don't want to designate a specific user or group to join the domain, select Allow the computer to join itself to the zone. This option generates an automatic password reset on the computer account that allows the precreated computer's account and password to be used to perform a self-service join. This option is useful when you want to automate the join operation so that a user name and password are not required, or when you want to restrict the number of Active Directory users who have permission to join the domain.
8 Review your configuration settings, then click Next.
Finish. The computer account is created in Active Directory and a zone profile for the computer is added to the Centrify DirectControl Administrator Console in the zone's Computers container. The user or group you have designated as the trustee can now join this computer to the domain using the --selfserve command line option.
The adjoin program then prompts for the Active Directory password for the shea@acme.com account:
Active Directory password: xxx
In this example, the user shea is a member of the acme.com domain rather than the sales.acme.com domain this computer is joining. Therefore, the user account must be specified in the user_name@domain_name format. In addition, this example places the local UNIX computer account in a specific, previously-created Centrify DirectControl zone called LinuxDev. This is the most common format for the adjoin command line.
If the computer has a precreated computer account in Active Directory, you can run a command similar to the following to join the domain:
adjoin --selfserve domain
For example:
adjoin --selfserve cendura.org
Although you can specify the password for an account as part of the adjoin command line using the --password option, in most cases, you should avoid including it for security reasons. If you are using adjoin in a script, however, you may need to include the --password option or provide another mechanism for inputting a valid password. For more information about using the adjoin command line options, see Appendix A, Using Centrify DirectControl UNIX commands. If the adclient process is able to connect to Active Directory and the join is successful, a confirmation message is displayed. If the connection to Active Directory fails, a warning message is displayed and the join operation fails. If you did not pre-configure a computer account for the local computer in another container, the join operation adds a new computer account to Active Directory in the domain_name/Computers container.
password resets. In addition, allowing a computer account to update its own properties enables Centrify DirectControl to display the agent version and maintain operating system information for the computer account. You can assign the self-maintenance permissions for computers by default if you select the Grant computer accounts in the Computers container permission to update their own account information option in the Setup Wizard, or if you precreate the computer account with the Precreate Computer Wizard and select the Allow the computer to join itself to the zone option. If you did not select either of those options, however, you can selectively grant this permission on individual computer objects, as needed.
Note
domain, and select Computers to find the computer account to which you want to assign administrative rights.
2 Select the computer account, right-click, then select Properties.
3 Click the Security tab, scroll down the list of group or user names and select SELF.
4 In the list of Permissions for SELF, scroll to the Reset Password permission, click Allow, then click OK.
5 Select the computer account, right-click and select Reset Account, then click Yes. When the account is reset, click OK.
zone you are interested in, for example, open the default zone.
3 Right-click, then click Delegate Zone Control.
4 At the Welcome page, click Next.
5 Click Add, select Group from the Find list, then click Find Now.
6 In the results, select Domain Computers, click OK, then click Next.
7 Click Add Computers to Zone and optionally, Remove Computers from Zone, then click Next. In most cases, these are the only administrative tasks you should assign to the computer account. You can, however, give the account additional rights, if needed. For information about the permissions associated with each delegated task, see the Planning and Deployment Guide.
Note
8 Click Finish.
For example, if the computer name is valencia and the Active Directory domain is arcade.com, you would run a command similar to the following:
adjoin arcade.com --user valencia$ --password valencia
pane.
4 Select the computer that you want to modify, then click Properties.
5 Click the Centrify Profile tab.
6 Check the Allow this computer to authenticate NIS users
By default, this setting adds the computer account as a member attribute of the domain/Program Data/Centrify/Zones/ZoneName/Computers/zone_nis_servers object. The zone_nis_servers object is a global Active Directory group. It can be converted to a universal group, if needed. For example, if you add a computer that is joined to a different domain than the other computers in the group, you are prompted to change the group type to universal.
The Centrify DirectControl Network Information Service, adnisd, must be running on the designated computer for the computer to service NIS client requests. If the adnisd process is running and receives a request, it will respond to the request with information from the current zone.
Note
pane.
4 Select the computer that you want to modify, then click Properties.
5 Click the Centrify Profile tab.
6 Click Browse and type all or part of the zone name, then click Find Now.
7 Select the new zone from the list of results, then click OK.
After you change the zone in the Centrify DirectControl Administrator Console, you must restart the Centrify DirectControl Agent on the UNIX computer. For example, on the computer where you have changed the zone, run the following command:
/etc/init.d/centrifydc restart
Alternatively, you can choose to restart the UNIX computer, which restarts all services.
8 Click Yes to acknowledge the need to restart the Centrify DirectControl Agent on the UNIX computer for the zone information to be updated.
domain. This command disables the computer account in Active Directory but does not delete the computer account. For example, to leave the current domain using the default Administrator user account and password:
adleave
3 Type the Active Directory password for the user account you
If the adclient daemon is able to connect to Active Directory and the leave operation is successful, a confirmation message is displayed.
4 Run adjoin to join a different Active Directory domain. For example:
adjoin --user gharris operations.acme.com
In this example, the user gharris is a member of the operations.acme.com domain that this computer is joining.
5 Type the Active Directory password for the user account you
specified. For more information about using the adjoin and adleave commands, see Appendix A, Using Centrify DirectControl UNIX commands.
Leaving a domain
You can remove a computer from a domain at any time by using the adleave command. Leaving the domain removes the UNIX computer from its current Active Directory domain and reverts any computer settings that were changed by the adjoin command to their pre-adjoin condition. This includes reverting PAM, NSS, and Kerberos configuration files to their pre-adjoin states and deleting the /etc/krb5.keytab file. You must leave the domain before you can move a computer account to a new domain or remove Centrify DirectControl from a UNIX computer. Although the adleave command removes the UNIX computer from its current domain, it does not delete the computer account from Active Directory. If you want to completely remove any record of the computer from Active Directory, you must delete the computer object in Active Directory Users and Computers.
Note
su -
domain. For example, to leave the current domain using the user account and password raj@acme.com:
adleave --user raj@acme.com
3 Type the Active Directory password for the user account you
specified. If the adclient daemon is able to connect to Active Directory and the leave operation is successful, a confirmation message is displayed and the Centrify DirectControl Agent is stopped.
Chapter 6
information to determine if there are any conflicts and how the existing user population should be mapped into zones. Once you have collected the appropriate information and determined your zone requirements, you can import the existing information into Active Directory and the appropriate zones using the Centrify DirectControl Administrator Console and the Import from Unix wizard. The next sections describe the steps for importing users and groups from an existing identity store into a zone. For more detailed information about planning the migration of an existing user population, including how to analyze and consolidate existing information before importing, see the Planning and Deployment Guide.
Note
- Verify that you can access the NIS servers and NIS domain from the Windows network if you want to import information directly from NIS maps rather than export the information to a text file.
- Verify that you can access individual /etc/group and /etc/passwd files from the Windows network if you want to import information directly from individual /etc/group and /etc/passwd files.
- Copy any text files from which you want to import information to a file share on the Windows network.
- Review the /etc/passwd, /etc/group, or text files you generated to remove account entries that don't need to be mapped to Active Directory accounts. You can automatically exclude system accounts with UID or GID values from 0 to 99 during the import process, but may want to remove other accounts prior to the import. You may also want to review the remaining entries to determine whether the entries map to existing Active Directory accounts or require new Active Directory objects.
right-click, then click Import from Unix. For example, select the default zone.
4 Select Unix configuration files and click Browse to locate the files to import. You can use this option to import any properly formatted text file, including those generated by running getent passwd and getent group or similar commands. For example:
The text files can be named with any file names you choose, but must be in the proper format for /etc/group and /etc/passwd files for fields to be imported correctly. Although the files can be imported independently, Centrify recommends you import both files at the same time. If you want to import information directly from NIS, you can select Network Information Service (NIS), and type the name of the NIS domain and NIS server from which you want to import information, then click Next. The NIS domain and server must be accessible from the Windows network for information to be imported successfully.
5 Select the import options you want to use, then click Next. For example:
Check this option to include the UIDs and GIDs reserved for system accounts
Select this: Include system accounts
To do this: Import all accounts from the data source, including accounts with UID or GID values from 0 to 99. By default, DirectControl ignores accounts with UID or GID values from 0 to 99 during the import process. On most systems, UIDs and GIDs in this range are reserved for system or application accounts, such as root, tty, and ftp, which typically do not need to be imported and managed through Active Directory. If you select the Include system accounts option, these accounts will be included in the list of Pending Import Groups and Pending Import Users. You can then choose to map the accounts to Active Directory or remove them.
Note
There can be other system accounts with UID or GID values greater than 100. By default, DirectControl can only automatically filter the accounts with UID or GID values less than 100. Even if you choose to allow automatic filtering, you may need to remove additional system accounts from the Pending Import list.
Select this: Automatically shorten the Unix name to 8 characters
To do this: Limit UNIX user and group names to a maximum of 8 characters. By default, DirectControl imports user and group names as they are defined in the data source. In some operating environments, however, user and group names cannot be longer than 8 characters. If you have an environment that does not support user and group names longer than 8 characters, you can select Automatically shorten the Unix name to 8 characters to automatically remove any extra characters in the name during the import process.
Next. For example, to store pending data for the current zone in an XML file, select Store in XML file and specify the location for the file:
If the file does not already exist in the default location, you are prompted to create it. To select another location for the XML file, click Browse.
7 Review the summary of information to be imported, and check the Check data conflicts while importing option if you want to check for conflicts and potential matching candidates during the import process, then click Finish.
Check this option to look for conflicts during the import process
Note
If you select the Check data conflicts while importing option in the Import from Unix wizard, the import process may take some time to complete if you have a large number of users or groups. If you don't check this option, you must check the status of users or groups before you can map them to users and groups in Active Directory.
When you click Finish to close the Import from Unix wizard, all of the user and group information to be imported is placed in Active Directory or in an XML file as Pending Import. You can then decide how each user and group should be mapped to accounts in Active Directory.
group candidates in Active Directory. After this initial check, you need to resolve any conflicts and determine the Active Directory group or user each pending group or user should be mapped to. To check the status of pending information:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information. For example, if you imported information for the default zone, open that zone, then expand the Groups or Users node:
2 Click Pending Import to display the list of users or groups to be imported. If you selected the Check data conflicts while importing option in the Import from Unix wizard, the initial check is performed during the import process and each group and user displays the result of the initial check. For example:
If the status is displayed, you can skip the next step and begin resolving conflicts and mapping the UNIX groups and users to Active Directory accounts. If you did not select the Check data conflicts while importing option in the Import from Unix wizard, Pending Import groups and users do not display any status. For example:
This icon indicates that you need to check for conflicts and potential matching candidates in Active Directory
If the current status is not displayed for the groups and users to be imported, you must check the status before continuing.
3 Select a user or group in the Pending Import list, right-click, then click Check status to check Active Directory for conflicts between the selected user or group and information already stored in Active Directory and to look for a potential candidate to map the selected user or group to. When you select a Pending Import group and click Check status, Centrify DirectControl checks for an Active Directory group with a common name (CN) or samAccountName that is the same as the pending group's name. If there is a match, Centrify DirectControl displays that Active Directory group as the default candidate for mapping the pending group to an Active Directory group. When you select a Pending Import user and click Check status, Centrify DirectControl checks for an Active Directory user with a common name (CN) that is the same as the pending user's GECOS field, or with a samAccountName that is the same as the pending user's UNIX user name. If there is a match, Centrify DirectControl displays that Active Directory user account as the default candidate for mapping the pending user to an Active Directory user.
For example, after you check the status for a group, the icon displayed changes and the potential Active Directory group it matches is displayed:
After you click Check status, the Status field indicates the results of the check and any potential issues you need to resolve
Error, warning, or information icons indicate whether you have checked the status of the group or user
You can check the status of more than one user or group at a time, but it is best to work with subsets of users and groups to reduce the impact on performance and improve the manageability of the import process.
Note
When you check the status of a pending group or user, Centrify DirectControl checks Active Directory for an account that is a potential match.
If a potential matching candidate is found in Active Directory, the status for the pending group or user indicates that the UNIX profile is Ready to import. For example:
If Centrify DirectControl can't identify a potential candidate in Active Directory or there are other issues, the status for the pending group or user displays a warning, such as No import candidate found. For example:
If a pending group or user cannot be imported because of a conflict, the status for the pending group or user describes the type of error encountered. For example:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Accept.
After you accept the Active Directory candidate for a pending group or user, the group or user is removed from the Pending Import list.
Accepting pending group members
If you accept the default Active Directory candidate for a pending import group, all of the pending members that have an Active Directory candidate associated with them are also imported, and added as members of the Active Directory group. If any of the group's members fail to be imported, the status of the pending import group is changed to Imported, but the group remains in the Pending Import list until the remaining members can be successfully imported.
Modifying pending group members
You can modify the members of a group while it is in a Pending Import or Imported state by selecting the group and viewing its properties. From the Properties dialog box, you can add or remove members of the group or find and assign the Active Directory user each member of the group should be associated with.
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Create new AD group or Create new AD user.
When you select this action, you are prompted to provide the additional information needed to create the group or user account. For example, if you are creating a new group account you are prompted to specify:
Location of the container for the group.
Active Directory name for the group.
Pre-Windows group name.
Scope of the group.
Similarly, if you are creating a new Active Directory user account you are prompted to specify:
Location of the container for the user.
Display name for the user.
Initial password for the user.
Windows logon name for the user.
5 Review your settings, then click Next.
6 Verify that the option to enable the UNIX profile for the group or user is checked, then click Finish to add the group or user and make the Centrify DirectControl UNIX profile available for the zone. For example:
If you do not enable the group or user to use DirectControl when creating the account, the pending group or user remains in the Pending Import list with the new Active Directory group or user displayed as the default candidate for importing at a later time. If you choose to add the UNIX profile for group or user later, you can do so by selecting the group or user in the Pending Import list and clicking Accept.
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Extend existing AD group or Extend existing AD users to add the selected profile to an existing Active Directory group or user. If an Active Directory user has more than one UNIX profile in a zone, the user must log on to computers in the zone with the UNIX profile name he wants to use. Logging on with the Active Directory user login name (the user's samAccountName) may prevent the user from accessing some files because the account has multiple UNIX profiles associated with it.
Note
group or user to map the UNIX profile to or click Find Now or Advanced Search to find the Active Directory group or user to which you want to add the UNIX profile.
Type a search string to locate the account, then click Find Now. Select the appropriate Active Directory group or user to which you want to add the UNIX profile, then click OK. Check the Active Directory group or user account displayed, then click Next.
Active Directory group or user, then click Next to import the information.
7 Click Finish to add the group or user and enable the Centrify DirectControl UNIX profile for the zone. If you do not enable the group or user to use DirectControl, the new Active Directory group or user becomes the default candidate for importing at a later time by clicking Accept.
1 In the Centrify DirectControl Administrator Console, open Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of groups to be imported.
3 Select the group in the Pending Import list.
4 Right-click, then click Merge into existing Unix group.
5 Select the UNIX group to which you want to add members, then click Next.
6 Review your settings, then click Next.
7 Click Finish to update the UNIX profile for the zone.
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Delete.
5 Click Yes to confirm the deletion.
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Properties.
If you select a pending group, the properties include the UNIX profile, the time of the import, the file location the information was imported from, the members of the group, and the status of the group. If you select a pending user, the properties include the UNIX profile, the time of the import, the file location the information was imported from, and the status of the user.
the user or group profile that conflicts with the pending user or group, delete the pending user or group rather than import it, or remove the existing profile that conflicts with the pending user or group. For example, assume you are importing a passwd file that includes the UNIX user account pierre with the UID 1001, but there is already a UNIX profile in the zone with the UNIX name pierre and UID of 500. When you check the status for the pending user pierre, its status will indicate there is an error. To resolve a conflict that is preventing a group or user from being imported:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user, right-click, then click Properties.
4 Change the information for the pending group or user to eliminate the conflict, then click OK. For example, change the UNIX user name of the pending import user pierre to another name, such as pierre2:
5 Click Check status to check for any additional issues that may need to be resolved. Once you have resolved any issues that prevent an account from being imported, you then need to determine an appropriate course of action. For example, you need to determine whether the conflicting pierre user accounts are used by the same person or refer to different users, so you can decide whether to remove one of the profiles from the zone or if a separate zone is needed.
When you check the status for a pending user, you may see a warning displayed if:
No matching Active Directory candidate is found. To import the user, you need to identify or create an Active Directory user for the pending user.
There is a password hash in the zone-specific attribute for the matching Active Directory user that is different from the password hash for the pending import user. If you accept the matching Active Directory candidate and import the pending user, the Active Directory user's password hash will be overwritten.
There is another pending user with the same UID or the same UNIX user name. Before importing, you should resolve the UID or user name conflicts between the pending users.
There is a UNIX user with the same UID already defined in the zone. Before importing, you should resolve the UID conflict between the existing UNIX profile and the pending user.
The pending user belongs to groups that do not exist in the zone. Before importing, you should import all the pending groups the pending user is a member of.
The matching Active Directory candidate already has a UNIX profile in the zone.
When you check status for a pending group, you may see a warning displayed if:
No matching Active Directory candidate is found. To import the group, you need to identify or create an Active Directory group for the pending group.
There is another pending group with the same GID or the same UNIX group name. Before importing, you should resolve the GID or group name conflicts between the pending groups.
There is a UNIX group with the same GID already defined in the zone. Before importing, you should resolve the GID conflict between the existing UNIX profile and the pending group.
The matching Active Directory candidate already has a UNIX profile in the zone.
In many cases, warnings do not require you to make changes to the properties of a pending user or group. For example, if a group displays the warning that no import candidate is found, it simply means that you need to decide on the appropriate action, such as creating a new Active Directory group or merging the pending group's members into the UNIX profile of another group. If you do need to make changes to a pending user or group to correct any of these potential problems, however, you should click Check status after the change to check for any additional issues that may need to be resolved.
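The import options (system-account filter, 8-character names) and the Check status rules and warning conditions described above, modelled in Python as an added example. This is not Centrify's code: the passwd/group text, the Active Directory accounts and the zone contents are constructed samples, and the status messages are paraphrases of the ones the guide lists.

```python
"""Model of the Import from Unix checks described above (added example, not
Centrify's code). Parses passwd/group text, applies the 0-99 system-account
filter and the optional 8-character name limit, then reports what Check
status would: the default AD candidate (group CN or samAccountName == group
name; user CN == GECOS or samAccountName == UNIX name) and the warning and
error conditions listed above. All data below are constructed samples."""
from collections import Counter
from dataclasses import dataclass, field

SYSTEM_ID_MAX = 99  # UIDs/GIDs 0-99 are skipped unless system accounts are included


@dataclass
class Pending:
    kind: str                 # "user" or "group"
    name: str                 # UNIX name (shortened if requested)
    ident: int                # UID or GID
    gecos: str = ""           # users only
    gid: int = 0              # users only: primary group
    members: list = field(default_factory=list)  # groups only
    status: list = field(default_factory=list)


def parse(text, kind, include_system=False, shorten=False):
    """Read /etc/passwd (7 fields) or /etc/group (4 fields) lines."""
    nfields = 7 if kind == "user" else 4
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != nfields:
            raise ValueError("malformed %s entry: %r" % (kind, line))
        ident = int(f[2])
        if ident <= SYSTEM_ID_MAX and not include_system:
            continue  # root, tty, ftp and similar stay on the UNIX host
        name = f[0][:8] if shorten else f[0]
        if kind == "user":
            out.append(Pending(kind, name, ident, gecos=f[4], gid=int(f[3])))
        else:
            out.append(Pending(kind, name, ident, members=[m for m in f[3].split(",") if m]))
    return out


def check_status(pending, ad, zone):
    """ad = {kind: [{cn, sam, has_profile}]}; zone = {kind: [(unix_name, id)]}.
    Appends messages to each record's status and returns them keyed by (kind, name)."""
    for kind in ("user", "group"):
        items = [p for p in pending if p.kind == kind]
        ids, names = Counter(p.ident for p in items), Counter(p.name for p in items)
        zone_names, zone_ids = {n for n, _ in zone[kind]}, {i for _, i in zone[kind]}
        label = "UID" if kind == "user" else "GID"
        for p in items:
            s = p.status
            if p.name in zone_names:  # the pierre/pierre case in the text: an error
                s.append("error: a zone profile with UNIX name %s already exists" % p.name)
            if kind == "user":
                cand = [a for a in ad[kind] if a["cn"] == p.gecos or a["sam"] == p.name]
            else:
                cand = [a for a in ad[kind] if p.name in (a["cn"], a["sam"])]
            if not cand:
                s.append("warning: No import candidate found")
            elif cand[0]["has_profile"]:
                s.append("warning: candidate %s already has a UNIX profile in the zone" % cand[0]["sam"])
            if ids[p.ident] > 1:
                s.append("warning: another pending %s has the same %s" % (kind, label))
            if names[p.name] > 1:
                s.append("warning: another pending %s has the same name" % kind)
            if p.ident in zone_ids:
                s.append("warning: a zone profile with %s %d already exists" % (label, p.ident))
            if kind == "user":  # groups the user belongs to must be in the zone first
                mine = {g.name for g in pending if g.kind == "group"
                        and (p.name in g.members or g.ident == p.gid)}
                missing = sorted(mine - {n for n, _ in zone["group"]})
                if missing:
                    s.append("warning: import pending groups first: " + ", ".join(missing))
            if not s:
                s.append("Ready to import")
    return {(p.kind, p.name): p.status for p in pending}


# Constructed sample data: the zone already holds user profile pierre/500 and group ops/2001.
PASSWD = """root:x:0:0:root:/root:/bin/bash
pierre:x:1001:2000:Pierre Dubois:/home/pierre:/bin/sh
sofia:x:1002:2000:Sofia Perez:/home/sofia:/bin/sh
jdoe:x:1002:2001:John Doe:/home/jdoe:/bin/sh
"""
GROUP = """daemon:x:1:
finance:x:2000:pierre,sofia
ops:x:2001:jdoe
"""
AD = {"user": [{"cn": "Pierre Dubois", "sam": "pdubois", "has_profile": False},
               {"cn": "Sofia Perez", "sam": "sperez", "has_profile": True}],
      "group": [{"cn": "Finance Users", "sam": "finance", "has_profile": False}]}
ZONE = {"user": [("pierre", 500)], "group": [("ops", 2001)]}


def run_example():
    return check_status(parse(PASSWD, "user") + parse(GROUP, "group"), AD, ZONE)
```

With the sample data, pierre gets the name-conflict error plus a warning to import the finance group first, finance is Ready to import, and ops collides with the group already in the zone.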
Chapter 7
across multiple zones. Creating a profile for an Active Directory group allows you to use Windows role-based access control and group-based filters to manage user access to Centrify DirectControl-managed computers. Associating a group profile with an Active Directory group also enables you to take advantage of nested group membership and group policies applied to a domain or organizational unit (OU) that contains Active Directory groups. Although associating Active Directory security groups with zone-based group profiles can be convenient in many organizations, you are not required to link group profiles to Active Directory groups. In addition, creating a profile for an Active Directory group does not create profiles for any members of the group or automatically give any group members access to the zone where the group profile is created. User accounts must be explicitly given their own profiles and be enabled for the zones they can access, and those users must be explicitly listed as members of one or more Active Directory security groups if you want to use Active Directory's role-based filtering to control access. If you choose to create group profiles for existing Active Directory groups, you can create the profiles using the Centrify DirectControl Administrator Console, Centrify DirectControl Web Console, Active Directory Users and Computers, or programmatically using the Centrify DirectControl Windows API. To create a UNIX profile for a group in a zone using the Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory group. For example, select the default zone. If the zone is not already open, select Zones and right-click, then click Open Zone to find and select the zone you want to use.
3 Select Groups, right-click, then click Create UNIX Group.
4 Type a search string to locate the Active Directory group for which you want to create a profile, then click Find Now. For example, type fin to display the Finance Users and Finance Admins groups:
5 Select one or more groups in the results, then click OK.
6 Review the zone profile settings for the group and make any changes, then click OK. If you selected more than one group, review the profile settings for each group and modify the default settings, if necessary, then click OK. For example:
If you are adding groups with similar names, you may need to modify the UNIX group name to distinguish the groups. For example, if you are adding both the Finance Admins and Finance Users groups to the same zone, you can change the default UNIX group name to finadmin and finuser to make it easier to tell the groups apart. Keep in mind that in some operating environments group names cannot be more than 8 characters and special characters may not be supported. For more information about defining group membership for UNIX users or adding users to their primary group in Active Directory, see Adding Active Directory users to zones on page 144. For more information about the differences in group handling between Active Directory and the UNIX environment or planning access control using group filters, see the Planning and Deployment Guide.
Any single Active Directory group with an associated group profile in the zone that can be managed in Active Directory. Because users are not added as members of the primary group, the primary group identifier (GID) setting does not affect the users actual Active Directory group membership, eliminating the need to manage primary groups for UNIX users through Active Directory.
Centrify DirectControl can add new users as members of a group automatically if you choose to define an Active Directory group as the default primary group for a zone. For information about configuring a zone to automatically add users to the default primary group, see Adding members to a default primary group on page 130.
For more information about defining a user profile and a users primary group, see Understanding group-based filtering for users on page 142. For more information about the differences between Active Directory and local UNIX groups, see Defining groups for UNIX users in the Planning and Deployment Guide. For more information about planning access control using group or user filters, see Configuring user and group filtering in the Planning and Deployment Guide.
accessing DirectControl-managed computers. If you are using an Active Directory group as the default primary group for a zone and want to use the primary group for group-based filtering and control, you may want to automatically update the default primary group with new members whenever you add users to the zone. To automatically add users to the Active Directory group you are using as the default primary group for a zone, you must first manually add a new DWORD key to the registry and set the key to a non-zero value. Adding the registry key displays the Associate Active Directory group membership option in the Zone Properties dialog box. You can then select the Associate Active Directory group membership option to automatically add new users to the Active Directory group you are using as the default primary group for the zone.
registry.
2 Right-click and select New > DWORD Value.
3 Set the name of this registry entry to
After you modify the registry, the Associate Active Directory group membership option is displayed on the General tab in the Zone Properties dialog box.
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones to see the list of zones.
3 Select the zone name you want to modify, right-click, then click
Directory group membership option to automatically add users to the Active Directory group you are using as the default primary group for the zone. For example:
Display and check this option to add users to the default group
5 Click the Members tab and verify that the user account associated with a new user profile is listed as a member of the group. For example:
Check that new user accounts have been added as members to the group
which you want to add a required group. For example, expand the default zone.
3 Expand Groups, then select the group name you want to make required.
4 Right-click, then select Zone Settings to display the Centrify
needed, then click OK. For more information about using the adsetgroups command, see Using adsetgroups on page 472 or the adsetgroups man page.
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory group. For example, select the default zone. If the zone is not already open, right-click, then click Open Zone. For example, select and open the default zone.
3 Select Groups, right-click, then click Create UNIX Group.
4 In the Find Users dialog box, click Browse, then select the trusted forest or a specific domain in the trusted forest, then click OK. For example, if there is a two-way forest trust between the local wonder.land forest and the remote w2k3r2.dev forest, you can select the remote forest, then click OK to add groups from the w2k3r2.dev forest to a current zone in the local forest.
5 Type a search string to locate the group in the selected forest or
2 In the console tree, click Zones and select the zone name that contains the group profile you want to modify. For example, click Zones > Venice Arcade to select the zone named Venice Arcade.
3 In the console tree, expand Groups.
4 Select a group name, right-click, then click Zone Settings. For example:
5 Edit the UNIX profile as needed, then click OK. For example,
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name to
6 Edit the UNIX profile and any other properties, as needed, then click OK. For example, click Add to add a group profile for the Active Directory group to another zone.
If you are not deploying Centrify DirectControl group policies, you can also customize access controls for users and groups with the settings in any computer's local Centrify DirectControl configuration file. For more information about setting the parameters in the Centrify DirectControl configuration file, see the Configuration Parameter Reference Guide.
You can assign Active Directory groups to roles without defining a group profile for them. However, the members of the group must have user profiles in the zone for rights and roles to be enforced. For more information about defining rights and roles and assigning groups to roles, see Defining rights and roles on page 165.
Whether the group is an orphan. For more information about generating and working with reports, see Generating predefined and custom reports on page 231.
Chapter 8
migration of an existing user population and setting up user- or group-based access controls, see the Planning and Deployment Guide.
Directory user in the portland group inherits the group membership and is also a member of the western-div group. By default, however, the UNIX user with a default primary group linked to the Active Directory group portland is not listed as a member of the portland group and does not inherit any nested group relationship. For more information about defining group membership for UNIX users or adding users to their primary group in Active Directory, see Adding Active Directory users to zones on page 144. For more information about the differences in group handling between Active Directory and the UNIX environment or planning access control using group filters, see the Planning and Deployment Guide.
selected zone.
If you want to add the user to a different zone, click Browse to search for and select the zone to which you want to add the Active Directory user.
4 Type a search string to locate the user account, then click Find Now. For example, type tes to display the testuser and testadmin users.
5 Select one or more users in the results, then click OK.
6 Review the UNIX profile settings for the user and make any changes necessary, then click OK. If you selected more than one user, review the UNIX profile settings for each user and modify the default settings, if necessary, then click OK. For example:
Note
User profile names can consist of letters, numbers, hyphens, underscores, periods and dashes. Some operating environments may have additional restrictions. For example, some operating environments do not support user names that are longer than 8 characters or require that the first character of the user name be alphabetic. Because UNIX user names typically use only lowercase characters, the default user profile name displayed follows this convention. If you modify the default profile name and include uppercase characters, keep in mind that the proper case must be used when entering the user name. For compatibility with Samba, the dollar sign ($) can also be used at the end of the user name. In general, other special characters, such as ! and &, are not supported.
which you want to add the Active Directory user. For example, select the default zone. If the zone is not already open, right-click, then click Open Zone. For example, select and open the default zone.
3 Select Users, right-click, then click Add User to Zone.
4 In the Find Users dialog box, click Browse, then select the remote trusted forest or a specific domain in the trusted forest, then click OK. For example, if there is a one- or two-way forest trust between the local wonder.land forest and the remote w2k3r2.dev forest, you can select the remote forest, then click OK to add users from the w2k3r2.dev forest to a current zone in the local forest:
domainname\username,
so any of these identities can be used to access user information or log on. To identify a user from a trusted external forest, however, you must use either the user's UNIX profile name for the zone or the user's samAccountName followed by the user's domain name in the form of samAccountName@domainname. Using the UNIX profile name or the samAccountName@domainname to identify a user ensures the name is unique when there are cross-forest trust relationships. For example, if an Active Directory user from a trusted external forest (sierra.org) has the Active Directory logon name of sofia.perez and a UNIX profile name of sofiapz, the user can be identified using:
sofia.perez@sierra.org
sofiapz
You cannot use sierra\sofia.perez or sofia.perez without the domain to retrieve information or authenticate from a remote forest. In addition, the userPrincipalName (username@domainname) for any user may be different from the samAccountName@domainname. For example, if you use alternate UPN suffixes, the domain name used in the userPrincipalName may be different from the domain name that uniquely identifies the user. Similarly, a user's pre-Windows 2000 user logon name (samAccountName) may be different from the user name used in the userPrincipalName. For example, if the Active Directory user sofia.perez@sierra.org has a pre-Windows 2000 user logon name of SIERRA\perez.s, that user would be found as perez.s@sierra.org.
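The identity rules above, modelled as an added Python example that is not Centrify code and not the adclient lookup. The directory records are constructed samples; the resolver assumes, as read from the text, that inside the local forest a bare samAccountName, DOMAIN\samAccountName and samAccountName@domain all work, that a user from a trusted external forest is found only by samAccountName@domain or by the UNIX profile name, and that the userPrincipalName is never used as a key because it may carry an alternate suffix or a different name.

```python
"""Which identity strings locate a local-forest user versus a user from a
trusted external forest (added example, not Centrify's code). The records
are constructed samples; resolve() models the guide's rules, not adclient."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DirUser:
    sam: str            # pre-Windows 2000 logon name (samAccountName)
    domain: str         # DNS name of the account's domain
    upn: str            # userPrincipalName; may differ from sam@domain
    unix_name: str      # UNIX profile name in the zone (case-sensitive)
    local_forest: bool  # True if the account lives in the computer's own forest


def netbios(domain: str) -> str:
    """Assumed convention for this example: NetBIOS name = first DNS label."""
    return domain.split(".")[0].upper()


def resolve(identity: str, users) -> Optional[DirUser]:
    """Return the user an identity string designates, or None when the form
    is not valid for that user's forest. The UPN is deliberately not a key."""
    ident = identity.strip()
    for u in users:
        # Unique in every forest: the UNIX profile name or samAccountName@domain
        if ident == u.unix_name or ident.lower() == (u.sam + "@" + u.domain).lower():
            return u
        # Bare name and DOMAIN\name are only accepted for the local forest
        local_forms = (u.sam.lower(), (netbios(u.domain) + "\\" + u.sam).lower())
        if u.local_forest and ident.lower() in local_forms:
            return u
    return None


# Constructed directory: one local user and one user from the trusted sierra.org
# forest whose pre-Windows 2000 name (SIERRA\perez.s) differs from the UPN.
USERS = [
    DirUser("jsmith", "wonder.land", "jsmith@wonder.land", "jsmith", True),
    DirUser("perez.s", "sierra.org", "sofia.perez@sierra.org", "sofiapz", False),
]
```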
the group by displaying the user's UNIX profile, then clicking Browse.
After you click Browse, you can do one of the following to set the user's primary group:
Select an Active Directory group from the list of groups that have been enabled for UNIX access in the current zone. If the Active Directory group you want to use is not listed, click Add to search for the Active Directory group you are interested in and add the UNIX profile for that group to the list.
Select the Auto-private group to have a UNIX-only private group automatically generated for the user. If you select this option, DirectControl automatically creates a UNIX group profile that uses the user's UNIX profile name as the group name and the user's UID as the group GID. Automatically-generated groups are not stored or managed in Active Directory.
Specify a group identifier (GID) not associated with any Active Directory group in the current zone. To specify a group profile not in the current zone, type the group identifier (GID) for the group. If you select this option, the Centrify DirectControl Administrator Console does not verify whether the group exists. You can enter any value as the primary group identifier (GID). If you plan to use groups that are defined in other zones or are not associated with Active Directory security groups, you should verify that a group profile exists either on the UNIX system or in another zone and identify a scheme for assigning the GID. For example, to select an existing group profile associated with an Active Directory group:
Note
If you select the Auto-private group option, the Centrify DirectControl Agent handles the creation of the UNIX group on the computer when the user logs on.
contains the user profile you want to modify. For example, click Zones then select the default zone. If the zone is not already open, right-click Zones, then click Open Zone and type a search string to find and select the zone you want to open.
3 In the console tree, expand Users.
example:
5 Edit the UNIX profile as needed, then click OK. For example,
contains the user profile you want to modify. For example, click Zones then select the default zone.
If the zone is not already open, right-click Zones, then click Open Zone and type a search string to find and select the zone you want to open.
3 In the console tree, expand Users.
4 Select a user name, right-click, then click Properties to display
6 Edit the UNIX profile and any other properties, as needed, then
click OK. For example, click Add to add a UNIX profile for the selected user to another zone.
Directory site that contains the connection over which you want to replicate directory information. For example, select DEFAULT-FIRST-SITE.
3 Expand Servers, then select the domain controller for which
4 Click NTDS Settings.
5 In the details pane, right-click the connection over which you want to replicate directory information, then click Replicate Now. If you choose not to force replication, the changes made to the zone will not take effect until replication is complete for the forest.
meets all of the criteria, the account is updated with the new information in Active Directory and the user logs on successfully. Centrify DirectControl also enforces the password expiration period, the password reuse policy, account lockout policy, workstation restrictions, and logon hour restrictions if you have defined these policies for any user account. In addition, Centrify DirectControl displays a warning message on the UNIX computer if a user's password is about to expire. Administrators can set, reset, or change the password for users using Active Directory or from the UNIX command line. Individual users can also change their own password at any time using the adpasswd command.
For more information about using adpasswd, see Using adpasswd on page 344.
password of an administrative account with the authority to change another user's password. To change the password for another user using adpasswd:
1 At the UNIX command line, run the adpasswd command and specify an Active Directory administrative account name with the authority to change the password for users in the domain. For example, to use the admin user account to change the password for the user jane in the sales.acme.com domain:
adpasswd --adminuser admin@acme.com jane@sales.acme.com
3 Type the new password for the user specified. Because you are changing another user's password, you are not prompted for an old password. For example:
New password:
disconnected from the network, the user can still log on and use the old password until reconnected to the network. Once the user reconnects to Active Directory, the changes take effect and the user is denied access or prompted to provide an updated password. Because changing the password for an Active Directory account requires a connection to an Active Directory domain controller, users cannot change their own Active Directory password when working in disconnected mode. If users log out of a session while disconnected from Active Directory, they can be authenticated using the information in the cache when they log back on because they have been successfully authenticated in a previous session. They cannot, however, be authenticated automatically to any additional services after logging back on. To enable automatic authentication for additional services, the user's credentials must be presented to the Key Distribution Center (KDC), which then issues a ticket that can be presented to other services for unprompted, single sign-on authentication. Because the KDC is unavailable when disconnected from Active Directory, single sign-on authentication is also unavailable.
Note
You can configure many aspects of how credentials are handled, including how frequently they are updated or discarded, through Centrify DirectControl group policies or parameter settings in the Centrify DirectControl configuration file. For more information about using group policies and the group policies available, see the Group Policy Guide. For information about changing settings in the configuration file, see the Configuration Parameters Reference Guide.
map a local user account to an Active Directory account. Mapping a local UNIX user account to an Active Directory account gives you Active Directory-based control over password policies, such as password length, complexity, and expiration period. Mapping a local account to Active Directory is especially useful for accounts that have special privileges, such as local system accounts or service accounts for applications. By mapping these types of accounts to an Active Directory account and password:
- You control access to the account because users need to know the Active Directory password for the account.
- You ensure Active Directory password policies are applied to the account password, so that each password is complex enough or changed frequently enough to be secure.
Although this mapping is especially useful for system and application service accounts, you can map any local user account to an Active Directory account. To map a local account to an Active Directory account, you can:
- Enable and configure the Set user mapping group policy in a Group Policy Object applied to one or more computers.
- Set the pam.mapuser.username configuration parameter on any individual local computer.
to open the Group Policy Object in the Group Policy Object Editor.
4 In the Group Policy Object Editor, select Computer
administrative template and any other administrative templates you want to add, click Open, then click OK. For example:
look for the Active Directory user to which the local user is mapped, then click OK. For example, if the local user name is oracle and the Active Directory account you created to map the user to is Oracle Admins:
configuration. When users attempt to sign on using the local oracle account, they must provide the password for the Oracle Admins Active Directory account. When you use account mapping in this way, you can ensure the same password policy used for Active Directory passwords applies to local user accounts. For more information about creating and linking Group Policy Objects that include Centrify DirectControl configuration settings, see the Group Policy Guide.
example, assume you want to use one Active Directory account for all of the oracle service accounts in a particular zone. If the zone name is central-div, you can create an Active Directory user account named oracle_central-div.
2 On the UNIX computer, open the Centrify DirectControl
account you want mapped to the Active Directory user you created. You can use environment variables such as $DOMAIN, $ZONE, or $HOSTNAME with this configuration parameter if you used the domain, zone, or host name in the Active Directory account name.
For example, if you are mapping the local oracle service account and the Active Directory user account you created is named oracle_central-div:
pam.mapuser.oracle: oracle_$ZONE
5 Save the changes to the configuration file, then run the adreload command to reload the configuration file and have the changes take effect. For more information about editing Centrify DirectControl configuration parameters, see the Configuration Parameters Reference Guide.
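Every pam.mapuser line means that a local account's password is now the password of some Active Directory account, so it is worth being able to list those mappings with the variables resolved. The script below is an added example and is not Centrify's code: it reads pam.mapuser lines from a centrifydc.conf fragment, expands $DOMAIN, $ZONE and $HOSTNAME as described above, and flags a mapping that still contains a "$" (a variable other than the three the text lists, which would not resolve to a real account). The fragment, the zone, domain and host values, and the account names are all constructed for the example.

```sh
#!/bin/sh
# Added example, not Centrify's code: list the pam.mapuser mappings in a
# centrifydc.conf fragment with $DOMAIN, $ZONE and $HOSTNAME expanded, so you can
# see which Active Directory password now gates each local account.
# The fragment, the zone/domain/host values and the account names are constructed.
DOMAIN=sales.acme.com
ZONE=central-div
HOSTNAME=db01

sample_conf() {
    cat <<'EOF'
# centrifydc.conf fragment (constructed for this example)
pam.mapuser.oracle: oracle_$ZONE
pam.mapuser.postgres: svc_pg_$HOSTNAME@$DOMAIN
pam.mapuser.backup: backup-ops
pam.mapuser.app: app_$SITE
EOF
}

# expand_mapuser: stdin is centrifydc.conf; stdout is "local_account ad_account"
# per pam.mapuser line, with the three supported variables expanded.
expand_mapuser() {
    sed -n 's/^pam\.mapuser\.\([^:]*\):[[:space:]]*\(.*\)$/\1 \2/p' |
    sed -e "s/[\$]DOMAIN/$DOMAIN/g" \
        -e "s/[\$]ZONE/$ZONE/g" \
        -e "s/[\$]HOSTNAME/$HOSTNAME/g"
}

# audit_mapuser: flag mappings that still contain a "$", which means the value
# used a variable other than $DOMAIN, $ZONE or $HOSTNAME and will not resolve.
audit_mapuser() {
    expand_mapuser | while read -r local_acct ad_acct; do
        case $ad_acct in
            *'$'*) printf '%s -> %s  (unexpanded variable, check this mapping)\n' "$local_acct" "$ad_acct" ;;
            *)     printf '%s -> %s\n' "$local_acct" "$ad_acct" ;;
        esac
    done
}

sample_conf | audit_mapuser
```

Run it against the real file with `audit_mapuser < /etc/centrifydc/centrifydc.conf` after setting the three variables for the host in question; for each resolved name, confirm that the Active Directory account actually exists before relying on the mapping.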
If you are not deploying Centrify DirectControl group policies, you can also customize access controls for users with the settings in any computer's local Centrify DirectControl configuration file. For more information about setting the parameters in the Centrify DirectControl configuration file, see the Configuration Parameter Reference Guide.
You can assign Active Directory users to roles without defining a user profile for them. However, the Active Directory user must have a user profile in the zone for rights and roles to be enforced.
zone. This report includes the Active Directory display name, the Active Directory logon name, the Active Directory domain for the account, and details about the account status, such as whether the account is configured to expire, locked out, or disabled, and the date and time of the account's last logon. For more information about generating and working with reports, see Generating predefined and custom reports on page 231.
Chapter 9
The role assignment for an Active Directory user or group can apply either for an entire zone or for a specific computer in a zone. For example, you can assign the user Chris to the Local_Admin role on the computer fireline to give that user specific rights for that individual computer rather than all computers in the zone. Keep in mind that any computer-based role assignments are added to the role assignments defined for the entire zone. When users log on to a given computer, they get the roles defined at the zone level and the roles assigned to them for that specific computer. If you first assign the user Chris to the Local_Admin role for the entire zone, his rights will apply to all of the computers in the zone, including the fireline computer. If you later decide you only want him to perform Local_Admin operations on the fireline computer, you would need to remove his Local_Admin role assignment that applies to the whole zone.
Note
PAM access rights can be added to either type of role to grant access to all PAM-enabled applications or restrict access to specific PAM-enabled applications.
In this scenario: a user is assigned to at least one role that grants access to privileged commands.
Result: the user can run all of the base commands normally available, plus all of the privileged commands defined in the roles he is assigned, and any commands defined for his restricted environment role. As long as at least one role grants access to privileged commands, the user is not placed into a DirectAuthorize restricted environment.
In this scenario: all of a user's roles require a restricted environment and all of the roles are expired or not available.
Result: the user is prevented from logging on. If all of a user's roles restrict the user's access rights to specific commands, and all of the roles are expired or not available for a period of time, the user is not allowed to log on until at least one role is available to become the user's active role. Note: this is the only case where users are prevented from logging on.
For example, the user monte is assigned two roles:
- backup_ops: this role has a restricted environment that allows members to run the command tar as root during off-hours.
- sys_admin: this role grants permission to run rpm as root with no time constraints.
If monte logs on during off-hours when both roles are available, he can run both dzdo rpm and dzdo tar until the time constraints for the backup_ops role take effect and he loses permission to run the tar command as root. If the sys_admin role assignment is temporary and expires, the user monte loses permission to run the privileged commands associated with that role. When the sys_admin role assignment expires, only the backup_ops role assignment applies, and the user monte is placed into a restricted environment when he next logs on.
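The combination rules above are easy to misread, so here they are written out as a small decision function. This is an added example, not Centrify's code: it takes constructed role records (name, kind, whether the assignment is currently active, and the commands it allows as root) and returns the mode the user ends up in. The "base" outcome, where a user's only roles are privileged-command roles that have all expired, is not described on this page and is an assumption marked as such in the code.

```sh
#!/bin/sh
# Added example, not Centrify's code: work out what a user gets from a set of
# role assignments, following the rules in the table and scenario above.
# Each argument is a constructed role record "name:kind:state:commands":
#   kind     = priv (grants privileged commands) or restricted (restricted environment)
#   state    = active, or expired (also used for "outside the role's time window")
#   commands = comma-separated commands the role lets the user run as root

# Prints "<mode> <commands>"; mode is full, restricted, denied or base.
evaluate_roles() {
    any_priv=0; any_restricted=0; seen_restricted=0; cmds=""
    for role in "$@"; do
        old_ifs=$IFS; IFS=:
        set -- $role
        IFS=$old_ifs
        kind=$2; state=$3; rcmds=$4
        [ "$kind" = restricted ] && seen_restricted=1
        # An expired or unavailable assignment contributes nothing, as with the
        # expired sys_admin assignment in the text.
        [ "$state" = active ] || continue
        case $kind in
            priv)       any_priv=1 ;;
            restricted) any_restricted=1 ;;
        esac
        cmds="${cmds:+$cmds,}$rcmds"
    done
    if [ "$any_priv" -eq 1 ]; then
        mode=full           # base commands plus every command of every active role
    elif [ "$any_restricted" -eq 1 ]; then
        mode=restricted     # only the commands of the active restricted environment role(s)
    elif [ "$seen_restricted" -eq 1 ]; then
        mode=denied         # every role restricts access and none is available: logon refused
    else
        mode=base           # assumption: no restricted environment was ever required, so
                            # the user keeps ordinary base commands and nothing privileged
    fi
    echo "$mode${cmds:+ $cmds}"
}

# The scenario from the text: monte holds backup_ops (tar as root, off-hours
# only) and sys_admin (rpm as root, no time constraint).
evaluate_roles backup_ops:restricted:active:tar  sys_admin:priv:active:rpm    # full tar,rpm
evaluate_roles backup_ops:restricted:expired:tar sys_admin:priv:active:rpm    # full rpm
evaluate_roles backup_ops:restricted:active:tar  sys_admin:priv:expired:rpm   # restricted tar
evaluate_roles backup_ops:restricted:expired:tar sys_admin:priv:expired:rpm   # denied
```

The point to take from the four calls is the asymmetry: adding a privileged-command role anywhere in the set lifts the user out of the restricted shell entirely, while losing the last active role of a user who only ever had restricted roles locks the account out.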
application ftp. If all of the roles are available, the user chris can use ssh, login, and ftp, but no other PAM-enabled applications. Even though the backup_ops role allows access to any PAM-enabled application, the user can only use the PAM-enabled applications that are explicitly defined in the other roles. If you want to use PAM access controls for any roles, you may want to explicitly define a PAM access right that allows access to all PAM-enabled applications using an asterisk (*). You can then add this right to roles as needed to ensure users don't lose rights they should have when they are assigned multiple roles. For example, if the user chris is assigned to the same roles described above but the backup_ops role has the All (*) PAM access right explicitly defined and all of the roles are available, the user chris can use any PAM-enabled application, not just ssh, login, and ftp. Alternatively, you can allow access to all PAM-enabled applications for all roles (no restrictions defined for any roles) or explicitly define restrictions for which PAM-enabled applications users can access in all roles. This eliminates the chance that a user with multiple roles will be denied access to PAM-enabled applications unexpectedly because some role assignments explicitly define access and others do not.
Because the shell scripting environment allows the operations, the user can effectively access information that the command set defined for his restricted environment does not allow.
Keeping a restricted environment secure
There are many ways sophisticated users can get around limitations placed on a restricted environment. For example, most text editors, such as vi and emacs, allow shell escapes. Giving users permission to run programs that allow shell escapes in a restricted environment enables them to open a new unrestricted environment with none of the restrictions placed on them in their defined environment. Similarly, giving users access to commands that set or modify local time and date settings may allow them to avoid time constraints for running commands or the expiration date and time for specific role assignments. In some cases, even individual command line options may provide users with the means to run commands not defined in their restricted environment. For example, allowing the user to run the tar command with --use-compress-program program_name allows the user to run the specified program_name even though the
program_name
environment. In choosing the commands to allow in a restricted environment, therefore, you should carefully consider ways to plug potential security holes the commands may introduce or whether there are alternative commands that provide the same functionality more securely. For example, if you need to give a user access to an editor, such as vi or vim, you could restrict the ability to execute nested commands to prevent users from opening a new shell from within the editor; see Step 10 on page 188 of Configuring restricted environment rights. Alternatively, you could add the rvi command to the restricted environment instead of vi or vim because rvi doesn't allow the user to open a new shell.
scope of what tasks a user or group can perform on a specific computer. For example, the user monte is assigned two roles:
- backup_ops: this role has a restricted environment that allows members to run the command tar as root during off-hours. The scope of the role assignment is the entire zone, so monte can log on and run the commands allowed for the backup_ops role on any computer in the zone during the hours the backup_ops role is in effect.
- sys_admin: this role grants permission to run rpm as root, but the scope of this role assignment has been changed from the entire zone to only apply on the computer firefly.
On the computer firefly, the user monte can log on any time, run any normal user commands, run the privileged command dzdo rpm at any time, and run dzdo tar during the hours the backup_ops role is in effect.
The functional level of the Active Directory forest has been raised to Windows Server 2003. You can install the DirectAuthorize console extension with the Centrify DirectControl Administrator Console on computers running Windows 2000 if you also install the Authorization Manager Runtime for Windows 2000 downloadable software package from Microsoft. The authorization store, however, requires the zone to be in a Windows Server 2003 domain and the domain functional level to be Windows Server 2003. For information about downloading the Authorization Manager Runtime for Windows 2000 Server, see the Microsoft Web site.
Note
You should also verify that the Centrify DirectControl Administrator Console you are using and the Centrify DirectControl Agent you want to work with have Centrify DirectControl, version 4.2 or later installed.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select a zone name, right-click, then click Properties. For
4 Click the DirectAuthorize tab.
5 Click Enforce rights and roles. The currently logged on user and the Domain Admins group are automatically added to the list of users and groups allowed to configure DirectAuthorize. For example:
Note
If the Enforce rights and roles option is not available, you do not have the appropriate permissions to initialize DirectAuthorize. If you have permission to create zones, you should run the Zone Delegation Wizard and assign the Initialize data for DirectAuthorize task to your own account or other appropriate users and groups that should be allowed to perform this task.
Clicking Enforce rights and roles adds the authorization store to the zone and the Roles and Rights nodes to the Centrify DirectControl Administrator Console. It does not impact any existing users access to computers in the zone. Only users who are assigned to roles or who are members of Active Directory groups assigned to roles have their rights enforced for computers in the zone. Users who are not assigned to roles when you click Enforce rights and roles can continue to perform operations as they did before until you assign them to one or
more roles. This behavior is intended so that users are not prevented from logging on or performing protected operations unexpectedly. Once they are explicitly assigned one or more roles, their rights will depend on their currently active role(s) and the operations they can perform in the zone may change. Centrify recommends that you configure a limited set of rights, roles, and role assignments and test enforcement before expanding the scope across the user community.
6 Click Add to add users and groups to the list of users and groups who are allowed to define rights and roles for performing operations on computers managed by DirectControl. You must define at least one user or group with permission to configure DirectAuthorize. After initializing DirectAuthorize for the zone, you can add and remove users and groups from this list at any time. If you remove all users and groups from the list, however, you effectively disable DirectAuthorize and the ability to define rights and roles.
7 Select User or Group to specify the type of account to find.
8 Type a search string to find the user or group objects to add as rights administrators, select one or more objects from the results, then click OK to return to the DirectAuthorize tab.
9 Click OK to save the zone properties and close the Properties dialog box. Once you have activated DirectAuthorize for a zone, you can expand the zone to display the Roles and Rights nodes. For example, if you activated DirectAuthorize for a zone named mission, you can expand the mission zone to display the Roles
DirectAuthorize nodes
part of the information to a file and import it into other zones, as needed.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.
Right.
6 Type the name of a PAM-enabled application and, if needed, a detailed description of the application, then click OK. You can use wildcards in the PAM Application Name to perform pattern matching for the application name. For example, you can specify *ftp* to match all PAM-enabled applications containing the string ftp, such as vsftpd, ftpd, and ftp.
The Application Name field supports glob pattern matching syntax. For example, the name can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([. . .]). For more detailed information about using wildcard patterns and glob syntax, see the glob man page.
Note
Specific application names depend on the application and the operating environment where the application is being accessed. The PAM service name is what the application passes to PAM (normally the name of its file under /etc/pam.d), so the right name is whatever that file is called on each platform. For example, the following table lists several common PAM-enabled applications and the appropriate name to use for them on different platforms (names that did not survive in this copy of the table are left blank):

For this application   On                                                                  Use this name
telnet                 Common Linux platforms, such as Red Hat, Debian, SuSE, Centos,      login
                       and Ubuntu; HP-UX; and Irix
                       Sun Solaris                                                         telnet
                       VMware ESX, Oracle Linux, Scientific Linux                          remote
ftp                    Common Linux platforms, such as Red Hat, Oracle Linux, and          vsftpd
                       Scientific Linux, and VMware ESX
                       Some Linux platforms, such as Debian, Centos, and Ubuntu;           ftp
                       Sun Solaris; HP-UX; Irix
graphical desktop      Common Linux platforms, such as Red Hat, Debian, Oracle Linux,      gdm
                       Centos, Scientific Linux, and Ubuntu
                       Sun Solaris and HP-UX
                       SuSE and Irix
ssh                    Most platforms
                       Debian and Ubuntu
Rights for these and other common PAM-enabled applications are predefined in the default DirectAuthorize environment, so
that you can easily add them to roles, where appropriate. For example:
Depending on the specific operating environment and version you are using, however, you may need to modify the default application name. In addition to enabling access for specific PAM-enabled applications, you may want to add a right for enabling access to all PAM applications for users in administrative roles. You can do this by typing an asterisk (*) as the Application Name. For example:
You can use an asterisk (*) to allow access to all PAM-enabled applications
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.
Restricted Environment.
6 On the General tab, type a name for the restricted environment and, if needed, a detailed description of what the restricted environment provides. For example, you may want to describe the type of operations allowed in this restricted environment or list the specific commands it supports.
7 Click the Commands tab, then click New.
8 On the General tab in the New Restricted Environment Command dialog box, type the command name, detailed description, the program's executable file, and select a method for matching the path of the command executable and the user account the command should run under.
In this field     Do this
Name              Type a short descriptive name for the command. The command name is required and must not be more than 29 characters in length or contain any special characters, such as asterisks (*), slashes (\ /), question marks (?), or quotation marks (").
Description       Type a detailed description for the command. This field is optional.
Command           Type one or more commands you want to add as new restricted environment commands. The Command field is required and should include any parameters or options, as needed. Depending on the button you select below the Command field (Glob expressions or Regular expressions), you can use glob pattern matching syntax or extended regular expression syntax within the Command field. The default is glob pattern matching. For example, with glob pattern matching, the command can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). You can also use an exclamation point (!) at the start of a command to disallow matching commands. For example, the -P option of man lets the user choose the pager program, which could be used to run programs that are not otherwise allowed; you can prevent users from specifying it by entering the following commands:
!man -P*
!man * -P*
man
Note: When using pattern matching, keep in mind that the path is always prepended to the command name. Therefore, using a caret (^) to match the first character of a command does not work, because the pattern matches the first character of the path, not the first character of the command name. Commands that start with an exclamation point take precedence over those that don't. For example, if you type the commands !ls -l and ls *, users are prevented from running the ls command with the -l option, even though ls * specifies that all options are allowed. If a command is followed by empty quotation marks (""), the command can only run without any options. For more detailed information about using wildcard patterns: with glob syntax, see the glob or glob(7) man page; with extended regular expressions, see the regcomp or regexec man page.
Glob expressions / Regular expressions   Specify the type of pattern matching to use for wildcard characters in the Command field and the Match path > Specific path field. Glob expressions, the default, specifies glob pattern matching syntax. The description of the Command field and the Match path fields provides some examples of glob pattern matching. See the glob and glob(7) man pages for detailed information. Regular expressions specifies extended regular expression pattern matching. See the regcomp and regexec man pages for detailed information.
Match path        Select an appropriate path for matching the command name specified on the different operating environments you support. Select Standard user path to use the local operating system's common set of user directories to match the path of the command specified. Select Standard system path to use the directories the root user would normally get on the local operating environment to match the path of the command specified. Select Specific path if you want to define a custom set of locations for matching the path of the command specified. If you select this option, you can specify one or more paths, separated by a colon. Depending on the button you select above the Match path field (Glob expressions or Regular expressions), you can use wildcard patterns to generate matching path names. For example, with glob pattern matching, the path can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). The path must start with a slash (/), however, unless you are matching all paths (*). For example, if the command you specify is ls and you set the match path to *, the ls command from any path is allowed. If you set the Command to * and the match path to *, then any command from any path is allowed. For more information about using wildcard patterns to expand path names, see the glob or glob(7) man page, or for extended regular expression syntax, see regcomp and regexec.
User account      Select the user account the shell command should run as. Select User running the command to execute the command using the currently logged-on user's account. Select Specific user account and type the user account name if you want the command to be executed using a specific user account that is not the logged-on user's account.
If you are not configuring environment variables or additional execution attributes, you can click OK after setting the General properties for the command. If you want to configure environment variables or customize additional execution attributes, you can click Apply and go on to the next step.
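The matching rules for the Command field (a leading "!" wins over any allow pattern, the match path is prepended before the pattern is applied, and a trailing "" means the bare command only) are the same for restricted environment commands here and for the privileged command dialog later in this chapter, and they are what make the shell-escape patterns under Keeping a restricted environment secure work. The script below is an added example, not Centrify's code: it models those stated rules with the shell's own glob matching so you can check a proposed pattern set against sample command lines before assigning it. The agent's real matching engine is not shown on this page, so the details are an assumption that follows the rules as written.

```sh
#!/bin/sh
# Added example, not Centrify's code: a model of the command-matching rules
# stated above (deny patterns starting with "!" win, the Match path is prepended
# to the pattern before matching, a trailing "" means no options at all), using
# the shell's own glob matching via case. The agent's real matching engine is not
# shown on this page, so treat the details below as an assumption that follows
# the stated rules, not as the product's implementation.

# match_one PATTERN FULLCMD MATCHPATHS: succeed if PATTERN (no leading "!")
# matches FULLCMD under one of the colon-separated MATCHPATHS ("*" = any path).
match_one() {
    pat=$1; cmd=$2; paths=$3
    glob2=""
    case $pat in
        *' ""') glob=${pat%' ""'} ;;            # 'ls ""': the bare command only
        *' '*)  glob=$pat ;;                    # explicit options pattern
        *)      glob=$pat; glob2="$pat *" ;;    # bare name: with or without options
    esac
    old_ifs=$IFS; IFS=:; set -f
    set -- $paths                               # split Match path; no filename expansion
    IFS=$old_ifs; set +f
    for dir in "$@"; do
        case $cmd in
            $dir/$glob) return 0 ;;
        esac
        if [ -n "$glob2" ]; then
            case $cmd in
                $dir/$glob2) return 0 ;;
            esac
        fi
    done
    return 1
}

# dz_allowed FULLCMD MATCHPATHS PATTERN...: 0 if the command is permitted.
# FULLCMD is the command as resolved by the agent: absolute path plus arguments.
dz_allowed() {
    cmd=$1; paths=$2; shift 2
    for p in "$@"; do                           # pass 1: "!" patterns take precedence
        case $p in
            '!'*) match_one "${p#!}" "$cmd" "$paths" && return 1 ;;
        esac
    done
    for p in "$@"; do                           # pass 2: any allow pattern
        case $p in
            '!'*) ;;
            *)    match_one "$p" "$cmd" "$paths" && return 0 ;;
        esac
    done
    return 1
}

# Usage with the patterns discussed in the text. Constructed calls; the first
# argument is what the user typed, with the executable resolved to a full path.
PATHS=/bin:/usr/bin
dz_allowed '/usr/bin/man tar' "$PATHS" '!man -P*' '!man * -P*' man && echo "man tar: allowed"
dz_allowed '/usr/bin/man -Pless tar' "$PATHS" '!man -P*' '!man * -P*' man || echo "man -Pless: denied"
dz_allowed '/bin/tar -cf x.tar --use-compress-program /bin/sh .' "$PATHS" \
    '!tar *--use-compress-program*' 'tar *' || echo "tar --use-compress-program: denied"
dz_allowed '/bin/ls -a' "$PATHS" 'ls ""' || echo "ls with options: denied"
```

Two things the model makes visible: a bare command name such as man admits any options unless a "!" pattern removes them, and a Match path of * makes the directory part of the pattern match anything, so a copy of the binary under the user's home directory would match as well; pin the path when the command is one that must not be substituted.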
9 Click the Environment tab if you want to configure the
To customize the environment variables used:
- Select Reset environment variables if you want to reset the listed set of environment variables when the user runs the restricted environment command. In addition to the listed environment variables, the dzdo.env_keep configuration parameter in the centrifydc.conf file defines a default set of environment variables to retain from the current user's environment. If you select this option and want to specify additional environment variables to retain from the user's environment, click Add, type the environment variable name you want to retain, then click OK to keep the environment variable setting when the user runs the command.
- Select Remove unsafe environment variables if you want to retain existing environment variables while removing a default set of unsafe environment variables when running the restricted environment command. The list of unsafe environment variables is defined by the dzdo.env_delete configuration parameter in the centrifydc.conf file. If you select this option, and want to specify additional environment variables to remove, click Add, type the environment variable name, then click OK to remove the specified environment variable setting when the user runs the command.
- Select Add environment variables to define new environment variables to add when running the restricted environment command. Enter variables in a comma-separated list in the form name=value.
Note
You can select Add environment variables and define new environment variables with either of the other options.
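The difference between the reset and remove policies matters for privileged commands: reset starts from nothing and admits only a known list, while remove keeps whatever the user set apart from a blacklist, so anything not on that blacklist (an EDITOR that points at a shell script, for instance) reaches the command running as root. The script below is an added example and is not Centrify's code; it applies the three options to a constructed environment. KEEP_LIST and DELETE_LIST stand in for the values of dzdo.env_keep and dzdo.env_delete and are assumptions, not the product's defaults.

```sh
#!/bin/sh
# Added example, not Centrify's code: the three environment policies described
# above (reset, remove unsafe, add), applied to a constructed environment.
# KEEP_LIST and DELETE_LIST are assumptions standing in for the values of
# dzdo.env_keep and dzdo.env_delete in centrifydc.conf; read your own file for
# the real defaults before relying on them.
KEEP_LIST="HOME USER LOGNAME TERM LANG"
DELETE_LIST="LD_PRELOAD LD_LIBRARY_PATH IFS ENV BASH_ENV"

# Constructed environment of the calling user, one NAME=VALUE per line.
sample_env() {
    printf '%s\n' 'HOME=/home/monte' 'USER=monte' 'TERM=xterm' 'LANG=en_US.UTF-8' \
        'LD_PRELOAD=/tmp/evil.so' 'BASH_ENV=/tmp/rc' 'EDITOR=vi' \
        'PATH=/home/monte/bin:/usr/bin'
}

# in_list NAME "LIST": true if NAME appears in the space-separated LIST
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# filter_env MODE "EXTRA NAMES" "NAME=value,NAME=value"  < environment
#   reset  : keep only env_keep names plus EXTRA (Reset environment variables)
#   remove : keep everything except env_delete names plus EXTRA (Remove unsafe ...)
# The third argument is the Add environment variables list, appended last.
filter_env() {
    mode=$1; extra=$2; add=$3
    while IFS= read -r entry; do
        name=${entry%%=*}
        case $mode in
            reset)  in_list "$name" "$KEEP_LIST $extra"   && printf '%s\n' "$entry" ;;
            remove) in_list "$name" "$DELETE_LIST $extra" || printf '%s\n' "$entry" ;;
        esac
    done
    [ -n "$add" ] && printf '%s\n' "$add" | tr ',' '\n'
    return 0
}

# Usage: a command that keeps the user's EDITOR and is handed ORACLE_HOME.
sample_env | filter_env reset EDITOR ORACLE_HOME=/opt/oracle
```

Note that under reset the user's PATH is dropped along with everything else, which is why the command's executable is located through the Match path setting rather than through the caller's PATH.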
In this field          Do this
                       Check this option to retain the user's group membership while executing commands in a restricted environment.
Allow nested command   Check this option to allow the restricted environment command to start another program or open a new shell. You should uncheck this option if you want to prevent the command from starting another program or opening a new, unrestricted shell while executing an allowed command.
Umask value            Set the umask value to use for the restricted shell.
environment.
12 Repeat Step 8 through Step 11 for each command you want to
When you install DirectAuthorize on a computer, it includes a default restricted environment that provides access rights to a default set of basic commands that enables users to perform common operations such as copy files, list directory contents, view man pages, and display the current working directory. If you want to use this default restricted environment as a starting point for creating your own customized restricted environment, you can import the BasicRestrictedEnvironment.xml file into a zone then modify the list of commands allowed, as needed. By default, the BasicRestrictedEnvironment.xml file is located in the Centrify DirectControl installation directory, for example C:\Program Files\Centrify\Centrify DirectControl. To import the preconfigured restricted environment, select the zone name, right-click, then click All Tasks > Import DirectAuthorize Configuration and follow the prompts displayed to import the definitions from the BasicRestrictedEnvironment.xml file. For more information about importing rights and roles, see Exporting and importing rights and roles on page 209.
Modifying the default restricted environment
After importing the BasicRestrictedEnvironment, you can expand the Restricted Environments node to view it. If you want to modify the commands included, select BasicRestrictedEnvironment in the Centrify DirectControl Administrator Console, right-click, then click Properties. You can then click the Commands tab to add, remove, or modify the default list of commands allowed. For example:
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.
Command.
description, the program's executable file, and select a method for matching the path of the command executable.
Type a short descriptive name for the command. The privileged command name is required and must not be more than 60 characters in length or contain any special characters, such as asterisks (*), slashes (\ /), question marks (?), or quotation marks (").
Note
In most cases, the privileged command name is the same as, or similar to, the command executable name. For example, you might use uname, ps, or id to set up rights for the uname, ps, or id programs. If you plan to define a System Administrator role that allows assigned users to run any command as the root user, you may want to use All as the name of the privileged command, then use an asterisk (*) to indicate all commands in the Command field. For detailed instructions about setting up a System Administrator role with permission to execute all commands as root and access all PAM-enabled applications, see Creating a standard system administrator role in the Evaluation Guide.
Description: Type a detailed description for the command. This field is optional.
Command: Type one or more commands you want to add as new restricted environment commands. The Command field is required and should include any parameters or options, as needed. Depending on the button you select below the Command field (Glob expressions or Regular expressions), you can use glob pattern matching syntax or extended regular expression syntax within the Command field. The default is glob pattern matching. For example, with glob pattern matching, the command can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). You can also use an exclamation point (!) at the start of a command to disallow matching commands. For example, you can prevent users from specifying the program to use for viewing man pages (man -P), which might let them run programs that are not otherwise allowed, by specifying the following commands:
!man -P*
!man * -P*
man
Note
When using pattern matching, keep in mind that the path is always prepended to the command name. Therefore, using a caret (^) to match the first character of a command does not work, because the pattern matches the first character of the path, not the first character of the command name. Commands that start with the exclamation point take precedence over others that don't. For example, if you type the commands !ls -l and ls *, users are prevented from running the ls command with the -l option, even though ls * specifies that all options are allowed. If a command is followed by empty quotation marks (""), the command can only run without any options. For more detailed information about using wildcard patterns: with glob syntax, see the glob or glob(7) man page; with extended regular expressions, see the regcomp or regexec man page.
Specify the type of pattern matching to use for wildcard characters in the Command field and the Match path > Specific path field. Glob expressions, the default, specifies glob pattern matching syntax. The description of the Command field and the Match path fields provides some examples of glob pattern matching. See the glob and glob(7) man pages for detailed information. Regular expressions specifies extended regular expression pattern matching. See the regcomp and regexec man pages for detailed information.
Match path: Select an appropriate path for matching the command name specified on the different operating environments you support. Select Standard user path to use the local operating system's common set of user directories to match the path of the command specified. Select Standard system path to use the directories the root user would normally get on the local operating environment to match the path of the command specified. Select Specific path if you want to define a custom set of locations for matching the path of the command specified. If you select this option, you can specify one or more paths, separated by a colon. Depending on the button you select above the Match path field (Glob expressions or Regular expressions), you can use wildcard patterns to generate matching path names. For example, with glob pattern matching, the path can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). The path must start with a slash (/), however, unless you are matching all paths (*). For example, if the command you specify is ls and you set the match path to *, the ls command from any path is allowed. If you set the Command to * and the match path to *, then any command from any path is allowed. For more information about using wildcard patterns to expand path names, see the glob or glob(7) man page, or for regular expression syntax, see regcomp and regexec.
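The Command and Match path matching rules described above, modelled in Python as an added example (not Centrify's code): the invoked command is taken as full path plus arguments, the colon-separated Match path globs are applied first because the path is prepended to the command name, "!" entries win over allow entries, and a trailing "" means the command may run only without options. The rule set and directories are constructed for illustration.

```python
"""Illustrative model of DirectAuthorize-style glob command matching.

Added example, not Centrify's implementation: it follows the rules the
guide states so an administrator can sanity-check a rule set before
assigning it to a role.
"""
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional, Tuple
import posixpath


class CommandRule(NamedTuple):
    pattern: str     # Command field, e.g. 'ls *', '!man -P*', 'pwd ""'
    match_path: str  # Match path: colon-separated directory globs, or '*'

    @property
    def deny(self) -> bool:
        # An entry that starts with "!" disallows matching commands.
        return self.pattern.startswith("!")

    def _name_and_args(self) -> Tuple[str, Optional[str]]:
        body = self.pattern[1:] if self.deny else self.pattern
        parts = body.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else None)

    def matches(self, invoked: str) -> bool:
        """invoked is the command as it would run: full path plus arguments."""
        name_pat, args_pat = self._name_and_args()
        parts = invoked.split(None, 1)
        directory, basename = posixpath.split(parts[0])
        args = parts[1].strip() if len(parts) > 1 else ""
        # The path is always prepended to the command name, so the
        # directory must satisfy the rule's Match path before the
        # command name itself is considered ("*" accepts any path).
        if self.match_path != "*":
            if not any(fnmatchcase(directory, p)
                       for p in self.match_path.split(":")):
                return False
        if not fnmatchcase(basename, name_pat):
            return False
        if args_pat is None:   # no argument pattern: any options allowed
            return True
        if args_pat == '""':   # empty quotes: runnable only without options
            return args == ""
        return fnmatchcase(args, args_pat)


def is_allowed(invoked: str, rules: List[CommandRule]) -> bool:
    """Entries starting with "!" take precedence over those that don't."""
    if any(r.deny and r.matches(invoked) for r in rules):
        return False
    return any(not r.deny and r.matches(invoked) for r in rules)


# Constructed rule set mirroring the guide's man and ls examples.
SYSTEM_PATH = "/bin:/usr/bin"
EXAMPLE_RULES = [
    CommandRule("!man -P*", SYSTEM_PATH),    # block "man -Pprog ..."
    CommandRule("!man * -P*", SYSTEM_PATH),  # block "-P" after other args
    CommandRule("man", SYSTEM_PATH),         # otherwise man with any args
    CommandRule("!ls -l", SYSTEM_PATH),      # only the exact "-l" form
    CommandRule("ls *", SYSTEM_PATH),
    CommandRule('pwd ""', SYSTEM_PATH),      # pwd only, no options
]


if __name__ == "__main__":
    for cmd in ["/usr/bin/man ls", "/usr/bin/man -P/bin/sh ls",
                "/bin/ls -l", "/bin/ls -la", "/tmp/ls", "/bin/pwd -L"]:
        verdict = "allowed" if is_allowed(cmd, EXAMPLE_RULES) else "denied"
        print(f"{cmd!r:32} -> {verdict}")
```

Running it shows the narrowness of a literal deny entry: !ls -l blocks "ls -l" but not "ls -la", which ls * still admits.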
7 Click the Run As tab, then specify the users and groups allowed to run this privileged command. Select Any user if any user enabled for the zone can run the privileged command. Select User list if only specific user accounts listed can be used to run this privileged command. A user assigned to a role that includes this right can only run the privileged command under the listed user accounts. For example, if you select this option and specify the users root and ben, the command can be run as root or ben. By default, privileged commands run as root. If you select User list, click Add to add a new user name to the list of allowed users. The users a command can run as can be either Active Directory users with a UNIX profile in the zone or local UNIX user accounts. The user account that logs in and invokes the privileged command, however, must be associated with an Active Directory account. For example:
environment variables to use or prevent from being used when running the privileged command. For example:
To customize the environment variables used: Select Reset environment variables if you want to reset the listed set of environment variables when the user runs the privileged command. In addition to the listed environment variables, the dzdo.env_keep configuration parameter in the centrifydc.conf file defines a default set of environment variables to retain from the current user's environment. If you select this option and want to specify additional environment variables to retain from the user's environment, click Add, type the environment variable name you want to retain, then click OK to keep the environment variable setting when the user runs the command. Select Remove unsafe environment variables if you want to retain existing environment variables while removing a default set of unsafe environment variables when running the privileged command. The list of unsafe environment variables is defined by the dzdo.env_delete configuration parameter in the centrifydc.conf file. If you select this option and want to specify additional environment variables to remove, click Add, type the environment variable name, then click OK to remove the specified environment variable setting when the user runs the command.
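The three environment options, Reset environment variables, Remove unsafe environment variables, and Add environment variables, apply to both restricted environment commands and privileged commands. As an added example (not Centrify's code), the following models the environment a command would start with under each option; the dzdo.env_keep and dzdo.env_delete lists and the caller's environment are constructed samples, and treating Reset and Remove unsafe as mutually exclusive is an assumption drawn from the note that Add can be combined with "either of the other options".

```python
"""Illustrative model of the dzdo environment-variable options.

Added example, not Centrify's code. The env_keep / env_delete values
below are constructed; the real defaults live in centrifydc.conf.
"""
from typing import Dict, Iterable, List, Tuple

SAMPLE_ENV_KEEP = ["HOME", "PATH", "LANG", "TERM"]            # constructed
SAMPLE_ENV_DELETE = ["LD_PRELOAD", "LD_LIBRARY_PATH", "IFS",   # constructed
                     "ENV", "BASH_ENV"]


def parse_add_vars(spec: str) -> List[Tuple[str, str]]:
    """Parse the Add environment variables list: 'NAME=value,NAME2=value2'."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"expected name=value, got {item!r}")
        name, value = item.split("=", 1)   # only the first '=' separates
        pairs.append((name.strip(), value))
    return pairs


def build_command_environment(current_env: Dict[str, str], *,
                              reset: bool = False,
                              extra_keep: Iterable[str] = (),
                              remove_unsafe: bool = False,
                              extra_delete: Iterable[str] = (),
                              add_vars: str = "",
                              env_keep: Iterable[str] = SAMPLE_ENV_KEEP,
                              env_delete: Iterable[str] = SAMPLE_ENV_DELETE
                              ) -> Dict[str, str]:
    """Return the environment the command would start with.

    reset         -> keep only env_keep plus extra_keep
                     (Reset environment variables)
    remove_unsafe -> keep everything except env_delete plus extra_delete
                     (Remove unsafe environment variables)
    add_vars      -> name=value list applied last, usable with either mode
    Assumption: Reset and Remove unsafe are alternatives, so both is an error.
    """
    if reset and remove_unsafe:
        raise ValueError("Reset and Remove unsafe are alternatives")
    if reset:
        keep = set(env_keep) | set(extra_keep)
        env = {k: v for k, v in current_env.items() if k in keep}
    elif remove_unsafe:
        drop = set(env_delete) | set(extra_delete)
        env = {k: v for k, v in current_env.items() if k not in drop}
    else:
        env = dict(current_env)
    for name, value in parse_add_vars(add_vars):
        env[name] = value   # added variables override inherited ones
    return env


# Constructed caller environment; LD_PRELOAD stands in for the kind of
# loader variable an env_delete list typically removes.
CALLER_ENV = {
    "HOME": "/home/sonya", "PATH": "/usr/bin:/bin", "TERM": "xterm",
    "LANG": "en_US.UTF-8", "EDITOR": "vi", "LD_PRELOAD": "/tmp/hook.so",
    "PAGER": "less",
}

if __name__ == "__main__":
    print("reset + keep EDITOR:",
          build_command_environment(CALLER_ENV, reset=True,
                                    extra_keep=["EDITOR"]))
    print("remove unsafe + PAGER=more:",
          build_command_environment(CALLER_ENV, remove_unsafe=True,
                                    add_vars="PAGER=more"))
```

Note that with neither option selected the caller's environment passes through unchanged, so a variable outside env_delete survives into the privileged command unless it is listed explicitly.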
9 Click the Attributes tab to set other execution attributes for
Check this option to require the user to be authenticated before running a privileged command. If authentication is required, specify whether the password used should be the password for the logged-on user or the target run-as user. Check this option to retain the user's group membership while executing a privileged command.
Check this option to allow the privileged command to start another program or open a new shell. You should uncheck this option if you want to prevent the privileged command from starting another program or opening a new, unrestricted shell while executing an allowed command.
Umask value: Set the umask value to use for the privileged command or shell to be executed.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.
4 Select Roles, right-click, then click Add Role.
5 On the General tab, type the role name and description. For example:
Available Times, then select the days and times to allow or deny access for users assigned to the role. For example, to prevent users from performing the operations defined for the role on weekdays before 7:00 AM, weeknights after 10:00 PM, and on Saturdays and Sundays, you could set the available times like this:
7 Click the PAM Access tab, then click Add.
8 Select the appropriate PAM applications from the list of available PAM applications, then click Add to add the selected applications to the role. Alternatively, you can click New to create a new PAM access right for this role. Once you create the new PAM access right, it is added to the list of Available Applications for the zone. You should keep in mind that the list of available applications that can be assigned to roles is maintained on a zone-specific basis. You can use wildcards to perform pattern matching for the PAM application name. For example, you can specify *ftp* to match all PAM-enabled applications containing the string ftp, such as vsftpd, ftpd, and ftp. To allow a role to access all PAM-enabled applications, use an asterisk (*) as the application name.
Note
command access you want the role to provide. If you want users in this role to use a restricted environment DirectAuthorize shell (dzsh) with a limited set of commands available, click Use restricted environment, then select the restricted environment to use from the list of restricted environments you have defined.
If you want users in this role to be able to run privileged commands, click Privileged commands, then click Add. You can then select the appropriate privileged commands from the list of available privileged commands and click Add to add the selected privileged commands to the role.
Note
Alternatively, you can click New to create a new privileged command right for this role. Once you create the new privileged command, it is added to the list of Available Privileged Commands for the zone. You can then add the new privileged command to the role. You should keep in mind that the list of available privileged commands that can be assigned to roles is maintained on a zone-specific basis.
10 Click OK to save the changes to the role and close the dialog box.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.
4 Select Roles, then select the role name to which you want to assign users and groups. For example, select the dc_admins role from the list of roles displayed:
5 Right-click, then select Assign Users and Groups.
6 Select the type of object to search for from the Find list. For example, select User to find user account objects or Group to find group account objects.
7 Type a search string to locate the user or group account, then click Find Now. For example, type per to display the Performix Admins, Performix Contractors, and Performix Employees groups.
8 Select one or more objects in the results, then click OK.
Note
You can assign any Active Directory user to a role. If the user does not have a profile defined in the current zone, a warning message is displayed. You can continue with the role assignment and add a profile for the user to the zone later to ensure that the role controls the operations the user can perform. If you are assigning an Active Directory group to a role, however, you may want to check whether the members of the group have profiles defined in the current zone to determine whether any profiles need to be added. There's no warning message for group members without a profile in the zone.
9 Review the role assignment settings for the user or group you selected and make any changes necessary, then click OK. For example, uncheck Start immediately to select a specific date for the role to become active and uncheck Never expires to select a specific date for the role to expire.
Note
By default, assigning a user or group to a role defines the operations the user or group can perform across all computers in the zone whenever that role is active for that user or group. Alternatively, you can limit the scope of a role assignment for a user or group to one or more specific computers within a zone.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the default zone.
4 Click Computers, then select the computer name to which you want to assign users and groups. For example, select the magnolia computer object:
the zone.
6 Select the appropriate role name, right-click, then select Assign
example, select User to find user account objects or Group to find group account objects.
8 Type a search string to locate the user or group account, then click Find Now. For example, type per to display the Performix Admins, Performix Contractors, and Performix Employees groups.
9 Select one or more objects in the results, then click OK.
Note
You can assign any Active Directory user to a role. If the user does not have a profile defined in the current zone, a warning message is displayed. You can continue with the role assignment and add a profile for the user to the zone later to ensure that the role controls the operations the user can perform. If you are assigning an Active Directory group to a role, however, you may want to check whether the members of the group have profiles defined in the current zone to determine whether any profiles need to be added. There's no warning message for group members without a profile in the zone.
10 Review the role assignment settings for the user or group you selected and make any changes necessary, then click OK. For example, uncheck Start immediately to select a specific date for the role to become active and uncheck Never expires to select a specific date for the role to expire.
a user has permission to run a specified command. Users and groups not assigned to roles in the zone are not affected in any way. If you want to use DirectAuthorize in additional zones, you need to manually set the Enforce rights and roles zone property for those zones. Once this property is set for a zone to set up its authorization store, you can uncheck the option to temporarily stop the enforcement of rights and roles for the users in a selected zone, if needed.
For more information about running dzdo and using dzdo command line options, see Using dzdo on page 487 or the dzdo man page. The dzdo command does not interfere or interoperate with any UNIX sudo operation or sudoers configuration. Any existing configuration remains in effect and is unaffected by DirectAuthorize.
Users who are only assigned to one or more restricted environment roles are only allowed to run commands within the DirectAuthorize shell (dzsh). Within the DirectAuthorize shell, a user can only be in one active role at a time, to prevent ambiguity about the commands the user can run or the user account that should be used to execute those commands. For example, if the user carol is assigned to the lab_staff restricted environment role that specifies the tar command should run as root and to the temps restricted environment role that specifies the tar command should run as tmp_admin, she needs to specify which role she is using for DirectAuthorize to run the tar command under the proper account. Within the DirectAuthorize shell, users can switch between available restricted environment roles, as needed, using the built-in role command. If a user has been assigned to the Backup Operators (backup_ops) role and the DirectAuthorize Managers (dz_managers) role, he can run the role command to specify which role should be active so that only commands from that role apply. For example, to switch from the backup_ops role to the dz_managers role:
$ role dz_managers
Role changed to: dz_managers
For more information about using the role option in a DirectAuthorize shell (dzsh), see the man page for dzsh.
Viewing available roles
The dzinfo command enables users to view information about the roles they have available and what they are allowed to do within their different roles. You may want to add this command to all of your restricted environment roles to allow users to check their definitions and availability within the DirectAuthorize restricted environment shell. For more information about using the dzinfo command, see the man page for dzinfo.
Using a graphical desktop manager in a restricted environment
In some operating environments, users who are placed into a restricted environment may not be able to log on using a graphical user interface desktop manager unless they are explicitly given permission to run the desktop manager or related commands within the dzsh restricted environment. For example, on Red Hat Linux, users must be allowed to run /usr/bin/dbus-launch to log on using the KDE or Gnome desktop manager.
To allow restricted environment users to log on using KDE or Gnome on Red Hat, you must add dbus-launch to the list of allowed commands for the restricted environment user's role. If you want to prevent restricted environment users from logging on using the graphical user interface, you can restrict their access to specific PAM-enabled applications such as ssh and telnet.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the default zone.
4 Select Roles, then select the name of the role you want to copy.
5 Right-click, then click Clone.
6 Select the Copy of the role name you selected, right-click, then
defined in one zone but create a completely new set of roles for those rights in the import zone.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select the zone name where you have defined the DirectAuthorize information you want to export, right-click, then click All Tasks > Export DirectAuthorize Configuration.
4 At the Welcome page, click Next.
5 Select the information you want to export, then click Next. For example, to export all of the information, click All to select all rights, role definitions, and role assignments:
6 Click Browse to specify a location and file name for the export
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select the zone name into which you want to import DirectAuthorize information, right-click, then click All Tasks > Import DirectAuthorize Configuration.
Note
You must initialize DirectAuthorize for the zone before you can import DirectAuthorize rights, roles, or role assignments. If you cannot select Import DirectAuthorize Configuration, initialize DirectAuthorize for the zone before continuing.
DirectAuthorize information you want to import, then click Next. For example:
6 Select the information you want to import, then click Next. For example, to import only Privileged Commands and PAM Access rights, click Privileged Commands and PAM Access:
computer.
2 Run the adflush command to clear the DirectControl cache.
For example:
# /usr/sbin/adflush
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select the zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the default zone.
4 Select Users, right-click, then select All Tasks > Show User Rights.
5 Type criteria to find a user, then click Find Now.
6 Select a user in the results, then click OK to display that user's
privileged commands the user has permission to run, including the target user under which the command runs and the role
applications the user has permission to run and the role where the permission to run the application is granted.
computer.
2 Run the dzinfo command for a specific user with the username in the command line. For example, to see the rights and roles assigned to the user sonya:
dzinfo sonya
Alternatively, if you have defined a privileged command to run the dzinfo command as root, you can invoke the program using dzdo. For example:
dzdo dzinfo sonya
If roles and rights have been configured for the user, the command displays information similar to the following:
Zone Status: DirectAuthorize is enabled
User: sonya
Forced into restricted environment: Yes

Role Name            Avail   Restricted Env
---------------      -----   --------------
role-Lab Staff       Yes     rs-lab_staff

PAM Application      Avail   Source Roles
---------------      -----   ----------------------------
login                Yes     role-Lab Staff
sshd                 Yes     role-Lab Staff
gdm                  Yes     role-Lab Staff

Privileged commands:
Name                 Avail   Command                         Source Roles
---------------      -----   -----------------------------   ----------------------------
(molly has no privileged command rights)

Commands in restricted environment: rs-lab_staff
Name                    Avail   Command                         Run As
----------------------  -----   -----------------------------   ---------
rs-lab_staff-whoami     Yes     whoami                          self
rs-lab_staff-pwd        Yes     pwd                             self
rs-lab_staff-uname      Yes     uname                           tim
rs-lab_staff-who        Yes     who                             self
rs-lab_staff-groups     Yes     groups                          self
You can run dzinfo without parameters to see the roles for the current user. To see more detailed information, such as the days and times a role is available, you can use the --verbose option. For example, to see detailed information for the currently logged on user, you could type the following command:
dzinfo --verbose
You can also use the dzinfo program to test whether a user has the right to run specific commands. For more information about using dzinfo and the dzinfo command line options, see the dzinfo man page.
Chapter 10
number of licenses you have purchased, the Centrify DirectControl Administrator Console will display the Manage Licenses dialog box to enable you to add license keys. Once you have installed enough license keys to cover all the configured UNIX, Linux, or Mac OS X computers, the Centrify DirectControl Administrator Console will display at startup and allow you to perform all of the normal administrative tasks.
provided with permanent license keys that replace any evaluation keys and identify the specific Centrify DirectControl licenses you have purchased. Your capacity for enabling access for standard UNIX services or applications is defined by the total of all of the licenses you purchase and install. For example, if you install three valid license keys that each enable 100 workstations for UNIX login access, you have a total of 300 workstation login licenses available. Each license you purchase has a 24-character registration key that specifies:
The type of license granted by the key.
The total number of computers that may be enabled under this key's license. If this is an evaluation key, the number of computers is unlimited, but the license count is displayed as zero (0) to indicate no computers are licensed under the evaluation key.
The time limit for the key. If the license is a permanent license key, the time limit is not applicable. If the license is an evaluation key, the time is set to 30 days.
Because each license key specifies a set number of computers, it's common to receive multiple license keys. You can provide these license keys when you install Centrify DirectControl on Windows or after installation using the Centrify DirectControl Administrator Console. For information about using the Centrify DirectControl Administrator Console to add licenses, see Adding license keys on page 227.
use those additional containers to control who can use which license keys. For example, you may want to create one license container for application servers and another for workstation licenses. You can then set permissions on the container objects to prevent the workstation administrators from installing the application server license keys and the application server administrators from installing the workstation license keys in their respective containers. To add a new license container object:
1 Open Centrify DirectControl Administrator Console.
2 In the console tree, right-click Centrify DirectControl, then click Create.
of object to create, and type a name for the new license container object and click OK.
7 Click OK to close the Browse for container dialog box.
8 When prompted to confirm the creation of the container object,
you give the Modify License permission to can then add license keys to the new license container.
and, if needed, the user credentials for connecting to the domain controller, then click OK.
3 In the console tree, select Zones to display the list of zones.
4 Select a zone and right-click, then click Properties.
5 On the General tab, select a specific Licenses container from the list of available License containers for the zone to use, then click OK. For example:
For more information about setting zone properties, see Managing zones on page 55.
To see a summary of the licenses you have installed and activated, including the type of license, the number of computers covered by the license, and the number of licenses currently being used:
1 Open Centrify DirectControl Administrator Console.
2 In the console tree, right-click Centrify DirectControl, then
licenses installed in all of the license containers defined in the forest. The Computers section lists the total number of UNIX shell workstation and server licenses you have installed and activated with licensing keys. Because the number of UNIX shell licenses includes workstations and servers, the Licensed value represents the maximum number of computers authorized to join Active Directory domains in the current forest if All license containers is selected. The number of Used licenses indicates the number of computers currently joined to Active Directory domains that allow access to a UNIX shell or applications.
The Applications section lists the total number of application licenses of each application type you have installed and activated with licensing keys. The number of Used licenses indicates the number of computer accounts for which you have enabled access to applications. If you want to see licensing information for a specific license container, select the container from the list of available License containers. For example:
Select a specific license container to view only information about the licenses in that container
If you select a specific license container, the Licensed value only represents the number of licenses available in the selected container and the number of Used licenses only represents the licenses used in the zones that are associated with the selected container.
license containers.
5 In the License keys section, click Add.
6 Type the new license key, then click OK.
7 Click the Summary tab to view the installed licenses. Note that license keys are Licensed, that is, available to be used, until you begin adding computers to the domain.
8 Click OK.
Chapter 11
Directory forest and to verify which users have permission to perform specific tasks. Reports can help simplify accounting and auditing of user access and provide the information you require for capacity planning and regulatory compliance. For any report you create you can choose different ways to filter, group, sort, and format the information included. You can also choose to save reports in different file formats so they can be displayed on web sites or imported into other programs.
The default report definitions provide the following information if you run them unmodified:
This predefined report: Includes this information by default
Authorization Report for Computers: Lists each computer in the zone and indicates which users are allowed to access each computer. The report includes details from the user's UNIX profile for each user listed, including the user's Active Directory user name, UNIX user name, zone, UID, shell, home directory and primary group.
Lists each user account in the zone and includes details from the user's UNIX profile for each user listed, including the user's UNIX user name, zone, UID, shell, home directory and primary group.
Computers Report: Lists computer account information for each computer in each zone, including the computer account name in Active Directory, the computer's DNS name, the computer's operating system, and the version of the Centrify DirectControl Agent installed on the computer, if available.
Groups Report: Lists group information for each group in each zone, including the Active Directory group name, the UNIX group name, the UNIX group identifier (GID), and whether the group is an orphan.
Lists the computers that have been licensed for each type of license. With this report, you can see which computers have been licensed as UNIX workstations and which are licensed as application servers.
Lists the number of application, computer, and evaluation licenses you have installed and activated with licensing keys, including the total number of each license type, the number of licenses in use, and the number of licenses still available.
Lists account details for the users that have UNIX profiles in each zone. The report includes the Active Directory display name, the Active Directory logon name, the Active Directory domain for the account, and details about the account status, such as whether the account is configured to expire, locked out, or disabled, and the date and time of the account's last logon.
Lists the privileged commands that each user has permission to run and the scope to which the user's rights apply. The report is sorted by user name and zone for the zones where rights and roles are enforced.
Lists the role assignments for each user in each zone. The report includes the domain name, user profile name, the list of roles the user is assigned to in each zone, and the scope to which the user's role assignment applies.
Users Report: Lists information from the UNIX profile for each user in each zone. The report includes the user's Active Directory user name, UNIX user name, UID, shell, home directory and primary group.
Lists the administrative tasks for each zone and the users or groups that have been delegated to perform each task. This report indicates which users or groups have permission to perform specific tasks, such as add groups, join computers to a zone, or change zone properties.
Zones Report: Lists the zone properties for each zone. The report includes the zone name, list of available shells, the default shell, the default home directory path, the default primary group, the next available UID, reserved UIDs, the next available GID, and reserved GIDs.
234
Administrators Guide
retrieve results, then click Current. For example, to retrieve the current information for the Users Report, expand the Users Report report definition, then click Current. Depending on the report definition, the results may be nested under the Current node. For more information about viewing results in the Centrify DirectControl Administrator Console, see Viewing current or saved results in the console on page 236. For information about generating report output from the results, see Generating a report from current or saved results on page 237.
right-click, then click Take a Snapshot. For example, to take a snapshot of the results of the User Account Report, select the User Account Report report definition, then click Take a Snapshot.
Select a zone to see the zones users displayed in the results pane
You can then select a zone to see user information for that zone displayed in the results pane.
You can also select an individual user in the results pane, right-click, and select a user-related task to perform.
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Expand the report definition for the type of report you want to generate. For example, to run the Users Report, expand the Users Report report definition. For example:
previously retrieved results, right-click, then click Display Report. For example:
Note
In most cases, reports only include information for the zones you have currently open. For best performance, close the zones you are not interested in reporting on before generating reports.
From this window you can customize the report format, save the report as a specific type of document, email the report to another person, or print the report.
is grouped or to add grouping criteria. To add grouping criteria, select a property from the Group based on selected properties list and either Ascending or Descending order, then click Add.
To remove grouping criteria, select a property in the Group by list, then click Remove. To change the order in which grouping is done when grouping by more than one property, select a property in the Group by list, then click Move up or Move down. For example, you can group computers by zone, then within each zone by agent version number:
Note
The specific properties you can use to base grouping on depend on the properties included in the report. To change the properties included in a report, use the Modify Report Wizard.
3 Click the Sort tab to change how the information in the report is sorted or to add sorting criteria. To add sorting criteria, select a property from the Sort based on these criteria list and either Ascending or Descending order, then click Add. To remove sorting criteria or change the sort order for a sort criterion, select a property in the Sort by list, then click Remove.
To change the order in which sorting is done when sorting by more than one property, select a property in the Sort by list, then click Move up or Move down. For example, you can sort results by zone name in ascending or descending order:
Note
The specific properties you can use as sorting criteria depend on the properties included in the report. To change the properties included in a report, use the Modify Report Wizard.
report. To remove a property from the report, clear the Column checkbox. To change the display name or column width for a property, select the property name, then type a new column name or set a new column width. To change the column order from left to right, select the property name, then click Move up to shift a column to the left or Move down to shift a column to the right.
For example, check the properties you want to include in the report and uncheck the properties to exclude. If you include a property in the report, you can also specify the display name for the column and the column width:
Note
The specific properties you can choose to display or remove depend on the properties included in the report. To change the properties included in a report, use the Modify Report Wizard.
5 Click the Font & Color tab to change the fonts and colors used in the report. Select a report attribute from the list of Display items, then select a font family, size, style, and colors to use for the selected attribute.
For example, to change the color of a table or group header, select the Table Header or Group Header, then select the Foreground and Background colors to use:
select the type of document to save the report as. You can save the report to any of the following formats: HTML Document
Chapter 11 Generating predefined and custom reports
Save to save the report in the selected format. Although you can save a generated report as an XML document and report definitions are XML documents that can be imported and exported from one Centrify DirectControl Administrator Console to another, you cannot use the generated report output as a new report definition or import generated reports into the Centrify DirectControl Administrator Console. To share reports with other administrators, you must export the report definition to XML. Other administrators can then import your report definition and generate their own reports from the imported report definition.
to set page margins or printing options or Report > Print Preview to preview the report output.
2 Click Report > Print to print the report on the default printer.
folder.
Next. The report definition name can start with an alphabetic character or an underscore character (_), followed by any combination of alphabetic, numeric, underscore (_), hyphen (-) or spaces up to a maximum length of 64 characters. For example:
Sample Zones Report Dept-1331
5 Select the primary object you want to report on, then click Next. Selecting the primary object controls the properties that are available for reporting. For example, if you select Active Directory Users for the report, the report can include information associated with the Active Directory user account, such as the account status, password restrictions, or the user's address and telephone number. If you select Zone Users, the report can include information about the user's UNIX profile but not the Active Directory account status unless you link this criterion to the report in Step 6. The valid primary objects are:
Active Directory computer accounts
Active Directory group accounts
Active Directory user accounts
Centrify DirectControl licenses
Open zones
Zone computers
Zone groups
Zone users
Zones
For example, to report on Zones as the primary object, select Zones from the list of objects:
For a simple report that only includes the properties associated with the primary object, select No, then click Next. For a more complex report, select Yes and a criterion to use, then click Next. For example, if you want to include UNIX user information in the report, you can select Yes to add a related link, then select Zones that contain Zone Users:
The specific criteria you can choose depend on the primary object you select. For example, if you are creating a report about Zone Users, you can specify users in open zones, users in all zones, only the users that have been granted access to zone computers, or users that have permission to join a computer to the zone. Linking a primary object to other criteria makes additional properties available for inclusion in the report. For example, if you select Zone Users that are profiles of Active Directory users, you can report on properties associated with the Active Directory user account, such as the account status, the user's department, job title, or home phone number. If you select Zone Users that can access zone computers, the report can include computer account properties. You can continue adding relationship criteria to the report and clicking Next, as needed, until you have defined all of the criteria you want to use to generate the report. The specific objects and relationships you can choose depend on the primary object and each previous selection. When you are finished defining the criteria for the report, select No, then click Next.
7 For each object to be included in the report, select the specific
Select each object, then select the properties to include in the report
For example:
Select Zones to choose the zone properties to include in the report.
Select Zone Computers to choose the computer account properties to include in the report.
Select Zone Users to choose which UNIX profile attributes to include in the report.
8 Select the type of filter you want to apply, if any, then click Next. To add a filter:
Select a property for filtering. The properties you can select as filters depend on the objects and properties you selected in Step 7. For example, if you include the UNIX user name, UID, and primary group name in the report, you can filter the report using any or all of these properties.
Select the criterion to use when matching the filter string. For example, you can specify that the filter starts with, contains, is, or ends with the specified string.
Type the string you want to match, then click Add.
Add any other filters, then click Next. For example, to filter a report to include only the information for the domains whose name starts with ajax:
Click Add to add the specified criteria to the list of filters to be applied
click Next.
6 Select a new primary object to report on, if needed, then click
Next.
7 Modify any other criteria related to the primary object included
Next.
9 Modify the filters applied, if any, then click Next. For example,
report, including the properties you want to report, the display name for each column, and the column width.
7 Click the Style tab to configure the fonts and colors used in the
HTML, PDF, and Excel versions of the report. Select a document type, then click Configure.
Select a font family, size, style, and the colors to use for titles, headers, and content of the report.
folder. You can share report definitions by exporting the definition to an XML file and importing it into the Report Center on another computer or into another user's Centrify DirectControl Administrator Console. You can also export report definitions to create new reports based on existing report definitions. To export and import previously created report definitions:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, expand the Report Center node.
3 Select the report definition name that you want to export,
Save.
5 In the console tree, select the Report Center, right-click, then click Import.
6 Navigate to the appropriate directory, select the report
and right-click.
3 Select Options.
4 Click the SMTP Configuration tab.
5 Specify a valid sender's user name and email address, a recipient's user name and email address, the SMTP server name and port number for outgoing mail, and the server authentication requirements, if any, then click OK.
Chapter 12 Managing network information with NIS maps
however, you may have computers, devices, or applications that require access to a NIS server. For example, you may have legacy systems with operating systems that the Centrify DirectControl Agent doesn't support or applications that send requests directly to the NIS port and expect a NIS process to be listening there. For computers and applications that submit lookup or authentication requests directly to a NIS server on the NIS port, Centrify DirectControl provides its own Network Information Service. The Centrify DirectControl Network Information Service (adnisd) is a separate process that can be installed on any computer that has the Centrify DirectControl Agent installed. Once this separate service is installed, if a legacy system needs to authenticate a user or look up network information, it sends a NIS client request to the Centrify DirectControl Network Information Service listening on the NIS port. The Centrify DirectControl Network Information Service responds using the information stored in a local cache of data that is generated from the information stored in Active Directory. In this way, the Centrify DirectControl Network Information Service can be used to service agentless authentication requests from computers or devices where the Centrify DirectControl Agent itself cannot be installed. If you want to use the Centrify DirectControl Network Information Service to service NIS client requests, you need to:
Identify the zones for which you want to publish information. For example, if you want user and group information broadly available to NIS clients across the network and you have a master zone, you may want to allow agentless authentication for all of the users in that zone. If you want to strictly control which users can be authenticated to NIS clients, you may want to use the Zone Generator to populate a separate agentless-authentication zone that only contains those users and their groups.
For each zone that supports agentless authentication, specify the Active Directory attribute for storing the password hash.
Identify the computer(s) that should service NIS client requests in each zone. You can designate any computer that has the Centrify DirectControl Agent installed to also act as the Centrify DirectControl Network Information Server in the zone. Any computer you want to use as the NIS server must be joined to an Active Directory domain.
Install and configure the Centrify DirectControl Network Information Service on the selected computers in each zone.
Configure clients to use the Centrify DirectControl Network Information Service on the selected computers in each zone.
Import and enable the users and groups who need to be authenticated to NIS clients for the zone. You can migrate this information from existing NIS servers or local configuration files by importing passwd and group NIS maps or local /etc/passwd and /etc/group files using the Import from UNIX wizard as described in Using the Import from UNIX wizard on page 103, or you can create UNIX profiles for users and groups, as needed. The users and groups must have UNIX profiles stored in Active Directory and enabled for the local computer's zone for the Centrify DirectControl Network Information Service to generate the maps it needs to service agentless authentication and lookup requests from NIS clients.
Import and manage any additional NIS maps you want to make available to NIS clients. For example, you can import network maps such as netgroup and automount NIS maps or create custom maps using the Centrify DirectControl Administrator Console.
Note
Importing existing NIS maps simply provides a mechanism for migrating information to Active Directory. Once the information is stored in Active Directory, any original NIS maps you imported are no longer used. Instead, the Centrify DirectControl Network Information Service uses the information stored in Active Directory to automatically generate the maps it needs to service authentication and lookup requests. This local cache of data is updated at a regular interval.
storing the password hash for users and the NIS domain name to use for the zone. For example, if you want to create a new zone, you would follow the steps described in Creating a new zone on page 57 and check the Support agentless client option, then select an attribute such as altSecurityIdentities for the password hash, and type the NIS domain name to use:
Check this option, then select an Active Directory attribute for the password hash and type the NIS domain name
The Active Directory attributes you can choose for storing the password hash depend on the Active Directory schema you are using and the zone type. The supported attributes for storing the password hash are:
altSecurityIdentities
msSFU30Password
unixUserPassword
The computer account acting as a NIS server for the zone must be able to read the attribute containing the password hash for agentless authentication to be successful. For information about granting a computer account access to the attribute that stores the password hash, see Selecting a computer to service NIS client requests on page 258.
Setting the NIS domain name
By convention, the zone name is most commonly used as the NIS domain name because this makes it easy to identify the scope of the
information available to NIS clients. You can specify a different name if you choose. If you dont specify the NIS Domain name in the zone properties, the zone name is used by default. Whether you use the zone name or another name, you need this information to configure the NIS clients. For more information, see Configuring the NIS clients on page 268.
Check this option to identify a computer allowed to respond to NIS client requests in the zone
Selecting the Allow this computer to respond to NIS client requests option adds the computer account to the zone_nis_servers Active Directory group to ensure the computer has the appropriate permissions to authenticate users in response to NIS client requests. When computer accounts are placed in the zone_nis_servers group, they are granted permission to read the attribute that stores the password hash for users in the zone.
Although this setting enables the computer account to access the password hash, you must manually install and start the Centrify DirectControl Network Information Service on the physical computer before the computer can act as a NIS server.
Regardless of the password synchronization service you choose to use, the service must be installed on all domain controllers in the Active Directory domain where you are enabling agentless authentication.
license agreement, select I accept the terms of the license agreement, then click Next.
6 Type your name and company, select who should be able to use
Once installed, the Centrify DirectControl Password Synchronization program generates the initial password hash when users next change their password, then updates the password hash at each password change thereafter. The password hashes are created using traditional DES crypt with a two-character salt. Note that this scheme hashes only the first eight characters of a password and is weak by modern standards, which is one more reason to restrict which clients may query the NIS server (see the nisd.securenets parameter later in this chapter). If the password hash is stored in the altSecurityIdentities attribute, it has a prefix of cdcPasswordHash, for example, cdcPasswordHash:VkievQ69VhYKc. If the password hash is stored in one of the other supported attributes, it is stored without a prefix. When a user changes his or her Active Directory password, the Centrify DirectControl Password Synchronization program discovers the zones to which that user has access and updates the appropriate attribute that holds the password hash for that user in each zone.
Note
The initial password hash is only generated when the user changes his password. You may want to force users to change their password at the next logon to get the password set at the earliest
opportunity. Client authentication requests may fail for users who do not have a password hash available. If the password hash field in the passwd.byname or passwd.byuid map displays a single exclamation point (!), it indicates that the users password hash has not been set.
Using a Microsoft password synchronization service
If you choose to use one of the password synchronization services provided by Microsoft instead of the Centrify DirectControl Password Synchronization program, follow the instructions provided with the software to install the service. In general, you need to do the following to use the Microsoft password synchronization services: Set the Windows domain to the domain you joined after installing the Centrify DirectControl Agent. Set the NIS domain name to the zone name you specified when you joined the domain. For example, if you are using the default zone, set the NIS domain to default. Set the NIS Server name to the host name of the computer running both the Centrify DirectControl Agent (adclient) and the Centrify DirectControl Network Information Service (adnisd). Give user accounts access to the zone and NIS domain. If you are using the Microsoft Windows Services for UNIX, you need to make this setting by selecting the zone name from the list of NIS domains on the UNIX Attributes tab.
Note
The rest of the fields on the UNIX Attributes tab are not used by Centrify DirectControl, but you are required to enter information for these fields to enable the NIS domain for the user. Therefore, you should specify a UID, Login shell, Home directory, and Primary group for the user account, then click OK.
verify the Centrify DirectControl Agent is installed and the local computer is joined to a domain. For example, run the adinfo command to verify the local computer has the Centrify DirectControl Agent installed, is joined to a domain, and can connect to Active Directory:
su
Password:
adinfo
Local host name:
Joined to domain:
Joined as:
Current DC:
Preferred site:
Zone: ajax.org/Program Data/Centrify/Zones/default
Last password set: 2006-12-28 14:47:57 PST
CentrifyDC mode: connected
environment from the Centrify DirectControl CD or a download directory to a local directory. For example, if the operating environment is Solaris 9 SPARC:
cp /tmp/centrifydc-nis-release-sol8-sparc-local.tgz .
If you arent sure which file to use for the local operating environment, see the release-notes text file included in the package.
3 If the software package is a compressed file, unzip and extract
If you arent sure about the command to use for the local operating environment, see the release-notes text file included in the package. If you are using an installation program not described in the release-notes text file, such as SMIT or YAST, see the documentation for that program.
All other NIS client requests are ignored. For example, if you want to restrict NIS requests to a single trusted subnet of computers, such as the 172.68.0.0 subnet, you can edit the nisd.securenets configuration parameter in the /etc/centrifydc/centrifydc.conf file to include a line similar to the following:
nisd.securenets: 172.68.0.0/255.255.0.0
Each entry is a network address and a netmask separated by a slash; a client is accepted when its address, masked with the netmask, equals the network address. You can specify multiple subnets by separating the entries with a comma or a space. For example:
nisd.securenets: 172.68.0.0/255.255.0.0,196.48.0.0/0
Be aware that a netmask of 0 matches every address, so the second entry in that example accepts requests from any client, not only from 196.48.0.0; check each entry's mask before relying on it as an access control. To accept NIS client requests from any computer deliberately, you can set the nisd.securenets configuration parameter as follows:
nisd.securenets: 0/0
For more information about restricting the computers sending NIS client requests using configuration parameters, see the Configuration Parameters Reference Guide.
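The following is an added example, not Centrify code: it evaluates a nisd.securenets-style value against a client address so you can check what a setting actually admits before deploying it. It assumes the standard securenets semantics (client address AND netmask must equal the network address) and treats a bare integer after the slash as a prefix length, since the guide only shows the 0/0 form; neither assumption has been verified against adnisd itself.

```python
"""Evaluate nisd.securenets-style client filters (added example, not Centrify code)."""
import ipaddress


def _addr(text: str) -> int:
    """Dotted quad, or a bare integer as in the guide's wildcard form 0/0."""
    text = text.strip()
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    return int(text)


def _mask(text: str) -> int:
    """Dotted netmask; a bare number is treated as a prefix length (assumption)."""
    text = text.strip()
    if "." in text:
        return int(ipaddress.IPv4Address(text))
    return int(ipaddress.IPv4Network(f"0.0.0.0/{int(text)}").netmask)


def parse_securenets(value: str):
    """Parse 'net/mask[, net/mask ...]' (comma or space separated) into (network, mask) ints."""
    entries = []
    for token in value.replace(",", " ").split():
        net, mask = token.split("/", 1)
        entries.append((_addr(net), _mask(mask)))
    return entries


def client_allowed(value: str, client_ip: str) -> bool:
    """True if any entry matches: (client & mask) == (network & mask)."""
    client = int(ipaddress.IPv4Address(client_ip))
    return any((client & mask) == (net & mask) for net, mask in parse_securenets(value))


def wildcard_entries(value: str):
    """Entries whose netmask is all zeros; each of these admits every client."""
    return [(net, mask) for net, mask in parse_securenets(value) if mask == 0]


if __name__ == "__main__":
    setting = "172.68.0.0/255.255.0.0,196.48.0.0/0"   # second example from the guide
    print(client_allowed(setting, "10.1.2.3"))        # True: the /0 entry admits everything
    print(wildcard_entries(setting))                  # [(3291938816, 0)]
```

Run wildcard_entries over the value you intend to deploy; if it returns anything and you did not mean to open the server to the whole network, tighten the mask.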
For more information about customizing the interval for updating NIS maps, see the Configuration Parameters Reference Guide.
To explicitly exclude the NIS maps that should not be published, you can make a setting similar to the following in the centrifydc.conf file:
nisd.exclude.maps: group passwd
For more information about customizing the interval for updating NIS maps or customizing the NIS maps available using configuration parameters, see the Configuration Parameters Reference Guide.
Note
The adnisd process requires RPC services. If you restart RPC, you also need to restart the adnisd process.
On most other platforms, you can start the adnisd process by running the following command:
/etc/init.d/adnisd start
On Solaris 10 or later, the daemon is controlled through the Solaris Service Management Facility. For example:
svcadm enable nis/centrifydc-server
When the adnisd process starts, it connects to Active Directory through adclient and does the following:
Retrieves the current user, group, network, and custom information that's stored in Active Directory for its zone.
Generates additional maps derived from the information retrieved from Active Directory, such as the netgroup.byuser and netgroup.byhost maps generated from the netgroup map and the passwd.byuid, passwd.byname, group.byname, and group.bygid maps generated from the user and group profile information for the local computer's zone.
Stores the information retrieved or derived from Active Directory in a local cache of NIS map data.
After the initial connection, the adnisd process periodically connects to Active Directory through adclient to retrieve updated information for its zone. However, the adnisd process always responds to NIS client requests using the data in its local cache. Because this information is available in the local cache, the adnisd process can respond to NIS requests even if Active Directory is unavailable.
The client configuration instructions in this section assume that you are using the zone name as the NIS domain name. If you are not using the zone name, substitute the NIS domain name you specified when you created the zone where applicable. In addition, for more complete information about configuring NIS clients on any platform, you should consult the documentation for that platform.
remove any files in the /var/yp/binding directory. For example, run the following commands:
/sbin/service ypbind stop
rm -rf /var/yp/binding/*
2 Set the NIS domain name for the client to the zone name or NIS
For example, if you have installed the Centrify DirectControl Network Information Service on a computer in the corpHQ zone:
domainname corpHQ
Centrify DirectControl zone and the name of the computer where the Centrify DirectControl Network Information Service is installed.
domain zonename server hostname
For example, edit the /etc/yp.conf to include a line similar to the following:
domain corpHQ server localhost
Note
If your NIS clients are configured for broadcast discovery, you can typically skip this step.
4 Start the ypbind service. On Red Hat Linux, you can start the service by running the following command:
/sbin/service ypbind start
On Debian 3.1, you can start the service by running the nis script. The operation of the nis script is controlled with the file /etc/default/nis. By default, the script starts the NIS client, ypbind. For example, run the following command:
/etc/init.d/nis start
On SuSE Linux 9.3 Professional, you can start the service by running the following command:
/etc/init.d/ypbind start
example:
passwd: compat
group: compat
shadow: compat
computer to restart all services. The most common services you should restart are:
autofs
NSCD
cron
sendmail
remove any files in the /var/yp/binding directory. For example, run the following commands on Solaris 8 or 9 (pkill stops the daemon by name; kill alone expects a process ID):
pkill ypbind
rm -rf /var/yp/binding/*
2 Set the NIS domain name for the client to the zone name of the
For example, if you have installed the Centrify DirectControl Network Information Service on a computer in the corpHQ zone:
domainname corpHQ
-c command and enter the name of the computer where the Centrify DirectControl Network Information Service is installed.
Note
This step is not required if you want to use the broadcast option to locate the server when you run the ypbind command. You must use the ypinit command, however, if your network topology would prevent a broadcast from reaching the desired servers. For example, if the router does not transmit broadcasts across subnets, you can use the ypinit -c command to specify a server on a different subnet.
4 Start the ypbind service. On Solaris, you can start the service by running:
/usr/lib/netsvc/yp/ypbind
If you are using the broadcast option to locate the server, you must start the service with the broadcast option. For example:
/usr/lib/netsvc/yp/ypbind -broadcast
example:
passwd: compat
group: compat
shadow: compat
computer to restart all services. The most common services you should restart are:
autofs
NSCD
cron
sendmail
remove any files in the /var/yp/binding directory. For example, run the following commands:
/sbin/init.d/nis.client stop
rm -rf /var/yp/binding/*
to set NIS_CLIENT to 1 and NIS_DOMAIN to the name of the Centrify DirectControl zone. For example:
NIS_CLIENT=1
NIS_DOMAIN="zone-name"
the YPSET_ADDR variable to the IP address of the computer where the Centrify DirectControl Network Information Service is installed. For example:
YPBIND_OPTIONS="-ypset"
YPSET_ADDR="15.13.115.168"
Note
This step is not required if you want to use the broadcast option to locate the server when you run the ypbind command.
4 Set the NIS domain name for the client to the zone name of the
5 Start the ypbind service. On HP-UX, you can start the service
by running:
/sbin/init.d/nis.client start
example:
passwd: compat
group: compat
shadow: compat
computer to restart all services. The most common services you should restart are:
autofs
NSCD
cron
sendmail
remove any files in the /var/yp/binding directory. For example, run the following command:
stopsrc -s ypbind
If the computer is not already a NIS client, you can use the System Management Interface Tool (smit) and the mkclient command to add the NIS client service to the computer.
2 Open the /etc/rc.nfs file and verify that the startsrc
3 Set the NIS domain name for the client to the zone name of the
4 Start the ypbind service. On AIX, you can start the service by
running:
startsrc -s ypbind
example:
passwd: compat
group: compat
shadow: compat
computer to restart all services. The most common services you should restart are:
autofs
NSCD
cron
sendmail
To test that the client can connect to the Centrify DirectControl Network Information Service, you may want to run one or more NIS client request commands. For example, you may try the following commands:
ypwhich
ypwhich -m
ypcat -k mapname
At a minimum, you should see the passwd.* and group.* map names followed by the name of the computer you are using as the NIS server. For example, if the computer running the Centrify DirectControl Agent and Centrify DirectControl Network Information Service is iceberg-hpux, you should see output similar to this:
passwd.byuid iceberg-hpux
passwd.byname iceberg-hpux
group.byname iceberg-hpux
group.bygid iceberg-hpux
These passwd.* and group.* maps are automatically generated based on the information stored in Active Directory for the zone.
These maps include all of the Active Directory users and groups that have been granted access to the zone. You can view information from any of these maps using a command such as:
ypcat passwd.byname
In this example, the user paul has a password hash, but the users mlopez and jsmith do not have password hashes. If a user account is a new account and no password hash is available, the Centrify DirectControl NIS server sets the password hash field for the user's account to ! until the user sets a password. For example, you may see this for users who have not yet generated an initial password hash until they next set their Active Directory password and have the password hash generated. If a user's Active Directory account is disabled, locked, requires a password change, or is not enabled for a zone, the Centrify DirectControl NIS server sets the password hash field for the user's account to !! until the account is enabled, reset, or updated with a new password.
Note
On some platforms, you may see ABCD!efgh12345$67890 as the password hash for users who need to set their password.
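As an added example (not Centrify code), the script below reads passwd.byname output of the kind shown above and classifies each account by the state of its password-hash field, so an administrator can list the users who will fail agentless authentication before clients start complaining. The sample map lines are constructed for this example; the user names and UIDs are not from a real system. It also strips the cdcPasswordHash: prefix described for the altSecurityIdentities attribute, in case the value was read straight from Active Directory rather than from the map.

```python
"""Classify ypcat passwd.byname entries by password-hash state (added example, not Centrify code)."""
import re

# Traditional DES crypt output: 2-character salt followed by 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
PLACEHOLDER = "ABCD!efgh12345$67890"   # shown on some platforms for users who must set a password
AD_PREFIX = "cdcPasswordHash:"          # prefix used when the hash lives in altSecurityIdentities

# Constructed sample output of `ypcat passwd.byname`; not captured from a real server.
SAMPLE_MAP = """\
paul:VkievQ69VhYKc:10001:10001:Paul Example:/home/paul:/bin/bash
mlopez:!:10002:10001:Maria Lopez:/home/mlopez:/bin/sh
jsmith:!!:10003:10001:J Smith:/home/jsmith:/bin/bash
rkim:ABCD!efgh12345$67890:10004:10001:R Kim:/home/rkim:/bin/ksh
"""


def classify_hash(field: str) -> str:
    """Map the password field of one passwd entry to a named state."""
    if field.startswith(AD_PREFIX):
        field = field[len(AD_PREFIX):]
    if field == "!":
        return "no-hash-yet"            # initial hash not generated: user must change AD password
    if field == "!!":
        return "account-unavailable"    # disabled, locked, must change password, or not enabled for zone
    if field == PLACEHOLDER:
        return "must-set-password"
    if DES_CRYPT.match(field):
        return "des-hash"
    return "unrecognized"


def parse_passwd_map(text: str):
    """Return {user: (hash_state, uid)} for each 7-field passwd line; skip blanks and comments."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"expected 7 colon-separated fields: {line!r}")
        name, pw, uid = fields[0], fields[1], int(fields[2])
        result[name] = (classify_hash(pw), uid)
    return result


def users_without_usable_hash(text: str):
    """Users whose NIS clients cannot currently authenticate them."""
    return sorted(u for u, (state, _) in parse_passwd_map(text).items() if state != "des-hash")


if __name__ == "__main__":
    for user, (state, uid) in parse_passwd_map(SAMPLE_MAP).items():
        print(f"{user:10} uid={uid} {state}")
    print("cannot authenticate:", users_without_usable_hash(SAMPLE_MAP))
```

To run it against a live server, replace SAMPLE_MAP with the output of ypcat passwd.byname; the "no-hash-yet" users are the ones to force through a password change so that the Password Synchronization program writes an initial hash.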
Using the Centrify DirectControl Administrator Console, you can: Import network information from standard NIS maps, such as automount, automaster, and netgroup databases. Create new network maps. Create custom maps of information in key/value pairs.
NIS Extensions are installed by default when you run the setup program. If you did not select this option, re-run the setup program and select the Centrify DirectControl Administrator Console > NIS Extensions component. If you have the NIS Extensions installed, you should see the NIS Maps node under each zone. For example:
You should see NIS Maps if you have the NIS Extensions installed
Import Maps.
domain or import the information from a text file, then click Next. If you are importing maps directly from an NIS server, type the name of the NIS domain and server. If you are importing a map from a text file, click Browse to navigate to the map file you want to import. If Centrify DirectControl can connect to the NIS server and domain, you can import the NIS maps directly from the server. If Centrify DirectControl cannot connect to the NIS server, you should export the NIS map to a text file and then import the information from the text file.
5 Select the NIS maps to import if you are importing directly from an existing NIS server, or type a map name and describe the file format if importing from a file, then click Next. If you are importing from a text file, you need to specify:
Map name that describes the type of map being imported.
Character used to separate fields in the map file.
Column number that defines the start of the key field.
Whether to include comments and the character used to designate comment lines.
For Centrify DirectControl to correctly interpret the map file, you need to provide the correct information about the file format, such as the type of separator used between fields. Because the NIS server does not include comments in response to service requests, you cannot import comments in NIS maps if you import directly from the NIS server and domain. If you want to import comments recorded in NIS maps, you must save the map to a text file and import from the file.
6 When the import is complete, click Finish.
7 After importing NIS maps, restart the adnisd service.
autoMount map
autoMaster map
Console, select the new empty map, right-click, then click New to add a new individual map record.
The file format and the fields used in individual map records depend on the type of map you are working with.
If the map is netgroup, do this to add new records:
To create a new group: Click New > netgroup. Type a group name and optionally any comments, then click OK.
To add members to the new group: Select the group name and right-click. Select Add Member > Entry to add a user, computer, and domain to the group, or select Add Member > netgroup to add an existing group as a member of the selected group. For more information about defining fields in netgroup records, see the netgroup man page.
If the map is autoMount, do this to add new records:
To create a new automount record: Click New > Map entry. Type the Name to use for mounting a directory. Type the Network path that specifies the absolute path to the directory to be mounted. You can also specify mount command line Options or Comments. These fields are optional. For more information about defining fields in automount records, see the automount man page.
If the map is autoMaster, do this to add new records:
To create a new automaster record: Click New > Map entry. Type the Mount point used. Type the Map name to be consulted for the specified mount point. You can also specify mount command line Options or Comments. These fields are optional. For more information about defining fields in automaster records, see the automaster man page.
5 In the details pane, select the new map, right-click, then click
adding, then click OK. For example: Type the Key to use in a client request for looking up the corresponding value. Type the Value associated with the key. Type any optional Comments for the key/value pair. For example:
name you want to change. For example, if you have created a map named nethosts, select the nethosts map.
Chapter 12 Managing network information with NIS maps
4 Right-click, then click Change Type and select the correct map type. For example, if the records in the nethosts map should consist of a Key, a Value, and an optional Comment, select Generic Map as the map type.
Note
If records have already been defined for the map using the incorrect map type, in most cases, you will need to modify the fields after changing the map type.
want to modify.
4 Right-click, then click Properties to modify the fields for the
want to remove.
4 Right-click, then click Delete to remove the map from Active Directory.
Chapter 13
primarily intended for Centrify DirectControl experts and technical staff. In most cases, you should only enable logging when you need to troubleshoot unexpected behavior, authentication failure, or problems with connecting to Active Directory or when requested to do so by Centrify Technical Support. Other troubleshooting tools, such as command line programs, can be used at any time to collect or display information about your environment.
When you run the Analyze command, only the zones that are open are checked. To check for problems with Centrify DirectControl information in the Active Directory forest:
1 Open the Centrify DirectControl Administrator Console.
2 If you are prompted to connect to a forest, specify the forest
5 Select the types of checks you want to perform, then click Next. The checks you can select include the following:
Empty zones
zone that supports agentless authentication and that the group contains all the NIS servers that have been defined for the zone. The zone_nis_servers group is required to assign permissions to DirectControl-managed computers that act as NIS servers, and should not be manually deleted or modified. This option checks that the group exists and includes all of the computers acting as NIS servers to ensure data integrity.
Insufficient permission for agent version upgrade
Check whether the computer object in Active Directory has sufficient permission to update the version number property of the Centrify DirectControl Agent in the computer's serviceConnectionPoint object. If the computer object does not have permission to change this property, the version number cannot be displayed.
Check whether the computer object has sufficient permission to update its operating system property.
Check for UNIX profile objects that have no parent objects because the parent object has been deleted. For example, if you delete a zone but do not delete the users, groups, or computers that were part of that zone, some UNIX data will be left in Active Directory. This option removes any UNIX-specific data left in Active Directory after the parent was deleted.
Check for zone information created in another zone's parent container.
Check for zone information stored in an obsolete Centrify DirectControl zone format.
Zoneless computers
Check for computer objects that have Centrify DirectControl information associated with them but do not belong to any zone.
6 Review the result summary, then click Finish.
7 If the result summary indicates any issues, you can view the details by selecting Analysis Results in the console tree and viewing the information listed in the right pane. For example:
For additional information, select the warning or error, right-click, then select Properties. For example:
The following table describes the warnings and errors you may see in the Analysis Results after running the Analyze wizard and how to resolve potential issues.
Check: Computers joined to multiple zones
Result: If there are any computers joined to multiple zones, an error is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if an administrator runs adleave with the --force option, then runs adjoin to join the computer to a different domain without removing the old computer profile from Active Directory. You should identify the appropriate zone for the computer, then use the Centrify DirectControl Administrator Console to delete the computer profile from any additional zones.

Check: Duplicate groups in zone
Result: If there are any duplicate groups in a zone, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate group profile to be added to a zone. For example, if two administrators add the same group to a zone using different domain controllers, there will be duplicate group profiles after the domain controllers complete replication. You should use the Centrify DirectControl Administrator Console or ADSI Editor to delete the duplicate group profiles from the zone.

Result: If any duplicate service principal names (SPNs) are found for users or computers in the forest, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. Right-click the warning and click Properties to identify the duplicate SPN. Open the account properties for the user or computer and modify or remove the duplicate servicePrincipalName value.

Result: If there are any duplicate users in a zone, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate user profile to be added to a zone. For example, if two administrators add the same user to a zone using different domain controllers, there will be duplicate user profiles after the domain controllers complete replication. You should use the Centrify DirectControl Administrator Console or ADSI Editor to delete the duplicate user profiles from the zone.

Result: If more than one DirectControl SFU zone is found in the forest, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. Because a DirectControl SFU zone is associated with an Active Directory SFU schema extension, there should be a maximum of one SFU zone in an Active Directory forest. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate. You should use the Centrify DirectControl Administrator Console or ADSI Editor to delete any duplicate SFU zones.

Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate default container for new zones. Having more than one default parent container for zones can result in an unexpected default value in the Create New Zone wizard. You should use the ADSI Editor to delete any duplicate Zones parent containers from the forest.

Check: Empty zones
Result: If any zone does not contain users, groups, or computers, a warning is displayed for each type of object. For example, if a zone has computers and groups, but no users, only the user warning is displayed for that zone.
Responsive action: No responsive action can be taken directly within the Analysis Results for these issues. In general, this issue occurs early in a deployment before you have populated zones. You should use the Centrify DirectControl Administrator Console to add missing objects to the zone. If the empty zone is not a valid zone, right-click the zone and select Delete.

Check: Inconsistency in granting NIS server group permissions
Result: If the Active Directory group zone_nis_servers is not found in a zone configured for agentless authentication, an error is displayed.
Responsive action: Right-click the error in the Analysis Results, then select Create NIS servers group to create the zone_nis_servers group for agentless authentication. Note that your account must have permission to create this object for the operation to be successful.
Result: If the membership of the zone_nis_servers group is not consistent with the computers authorized as NIS servers, a Membership inconsistent error is displayed.
Responsive action: Right-click the error in the Analysis Results, then select Fix group membership to modify the membership list for the zone_nis_servers group.
Result: If a zone is configured to support agentless authentication and the zone_nis_servers group exists but does not contain all computers in the zone, an informational alert is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for these issues. You should verify that all of the computers you want to use as NIS servers in the zone are configured to allow agentless authentication.

Check: Insufficient permission for agent version upgrade
Result: If a computer account does not have permission to write to the keywords attribute, an error is displayed.
Responsive action: Right-click the error in the Analysis Results, then select Grant permission to computer account to update the permissions on the computer account object.

Check: Insufficient permissions for OS upgrade
Result: If a computer account does not have permission to modify operating system properties, a warning is displayed.
Responsive action: Right-click the error in the Analysis Results, then select Grant computer permission to modify operating system properties to update the permissions on the computer account object.

Result: If a zone was created using the DirectControl 2.x console and includes a Private Groups container, a warning is displayed.
Responsive action: If any computers in the zone are running DirectControl 2.x or 3.x agents, you should ignore this warning to ensure compatibility for those agents. If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove privateGroupCreation attribute to update the zone format.

Result: If a computer profile was created using the DirectControl 2.x console, the warning Unix computer is in old format is displayed.
Responsive action: If any computers in the zone are running DirectControl 2.x or 3.x agents, you should ignore this warning to ensure compatibility for those agents. If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy and unix_enabled attribute to update the computer profile in the zone.

Result: If a group profile was created using the DirectControl 2.x console, the warning Unix group is in old format is displayed.
Responsive action: If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy attribute to update the group profile in the zone.

Result: If a user profile was created using the DirectControl 2.x console, the warning Unix user is in old format is displayed.
Responsive action: If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy and app_enabled attribute to update the user profile in the zone.

Result: If a computer, group, or user profile exists, but no corresponding Active Directory computer, group, or user object is found, the warning Orphan UNIX data object is displayed.
Responsive action: In general, this issue occurs if an administrator removes an Active Directory computer, group, or user object manually using ADSI Editor or Active Directory Users and Computers but the corresponding data is not removed for the UNIX profile. Right-click the warning in the Analysis Results, then select Remove orphan profile to remove all of the UNIX properties associated with the orphan profile.

Result: If a computer, group, or user profile has inconsistent links, an informational Inconsistent links alert is displayed.
Responsive action: Computer, group, and user profiles are associated with Active Directory computer, group, and user objects through either the managedBy attribute (DirectControl 2.x) or a parentLink value in the keywords attribute (DirectControl 3.x and later). If the links refer to different Active Directory objects, you will see this alert. Right-click the alert in the Analysis Results, then select Overwrite with the active link to remove outdated links.

Result: If a computer, group, or user profile does not have a parentLink value defined, a Missing parentLink warning is displayed.
Responsive action: Right-click the warning in the Analysis Results, then select Missing parentLink to add the parentLink value to the keywords attribute.

Check: Zone created under another zone
Result: If the parent container for a zone is another zone object, an error is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for these issues. You should move the zone to another parent container or delete and recreate the zone in a different location.

Check: Zoneless computers
Result: The computer ObjectName contains Centrify information but it is not in a zone.
Responsive action: Right-click the warning in the Analysis Results, then select Move to Zone to search for and select the zone you want to place the computer in.
Note
addebug
You must type the full path to the command because it is not included in the path by default.
Once you run this command, all of the Centrify DirectControl activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging on, the addebug program records messages from PAM and NSS requests in the /var/centrifydc/centrify_client.log file. Therefore, you should also check that file location if you enable logging. For performance and security reasons, you should only enable Centrify DirectControl logging when necessary, for example, when requested to do so by Centrify Technical Support, and for short periods of time to diagnose a problem. Keep in mind that sensitive information may be written to this file and you should evaluate the contents of the file before giving others access to it. When you are ready to stop logging activity, run the addebug command with the off argument:
addebug off
With this parameter, the log level works as a filter to define the type of information you are interested in and ensure that only the messages that meet the criteria are written to the log. For example, if you want to see warning and error messages but not informational messages, you can change the log level from INFO to WARN. By changing the log level, you can reduce the number of messages included in the log and record only messages that indicate a problem. Conversely, if you want to see more detail about system activity, you can change the log level to INFO or DEBUG to log information about operations that do not generate any warnings or errors.
You can use the following keywords to specify the type of information you want to record in the log file:
Specify this level  To log this type of information
FATAL  Fatal error messages that indicate a system failure or other severe, critical event. In addition to being recorded in the system log, this type of message is typically written to the user's console. With this setting, only the most severe problems generate log file messages.
ERROR  System error messages for problems that may require operator intervention or from which system recovery is not likely. With this setting, both fatal and less-severe error events generate log file messages.
WARN  Warning messages that indicate an undesirable condition or describe a problem from which system recovery is likely. With this setting, warnings, errors, and fatal events generate log file messages.
INFO  Informational messages that describe operational status or provide event notification.
then click OK. If you enable logging, the log file is located by default in the Documents and Settings\user_name\Application Data\Centrify DirectControl\Log folder and is updated as you perform different operations in the Centrify DirectControl Administrator Console.
with the -M command line option. The default size of the buffer is 128K, which should be sufficient to log approximately 500 messages. Because enabling the buffer can impact performance, you should not manually enable the circular buffer or modify its size or logging level unless you are instructed to make the changes by Centrify Support.
If the computer has joined a domain, this command displays information similar to the following:
Local host name:   magnolia
Joined to domain:  ajax.org
Joined as:         magnolia.ajax.org
Current DC:        ginger.ajax.org
Preferred site:    Default-First-Site-Name
Zone:              ajax.org/Centrify/Zones/default
Last password set: 2006-12-28 14:47:57 PST
CentrifyDC mode:   connected
domain controller is lost or the managed computer is moved to a new location on the network.
In most cases, you can verify whether a UNIX computer can locate the domain controller and related services by running the ping command and verifying connectivity to the correct Active Directory domain controller or by checking the nameserver entry in the /etc/resolv.conf file. This nameserver entry should be the IP address of one of the domain controllers in the domain you want to join. If the ping command is successful, it indicates the DNS server is aware of the Active Directory domain you want to join and no further changes are needed. If the ping command is not successful, you will need to take further action to resolve the issue.
Resolving issues in locating Active Directory domain controllers
If the UNIX computer cannot find the Active Directory domain controller, there are several ways you can resolve the issue.
Depending on your environment and specific situation, you should consider doing one of the following:
Set up DNS on the target Active Directory domain controller and then manually configure the nameserver entry in the /etc/resolv.conf file to use that domain controller, as described in Setting up DNS service on a target domain controller on page 305.
Set the Centrify DirectControl configuration file to manually identify the domain controllers you want to use, as described in Setting the domain controller in the configuration file on page 307.
Note
The specific steps for configuring the DNS server vary depending on whether you are configuring a Windows 2000 Server or a Windows Server 2003 computer. The following steps describe how to configure DNS on Windows Server 2003. If you are configuring DNS on Windows 2000, you may want to consult your Windows documentation for differences that are specific to your environment.
To configure the DNS service on a Windows Server 2003 domain controller:
1 Open the Start Menu and click Manage Your Server.
2 Click Add or remove a role, review the preliminary steps,
If this server role is already configured on this computer, you can skip the next steps and go on to Configuring UNIX to use DNS service on the target domain controller on page 307.
Configure a DNS Server Wizard. Click Next to configure the DNS server lookup zones.
5 Select the Create a forward lookup zone (recommended
domain controller's name, then click Next. In most cases, you should specify a sub-domain of the top-level domain name. For example, if the forest root domain for the organization is acme.com, you might have a sub-domain of labs.acme.com.
8 Select the Allow both nonsecure and secure dynamic
servers, then click Next. Setting at least one valid IP address ensures that any request the local DNS server cannot answer will be forwarded to a valid enterprise DNS server.
10 Click Finish to complete the configuration of the DNS server.
Once you have configured DNS on the local computer, the local computer uses the local DNS server as its primary DNS server.
Configuring UNIX to use DNS service on the target domain controller
Once you have configured the DNS service to contain the required Active Directory entries, you simply need to modify the UNIX computer to send all DNS lookup requests to the newly configured DNS server. To configure the UNIX computer to use the new DNS server:
1 Open the /etc/resolv.conf file.
2 Set the IP address of the nameserver entry to the IP address of the DNS server on the Active Directory domain controller you just configured.
For example, if you want to use Centrify DirectControl in a domain called mylab.test and the domain controller for this domain is dc1.mylab.test, you would add the following line to the /etc/centrifydc/centrifydc.conf file:
dns.dc.mylab.test: dc1.mylab.test
You must specify the name of the domain controller, not its IP address. In addition, the domain controller name must be resolvable using either DNS or in the local /etc/hosts file. Therefore, you must add entries to the local /etc/hosts for each domain controller you want to use if you are not using DNS or if the DNS server cannot locate your domain controllers.
Note
To specify multiple servers for a domain, use a space to separate the domain controller server names. For example:
dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test
Centrify DirectControl will attempt to connect to the domain controllers in the order specified. For example, if the domain controller dc1.mylab.test cannot be reached, Centrify DirectControl will then attempt to connect to dc2.mylab.test. If the Global Catalog for a given domain is on a different domain controller, you can add a separate dns.gc.domain_name entry to the configuration file to specify the location of the Global Catalog. For example:
dns.gc.mylab.test: dc3.mylab.test
You can add as many domain and domain controller entries to the Centrify DirectControl configuration file as you need. Because the entries manually specified in the configuration file override any site settings for your domain, you can completely control DirectControl's binding to the domains in your forest through this mechanism. In most cases, you should use DNS whenever possible to locate your domain controllers. Using DNS ensures that any changes to the domain topology are handled automatically through the DNS lookups. The settings in the configuration file provide a manual alternative to looking up information through DNS for those cases when using DNS is not possible. If you use the manually-defined entries in the configuration file and the domain topology is changed by an Active Directory administrator, you must manually update the location of the domains in each configuration file.
Note
Centrify DirectControl includes a fixdns script that you can use to inspect your environment and make the necessary configuration file changes for you. To run this script, you need to specify the domain controller name and IP address:
fixdns domain_controller_name IP_address
For example if you intend to join the domain mytest.lab and the domain controller for that domain is dc1.mytest.lab and its address is 172.27.20.1, you would run the following command:
fixdns dc1.mytest.lab 172.27.20.1
The fixdns script will then make the necessary changes to the /etc/hosts and the DirectControl configuration file. This script does not update the /etc/resolv.conf file. If the script cannot locate the domain controller using the existing /etc/resolv.conf settings, it will assume that you want to use settings from the configuration file.
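As an added example (not part of this guide and not Centrify's fixdns script), the following Python checks the dns.dc and dns.gc entries described above against the guide's rules, that each server is given by name rather than IP address and that every name resolves through DNS or /etc/hosts, and builds the /etc/hosts line and dns.dc entry that fixdns is described as writing. The file contents, the lab2.test domain and the pin_domain_controller helper are constructed for illustration.

```python
"""Validate the manual domain-controller entries in centrifydc.conf.

Added example, not Centrify's code.  The guide says dns.dc.<domain> and
dns.gc.<domain> entries list domain controller names (space separated,
tried in the order given), that each entry must be a name rather than an
IP address, and that every name must resolve through DNS or /etc/hosts.
The functions below parse both files, report entries that break those
rules, and build the two lines the guide attributes to fixdns (an
/etc/hosts line and a dns.dc entry).  All sample contents are constructed.
"""
import ipaddress
import re
import socket

# Constructed centrifydc.conf fragment using the guide's example names.
# The lab2.test entry deliberately breaks the "name, not IP address" rule.
SAMPLE_CONF = """\
# manual overrides for mylab.test
dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test
dns.gc.mylab.test: dc3.mylab.test
dns.dc.lab2.test: 10.0.0.9
"""

# Constructed /etc/hosts; dc2.mylab.test is deliberately absent.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
172.27.20.1  dc1.mylab.test dc1   # primary DC
172.27.20.3  dc3.mylab.test
"""

ENTRY_RE = re.compile(r"^\s*dns\.(dc|gc)\.([^:\s]+)\s*:\s*(.*?)\s*$")


def parse_dc_entries(conf_text):
    """Return {(kind, domain): [server names in preference order]}."""
    entries = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = ENTRY_RE.match(line)
        if match:
            kind, domain, servers = match.groups()
            entries[(kind, domain)] = servers.split()
    return entries


def parse_hosts(hosts_text):
    """Return {hostname: ip} from /etc/hosts-style text (comments stripped)."""
    names = {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                names[name] = fields[0]
    return names


def is_ip_address(value):
    """True when the entry is a literal IPv4/IPv6 address, which the guide forbids."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolves(name, hosts, dns_lookup=socket.gethostbyname):
    """True if name is in the hosts map or dns_lookup can resolve it."""
    if name in hosts:
        return True
    try:
        dns_lookup(name)
        return True
    except OSError:          # socket.gaierror is a subclass of OSError
        return False


def find_problems(conf_text, hosts_text, dns_lookup=socket.gethostbyname):
    """List (kind, domain, server, reason) for each entry that violates the guide's rules."""
    hosts = parse_hosts(hosts_text)
    problems = []
    for (kind, domain), servers in parse_dc_entries(conf_text).items():
        for server in servers:
            if is_ip_address(server):
                problems.append((kind, domain, server, "ip-address-not-allowed"))
            elif not resolves(server, hosts, dns_lookup):
                problems.append((kind, domain, server, "unresolvable"))
    return problems


def pin_domain_controller(dc_name, ip, domain=None):
    """Hypothetical helper: the /etc/hosts line and dns.dc entry the guide
    says fixdns writes, so an unresolvable DC can be pinned by hand."""
    domain = domain or dc_name.split(".", 1)[1]
    return f"{ip} {dc_name}", f"dns.dc.{domain}: {dc_name}"


if __name__ == "__main__":
    # Resolver stub so the demonstration does not depend on the network.
    def no_dns(name):
        raise OSError("no DNS available")

    for problem in find_problems(SAMPLE_CONF, SAMPLE_HOSTS, dns_lookup=no_dns):
        print("problem:", problem)
    print(pin_domain_controller("dc1.mytest.lab", "172.27.20.1"))
```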
Note
Select Load all zones from connected forest to load all zones in the forest. Uncheck this option to manually load zones. If you select this option, you cannot close any zones except those you opened manually (before selecting the Load all zones... option).
Select Show disabled Active Directory accounts to include disabled computer and user accounts in the Centrify DirectControl Administrator Console. Uncheck this option to hide disabled objects.
Select Show orphaned computer, user and group profiles to include users and groups that have UNIX profiles without a corresponding user or group object in the Centrify DirectControl Administrator Console. Uncheck this option to hide orphan profiles.
Set the Maximum number of items to be displayed in the list to limit the number of objects displayed in the Centrify DirectControl Administrator Console, up to the total maximum allowed (65535). This setting applies to most of the objects listed in the Centrify DirectControl Administrator Console, including computers, users, groups, pending users and pending groups. Lowering the maximum number of items displayed improves performance when browsing the listed items. This setting does not affect the number of items you can define, only the number displayed.
4 Click OK.
Appendix A
Using adflush
Using adid
Using adkeytab
Using adsmb
Using adsetgroups
Using adclient
Using adcache
Using adreload
Using addns
Using dzdo
Using dzinfo
Using dzsh
Using nisflush
Using OpenLDAP commands
You can use adquery to retrieve information from Active Directory for a user or group. You can use adgpupdate to update computer-based and user-based group policies applied to a UNIX computer. You can use adinfo to collect and display detailed diagnostic and configuration information for a UNIX computer and its Active Directory domain.
The usage information displayed is a summary of the valid command line options and required arguments and a brief description of each option. For more complete information about any command, you can review the information in the command's manual page. For example, to see the manual page for the adleave command:
man adleave
table lists the result codes that are reserved for use by all of the command line programs.
Result  Error name  Indicates
0  ERR_SUCCESS  Successful completion of the operation.
   ERR_OTHERS  Miscellaneous errors occurred during the operation.
   ERR_USAGES  Usage error occurred during the operation.
8  ERR_OP_ABORTED  Operation aborted by user.
9  ERR_ROOT_PRIV  Root privilege is required for the operation.
10  ERR_NOT_JOINED  Computer is not currently joined to any Active Directory domain.
11  ERR_ALREADY_JOINED  Computer is currently joined to an Active Directory domain.
12  another Active Directory domain.
13 14 15  The adclient process failed to start.
16  ERR_DNS_TIMEOUT  The DNS server is not responding and may be down.
17  ERR_DNS_GENERIC  Generic DNS problem occurred during the operation.
18  ERR_INVALID_DOMAIN_NAME  The Active Directory domain name is incorrect or not found in DNS.
19  ERR_INVALID_LOGON  User name or password provided is not correct.
20  ERR_ACCOUNT_DISABLED  The account specified has been disabled.
21  ERR_ACCOUNT_EXPIRED  The account specified has expired.
22  ERR_ACCOUNT_EXISTS  The account specified already exists.
23  ERR_ACCOUNT_NOTFOUND  The account specified was not found in Active Directory.
24  The account password has expired.
25  Unable to find the zone.
26  Invalid Active Directory container object.
27  ERR_INSUFFICIENT_PERM  The account specified does not have sufficient permissions to perform the operation.
28  ERR_CLOCK_SKEW  The time difference between system clocks is outside the acceptable range.
29  Invalid computer account.
30  Invalid credentials.
31  The service ticket is not valid.
32  Policy not matched.
33  Password change rejected.
34  Workstation denied.
35  No matching user was found.
36  No matching group was found.
37  An attempt to open a connection to the adclient process failed.
38  ERR_ADLCIENT_STOP  Unable to stop the adclient process.
39  ERR_QUOTA_EXCEEDED  The user has exceeded the number of join operations allowed.
40  ERR_OPEN_FILE  The attempt to open a file failed.
41  ERR_READ_FILE  The attempt to read a file failed.
42  ERR_COPY_FILE
In addition to these common result codes, each program may also provide one or more command- or operation-specific result codes. Command-specific results are included in the command reference section for individual command line programs.
Using adjoin
The adjoin command adds the local host computer to the specified Active Directory domain. The basic syntax for the adjoin program is:
adjoin [options] domain
The domain name should be a fully-qualified domain name, for example, sales.acme.com.
Note: If the computer is already a member of another domain, you must leave the old domain by running adleave to remove the computer account from the old domain. Once you have left the old domain, you can run adjoin to join the new domain.
By default, when you run adjoin, the program performs the following tasks:
- Locates the domain controller for the specified domain and contacts Active Directory.
- Synchronizes the local computer's time with Active Directory to ensure the timestamp of Kerberos tickets is within the acceptable time period to allow for authentication.
- Checks whether a computer account already exists for the local computer in Active Directory, and creates a new Active Directory computer account for the computer, if needed.
- Updates the Kerberos principal service names used by the host computer, generating new /etc/krb5.conf and krb5.keytab files and new service keys for the host and http services.
- Sets the password on the Active Directory computer account to a randomly-generated password. The password is encrypted and stored locally to ensure Centrify DirectControl alone has control of the account.
- Starts the Centrify DirectControl daemon (adclient).
You may join a specific zone, or, if you do not specify a zone, join the default zone, which Centrify DirectControl creates automatically when you are running a licensed copy of DirectControl.
The adjoin options are as follows:

-u, --user username
    Specify an Active Directory user name with sufficient rights to add a computer to the specified domain and create new computer accounts. For example, depending on the security delegation policies in place, you may need to specify a user account with Domain Administrator privileges. By default, however, any authenticated Active Directory user can join a computer to the domain. You must use the username@domain format to specify the user account if the user is not a member of the domain being joined.
    Note: When specifying username@domain, you cannot use an alternative UPN. You must use the domain defined for your account.
    If you do not specify the --user option, the default is the Administrator user account. Because this account has special rights that can represent a security risk, many organizations disable or restrict access to it. Therefore, in most cases, you should specify the --user option when joining a domain.

-p, --password password
    Specify the password for the Active Directory user account performing the join operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-c, --container containerDN
    Specify the distinguished name (DN) of the container or Organizational Unit in which to place this computer account. You can specify the containerDN by:
    - Canonical name (ajax.org/unix/services). You cannot specify a partial name for the canonical name.
    - Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org).
    - Relative distinguished name without the domain suffix (cn=services,cn=unix).
    For example, to place the computer in the UNIX/Services container within the ajax.org domain using the canonical name, you could specify:
        --container ajax.org/UNIX/Services
    The DN you specify can refer to any container within the directory but does not need to include the domain suffix. The domain suffix is appended to the containerDN programmatically to provide the complete distinguished name for the object. For example, if the domain suffix is acme.com, to place this computer in the paris.regional.sales.acme.com organizational unit within the acme.com domain, you would specify:
        ou=paris,ou=regional,ou=sales
    If you do not specify a container, the computer account is created in the domain's default Computers container.
    Note: The container you specify must already exist in Active Directory or the join operation will fail. In addition, you must have permission to add entries to the specified container.

-n, --name computername
    Specify the host name you want to use for this computer in Active Directory. The maximum length for computer account names in Active Directory is normally 15 or 24 characters and some characters cannot be used. For more information about naming conventions in Active Directory, see the Active Directory documentation. If you do not specify a computername, the computer account name in Active Directory is the same as the local host name. This option is most commonly used if you have a disjointed DNS namespace. For example, if the local UNIX host is a member of the DNS zone ajax.org, but is joining the Active Directory domain emea.ajax.org, you can use this option to join the domain with a computer name that is different from the name of the computer in DNS:
        -n finserv.emea.ajax.org
    This option can also be used in conjunction with the --alias option if the computer has multiple IP addresses and there are DNS records for those addresses.

--prewin2k name
    Specify the pre-Windows 2000 name for this computer in Active Directory. The pre-Windows 2000 name is the name stored in the samAccountName attribute. The maximum length for the samAccountName attribute is 19 characters.
    Note: Although the actual limit is 19 characters, it is recommended that you limit the name to 15 characters because some Windows functions use this attribute as a NetBIOS name, which has a 15-character limit. If the name is larger than 15 characters, DirectControl must use less efficient NTLM authentication methods.
    If you do not specify this option, the default pre-Windows 2000 name is the computer account name truncated at 15 characters. This option enables you to manually specify the pre-Windows 2000 name you want to use. This option is most commonly used if the naming conventions for computer account names result in names that are longer than the 15-character limit.

-f, --force
    Overwrite the information stored in Active Directory for an existing computer account. This option allows you to replace the information for a computer previously joined to the domain. If there is already a computer account with the same name stored in Active Directory, you must use this option if you want to replace the stored information. You should only use this option when you know it is safe to force information from the local computer to overwrite existing information.

-a, --alias aliasname
    Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias, and the computer may be referred to by this alias. This option would normally be used if a computer has more than one Ethernet port and each port is known by a different DNS name. You can specify more than one --alias option if you need to specify multiple aliases for a single computer.

-z, --zone zonename
    Specify the name of the zone in which to place this computer account. If you do not specify a zone, the computer joins the domain in the default zone (a zone named default can be created when you run the Setup Wizard for the first time).
    Note: If you are using the Express mode of DirectControl, you cannot use this option. You must join a domain through Auto Zone by using the --workstation option.
    If individual zone names are not unique across the Active Directory forest, you can use the canonical name of the zone to uniquely identify the zone you want to join. For example, if you have more than one default zone, you can use the full canonical name of the zone to specify which default zone to join. If you specify a zone name and the named zone does not exist, the join operation fails.
    Note: If users and groups are unique across the forest and not required to be segregated into zones, you can join the Active Directory domain by using the --workstation option to connect to Auto Zone instead of specifying a zone. The --workstation and --zone options are mutually exclusive.

-C, --noconf
    Indicate that you do not want to update the local system's PAM and NSS configuration. If you set this option, you will need to modify the PAM and NSS configuration files manually to work with the adclient daemon.

-s, --server domaincontroller
    Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

-Z, --zoneserver domaincontroller
    Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the one you are joining.
    Note: You cannot use this option when using the Express deployment mode of DirectControl.

-g, --gc domaincontroller
    Specify the name of the domain controller to use for global catalog operations. You can use this option if the default domain controller is not writable or does not support global catalog operations.

-T, --trust
    Set the Trust for delegation option in Active Directory for the computer account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network. If you want to use this option, you should clear the local cache on the client before joining the domain.

-k, --des
    Set the computer account to use the Data Encryption Standard (DES) for keys.

-P, --precreate
    Precreate a computer account in Active Directory without joining the domain. If you use this option, you must also specify the name of the computer account you want to precreate using the --name option. The --precreate option does the following:
    - Creates a computer object in Active Directory in the organizational unit you specify or the Computers container.
    - Resets the computer account password to the computer's host name (in lower case).
    - Creates an Extension object in the zone.
    The following permissions are granted to the computer object:
    - Read and Write to the operatingSystemServicePack, operatingSystem, and operatingVersion attributes of the Computer object.
    - Reset the computer's password.
    - Read the userAccountControl attribute of the Computer object.
    - Validated write to the servicePrincipalName and dNSHostName attributes.
    By precreating the computer account and its serviceConnectionPoint, you can allow any user to join the computer to a domain without granting any special rights or performing any zone delegation. This option also enables you to create all the computer accounts you want in a batch job and automate how computers join the domain.

Version 2.x compatibility option
    Precreate a computer object that is compatible with DirectControl version 2.x and later. You must specify this option if you want the precreated computer object to be compatible with DirectControl version 2.x and later.

-S, --selfserve
    Use the computer object's account credentials to join the domain.
    Note: You cannot use this option when using the Express deployment mode of DirectControl.
    To use this option, you must have already precreated the computer account in Active Directory using the Pre-Create Computer wizard. For more information about using the wizard to precreate a computer account, see Precreating computer accounts on page 86.
    Note: If you use the --selfserve option, you don't need to specify a zone for the computer. The computer is automatically made a member of the zone where the precreated object was created. You must, however, specify the Active Directory domain to successfully add the computer to the domain.

-V, --verbose
    Display information about each step in the join process as it occurs. This option can be useful in diagnosing join problems. This option also writes log messages to the centrifydc.log file for troubleshooting purposes.

-v, --version
    Display version information for the installed software.

-w, --workstation
    Join the computer to an Active Directory domain by connecting to Auto Zone rather than by making the computer a member of any specific zone. When joined to Auto Zone, every Active Directory user and group defined in the forest and any users defined in a two-way trusted forest are valid UNIX users or groups. You can use this option when:
    - Active Directory identities are unique for the forest and trusted external forest.
    - Active Directory users and groups only require one set of properties for all computers and do not need to be segregated into zones for any reason.
    For the join to be successful, all of the domains in the forest and the trusted external forest must be unique. If domains are not unique across the forest trust, you must manually configure a unique prefix for each trusted domain using parameters in the centrifydc.conf configuration file.
    Note: The --workstation and --zone options are mutually exclusive.

domain
    Specify the fully-qualified domain name you want the local computer to join. There is no default setting, so this argument is required.
To join the acme.com domain using all of the default options and the Administrator user account, you could type a command line similar to the following:
adjoin acme.com
You are then prompted for the Active Directory Administrator password. If you want to join the sales.acme.com domain through Auto Zone (the --workstation option) using a user account that is not in that domain, with a specified host name and Organizational Unit, you could type a command line similar to the following:
adjoin --workstation --user jeff@acme.com --name orlando --container "ou=UNIX computers" sales.acme.com
You are then prompted to provide the password for the user jeff@acme.com. If the password is correct and the local computer can successfully connect to Active Directory, a new computer account is added to Active Directory using the computer name orlando in the UNIX computers Organizational Unit.
Note: When specifying username@domain to join a domain, you cannot use an alternative UPN. For example, if your organization uses an alternate UPN to allow you to log in as garcia@mission.org but your account is actually defined in the sf.mission.org domain, you must use that domain when specifying the user account. For example:
adjoin --workstation --user garcia@sf.mission.org la.mission.org
To join the acme.com domain using all of the default options and the Administrator user account, you could type a command line similar to the following:
adjoin acme.com
You are then prompted for the Active Directory Administrator password. If you want to join the sales.acme.com domain using a user account that is not in that domain, with a specified zone, host name, and Organizational Unit, you could type a command line similar to the following:
adjoin --user jeff@acme.com --zone LinuxDev --name orlando
You are then prompted to provide the password for the user jeff@acme.com. If the password is correct and the local computer can successfully connect to Active Directory, a new computer account is added to Active Directory using the computer name orlando in the UNIX computers Organizational Unit.
Note: When specifying username@domain to join a domain, you cannot use an alternative UPN. For example, if your organization uses an alternate UPN to allow you to log in as garcia@mission.org but your account is actually defined in the sf.mission.org domain, you must use that domain when specifying the user account. For example:
adjoin --user garcia@sf.mission.org la.mission.org
If zone names are not unique across the Active Directory forest, you can use the canonical name of the zone to uniquely identify the zone you want to join. For example, if you have more than one default zone, you could type a command line similar to the following:
adjoin --user trey --zone ajax.test/UNIX/Zones/default javadev.ajax.test
The adjoin command modifies the following configuration files:

File                         Platform        File location
Kerberos configuration file  Most platforms  /etc/krb5.conf
                             Solaris
Kerberos keytab file         Most platforms  /etc/krb5.keytab
                             Solaris
NSS configuration file       Most platforms
PAM configuration file       Most platforms  /etc/pam.conf, /etc/pam.d/system-auth, /etc/pam.d/*
                             AIX             /usr/lib/security/methods.cfg, /etc/security/user

In addition, the following files are created in the /var/centrifydc directory by running adjoin or by starting the Centrify DirectControl Agent for the first time:

Name                   Purpose
daemon                 The pipe which clients open to communicate with the agent
dc.cache               Cache of objects from the Domain Controller
gc.cache               Cache of objects from the Global Catalog
dcdn.idx               Cache index
extmgr.idx             Cache index
gcdn.idx               Cache index
gid.idx                Cache index
gname.idx              Cache index
search.idx             Cache index
uid.idx                Cache index
uname.idx              Cache index
kset.domain            The domain name
kset.domaincontroller  The domain controller host name
kset.host              The host name used to join
kset.schema            The current schema version
kset.site              The preferred site
kset.zone              The zone GUID
kset.zonename          Readable zone name
reg/*/*/*              Group Policy registry files downloaded from AD
Result codes specific to adjoin:

      ERR_JOIN_ATTRMAP
      The mapping of computer account properties to Active Directory attributes failed. If you encounter this problem, you may need to map all attributes, then rerun the adjoin command.
157   ERR_JOIN_UPDATE
      The computer failed to join the domain. If you encounter this problem, you may need to take corrective action:
      - Check whether the computer's host name exceeds 15 characters. If the host name exceeds 15 characters, shorten it or use the --name option to specify a name that is 15 characters or less, then rerun the adjoin command.
      - Check whether the computer's primary DNS suffix matches the Active Directory domain DNS name or another allowed primary DNS suffix. If the DNS suffix does not match the Active Directory domain or is not an allowed primary DNS suffix, you may need to change the DNS or domain configuration, then rerun the adjoin command.
158   ERR_STRONGER_AUTH_NEEDED
      A stronger authentication method is required by Active Directory. If you encounter this problem, you should set the LDAP traffic encryption parameter, adclient.ldap.packet.encrypt, to Allowed or Required in the Centrify DirectControl configuration file, then rerun the adjoin command.
159   ERR_UNEXPECTED_LDAP_REFERRAL
      There was an unexpected referral response. This is usually caused by an erroneous replication object in Active Directory. If you encounter this problem, you should check the zone container for replication errors, then rerun the adjoin command.
160   ERR_SPN_NOT_UNIQUE
      The servicePrincipalName (SPN) was not unique. Each SPN must be unique across the Active Directory forest. If you encounter this problem, you should use a servicePrincipalName that is unique across the forest, then rerun the adjoin command. You can search for duplicate service principal names using the Analyze wizard.
161   ERR_SERVERNAME_INVALID
      The domain server was specified using an IP address. If you encounter this problem, you should specify the domain controller name using a fully-qualified DNS name.
162   ERR_CHANGE_DIR
      The attempt to change to the data directory failed.
163   ERR_DOMAIN_NOT_TRUSTED
      The domain specified is not in the same forest or is not a trusted domain. If you encounter this problem, you should check the trust relationship for the domain or use a different domain, then rerun the adjoin command.
164   ERR_MULTIPLE_ZONES_FOUND
      Multiple zones were detected. If you encounter this problem, you should check the zones defined, then rerun the adjoin command and specify only one zone.
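The batch precreation that the --precreate option describes, together with the result codes documented above, as an added shell example (written for this page, not Centrify's own tooling). It assumes a constructed host list file, placeholder values for the container, zone, domain and user, and that adjoin prompts for the password rather than receiving it with --password; the ADJOIN variable lets a stand-in command replace the real adjoin for dry runs.

```shell
#!/bin/sh
# Batch precreation of computer accounts with adjoin --precreate, plus
# interpretation of the documented adjoin result codes. Example written for
# this page, not Centrify's own code. ADJOIN can be overridden with a
# stand-in command for dry runs.
ADJOIN="${ADJOIN:-adjoin}"

# Map a documented adjoin result code to its error name. Only codes whose
# number and name both appear in the reference are listed; 0 is assumed to
# mean successful completion, as is usual for UNIX commands.
adjoin_result_name() {
    case "$1" in
        0)   echo "SUCCESS" ;;
        8)   echo "ERR_OP_ABORTED" ;;
        9)   echo "ERR_ROOT_PRIV" ;;
        10)  echo "ERR_NOT_JOINED" ;;
        11)  echo "ERR_ALREADY_JOINED" ;;
        16)  echo "ERR_DNS_TIMEOUT" ;;
        17)  echo "ERR_DNS_GENERIC" ;;
        18)  echo "ERR_INVALID_DOMAIN_NAME" ;;
        19)  echo "ERR_INVALID_LOGON" ;;
        20)  echo "ERR_ACCOUNT_DISABLED" ;;
        21)  echo "ERR_ACCOUNT_EXPIRED" ;;
        22)  echo "ERR_ACCOUNT_EXISTS" ;;
        23)  echo "ERR_ACCOUNT_NOTFOUND" ;;
        27)  echo "ERR_INSUFFICIENT_PERM" ;;
        28)  echo "ERR_CLOCK_SKEW" ;;
        39)  echo "ERR_QUOTA_EXCEEDED" ;;
        157) echo "ERR_JOIN_UPDATE" ;;
        158) echo "ERR_STRONGER_AUTH_NEEDED" ;;
        159) echo "ERR_UNEXPECTED_LDAP_REFERRAL" ;;
        160) echo "ERR_SPN_NOT_UNIQUE" ;;
        161) echo "ERR_SERVERNAME_INVALID" ;;
        163) echo "ERR_DOMAIN_NOT_TRUSTED" ;;
        164) echo "ERR_MULTIPLE_ZONES_FOUND" ;;
        *)   echo "UNKNOWN($1)" ;;
    esac
}

# Default pre-Windows 2000 name: the leading label of the computer name
# truncated at 15 characters (the NetBIOS limit from the reference).
# Prints the name; returns 1 if truncation was needed, so the caller can
# warn that DirectControl would fall back to NTLM for this host.
prewin2k_default() {
    short=${1%%.*}
    printf '%s\n' "$short" | cut -c1-15
    [ "${#short}" -le 15 ]
}

# Precreate one computer account per line of the host list file (blank
# lines and '#' comments are skipped). Prints one status line per host and
# returns the number of hosts whose precreation failed.
precreate_hosts() {
    hostfile=$1 container=$2 zone=$3 domain=$4 user=$5
    failed=0
    while IFS= read -r host || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        if ! prewin2k_default "$host" >/dev/null; then
            echo "WARN: $host: name longer than 15 characters; consider --name"
        fi
        # No --password on the command line: adjoin prompts for it, and a
        # password argument would be visible in process listings and history.
        if "$ADJOIN" --precreate --name "$host" --container "$container" \
                --zone "$zone" --user "$user" "$domain"; then
            rc=0
        else
            rc=$?
        fi
        echo "$host: $rc $(adjoin_result_name "$rc")"
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done < "$hostfile"
    return "$failed"
}

# Usage (placeholder values):
#   sh precreate.sh hosts.txt "ou=UNIX computers" LinuxDev sales.acme.com jeff@acme.com
if [ $# -eq 5 ]; then
    precreate_hosts "$@"
fi
```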
Using adleave
The adleave command removes the local host computer from its current Active Directory domain. Once a computer has become a member of a domain, you must run the adleave command to leave that domain before you can move a computer to a new domain.
By default, when you run adleave, the program performs the following tasks:
- Contacts Active Directory and deactivates the computer account associated with the local UNIX host. The program does not remove the computer account from Active Directory. To remove the computer account entirely, you must delete it from Active Directory manually with Active Directory Users and Computers.
- Reverts any computer settings that were changed by the adjoin command to their pre-adjoin condition. This includes reverting PAM, NSS, and Kerberos configuration files to their pre-join states, deleting the /var/centrifydc/* files, and deleting /etc/krb5.keytab.
- Stops the Centrify DirectControl daemon (adclient).
Note: When you join a domain, the Kerberos configuration file, /etc/krb5.conf, and keytab file, /etc/krb5.keytab, are automatically generated for you. Because the /etc/krb5.conf file can contain entries used by other applications, it is not removed automatically when you leave a domain. If you leave the domain, you should check whether this file is used by any other applications or has been manually edited. If it is not used by other applications, you can safely delete the file after leaving the domain.
The adleave options are as follows:

-u, --user username
    Identify an Active Directory user account with sufficient rights to remove a computer from the domain. You must use the username@domain format to specify the user account if the user is not a member of the computer's current domain. If you do not specify the --user option, the default is the Administrator user account.

-p, --password password
    Specify the password for the Active Directory user account performing the leave operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-s, --server domaincontroller
    Specify the name of the domain controller that you prefer to use to disconnect from the domain. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

-Z, --zoneserver domaincontroller
    Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the domain you are leaving.
    Note: You cannot use this option when using the Express deployment mode of DirectControl.

-C, --noconf
    Indicate that you do not want to revert the local system's PAM and NSS configuration files to their original state. Normally, if you leave a domain, any changes that were made to the PAM and NSS configuration files during the join operation to work with the adclient daemon are removed. If you set this option to leave the file changes in place, you should review the PAM and NSS configuration files for potential changes.
    Note: Be sure to review and, if necessary, edit the PAM and NSS configuration files before you use this option. If you don't take precautions before using this option, the computer may become inoperable and require a reboot in single user mode to fix the problem.

-f, --force
    Indicate that you want to force the local computer's settings to their pre-join conditions even if the adleave command cannot connect to Active Directory or is not successful in deactivating the Active Directory computer account. You must use this option if the Active Directory computer account has been modified or deleted so that the host computer can no longer work with it.

Keep group policy settings
    Indicate that you do not want to revert any group policies applied to the computer to their original state. Normally, if you leave a domain, any group policy changes that have been applied to UNIX configuration files are reverted to restore the files to their pre-join state.
    Note: This option has no effect when using the Express deployment mode of DirectControl, as group policies are not supported by Centrify DirectControl Express.

-r, --remove
    Remove the computer account from Active Directory.

-R, --restore
    Restore system configuration files to their pre-join state without leaving the domain.

-v, --version
    Display version information for the installed software.

-V, --verbose
    Display detailed information for each operation.
You are then prompted for the Active Directory Administrator password. To remove a computer from its current domain using a specific user account and without reverting the PAM and NSS configuration files to their pre-join state, you could type a command line similar to the following:
adleave --user raj@acme.com --noconf
You are then prompted for the password for the user raj@acme.com. To revert all computer settings to their pre-join state even if the command is unable to deactivate the host computer's account in Active Directory, you could type a command line similar to the following:
adleave --force
Result codes specific to adleave:

      ERR_STOP_NIS_ADCLIENT
      The adleave command was unable to stop the adnisd or adclient process. If you encounter this problem, you may need to manually stop the processes, then rerun the adleave command.
157   ERR_DELETE_CONTENT
      The adleave command was unable to delete all content.
158   ERR_LEAVE_FAILED
      The attempt to leave the domain failed. If you encounter this problem, you may need to rerun the adleave command with the --force option.
159   ERR_CONNECT_DC
      The adleave command was unable to connect to the domain controller. If you encounter this problem, you may need to rerun the adleave command with the --force option.
160   ERR_SYNC_TIME
      Time is not synchronized between the local system clock and the domain controller.
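A leave wrapper that acts on the adleave result codes listed above, as an added shell example (written for this page, not Centrify's own code). It reruns with --force only for the two codes where the reference names --force as the remedy, and only when the caller allows it, because --force reverts local settings even when the computer account could not be deactivated; the ADLEAVE variable lets a stand-in command replace the real adleave for dry runs.

```shell
#!/bin/sh
# Leave the domain and act on the documented adleave result codes. Example
# written for this page, not Centrify's own code. ADLEAVE can be overridden
# with a stand-in command for dry runs.
ADLEAVE="${ADLEAVE:-adleave}"

# Map a documented adleave-specific result code to its error name
# (0 is assumed to mean success, as is usual for UNIX commands).
adleave_result_name() {
    case "$1" in
        0)   echo "SUCCESS" ;;
        157) echo "ERR_DELETE_CONTENT" ;;
        158) echo "ERR_LEAVE_FAILED" ;;
        159) echo "ERR_CONNECT_DC" ;;
        160) echo "ERR_SYNC_TIME" ;;
        *)   echo "UNKNOWN($1)" ;;
    esac
}

# Next step for a first-attempt result code: "done", "force" (the reference
# suggests rerunning with --force), "sync-time" (clock skew, which --force
# would not fix) or "manual".
adleave_next_step() {
    case "$1" in
        0)       echo "done" ;;
        158|159) echo "force" ;;
        160)     echo "sync-time" ;;
        *)       echo "manual" ;;
    esac
}

# Run adleave as USER; rerun with --force only if the second argument is
# "yes". A forced leave can leave the computer account active in Active
# Directory, so the operator is told to deactivate it by hand.
leave_domain() {
    user=$1 allow_force=${2:-no}
    if "$ADLEAVE" --user "$user"; then rc=0; else rc=$?; fi
    echo "adleave: $rc $(adleave_result_name "$rc")"
    case "$(adleave_next_step "$rc")" in
        done) return 0 ;;
        force)
            if [ "$allow_force" = yes ]; then
                echo "retrying with --force; deactivate the computer account in AD by hand if it still exists"
                if "$ADLEAVE" --user "$user" --force; then rc=0; else rc=$?; fi
                echo "adleave --force: $rc $(adleave_result_name "$rc")"
            else
                echo "rerun with --force if the computer account is unreachable or already deleted"
            fi ;;
        sync-time) echo "synchronize the system clock with the domain controller, then rerun adleave" ;;
        manual)    echo "see the adleave result codes; manual action is needed" ;;
    esac
    return "$rc"
}
```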
Using adcheck
The adcheck command can be used to perform operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The domain should be a fully-qualified domain name, for example, sales.acme.com. The output from adcheck includes notes, warnings, and fatal errors, with suggestions on how to fix them. By default, adcheck performs the following tests:
- Operating system check to verify that the operating system is supported and at the correct patch levels, and that there is sufficient disk space.
- Network check to verify DNS and SSH.
- Active Directory check to verify various aspects of the Active Directory configuration, including the domain name, time and domain synchronization, and checking up to 10 domain controllers (which can be extended by an adcheck parameter for large domains).
Note: The adcheck program is run automatically when you install the Centrify DirectControl Agent by running the install.sh program or the graphical-user-interface installer on a Mac OS X platform.
To run adcheck you must be logged in as root. The basic syntax for the adcheck program is:
adcheck [--alldc] [--siteonly] [--bigdomain number] [--xml filename] [--test os|net|ad] [--servername domainController] [--verbose] [--version]
The adcheck options are as follows:

--alldc
    Check all domain controllers. This option overrides the --siteonly and --bigdomain options. The --servername option overrides this option. If you do not specify --alldc, --siteonly, or --servername, adcheck checks the number of domain controllers specified by the --bigdomain option (default is 10).

-s, --siteonly
    Check all domain controllers for the first detected site. This option overrides the --bigdomain option. The --alldc and --servername options override this option.

--bigdomain number
    Specify the number of domain controllers to check. The default is 10. The --alldc, --siteonly, and --servername options override this option.

--xml filename
    Specify the filename in which to generate XML output.

--test os|net|ad
    Run only one or two of the tests, as follows:
    os   Operating system check
    net  Network check
    ad   Active Directory check

--servername domainController
    Specify the domain controller to connect to when performing the network checks. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information. This option overrides the --alldc, --siteonly, and --bigdomain options.

-V, --verbose
    Display diagnostic information about the host, the domain, and the domain controller.

-v, --version
    Display version information for the installed software.
Using adlicense
The adlicense command can be used to enable or disable licensed features on a local computer. If you execute adlicense with no options, it displays the current mode, either licensed or express. In licensed mode, a computer has access to group policies and may join any existing zone. In express mode (licensing is disabled), a computer may not download or execute group policies and cannot join a zone; the computer is automatically joined to Auto Zone. To run adlicense you must be logged in as root. The basic syntax for the adlicense program is:
adlicense [--licensed] [--express] [--verbose] [--version]
The adlicense options are as follows:

--licensed
    Enable licensed features, including the ability to use group policies and join a specific zone. After you enable licensed features, the computer is still joined to Auto Zone. You may keep the computer joined to Auto Zone or join a specific zone, in which case you must first leave the domain with adleave, then rejoin the domain with the adjoin --zone command. To enable licensing, you must have installed a valid license key. Enabling licensing consumes a license.

--express
    Disable licensed features. This option unmaps group policies and prevents the machine from joining any specific zone. The computer is automatically joined to Auto Zone. If you are running in licensed mode and execute adlicense --express to switch to Express mode, a license is restored.
    Note: You cannot use this option if the machine is currently joined to a zone. You must first leave the domain, then connect to Auto Zone when rejoining the domain.

-V, --verbose
    Display detailed information about the operation performed.

-v, --version
    Display version information for the installed software.
Using adpasswd
The adpasswd command changes the password for an Active Directory user account. It can be used to change the password of the current user executing the command or to change the password of another Active Directory user. If you want to change the password for any Active Directory account other than your own, you must provide the user name and password of an administrative account with the authority to change that user's password. The basic syntax for the adpasswd program is:
adpasswd [options] [user[@domain]]
If a user@domain is specified in the command line, you must provide an administrative user name and password for an Active Directory account with the authority to set passwords for other Active Directory users. If a user@domain is not specified in the command line, this command can only be used to change the password for the current user account. Because adpasswd allows a user to change his or her own password, you do not need to be logged in as root to run this command.
344 Administrators Guide
Note
Changing a users password with this command updates the users Active Directory account. Once changed, the new password must be used for all activities that are authenticated through Active Directory, including logging on to the UNIX shell, logging on to Windows computers, and accessing applications on both UNIX and Windows.
Using adpasswd

You can use the following options with the adpasswd command:

Use this option   To do this

--adminuser adminuser[@domain]
    Identify an Active Directory user account with sufficient rights to modify another Active Directory user account. You must use the adminuser@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the default is the Administrator user account.

(administrative password option; option name missing from the extracted text)
    Specify the password for the Active Directory administrative account when changing another user's Active Directory password. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. However, if adpasswd detects Kerberos credentials, it uses those for the command, and if these credentials are not sufficient, you receive an error message rather than a prompt for a password.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

--validate
    Check the validity of a user's password. This option is used to verify whether a specified user can log on with the specified password.

(current password option; option name missing from the extracted text)
    Specify the current password for the Active Directory user account. This option is only used when the user executing the command is trying to change the password for his own account. This option is ignored if the administrator is trying to change the password for another user account. If you are trying to change your own password and do not provide the current password at the command line, you are prompted to enter the old password before the command executes.

(new password option; option name missing from the extracted text)
    Specify the new password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the new password and confirm the new password by retyping it before the command executes. The new password must meet the Active Directory domain password policy requirements for length and complexity.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-v, --version
    Display version information for the installed software.

user[@domain]
    Specify the Active Directory user account for the password change. You must use this option if you are changing another Active Directory user's account password. You should not use this option when changing your own account password. If a user name is not specified, the default is always the current user's account. You must use the user@domain format to specify the account if the user is not a member of the host computer's current domain.
The following command illustrates changing the password for another user account, jane@acme.com, which is in a domain outside the host computer's own Active Directory domain. Because this example changes the password for another user, the command specifies an Active Directory administrative account, admin@acme.com, with the authority to change the password for Jane's account:
adpasswd --adminuser admin@acme.com jane@acme.com
You are then prompted for the administrator password and the user's new password because these values aren't provided in the command line.
Administrator password: xxx
New password for jane@acme.com: xxx
To check whether a user can log on with a specific password, you can use the --validate option. For example:
adpasswd --validate pablo@acme.com
Password: xxx
If the user name and password are valid and can be authenticated by Active Directory, a successful validation message is displayed. If the user name and password specified cannot be authenticated, the command displays a message indicating the authentication failure:
Password validate failed for user pablo
Account cannot be accessed at this time
Please contact your system administrator
Error name   Indicates

ERR_PASSWDFILE_MISS
    The password could not be updated because the passwd file could not be found.

157 ERR_PASSWDFILE_BUSY
    The password could not be updated because the passwd file was being used by another program.
Using adupdate
The adupdate command enables administrators to perform user and group account management tasks from the command line on any Centrify DirectControl-managed system. The user and group management tasks you can perform include the following:
    Adding a new user to a zone
    Modifying a user's UNIX profile
    Disabling and enabling a user's access to a zone
    Deleting users from a zone
    Adding an Active Directory group to a zone
    Modifying a group's UNIX profile
    Managing the group's membership
    Deleting an existing Active Directory group from a zone
    Synchronizing the time on the local computer with its domain controller
Each of these tasks can include command line options that enable the task to be accomplished using a script. The basic syntax for the adupdate program is as follows:
adupdate add|delete|modify user|group [options]
You must specify the administrative task to perform, then whether the task applies to a user or group, before you specify any other command line options. In addition, the options required to complete an administrative task depend on which task you are performing. For more information about the syntax and the options you need to use for each task, see the appropriate section for the administrative task you are performing.
Note: You must specify the Active Directory user that the new UNIX user profile should be associated with. In specifying the Active Directory user, you must use the user@domain format if the user is a member of a domain other than the host computer's domain.
Setting options for a new user profile

You can use the following options with the adupdate add user command:

Use this option   To do this

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to add a new user profile or new user account to Active Directory in the current domain. You must use the user@domain format to specify the user account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available, the default value is the Administrator user account.

(administrative password option; option name missing from the extracted text)
    Specify the password for the Active Directory user account with administrative rights. If you are using the current Kerberos credentials, you don't need to specify the password at the command line. If you are not using the current Kerberos credentials and do not specify the password at the command line, you are prompted to enter the password before the command executes. You can pipe the password into standard input for scripting purposes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-U, --user loginname
    Specify the Active Directory user that the new UNIX user profile should be associated with. This option is required. You can use the user's Windows login name, for example, the samAccountName attribute or the user's userPrincipalName attribute, to identify the Active Directory account. The name you specify can also include spaces if properly quoted according to the rules of the UNIX shell you are using. For example, if you want to specify a first name and last name:
    --user 'Kay Li'
    You should use the user@domain format to specify the login name if the user is not a member of the host computer's currently joined domain. If you are also using the --create option to create a new Active Directory user and do not specify the --first option in the command line, the name you specify for the --user loginname is also used for the displayName and CN attributes in Active Directory.

-C, --create
    Create a new Active Directory user. If you don't specify this option, the user account you specify for the --user option must already exist in Active Directory.

-d, --home home_directory
    Specify the UNIX home directory for the new user. The default home directory path is set by appending the user's login name to default_home. For example, if the user's login name is kay:
    /default_home/kay
    Note: You cannot specify this option when connected to Auto Zone.
(primary group option; option name missing from the extracted text) initial_group
    Specify the group name or numeric identifier of the user's primary group. If you specify a group name, the group name must exist in Active Directory. If you specify a numeric group identifier (GID), the group identifier should refer to a group with an existing UNIX profile defined for the zone. By default, a user's primary group is the value specified as the default group GID for the zone, if one is defined, or the next available UID and GID if you are using user-specific primary groups.
    Note: You cannot specify this option when connected to Auto Zone.

-G, --groups groupname,[...]
    List additional groups the user is a member of. Use commas to separate group names. For example:
    --groups qa02,sap,javax
    You can specify the groups by UNIX group name or samAccountName attribute. The groups you specify do not need to have a UNIX profile already defined for the zone. There is no default group list. By default, only a user's initial group is defined.

-u, --uid uid_value
    Specify the numeric value of the user identifier (UID) for the UNIX user account. This value must be a positive integer and must be unique in the zone unless you specify the -o option to allow duplicate values. If you do not specify the --uid option, the next available UID in the zone is used by default. You should not specify UID values between 0 and 99. Values between 0 and 99 are typically reserved for system accounts.
    Note: You cannot specify this option when connected to Auto Zone.
-o, --allow-duplicate
    Allow the UID value for the new user to be the same as the UID used in another user profile.
    Note: You cannot specify this option when connected to Auto Zone.

(login shell option; option name missing from the extracted text)
    Specify the user's login shell. If you don't specify this option, the system selects the default login shell for the operating environment when the user logs on.
    Note: You cannot specify this option when connected to Auto Zone.

--make-home [--skeleton skeleton_directory]
    Create the user's home directory automatically if it does not already exist. If you specify this option and the --skeleton option, the files and directories contained in skeleton_directory are copied to the new home directory. If you don't specify the --skeleton option, the files contained in the directory specified by the pam.homeskel.dir configuration parameter are copied to the new home directory instead. The --skeleton option is only valid in conjunction with the --make-home option. If you don't specify this option, the adupdate command does not create the user's home directory or copy any files.
    Note: You cannot specify this option when connected to Auto Zone.

--first name
    Specify the first name of the Active Directory user. The name you specify is mapped to the givenName LDAP attribute and is used as the first component for the displayName and cn attributes. If you don't specify this option, the givenName attribute is left blank and the samAccountName is used for the displayName and cn attributes. This option is ignored if you are not using the --create option to create an Active Directory account.

--last name
    Specify the last name of the Active Directory user. The name you specify is mapped to the sn LDAP attribute and is used as the second component for the displayName and cn attributes if the --first option is specified. This option is ignored if you are not using the --create option to create an Active Directory account.

-w, --new-password password
    Specify the initial password for the new user account. If you do not specify a password for the user, you are prompted to enter and re-enter the password before the command executes. Whether you specify the user's password at the command line or when prompted, the password must adhere to the domain's password policy requirements for length and complexity.

-W, --show-password
    Generate and display an initial password for the new user account. This option enables the account to be created with a random password, which can then be reset later when the user logs on.
--container containerDN
    Specify the distinguished name (DN) of the container or Organizational Unit (OU) in which to place this user account. The DN represents the direct parent object for the user. You can specify the containerDN by:
        Canonical name (ajax.org/unix/services)
        Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org)
        Relative distinguished name without the domain suffix (cn=services,cn=unix)
    For example, to place the account in the UNIX/Services container within the ajax.org domain using the canonical name, you could specify:
    --container ajax.org/UNIX/Services
    The DN you specify can refer to any container within the directory but does not need to include the domain suffix. The domain suffix is appended to the containerDN programmatically to provide the complete distinguished name for the object. For example, if the domain suffix is acme.com, to place this user in the paris.regional.sales.acme.com organizational unit within the acme.com domain, you would specify:
    ou=paris, ou=regional, ou=sales
    Note: You must specify a container for the new user object when creating a new user account with the adupdate command. You can use the domain's default Users container object, for example, ajax.org/Users, or any other existing parent container object. If the container you specify does not exist in Active Directory, however, the user account will not be created. In addition, you must have permission to add entries to the specified container.

--spn servicePrincipalName
    Specify the servicePrincipalName to use as the service principal name for this user account. Specifying a service principal name is particularly useful if you intend to use prevalidated authentication. To specify the servicePrincipalName, you should use the format:
    service/samAccountName
    For example, to add a service principal for the prevalidation service, preval, for the user account kai:
    --spn preval/kai kai

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

UNIXlogin
    Specify the UNIX login name for the user in the current zone.
To add a new UNIX profile for Active Directory user Wilson Perez if you are logged on with a user account with permission to add new users to the domain, you could type a command line similar to the following:
adupdate add user -U wilson perez@ajax.org wilson
You are then prompted for the password for the new account and to retype the password for the new account. To add a new user account when your current user account does not have permission to add new users to the domain, you must provide the user name and password for an account with permission to add new users to the domain. For example, if the user paolo@acme.com is an administrator with permission to add users to the atlas.acme.com domain, you could type a command line similar to the following:
adupdate add user --uid 2367 --admin paolo@acme.com --create --user chris@atlas.acme.com --first Chris --last Roberts chris
You are then prompted for the password for the paolo@acme.com account. If the user name and password for the administrators account are valid, you are then prompted for the password for the new account and to retype the password for the new account.
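A scripted version of the add user procedure above, as an added example in shell (my own code, not from the Centrify guide or from Centrify): it applies the --uid rules and the --container suffix rule from the option table as pre-flight checks, then calls adupdate with the administrative password on standard input so that the password never appears in the command line, in ps output, or in the shell history that the Note on the password option warns about. It assumes that adupdate reads the piped administrative password from standard input when --admin is given (the guide says the password can be piped for scripting), that -W/--show-password makes adupdate generate the initial password, and that these options are accepted together; the account names, UID and container are constructed sample values, and ADUPDATE can point to a stub command for a dry run.

```shell
#!/bin/sh
# Added example; not code from the Centrify guide or from Centrify.
# Wrapper around "adupdate add user" that keeps every password off the
# command line. Assumptions (mine): adupdate accepts the administrative
# password on standard input when --admin is used, -W/--show-password makes
# adupdate generate the initial password, and these options combine.

ADUPDATE="${ADUPDATE:-adupdate}"   # point at a stub command for a dry run

# check_uid UID KNOWN_UIDS
# Pre-flight check for --uid following the guide's rules: a positive integer,
# outside the 0-99 range reserved for system accounts, and not already used in
# the zone (KNOWN_UIDS is a whitespace-separated list, e.g. gathered from
# adquery output). Returns 0 when the UID is acceptable, 1 otherwise.
check_uid() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;            # not an unsigned integer
    esac
    [ "$1" -ge 100 ] || return 1            # 0-99 are reserved
    for known in $2; do
        [ "$known" = "$1" ] && return 1     # duplicate: would need -o
    done
    return 0
}

# container_dn CONTAINER DOMAIN
# Builds the --container value the way the guide describes: a relative DN
# without the domain suffix gets the domain's dc= components appended; a
# canonical name or an already complete DN is passed through unchanged, so the
# suffix is never appended twice.
container_dn() {
    container=$(printf '%s' "$1" | sed 's/, */,/g')   # "ou=a, ou=b" -> "ou=a,ou=b"
    case $container in
        */*)          printf '%s\n' "$container" ;;   # canonical name
        *[Dd][Cc]=*)  printf '%s\n' "$container" ;;   # suffix already present
        *)
            suffix=$(printf '%s' "$2" | sed 's/\./,dc=/g; s/^/dc=/')
            printf '%s,%s\n' "$container" "$suffix" ;;
    esac
}

# provision_user ADMIN UPN FIRST LAST UID CONTAINER DOMAIN LOGIN
# Reads the administrative password from ADMIN_PW_FILE (a file readable only
# by the account running the script) or, when that is unset, from the terminal
# with echo disabled, then pipes it into adupdate on standard input.
provision_user() {
    admin=$1 upn=$2 first=$3 last=$4 uid=$5 container=$6 domain=$7 login=$8
    if [ -n "${ADMIN_PW_FILE:-}" ]; then
        admin_pw=$(cat "$ADMIN_PW_FILE")
    else
        printf 'Active Directory password for %s: ' "$admin" >&2
        stty -echo; read -r admin_pw; stty echo; printf '\n' >&2
    fi
    dn=$(container_dn "$container" "$domain")
    printf '%s\n' "$admin_pw" | "$ADUPDATE" add user \
        --admin "$admin" --create --user "$upn" \
        --first "$first" --last "$last" --uid "$uid" \
        --container "$dn" --show-password "$login"
}

# Constructed sample call (values are not from the guide):
#   ADMIN_PW_FILE=/root/.adadmin provision_user paolo@acme.com chris@atlas.acme.com \
#       Chris Roberts 2367 'ou=paris, ou=regional, ou=sales' acme.com chris
```

Run check_uid against the UIDs already present in the zone before calling provision_user; a failed check means the new account would collide with an existing profile or land in the reserved range, which is exactly what the -o option exists to override deliberately rather than by accident. With the password arriving on standard input, the only places it exists are the protected file (or the terminal) and the pipe.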
You can use the following options with the adupdate modify user command:

Use this option   To do this

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to modify user profiles in the current domain. You must use the user@domain format to specify the user account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available, the default value is the Administrator user account.
(administrative password option; option name missing from the extracted text)
    Specify the password for the Active Directory user account with administrative rights. If you are using the current Kerberos credentials, you don't need to specify the password at the command line. If you are not using the current Kerberos credentials and do not specify the password at the command line, you are prompted to enter the password before the command executes. You can pipe the password into standard input for scripting purposes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

--login
    Change the UNIX login name for the specified user. For example, to change the login name for the UNIX user from jim to james:
    adupdate modify user --login james jim
    This option does not make any other changes. If you use this option, you should also use other options to create a new home directory name that reflects the new login name or move the contents of the user's old home directory to a new home directory name.
    Note: You cannot specify this option when connected to Auto Zone.
-d, --home home_directory
    Create a new UNIX home directory for the specified user. You can use this option in conjunction with the --move-home option to move the contents of a user's current home directory to a new home directory. The new home directory is created automatically if it does not already exist.
    Note: You cannot specify this option when connected to Auto Zone.

-m, --move-home
    Move the contents from a user's old home directory to a new home directory.
    Note: You cannot specify this option when connected to Auto Zone.

(primary group option; option name missing from the extracted text)
    Specify the group name or numeric identifier of the user's primary group. If you specify a group name, the group name must exist in Active Directory. If you specify a numeric group identifier (GID), the group identifier must refer to an existing group with a UNIX profile defined for the zone. By default, a user's primary group is the value specified as the default group GID for the zone, if one is defined, or the next available UID and GID if you are using user-specific primary groups.
    Note: You cannot specify this option when connected to Auto Zone.

-G, --groups groupname,[...]
    Modify the additional groups the user is a member of. Use commas to separate group names. For example:
    --groups qa02,sap,javax
    You can specify the groups by UNIX group name or samAccountName attribute. The groups you specify do not need to have a UNIX profile already defined for the zone. There is no default group list. By default, only a user's initial group is defined.
-u, --uid uid_value
    Modify the numeric value of the user identifier (UID) for the UNIX user account. This value must be a positive integer and must be unique in the zone unless you specify the --allow-duplicate option to allow duplicate values. If you do not specify the --uid option, the next available UID in the zone is used by default. You should not specify UID values between 0 and 99. Values between 0 and 99 are typically reserved for system accounts.
    Note: You cannot specify this option when connected to Auto Zone.

-o, --allow-duplicate
    Allow the UID value for the user to be the same as the UID used in another user profile.
    Note: You cannot specify this option when connected to Auto Zone.

(login shell option; option name missing from the extracted text)
    Change the user's login shell. If you don't specify this option, the system selects the default login shell for the operating environment when the user logs on.
    Note: You cannot specify this option when connected to Auto Zone.

(account lock option; option name missing from the extracted text)
    Lock or unlock a user's account in Active Directory.

--forcepw
    Change whether the specified user should be forced to enter a password at the next logon.

(DES encryption option; option name missing from the extracted text)
    Change the "Use DES encryption types for this account" setting in Active Directory for the specified user.
--spn servicePrincipalName
    Specify the servicePrincipalName to add for this user account. Specifying a service principal name is particularly useful if you intend to use prevalidated authentication. To specify the servicePrincipalName, use the format:
    service/samAccountName
    For example, to add a service principal for the prevalidation service, preval, for the user account kai:
    --spn preval/kai kai

-x, --remove-spn servicePrincipalName
    Specify the servicePrincipalName to remove for this user account. For example, to remove the service principal for the prevalidation service, preval, for the user account kai:
    --remove-spn preval/kai kai

(zone access option; option name missing from the extracted text)
    Enable or disable access to the current zone for the specified user.
    Note: You cannot specify this option when connected to Auto Zone.

-U, --unlock
    Unlock a user account that has been locked because of failed password attempts.
-X
    Add, delete, or modify the value of an extended attribute for the user. Typing a plus sign (+) before the attribute name adds the extended attribute if it doesn't exist. Typing a minus sign (-) before the attribute name removes the attribute, if it exists. For example, to set the value of the extended attribute aix.rlogin:
    adupdate modify user -X +aix.rlogin=true jae
    Note: You cannot specify this option when connected to Auto Zone. Extended attributes are only applicable on AIX computers. You can use adquery and the keyword help to view a list of the supported extended attributes. For example:
    adquery user --extattr help

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

UNIXlogin
    Specify the UNIX login name for the user in the current zone. The user must exist and be enabled for UNIX access in the same zone as the computer.
To change the UID for a UNIX user profile if you are logged on with an account with permission to modify user information in the domain, you could type a command line similar to the following:
adupdate modify user --uid 700 jcole
To change the UNIX user name and home directory for the UNIX user jim to kuoj if you are logged on with an account with permission to modify user information in the domain, you could type a command line similar to the following:
adupdate modify user --login kuoj --home /home/kuoj --move-home jim
To force the user kuoj to change his password the next time he logs on, you could type a command line similar to the following:
adupdate modify user --forcepw on kuoj
Note: You may need to refresh the console you are using to verify changes were made.

You can use the following options with the adupdate delete user command:

Use this option   To do this

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to remove an Active Directory user account from the domain. You must use the user@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available or user account specified, the Administrator user account is used to connect to Active Directory.
(administrative password option; option name missing from the extracted text)
    Specify the password for the Active Directory administrative account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-R, --rmhome
    Remove the user's home directory on the Centrify DirectControl-managed system.

-r, --remove
    Remove the associated Active Directory user account from Active Directory without interactive confirmation.

-i, --interactive
    Confirm the deletion of the UNIX profile or Active Directory user account interactively before removing the user.

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

user[@domain]
    Specify the UNIX user profile name or Active Directory user login name (samAccountName@domain) for the user in the current zone. The user must exist and be enabled for UNIX access in the same zone as the computer. If the user name you specify does not uniquely identify the user, you must include the domain name in the command line. For example:
    kris@iowa.arcadia.net
To remove the UNIX user profile from the current zone if you are logged in with a user account with permission to delete user information from the domain, you could type a command similar to the following:
adupdate delete user -V sunni
To remove a UNIX profile account if your current user account does not have permission to delete users from the domain, you must provide the user name and password for an account with permission to delete users from the domain. For example, if the user paolo@acme.com is an administrator with permission to remove user profiles from the domain, you could type a command similar to the following:
adupdate delete user --admin paolo@acme.com -V sunni
You are then prompted for the Active Directory password for the paolo@acme.com account. If the user name and password for the administrator's account are valid, the user profile is removed from Active Directory. If you also want to remove the Active Directory user account, you could type a command similar to the following:
adupdate delete user --admin paolo@acme.com --verbose --remove --interactive sunni
After you provide the Active Directory password for the paolo@acme.com account, this command connects to Active Directory and prompts you to confirm whether you want to delete the account:
Delete Centrify user CN=Sunni Ashton,CN=Users,DC=ajax,DC=org ? (Yes/No)
You can then type y to confirm that you want to delete the user.

Note: You may need to refresh the console you are using to verify changes were made.

You can use the following options with the adupdate add group command:

Use this option   To do this

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to add a new Active Directory group to the domain. You must use the user@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available or user account specified, the Administrator user account is used to connect to Active Directory.

(administrative password option; option name missing from the extracted text)
    Specify the password for the Active Directory administrative account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note: Specifying a password in the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-C, --create
    Create a new UNIX group profile and Active Directory group.
-G, --group groupname
    Specify the group name to be associated with the new UNIX group in canonical form or by its samAccountName attribute in Active Directory. This option is required and is used for the samAccountName, displayName, and LDAP common name (cn) attributes in Active Directory.

-g, --gid
    Specify the numeric value of the group identifier (GID) for the new group profile.

-o, --allow-duplicate
    Allow the GID value for the new group to be the same as the GID used in another group profile.

-R, --required
    Make the new group a required group for all of the users who are members of the group. Required groups cannot be removed when users change their active set of groups using the adsetgroups command.

--container
    Specify the relative distinguished name (RDN) of the container or Organizational Unit in which you want to place this group account. The RDN represents the direct parent object for the group.
    Note: You must specify a container for the new group object when creating a new group with the adupdate command. You can use the domain's default Users container object, for example, ajax.org/Users, or any other existing parent container object. If the container you specify does not exist in Active Directory, however, the group account will not be created. In addition, you must have permission to add entries to the specified container.

--type
    Specify the type of Active Directory security group to create. The valid group types are domain local, global across domains, or universal. If you don't specify the group type, the group is added as a global group by default.

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

groupname
    Specify the UNIX name for the group.
To add the group profile qa002 to the Active Directory QA group if you are logged in with a user account with permission to add groups to the domain, you could type a command line similar to the following:
adupdate add group -g 9000 -G ajax.org/Users/QA qa002
To create a new Active Directory group with a UNIX profile if you are logged in with a user account with permission to add groups to the domain, you could type a command line similar to the following:
adupdate add group --create --container Users --gid 9000 --group ajax.org/Users/QA --type universal qa002
You can use the following options with the adupdate modify group command:

Use this option   To do this

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to modify an Active Directory group. You must use the user@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available or user account specified, the Administrator user account is used to connect to Active Directory.

(administrative password option; option name missing from the extracted text)
    Specify the password for the Active Directory administrative account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note: Specifying a password in the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-g, --gid
    Modify the numeric group identifier (GID) for the specified group profile.

-o, --allow-duplicate
    Allow the GID value for the group to be the same as the GID used in another group profile.

(group name option; option name missing from the extracted text)
    Modify the UNIX group name for the specified group.

--member
    Add a new user or group as a member of the specified group.

--remove
    Remove a user or group as a member of the specified group.

-R, --required
    Make the specified group a required group for all of the users who are members of the group. Required groups cannot be removed when users change their active set of groups using the adsetgroups command.

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

groupname
    Specify the UNIX name for the group. The group must exist and be enabled for UNIX access in the same zone as the computer.
To change the GID for a UNIX group profile if you are logged on with an account with permission to modify group information in the domain, you could type a command similar to the following:
adupdate modify group --gid 700 javax
To add a new user to the UNIX group javax if you are logged on with an account with permission to modify group information in the domain, you could type a command similar to the following:
adupdate modify group --member jcole -V javax
To add a group or user as a new member of a UNIX group, the group or user must be enabled for UNIX access in the host computer's zone. In addition, you can only specify one new user or group member each time you run this command. To remove a group or user from the list of members for a group, you could type a command similar to the following:
adupdate modify group --remove luis -V javax
Deleting a group

You can use adupdate delete group to remove an existing group profile from the current zone or delete an Active Directory group. The basic syntax for the adupdate delete group program is:

adupdate delete group [options] groupname

Setting options for deleting a group

You can use the following options with the adupdate delete group command:

Use this option   To do this

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to remove an Active Directory user account from the domain. You must use the user@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available or user account specified, the Administrator user account is used to connect to Active Directory.

(administrative password option; option name missing from the extracted text)
    Specify the password for the Active Directory administrative account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-i, --interactive
    Confirm the deletion of the group profile interactively before removing the group.

--remove
    Remove the Active Directory group associated with the group profile.

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

groupname
    Specify the UNIX name for the group. The group must exist and be enabled for UNIX access in the same zone as the computer.
To remove the UNIX group profile from the current zone when you are logged in with an account with permission to delete groups from the domain, you could type a command line similar to the following:
adupdate delete group performx
If you also want to remove the Active Directory group associated with the UNIX group, you could type a command similar to the following:
adupdate delete group --admin paolo --verbose --remove --interactive unixdev
After you provide the Active Directory password for the paolo account, this command connects to Active Directory and prompts you to confirm whether you want to delete the group. For example:
Delete Centrify group CN=Unix developers,CN=Users,DC=ajax,DC=org ? (Yes/No)
You can then type y to confirm that you want to delete the group.
Note: You may need to refresh the console you are using to verify changes were made.
Error code
    Indicates
(error code not shown)
    A Centrify DirectControl setting could not be read.
157 ERR_NOT_SUPPORT_ZONE
    The type of zone you are attempting to update is obsolete and no longer supported.
158 ERR_USER_IN_ZONE
    The user profile you are attempting to add already exists in the zone.
159 ERR_USER_IN_AD
    The user you are attempting to add already exists in Active Directory.
160 ERR_DUP_UID
    The user's UID already exists in the zone.
161 ERR_NOT_FIND_CENTRIFY_GROUP_OBJ
    The group profile could not be found.
162 ERR_NOT_SPECIFY_INIT_GROUP
    A default group has not been defined for the zone. If a default primary group does not exist for a zone, you must specify the GID of the user's primary group.
(error code not shown)
    You must specify a container for the Active Directory object you are adding.
164 ERR_CANNOT_ADD_CENTRIFY_USER
    The Centrify DirectControl user profile cannot be added, for example, because the user name or UID already exists in the zone.
165 ERR_CANNOT_CREATE_HOME_DIR
    The home directory could not be created.
166 ERR_SKIP_CREATE_HOME_DIR
    The automatic creation of the user's home directory will be skipped.
167 ERR_ADD_USER_FAILED
    The attempt to add a user failed.
168 ERR_TIME_SYNC_FAILED
    The attempt to synchronize system clocks failed.
169 ERR_CANNOT_UPDATE_USER
    The user account cannot be updated in Active Directory. For example, you may see this error if the user account running the command does not have sufficient permissions to modify the user account.
170 ERR_MOD_USER_FAILED
    The attempt to modify the user profile failed.
171 ERR_DEL_USER_FAILED
    The attempt to delete the user profile failed.
172 ERR_CANNOT_DELETE_USER
    The user account cannot be deleted in Active Directory. For example, you may see this error if the user account running the command does not have sufficient permissions to delete the user.
173 ERR_GROUP_IN_ZONE
    The group profile you are attempting to add already exists in the zone.
(error code not shown)
    The group you are attempting to add already exists in Active Directory.
175 ERR_NOT_FIND_AD_GROUP_OBJ
    The Active Directory group could not be found.
176 ERR_DUP_GID
    The group's GID already exists in the zone.
177 ERR_CANNOT_ADD_CENTRIFY_GROUP
    The Centrify DirectControl group profile cannot be added, for example, because the group name or GID already exists in the zone.
178 ERR_ADD_GROUP_FAILED
    The attempt to add a group failed.
179 ERR_CANNOT_UPDATE_GROUP
    The group account cannot be updated in Active Directory. For example, you may see this error if the user account running the command does not have sufficient permissions to modify the group.
180 ERR_MOD_GROUP_FAILED
    The attempt to modify the group failed.
181 ERR_CANNOT_DELETE_GROUP
    The group cannot be deleted in Active Directory. For example, you may see this error if the user account running the command does not have sufficient permissions to delete the group.
182 ERR_DEL_GROUP_FAILED
    The attempt to delete the group failed.
Using adquery
Appendix A Using Centrify DirectControl UNIX commands
The adquery command enables you to query Active Directory for information about users and groups from the command line on a Centrify DirectControl-managed system. The options you can use depend on whether you are looking up user information or group information. You can look up information for a specific user or group or for all of the users or groups in a zone. The basic syntax for the adquery program is as follows:
adquery user|group [options] [username|groupname]
You can specify a single option in the command line to have the information returned as one value per line suitable for use in scripts. If you specify multiple options in the command line, the information returned is formatted in a list with field labels identifying each value.
You can specify the username in any supported format. If the user name includes any blank spaces, the name should be enclosed by quotation marks. For example, if you want to specify an Active Directory account name consisting of a first name and a last name, you can type a command similar to the following:
adquery user --samname --enabled "Jae Park"
You can use the following options with the adquery command:
adquery user options
Use this option
    To do this
-h, --home
    Display the specified user's home directory or the home directory for all users in the zone.
--gid
    Display the specified user's primary group identifier (GID) or the primary group identifier (GID) for all users in the zone.
-G, --groups
    List the UNIX-enabled groups the user is a member of.
-a, --adgroups
    List all of the Active Directory groups the user is a member of. Active Directory groups are listed by canonical name.
--shell
    Display the user's default shell.
--uid
    Display the user identifier (UID) for the specified user or for all users in the zone.
-p, --display
    Display the displayName attribute for the user or for all users in the zone.
-o, --gecos
    Display the contents of the GECOS field for the user or for all users in the zone.
-n, --unixname
    Display the UNIX login name for the specified user or for all users in the zone.
-M, --samname
    Display the Active Directory logon name for the specified user or for all users in the zone.
-i, --sid
    Display the Active Directory security identifier (SID) for the specified user or for all users in the zone.
-P, --principal
    Display the Kerberos user principal name (UPN) for the specified user or for all users in the zone.
-S, --service
    Display the Kerberos service principal name (SPN) for the specified user or for all users in the zone.
-C, --canonical
    Display the Active Directory canonical name for the specified user or for all users in the zone.
(option name not shown)
    Display the UNIX password hash for the specified user if you are using password synchronization between Active Directory and DirectControl-managed computers. You must be logged on as the root user or querying Active Directory for your own account information to retrieve the password hash.
-x, --acct-expire
    Display the date the user account expires. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-w, --pwd-expire
    Display the date the current password for the user account expires. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-c, --pwd-nextchange
    Display the date after which the user may change their password. You must be either logged on as the root user or be querying Active Directory for your own account information to retrieve this information.
-l, --pwd-lastchange
    Display the date of the last password change for the user. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-k, --locked
    Determine whether the Active Directory account for the user is locked because of failed attempts to log on. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
(option name not shown)
    Determine whether the Active Directory account for the user has been disabled. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-e, --enabled
    Determine whether the Active Directory account for the user has been enabled for UNIX access in the current zone.
-D, --dn
    Display the distinguished name (dn) for the specified user or for all users in the zone.
-W, --userWorkstations
    List the value of the user's Active Directory userWorkstations attribute, which specifies the machines from which the user may log into the domain. If the output is blank, the user is not restricted to a particular machine.
-A, --all
    List all of the information returned by the other command line options for the user.
-F, --cache-first
    Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.
(option name not shown) char
    Specify the separator character or string (char) to use between fields. The default separator between fields is a colon (:). For example:
    jae:uid:525
(option name not shown) char
    Specify the separator character or string (char) to use between the values in a list. The default separator between values in a list is a comma (,). For example:
    jae:unixGroups:testlab,dev2
-f, --prefix
    Add the user's UNIX user name as a prefix when returning single values. This option formats the information returned to include the user's UNIX name when you are querying for a specific attribute, such as the user's UID or displayName. This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the user's UNIX name and a label identifying each attribute by default.
-X, --extattr
    Display the list of extended attributes or the value of a specified extended attribute.
    Note: Extended attributes are only applicable on AIX computers.
    You can use the keyword help to view a list of the supported extended attributes. For example:
    adquery user --extattr help
    To look up the value of a specific extended attribute, include the name of the attribute in the command line. For example, to look up the value of the aix.rlogin extended attribute:
    adquery user -X aix.rlogin jae
-v, --version
    Display version information for the installed software.
You must use the canonical format for the group name if specifying the Active Directory group name. For example, if you want to specify the Active Directory group name, you can type a command similar to the following:
adquery group ajax.org/Users/TestExpert Team
You can use the following options with the adquery command:
adquery group options
Use this option
    To do this
-m, --members
    List the UNIX members of the specified group or of all groups in the zone.
-a, --admembers
    List the Active Directory members of the specified group or of all groups in the zone.
-s, --sammembers
    List Active Directory members of the specified group or all groups in the form name@domain; for example:
    jsmith@AJAX.COM
-g, --gid
    Display the group identifier (GID) for the specified group or of all groups in the zone.
-q, --required
    Display whether membership in the specified group is required or not. For more information about required groups, see adsetgroups.
-n, --unixname
    Display the UNIX group name for the group.
-M, --samname
    Display the Active Directory name for the group.
-i, --sid
    Display the Active Directory security identifier (SID) for the group.
-C, --canonical
    Display the Active Directory canonical name for the group.
-D, --dn
    Display the distinguished name (dn) for the group.
-A, --all
    List all of the information returned by the other command line options for the group. If you use this option without specifying a group name, the command lists details for all of the groups in the zone.
-F, --cache-first
    Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.
(option name not shown) char
    Specify the character or string (char) to use as the separator between an attribute name and its value. The default separator between attributes and values is a colon (:). For example:
    unixname:qa-euro
-R, --list-separator char
    Specify the character or string (char) to use as the separator between the values in a list. The default separator between values in a list is a comma (,). For example:
    unixGroups:unixdev,testexpe
-f, --prefix
    Add the UNIX group name as a prefix when returning single values. This option formats the information returned to include the UNIX group name when you are querying for a specific attribute, such as the group GID or membership list. This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the UNIX group name and a label identifying each attribute by default.
(option name not shown)
    Display the scope and group type for a specified group. The valid group types are: local security, global security, universal security.
-v, --version
    Display version information for the installed software.
For example, to see a complete list of details about the unixdev group, you would type:
adquery group --all unixdev
This command returns the results for the unixdev group in the following format:
unixname:unixdev
gid:400
required:false
dn:CN=Unix Developers,CN=Users,DC=ajax,DC=org
groupType:global security
samAccountName:Unix Developers
sid:S-1-5-21-3619768212-1024502798-2657341593-1106
canonicalName:ajax.org/Users/Unix Developers
members:ajax.org/Users/Ashish Menendez,ajax.org/Users/Ben Waters,ajax.org/Users/Monte Fisher,ajax.org/Users/Jae Kim,ajax.org/Users/Jay W. Reynolds,ajax.org/Users/Pierre Leroy,ajax.org/Users/Rae Parker,ajax.org/Users/Zoe Green
unixMembers:ashish,ben,fisher,jae,jay,pierre,rae,zoe
Similarly, if you want to see a complete list of details about the user jae@ajax.org, you would type:
adquery user --all jae@ajax.org
This command returns the results for the user in the following format:
unixname:jae
uid:409
gid:400
gecos:Jae Kim
home:/home/jae
shell:/bin/bash
dn:CN=Jae Kim,CN=Users,DC=ajax,DC=org
samAccountName:jae
display:jae
sid:S-1-5-21-3619768212-1024502798-2657341593-1185
userPrincipalName:jae@AJAX.ORG
servicePrincipalName:
canonicalName:ajax.org/Users/Jae Kim
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 12 15:21:04 2007
nextPasswordChange:Fri Mar 2 14:21:04 2007
lastPasswordChange:Thu Mar 1 14:21:04 2007
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:unixdev,testexpe
memberOf:ajax.org/Users/Unix Developers,ajax.org/Users/Domain Users,ajax.org/Performix/TestExpert Team
When you specify a single attribute in the command line, the information is displayed as one value per line without any attribute label or identifier. For example, if you want to return the canonical name for the qa-euro group as an unlabeled value, you would type:
adquery group --canonical qa-euro
This command displays the canonical name without any prefix or label:
ajax.org/Users/QA Europe
Similarly, if you want to return only the UID for the user rae@ajax.org, you would type:
adquery user --uid rae@ajax.org
10003
To list a single attribute about multiple groups or users, you can specify the additional groups or users in the command line. For example, to see a list of the UNIX user names of Active Directory members for the testexp, performx and unixdev groups, you would type:
adquery group --members testexp performx unixdev
This command returns the UNIX user names of the members in each group in the following format:
ben,fisher,jae,jolie,rae
zoe
ashish,ben,fisher,jae,jay,pierre,rae,zoe
If you want the results to include the UNIX user name or group name, you can add the --prefix option to the command line. For example, to include the UNIX group name with a membership list for the testexp, performx and unixdev groups, you would type:
adquery group --members --prefix testexp performx unixdev
This command returns the members in each group in the following format:
testexp:ben,fisher,jae,jolie,rae
performx:zoe
unixdev:ashish,ben,fisher,jae,jay,pierre,rae,zoe
When you query multiple attributes for a user or group, the results display the UNIX user or group name, followed by an attribute label to identify the attribute values displayed. For example, to return the samAccountName and unixGroups for the users rae, ben, ashish, and jae, you would type:
adquery user --samname --groups rae ben ashish jae
This command returns the requested information for each user in the following format:
rae:samAccountName:rae-old
rae:unixGroups:unixdev,testexpe,perform2
ben:samAccountName:ben
ben:unixGroups:qualtrak,unixdev,testexpe
ashish:samAccountName:ashish
ashish:unixGroups:qualtrak,unixdev
jae:samAccountName:jae
jae:unixGroups:unixdev,testexpe,perform2
If you don't specify a username or groupname in the command line, the adquery command returns information for all users or all groups in the current zone. The format of the output depends on whether you specify a single attribute or multiple attributes and any other options you set. For example, to list the UNIX group names and GIDs for all of the groups in the current zone, you would type:
adquery group --gid --prefix
This command returns the group names and GIDs in the following format:
unixdev:400
oracle:700
qualtrak:800
performi:401
perform2:402
financeu:403
testexpe:404
integrit:405
Similarly, to return a list of UIDs and display names for all of the users in the current zone, you would type:
adquery user --uid --display
For example:
rae-old:uid:10003
rae-old:displayName:Rae S. Parker
jay:uid:501
jay:displayName:Jay W. Reynolds
zoe:uid:502
zoe:displayName:Zoe Green
ben:uid:503
ben:displayName:Ben Waters
ashish:uid:504
ashish:displayName:Ashish Menendez
fisher:uid:505
fisher:displayName:Monte Fisher
pierre:uid:506
pierre:displayName:Pierre Leroy
lynn:uid:507
lynn:displayName:Lynn Hogan
tess:uid:508
tess:displayName:Tess Adams
jolie:uid:509
jolie:displayName:Jolie Ames-Anderson
jae:uid:510
jae:displayName:Jae Kim
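The one-value-per-line and name:attribute:value formats shown above are what a script would consume. The Python below is an added example, not part of the Centrify documentation or tooling: it parses prefixed multi-attribute output (and the unprefixed attribute:value form that adquery user --all prints for one user) into dictionaries, splitting only on the leading separators so distinguished names and timestamps that themselves contain commas or colons survive, and then runs two reviews over the result: UIDs shared by more than one profile (the condition adupdate refuses with ERR_DUP_UID), and zone-enabled users whose Active Directory account is locked or disabled. The sample output is constructed; its attribute labels are the ones shown in this section, and the command assumed to produce it is adquery user with --prefix and the matching attribute options.

```python
from collections import defaultdict

# Constructed sample output, shaped like the labelled, prefixed lines that
# adquery user prints when several attributes are requested (assumed command:
# adquery user --prefix plus the attribute options). The shared UID 503 and
# the locked/disabled flags are deliberate so the checks below report them.
SAMPLE_USER_OUTPUT = """\
rae:samAccountName:rae-old
rae:uid:10003
rae:unixGroups:unixdev,testexpe,perform2
rae:accountLocked:true
rae:accountDisabled:false
rae:zoneEnabled:true
ben:samAccountName:ben
ben:uid:503
ben:unixGroups:qualtrak,unixdev,testexpe
ben:accountLocked:false
ben:accountDisabled:false
ben:zoneEnabled:true
ashish:samAccountName:ashish
ashish:uid:503
ashish:unixGroups:qualtrak,unixdev
ashish:accountLocked:false
ashish:accountDisabled:true
ashish:zoneEnabled:true
"""

# Attributes that adquery prints as comma-separated lists (labels from this section).
LIST_ATTRS = {"unixGroups", "memberOf", "members", "unixMembers"}


def parse_adquery(text, prefixed=True, field_sep=":", list_sep=","):
    """Parse adquery output into {name: {attribute: value}}.

    prefixed=True expects name:attribute:value lines (multi-attribute or
    --prefix output). prefixed=False expects attribute:value lines, as printed
    by "adquery user --all <user>", and keys that single record by its unixname.
    Splitting stops after the leading separators, so a DN such as
    CN=Jae Kim,CN=Users,DC=ajax,DC=org or a timestamp with colons stays whole.
    """
    records = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        if prefixed:
            parts = line.split(field_sep, 2)
            if len(parts) != 3:
                raise ValueError(f"unexpected prefixed line: {line!r}")
            name, attr, value = parts
        else:
            parts = line.split(field_sep, 1)
            if len(parts) != 2:
                raise ValueError(f"unexpected line: {line!r}")
            attr, value = parts
            name = "_single"
        if attr in LIST_ATTRS:
            value = [v.strip() for v in value.split(list_sep) if v.strip()]
        records[name][attr] = value
    result = dict(records)
    if not prefixed and "_single" in result:
        rec = result.pop("_single")
        result[rec.get("unixname", "?")] = rec
    return result


def duplicate_uids(records):
    """Return {uid: [names]} for UIDs shared by more than one user profile."""
    by_uid = defaultdict(list)
    for name, attrs in records.items():
        if "uid" in attrs:
            by_uid[attrs["uid"]].append(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def zone_enabled_but_unusable(records):
    """Names of zone-enabled users whose AD account is locked or disabled."""
    flagged = []
    for name, attrs in sorted(records.items()):
        if attrs.get("zoneEnabled") != "true":
            continue
        if attrs.get("accountLocked") == "true" or attrs.get("accountDisabled") == "true":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    users = parse_adquery(SAMPLE_USER_OUTPUT)
    for uid, names in duplicate_uids(users).items():
        print(f"duplicate UID {uid}: {', '.join(names)}")
    for name in zone_enabled_but_unusable(users):
        print(f"zone-enabled but locked or disabled in AD: {name}")
```

To run it against a real zone, replace SAMPLE_USER_OUTPUT with the text read from a pipe (for example sys.stdin.read()); the checks return dictionaries and lists rather than printing, so they can feed a larger audit script or a ticketing step.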
Using adgpupdate
Note: The adgpupdate command requires that you are running DirectControl with a license.
The adgpupdate command retrieves group policies from the Active Directory domain controller and applies the policy settings to the local computer and current user immediately. Under normal conditions, without running this command, group policies are updated automatically every 90 to 120 minutes by default. If you want a policy change to take effect immediately, however, you can force the group policy to be refreshed by running the adgpupdate command. Upon updating the group policy, the adgpupdate command then resets the timer for the next automatic update to occur in the next 90 to 120 minutes. Automatic group policy updates occur at a random interval between 90 and 120 minutes to prevent multiple computers from connecting to and requesting updates from the Active Directory domain controllers at the same time. However, both the default interval of 90 minutes and the default offset period of 30 minutes can be configured to other values using group policy settings. Therefore, the automatic group policy update may occur more or less frequently in your environment. For information about setting computer and user group policies, see the Group Policy Guide. For information about customizing the group policy update, see the Configuration Parameters Reference Guide.
Note: By default, the adgpupdate command updates both the computer-based group policies and the user-based group policies for the user who is currently logged in and running the adgpupdate command. With a command line setting, you can restrict the group policies updated to be only computer group policies or only the current user's group policies, if needed.
Use this option
    To do this
--target Computer|User
    Restrict the group policy update to either Computer group policy or User group policy.
-V, --verbose
    Displays information about each step in the group policy update process as it occurs. This option is useful for troubleshooting purposes.
-v, --version
    Display version information for the installed software.
If you only want to update computer group policy on the local computer, you can type a command similar to the following:
adgpupdate --target Computer
Note: To update user policies on a computer, you must be logged on as a valid Active Directory user. If you are not logged on as a valid Active Directory user, running adgpupdate will refresh the
Using adinfo
The adinfo command displays detailed Active Directory, network, and diagnostic information for a local UNIX computer. Options control the type of information and level of detail displayed. The basic syntax for the adinfo program is:
adinfo [option] [--user username[@domain]] [--password password]
The --domain, --gc, --zone, --zonedn, --site, --server, and --name options are intended for use in scripts to return the current Active Directory domain, global catalog domain controller, zone, site, domain controller, and computer account name, respectively. The other options provide more detailed or operation-specific information. You can use the --user and --password options in conjunction with the --all, --support, --diag, or --auth option to specify the user name and password of an Active Directory account with permission to read the computer account information in the Active Directory domain controller you are accessing. If you run adinfo while logged in as root, you do not need to specify the --user or --password option because the command uses the Active Directory account associated with the local host. If you run the adinfo command with a user account that doesn't have permission to read the computer account information in Active Directory, some information may not be available in the command output.
Note: To run the adinfo --support command, you must be logged in as root. You are not required to log in as root for any of the other adinfo options.
If you do not specify an option, adinfo returns the basic set of configuration details for the local computer, which is equivalent to specifying adinfo --all.
Use this option
    To do this
--domain
    Return the name of the local computer's Active Directory domain. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.
-G, --gc
    Return the name of the local computer's Active Directory domain controller used for global catalog operations. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.
-z, --zone
    Return the name of the local computer's Active Directory zone, or Auto Zone if the computer is joined to Auto Zone and not a member of any specific zone. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.
--zonedn
    Return the distinguished name (DN) of the local computer's Active Directory zone, or the distinguished name (DN) of the computer's Active Directory domain if the computer is joined to Auto Zone. The distinguished name is the name that uniquely identifies an entry in the directory, beginning with the most specific attribute and continuing with progressively broader attributes. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.
-s, --site
    Return the name of the local computer's Active Directory site. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.
-r, --server
    Return the fully-qualified name of the local computer's Active Directory domain controller. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.
-n, --name
    Return the fully-qualified name of the local computer's computer account name in Active Directory. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.
--all
    Return the following information:
    - Local host name
    - Domain the computer is joined to
    - Computer account name in Active Directory
    - Local preferred site
    - Centrify DirectControl zone
    - The date and time that the password was last reset for the computer's Active Directory computer account
    - Current operational mode indicating whether the computer is connected to Active Directory or running in disconnected mode
    Note: If you use this option but the user account doesn't have permission to read the computer account information in Active Directory, the command output does not indicate whether shell access has been enabled or information about the last password set.
--support
    Return all of the information supplied by the --all option and the following additional information:
    - The current configuration parameters set in /etc/centrifydc/centrifydc.conf
    - The key list from /etc/krb5.keytab
    This option is typically used to send complete diagnostic information to a file, which can then be sent to Centrify Technical Support for analysis. By default, the output for the command is written to the file /tmp/adinfo_support.txt. You can save the output in a different location or using a different file name by using the optional --output argument. To send --support output to stdout, use a hyphen (-) in the command line in place of the filename.
    Note: The root account is required if you want to retrieve the Kerberos key version stored in Active Directory for comparison with the local Kerberos key.
--diag
    Return the diagnostic information for the host computer and a specific Active Directory domain. If you don't specify the domain, the command returns information for the computer's current domain. Specifying a domain is useful when an attempt to join the computer to an Active Directory domain fails. By specifying adinfo --diag and the domain you tried to join, you can better diagnose why an attempt to join failed. This option returns the following information:
    - Local host name.
    - Local IP address.
    - List of the DNS servers for the specified domain.
    - Host name or IP address of the DNS server supplied by the domain controller.
    - Whether the domain controller has up-to-date global catalog data so that it can become the global catalog, if necessary.
    - Functional level of the specified Active Directory domain.
    - Functional level of the domain's Active Directory forest.
    - Functional level of the domain controller.
    - Name of the Active Directory forest to which the specified domain belongs.
    - Name of the computer account in Active Directory for this computer.
    - Kerberos key version for this computer.
    - List of Kerberos service principal names this computer has registered with Active Directory.
    Note: You should use the root user account when you use this option. If you don't use the root account, the command will not be able to bind to the domain controller or locate the computer account. The root account is also required to compare the local key version with the key version stored in Active Directory.
(option name not shown)
    Return the parsed contents of the Centrify DirectControl configuration file.
-m, --mode
    Display whether the computer is currently connected to Active Directory or running in disconnected mode. If the adclient process is not currently running at all, this option will return the agent status as down.
    Note: You should use the root user account when you use this option to display the appropriate status. If you don't use the root account, the command will not be able to check the adclient lock file to confirm whether adclient is running or not.
-T, --test
    Test the availability of the ports Centrify DirectControl requires for authentication through Active Directory.
-V, --verbose
    Display detailed information about each operation as it is performed. You can use this option in combination with other options.
-v, --version
    Display version information for the installed software.
-u, --user username[@domain]
    Identify an Active Directory user account with sufficient rights to read the computer account information. You must use the username@domain format to specify the user account if the username is not a member of the computer's current domain. If you do not specify the --user option, the default is the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
--auth
    Authenticate the user name and password for the user specified with the --user option against the specified domain. If you don't specify a domain, the user is validated against the currently joined domain. This option only validates that the user name and password you enter can be authenticated by Active Directory. You cannot use this option in combination with other options to display other types of information.
-S, --servername domain_controller
    Connect to a specific domain controller to perform network diagnostics. You can use this option in combination with any of the other options.
-C, --computer
    Display the service principal names (SPNs) associated with the computer account.
If the computer has joined a domain, this command displays information similar to the following:
Local host name:    magnolia
Joined to domain:   ajax.org
Joined as:          magnolia.ajax.org
Pre-win2k name:     magnolia
Current DC:         ginger.ajax.org
Preferred site:     Default-First-Site-Name
Zone:               ajax.org/Program Data/Centrify/Zones/default
Last password set:  2006-12-21 11:37:22 PST
CentrifyDC mode:    connected
Licensed Features:  Enabled
You can also use adinfo in shell scripts to return specific information, such as the domain a computer has joined. For example, the following command returns the host computers current domain and no other information:
adinfo --domain
For example:
ajax.org
The adinfo --diag command can also be useful in diagnosing Active Directory configuration issues and Kerberos problems. For example, in addition to other information, the --diag option returns the Kerberos key version for the UNIX computer. The key version is stored both locally and in the computer's Active Directory account. It is incremented when a service principal's password key changes. If the local key differs from the Active Directory account key version, it indicates that the local key is no longer in sync with the Active Directory key, and this may cause authentication to fail. By running adinfo --diag and checking the Key Version: field you can determine whether the key versions are the same or out of sync. If the versions are different, the Key Version field shows both keys and indicates which is local and which comes from Active Directory. If the computer isn't joined to a domain, it has no local key and the following is displayed:
Key Version: local key version unavailable
If the computer is joined to a domain other than the specified domain, the Active Directory key is shown as:
<unavailable>
If the computer has joined a domain, the adinfo --diag command displays information similar to the following truncated example:
Host Diagnostics
  uname: Linux magnolia 2.4.21-15.EL #1 Thu Apr 22 00:27:41 EDT 2004 i686
  OS: Red Hat Enterprise Linux ES
  Version: 3 (Taroon Update 2)
  Number of CPUs: 1
IP Diagnostics
  Local host name: magnolia
  FQDN host name: magnolia (domain missing?)
  Local IP Address: 192.168.147.135
Domain Diagnostics:
  Domain: ajax.org
  Subnet site: Default-First-Site-Name
  DNS query for: _ldap._tcp.ajax.org
  Found SRV records: ginger.ajax.org:389
  Testing Active Directory connectivity:
    Domain Controller: ginger.ajax.org
      ldap: 389/udp - good
      ldap: 389/tcp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
  Domain Controller: ginger.ajax.org:389
    Domain controller type: Windows 2003
    Domain Name: AJAX.ORG
    isGlobalCatalogReady: TRUE
    domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AJAX.ORG
  DNS query for: _gc._tcp.AJAX.ORG
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
  Domain Controller: ginger.ajax.org:3268
    Domain controller type: Windows 2003
    Domain Name: AJAX.ORG
    isGlobalCatalogReady: TRUE
    domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AJAX.ORG
  Retrieving zone data from ajax.org
    Centrify DirectControl 2.x zones:
      ConsumerDiv - ajax.org/Program Data/Centrify/Zones/ConsumerDiv
      Manufacturing - ajax.org/Program Data/Centrify/Zones/Manufacturing
      London - ajax.org/Program Data/Centrify/Zones/London
    Centrify Microsoft SFU zones:
      default - ajax.org/Program Data/Centrify/Zones/default
Computer Account Diagnostics
  Joined as: magnolia
  Key Version: 5
  Service Principal Names:
    nfs/magnolia.ajax.org
    nfs/magnolia
    host/magnolia.ajax.org
    host/magnolia
    ftp/magnolia.ajax.org
    ftp/magnolia
    cifs/magnolia.ajax.org
    cifs/magnolia
    HTTP/magnolia.ajax.org
    HTTP/magnolia
Centrify DirectControl Status
  Running in connected mode
To test whether a specific user can be authenticated by a specific Active Directory domain controller, you could type a command similar to the following:

adinfo --auth --user rae --servername ginger.ajax.org

You are then prompted for the Active Directory password for the rae user account. If Active Directory can authenticate the user, a confirmation message similar to the following is displayed:

Password for user rae is correct

Because this performs a real authentication against the domain controller, a wrong password counts as a failed logon for that account and counts toward any account lockout policy in effect.
To test connectivity and the availability of required ports on the Active Directory domain controller, you could type a command similar to the following:

adinfo --test

If the computer is joined to a domain and the connection to Active Directory succeeds, the command displays information similar to the following:

Domain Diagnostics:
  Domain: ajax.org
  DNS query for: _ldap._tcp.ajax.org
  DNS query for: _gc._tcp.ajax.org
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
    Domain Controller: ginger.ajax.org
      ldap: 389/tcp - good
      ldap: 389/udp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
      ntp: 123/udp - good

Any check that does not report good identifies a port that is blocked between the UNIX computer and the domain controller, or a service that is not answering on the domain controller, and should be resolved before troubleshooting authentication further.
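A check script for this output, as an added example that is not part of Centrify DirectControl or of this guide: it parses the port-check lines and the Key Version field shown above and reports anything that is not good. The sample text is constructed from the output above with one check altered to a failing status; the exact wording adinfo prints for a failed check or for a mismatched key version is not shown in the guide, so the script treats any status other than good, and any Key Version value that is neither a single integer nor the documented "local key version unavailable" text, as a problem. The REQUIRED set is this example's choice of which checks must be present.

```python
"""Parse adinfo --test / --diag output and flag problems (added example)."""
import re
import sys
from typing import List, Set, Tuple

# Constructed sample modelled on the adinfo --test output above, with the
# kpasswd check altered to a non-"good" status to exercise the logic.
SAMPLE_TEST_OUTPUT = """\
Domain Diagnostics:
  Domain: ajax.org
  DNS query for: _ldap._tcp.ajax.org
  DNS query for: _gc._tcp.ajax.org
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
    Domain Controller: ginger.ajax.org
      ldap: 389/tcp - good
      ldap: 389/udp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - failed
      ntp: 123/udp - good
Computer Account Diagnostics
  Joined as: magnolia
  Key Version: 5
"""

# "kpasswd: 464/tcp - good" -> (service, port, protocol, status)
PORT_CHECK = re.compile(r"^\s*(\w+):\s+(\d+)/(tcp|udp)\s+-\s+(.+?)\s*$")
KEY_VERSION = re.compile(r"^\s*Key Version:\s*(.*?)\s*$")

# Checks that must be present and good for a joined agent to work (this
# example's selection, taken from the checks adinfo performs above).
REQUIRED = {("ldap", 389, "tcp"), ("smb", 445, "tcp"), ("kdc", 88, "tcp"),
            ("kpasswd", 464, "tcp"), ("gc", 3268, "tcp")}


def parse_port_checks(text: str) -> List[Tuple[str, int, str, str]]:
    """Every port-check line as (service, port, proto, status)."""
    checks = []
    for line in text.splitlines():
        m = PORT_CHECK.match(line)
        if m:
            checks.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return checks


def failed_checks(text: str) -> List[Tuple[str, int, str, str]]:
    """Port checks whose status is anything other than 'good'."""
    return [c for c in parse_port_checks(text) if c[3] != "good"]


def missing_checks(text: str) -> Set[Tuple[str, int, str]]:
    """Required checks adinfo did not run at all, e.g. because the output
    stopped early when no domain controller could be located."""
    seen = {(s, p, pr) for s, p, pr, _ in parse_port_checks(text)}
    return REQUIRED - seen


def key_version_status(text: str) -> str:
    """'ok' for a single integer, 'unjoined' for the documented unavailable
    text, 'mismatch' for anything else (the guide says a differing local and
    AD version shows both), 'absent' if the field is not in the output."""
    for line in text.splitlines():
        m = KEY_VERSION.match(line)
        if not m:
            continue
        value = m.group(1)
        if value.isdigit():
            return "ok"
        if "unavailable" in value:
            return "unjoined"
        return "mismatch"
    return "absent"


def main() -> int:
    text = sys.stdin.read()      # usage: adinfo --diag | python3 adinfo_check.py
    problems = failed_checks(text)
    for service, port, proto, status in problems:
        print(f"FAIL    {service} {port}/{proto}: {status}")
    missing = missing_checks(text)
    for service, port, proto in sorted(missing):
        print(f"MISSING {service} {port}/{proto}: not tested")
    kv = key_version_status(text)
    if kv not in ("ok", "absent"):
        print(f"KEY VERSION: {kv} (local keys and AD computer account may be out of sync)")
    return 1 if problems or missing or kv == "mismatch" else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pipe adinfo --test (or adinfo --diag, which adds the Key Version field) into the script; a non-zero exit status means a port, a missing check, or a key version mismatch needs attention, which makes it usable from a fleet health check.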
The adinfo command returns the following command-specific result codes when errors are encountered:

...  ...
     The computer account password has been changed. If you encounter this error, you may need to manually reset the computer account password in Active Directory, then rerun the adinfo command.
157  ERR_KRB_READ_FORMAT
     A Kerberos format error occurred when reading the Kerberos configuration file. You should rename or remove the configuration file, then rerun the adinfo command.
158  ERR_NOT_FQDN_NAME
     The server name must be a fully-qualified domain name.
Using addebug
The addebug command is used to start or stop detailed logging activity for Centrify DirectControl on a local UNIX computer. The basic syntax for the addebug program is:

addebug [on | off | clear]

If you run the addebug on command, all of the Centrify DirectControl activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging on, the addebug program records messages from PAM and NSS requests in the /var/log/centrify_client.log file, so you should also check that file when logging is enabled. If you do not specify an option, addebug displays its current status, indicating whether logging is active or disabled.

Option  To do this
on      Start logging all Centrify DirectControl daemon activity.
off     Stop logging Centrify DirectControl daemon activity.
clear   Clear the existing log file, then continue logging activity to the cleared log file.
Note: You must type the full path to the command because addebug is not included in the path by default.

This command records information in the /var/log/centrifydc.log file similar to the following:

...
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Joining domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Getting the KDC List for garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Updating config file with domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Created user LDAP connection
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Destroying binding to 'garfield.com'
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Attempting connection to server
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connecting to odie.garfield.com:389
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connected
...

For performance and security reasons, you should only enable Centrify DirectControl logging when necessary, for example, when requested to do so by Centrify Technical Support, and for short periods of time. The log records host names, user names, LDAP queries and other details of every PAM and NSS request, so treat it as sensitive: restrict who can read it and obscure it with adobfuscate before sending it outside your organization. To discontinue logging, type:

addebug off
Using adobfuscate
The adobfuscate command allows you to obscure sensitive data in a log file, such as email addresses, hostnames, and usernames, before sending the file to Centrify for analysis. You create a pattern file using regular expressions to identify specific patterns in the file. The command reads the pattern file and replaces items matched by the patterns with generic values.

The adobfuscate command operates in two passes. The first pass searches for patterns (as defined in the pattern file) in the log file and creates a map file that contains the specific values to be hidden, as well as a unique token to replace each one. For example, in the pattern file you can search for hostnames (see Examples of using adobfuscate on page 405 for specific information on how to use regular expressions in the pattern file to identify items in the log file to hide). In the map file, adobfuscate creates a list of hostname and replacement-value tuples; for example:

centrify.com    hostcom_0
ajax.com        hostcom_1

The second pass applies the value-token tuples in the map file to the log file, replacing each instance of the value with its corresponding token. For example, each instance of centrify.com in the log file is replaced by hostcom_0. By default, adobfuscate performs the first pass only, although you can use the --both option to perform both. Once you create a map file, you can hand edit it to add other known hostnames, email addresses and so on, and if you are sure you have identified all sensitive names that might be in a log file, you can run this map file against any log file without performing the first pass each time. Keep in mind that the map file is itself sensitive, because it pairs every real name with its token; keep it with the original log and do not send it along with the obfuscated file. The basic syntax for the adobfuscate program is:

adobfuscate [options]
Option  To do this

--both
    Perform both passes of adobfuscate. The first pass searches the log file for patterns specified in the pattern file and creates a map file that contains the values to be replaced and the token to replace them with. The second pass reads the map file and replaces the patterns in the log file with the replacement tokens. When you specify the --both option, the replacement values created by pass one are used during pass two rather than read from a map file. By default (if you do not specify the --both option), only pass one is performed.

-f filename
    Specify the input log file. It must be a text-based file in which lines are separated by the newline character. Although the purpose of this command is to hide sensitive information in log files generated by Centrify DirectControl commands, you can specify any valid text file. The default input file is log.txt.

-m, --mapfile filename
    Specify the map file to create or use, depending on the pass you are running. When you run only the first pass of adobfuscate (the default operation), this option specifies the map file to create. When you run only the second pass (--obfuscate), this option specifies the map file to apply to the log file. If you use the --both option to run both passes, you do not need to specify a map file, because the command creates the replacement values during the first pass and applies them to the log file during the second pass. The map file contains one line per value, with the value and its replacement token separated by a tab; for example:

    centrify.com       hostcom_0
    ajax.com           hostcom_1
    rdavis@ajax.com    email_1

-o, --obfuscate
    Run the second pass of the operation only. The second pass reads replacement values from the specified map file and replaces matching values in the specified log file with the appropriate tokens. The default input file is log.txt. The default map file is map.txt.

(pattern file option)
    Specify the input pattern file to use. The pattern file contains regular expressions to find sensitive information (email addresses, hostnames, and so on) to replace with generic tokens. The default pattern file is /etc/centrifydc/adobfuscate.conf. You can use this file as is, or use it as a template to create your own pattern file.

--verbose
    Print verbose information while the command runs. Specify multiple --verbose options to increase the verbosity level. The maximum is 2.
To obscure sensitive names in a log file, you:

1 Create a pattern file that identifies the kinds of sensitive names (hostnames, email addresses and so on) to replace in the log file. Centrify DirectControl provides a standard pattern file that you can use as is, or as a template to create your own pattern file.

2 Run the first pass of adobfuscate, and specify the pattern file you just created, to create a map file that contains all the specific names to replace as well as a replacement value for each name.

3 Run the second pass of adobfuscate, and specify the map file you just created, to apply the replacement values to each specified name in the log file.

The following example steps you through this process.

Creating a pattern file

In the pattern file, you use regular expressions to identify sensitive names that you want obscured in the log file. Each line in the pattern file uses the following syntax:

action reg-expr-pattern repl-token

where:

action is one of:
    match    Replace any items that match the pattern.
    exclude  Keep the item even if it matches one of the match patterns.

reg-expr-pattern is a regular expression pattern, enclosed in slashes, that identifies sensitive names in the log file, such as email addresses and hostnames. Patterns are matched without regard to case; the sample patterns below are written in upper case but match the lower-case names in the example that follows.

repl-token is the token used to replace names of each type in the log file. Each distinct matched value receives a numbered instance of the token: specific email addresses are replaced by email_n, .com hostnames by hostcom_n, and so on.

The easiest way to create a pattern file is to modify the sample file provided by Centrify DirectControl: /etc/centrifydc/adobfuscate.conf. The following shows the pattern matching definitions from this file:

#You can define your own sensitive data by using the following format.
#[action type][regular expression] [substitute value]
#The action type has two optional values: match | exclude .
#Lines of 'match' specify patterns that should be obfuscated and must have substitute value argument.
#Lines of 'exclude' specify patterns that shouldn't be matched.
match /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}/ email
match /[A-Z0-9-]+[A-Z0-9.-]+\.com/ hostcom
match /[A-Z0-9-]+[A-Z0-9.-]+\.net/ hostnet
match /[A-Z0-9-]+[A-Z0-9.-]+\.org/ hostorg
match /[A-Z0-9-]+[A-Z0-9.-]+\.test/ hosttest
match /[A-Z0-9-]+[A-Z0-9.-]+\.land/ hostland

Note that only the listed suffixes are covered: short host names such as lynx1, and names under other suffixes, such as the DC=mkline,DC=local components in the example below, are left in the clear unless you add patterns for them.

The sample file also contains a list of exclude entries for dotted identifiers that look like hostnames but are internal Centrify names, for example:

exclude /util\.ulimit/

The purpose of this list is to retain specific items in the log file that may be useful for analyzing a problem, but would otherwise be obscured because they match one of the specified patterns. You should browse this list and remove any specific items that you do not want to appear in a log file you send to Centrify.
Running the first pass of adobfuscate

After you create a pattern file, you can run the first pass of adobfuscate to create a map file:

adobfuscate -f /var/log/centrifydc.log -m myMap

This command applies the default pattern file (/etc/centrifydc/adobfuscate.conf) to the centrifydc log file and creates a map file called myMap. Suppose the log file contains the following text (the hostnames to be obscured are win2k-1.acme.com and win_serv-1.acme.com):

Mar 23 11:04:56 lynx1 adnisd[2247]: WARN <main> adnisd No NIS maps found on server win2k-1.acme.com
Mar 23 11:04:56 lynx1 adclient[2524]: DEBUG <fd:16 ldap fetch> base.bind.ldap win_serv-1.acme.com:389 fetch dn="" filter="(objectclass=*)" timeout=7
Mar 23 11:04:56 lynx1 adclient[2524]: DEBUG <fd:16 get object> base.bind.ldap win_serv-1.acme.com:389 pagedSearch base="CN=Groups,CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=mkline,DC=local" filter="(displayName=$CimsGroupVersion2)"
Mar 23 11:09:57 lynx2 adnisd[2247]: WARN <main> adnisd No NIS maps found on server win2k-1.acme.com

By applying the pattern file, adobfuscate creates a map file with the following entries:

win2k-1.acme.com       hostcom_0
win_serv-1.acme.com    hostcom_2

Note: The entry base.bind.ldap has the form of a hostname and would normally be replaced with a hostname token; however, the default adobfuscate pattern file contains an entry to exclude it, so it remains in the log file:

exclude /base.bind.ldap

Running the second pass of adobfuscate

Now run the second pass (-o option) of adobfuscate, specifying the map file you just created, to obscure the hostnames in the log file:

adobfuscate -f /var/log/centrifydc.log -m myMap -o

In the resulting log file, each specific hostname is replaced with its generic token from the map file: win2k-1.acme.com becomes hostcom_0 and win_serv-1.acme.com becomes hostcom_2. Review the output before sending it; anything the patterns did not cover (in this log, lynx1, lynx2 and the DC=mkline,DC=local components of the search base) is still in the clear.
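The two-pass scheme, as an added example in Python that models the behaviour described above and is not Centrify's adobfuscate code: pass one builds a value-to-token map from a pattern file in the same match/exclude format as adobfuscate.conf, pass two applies the map longest-value-first, and the map is written and read in the tab-separated layout shown earlier. The pattern text and log lines are constructed for the example; two deliberate differences from the sample adobfuscate.conf are that the host-name patterns allow an underscore, so that win_serv-1.acme.com is matched whole, and that a generic host pattern is added so that the exclude line for base.bind.ldap actually has something to exclude.

```python
"""Two-pass log obfuscation in the style of adobfuscate (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed pattern file in the adobfuscate.conf format (see the lead-in
# for the two deliberate differences from the sample file).
PATTERN_FILE = r"""
# [action] /regular expression/ [substitute value]
match /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}/ email
match /[A-Z0-9_-]+[A-Z0-9._-]+\.com/ hostcom
match /[A-Z0-9_-]+(?:\.[A-Z0-9_-]+)+/ host
exclude /base\.bind\.ldap/
"""

# Constructed log lines modelled on the excerpt above.
SAMPLE_LOG = [
    'Mar 23 11:04:56 lynx1 adnisd[2247]: WARN <main> adnisd No NIS maps found on server win2k-1.acme.com',
    'Mar 23 11:04:56 lynx1 adclient[2524]: DEBUG <fd:16 ldap fetch> base.bind.ldap win_serv-1.acme.com:389 fetch dn="" filter="(objectclass=*)" timeout=7',
    'Mar 23 11:05:01 lynx1 adclient[2524]: INFO <main> notify rdavis@acme.com about zone default',
    'Mar 23 11:09:57 lynx2 adnisd[2247]: WARN <main> adnisd No NIS maps found on server win2k-1.acme.com',
]

PATTERN_LINE = re.compile(r"^(match|exclude)\s+/(.+?)/?(?:\s+(\S+))?\s*$")


def parse_patterns(text: str):
    """Return ([(compiled regex, token), ...], [compiled exclude regex, ...]).
    Matching is case-insensitive, which is why the upper-case character
    classes in adobfuscate.conf match lower-case host names."""
    matches, excludes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PATTERN_LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse pattern line: {raw!r}")
        action, regex, token = m.groups()
        compiled = re.compile(regex, re.IGNORECASE)
        if action == "match":
            if not token:
                raise ValueError(f"'match' line needs a substitute value: {raw!r}")
            matches.append((compiled, token))
        else:
            excludes.append(compiled)
    return matches, excludes


def build_map(log_lines: List[str], matches, excludes) -> Dict[str, str]:
    """Pass one: each distinct matched value gets token_n, numbered per token
    in order of first appearance, unless an exclude pattern matches it."""
    mapping: Dict[str, str] = {}
    counters: Dict[str, int] = {}
    for line in log_lines:
        for pattern, token in matches:
            for value in pattern.findall(line):
                if value in mapping or any(ex.search(value) for ex in excludes):
                    continue
                n = counters.get(token, 0)
                mapping[value] = f"{token}_{n}"
                counters[token] = n + 1
    return mapping


def apply_map(log_lines: List[str], mapping: Dict[str, str]) -> List[str]:
    """Pass two. Longest value first, so a short value such as acme.com cannot
    clobber win2k-1.acme.com or rdavis@acme.com before their own tokens apply."""
    ordered = sorted(mapping.items(), key=lambda kv: len(kv[0]), reverse=True)
    out = []
    for line in log_lines:
        for value, token in ordered:
            line = line.replace(value, token)
        out.append(line)
    return out


def dump_map(mapping: Dict[str, str]) -> str:
    """Map file layout: one 'value<TAB>token' line per entry. The map is as
    sensitive as the original log; keep it and never send it with the log."""
    return "".join(f"{value}\t{token}\n" for value, token in mapping.items())


def load_map(text: str) -> Dict[str, str]:
    return dict(line.split("\t", 1) for line in text.splitlines() if line.strip())


def obfuscate(log_lines: List[str], pattern_text: str, map_text: str = None):
    """map_text=None behaves like --both; a map_text behaves like -o with -m."""
    if map_text is None:
        matches, excludes = parse_patterns(pattern_text)
        mapping = build_map(log_lines, matches, excludes)
    else:
        mapping = load_map(map_text)
    return apply_map(log_lines, mapping), mapping
```

Because the email pattern runs before the host patterns, rdavis@acme.com is mapped as one value and the acme.com that the host pattern also finds gets its own token; sorting the map longest-first in pass two is what keeps the email address from being half-replaced. The same ordering matters if you hand-edit a map file and add a bare domain alongside full host names.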
The adobfuscate command returns result codes when errors are encountered. The following table lists these command-specific result codes.

Result  Error name      Indicates
6       ERR_OTHERS      Error when parsing the pattern file or the map file.
7       ERR_USAGES      Usage error.
40      ERR_OPEN_FILE   Could not open file.
Using adrmlocal
The adrmlocal command reports and removes local user names that duplicate Active Directory user names. The basic syntax for the adrmlocal program is:

adrmlocal [--interactive] [--commit] [--force] [--version]

The adrmlocal command displays a report of users who are in both a local user database, for example, the local user accounts defined in the /etc/passwd file, and in Active Directory, to allow you to check for duplicate user names. You can remove selected duplicate local user names interactively or remove all duplicate local users without prompting. If you run this command with the --interactive option, the command prompts you to remove or skip each duplicate user, regardless of whether the user's UID or GID in /etc/passwd matches the information for the user name in Active Directory. If you run this command with the --commit option, the command removes duplicate users that have no UID or GID conflicts but prompts you to remove or skip local users that have UID or GID conflicts. If you run this command with the --force option, the command removes all duplicate local users without prompting. Removing a local account does not change the ownership of that user's existing files; if the local UID differs from the Active Directory UID, use adfixid to re-own them (see Using adfixid). To delete local user accounts in a NIS domain, you should run the adrmlocal command on the NIS master server. After running the command, you must update the NIS passwd maps to make the updated information available to your NIS servers.

Option          To do this
--interactive   Be prompted interactively for confirmation that you want to remove the duplicate local user account before performing the delete operation.
-c, --commit    Remove duplicate local users if the UID and GID are the same in the local database and Active Directory. If the UID or GID for a local user conflicts with the information stored in Active Directory, this option prompts you to determine whether the local user account should be deleted.
-f, --force     Remove all duplicate local user names without prompting, even if there are UID or GID conflicts.
-v, --version   Display version information for the installed software.

This command displays a summary of the conflicts found, then prompts you to decide whether each duplicate user should be deleted. For example:

3 local user(s) that are duplicated with AD users:
adam:uid(505):gid(503):ADuid(10001):ADgid(10000) Conflicted with AD
chin:uid(506):gid(504):ADuid(10009):ADgid(10000) Conflicted with AD
liz:uid(507):gid(505):ADuid(10005):ADgid(10000) Conflicted with AD
Delete local user adam ? (Yes/No)
The adrmlocal command returns the following command-specific result codes:

...  ...
     The attempt to load the local password file failed.
157  ERR_NOT_CHECK_DUP_LOCAL_USER
     The attempt to check for duplicate user accounts failed.
158  ERR_NOT_LOAD_GROUP_FILE
     The attempt to load the local group file failed.
159  ERR_NOT_CHECK_DUP_LOCAL_GROUP
     The attempt to check for duplicate group accounts failed.
Using adfinddomain

The adfinddomain command displays the domain controller associated with the Active Directory domain you specify. The basic syntax for the adfinddomain program is:

adfinddomain [--format name|ldap|ip] [--port] [--verify] [--version] [domain | $]

If you don't specify a domain, the command returns information for the domain the local computer is joined to. If you specify a dollar sign ($) instead of a domain, the command returns the host name and, optionally, the port number for the Global Catalog server.

Option                       To do this
-f, --format name|ldap|ip    Control the format of the information displayed for the domain controller. Specify name to display the host name of the domain controller, ldap to display it in the form used for LDAP requests, or ip. For example:

    adfinddomain -f ldap
    ldap://fire.arcade.org

--port                       Include the port number in the output.
--verify                     Check whether the specified domain controller is currently operational.
-v, --version                Display version information for the installed software.
[domain | $]                 Specify the domain name, or $ for the global catalog, for which you want to display information.

To display the host name for the global catalog server, type:

adfinddomain $
zen.ajax.org

To include the port number for the domain controller or global catalog, type:

adfinddomain --format name --port ajax.org
ginger.ajax.org:389

or:

adfinddomain $ --port
zen.ajax.org:3268

The adfinddomain command returns the following command-specific result codes:

...  ...
     The command is unable to obtain the IP address for the server.
157  ERR_UNDETECT_SERVICE
     The command is unable to find the domain controller for the domain specified. You should verify the domain name, then try rerunning the adfinddomain command.
Using adfixid

The adfixid command can be used to resolve UID and GID conflicts and change the ownership of a local user's files to match the user and group IDs defined for the user in Active Directory. The basic syntax for the adfixid program is:

adfixid [--commit] [--commit-all] [--report filename] [--usermap filename] [--groupmap filename] [--id id_range] [--xdev] [--follow] [--undo] [--restart] [--version] [--verbose] directory

The adfixid command compares the local password database, for example, the local /etc/passwd and /etc/group files, to the UNIX profile entries for the DirectControl zone that are retrieved from Active Directory. To perform this comparison, adfixid checks for local UNIX user and group names that match the user and group names in the UNIX profiles defined for the current zone. The command then generates a report of the local users and groups that have UIDs or GIDs that conflict with the information stored in Active Directory. You can then use adfixid to change the ownership of local users' files and directories to match the user and group ID values defined in Active Directory for the zone, eliminating UID and GID conflicts.

Although adfixid bases its comparison on the local UNIX user or group name matching the zone UNIX user or group name to check for UID and GID conflicts and change file ownership, the local password store may have local UNIX user and group names that do not match any of the UNIX user and group names defined for the zone. In some cases, these local users and groups may have a UNIX profile for the zone, but under a different user or group name. To accommodate this situation, you can use a mapping file to specify how the user and group names in the local database map to the user and group names in the UNIX profiles for the current zone. You can then run adfixid with the --usermap or --groupmap option to check for UID or GID conflicts and change file ownership, as needed.

By default, running the adfixid command simply lists the local users and groups that have UID or GID conflicts and require file ownership changes. If you run this command with the --commit option, adfixid searches local file systems, starting with the directory you specify, for files owned by users defined in the /etc/passwd file, and changes the ownership and group information to match the information defined for the zone. If you run this command with the --commit-all option, adfixid also updates the /etc/passwd and /etc/group files to contain the new ID values. The local computer must be joined to an Active Directory domain and in a valid zone to perform most operations. This requirement does not apply to generating a report with the --report option or to undoing a previous operation with the --undo option. In addition, to run adfixid with the --commit, --commit-all, or --undo options, you must be logged in as root.

Note: Because of the operations it performs, running the adfixid command can take a significant period of time to complete. Therefore, in most cases, you should limit the scope of directories to be traversed at any one time and run this command when there is minimal network traffic. Because a --commit run re-owns files that local users currently have access to, review the default report and the --id range before committing, and keep the audit log so that --undo can reverse the changes if a mapping turns out to be wrong.
Option  To do this

--commit
    Commit file ownership UID and GID changes to the file system. If you do not specify this option, by default adfixid only displays a list of the users and groups that require ownership changes.

-C, --commit-all
    Commit the file ownership UID and GID changes to the file system and update the local /etc/passwd and /etc/group files with the new UID and GID values, as needed.

-u, --usermap filename
    Specify the name of a file that maps local UNIX user names to zone UNIX user names. This option is useful when user names have been rationalized in the DirectControl zone but may not match the names in the local database file. The format of the user mapping file is:

    local_UNIX_name zone_UNIX_name

    If a local UNIX user name is not in the mapping file, it's assumed to already match a zone UNIX user name. If no match is found, the name is ignored. If the UID for the ignored name conflicts with a zone UNIX user UID, the UID of the local UNIX user is changed to a value in the UID range set aside for conflict resolution. For information about setting the value range for conflict resolution, see the --id option.

--groupmap filename
    Specify the name of a file that maps local UNIX group names to zone UNIX group names. This option is useful when group names have been rationalized in the DirectControl zone but may not match the names defined in the local database file. The format of the group mapping file is:

    local_UNIX_group zone_UNIX_group

    If a local UNIX group name is not in the mapping file, it's assumed to already match a zone UNIX group name. If no match is found, the name is ignored. If the GID for the ignored name conflicts with a zone UNIX group GID, the GID of the local UNIX group is changed to a value in the GID range set aside for conflict resolution. For information about setting the value range for conflict resolution, see the --id option.

-r, --report filename
    Generate an audit log of every chown command that was executed by the adfixid command. You can use a hyphen (-) as the filename to output the information to standard out. You can generate the report at the same time as the --commit operation, or at any later time. By default, the audit file is /etc/centrifydc/adfixid.log. Note: This option is only valid at the same time you perform a --commit or --commit-all operation or after you have performed one of those operations. You cannot use this option to generate a preview report of the changes that a --commit operation would perform. Use the adfixid command with no command line options to review conflicts prior to making file system changes. You can then use the --commit and --report options to generate a report of the changes performed. For example:

    adfixid --commit --report chown_rpt1
--id id_range
    Specify a range of values for assigning new UIDs or GIDs to use in resolving UID or GID conflicts. The id_range parameter can be of the form <start_value>-<end_value> to specify the start and end values of the range. For example:

    --id 90000-110000

    The default range is 50000-60000. If you specify a single number, that value becomes the starting value for the range and the end value is MAXUID. If a local UNIX UID or GID conflicts with a zone UID or GID, the local value is mapped to a value in the specified range. For example, if a local UNIX user has a UID of 126 that conflicts with a zone UNIX user UID, the local UNIX user UID would be mapped to UID 50126 by default. If the target UID value of 50126 is already used in the zone, the next sequential value, 50127, is used instead. Choose a range that no zone profile or other local account uses; otherwise the conflict-resolution values themselves collide with real accounts.

-x, --xdev
    Prevent the adfixid command from running across file system mount points. By default, the adfixid command traverses all local, non-NFS, file system mount points.

-f, --follow
    Specify that you want the adfixid command to follow symbolic links to update the target files and directories. By default, the adfixid command only updates the link file itself, if necessary, and does not traverse into symbolically-linked directories. With --follow, a link can lead the command to files outside the directory you specified, including on other file systems, so combine it with --xdev and a narrow directory scope, and review the audit log afterwards.

--restart
    Ignore the results of a previous run. By default, the adfixid command skips files that were changed by a previous run of the command. Using this option resets the adfixid audit log so that adfixid is not aware of what files were previously changed. If you have previously run adfixid and changed the file owners but did not resolve the conflicts between the /etc/passwd and /etc/group files and Active Directory, using this option ignores the changes previously made and makes them again when the conflicts between the local files and Active Directory are detected.

-U, --undo
    Reverse the action of a previous --commit operation. All files that had the owner and/or group ID changed are set back to their original values. If the /etc/passwd or /etc/group files were updated using a --commit-all operation, this change is also reversed.

-v, --version
    Display version information for the installed software.

-V, --verbose
    Display the file and directory names as they are processed. This option is useful when running this command on a large file system, such as the root file system, so you can track its progress.  If you specify this option, the adfixid command lists every file it examines, reports every change of ownership performed for the files and directories examined, and lists any files or directories being skipped. Without this option, the adfixid command does not display its progress and may appear to stop running when it is processing a large number of files and directories on large file systems.

directory
    Specify the directory or directories in which to start the search for the user files to be changed. By default, adfixid only searches local file systems, starting at the root (/) of the file system. You can, however, specify a network file system on the command line, if needed. You can use this parameter to change the file ownership for selected directories or if you want to change the file ownership in stages. For example, you may want to change the ownership for a limited number of directories before committing changes across the whole file system on a given computer. If you specify a network file system, such as an NFS or CIFS mount point, be sure that you do not run the command on the same files from different computers. Running this command from more than one computer against the same network file system may cause the file ownership changes to be overwritten with incorrect information. Note: File ownership changes are logged in the audit file on a per-machine basis. If you run this command for a network file system, the change is recorded in the audit file on the local computer. If you run the command again from a second computer, that computer has no record that the file ownership has been previously changed.
To simply see a list of the local users and groups with UID or GID conflicts requiring resolution, you can run the following command:

adfixid

If you want to make the file ownership changes and resolve user and group conflicts, you can run the following command:

adfixid --commit

In this example, the file ownership for the local user gsmith will be changed from UID and GID 1006 to UID and GID 1007, and the file ownership for the local user ballen will be changed from UID and GID 1007 to UID and GID 1006. The local user joe appears as a UID conflict because the local UNIX user name is different from the zone UNIX user name. Similarly, the local user kane is ignored because there is no mapping between the local UNIX user name and the zone UNIX user name. For these users, you would need to create and specify a user mapping file. The local user jfrank is not defined in the zone, but his local UID and GID conflict with the user tyoung, who has a profile defined in this zone. The adfixid command will assign a UID and GID from the temporary range, for example 51345, and change the ownership (chown) of all files owned by the local user jfrank to that UID.

To create a user mapping file, use a text editor and add an entry to map the local UNIX user account joe to the jcool zone UNIX user. For example:

vi defaultzone_usermap

Add an entry to map each local user to a zone user, as needed. For example:

joe jcool
kane klewis

You can then run the adfixid command and specify the user mapping file. For example:

adfixid --usermap defaultzone_usermap --commit

This command will change the file ownership for the files owned by the local user kane to UID and GID 10226. The command will not change the files owned by the local user joe because, once mapped, there is no UID or GID conflict between the local UNIX user and the zone UNIX user.
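The decision rules behind the report above, together with the duplicate-name report that adrmlocal produces (see Using adrmlocal), as an added Python model that is not Centrify's adfixid or adrmlocal code: plan_uid_changes applies the name match, the --usermap lookup, and the --id conflict-resolution rule (start + old UID, then the next free value), and chown_plan walks a directory tree the way --commit does, without following symbolic links and optionally without crossing file systems (--xdev). The local and zone data are constructed to reproduce the gsmith/ballen/joe/kane/jfrank walk-through. What happens when start + UID falls past the end of the --id range is this example's assumption, since the guide does not say what adfixid does then. UIDs only; GIDs follow the same rules against /etc/group and the zone's group profiles.

```python
"""Model of the adfixid / adrmlocal comparison rules (added example)."""
import os
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed data matching the walk-through: local /etc/passwd (name -> uid)
# and the zone's UNIX user profiles (name -> uid) as retrieved from AD.
LOCAL_PASSWD = {"gsmith": 1006, "ballen": 1007, "joe": 2001, "kane": 2002, "jfrank": 1345}
ZONE_USERS = {"gsmith": 1007, "ballen": 1006, "jcool": 2001, "klewis": 10226, "tyoung": 1345}
USER_MAP = {"joe": "jcool", "kane": "klewis"}   # contents of a --usermap file

Change = Tuple[str, int, int, str]   # (local name, old uid, new uid, reason)


def parse_usermap(text: str) -> Dict[str, str]:
    """--usermap file format: 'local_UNIX_name zone_UNIX_name' per line."""
    mapping: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            mapping[parts[0]] = parts[1]
    return mapping


def duplicate_local_users(local: Dict[str, int], zone: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """What adrmlocal reports: local names that also exist in AD, with both
    UIDs. A differing UID is the 'Conflicted with AD' case in its output."""
    return [(name, uid, zone[name]) for name, uid in sorted(local.items()) if name in zone]


def plan_uid_changes(local: Dict[str, int], zone: Dict[str, int],
                     usermap: Optional[Dict[str, str]] = None,
                     id_range: Tuple[int, int] = (50000, 60000)) -> List[Change]:
    """Decide the new UID for every local user, following the rules above."""
    usermap = usermap or {}
    start, end = id_range
    zone_uids = set(zone.values())
    taken = set(zone_uids)            # UIDs that must not be handed out from the range

    def fresh(uid: int) -> int:
        # Documented rule: start + old uid, or the next free value if that is used.
        # Falling back to the start of the range when start + uid is past its
        # end is this example's assumption, not documented adfixid behaviour.
        cand = start + uid if start + uid <= end else start
        while cand in taken:
            cand += 1
            if cand > end:
                raise ValueError("--id range too small to resolve all conflicts")
        taken.add(cand)
        return cand

    plan: List[Change] = []
    for name, uid in sorted(local.items()):
        zone_name = usermap.get(name, name)
        if zone_name in zone:                        # same account, maybe another UID
            if zone[zone_name] != uid:
                plan.append((name, uid, zone[zone_name], f"matches zone user {zone_name}"))
        elif uid in zone_uids:                       # unrelated local user on a zone UID
            owner = next(z for z, zuid in zone.items() if zuid == uid)
            plan.append((name, uid, fresh(uid), f"UID conflicts with zone user {owner}"))
        # otherwise: no profile and no conflict, so the name is ignored
    return plan


def chown_plan(root: str, plan: List[Change], dry_run: bool = True,
               xdev: bool = True) -> Iterator[Tuple[str, int, int]]:
    """Walk root and re-own entries whose current owner is in the plan.
    lstat/lchown means links are updated but never followed (no --follow);
    with xdev, other file systems are not entered (--xdev). Every entry is
    mapped by its *current* UID exactly once, so a swap such as gsmith and
    ballen is applied correctly in a single pass."""
    new_uid = {old: new for _, old, new, _ in plan}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if xdev:
            dirnames[:] = [d for d in dirnames
                           if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        entries = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        entries += [os.path.join(dirpath, d) for d in dirnames
                    if os.path.islink(os.path.join(dirpath, d))]   # link itself only
        for path in entries:
            st = os.lstat(path)
            if st.st_uid in new_uid:
                yield path, st.st_uid, new_uid[st.st_uid]
                if not dry_run:
                    os.lchown(path, new_uid[st.st_uid], -1)


if __name__ == "__main__":
    for name, old, new, why in plan_uid_changes(LOCAL_PASSWD, ZONE_USERS, USER_MAP):
        print(f"{name}: uid {old} -> {new} ({why})")
```

Running chown_plan a second time would swap gsmith and ballen back again, which is exactly why adfixid records its changes in an audit log and skips them on later runs unless --restart is given; this example keeps no such log, so review the dry-run listing and apply it once.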
The adfixid command returns the following command-specific result codes:

...  ...
     The UID or GID range you have specified is not large enough to accommodate the number of new UIDs or GIDs needed to resolve account conflicts. You should try rerunning the command with a larger range of values or with no ending UID or GID value.
157  ERR_LOAD_PASSWD_FILE
     The attempt to load the local password file failed.
158  ...
     The attempt to load the local group file failed.
159  ERR_CANNOT_UNDO_CHANGES
     The attempt to undo changes made during a previous run of adfixid failed because the private log file used for recording the changes could not be opened for reading. You should check the permissions on the log file and whether the account used to run the adfixid command has read permission for the file.
160  ERR_CANNOT_CREATE_REPORT
     The attempt to create a report of the changes made by adfixid failed because the private log file could not be opened for reading. You should check the permissions on the log file and whether the account used to run the adfixid command has read permission for the file.
161  ERR_OPEN_LOG_TO_WRITE
     The attempt to open and write to the private log file failed. You should check the permissions on the log file and whether the account used to run the adfixid command has write permission for the file.
162  ERR_LOAD_USER_MAP
     The attempt to load the specified user mapping file failed. You should verify that the mapping file exists in the location specified and that the account used to run the adfixid command has read permission for the file, then try rerunning the adfixid command.
163  ERR_LOAD_GROUP_MAP
     The attempt to load the specified group mapping file failed. You should verify that the mapping file exists in the location specified and that the account used to run the adfixid command has read permission for the file, then try rerunning the adfixid command.
164  ERR_GENERATE_GROUP_MAP
     The attempt to map local group GIDs to Active Directory GIDs failed.
165  ...
     The attempt to map local user UIDs to Active Directory UIDs failed.
166  ERR_OPEN_DIR
     The attempt to open a directory failed. You may see this error if a specified target directory or subdirectory is not accessible, or if the account used to run the adfixid command does not have permission to access one or more directories to be searched.
422
Using adflush
The adflush command can be used to clear the Centrify DirectControl cache on a local computer. The basic syntax for the adflush program is:
adflush [option]
Use this option / To do this
(option not shown on this page)
    Remove DirectAuthorize information from the adclient authorization store cache.
-d, --dns
    Remove stored DNS information from the adclient local cache.
-f, --force
    Clear the adclient local cache of all data even if the Centrify DirectControl Agent is currently disconnected from Active Directory.
-o, --objects
    Remove only domain controller and global catalog objects from the cache.
--verbose
    Display detailed information about the operation.
(option not shown on this page)
    Display version information for the installed software.
To display verbose output and force the local cache to be cleared when the Centrify DirectControl Agent (adclient) is running in disconnected mode without access to Active Directory, you would type:
adflush --verbose --force
Using adid
The adid command can be used to display the real and effective UIDs and GIDs for the current user or a specified user. The basic syntax for the adid program is:
adid [option] [username|uid]
The adid command is intended as a replacement for the standard id program for looking up user and group information for a specified user. For Active Directory users, the adid command is more efficient than the standard id program because it can request the user's group membership list directly through the Centrify DirectControl Agent, resulting in better performance. With the standard id program, requesting a user's group membership requires the program to search through all the groups on the system to find which groups include the user as a member. If you run the adid command and specify a user who is not an Active Directory user, the adid command transfers the request to the local id program with the same arguments you have specified.
-a
-n, --name
-u, --user
--help
To display the user ID and group ID for a specific user name, you can type:
adid alan
uid=505(alan) gid=100(users)
To display the user ID and group ID for a specific user ID, you can type:
adid 505
uid=505(alan) gid=100(users)
To display only the user ID for a specific user name, you can type:
adid --user sloane
506
Using adkeytab
The adkeytab command allows you to create and manage Kerberos key tables (*.keytab files) and coordinate changes with the Kerberos key distribution center (KDC) provided by Active Directory. With the adkeytab command you can:
- Create new service accounts and new key table files.
- Add new Kerberos service principals to existing key tables.
- Adopt Kerberos service principals for an existing Active Directory account and update the key tables and centrifydc.conf entries to manage the adopted account.
- Change the password for a computer or service account and update the keys in its key table.
- Reset a key table that is corrupt or out of sync with the KDC in Active Directory to ensure that the account password and Kerberos keys are synchronized.
- Delete a service principal from a service account and remove its keys from the key table.
- Delete a service account from Active Directory and remove its key table and all related keys from the centrifydc.conf file.
Note: The specific options you can use on the command line for adkeytab depend on the task you want to perform. See the appropriate section for information about which options to use for each task. In addition to the task-specific options, however, you can use the [-V, --verbose] option in conjunction with any task to display detailed information about the operations being performed for diagnostic purposes.
changes, a new key is generated for each service principal in the table and stored as a new keytab entry with an updated key version number. Older versions of the keys are retained in the key table as separate entries with earlier version numbers, up to a specified number of versions, after which they're removed from the table. In addition, each service principal has at least one entry for each type of key encryption it supports. Therefore, a single service principal typically has many entries in the key table.

In its role as the Kerberos key distribution center (KDC), Active Directory has a computer account for each computer in the network and stores the service principals and keys for each computer. It also has a service account for each service offered on a computer, and stores the service principals and keys for each service with the service account.

When you add a UNIX computer to an Active Directory domain, the adjoin command creates a computer account in Active Directory and a local keytab file on the computer that adclient can use for authentication. The centrifydc.conf configuration file specifies the Kerberos service principals the computer offers, the location of the computer's keytab files, and the number of key versions maintained for each service principal. After the computer has joined the domain, adclient manages the computer's computer account and its associated keytab file, changing the account password and the Kerberos keys at a set interval.

The adclient process does not, however, maintain keytab files for service accounts, add new keytab files, or notify Active Directory of keytab changes for service accounts. To create and manage the keytab files for service accounts, you use the adkeytab command. The adkeytab program then uses adclient to communicate the keytab information for service accounts to Active Directory so that it can be synchronized in the KDC.
adkeytab
    Assumes the user is the root administrator and prompts for a password. For security, the password you enter is not echoed on the screen.
adkeytab -u username
    Prompts for the password for the specified user. The password you enter is not echoed on the screen.
adkeytab -p userpassword
    Assumes the user is the root administrator. Be aware that in this form of adkeytab, the password is visible on the command line.
adkeytab -u username -p userpassword
    Be aware that in this form of adkeytab, the password is visible on the command line.
kinit
    Use the Kerberos kinit utility to build up a credential cache for the root user so that authentication is automatic. Typically, you use kinit when performing a series of operations that requires Kerberos credentials. By default, kinit is installed with Centrify DirectControl. See the kinit(1) man page for more information.
Specify DirectControl's computer account credentials for LDAP authentication. Typically, you use DirectControl's computer account credentials if adkeytab operations are being performed on DirectControl's own computer service account and the system keytab. Use the following form of adkeytab:
adkeytab -m
To create or delete service accounts, you need permission to the container in which you are creating or deleting the account, as follows:
- To create a new service account, you need Create account objects permission.
- To delete a service account, you need Delete account objects permission.
In addition, each adkeytab operation requires specific permissions to Active Directory attributes of the object being created or modified. For example, to add an SPN, you need read permission to the following attributes:
objectCategory
cn
sAMAccountName
userPrincipalName
msDS-KeyVersionNumber
The following table summarizes the permissions you need for each type of adkeytab operation.

Operations: Adopt, Adopt (local), Adopt (Force), Modify SPN, Modify UPN, Change Passwd, Reset Passwd.
Permissions / attributes: objectCategory, userAccountControl, cn, sAMAccountName, userPrincipalName, servicePrincipalName, msDS-KeyVersionNumber, changePassword, resetPassword.
Each cell of the table holds R (read), W (write) or RW (read and write) for the attribute in that operation.
You can verify or modify permissions to an Active Directory object in a number of ways, including:
- Open the Properties page for the object in Active Directory Users and Computers and use the Security tab to set Read and Write permissions for specific attributes. See Microsoft TechNet: Assign, change, or remove permissions on Active Directory objects or attributes for more information.
- Use the dsacls command-line utility to set attribute permissions for the object. See Microsoft TechNet: Dsacls Overview for more information.
computer, and notifies the KDC in Active Directory of the new service account and keys for the computer. The basic syntax for creating new service accounts and keytab files and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --new --principal principal --keytab filename --container containerDN [options] account-name
Setting options for creating a new service account and key table
Use this option / To do this
--new
    Create a new service account in Active Directory and a new key table for the account that is stored locally as a keytab file. If you use this option to generate a new service account and keytab file, adkeytab notifies the KDC in Active Directory of the key table contents. If you use this option, you must also specify a keytab file name using the --keytab option and an account-name that is unique in the current domain.
--principal principal
    Specify a service principal to add to the new key table. You must specify at least one service principal when creating a new service account. To specify multiple service principals, use this option multiple times. For principal, type the service type of the service principal you want to add. You can specify the principal by:
    - Service type alone (http)
    - Service type and the host name or alias (http/firefly)
    - Service type and the fully-qualified domain name (http/firefly.arcade.com)
    If you use the service type alone, the adkeytab command generates the full principal name by expanding the name to include the account name at this computer, creating a fully-qualified domain name for the service principal account. For example, if you add the service principal http for service account firefly in domain arcade.com, adkeytab generates two service principals for the keytab file:
    http/firefly@ARCADE.COM
    http/firefly.arcade.com@ARCADE.COM
    If you specify the service type with either a long or short host name, the adkeytab command generates only the exact principal name specified.
    Note: If the service account name is different from the host name, you should have a DNS alias for the service account name that resolves to the host name of the computer. This allows you to have multiple service principals of the same type on the same computer, for example, multiple database services.
-K, --keytab filename
    Specify the name and location of the new keytab file to create. For filename, specify either the relative or full path to the file you are creating. For example:
    --keytab /etc/krb5/test.keytab
-c, --container containerDN
    Specify the Active Directory name of the container (CN) or organizational unit (OU) into which the new service account should be placed. You can specify the containerDN by:
    - Canonical name (ajax.org/unix/services)
    - Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org)
    - Relative distinguished name without the domain suffix (cn=services,cn=unix)
    For example, if you want to place the account in the UNIX/Services container within the ajax.org domain using the canonical name, you could specify:
    --container ajax.org/UNIX/Services
    Note: The account used to run the adkeytab command must have permission to add objects to the container or organizational unit you specify.
    keys for each of the service principals you specified with the --principal option. Alternatively, you can use the --des option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or for services that support only older versions of Kerberos. If you use the --des option, the --encryption-type parameter is ignored. If you use the --encryption-type parameter, each etype you specify generates a key table entry for a principal/encryption type combination. For example, if you specify two service principals and one encryption type, adkeytab generates a key table entry for each service principal with a key that uses the selected encryption type. To specify multiple encryption types for a service principal, use this option multiple times. For example, if you specify one service principal and three different encryption types, adkeytab generates a separate key table entry for each encryption type for the service principal.
    If you do not specify an encryption type on the command line, the encryption types defined in the centrifydc.conf file are used. The default encryption types supported are:
    - Windows 2000 Server and Windows Server 2003: arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.
    - Windows Server 2008 domain functional level supports these additional types: aes128-cts and aes256-cts. Although you can specify these types in an environment other than 2008 domain functional level, they are not useful there and may cause extra network round trips during the authentication process.
    Note: If you specify an encryption type that is not listed as a permitted encryption type in the centrifydc.conf file, the key table entry is not created and an error is displayed. You should verify that the encryption types you want to use are listed for the adclient.krb5.permitted.encryption.types configuration parameter.
-T, --trust
    Set the Trust for delegation option in Active Directory for the new service account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network. For example, if the new service account is trusted for delegation, it can forward ticket-granting tickets and perform other delegated actions. Setting this option may require the adkeytab command to run using an account with administrator permission.
--des
    Specify that all service principals for this account will use the Data Encryption Standard (DES) for keys. Setting this option enables the Use DES encryption types for this account flag in the userAccountControl attribute of the service account. You can use this option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or for services that support only older versions of Kerberos.
    Note: If you use the --des option, the --encryption-type parameter is ignored.
(domain option; option name not shown on this page)
    Specify the domain in which this service account should be created. This option is used to create accounts in a domain other than the currently joined domain. If you do not specify this option, adkeytab creates the new service account in the currently joined domain by default.
-U, --upn userPrincipalName
    Set the userPrincipalName attribute for the account in Active Directory.
    Note: For user service accounts, you only need to set this option if you want the userPrincipalName to be different from the default user@REALM setting.
-f, --force
    Overwrite an existing Active Directory object with the new account information. This option removes any existing service principals, keytab files and centrifydc.conf entries related to the specified account-name, in preparation for creating a new service account and key table.
    Note: This option is not required for precreated accounts that are inactive. It is only required if the existing account is active and needs to be replaced.
-m, --machine
    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information.
    Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.
-u, --user username
    Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to add an account object to the domain. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
    --user marie@arcade.com
    If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option and there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from the command history after the command has completed its execution.
(pre-Windows 2000 name option; option name not shown on this page)
    Specify a pre-Windows 2000 account name for the object in Active Directory. This option sets the samAccountName attribute for the Active Directory object you are creating. You should use this option:
    - If the account-name you are using for the object exceeds 20 characters.
    - If you want the samAccountName attribute for the object to be different from the account-name.
    Note: The samAccountName attribute (also known as the pre-Windows 2000 name) can be a maximum of 20 characters. The attribute must be unique within the Active Directory forest.
-s, --server hostname
    Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.
(global catalog option; option name not shown on this page)
    Specify the global catalog computer you want to search to check for duplicate samAccountName attributes. Using this option enables you to avoid replication delays.
-V, --verbose
    Display detailed information about the operation being performed.
account-name
    Create the specified account-name object in Active Directory. You must specify an account-name that is unique in the current domain. In addition, the account-name must be the last argument specified on the command line.
To create a new DES-encrypted service account and accompanying key table, you would type a command similar to the following:
adkeytab --new --keytab /etc/krb5/mydatabase.keytab --principal data1 --principal data2 --des --container ajax.org/users --user oracleadm mydatabase
This command example uses the Oracle administrator account, oracleadm, to create a dedicated service account named mydatabase for an Oracle server that offers the Kerberos-enabled services data1 and data2. The command also creates a keytab file for the service account at /etc/krb5/mydatabase.keytab, adds the data1 and data2 service principals to the new keytab file, and creates DES-encoded keys for each service principal.
If you were to run this command, you would need to specify the password for the oracleadm account when prompted for the command to complete its execution. When a new keytab file is created successfully, entries for its service principals are also added to the centrifydc.conf file. For example, the following command:
adkeytab --new --keytab /etc/krb5/mydatabase.keytab --container "arcade.net/UNIX/Accounts" --principal hr_db --principal ap_db --encryption-type des-cbc-md5 --user oracleadm mydatabase
Appendix A Using Centrify DirectControl UNIX commands
Use this option / To do this
--addspn
    Add a service principal to an existing account in Active Directory and generate the appropriate keys for the new service principal in the account's keytab file. If you don't specify an account-name, the adkeytab command adds the service principal to the computer account in the currently joined domain.
--principal principal
    Specify a service principal to add to the specified key table. You must specify at least one service principal. To specify multiple service principals, use this option multiple times. For principal, type the service type of the service principal you want to add. You can specify the principal by:
    - Service type alone (http)
    - Service type and the host name or alias (http/firefly)
    - Service type and the fully-qualified domain name (http/firefly.arcade.com)
    If you use the service type alone, the adkeytab command generates the full principal name by expanding the short name to include the account name at this computer, creating a fully-qualified domain name (FQDN) for the service principal account. For example, if you add the service principal http for service account firefly in domain arcade.com, adkeytab generates two service principals for the keytab file:
    http/firefly@ARCADE.COM
    http/firefly.arcade.com@ARCADE.COM
    Note: If the service account name is different from the host name, you should have a DNS alias for the service account name that resolves to the host name of the computer. This allows you to have multiple service principals of the same type on the same computer, for example, multiple database services.
--entries kvno
    Specify the number of password hash entries (key version numbers) to keep in the keytab file. For kvno, specify a positive integer between 1 and 253. If you omit the --entries parameter, the default number is 3. Note that --entries is only relevant for 2003 or newer key distribution centers (KDCs). For Windows 2000, adkeytab manufactures key version numbers as long as the krb5.generate.kvno configuration parameter is true (which is the default setting). In the following circumstances the entries setting is ignored and only one password hash entry is kept:
    - If the KDC is Windows 2000 and the centrifydc.conf parameter krb5.generate.kvno is set to false.
    - If the KDC is Windows 2003 or newer but the dsHeuristics attribute is set to 00000000010000001.
    For more information about the dsHeuristics bit, see http://support.microsoft.com/kb/870987.
    keys for each service principal you specified with the --principal option. Alternatively, you can use the --des option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or for services that support only older versions of Kerberos. If you use the --des option, the --encryption-type parameter is ignored. If you use the --encryption-type parameter, each etype you specify generates a key table entry for a principal/encryption type combination. For example, if you specify two service principals and one encryption type, adkeytab generates a key table entry for each service principal with a key that uses the selected encryption type. To specify multiple encryption types for a service principal, use this option multiple times. For example, if you specify one service principal and three different encryption types, adkeytab generates a separate key table entry for each encryption type for the service principal.
    If you do not specify an encryption type on the command line, the encryption types defined in the centrifydc.conf file are used. The default encryption types supported are:
    - Windows 2000 Server and Windows Server 2003: arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.
    - Windows Server 2008 domain functional level supports these additional types: aes128-cts and aes256-cts. Although you can specify these types in an environment other than 2008 domain functional level, they are not useful there and may cause extra network round trips during the authentication process.
    Note: If you specify an encryption type that is not listed as a permitted encryption type in the centrifydc.conf file, the service principal is not added and an error is displayed. You should verify that the encryption types you want to use are listed for the adclient.krb5.permitted.encryption.types configuration parameter.
-m, --machine
    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information.
    Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.
-u, --user username
    Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to add a service principal to the account object in Active Directory. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
    --user marie@arcade.com
    If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option and there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from the command history after the command has completed its execution.
-K, --keytab filename
    Specify the name and location of the keytab file to add to. For filename, you can specify either the relative or full path to the file.
(domain option; option name not shown on this page)
    Specify the domain in which this service principal should be added. If you do not specify this option, adkeytab uses the currently joined domain by default.
-U, --upn userPrincipalName
    Set the userPrincipalName attribute for the account in Active Directory.
    Note: For user service accounts, you only need to set this option if you want the userPrincipalName to be different from the default user@REALM setting.
-s, --server hostname
    Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.
-V, --verbose
    Display detailed information about the operation being performed.
account-name
    Specify the account-name to which you are adding a service principal. If you don't specify an account-name, adkeytab adds the service principal to the computer account object in the currently joined domain. If you specify the account-name, it must be the last argument on the command line.
To add a new DES-encrypted service principal for oracle to the key table that belongs to the service account mydatabase, you would type a command similar to the following:
adkeytab --addspn --principal oracle --des mydatabase
To add a DES-encrypted service principal for Oracle databases named oracle_d1 and oracle_d2 to the computer account key table in the currently joined domain:
adkeytab --addspn --principal oracle_d1 --principal oracle_d2 --encryption-type des-cbc-md5
centrifydc.conf file. You can also specify additional service principal names and encryption types.
The basic syntax for adopting the service principals associated with an existing account and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --adopt --keytab filename [options] account-name
Use this option / To do this
--adopt
    Add the appropriate keytab and centrifydc.conf entries to adopt an existing account and its service principals for management through Centrify DirectControl.
--principal principal
    Specify an additional service principal for the account in the key table. This option is not required as long as the existing account has at least one service principal already defined. To specify multiple service principals, use this option multiple times. For principal, type the service type of the service principal you want to add. You can specify the principal by:
    - Service type alone (http)
    - Service type and the host name or alias (http/firefly)
    - Service type and the fully-qualified domain name (http/firefly.arcade.com)
    If you use the service type alone, the adkeytab command generates the full principal name by expanding the short name to include the account name at this computer, creating a fully-qualified domain name (FQDN) for the service principal account. For example, if you add the service principal http for service account firefly in domain arcade.com, adkeytab generates two service principals for the keytab file:
    http/firefly@ARCADE.COM
    http/firefly.arcade.com@ARCADE.COM
    Note: If the service account name is different from the host name, you should have a DNS alias for the service account name that resolves to the host name of the computer. This allows you to have multiple service principals of the same type on the same computer, for example, multiple database services.
    keys for each service principal you specified with the --principal option. Alternatively, you can use the --des option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or for services that support only older versions of Kerberos. If you use the --des option, the --encryption-type parameter is ignored. If you use the --encryption-type parameter, each etype you specify generates a key table entry for a principal/encryption type combination. For example, if you specify two service principals and one encryption type, adkeytab generates a key table entry for each service principal with a key that uses the selected encryption type. To specify multiple encryption types for a service principal, use this option multiple times. For example, if you specify one service principal and three different encryption types, adkeytab generates a separate key table entry for each encryption type for the service principal.
    If you do not specify an encryption type on the command line, the encryption types defined in the centrifydc.conf file are used. The default encryption types supported are:
    - Windows 2000 Server and Windows Server 2003: arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.
    - Windows Server 2008 domain functional level supports these additional types: aes128-cts and aes256-cts. Although you can specify these types in an environment other than 2008 domain functional level, they are not useful there and may cause extra network round trips during the authentication process.
    Note: If you specify an encryption type that is not listed as a permitted encryption type in the centrifydc.conf file, the key table entry is not created and an error is displayed. You should verify that the encryption types you want to use are listed for the adclient.krb5.permitted.encryption.types configuration parameter.
-m, --machine
Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information. Note Using the local computers credentials to update Active Directory requires local root permission when executing the adkeytab command.
451
Using adkeytab
To do this Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to read the Active Directory account object and update the userAccountControl attribute, if necessary. If you are specifying additional service principal names, the user must also have sufficient privileges to update the account's servicePrincipalName attribute. You must use the username@domain format to specify the user account if the username is not defined in the local computers domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
--user marie@arcade.com
If you do not specify the --user option, adkeytab uses the current users Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.
-p, --password
userpassword
Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option or if there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes. Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution. Specify the name and location of the keytab file for the account.
452
Administrators Guide
To do this Overwrite an existing Active Directory object with the new account information. This option removes any existing service principals, keytab files and centrifydc.conf entries related to the specified account-name, in preparation for creating a new service account and key table. Note This option is not required for precreated accounts that are inactive. This option is only required if the existing account is active and needs to be replaced. Update the password hashes in the local keytab file without changing the password in Active Directory. If you use this option, you must also specify the password value with the --newpassword option. This option can be useful in cluster environments where you run adkeytab to force a password change on the Active Directory object and the local keytab on a master server, then run adkeytab with the --change-password and --local options on the backup computers to synchronize the new password in the keytab files on those computers. Specify a new password to substitute for the old password. If you do not specify this option, adkeytab generates a random password. Set the Trust for delegation option in Active Directory for the new service account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network. For example, if the new service account is trusted for delegation, it can forward ticket-granting tickets and perform other delegated actions. Setting this option may require the adkeytab command to run using an account with administrator permission.
-l, --local
-w, --newpassword
newpassword
-T, --trust
453
Using adkeytab
To do this Specify that all service principals for this account will use the Data Encryption Standard (DES) for keys. Setting this option enables the Use DES encryption types for this account flag in the userAccountControl attribute of the service account. You can use this option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cdc-md5 keys. Using the --des option is recommended if you configuring keytab entries for Oracles Advanced Security Option or services that support older versions of Kerberos. Note If you use the --des option, the --encryption-type parameter is ignored. Specify the domain in which this service principal should be added. If you do not specify this option, adkeytab uses the currently joined domain by default. Set the userPrincipalName attribute for the account in Active Directory. Note For user service accounts, you only need to set this option if you want the userPrincipalName to be different from the default user@REALM setting. performing this operation. Using this option enables you to avoid replication delays.
-U, --upn
userPrincipalName
-s, --server hostname Specify the domain controller you want to use for
-V, --verbose
Display detailed information about the operation being performed. Specify the existing account-name that you want to manage keytab entries for using Centrify DirectControl. If you dont specify an account-name, adkeytab adopts the service principals associated with the computer account object in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.
account-name
To adopt the existing service principals for the existing service account name oracle_acct, you could type a command similar to this:
adkeytab --adopt --user oracleadm --keytab /etc/krb5/oracle_hr.keytab oracle_acct
In a cluster environment, you can use adkeytab --new to create a new account principal on the primary cluster server and set its password to a known value. You can then run adkeytab --adopt with the --local and --newpassword options on all of the other computers in the cluster to create a local copy of the keytab file. For example:
adkeytab --adopt --local --newpassword password --user oracleadm --keytab /etc/krb5/oracle_hr.keytab oracle_acct
After running this command, all of the computers in the cluster are synchronized with the same password.
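Because adkeytab refuses to write a key table entry for an encryption type that is not listed in adclient.krb5.permitted.encryption.types, a wrapper script can check the requested etypes against centrifydc.conf before calling adkeytab --new or --adopt. The script below is an added example and is not part of the Centrify documentation or product; it assumes the "name: value" line format for centrifydc.conf and writes a constructed sample file to a temporary location.

```shell
#!/bin/sh
# Added example, not from the Centrify documentation. Pre-flight check for
# adkeytab --encryption-type: every requested etype must appear in the
# adclient.krb5.permitted.encryption.types parameter of centrifydc.conf,
# otherwise adkeytab refuses to create the key table entry. The "name: value"
# conf syntax and the sample file below are assumptions.

# Usage: permitted_etypes CONF_FILE  -> prints the permitted list (space-separated)
permitted_etypes() {
    sed -n 's/^[[:space:]]*adclient\.krb5\.permitted\.encryption\.types[[:space:]]*[:=][[:space:]]*//p' "$1" \
        | tail -n 1 | tr ',' ' '
}

# Usage: check_etypes CONF_FILE ETYPE...  -> 0 if all permitted, 1 otherwise
check_etypes() {
    conf=$1; shift
    allowed=" $(permitted_etypes "$conf") "
    missing=""
    for et in "$@"; do
        case "$allowed" in
            *" $et "*) ;;
            *) missing="$missing $et" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "not permitted by $conf:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample centrifydc.conf (not a real file from a Centrify install):
# the Windows 2000/2003 default list, which does not include the AES types.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, Windows Server 2003 functional level defaults
adclient.krb5.permitted.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
EOF

# Example run: RC4/DES pass, an AES type is refused until the parameter lists it.
check_etypes "$SAMPLE_CONF" arcfour-hmac-md5 des-cbc-crc && echo "ok: requested etypes are permitted"
check_etypes "$SAMPLE_CONF" aes256-cts || echo "refused: add aes256-cts to the parameter first"
```

Point the first argument at the real /etc/centrifydc/centrifydc.conf and pass the same etypes you intend to give adkeytab; a non-zero exit means the command would fail with the encryption type error listed later in this chapter.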
-l, --local
Update the password hashes in the local keytab file without changing the password in Active Directory. If you use this option, you should also specify the password value with the --newpassword option. This option can be useful in cluster environments where you run adkeytab to force a password change on the Active Directory object and the local keytab file on a master server, then run adkeytab with the --change-password and --local options on the backup computers to synchronize the new password in the keytab files on those computers.

-w, --newpassword newpassword
Specify a new password to substitute for the old password. If you do not specify this option, adkeytab generates a random password.

-m, --machine
Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information. Note Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.

--user username
Specify an Active Directory user other than the current user to execute adkeytab. The user must have sufficient rights to read the computer account password. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
--user marie@arcade.com
If you do not specify the --user option, the adkeytab command uses the current user's Kerberos credentials by default. If there are no cached credentials, the adkeytab command uses the Administrator user account.

-p, --password userpassword
Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option or if there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes. Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

--keytab filename
Specify the name and location of the keytab file for the account.

[option name missing]
Specify the domain in which this service principal should be added. If you do not specify this option, adkeytab uses the currently joined domain by default.

-s, --server hostname
Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.

-V, --verbose
Display detailed information about the operation being performed.

account-name
Specify the account-name for which you are changing the password. If you don't specify an account-name, the adkeytab command changes the password of the computer account object for the local computer in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.
To change the password for the computer account mission-sf in the currently joined domain to use a new randomly-generated password, you would type a command similar to the following:
adkeytab -C
To explicitly set the password for the service account mysql-sf in Active Directory, you would type a command similar to the following:
adkeytab --change-password --newpassword 'miles8!' mysql-sf
Note
Single quotes are required around the password in this example because the password contains a special character that would be misinterpreted by the UNIX shell.
If the Centrify DirectControl Agent is running in disconnected mode because of a password problem, the computer account credentials are invalid and cannot be used to reset the service account password.
The basic syntax for resetting a key table and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --reset [options] [account-name]
Running adkeytab with the --reset option resets the current password for the computer account that is stored in Active Directory, regenerates keys for the account's service principals, writes those keys into the account's keytab file, then reports the keys to the KDC in Active Directory.
Setting options for resetting a key table

--reset
Reset an account's key table and synchronize its contents with the key distribution center in Active Directory.

-m, --machine
Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information. Note Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.

--user username
Specify an Active Directory user other than the current user to execute adkeytab. The user must have sufficient rights to read the computer account password. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
--user marie@arcade.com
If you do not specify the --user option, the adkeytab command uses the current user's Kerberos credentials by default. If there are no cached credentials, the adkeytab command uses the Administrator user account.

-p, --password userpassword
Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option or if there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes. Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

[option name missing]
Specify the domain in which this service principal should be added. If you do not specify this option, adkeytab uses the currently joined domain by default.

-s, --server hostname
Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.

-V, --verbose
Display detailed information about the operation being performed.

account-name
Specify the account-name for which you are resetting the key table. If you don't specify an account-name, the adkeytab command resets the key table for the local computer account object in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.
To reset the key table that belongs to the service account mydatabase, you would type a command similar to the following:
adkeytab --reset mydatabase
To specify an Active Directory user account that is not a member of the same domain as the currently joined domain:
adkeytab --reset --user jason@arcade.com mydatabase
You are then prompted to provide the password for the jason@arcade.com account.
--delspn
Remove a service principal from an existing account in Active Directory and remove its keys from the account's keytab file.

--principal principal
Specify a service principal to remove from the specified key table. You must specify at least one service principal. To specify multiple service principals, use this option multiple times. For principal, type the service type of the service principal you want to delete. You can specify the principal by:
Service type alone (http)
Service type and the host name or alias (http/firefly)
Service type and the fully-qualified domain name (http/firefly.arcade.com)
If you use the service type alone, the adkeytab command removes all service principal names that start with the specified service type. If you specify the service type with either a long or short host name, the adkeytab command only removes the exact principal name specified. Note If the service account name is different from the host name, you should have a DNS alias for the service account name that resolves to the host name of the computer. This allows you to have multiple service principals of the same type on the same computer, for example, multiple database services.

-m, --machine
Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information. Note Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.

--user username
Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to delete a service principal from the account object in Active Directory. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
--user marie@arcade.com
If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.

-p, --password userpassword
Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option or if there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes. Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

--keytab filename
Specify the name and location of the keytab file for the account.

[option name missing]
Specify the domain in which this service principal should be added. If you do not specify this option, adkeytab uses the currently joined domain by default.

-s, --server hostname
Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.

-U, --upn userPrincipalName
Specify the userPrincipalName attribute for the account in Active Directory. Note For user service accounts, you only need to set this option if you want the userPrincipalName to be different from the default user@REALM setting.

-V, --verbose
Display detailed information about the operation being performed.

account-name
Specify the account-name from which you are removing a service principal. If you don't specify an account-name, adkeytab removes the service principal from the computer account object in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.
To remove the service principal oracle_d1 from the key table that belongs to the service account berlin_db, you would type a command similar to the following:
adkeytab --delspn --principal oracle_d1 berlin_db
proceed, the command then removes the keytab file and any related keys in the centrifydc.conf file. You can use the --force option to skip checking for missing components and force the adkeytab command to proceed silently with the delete operation. To use this command to delete service accounts, you must specify a user with sufficient rights to remove account objects in Active Directory, and key tables and related keys in the centrifydc.conf file on the local computer. The basic syntax for removing service accounts from Active Directory using the adkeytab command is:
adkeytab --delete [options] account-name

--delete
Remove a service account object from Active Directory and remove its key table and all related key entries from the centrifydc.conf file.

--keytab filename
Specify the full path to the keytab file you want to remove. This setting is optional because the information is usually found in the Centrify DirectControl configuration file (centrifydc.conf). If the keytab files are not defined in centrifydc.conf, however, you can use this option to identify the keytab file to remove.

[option name missing]
Specify the domain in which this service principal should be added. If you do not specify this option, adkeytab uses the currently joined domain by default.

-s, --server hostname
Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.

-m, --machine
Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information. Note Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.

--user username
Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to delete account objects in Active Directory. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
--user marie@arcade.com
If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.

-p, --password userpassword
Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option or if there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes. Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-f, --force
Skip any checking for missing components and proceed with the delete operation, ignoring any errors encountered.

-V, --verbose
Display detailed information about the operation being performed.

account-name
Specify the account-name of the service account you want to remove.
To remove the service account berlin_db, you would type a command similar to the following:
adkeytab --delete --user oracleadm berlin_db
If you are using Windows Server 2008 domain functional level, the following additional encryption types are supported:
aes128-cts
aes256-cts
For more information about configuring the supported encryption types using group policy, see the Group Policy Guide. For more information about configuring encryption types using configuration parameters in the centrifydc.conf file, see the Configuration Parameters Reference Guide.
Error number and name: Indicates
(number and name missing) The encryption type specified is not valid or not supported. Check the list of supported encryption types, then try rerunning the command.
157 ERR_KEYTAB_NOT_ABSOLUTE_PATH: The key table name you specify must be an absolute path, starting with the root directory (/). Verify the full path to the keytab file, then try rerunning the command.
158 ERR_KEYTAB_EXISTS: The keytab file specified already exists.
159 ERR_KEYTAB_ILLEGAL: The keytab file name or path contains illegal or invalid characters.
160 ERR_CHG_OWNERSHIP_FAILED: The attempt to change ownership of the keytab file failed.
161 ERR_CHG_MODE_FAILED: The attempt to change permissions to 0600 for the keytab file failed.
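The keytab-related errors above (absolute path, legal name, mode 0600) are conditions a wrapper script can test before adkeytab runs, and the 0600 check is also a useful periodic audit of existing key tables, since a world-readable keytab exposes the service's long-term key. The following shell functions are an added example, not part of the Centrify documentation or product; they mirror the documented error numbers in their return codes, assume the POSIX portable filename character set as the definition of a legal name, and operate on a constructed temporary file rather than a real keytab.

```shell
#!/bin/sh
# Added example, not from the Centrify documentation. A wrapper can run these
# checks before calling adkeytab so that the keytab-related failures listed
# above (157, 159, 161, 169) are caught with a clear message first.
# Return codes deliberately mirror the documented error numbers.

# Usage: check_keytab_path PATH  -> 0 ok, 157 not absolute, 159 illegal name
check_keytab_path() {
    case "$1" in
        "")  echo "keytab path is empty (ERR_KEYTAB_ILLEGAL)" >&2; return 159 ;;
        /*)  ;;
        *)   echo "$1: must be an absolute path (ERR_KEYTAB_NOT_ABSOLUTE_PATH)" >&2; return 157 ;;
    esac
    # Assumption: only the POSIX portable filename characters and '/' are legal.
    case "$1" in
        *[!A-Za-z0-9._/-]*)
            echo "$1: illegal characters in keytab name (ERR_KEYTAB_ILLEGAL)" >&2; return 159 ;;
    esac
    return 0
}

# Usage: check_keytab_mode PATH -> 0 if the file exists with mode exactly 0600,
# 169 if it is missing, 161 if the mode is anything else
check_keytab_mode() {
    if [ ! -f "$1" ]; then
        echo "$1: keytab missing (ERR_KETTAB_CORRUPTED)" >&2; return 169
    fi
    # find -perm with an exact (unprefixed) mode matches that mode only.
    if [ -z "$(find "$1" -prune -perm 600 -print)" ]; then
        echo "$1: mode is not 0600 (ERR_CHG_MODE_FAILED)" >&2; return 161
    fi
    return 0
}

# Demonstration on a constructed temporary file (no real keytab is touched).
DEMO_DIR=$(mktemp -d)
DEMO_KEYTAB="$DEMO_DIR/oracle_hr.keytab"
: > "$DEMO_KEYTAB"
chmod 644 "$DEMO_KEYTAB"          # world-readable: the key material would be exposed
check_keytab_mode "$DEMO_KEYTAB" || echo "fix with: chmod 0600 $DEMO_KEYTAB"
chmod 600 "$DEMO_KEYTAB"
check_keytab_mode "$DEMO_KEYTAB" && echo "keytab mode ok"
check_keytab_path etc/krb5/oracle_hr.keytab || echo "relative path rejected"
check_keytab_path /etc/krb5/oracle_hr.keytab && echo "absolute path accepted"
```

Run check_keytab_mode over every keytab path listed in centrifydc.conf as a scheduled job; any non-zero result is worth investigating, because adkeytab sets 0600 on creation and a later change means something else touched the file.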
(number and name missing) The Active Directory object, keytab file, and account configuration keys were not found.
163 ERR_NOT_FIND_ACC_COMPONENT: Some account components were not found.
164 ERR_DEAD_LOCK: The centrifydc.conf file may be locked by another process. Try manually removing the lock by deleting centrifydc.conf.lck, then rerun the command.
165 ERR_NO_KEYTAB_WITH_ACC: You must associate one keytab file with one Active Directory account.
166 ERR_SPN_EXISTS: The service principal name (SPN) specified is not unique in the forest. Rerun the command using a unique service principal name.
167 ERR_DEL_SPN_FAILED: The attempt to delete a service principal name failed.
168 ERR_SRV_ACC_NOT_HAVE_COMPUTER_NAME: The service account specified includes a computer name.
169 ERR_KETTAB_CORRUPTED: The keytab file is corrupted or has been removed.
170 ERR_NEED_NEW_PASSWD: You have not specified a password for updating the local keytab file. The --local option requires you to specify the account's new password.
(number and name missing) The distinguished name (dn) specified is invalid. If you encounter this error, the container path may be missing one or more attributes. Verify the full path, then rerun the command.
172 ERR_REPLICATION_ERRONEOUS: An unexpected referral response was received. This error is usually caused by an erroneous replication object in Active Directory.
173 ERR_NOT_FIND_DC: The domain controller for the specified domain could not be found or is unavailable.
Using adsmb
The adsmb command allows you to perform various file operations, such as getting a file, writing a file, or displaying the contents of a directory, using the Centrify DirectControl SMB stack. You can run this command using your log-on credentials or using the credentials for the local computer account. To use the local computer's credentials, you must have root-level permission. You can specify the domain controller to use, or use the nearest domain controller for the joined domain.
Note
You can use this command in conjunction with group policies to copy files and directories to and from Windows file shares.
The basic syntax for the adsmb program is:
adsmb file_operation -s share [-c credentials] [-m] [-C] [-T] [-h [hostname]] [-r remote_file] [-l local_file]
The valid file_operations are get, getnew, put, putnew, dir, delete, mkdir, and rmdir.
get
Get one or more files from a specified share.

getnew
Get one or more files if the copy of the file on the specified share is newer than the local copy of the file.

put
Put one or more files into the specified share.

putnew
Put one or more files if the local copy of the file is newer than the copy of the file on the specified share.

dir
List the contents of a directory.

delete
Delete one or more files.

mkdir
Create a new directory.

rmdir
Remove a directory.

-s share
Specify the share name.

-c credentials
Specify the credentials to use in performing the selected operation.

-m
Use the local computer's credentials.

-C
Convert carriage return line feeds (CRLF) in a file to line feeds (LF).

-T
Display the timestamp information in a computer-readable format. By default, the adsmb command displays timestamp information in a human-readable format.

-h [hostname]
Specify the host name of an Active Directory domain controller. If you don't specify a host name with this option, the command uses the nearest domain controller for the joined domain.

-r remote_file
Specify the remote file or directory to work with. You can use forward slashes in remote file names.

-l local_file
Specify the local file or directory to work with.
To get the file autorun.bat from the system volume (sysvol) of the nearest domain controller using the computer credentials and place it in the local /tmp directory, you would type a command similar to the following:
sudo adsmb get -s sysvol -m -r arcade.com/lab/autorun.bat -l /tmp/autorun.bat
Using adsetgroups
The adsetgroups command enables you to view or change the list of groups available for the current user. The basic syntax for the adsetgroups program is:
adsetgroups [-a, --all] [-l, --list] [-r, --required] [-o, --optional] [-m, --samname] [-n, --number] [-R, --remove] [-c, --clear] [-i, --init] [-s, --save] [-q, --quiet] [-v, --version] group
On most UNIX systems, a user can only be a member of a limited number of groups at once. Because of this limitation, it is useful to be able to change a user's group membership to add and remove groups when necessary. The adsetgroups command allows you to dynamically manage the set of Active Directory groups that are available to a UNIX account. If you run the adsetgroups command with no arguments, it displays the current group list for the current user. If you specify a list of groups on the command line, those groups are added to or removed from the user's current group list, and a new shell is invoked.
To add or remove groups, the local computer must be joined to a domain and zone. If you specify that membership in a specific group is required in a zone, that group cannot be removed from the currently active set of groups. Any time the list of groups is changed, for example by using the --init or --clear option or by specifying a list of group names to add or remove on the command line, a new shell is created.
-a, --all
Display all the Active Directory groups that the current user is a member of.

-l, --list
Display the current set of supplementary groups for the current UNIX user account.

-r, --required
Display only the required groups.

-o, --optional
Display only the groups that are not required.

-m, --samname
Display the samAccountName attribute for the group instead of the group's UNIX group name.

-n, --number
Display the group identifier (GID) value for the group.

-R, --remove
Remove all of the specified groups from the currently active set of groups. This option creates a new shell.

-c, --clear
Start with an empty list of groups. If you have previously saved a list of groups, you can use this option to clear the existing list and specify a different set of groups. For example, to replace an existing set of groups with the single group athena, you would run a command similar to the following:
adsetgroups --clear athena
This command would change the list of groups for the user to be the single group athena unless some of the user's other groups have been marked as required. This option creates a new shell.

-i, --init
Start with the last saved list of groups. This option creates a new shell.

-s, --save
Save the current list of groups. This option sets the default list of groups for the current user when the user logs on. The saved list of groups is used when you run the adsetgroups command with the --init option.

-q, --quiet
Suppress any warning or new shell messages.

-v, --version
Display version information for the installed software.

group
List the groups to add or remove.
To add the groups delta1 and portland_lab to the current set of groups, and save this list as the default for the current user, you would type a command similar to the following:
adsetgroups --save delta1 portland_lab
To remove the groups oxford and westlake from the current set of groups for the current user, you would type a command similar to the following:
adsetgroups --remove oxford westlake
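The per-process supplementary group limit that motivates adsetgroups is something you can measure on the system itself, which helps decide whether a user actually needs to swap groups in and out. The shell functions below are an added example and are not part of the Centrify documentation or product; they assume Linux exposes the limit in /proc/sys/kernel/ngroups_max and that other systems report it through getconf NGROUPS_MAX, falling back to the POSIX minimum of 8 where neither is available.

```shell
#!/bin/sh
# Added example, not from the Centrify documentation. adsetgroups exists
# because a process can only carry a limited number of supplementary groups;
# these helpers report the limit on the running system and whether a given
# number of extra groups would still fit in the current user's set.

# Usage: group_limit -> prints the maximum number of supplementary groups.
# Assumptions: Linux /proc value first, then getconf, then the POSIX minimum.
group_limit() {
    cat /proc/sys/kernel/ngroups_max 2>/dev/null \
        || getconf NGROUPS_MAX 2>/dev/null \
        || echo 8
}

# Usage: active_group_count [USER] -> number of groups in the current set
# (the same set that adsetgroups --list displays for the current user)
active_group_count() {
    if [ -n "$1" ]; then id -G "$1"; else id -G; fi | wc -w | tr -d ' '
}

# Usage: can_add_groups GROUP... -> 0 if the current set plus GROUP... stays
# within the limit, 1 if something would have to be removed first
can_add_groups() {
    limit=$(group_limit)
    used=$(active_group_count)
    if [ $(( used + $# )) -gt "$limit" ]; then
        echo "current set has $used groups; adding $# would exceed NGROUPS_MAX=$limit" >&2
        return 1
    fi
    echo "ok: $used groups in use, $# to add, limit $limit"
    return 0
}

# Example run with the group names used in this section (constructed input).
can_add_groups delta1 portland_lab
```

On current Linux kernels the limit is large enough that the check passes almost always; on older UNIX systems with a limit of 16 or 32 it is exactly the case where adsetgroups --clear or --remove has to be used before adding more groups.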
Error name
ERR_SETUID
Using adclient
Most Centrify DirectControl operations are managed by the central daemon process adclient. This daemon is automatically started when the system is first booted. The daemon generally remains running as long as the computer is powered up so that it can handle all of the authentication and authorization interaction between Active Directory and the UNIX shell programs or Web applications that need this information. Although you can run adclient directly from the command line to control the operation of the Centrify DirectControl Agent on a local computer, it is recommended that you do so only under the direction of Centrify support. Typically, you should start and stop adclient from a startup script; see Using the startup script on page 476.
Notes
On AIX computers, you cannot start adclient directly from the command line. On AIX, you should use the centrifydc startup script or the system resource controller commands, such as startsrc, stopsrc, and lssrc. For example, to start adclient with the -d and -F options on AIX, you can use a command such as:
startsrc -s centrifydc -a -d -F
The basic syntax for running adclient at the command line is:
adclient [-x] [-d] [-F]
-x
Stop the Centrify DirectControl Agent if it is currently running.

-d
Set the Centrify DirectControl Agent to run in debug mode when it is restarted.

-F
Flush the Active Directory cache when the Centrify DirectControl Agent is restarted.

-M
Enable in-memory logging of Centrify DirectControl Agent operations.
For example, to flush the cache when the Centrify DirectControl Agent starts:
adclient -F
To manually start the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc start
To manually stop the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc stop
To manually stop then restart the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc restart
You can also check whether the daemon is currently running or stopped. To view the current status of the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc status
Using adcache
The adcache command enables you to manually clear the local Centrify DirectControl cache on a computer. You can use this command to dump all cache files or a specific cache file. You can also use the command to check a cache file for a specific key value and to reclaim disk space. By default, the program dumps all cache files. Before running adcache, you should stop the adclient process using the following command:
/usr/share/centrifydc/bin/centrifydc stop
The adcache command also accepts an option that specifies the full path to the cache file you want to check or clear, and an option that checks the Centrify DirectControl cache for a specific key value. The remaining options are:

Use this option   To do this
-q, --quiet       Run the command without displaying any output. This option is useful for running the command as a scheduled maintenance job.
-r, --reorg       Reorganize the Centrify DirectControl cache and index files and recover disk space used by negative items. To use this option, you must run the adcache command as root. If you use this option, adcache stops and restarts the adclient process.
153,
_PwSync(s):altSecurityIdentities,
_SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
_ShellEnabled(s):True,
_Uid(s):504,
_UnixName(s):andre,
_dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org,
_extendedObjUSN(s):127065,
_groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>, <GUID=2d7305a27dfc884eb95ed5d4404a9016>,<GUID=d663e7d2088e6c4d8d89c0919f4a2b6e>,
_hashTimestamp(s):1190416207,
_maxPwdAge(s):-1,
_minPwdAge(s):128323800679025000,
_objectCategory(s):Person,
_pacGroups(s):0105000000000005150000009447c1d70eac103d99d0639e94040000,0105000000000005150000009447c1d70eac103d99d0639e00020000,0105000000000005150000009447c1d70eac103d99d0639e01020000,
_passwordHash(s):b450a7940716ea44d980322df1773b10,
_passwordSalt(s):$1$wJkhxUEB$,
_server(s):ginger.ajax.org,
_userPrincipalName(s):andre@AJAX.ORG,
accountExpires(s):9223372036854775807,
cn(s):Andre Garcia,
displayName(s):Andre Garcia,
msDS-KeyVersionNumber(s):3,
name(s):Andre Garcia,
objectCategory(s):CN=Person,CN=Schema,CN=Configuration,DC=ajax,DC=org,
objectClass(s):top,person,organizationalPerson,user,
primaryGroupID(s):513,
pwdLastSet(s):-1,
sAMAccountName(s):andre,
uSNChanged(s):1,
userAccountControl(s):512,
userPrincipalName(s):andre@ajax.org,
----------------------------------------------------------
To reorganize the Centrify DirectControl cache and index files and recover disk space used by negative items, you would run the following command:
adcache --reorg
You should run the adcache --reorg command on a regular basis in a cron job to remove negative results and to prevent the cache from consuming too much disk space. Depending on how quickly the size of the Centrify DirectControl cache tends to increase in your environment, you may want to schedule this command to run approximately once a week.
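The dump record shown above contains the cached password hash and salt used for offline logon, so a dump should not leave the host as-is when it is shared for troubleshooting. The following Python helper is an added example, not code from the Centrify guide: it splits one dump record into attribute/value pairs at the "name(s):" markers (so DNs and GUID lists that contain commas stay whole), reports which credential attributes are present, and produces a redacted copy. The sample record is constructed from a few of the attributes shown above.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the adcache dump record shown above, cut down
# to a few of its attributes.
SAMPLE_RECORD = (
    "_SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153, "
    "_ShellEnabled(s):True, _Uid(s):504, _UnixName(s):andre, "
    "_dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org, "
    "_groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>, "
    "<GUID=2d7305a27dfc884eb95ed5d4404a9016>, "
    "_passwordHash(s):b450a7940716ea44d980322df1773b10, "
    "_passwordSalt(s):$1$wJkhxUEB$, _server(s):ginger.ajax.org, "
    "sAMAccountName(s):andre, userPrincipalName(s):andre@ajax.org, "
    "----------------------------------------------------------"
)

# An attribute marker looks like "_UnixName(s):" or "msDS-KeyVersionNumber(s):".
_ATTR = re.compile(r"([A-Za-z_][\w-]*)\(s\):")
# The record ends with a line of dashes, optionally preceded by a comma.
_TERMINATOR = re.compile(r",?\s*-{10,}\s*$")
# Attributes that hold credential material for offline logon.
SENSITIVE = {"_passwordHash", "_passwordSalt"}


def parse_record(record: str) -> Dict[str, str]:
    """Split one dump record into attribute -> value.

    The split happens at the 'name(s):' markers rather than at commas, so
    values that contain commas themselves (DNs, GUID lists, PAC group lists)
    are returned whole.
    """
    record = _TERMINATOR.sub("", record)
    markers = list(_ATTR.finditer(record))
    parsed: Dict[str, str] = {}
    for n, marker in enumerate(markers):
        end = markers[n + 1].start() if n + 1 < len(markers) else len(record)
        value = record[marker.end():end].strip().rstrip(",").strip()
        parsed[marker.group(1)] = value
    return parsed


def sensitive_attributes_present(parsed: Dict[str, str]) -> List[str]:
    """Names of credential attributes found in the record, sorted."""
    return sorted(name for name in parsed if name in SENSITIVE)


def redact(parsed: Dict[str, str], mask: str = "<redacted>") -> Dict[str, str]:
    """Copy of the record with credential material masked, for example before
    a dump is attached to a support case."""
    return {name: (mask if name in SENSITIVE else value)
            for name, value in parsed.items()}


if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    print("credential attributes:", sensitive_attributes_present(record))
    for name, value in redact(record).items():
        print(f"{name}: {value}")
```

The same parser applies to a full record such as the one above; only the two attributes in SENSITIVE are masked, so the SID, DN and group data that support troubleshooting stay readable.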
Error name           Indicates
157                  The Centrify DirectControl Agent is currently running. You should stop the adclient process, then attempt to rerun the command.
ERR_CACHE_CORRUPT    The cache may be corrupt.
Using adreload
The adreload command enables you to force the Centrify DirectControl Agent (adclient) to reload configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory. Running this command enables changes made to the configuration properties to take effect without restarting the adclient process. Running adreload, however, does not reload the properties set with the following configuration parameters:
adclient.ldap.timeout
adclient.ldap.socket.timeout
adclient.udp.timeout
adclient.clients.threads
adclient.clients.threads.max
adclient.use.all.cpus
adclient.clients.listen.backlog
adclient.dumpcore
For the configuration parameters listed above, you must restart the adclient process for changes to take effect. The basic syntax for running the adreload program is:
adreload
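As an added example (not code from the Centrify guide), the following Python helper compares a saved copy of centrifydc.conf with the edited version and reports whether adreload is sufficient or whether adclient must be restarted, using the restart-only parameter list above. It assumes the file holds one "name: value" setting per line with "#" comment lines; the sample file contents are constructed.

```python
from typing import Dict, Set, Tuple

# Parameters that adreload does not reload (from the list above); a change to
# any of them requires restarting adclient.
RESTART_ONLY = {
    "adclient.ldap.timeout",
    "adclient.ldap.socket.timeout",
    "adclient.udp.timeout",
    "adclient.clients.threads",
    "adclient.clients.threads.max",
    "adclient.use.all.cpus",
    "adclient.clients.listen.backlog",
    "adclient.dumpcore",
}

# Constructed sample configurations; the 'name: value' line format is assumed.
OLD_CONF = """\
# constructed sample of /etc/centrifydc.conf
adclient.ldap.timeout: 7
dzdo.tty_tickets: false
dzdo.passwd_timeout: 5
"""
NEW_CONF_RELOADABLE = OLD_CONF.replace("dzdo.tty_tickets: false",
                                       "dzdo.tty_tickets: true")
NEW_CONF_RESTART = OLD_CONF.replace("adclient.ldap.timeout: 7",
                                    "adclient.ldap.timeout: 15")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'name: value' lines, ignoring blank lines and '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def changed_parameters(old_text: str, new_text: str) -> Set[str]:
    """Names whose value differs between the versions; added or removed
    parameters count as changed."""
    old, new = parse_conf(old_text), parse_conf(new_text)
    return {key for key in set(old) | set(new) if old.get(key) != new.get(key)}


def required_action(old_text: str, new_text: str) -> Tuple[str, Set[str]]:
    """Return ('none' | 'adreload' | 'restart', parameters behind the decision).

    One restart-only parameter among the changes is enough to require a
    restart, because adreload would silently leave it at its old value.
    """
    changed = changed_parameters(old_text, new_text)
    if not changed:
        return ("none", set())
    needs_restart = changed & RESTART_ONLY
    if needs_restart:
        return ("restart", needs_restart)
    return ("adreload", changed)


if __name__ == "__main__":
    for label, new in (("reloadable edit", NEW_CONF_RELOADABLE),
                       ("restart-only edit", NEW_CONF_RESTART)):
        action, params = required_action(OLD_CONF, new)
        print(f"{label}: {action} {sorted(params)}")
```

A deployment script can save the file before editing it, call required_action afterwards, and run /usr/share/centrifydc/bin/centrifydc restart only when the answer is "restart"; otherwise adreload keeps the agent up.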
Using addns
The addns command enables you to dynamically update DNS records on an Active Directory-based DNS server in environments where the DHCP server cannot update DNS records automatically. For example, if you are using an Active Directory-based DNS server configured for secure updates with a router acting as a DHCP server, the router cannot automatically register its DHCP clients with the DNS server because it has no way of establishing a security context that will allow the update. By running the addns command, you can use Kerberos credentials to establish a security context for updating the DNS records in the Active Directory-based DNS server.
With the addns command, you can:
  Create or update a local host's IP addresses in DNS.
  Create or update a specified host's IP addresses in DNS.
  Update pointer records in DNS.
  Remove the local or another host's DNS records.
  Remove the local or another host's IP addresses in DNS.
Note: In most cases, you do not need to use this command if a host's IP address is managed by a Windows-based DNS server and the host obtains its IP address from a Windows-based DHCP server, because the DHCP server updates the DNS record for the host automatically. If you are not using a Windows-based DNS server, you should use nsupdate or a similar command appropriate to the operating environment of the DNS server to update DNS records.
Use this option     To do this
--update            Create or update the IP address (A) and domain name pointer (PTR) records in the DNS server for the local or specified computer host name.
-D, --delete        Remove the DNS records for the local or specified computer host name.
-m, --machine       Use the local computer account's Active Directory credentials to establish a security context with the DNS server.
--user username     Specify an Active Directory user name with sufficient rights to add, update, and delete records in the relevant DNS zones. You must use the username@domain format to specify the user account if the user name is not a member of the joined domain. If you do not specify the --user option, the credentials for the currently logged-on user are used by default. If there are no Kerberos credentials for the current user and you are not using the computer account credentials, the Administrator user account is used to establish the security context.
The option that takes userpassword as its argument specifies the password for the Active Directory user account performing the add, update, or delete operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution. For better security, you should do one of the following instead of specifying the password in the command line:
  Allow the addns command to prompt for the password.
  Use kinit to establish a valid credential cache before running the addns command.
  Use the --machine option to use the computer account credentials to establish the security context.

Use this option              To do this
-s, --server servername      Specify the DNS server to send the DNS update records to. You can use this option more than once to specify multiple DNS servers. If you do not specify this option, the addns program attempts to discover the DNS servers available on its own.
-d, --domain domainname      Specify the fully qualified domain name of the DNS domain to be updated. If you do not specify this option, the DNS domain name for the local host is used.
-n, --name hostname          Specify the name of the host to update IP records for. If you do not specify this option, the local host name is used.
--ipaddr ipaddress           Specify one or more IP addresses to use in the update. You can specify this option multiple times to support multi-homed hosts. If no IP addresses are provided, the addns program attempts to determine the current settings.
A further option displays detailed information about the operation being performed.

Use this option     To do this
-v, --version       Display version information for the installed software.
If there are no valid cached credentials or the current user credentials do not have sufficient permissions to perform the update, you can specify a user name and password to use for the establishment of the security context. For example:
addns --update --user rae@arcade.com
To update the IP addresses for a computer other than the local host, you can specify the host name on the command line. For example, to update the IP addresses in the DNS records for the computer picasso on the DNS server fire.arcade.com using the user rae to establish the security context, you would type a command similar to this:
addns --update --user "rae" --server "fire.arcade.com" --domain "arcade.com" --name "picasso" --ipaddr "172.128.1.25" --ipaddr "172.128.1.26"
To remove the DNS record for a local host using the local computer account's credentials to establish the security context, you would type a command similar to this:
addns --delete --machine
Note: To use the --machine option, you must invoke the addns command as the root user, and the account principal in Active Directory must have sufficient rights to modify records in the relevant DNS zones. Using the computer account credentials is particularly useful when an automated script, such as /sbin/dhclient-script, is used to keep the DNS records up to date.
There are several configuration parameters that can be used to customize the behavior of the addns program. For more information about using configuration parameters and modifying the Centrify DirectControl configuration file, /etc/centrifydc.conf, see the Configuration Parameters Reference Guide.
Error name           Indicates
ERR_NOT_LOCATE_DC    The domain controller could not be located for the domain. If you encounter this problem, you may need to check the server name and IP address of the domain controller and verify that it is properly configured in the DNS server, then rerun the addns command.
Using dzdo
The dzdo command enables a user to execute a privileged command as root or another specified user. The basic syntax for using the dzdo program is:
dzdo [options] command
Note: The dzdo command requires that you are running Centrify DirectControl with a license.
The dzdo program allows an authorized user to execute a command as the superuser or another user in the Active Directory authorization store. The dzdo program provides functionality that is similar to the UNIX sudo command, except its privileged commands are defined in the Centrify DirectControl Administrator Console and stored in an Active Directory authorization store. In addition, only Active Directory users with a profile in the zone where DirectAuthorize rights and roles are enforced can use dzdo to run commands. You can, however, use dzdo to run privileged commands with either an Active Directory or local user as the target user. If you do not specify a user, dzdo attempts to execute the command as the root user by default. The real and effective UID and GID are set to match those of the target user as specified in the user's UNIX profile.
You can configure privileged commands to require that users authenticate themselves by typing their own account password or the target user's account password. For example, if a privileged command right is configured in DirectAuthorize to run as the root user and to authenticate using the target user's password, running the command requires the user to know and enter the root password. Once authenticated, the user may then run dzdo privileged commands without re-entering a password for a short period of time. By default, the password timeout is 5 minutes but can be modified by specifying a different value with the dzdo.password_timeout configuration parameter in the centrifydc.conf file. You can use the -v option with dzdo to update the time stamp without running a command. The password prompt itself will also time out if the user's password is not entered within the password timeout interval.
The dzdo program determines who is an authorized user by consulting the Active Directory authorization store maintained by DirectAuthorize. If a user who is not authorized tries to run a privileged command using dzdo, a warning message is displayed, except in the case where unauthorized users try to run dzdo with the -l or -v flags. This allows users to determine for themselves whether or not they are allowed to use dzdo.
The dzdo program logs both successful and unsuccessful command execution attempts to the syslog authpriv facility, or the auth facility if the authpriv facility is not supported on the platform. Unsuccessful command executions are logged as errors and include the name of the user who attempted the execution, the user the unsuccessful execution ran as, and the command the user attempted to run.
Using dzedit
The dzedit program enables you to edit a file as another user. It is similar to using dzdo with the -e option. The basic syntax for using the dzedit program is:
dzedit [options] file
To use the dzedit program, you must have a role with permission to run dzedit as a privileged command or as an allowed restricted environment command. You can configure the right to run dzedit using the DirectAuthorize tab in the Centrify DirectControl Administrator Console. If a user is granted permission to run dzedit by DirectAuthorize, the program does the following when invoked:
  Creates temporary copies of the files to be edited with the file owner set to the invoking user.
  Starts the editor specified by the VISUAL or EDITOR environment variable to edit the temporary files. If neither environment variable is set, the dzedit program uses the editor listed in the editor sudoers variable. If the specified file does not exist, it is created.
  If the files are modified, dzedit copies the temporary files back to their original location and the temporary versions are removed. If dzdo is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain as a temporary file.
Unlike most dzdo commands, the dzedit program is run with the invoking user's environment unmodified.
Note: The dzedit program makes temporary copies of the files to be edited before invoking the editor to prevent users from issuing a shell escape in the editor that would then allow the user to run any command as the target user. Because dzedit edits the temporary file and then replaces the original file after editing, users can't use a shell escape in an editor to open a new shell and run any command as the target user.
You can use the following options with dzdo. dzdo also has an option that preserves the user's group membership unaltered: by default, dzdo sets the group membership to the list of groups the target user is in, while the real and effective group IDs are still set to match the target user; that option overrides the Preserve group membership option for a privileged or restricted environment command in the Centrify DirectControl Administrator Console.

Use this option   To do this
-b                Run the specified command in the background. Note that if you use the -b option, you cannot use shell job controls to manipulate the process.
-e file           Edit one or more specified files rather than running a command. Note: This option is the same as using the dzedit program.
-H                Set the HOME environment variable to the home directory of the target user (root by default) as specified in the user's UNIX profile. By default, dzdo does not modify HOME, but you can change the default behavior by setting the dzdo.always_set_home or dzdo.set_home configuration parameters in the centrifydc.conf configuration file. Note: This option has no effect if you select the Reset environment variables option for a privileged or restricted environment command in the Centrify DirectControl Administrator Console.
-h                Display the usage message for the dzdo command.
-i                Run the login shell for the user the command is being run as. This option simulates an initial login by changing to the target user's home directory, invoking a shell, setting the HOME, SHELL, USER, LOGNAME, and PATH environment variables, and unsetting all other environment variables.
-K                Remove the user's login timestamp entirely. This option does not require a password. After using this option, however, the next time the user attempts to run dzdo, the program will prompt for a password.
-k                Invalidate the user's login timestamp by setting the time on it to the epoch. This option does not require a password. After using this option, however, the next time the user attempts to run dzdo, it will prompt for a password. This option allows a user to revoke dzdo permissions from a .logout file.
-l                List the allowed and forbidden commands for the current user on the local host computer.
-p prompt         Override the default password prompt and use a custom one. The following percentage (%) escapes are supported: %u expands to the invoking user's login name; %U expands to the login name of the target user the command will run as (for example, root by default); %h expands to the local computer's host name without its domain name; %H expands to the local computer's host name including the domain name; %% collapses into a single % character. You can use this option with dzdo or dzedit.
-S                Read the password from standard input instead of the terminal device. You can use this option with dzdo or dzedit.
-s                Run the shell specified by the SHELL environment variable, if it is set, or the shell specified in the user's UNIX profile.
-u user           Run the specified command as a user other than root. Note: The dzdo command will recognize any user name that is an equivalent of the user name specified for the command to be run. For example, if permission is given to bob.smith (the Active Directory name) to run adinfo as a privileged command, and bob.smith has a UNIX profile name, for example, bsmith, you can specify bsmith when you use dzdo to run adinfo:
                  dzdo -u bsmith adinfo
                  To specify a user by UID instead of the user's login name, use '#uid'. For example, to run adquery as a privileged command and as the user with the numeric UID of 101, you could type a command similar to the following (be certain to put single quotes around #uid):
                  dzdo -u '#101' adquery
-V                Display version information for the installed software, including the version of the UNIX sudo program that dzdo is based on.
-v                Validate and update the user's login timestamp, prompting for the user's password if necessary. This option extends the dzdo timeout for another 5 minutes or the timeout period set in the centrifydc.conf configuration file. This option does not run a command.
VAR=value         Pass environment variable values to the command you are running as part of the dzdo command line. Note: This option has no effect if you select the Reset environment variables option for a privileged or restricted environment command in the Centrify DirectControl Administrator Console.
--                Stop processing command line arguments. This is most useful when used in conjunction with the -s option.
To prevent command spoofing, dzdo checks the current directory last when searching for a command in the users PATH. You should note, however, that the actual PATH environment variable is not modified and is passed unchanged to the program that dzdo attempts to execute.
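The search order described above can be shown with a small Python model; this is an added example and not Centrify's implementation. resolve_command walks the PATH entries but visits "." and empty entries last, so a program of the same name placed in the working directory does not shadow the system copy even when PATH lists the current directory first. The demo builds a constructed directory layout in a temporary directory and compares a plain first-match search with the dzdo order.

```python
import os
import tempfile
from typing import Dict, List, Optional


def search_order(path_env: str, defer_cwd: bool = True) -> List[str]:
    """Split PATH into entries. With defer_cwd, the entries that mean the
    current directory ('.' or an empty entry) are moved to the end, which is
    the order the text says dzdo uses. PATH itself is not modified."""
    entries = path_env.split(os.pathsep)
    if not defer_cwd:
        return entries
    cwd_entries = [e for e in entries if e in ("", ".")]
    others = [e for e in entries if e not in ("", ".")]
    return others + cwd_entries


def _is_executable(path: str) -> bool:
    return os.path.isfile(path) and os.access(path, os.X_OK)


def resolve_command(cmd: str, path_env: str, cwd: str,
                    defer_cwd: bool = True) -> Optional[str]:
    """Return the file that would run for cmd, or None if it is not found."""
    if os.sep in cmd:
        # An explicit relative or absolute path is not searched in PATH.
        candidate = cmd if os.path.isabs(cmd) else os.path.join(cwd, cmd)
        return candidate if _is_executable(candidate) else None
    for entry in search_order(path_env, defer_cwd):
        directory = cwd if entry in ("", ".") else entry
        candidate = os.path.join(directory, cmd)
        if _is_executable(candidate):
            return candidate
    return None


def demo() -> Dict[str, bool]:
    """Constructed scenario: PATH lists the current directory first, and the
    working directory contains its own program named 'ls'."""
    with tempfile.TemporaryDirectory() as root:
        system_bin = os.path.join(root, "bin")
        workdir = os.path.join(root, "scratch")
        for directory in (system_bin, workdir):
            os.makedirs(directory)
            program = os.path.join(directory, "ls")
            with open(program, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(program, 0o755)
        path_env = os.pathsep.join([".", system_bin])
        return {
            "plain_search_picks_cwd":
                resolve_command("ls", path_env, workdir, defer_cwd=False)
                == os.path.join(workdir, "ls"),
            "dzdo_order_picks_system":
                resolve_command("ls", path_env, workdir)
                == os.path.join(system_bin, "ls"),
            "missing_command_is_none":
                resolve_command("nosuchcmd", path_env, workdir) is None,
        }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The model also makes the caveat in the text visible: only the lookup order changes, and the program that finally runs still receives the caller's original PATH.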
timestamp with a bogus date on systems that allow users to change file ownership.

Use this parameter       To do this
dzdo.always_set_home     Set the HOME environment variable to the home directory of the target user (for example, root unless the -u option is used). This effectively means that the -H flag is always implied. The parameter value can be true or false. The default value is false.
A further configuration parameter lists the environment variables to check for the special characters % or / in the value; variables on that list whose values contain those characters are removed from the user's environment regardless of whether you have selected the Reset environment variables option for the command in the Centrify DirectControl Administrator Console. The default list of variables to check is displayed when you run the dzdo -V command as root. You can customize the list by modifying this configuration parameter in the centrifydc.conf file. The parameter value can be a comma-separated list of environment variable names.

Use this parameter    To do this
dzdo.env_keep         Specify the default list of environment variables to preserve in the user's environment. This configuration parameter only applies if you have selected the Reset environment variables option for the command in the Centrify DirectControl Administrator Console. The variables specified with this parameter are preserved in addition to the default list of variables displayed when you run the dzdo -V command as root. The parameter value can be a comma-separated list of environment variable names.
dzdo.env_delete       Specify the default list of environment variables to be removed from the user's environment. This configuration parameter only applies if you have selected the Remove unsafe environment variables option for the command in the Centrify DirectControl Administrator Console. The variables specified with this parameter are removed in addition to the default list of variables displayed when you run the dzdo -V command as root. The parameter value can be a comma-separated list of environment variable names.
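The following Python model is an added example (not Centrify's code) covering two of the behaviors described in this section: the -p prompt escapes from the option table, and the environment handling of the check, keep and delete lists above. The default lists are constructed stand-ins, since the real defaults printed by dzdo -V are not reproduced here, and the sample environment is constructed.

```python
import re
from typing import Dict, Iterable

_ESCAPES = re.compile(r"%(.)")


def expand_prompt(prompt: str, invoking_user: str, target_user: str,
                  fqdn: str) -> str:
    """Expand the %u, %U, %h, %H and %% escapes of the -p option.
    A single left-to-right pass keeps '%%u' from being expanded twice."""
    short_host = fqdn.split(".", 1)[0]
    table = {"u": invoking_user, "U": target_user,
             "h": short_host, "H": fqdn, "%": "%"}

    def replace(match: "re.Match[str]") -> str:
        # Unknown escapes are left exactly as typed.
        return table.get(match.group(1), match.group(0))

    return _ESCAPES.sub(replace, prompt)


# Constructed stand-ins for the default lists that "dzdo -V" prints as root.
DEFAULT_ENV_CHECK = ("TERMCAP", "LC_ALL", "TZ")
DEFAULT_ENV_KEEP = ("HOME", "PATH", "TERM", "LANG")
DEFAULT_ENV_DELETE = ("LD_PRELOAD", "LD_LIBRARY_PATH", "IFS")

# Constructed environment of an invoking user.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "PATH": "/usr/bin:/bin",
    "TERM": "xterm",
    "EDITOR": "vi",
    "TZ": ":/usr/share/zoneinfo/Europe/Rome",  # on the check list, contains '/'
    "LD_PRELOAD": "/usr/local/lib/trace.so",   # on the delete list
}


def sanitize_environment(env: Dict[str, str], reset_env: bool = False,
                         remove_unsafe: bool = False,
                         env_check: Iterable[str] = (),
                         env_keep: Iterable[str] = (),
                         env_delete: Iterable[str] = ()) -> Dict[str, str]:
    """Apply the three lists in the order the text describes.

    reset_env models the Reset environment variables option (env_keep applies),
    remove_unsafe models the Remove unsafe environment variables option
    (env_delete applies). The check list is applied in every case."""
    check = set(DEFAULT_ENV_CHECK) | set(env_check)
    result = {name: value for name, value in env.items()
              if not (name in check and ("%" in value or "/" in value))}
    if reset_env:
        allowed = set(DEFAULT_ENV_KEEP) | set(env_keep)
        result = {n: v for n, v in result.items() if n in allowed}
    if remove_unsafe:
        banned = set(DEFAULT_ENV_DELETE) | set(env_delete)
        result = {n: v for n, v in result.items() if n not in banned}
    return result


if __name__ == "__main__":
    print(expand_prompt("[dzdo] %u as %U on %h: ", "alice", "root",
                        "web01.example.org"))
    print(sorted(sanitize_environment(SAMPLE_ENV, reset_env=True,
                                      env_keep=("EDITOR",))))
```

Note that HOME and PATH survive the check step even though their values contain "/": only variables on the check list are inspected, which is why the list is worth reviewing against dzdo -V on each platform.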
Use this parameter       To do this
dzdo.set_home            Set the HOME environment variable to the home directory of the target user when the -s option is used. The parameter value can be true or false. The default value is false.
dzdo.path_info           Specify whether the dzdo program should inform the user when it cannot find a command in the user's PATH. By default, the parameter value is true and the program will display an error statement indicating that the command could not be found in the user's PATH. You can set this configuration parameter to false if you want to prevent dzdo from indicating whether a command was not allowed or simply not found.
dzdo.lecture             Control whether dzdo displays a warning message about using the program before displaying the password prompt. The valid parameter values are: once, to display the warning message only the first time the command is run; never, to never display a warning message; always, to display the warning message every time the program is invoked. The default value is once.
dzdo.lecture_file        Specify the full path to a file containing the warning message you want displayed. If this parameter is not set, a default message is displayed.
dzdo.tty_tickets         Require authentication once per tty rather than once per user. The parameter value can be true or false. The default value is false.
dzdo.badpass_message     Specify the message displayed if a user enters an incorrect password. The parameter value can be any text string enclosed by quotation marks. The default value is "Sorry, try again."
dzdo.timestampdir        Specify the directory where dzdo stores user timestamp files. The default directory is /var/run/dzdo.
operations during which a user need not re-authenticate. The default parameter value is 5 minutes.

Use this parameter       To do this
dzdo.passwd_timeout      Specify the number of minutes before the dzdo password prompt times out. The default parameter value is 5 minutes.
For more information about setting configuration parameters in the centrifydc.conf file, see the Configuration Parameters Reference Guide.
To shut down a computer, you would type a command similar to the following:
% dzdo shutdown -r +15 "quick reboot"
To make a usage listing of the directories in the /home partition, you would type a command similar to the following:
% dzdo sh -c "cd /home ; du -s * | sort -rn > USAGE"
Note that this example command line opens a sub-shell (sh) before running the commands that generate the listing. Running the commands in a sub-shell is required to make the cd command and the file redirection work. However, allowing the user to open a new shell as a privileged command can inadvertently give the user root access in the invoked shell and is not recommended in most cases.
Using dzinfo
The dzinfo command displays detailed information about the DirectAuthorize configuration for one or more specified users on the local computer. If you do not specify a user, dzinfo returns information for the currently logged-on user. The basic syntax for the dzinfo command is:
dzinfo [username] [--commands] [--diag] [--pam] [--roles] [--test command] [--verbose] [--all] [--version]
Notes:
  To specify one or more user names on the command line, you must be logged on as root.
  The dzinfo command requires that you are running Centrify DirectControl with a license.
By default, the dzinfo command displays all roles and rights for the specified user, including role availability settings, start or expiration times, and DirectAudit integration. The --commands, --pam, and --roles options are intended to limit the information displayed to a single set of rights. For example, you can use the --pam option to display only the PAM-enabled applications that the specified user is allowed to access. Similarly, the --commands option lists only the commands that the user is allowed to run. The commands listed, however, may be privileged commands that can be invoked using dzdo or commands that are allowed in restricted environments. The --roles option lists only the roles the user has been assigned. If you don't specify one of these options to limit the information displayed, the dzinfo command returns information for all three sets of rights.
Use this option     To do this
username            Specify the Active Directory user, by UNIX profile name or Active Directory name, that you want to display DirectAuthorize details for. You can specify this option multiple times to retrieve and display the information for multiple users. If you don't specify the user name, the command returns information for the currently logged-on user. Note: You must be logged on as root to specify a user name.
-c, --commands      Display only information about the privileged or restricted environment commands the user can run. This option displays all of the commands the user is allowed to run as privileged commands or restricted environment commands.
-d, --diag          Include extended, diagnostic information in the command output. This option is intended for troubleshooting potential problems with the authorization store.
-p, --pam           Display only information about the PAM-enabled applications the user has permission to access.
-r, --roles         Display only the roles to which the specified user is assigned.
Use this option       To do this
-t, --test command    Check whether the specified command can be run by the user using dzdo or in a restricted environment. The command argument must be enclosed by quotation marks and be the full path to a specific executable (a binary or a script). The specified command is then tested both as a privileged command using dzdo and as a restricted environment command for the specified user. You must specify the full path to the command you want to test in order to fully distinguish it from other commands of the same name that may be in your current $PATH. For example, this option enables you to test whether jae_m can run /bin/ls even if root accesses the ls command in /sbin/ls:
                      dzinfo jae_m -t /bin/ls
--verbose             Provide more complete information about the DirectAuthorize configuration in the command output.
-A, --all             Provide the most complete information about the DirectAuthorize configuration in the command output, including information about environment variables.
-v, --version         Display version information for the installed software. This option cannot be combined with any other options.
If roles and rights have been configured for the user, the command displays information similar to the following:
Zone Status: DirectAuthorize is enabled
User: molly
Forced into restricted environment: Yes
Role Name          Avail  Restricted Env
-----------------  -----  ---------------
role-Lab Staff     Yes    rs-lab_staff
PAM Application    Avail  Source Roles
-----------------  -----  ----------------------------
login              Yes    role-Lab Staff
sshd               Yes    role-Lab Staff
gdm                Yes    role-Lab Staff
Privileged commands:
Name             Avail  Command                          Source Roles
---------------  -----  -------------------------------  ----------------
(molly has no privileged command rights)
Commands in restricted environment: rs-lab_staff
Name                    Avail  Command                        Run As
----------------------  -----  -----------------------------  ---------
rs-lab_staff-whoami     Yes    whoami                         self
rs-lab_staff-pwd        Yes    pwd                            self
rs-lab_staff-uname      Yes    uname                          tim
rs-lab_staff-who        Yes    who                            self
rs-lab_staff-groups     Yes    groups                         self
To test whether the user sonya is authorized to run the uname command, you could type a command similar to the following:
dzinfo sonya --test "/usr/bin/adflush"
To display more detailed information, such as the available hours for a role or the user a privileged command should run as in the results, you would type a command similar to the following:
dzinfo jcool --verbose
sshd               Yes    Backup Operator
Privileged commands:
Name           Avail  Command             Path       Run As            Auth  Exec  Source Roles
-------------  -----  ------------------  ---------  ----------------  ----  ----  ----------
(jcool has no privileged command rights)
Commands in restricted environment: BUShell
Name             Avail  Command
---------------  -----  --------------------
ls               Yes    ls
cat              Yes    cat
dzinfo           Yes    dzinfo
cpio             Yes    cpio
tar              Yes    tar
mount            Yes    mount
To only display the privileged and restricted environment commands allowed for the user rex, you would type a command similar to the following:
dzinfo rex --commands
Commands in restricted environment: rs-backup_ops
Name               Avail  Command
-----------------  -----  ----------------------------
rs-backup_ops-tar  Yes    tar
rs-backup_ops-rpm  Yes    rpm
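When auditing what a restricted environment permits across many users, it helps to turn the dzinfo tables above into records. The following Python parser is an added example (not Centrify's code): it locates each "Commands in restricted environment" table, derives the column boundaries from the dashed underline rather than assuming fixed widths, and returns one record per command. The sample output is constructed in the layout shown above, and commands_run_as_other_user picks out the rows whose Run As column names another account.

```python
import re
from typing import Dict, List


def _row(name: str, avail: str, command: str, run_as: str) -> str:
    """Lay out one line in the column widths used by the constructed sample."""
    return f"{name:<22}  {avail:<5}  {command:<29}  {run_as}"


# Constructed sample in the layout of the dzinfo output shown above.
SAMPLE_OUTPUT = "\n".join([
    "Privileged commands:",
    "Name             Avail  Command          Source Roles",
    "---------------  -----  ---------------  ----------------",
    "(molly has no privileged command rights)",
    "Commands in restricted environment: rs-lab_staff",
    _row("Name", "Avail", "Command", "Run As"),
    _row("-" * 22, "-" * 5, "-" * 29, "-" * 9),
    _row("rs-lab_staff-whoami", "Yes", "whoami", "self"),
    _row("rs-lab_staff-pwd", "Yes", "pwd", "self"),
    _row("rs-lab_staff-uname", "Yes", "uname", "tim"),
    _row("rs-lab_staff-who", "Yes", "who", "self"),
    _row("rs-lab_staff-groups", "Yes", "groups", "self"),
    "",
])


def parse_restricted_env_commands(text: str) -> List[Dict[str, str]]:
    """Collect the rows of every 'Commands in restricted environment' table.

    Column spans come from the dashed underline, so the parser works for any
    column widths. The last column is read to the end of the line."""
    lines = text.splitlines()
    rows: List[Dict[str, str]] = []
    i = 0
    while i < len(lines):
        if not lines[i].startswith("Commands in restricted environment:"):
            i += 1
            continue
        if i + 2 >= len(lines):
            break  # header and underline are missing
        env_name = lines[i].split(":", 1)[1].strip()
        header, underline = lines[i + 1], lines[i + 2]
        spans = [(m.start(), m.end()) for m in re.finditer(r"-+", underline)]
        columns = [header[s:e].strip() for s, e in spans]
        i += 3
        while (i < len(lines) and lines[i].strip()
               and not lines[i].startswith("Commands in")):
            line = lines[i]
            values = [line[s:e].strip() if n < len(spans) - 1 else line[s:].strip()
                      for n, (s, e) in enumerate(spans)]
            record = dict(zip(columns, values))
            record["Environment"] = env_name
            rows.append(record)
            i += 1
    return rows


def commands_run_as_other_user(rows: List[Dict[str, str]]) -> List[str]:
    """Names of commands whose Run As column is a user other than 'self'."""
    return [r["Name"] for r in rows if r.get("Run As", "self") not in ("self", "")]


if __name__ == "__main__":
    parsed = parse_restricted_env_commands(SAMPLE_OUTPUT)
    for record in parsed:
        print(record)
    print("run as another user:", commands_run_as_other_user(parsed))
```

Feeding the parser the output of dzinfo username --commands for each user in a zone gives a flat list that can be compared against the intended role design; the Run As check is the first thing to review, since those commands run with another account's privileges.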
The dzinfo command returns an exit code that indicates one of the following:
  Command executed successfully.
  The attempt to execute the command generated unexpected errors.
  The command line contained a usage error.
  Root privilege is required to perform the selected operation.
7 9
Using dzsh
The dzsh restricted environment shell is a customized Bourne shell for DirectAuthorize that provides environment variables, job control, command history, and command access as defined by DirectAuthorize roles. The restricted environment only allows the user to run the specific commands that have been defined in the users assigned DirectAuthorize roles.
Note: The dzsh command requires that you are running Centrify DirectControl with a license.
If a user is assigned to one or more roles with a restricted environment, only one of those roles may be designated as the active role at any point in time, and only the commands defined for that active role are allowed to run. Within the restricted environment, however, the user can change the active role or view information about the roles available by running the role command. The role command allows the user to list, change, and query information about the currently active and available roles.
Although dzsh can be used as the interpreter for a script (for example, #!/usr/bin/dzsh), this is not the intended or recommended usage. Instead, the dzsh shell is intended to function as an interactive shell for restricted environment users. Those users can be given the right to run specific scripts as well as commands, where the scripts should be interpreted by an existing system shell application.
Commands in a restricted environment can be executed as the current user or a specified user. If a command is configured in DirectAuthorize to be executed as a specific user, the dzsh shell automatically reforms the command and executes it as the specified user, without requiring another command, such as sudo, to be used.
Because the shell scripting environment allows these operations, the user can effectively access information that the command set defined for the restricted environment does not allow.
The basic syntax for using the built-in role command is:
role [role_name] [-h] [-l]
If no command line options are specified, running the built-in role command displays the name of the currently active role.
You can use the following options with the role command in a DirectAuthorize restricted environment shell:
Use this option    To do this
role_name          Change the active role to the role_name specified.
-h                 Display the usage message.
-l                 List the available restricted environment roles for the current user.
To list all of the roles for the current user and their status, you would type a command similar to this:
$ role -l
test_lab
web_maint
backup_team
$
If the user attempts to run a command that is not allowed in the current role and restricted environment, the dzsh shell will reject the command. For example:
$ clear
clear: command not allowed
To switch between roles that allow the id command to run as root (in the test_lab role) or the current user (in the backup_team role), you would type the following command to set the active role to test_lab:
$ role test_lab
Role changed to: test_lab
You can then run id in that role and view the results. For example:
$ id
uid=0(root) gid=0(root) groups=10000(samson) context=user_u:system_r:unconfined_t
To change the active role to backup_team, you can type the following command:
$ role backup_team
Role changed to: backup_team
If you run id in the new active role, you will notice the difference in the results. For example:
Using nisflush
The nisflush command can be used to clear the Centrify DirectControl Network Information Service cache on a local computer. The Centrify DirectControl Network Information Service cache stores the NIS maps for network information that are retrieved from Active Directory. The nisflush command requires that you are running DirectControl with a license.
Note
To run the nisflush command, you must be logged in as the root user.
Use this option    To do this
--force            Clear the cache of all data even if the Centrify DirectControl Agent, adclient, is currently disconnected from Active Directory.
-h, --help         Display the usage message.
cache. You can also use this command as part of routine housekeeping to free up disc space. To clear the cache of NIS maps for network information from the Active Directory, you would type:
nisflush
To clear the cache of NIS maps for network information from the Active Directory when the local computer is disconnected from the network, you would type:
nisflush --force
Use this option    To do this
-r                 Use the local machine credentials from the /etc/krb5.keytab file. This option requires root user access.
                   Disable line wrapping when printing out LDIF entries.
The Centrify DirectControl distribution of OpenLDAP also provides extended URL support for Active Directory. With Centrify DirectControl LDAP commands, you can use the following URLs to connect to Active Directory computers:
Use this              To do this
ldap://domain_name    Connect to the appropriate domain controller for the specified domain within the Active Directory site.
ldap://               Connect to the joined domain.
gc://[domain_name]    Connect to the Global Catalog domain controller for the joined domain. You can use the optional domain_name parameter to specify a domain in a different forest.
The Centrify DirectControl distribution of OpenLDAP includes the following commands:
ldapsearch
ldapadd
ldapmodify
ldapmodrdn
ldapcompare
ldapdelete
The ldappasswd and ldapwhoami commands do not work with Active Directory. For more information about using the OpenLDAP commands or the standard options available, see the man page for each command.
Note
DirectControl Agent, adclient. With the ldapproxy configuration, the LDAP server submits LDAP client search requests through adclient's secure connection to Active Directory and returns the results as unformatted results without any translation or interpretation of the data (search-only mode).
environment from the Centrify DirectControl CD or download directory to a local directory. For example, if the operating environment is Solaris 9 SPARC:
cp /tmp/centrifydc-ldapproxy-release-sol8-sparc-local.tgz .
If you aren't sure which file to use for the local operating environment, see the release-notes text file included in the package.
3 If the software package is a compressed file, unzip and extract
If you aren't sure about the command to use for the local operating environment, see the release-notes text file included in the package. If you are using an installation program not described in the release-notes text file, such as SMIT or YAST, see the documentation for that program.
Appendix A Using Centrify DirectControl UNIX commands 511
file to set the dc=domain,dc=com in the suffix line to the domain the local computer has joined. For example:
vi /usr/share/centrifydc/etc/openldap/ldapproxy.slapd.conf
...
# LDAP Proxy configuration
database    centrifydc
suffix      "dc=ajax,dc=org"
directory   /usr/share/centrifydc/var/openldap-data
index       objectClass eq
file:
/usr/share/centrifydc/libexec/slapd -f \
/usr/share/centrifydc/etc/openldap/ldapproxy.slapd.conf
You can then use the ldapsearch command to search Active Directory for entries. For example, to search Active Directory for the Administrator account (cn=Administrator), you could type a command similar to this:
/usr/share/centrifydc/bin/ldapsearch -h localhost -x -b "dc=domain,dc=com" "(cn=Administrator)"
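The suffix line in ldapproxy.slapd.conf has to match the domain the computer has joined, or the proxy answers searches for the wrong base DN. The following POSIX shell helper is an added example, not part of the Centrify guide or product: it converts a DNS domain name into the dc= form and rewrites the suffix line of a config file; the domain value and the sample config are constructed here, and in practice the domain name would come from your join information.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): build the LDAP suffix for
# ldapproxy.slapd.conf from a DNS domain name and patch the suffix line.
# The domain name and the sample config below are constructed values.

# Convert a DNS domain name (ajax.org) into an LDAP base DN (dc=ajax,dc=org).
domain_to_basedn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) {
            printf "%sdc=%s", (i > 1 ? "," : ""), $i
        }
    }'
}

# Rewrite the suffix line of a slapd.conf so it matches the given domain.
# $1 = path to the config file, $2 = DNS domain name.
# Returns 1 when the file has no suffix line to patch.
set_ldapproxy_suffix() {
    conf=$1
    basedn=$(domain_to_basedn "$2")
    grep -q '^suffix' "$conf" || return 1
    # Replace everything after the suffix keyword with the quoted base DN.
    sed "s|^suffix[[:space:]].*|suffix \"$basedn\"|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Read back the base DN currently configured in the suffix line.
get_ldapproxy_suffix() {
    sed -n 's/^suffix[[:space:]]*"\(.*\)"/\1/p' "$1"
}

# Constructed sample config in the shape the guide shows, still carrying the
# placeholder suffix that has to be replaced before slapd is started.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# LDAP Proxy configuration
database    centrifydc
suffix      "dc=domain,dc=com"
directory   /usr/share/centrifydc/var/openldap-data
index       objectClass eq
EOF

if [ "${1:-}" = "--demo" ]; then
    set_ldapproxy_suffix "$SAMPLE_CONF" "ajax.org"
    echo "suffix is now: $(get_ldapproxy_suffix "$SAMPLE_CONF")"
fi
```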
Appendix B
Windows environment                                                              DirectControl 4.2   DirectAuthorize 1.1   Notes
Pure Windows 2000                                                                Yes                 No                    Reduced performance - W2000 does not support important features such as Privilege Attribute Certificate (PAC) or Service for User (S4U). Supports NIS and Samba.
Mixed Windows types in Windows 2000 forest and functional level                  Yes                 No
Pure Windows 2003                                                                Yes                 Yes                   Must use DirectControl 4.2 to take advantage of updated encryption algorithm.
Pure Windows 2003r2                                                              Yes                 Yes
Mixed Windows types (2003+) in Windows 2003 forest and functional level          Yes                 Yes
Pure Windows 2008 in Windows 2000, 2003 and 2008 forest and functional levels    Yes                 Yes
Windows 2008 Read-Only Domain Controllers                                        Yes                 See Notes
Index
A
account mapping
  groups pending import 116
  other local users 158
  purpose of 157
Active Directory
  DNS configuration 45
  enabling existing users 144
  forest integrity for zones 286
  functional level 174
  mapping Unix fields 108
  role assignments 202, 204
  Windows infrastructure 22
Active Directory Users and Computers
  group properties 126
  installing properties pages 47
  managing computer properties 84
  user properties 144
adcache
  command reference 477
  examples 478
  options 478
adcheck
  command reference 341
adclient
  log file 285
  starting and stopping 475
addebug
  command reference 400
  examples 400
  options 400
adfinddomain
  command reference 410
  examples 411
  options 411
adfixid
  examples 418, 423, 508
  options 414
  overview 412
adflush
  command reference 423
  options 423
adgpupdate
  examples 388
  options 388
adid
  command reference 424
  examples 425
  options 425
adinfo
  command reference 389
  displaying help 314
  examples 396
  introduction 302
  options 390
  when to use 314
adjoin
  command reference 317
  displaying help 314
  examples 329
  operations performed 83
  options 319
  when to use 313
adkeytab
  adding service principals 440
  deleting accounts 464
  deleting service principals 461
  encryption types 467
  file entries 427
  new service accounts 431
  overview 426
  password changes 455
  reset key tables 458
adleave
  changing a computer's domain 96
  command reference 335, 499
  displaying help 314
  examples 339
  options 337
  when to use 313
adlicense
  command reference 343
  options 342, 343
Administrator Console
  purpose 34
adnisd
  client configuration 268
  configuring IP addresses 263
  installing 262
  map update interval 264
  publishing maps selectively 265
  starting 266
adobfuscate
  command reference 401
  examples 405
  options 403
adpasswd
  command reference 344
  displaying help 314
  examples 347
  options 345
  when to use 313
adquery
  command reference 375
  examples 383
  group 380
  user 376
adreload
  examples 481, 485
  options 481, 483
adrmlocal
  examples 409
  options 409
adsetgroups
  command reference 472
  examples 474
  options 473
adsmb
  command reference 470
  examples 472
  options 471
adupdate
  add group 365, 368
  add user 349
  delete group 371, 372
  delete user 365
  displaying help 314
  modify group 368, 370
  modify user 357
  overview 348
agentless authentication
  derived maps 274
  designating the NIS server 258
  installing the password filter 260
  introduction 43
  Microsoft services 261
  NIS domain name 257
  password synchronization 259
  storing the password hash 257
  zone property 256
applications
  access rights 166
  authentication issues 22
C
Centrify DirectControl
  access control summary 29, 30
  command line programs 313
  daemon 475
  diagnostic information 302
  DirectAuthorize extension 166
  documentation 17
  log files 298
  managed system 29, 31, 32
  optional tools 36
  password enforcement 154
  platform-dependent components 31
  prerequisites 45
  property extensions 34
  release information 12
  solution overview 23 to 28
  starting the first time 49
  support for UNIX services 37
  technical support 20
  troubleshooting issues 285
  updating license keys 221
Centrify DirectControl Agent
  architecture 38
  key tasks 37
Centrify web site 20
command line programs
  basic usage 313
  displaying help 314
  location 313
  man pages 314
computer accounts
  changing the zone 95
  domain changes 96
  password interval 85
  pre-join creation 86
  reporting 233
  role assignment 172, 203
  running adjoin 83
  secured by password 84
conventions, documentation 14
D
daemon
  enabling logging 285
  introduction 475
diagnostic information 302, 397
DirectAuthorize
  application names 178
  authorization store 174
  configuring rights 177
  console extension 166
  identifying administrators 176
  initializing 174
  privileged commands 166
  restricted environments 166
  rights defined 166
  role definition 166
  system requirements 173
disconnected operation
  account changes 156
  credential storage 156
documentation
  additional 17
  audience 11
  conventions 14
  installing on Windows 35
  latest information 12
  online help 15
  summary of contents 12 to 14
domain controllers
  adding DNS server role 306
  setting manually 307
  testing connectivity 304
Domain Name Server (DNS)
  manual setting 305
  nameserver entry 304
  server role 303, 306
  services provided 303
  testing connectivity 304
  using a forwarder 305
  Windows requirement 45
duplicate UNIX users 287
dzdo
  command reference 487
  examples 498
  options 489, 500
dzinfo
  creating a privileged command 215
  current user information 216
  running for a specified user 215
dzsh shell 166
E
evaluation license key 220
G
GID
  new zone creation 66
  starting value 51
glob pattern matching 184 to 185, 193 to 194
global catalog, defining manually 308
group policy editor extension 35
groups
  computer-based role assignment 203
  default GID setting 51, 66
  exporting roles 210
  filters for access control 129
  importing roles 211
  nesting 129
  NIS import 103 to 107
H
heterogeneous environments 21
I
identity management
  importance 21
  multiple mechanisms 22
  simplifying 23
importing from Unix
  accessibility from Windows 103
  NIS maps 103 to 107
  pending state 107
installation
  DirectAuthorize requirements 173
  license keys 50
  restarting services 53
  running setup on Windows 46 to 49
J
join operation
  command reference 317
  key tasks performed 84
  specifying arguments 90
  user restrictions 85
K
keytab files 427
L
licensing
  adding keys 227
  deleting keys 229
  during installation 50
  evaluation key 220
  introduction 219
  multiple keys 221
  permanent keys 221
  reports 229, 233
  types 220
  updating keys 221
  viewing a summary 226
Linux
  naming convention 15
  NIS clients 268
log files
  adinfo output 302
  enabling 298
  location 299, 400
  performance impact 299
  purpose 285
M
man pages
  displaying 314
  source of information 19
managed system 29, 32
Microsoft Services for UNIX (SFU)
  duplicate zones 287
  password synchronization 259, 261
  support for 27
N
Network Information Service (NIS)
  additional maps 275
  agentless authentication 43
  client configuration 268
  configuring IP addresses 263
  custom maps 280
  deleting maps 283
  extension for maps 35
  importing maps 103 to 107
  installing adnisd 262
  maintaining maps 282
  maps published 265
  network information 276
  support for 254
  testing access 274
nisflush
  command reference 508
  example 508
  options 508
NSS configuration
  modification 38
  reverting to pre-join state 97
O
online help 15, 35
OpenLDAP 509
P
PAM configuration
  access rights 166
  agent component 38
  application names 178
  reverting to pre-join state 97
  typical log on process 40
password management
  changing your own 155
  disconnected mode 156
  policy definition 154
  policy enforcement 30
  resetting for other users 155 to 156
  synchronization 261
pattern matching
  glob 184 to 185, 193 to 194
  regular expressions 184 to 185, 193 to 194
pending import
  group information 108
  manual process 107
  NIS information 107
primary groups
  selecting the default type 51
privileged command
  command reference 487
privileged commands
  adding to a role 201
  configuring rights 190
  defined 166
  execution attributes 197
  run-as user 195
  running with dzdo 206
property extensions 34
Q
Quick Start 17
R
regular expression pattern matching 184 to 185, 193 to 194
Release Notes 12
reporting
  forest analysis 286
  group information 233
  license information 233
  privileged command rights 217
  purpose of 231
  role assignments 217
  saving 243 to 244
  zone information 234
restricted environments
  adding shell commands 182 to 188
  creating 180
  defined 166
  limitations 171, 505
  selecting for a role 200
rights
  collected in roles 166
  enforcing 205
  exporting 210
  importing 211
  node displayed 176
  operation types 166
  PAM access 178
  privileged commands 190
  reporting 217
roles
  assigning users and groups 201
  availability 166, 199
  cloning 209
  computer-based scope 172, 203
  configuring PAM access 200
  creating 198
  enforcing 205
  exporting 210
  importing 211
  job functions 198
  making active 207
  node displayed 176
  privileged commands 201
  reporting 217
  restricted environment access 200
  scope defined 203
  start and expiration 202
root user
  adinfo options 302
  adleave operation 336
  adnisd installation 262, 511
  changing the domain 96
  enabling logging 298
  installation requirement 52
  join operation 317
  leaving the domain 97
  local override account 161
S
Setup Wizard
  creating the Zones container 50
T
technical support 20
troubleshooting
  daemon operation 285
  enabling logging 298
  forest integrity 286
  using adinfo 302
U
UID
  new zone creation 51, 65
  reserved values 72
  starting value 51
universal groups 125
UNIX
  authentication mechanisms 22
  available shells 72
  command line programs 313
  importing local users 103
  knowledge of 12
  man pages 314
  naming convention 15
  restarting services 53
  server licenses 220
UNIX computers
  changing the zone 95
  domain changes 96
  joining a domain 83
  restricting who can join 86
  server and workstation licenses 220
UNIX groups
  derived maps 274
  duplicate information 287
  using user-specific groups 149
UNIX users
  derived maps 274
  duplicate information 287
  enabling in Active Directory 144
  local account mapping 157
users
  account mapping 157
  account status report 234
  computer-based role assignment 203
  default UID setting 51, 65
  disconnected logins 156
  exporting roles 210
  group-based filtering 142
  importing roles 211
  NIS import 103 to 107
  password policies 154
  reporting 234
  reserved UID values 72
  role assignment 201 to 203
W
web applications
  licensing 220
Windows
  DirectAuthorize requirements 173
  integrating UNIX computers 32
  knowledge of 12
  reliance on Active Directory 23
workstation licenses 220
Z
zones
  adding computers 76
  advantages of using 56
  available shells 72
  changing default properties 71
  changing for a computer 95
  checking integrity 286
  closing 68
  configuring the default zone 50
  creating additional 57 to 67
  default GID setting 51, 66
  default UID setting 51, 65
  delegating control 68
  home directory setting 51, 66
  importance of properties 57
  opening 67
  parent container 50
  reports 234
  understanding the use of 56
  using multiple 56