
Centrify Suite, Standard Edition

Administrator's Guide
March 2010

Centrify Corporation

Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time. © 2004-2010 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Centrify, DirectControl, and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, and DirectSecure are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

Contents

About this guide . . . 11
    Intended audience . . . 11
    Getting a preview of what's in this release . . . 12
    Using this guide . . . 12
    Conventions used in this guide . . . 14
    Using online help . . . 15
    Where to go for more information . . . 17
    Contacting Centrify . . . 20

Chapter 1  Introduction . . . 21
    Understanding identity and access management . . . 21
    Why integrate with Active Directory? . . . 22
    What is the Centrify DirectControl solution? . . . 23
    What does DirectAuthorize provide? . . . 28
    What can you do after you deploy? . . . 29

Chapter 2  About the Centrify DirectControl architecture and operation . . . 31
    Understanding the integration of Windows and UNIX . . . 31
    Understanding what's installed on Windows . . . 33
    Understanding Centrify DirectControl Agents . . . 37
    Understanding the log-on process . . . 40
    Understanding agentless authentication . . . 43

Chapter 3  Installing and starting Centrify DirectControl . . . 45
    Preparing for installation . . . 45
    Installing Centrify Suite 2010 on Windows . . . 46
    Starting Centrify DirectControl for the first time . . . 49
    Installing the Centrify DirectControl Agent . . . 52

Chapter 4  Managing zones . . . 55
    Understanding Centrify DirectControl zones . . . 56
    Using the Centrify DirectControl Setup Wizard . . . 56
    Creating a new zone . . . 57
    Opening and closing zones . . . 67
    Delegating control of administrative tasks . . . 68
    Changing zone properties . . . 71
    Changing the master domain controller . . . 72
    Adding a computer to a zone . . . 76
    Changing the location of a zone in Active Directory . . . 76
    Converting a standard DirectControl zone to RFC 2307 . . . 77
    Using the Zone Generator to populate new zones . . . 78
    Running reports for zones . . . 79
    Searching for profiles in a zone . . . 79
    Understanding Auto Zone . . . 80

Chapter 5  Managing computers . . . 83
    Understanding the join operation . . . 83
    Deciding who can join computers to the domain . . . 85
    Precreating computer accounts . . . 86
    Joining a domain interactively or using a script . . . 90
    Allowing password resets for computer accounts . . . 91
    Designating a computer as a NIS server . . . 94
    Changing the zone for the computer . . . 95
    Changing the domain for a computer . . . 96
    Leaving a domain . . . 97
    Customizing configuration settings for a computer . . . 98
    Running reports for computers . . . 99

Chapter 6  Importing existing users and groups . . . 101
    Determining the source for existing user information . . . 101
    Preparing to import users and groups . . . 102
    Using the Import from UNIX wizard . . . 103
    Checking for conflicts and matching candidates . . . 107
    Mapping UNIX profiles to Active Directory accounts . . . 111
    Resolving conflicts for pending users and groups . . . 119
    Resolving other issues for pending users and groups . . . 121
    Making imported information available to NIS clients . . . 123

Chapter 7  Managing group profiles . . . 125
    Creating group profiles for Active Directory groups . . . 125
    Managing Active Directory group membership . . . 128
    Adding members to a default primary group . . . 130
    Marking a group profile as required . . . 134
    Adding groups from another trusted forest . . . 135
    Modifying zone-specific settings for a group profile . . . 136
    Modifying the group object's properties . . . 137
    Customizing additional settings for groups . . . 138
    Assigning groups to DirectAuthorize roles . . . 139
    Running reports for groups . . . 139

Chapter 8  Managing user profiles . . . 141
    Understanding group-based filtering for users . . . 142
    Using a default primary group for new user profiles . . . 143
    Adding Active Directory users to zones . . . 144
    Adding users from another trusted forest . . . 146
    Setting or changing a user's primary group . . . 148
    Adding multiple profiles for a user to a zone . . . 150
    Enabling and disabling multiple users in a zone . . . 151
    Modifying zone-specific settings for a user profile . . . 151
    Modifying the user profile and object properties . . . 152
    Working with read-only domain controllers . . . 153
    Applying password policies and changing passwords . . . 154
    Working in disconnected mode . . . 156
    Mapping local UNIX accounts to Active Directory . . . 157
    Setting a local override account . . . 161
    Customizing other settings for users . . . 161
    Assigning users to DirectAuthorize roles . . . 162
    Running reports for users . . . 162

Chapter 9  Defining rights and roles . . . 165
    Understanding DirectAuthorize rights and roles . . . 166
    Verifying system requirements for DirectAuthorize . . . 173
    Initializing DirectAuthorize for a zone . . . 174
    Defining specific rights . . . 177
    Creating roles for job functions in a zone . . . 198
    Assigning users and groups to a role . . . 201
    Limiting the scope of a role to a specific computer . . . 203
    Working within assigned roles . . . 205
    Cloning and renaming a role . . . 209
    Exporting and importing rights and roles . . . 209
    Modifying rights, roles, and role assignments . . . 213
    Viewing rights and roles . . . 213
    Running reports for roles and rights . . . 217

Chapter 10  Managing license containers and keys . . . 219
    Understanding how licensing works . . . 219
    Adding license containers . . . 221
    Assigning a specific license container to a zone . . . 224
    Viewing the license summary . . . 225
    Adding license keys . . . 227
    Removing a license key . . . 229
    Running reports for licenses . . . 229

Chapter 11  Generating predefined and custom reports . . . 231
    Understanding the importance of reports . . . 231
    Understanding the default report definitions . . . 232
    Understanding current and snapshot results . . . 235
    Generating a report from current or saved results . . . 237
    Creating and modifying report definitions . . . 245
    Exporting and importing report definitions . . . 251
    Configuring SMTP for emailing reports . . . 252

Chapter 12  Managing network information with NIS maps . . . 253
    Understanding the servicing of NIS client requests . . . 253
    Preparing for agentless authentication . . . 256
    Installing and configuring the NIS server . . . 262
    Configuring the NIS clients . . . 268
    Checking the derived passwd and group maps . . . 274
    Importing and creating additional NIS maps . . . 275
    Changing the map type . . . 281
    Maintaining map records in Active Directory . . . 282

Chapter 13  Troubleshooting authentication and authorization . . . 285
    Understanding diagnostic tools and log files . . . 285
    Analyzing zone information in Active Directory . . . 286
    Configuring logging for Centrify DirectControl . . . 298
    Collecting diagnostic information . . . 302
    Working with DNS, Active Directory, and DirectControl . . . 303
    Filtering the objects displayed . . . 309

Appendix A  Using Centrify DirectControl UNIX commands . . . 311
    Understanding when to use command line programs . . . 313
    Displaying usage information and man pages . . . 314
    Understanding common result codes . . . 314
    Using adjoin . . . 317
    Using adleave . . . 335
    Using adcheck . . . 341
    Using adlicense . . . 343
    Using adpasswd . . . 344
    Using adupdate . . . 348
    Using adquery . . . 375
    Using adgpupdate . . . 387
    Using adinfo . . . 389
    Using addebug . . . 400
    Using adobfuscate . . . 401
    Using adrmlocal . . . 408
    Using adfinddomain . . . 410
    Using adfixid . . . 412
    Using adflush . . . 423
    Using adid . . . 424
    Using adkeytab . . . 426
    Using adsmb . . . 470
    Using adsetgroups . . . 472
    Using adclient . . . 475
    Using adcache . . . 477
    Using adreload . . . 480
    Using addns . . . 482
    Using dzdo . . . 487
    Using dzinfo . . . 499
    Using dzsh . . . 504
    Using nisflush . . . 508
    Using OpenLDAP commands . . . 509

Appendix B  Domain controller versions for Centrify DirectControl . . . 513

Index . . . 515


About this guide


The Centrify Suite 2010 is an integrated family of Active Directory-based auditing, access control, and identity management solutions that secure your cross-platform environment and strengthen regulatory compliance initiatives. As the cornerstone of this suite, Centrify DirectControl secures your non-Microsoft platforms using the same authentication and group policy services deployed for your Windows environment. The Centrify Suite 2010, Standard Edition, also provides Centrify DirectAuthorize™ to centrally manage and enforce role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. The Centrify Suite 2010, Enterprise Edition, also includes Centrify DirectAudit to deliver auditing, logging, and real-time monitoring of user activity on your non-Microsoft systems. Built on a common architecture, the seamlessly integrated Centrify Suite of solutions helps you improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure your heterogeneous computing environment.

Intended audience
This Administrator's Guide provides complete information for managing users, groups, computers, and zones with Centrify DirectControl and Active Directory. This guide is intended for system, network, and database administrators who are responsible for managing user access to servers, workstations, enterprise applications, and network resources. This guide does not, however, cover planning or installation details. For complete information about planning a deployment and installing Centrify DirectControl on Windows and non-Windows computers, see the Planning and Deployment Guide.

Because the Centrify Suite, Standard Edition, includes components that are installed in the Windows environment and on the Linux, UNIX, or Mac OS X computers you intend to manage, this guide assumes you have a working knowledge of performing administrative tasks across these different environments. If you are unfamiliar with any of the operating environments you need to support, you may need to consult additional, operating system-specific documentation to perform certain tasks or understand certain concepts. This guide also assumes basic, but not expert, knowledge of how to perform common tasks. If you are an experienced administrator, you may be able to simplify or automate some tasks described in this guide using platform-specific scripts or other tools.

Getting a preview of what's in this release

This release of the Centrify Suite, Standard Edition, includes updates and enhancements for DirectControl and related programs. For a summary of what's included in this release, the system requirements for installation, and any other late-breaking information, see the Release Notes included on the Centrify DirectControl CD or in the distribution package.

Using this guide


Depending on your environment and role as an administrator or user, you may want to read portions of this guide selectively. The guide provides the following information:

Chapter 1, Introduction, provides an overview of identity management and how Centrify DirectControl works, including a summary of key features and benefits.

Chapter 2, About the Centrify DirectControl architecture and operation, provides an overview of the key components of the Centrify DirectControl architecture and how these components provide authentication services.

Chapter 3, Installing and starting Centrify DirectControl, summarizes the steps for installing Centrify DirectControl on Windows and on computers to be managed by Centrify DirectControl. For more complete information about installing Centrify DirectControl, see the Planning and Deployment Guide.

Chapter 4, Managing zones, describes how to create new zones and how to manage zone properties.

Chapter 5, Managing computers, describes how to add computers to an Active Directory domain, how to create and modify computer account properties, and how to change the domain for a UNIX computer.

Chapter 6, Importing existing users and groups, describes how to import information from existing identity stores such as the local /etc/passwd and /etc/group configuration files or existing NIS domains.

Chapter 7, Managing group profiles, describes how to define UNIX-based profiles for Active Directory groups and how to manage access and profile information for those groups.

Chapter 8, Managing user profiles, describes how to define UNIX-based profiles for Active Directory users and how to manage access and profile information for those users.

Chapter 9, Defining rights and roles, describes how to define the operations that users in different roles in the organization can perform and how to assign users and groups to roles to enforce the rules you define using DirectAuthorize.

Chapter 10, Managing license containers and keys, describes how to view and update Centrify DirectControl license keys.

Chapter 11, Generating predefined and custom reports, describes how to generate, filter, and export information about users, groups, computers, zones, and role assignments using the Centrify Report Center.

Chapter 12, Managing network information with NIS maps, describes the Centrify DirectControl Network Information Service, how to configure computers to use the Centrify DirectControl Network Information Service for agentless authentication, and how to manage NIS maps stored in Active Directory.

Chapter 13, Troubleshooting authentication and authorization, describes how to use diagnostic tools and log files to retrieve information about the operation of Centrify DirectControl.

Appendix A, Using Centrify DirectControl UNIX commands, provides reference information for the Centrify DirectControl command line programs.

Appendix B, Domain controller versions for Centrify DirectControl, lists the required versions and functional levels of the Microsoft Windows domain controllers that support Centrify DirectControl and Centrify DirectAuthorize, versions 4.2 and later.

In addition to these chapters, an index is provided for your reference.

Conventions used in this guide


The following conventions are used in this guide:

Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.

Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.

Italics are used for book titles and to emphasize specific words or terms.

For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted.

The variable release is used in place of a specific release number in the file names for individual Centrify DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the Centrify DirectControl Agent for Solaris on SPARC available on the Centrify DirectControl CD or in a Centrify DirectControl download package. On the CD or in the download package, the file name indicates the Centrify DirectControl version number. For example, if the software package installs Centrify DirectControl version number 4.2.0 for the Sun Solaris operating system on a SPARC server, the full file name is centrifydc-4.2.0-sol8-sparc-local.tgz.

Using online help


Centrify DirectControl provides task-based, reference, and context-sensitive online help. To access task-based help or search for help topics, click Help on the right-click menu in the Centrify DirectControl Administrator Console. To view context-sensitive help within dialog boxes, press F1. In addition, all of the documentation for the Centrify Suite, Standard Edition, is available in searchable Adobe Portable Document Format (PDF).

16

Administrators Guide

Where to go for more information


The documentation set for the Centrify Suite, Standard Edition, includes several sources of information. Depending on your interests, you may want to explore some or all of these sources further:

Release Notes included on the distribution media or in the download package provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other documentation.

Quick Start for UNIX Services provides a brief summary of the steps for installing Centrify DirectControl and getting started so you can begin working with the product right away. For more detailed information about installing Centrify DirectControl, see the Planning and Deployment Guide.

Evaluation Guide provides information to help you set up an evaluation environment and use Centrify DirectControl to test typical authentication and authorization scenarios, such as resetting user passwords for UNIX computers, preventing a user from accessing unauthorized UNIX computers, or enforcing specific lockout policies when users attempt to log on to UNIX computers using Centrify DirectControl.

Planning and Deployment Guide provides guidelines, strategies, and best practices to help you plan for and deploy Centrify DirectControl in a production environment. This guide covers issues you should consider in planning a Centrify DirectControl deployment project. The Planning and Deployment Guide should be used in conjunction with the information covered in the Administrator's Guide.

Administrator's Guide describes how to perform administrative tasks using the Centrify DirectControl Administrator Console and UNIX command line programs. The Administrator's Guide focuses on managing your environment after deployment.

Web Console User's Guide describes how to perform administrative tasks for zones using the Centrify DirectControl Web Console. The DirectControl Web Console enables you to perform a subset of DirectControl tasks by connecting to a Web server from computers that do not have the Administrator Console installed.

Group Policy Guide describes the Centrify DirectControl group policies you can use to customize user-based and computer-based configuration settings. This guide provides an overview of how group policies are applied and how to install and enable DirectControl-specific policies.

Configuration Parameters Reference Guide provides reference information for the Centrify DirectControl configuration parameters that enable you to customize your environment. Many of these settings can also be controlled through group policies.

Administrator's Guide for Mac OS X provides information for Mac OS X system administrators about the administrative issues and tasks that are specific or unique to a Mac OS X environment. If you are deploying in an environment with Mac OS X servers or workstations, you should refer to this guide for information about the group policies that only apply to Mac OS X computers and users.

NIS Administrator's Guide provides information about installing and configuring the Centrify DirectControl Network Information Service (adnisd) and NIS clients to incorporate NIS maps into an Active Directory environment. If you are planning to use both the Centrify DirectControl Agent and Centrify DirectControl Network Information Service to support NIS clients, you should refer to this guide for information about how to import and manage NIS maps in Active Directory.

Authentication Guide for Apache describes how to use Centrify DirectControl with Apache servers and applications to provide authentication and authorization services through Active Directory. If you are using Centrify DirectControl with Apache, you should refer to this supplemental documentation for details about how to configure your Apache server to use Centrify DirectControl and Active Directory.

Authentication Guide for Java Applications describes how to use Centrify DirectControl with J2EE applications to provide authentication and authorization services through Active Directory. If you are using Centrify DirectControl with Java servlets, such as Tomcat, JBoss, WebLogic, or WebSphere, you should refer to this supplemental documentation for details about how to configure your applications to use Centrify DirectControl and Active Directory.

Individual UNIX man pages provide command reference information for Centrify DirectControl UNIX command line programs.

In addition to the Centrify DirectControl documentation, you may want to consult the documentation for your Windows, Linux, UNIX, or Mac OS X operating system, or the documentation for Microsoft Active Directory. This information can help you get the most out of Centrify DirectControl.

Contacting Centrify
If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify products, support, services, and upcoming events. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.

Chapter 1

Introduction
This chapter provides an introduction to identity, access, and configuration management and to the main components of the Centrify Suite 2010, Standard Edition, including a brief overview of the ways Centrify DirectControl and Centrify DirectAuthorize can help organizations leverage their investment in Active Directory. The following topics are covered:

Understanding identity and access management
Why integrate with Active Directory?
What is the Centrify DirectControl solution?
What does DirectAuthorize provide?
What can you do after you deploy?

Understanding identity and access management


For most organizations, it is critical to control access to computer and application resources to prevent disruption of service, data tampering, or security breaches. Managing who has access efficiently and securely is especially difficult in heterogeneous environments that may include a combination of Windows, Linux, UNIX, and Mac OS X servers and workstations. In cross-platform environments, securing access to computers and applications typically involves managing multiple identity stores with multiple authentication mechanisms. As the following figure suggests, there are many authentication mechanisms available for UNIX and Linux systems, but they are typically isolated from each other and managed separately.

[Figure: identity stores in a mixed environment. UNIX and Linux computers may use local accounts stored in local files on individual servers and workstations, NIS and NIS+ servers and account maps that provide a central repository for UNIX accounts, Kerberos realms and a Key Distribution Center that provide authentication for some users and services, and LDAP authentication for LDAP transactions. Windows computers use Active Directory forests with Kerberos authentication and LDAP directory service.]

Users who have access to more than one application or computer platform often have multiple login accounts with conflicting user name or password policy requirements. In addition, individual applications and services may use any of these standard mechanisms or have their own specialized authentication method. Because managing user accounts and access using all of these different mechanisms across an enterprise is impractical, Centrify DirectControl provides a way to centralize and simplify the management of user accounts and access to computers and applications through Active Directory.

Why integrate with Active Directory?


Many organizations already have a significant investment in their Windows infrastructure, with Windows workstations often used as desktop systems and Windows servers handling critical business services such as messaging or database transactions. For Windows 2000, Windows XP, and Windows Server 2003, Active Directory is the core technology for managing users, computers, and other resources, and, therefore, is a requirement for any organization that manages Windows resources. In addition to being a key component of the organization's infrastructure, Active Directory provides a complete set of tools for authentication, authorization, and directory service, making it an ideal candidate for managing user accounts and access to computer resources. By extending Active Directory to manage Linux, UNIX, and Mac OS X computers, Centrify DirectControl provides administrators with a comprehensive identity and access management solution while reducing administrative complexity and overhead.

What is the Centrify DirectControl solution?


As the previous section suggests, Centrify DirectControl delivers secure access control and centralized identity management by integrating UNIX, Linux, and Mac OS X servers and workstations, and J2EE and Web platforms with Microsoft Active Directory. Through the Centrify DirectControl Agent, UNIX, Linux, and Mac OS X servers and workstations can become part of an Active Directory domain and act as Active Directory clients. Once part of a domain, you can secure those systems using the same authentication, access control, and group policy services you deploy for Windows computers. Additional modules work with the Centrify DirectControl Agent to provide services such as single sign-on for Web applications and Samba integration. The Centrify DirectControl Management Tools provide an Administrator Console, extensions for Active Directory Users and Computers, out-of-the-box reporting, and account migration tools. With the Centrify DirectControl suite, organizations with diverse IT environments can leverage their investment in Active Directory to:

Move to a central directory with a single point of administration for user accounts and security policy.
Use Centrify DirectControl Zones to provide secure, granular access control and delegated administration.
Extend Web single sign-on to internal end-users and external business partners and customers.
Simplify compliance with regulatory requirements.
Deploy quickly without intrusive changes to the existing infrastructure.

Moving to a central directory


By consolidating user accounts in Active Directory, organizations can improve IT efficiency and move toward a more secure, connected infrastructure for their heterogeneous environment. Using DirectControl enables an organization to:

Strengthen security by consolidating user accounts into Active Directory, making it easy for IT managers to disable the accounts of departing employees, and locate and eliminate security risks posed by orphan accounts.
Reduce infrastructure costs by eliminating redundant identity stores, including legacy directories, unsecured NIS servers, dedicated application databases, and locally managed /etc/passwd files.
Streamline operations by standardizing on a single set of Active Directory-based tools to simplify administrative training and in-house processes for account provisioning, maintenance, and other tasks.
Establish consistent password policies across a heterogeneous environment by enforcing Active Directory's rules for password complexity and expiration for all users regardless of where they log in.
Enforce consistent security and configuration policies across UNIX, Linux, and Mac OS X servers and workstations by adding Centrify DirectControl group policy templates for computer- and user-based configuration settings to Windows Group Policy Objects.
Improve productivity and satisfaction for end-users, who now have only one password to remember and make fewer Help Desk calls to reset passwords or update their account information.

Using Centrify DirectControl Zones for granular control


With its patent-pending zone technology, Centrify DirectControl delivers the granular access control that real-world enterprises need to securely manage heterogeneous environments. With DirectControl, IT managers can:

Segregate logical collections of UNIX, Linux, or Mac OS X computers into Centrify DirectControl Zones within Active Directory. Computers can be organized by department, geography, function, system type, or in any other grouping that makes sense for a particular organization.
Use Active Directory's role-based access model to allow users and groups to log on only to the systems in the zones for which they are authorized.
Grant system administrators the administrative privileges they need only in the zones that contain the computers they need to manage, without elevating their privileges for other computers or zones.
Enforce consistent security and configuration policies that are specific to the computers within a zone.

Extending single sign-on for web applications


Centrify DirectControl provides Active Directory-based single sign-on for intranet and extranet Web applications running on Apache and popular J2EE servers. Centrify DirectControl and the Apache or J2EE add-on module provide:

Active Directory-based single sign-on (SSO) through Kerberos and LDAP for end-users accessing intranet applications.
Federated identity authentication through Microsoft Active Directory Federation Services (ADFS) for business-to-business and business-to-customer extranet Web applications.
Support for popular Web application servers running on UNIX, Linux, or Windows.
Mapping between Active Directory users and groups and Web application roles to leverage the existing Active Directory infrastructure.

Simplify compliance with regulatory requirements


Centrify DirectControl simplifies the administrative, reporting, and auditing tasks brought on by Sarbanes-Oxley, PCI, HIPAA, and other government and industry regulations. The combination of Active Directory and Centrify DirectControl provides the following benefits:

IT managers can reliably manage user accounts, set access controls, and enforce security policies across the enterprise from a single point of administration.
Zone-based access controls enable IT managers to limit administrative rights and end-user access to sensitive systems, and the Centrify DirectControl Administrator Console makes it easy for IT managers to view and change zone-based access controls.
Out-of-the-box reports can be used to satisfy auditing requirements and can identify the computers any specific user can access, and which users can access any specific computer or application.
By extending Active Directory's password requirements and Group Policy features to UNIX, Linux, and Mac OS X servers and workstations, Centrify DirectControl enables IT managers to enforce consistent, enterprise-wide security policies in a manner that can be verified by auditors.
Centrify DirectControl ensures activity on UNIX, Linux, and Mac OS X servers and workstations is written to the proper Active Directory logs, providing an audit trail for verifying system access.

Deploying without changes to existing infrastructure


Centrify DirectControl's support for open standards and its unified architecture make it easy to deploy without making changes to your existing Active Directory or network infrastructure. Centrify DirectControl offers IT managers the following benefits:

Centrify DirectControl does not install any software on domain controllers, and it does not require any changes to the Active Directory schema to store UNIX identity data. Centrify DirectControl supports the native Active Directory schema, the Microsoft Services for UNIX (SFU) schema extension, and the RFC 2307 Active Directory schema introduced with Windows Server 2003 R2.
Centrify DirectControl can map multiple UNIX identities to a given Active Directory account, and IT managers can access this UNIX data in Active Directory using ADSI or LDAP commands.
Centrify DirectControl's unified architecture delivers identity management, access control, and policy enforcement through a core Centrify DirectControl Agent. Additional modules snap in to this base agent to provide services such as SSO for Web applications or Samba integration.
Centrify accelerates an organization's productivity by offering free downloads of open source tools such as OpenSSH and PuTTY, which have been optimized to work seamlessly with Active Directory through Centrify DirectControl.

What does DirectAuthorize provide?


Centrify DirectAuthorize centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. By controlling how users access systems and what they can do on those computers, DirectAuthorize enables organizations to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords. With DirectAuthorize you can:

Meet regulatory compliance requirements with a centralized, role-based model for fine-grained delegation of administrative rights on UNIX and Linux systems.
Secure your UNIX and Linux infrastructure by eliminating the need to share the passwords of root or super-user accounts with privileged access.
Implement integrated authentication, authorization, and auditing leveraging the same underlying architecture, at a fraction of the cost of alternative solutions.
Leverage your existing Active Directory infrastructure for role-based entitlement management without the need to deploy additional servers or infrastructure.
Replace sudo or other complex, script-driven products with a modern, role-based solution that extends beyond controlling privileged commands.
Deploy a highly available solution for privilege management that works well in a networked environment and does not require changes to your UNIX systems.

As part of an integrated suite of tools, Centrify DirectControl and Centrify DirectAuthorize provide a simple, scalable solution for managing the cross-platform environment.

What can you do after you deploy?


Once the Centrify DirectControl Agent is deployed on a server or workstation, that computer is considered a Centrify DirectControl managed system. When a computer is managed by Centrify DirectControl, an administrator with the proper permissions can perform the following common tasks:

Specify which Active Directory users and groups can log on to a specific UNIX computer or group of computers.
Control user access to UNIX computers across one or more Active Directory forests, regardless of the organizational structure you use and where users are defined in that structure.
Map local UNIX accounts, such as service accounts or the root user, to Active Directory accounts for centralized control over the passwords, or set specific local UNIX accounts to be authenticated locally rather than through Active Directory.
Define zones and zone properties and delegate the rights necessary to manage UNIX computer, user, and group accounts in any zone to other users, as needed.
Configure and apply group policies for UNIX computers and users.

When a computer is managed by Centrify DirectControl, authorized users can perform the following common tasks:

Log on to the UNIX shell or desktop program and use standard programs and services such as telnet, ssh, and ftp.
Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have previously logged on and been authenticated by Active Directory.
Manage their Active Directory passwords directly from the UNIX command line, provided they can connect to Active Directory.

Chapter 2

About the Centrify DirectControl architecture and operation


This chapter provides an overview of the Centrify DirectControl architecture and the basic flow of operation for a typical log-on session. For more detailed information about the Centrify DirectControl architecture and the operations handled by different Centrify DirectControl components, see the Planning and Deployment Guide. The following topics are covered:

Understanding the integration of Windows and UNIX
Understanding what's installed on Windows
Understanding Centrify DirectControl Agents
Understanding the log-on process
Understanding agentless authentication

Understanding the integration of Windows and UNIX


Because the Centrify Suite 2010, Standard Edition provides an integration layer between Windows and other operating environments, it consists of the following primary components:

On Windows, the Centrify DirectControl Administrator Console and property extensions enable you to add and manage UNIX-specific properties in Active Directory.
On non-Windows computers, the Centrify DirectControl Agent enables the local host computer to join an Active Directory domain. Once the Centrify DirectControl Agent is deployed on a server or workstation, that computer is considered a Centrify DirectControl managed system and it can join any Active Directory domain you choose.

When a Centrify DirectControl managed system joins an Active Directory domain, it essentially becomes an Active Directory client and relies on Active Directory to provide authentication, authorization, policy management, and directory services. The interaction between the Centrify DirectControl Agent on the local computer and Active Directory is similar to the interaction between a Windows XP client and its Active Directory domain controller, including failover to a backup domain controller if the UNIX computer is unable to connect to its primary domain controller. The following figure provides a simplified view of the integration between Windows and UNIX through Centrify DirectControl.
[Figure: Windows servers and workstations run the Centrify DirectControl Management Tools (the Centrify DirectControl property extensions and the Centrify DirectControl Administrator Console) and hold the Active Directory user accounts (for example, the account chris); UNIX, Linux, and Mac OS X servers and workstations run the Centrify DirectControl Agent package and authenticate those same accounts against Active Directory.]

To centrally manage access across different platforms using Microsoft Active Directory, you need to:

Prepare the Active Directory environment by installing the Centrify DirectControl Administrator Console on at least one Windows computer to update the Active Directory forest with Centrify DirectControl properties.
Ensure each UNIX, Linux, or Mac OS X computer can communicate with an Active Directory domain controller to present valid credentials for authentication. For successful communication, the managed computer should be able to resolve the address of its Active Directory domain controller through DNS.
Install the Centrify DirectControl Agent (adclient) on the UNIX, Linux, or Mac OS X computers that will be joining an Active Directory domain.
Run the join command and specify the Active Directory domain to join on each UNIX, Linux, or Mac OS X computer to be managed.
Use Active Directory Users and Computers or the Centrify DirectControl Administrator Console to authorize access to the UNIX, Linux, and Mac OS X computers for specific users and groups.

Now that you are familiar with the basics, the next sections provide a closer look at what's included in the Centrify DirectControl administrative tools installed on Windows and the Centrify DirectControl Agent installed on other platforms.
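Before running the join, a practitioner will want to confirm the DNS prerequisite in the steps above. The following Python script is an added example, not part of the Centrify software: it looks up the standard Active Directory domain controller locator record (_ldap._tcp.dc._msdcs.<domain>, an SRV record every domain controller registers in DNS) with a hand-built query, using only the standard library. The record name is the Microsoft convention rather than anything this guide states, the resolver address is something you supply, and the example.com response embedded in the script is constructed so that the parser can be exercised without a network.

```python
"""Pre-join DNS check: can this host find an Active Directory domain
controller?  Added example (not Centrify code; the guide only says the
domain controller must be resolvable through DNS).  It queries the standard
AD locator record _ldap._tcp.dc._msdcs.<domain> for SRV answers with the
standard library only, and carries a constructed response for offline use.
"""
import socket
import struct

SRV = 33  # DNS record type for SRV


def build_srv_query(name, txid=0x1234):
    """A DNS query packet (recursion desired) asking for SRV records of name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", SRV, 1)


def read_name(packet, offset):
    """Decode a (possibly compressed) DNS name; return (name, next_offset)."""
    labels, end = [], None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2                         # resume after the pointer
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_srv_answers(packet):
    """Return (priority, weight, port, target) for each SRV answer, sorted so
    the record a client should try first comes first."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x000F:                                   # RCODE: NXDOMAIN, SERVFAIL, ...
        return []
    offset = 12
    for _ in range(qdcount):                             # skip the question section
        _, offset = read_name(packet, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == SRV:
            prio, weight, port = struct.unpack("!HHH", packet[offset:offset + 6])
            target, _ = read_name(packet, offset + 6)
            answers.append((prio, weight, port, target))
        offset += rdlen
    return sorted(answers)


def locate_dcs(domain, resolver, timeout=3.0):
    """Ask resolver (an IP address) for the domain's DC locator SRV records."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_srv_query("_ldap._tcp.dc._msdcs." + domain), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_srv_answers(data)


def constructed_response():
    """Hand-built response for example.com (constructed, not a capture): two
    SRV records whose names use compression pointers into the question."""
    query = build_srv_query("_ldap._tcp.dc._msdcs.example.com")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)

    def rr(prio, weight, port, host_label):
        # target = <label> + pointer to "example.com" at offset 33 of the question
        rdata = (struct.pack("!HHH", prio, weight, port)
                 + bytes([len(host_label)]) + host_label.encode("ascii") + b"\xc0\x21")
        return b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 600, len(rdata)) + rdata

    return header + query[12:] + rr(10, 50, 389, "dc2") + rr(0, 100, 389, "dc1")


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        dcs = locate_dcs(sys.argv[1], sys.argv[2])      # python dcfind.py corp.example.com 10.0.0.53
    else:
        dcs = parse_srv_answers(constructed_response())  # offline demonstration
    if not dcs:
        sys.exit("no SRV records found: fix DNS before running the join")
    for prio, weight, port, target in dcs:
        print("%s:%d (priority %d, weight %d)" % (target, port, prio, weight))
```

An empty result, or a SERVFAIL from the resolver the managed computer actually uses, means the join will not be able to find a domain controller until DNS is fixed; the lowest priority value is the domain controller a client tries first.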

Understanding what's installed on Windows


When you install Centrify DirectControl on a Windows computer, you can choose which components you want to install. After you start the setup program, the Setup Wizard lists the components available. Most of the components are optional and can be installed either together or separately.

Choosing a console for managing DirectControl properties


From the main Centrify DirectControl setup program, you can choose the method you want to use for managing Centrify DirectControl properties. You do this by selecting one or both of the following components:

The Centrify DirectControl property extensions for Active Directory can be installed on any computer that is joined to an Active Directory domain and has Active Directory Users and Computers installed. The property extensions allow you to use Active Directory Users and Computers to store UNIX-specific attributes. You are not required to install the property extensions if you do not intend to use Active Directory Users and Computers to view or manage UNIX-specific attributes.
The Centrify DirectControl Administrator Console must be installed on at least one computer that can access domains in Active Directory. The Centrify DirectControl Administrator Console provides a central location for managing UNIX users, groups, and computers and performing administrative tasks, such as importing accounts, running reports, and analyzing account information. The Centrify DirectControl Administrator Console includes a Setup Wizard that updates the Active Directory forest to include Centrify DirectControl properties the first time you start the console. The update to the Active Directory forest does not make any changes to the underlying Active Directory schema you have installed.

Some optional components require the Centrify DirectControl Administrator Console to be installed on the same computer. For example, the Extension for NIS Maps can only be installed on a computer where you install the Centrify DirectControl Administrator Console. For more information about installing optional components, see Choosing optional DirectControl components on page 35.
Note

The Centrify DirectControl Administrator Console is a Microsoft Management Console (MMC) snap-in. It is the primary console for managing Centrify DirectControl properties because it provides access to a full spectrum of management activities that are specific to DirectControl. A separate Centrify DirectControl Web Console provides Web-based access to a subset of these administrative activities. The Centrify DirectControl Web Console is not a substitute for the Centrify DirectControl Administrator Console MMC snap-in, but can be used separately to perform common tasks. For more information about adding the Centrify DirectControl Web Console to your environment, see Understanding the DirectControl Web Console on page 36.

Choosing optional DirectControl components


From the setup program, you can also choose to install the following optional components:

The Centrify DirectControl Extension for NIS Maps can be installed on any computer where you install the Centrify DirectControl Administrator Console if you want to import and manage NIS maps for network information, such as netgroup and auto.master, in Active Directory. The extension is not required for importing users and groups.
The Centrify DirectControl Documentation and Centrify DirectControl Help for the Centrify DirectControl Administrator Console can be installed on any Windows computer and should be installed on the computer where you install the Centrify DirectControl Administrator Console.
The Centrify DirectControl Group Policy Editor Extension can be installed on any computer where the Group Policy Object Editor is available if you want to apply Centrify DirectControl group policies to a site, domain, or organizational unit that includes Centrify DirectControl-managed computers or users.
The Centrify Tools (in the current release, the only tool is the Centrify Zone Generator) can be installed on any computer where you install the Centrify DirectControl Administrator Console. The Zone Generator enables you to programmatically populate new zones with existing information.

The following figure provides a simplified view of the architecture.
[Figure: in the Windows environment, the DirectControl Administrator Console and the DirectControl Property Extensions (used through Active Directory Users and Computers) write to the Active Directory domain controller; in the UNIX environment, each managed computer runs a Centrify DirectControl Agent (adclient) that communicates with the same Active Directory domain controller.]

Understanding the DirectControl Web Console


The Centrify DirectControl Web Console is a Web browser-based application hosted by Microsoft Internet Information Services (IIS). This Web-based console provides a subset of the functionality provided by the Centrify DirectControl Administrator Console. It is intended primarily for zone administrators, to enable them to manage zones and licenses from any computer with a Web browser and access to the domain, including UNIX computers that are joined to the domain. The DirectControl Web Console is packaged with its own setup program. It is not included as a component in the main Centrify DirectControl setup program. You can use the separate DirectControl Web Console setup program to install the Centrify DirectControl Web Console on any single computer in the Active Directory forest. After installing, you can then access the console by specifying its URL in a Web browser on any computer with access to the domain.

For more information about installing and using the Centrify DirectControl Web Console to perform administrative tasks, see the Web Console Users Guide and the Web Console online help.

Understanding Centrify DirectControl Agents


The Centrify DirectControl Agent makes a UNIX, Linux, or Mac OS X computer look and behave like a Windows client computer to Active Directory. The Centrify DirectControl Agent performs the following key tasks:

Joins the UNIX, Linux, or Mac OS X computer to an Active Directory domain.
Communicates with Active Directory to authenticate users when they log on and caches credentials for offline access.
Enforces Active Directory authentication and password policies.
Extends Active Directory group policies to manage configuration settings for UNIX users and computers.
Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.

Although the individual agents you install are platform-specific, the Centrify DirectControl Agent is a tightly integrated suite of services that work together to ensure seamless operation between existing UNIX programs and applications and Active Directory authentication, authorization, and directory service.

The following figure provides a closer look at the services provided through the Centrify DirectControl Agent:
[Figure: services provided through the Centrify DirectControl Agent. Core services for UNIX shell programs and applications (the PAM module, the NSS module, and the command line programs), the Kerberos environment used by Kerberos-enabled applications, and the add-on modules (Apache, JAAS realm, SPNEGO, NIS) all sit on top of the Centrify DirectControl Service Library and the adclient process, which communicates with the Active Directory domain controller and maintains the local store of cached credentials and search results.]

As this figure suggests, the Centrify DirectControl Agent includes the following core components:

The core Centrify DirectControl Agent is the adclient process that handles all of the direct communication with Active Directory. The agent contacts Active Directory when there are requests for authentication, authorization, directory assistance, or policy updates, then passes valid credentials or other requested information along to the programs or applications that need this information.
The Centrify DirectControl Pluggable Authentication Module, pam_centrifydc, enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory.
The Centrify DirectControl NSS module is added to nsswitch.conf so that system look-up requests use the Centrify DirectControl Agent to look up and validate information using Active Directory through LDAP.
The Centrify DirectControl command line programs (CLI) enable you to perform common administrative tasks, such as joining and leaving the Active Directory domain or changing user passwords for Active Directory accounts, from the UNIX command prompt. These command line programs can be used interactively or in scripts to automate tasks.
The Centrify DirectControl Kerberos environment generates a Kerberos configuration file (/etc/krb5.conf) and a default key table (krb5.keytab) to enable your Kerberos-enabled applications to authenticate through Active Directory. These files are maintained by the Centrify DirectControl Agent and are updated to reflect any changes in the Active Directory forest configuration.
The Centrify DirectControl local cache stores user credentials and other information for offline access and network efficiency.

In addition to these core components, the Centrify DirectControl Agent can also be extended with the following add-on modules:

The Centrify DirectControl libraries for Apache, Tomcat, JBoss, WebLogic, or WebSphere plug in to the native authentication mechanisms for each Web server to enable you to configure Web applications to use Active Directory for authentication.
The Centrify DirectControl Network Information Service (adnisd) is a separate service that works in conjunction with the Centrify DirectControl Agent to enable you to store NIS maps in Active Directory and publish that information to NIS clients through Centrify DirectControl.
Optional utilities and programs, such as updated Kerberos, OpenSSH, OpenLDAP, Samba, or PuTTY utilities, that have been optimized to work with Centrify DirectControl and Active Directory.
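The hooks listed above (the NSS source, the PAM module, and the generated krb5.conf) are what the log-on sequence later in this chapter depends on, and they are worth checking on a managed system. The following Python script is an added example, not Centrify's own tooling: it parses nsswitch.conf, pam.conf, and krb5.conf text and reports the mistakes that silently break log-on, namely the agent's NSS source missing from the passwd or group databases, the local password module stacked ahead of pam_centrifydc, and a default_realm that does not match the joined domain. It assumes the NSS source is named centrifydc and the PAM module file is pam_centrifydc.so (the guide gives the module name, not the file names); the sample file contents are constructed, not copied from a real host.

```python
"""Audit the hooks the Centrify DirectControl Agent is described as adding:
the NSS source in /etc/nsswitch.conf, the PAM module in /etc/pam.conf, and
the generated /etc/krb5.conf.  Added example, not Centrify tooling.
Assumptions: the NSS source is called "centrifydc" and the PAM module file
is pam_centrifydc.so; the sample file contents below are constructed.
"""
import re

NSS_SOURCE = "centrifydc"        # assumed name of the agent's NSS source
PAM_MODULE = "pam_centrifydc"    # module name from the guide
LOCAL_MODULE = "pam_unix"        # assumed name of the local /etc/passwd module


def nss_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs


def nss_problems(text):
    """Databases that never consult the agent, so AD users stay invisible."""
    dbs = nss_sources(text)
    return [db for db in ("passwd", "group") if NSS_SOURCE not in dbs.get(db, [])]


def pam_entries(text):
    """Parse /etc/pam.conf lines into (service, type, control, module)."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            entries.append(tuple(fields[:4]))
    return entries


def pam_problems(text, services=("login", "sshd")):
    """Services whose auth stack does not reach pam_centrifydc before the
    local module: those never hand the request to adclient."""
    problems, entries = [], pam_entries(text)
    for svc in services:
        modules = [m for s, t, _, m in entries if s == svc and t == "auth"]
        agent = next((i for i, m in enumerate(modules) if PAM_MODULE in m), None)
        local = next((i for i, m in enumerate(modules) if LOCAL_MODULE in m), None)
        if agent is None:
            problems.append((svc, "pam_centrifydc missing from auth stack"))
        elif local is not None and local < agent:
            problems.append((svc, "local module listed before pam_centrifydc"))
    return problems


def krb5_default_realm(text):
    """default_realm from the [libdefaults] section of krb5.conf, or None."""
    section = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_realm":
                return value
    return None


def krb5_realm_matches(text, joined_domain):
    """An AD realm name is the DNS domain in upper case; the generated
    krb5.conf should name the domain this computer joined."""
    return krb5_default_realm(text) == joined_domain.upper()


# Constructed samples: a correctly hooked host and one with common mistakes.
GOOD_NSSWITCH = "passwd: files centrifydc\ngroup:  files centrifydc\nhosts: files dns\n"
BAD_NSSWITCH = "passwd: files\ngroup:  files\n"
GOOD_PAM = ("login auth sufficient pam_centrifydc.so\n"
            "login auth required   pam_unix.so\n"
            "sshd  auth sufficient pam_centrifydc.so\n"
            "sshd  auth required   pam_unix.so\n")
BAD_PAM = ("login auth required   pam_unix.so\n"
           "login auth sufficient pam_centrifydc.so\n"
           "sshd  auth required   pam_unix.so\n")
GOOD_KRB5 = "[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n }\n"

if __name__ == "__main__":
    for label, nss, pam in (("good", GOOD_NSSWITCH, GOOD_PAM), ("bad", BAD_NSSWITCH, BAD_PAM)):
        print(label, "nss:", nss_problems(nss) or "ok", "pam:", pam_problems(pam) or "ok")
    print("realm matches example.com:", krb5_realm_matches(GOOD_KRB5, "example.com"))
```

On a real host, feed the functions the contents of the actual files; systems that use /etc/pam.d/<service> instead of a single pam.conf carry the same four fields minus the leading service name, so prepend the file name before calling pam_problems.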

Understanding the log-on process


The core Centrify DirectControl Agent components work together to identify and authenticate the user any time a user logs on to a computer using any UNIX command that requires the user to enter credentials. The following steps summarize the interaction to help you understand the process for a typical log-on request. The process is similar for UNIX commands that need to get information about the current user or group.

Note

The following steps focus on the operation of the Centrify DirectControl Agent rather than the interaction between the Centrify DirectControl Agent and Active Directory. In addition, these steps are intended to provide a general understanding of the operations performed through the Centrify DirectControl Agent and do not provide a detailed analysis of a typical log-on session.
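As an added illustration of the sequence this section describes (not adclient or pam_centrifydc code), the following Python model walks a log-on request through the same decisions in the same order: the local-account bypass, the Active Directory lookup with fallback to the local cache when the domain controller is unreachable, the configured user name mapping, the zone check, the UID conflict check, user and group filtering, authorization, and password expiry. The directory, the cache, and the agent configuration are constructed in memory; the configuration key names (local_users, user_map, allow_users, deny_groups) are illustrative rather than real centrifydc.conf parameters, and a plain password comparison stands in for the Kerberos exchange.

```python
"""A runnable model of the log-on sequence described in this section.
Added example: not adclient or pam_centrifydc code, and no real PAM,
Kerberos, or LDAP traffic.  Active Directory, the agent's local cache, and
the agent configuration are in-memory dictionaries built here; the
configuration keys are illustrative names, not centrifydc.conf parameters.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    """The zone-specific UNIX profile adclient receives (step 6)."""
    uid: int
    unix_name: str
    ad_name: str
    groups: tuple
    zones: frozenset
    password: str                  # stands in for the Kerberos exchange of step 11
    logon_hours: tuple = (0, 24)   # [start, end) hours the account may log on
    expired: bool = False


@dataclass
class Host:
    zone: str
    config: dict                                   # illustrative keys only
    cache: dict = field(default_factory=dict)      # ad_name -> Profile (offline use)
    sessions: dict = field(default_factory=dict)   # uid -> unix_name of logged-in users


def resolve(host, directory, online, name):
    """Steps 5 and 6: Active Directory when reachable, otherwise the local
    cache; if that yields no profile for this zone, retry with the mapped
    Active Directory account from the configuration."""
    def lookup(n):
        p = directory.get(n) if online else host.cache.get(n)
        return p if p is not None and host.zone in p.zones else None
    profile = lookup(name)
    if profile is None and name in host.config.get("user_map", {}):
        profile = lookup(host.config["user_map"][name])
    return profile


def login(host, directory, online, name, password, hour=12):
    """Outcome of one log-on attempt, in the order of the numbered steps."""
    if name in host.config.get("local_users", ()):               # step 4
        return "LOCAL"                       # handed to the next PAM module
    profile = resolve(host, directory, online, name)              # steps 5-6
    if profile is None:
        return "DENIED: no zone profile in Active Directory or cache"
    owner = host.sessions.get(profile.uid)                        # step 7
    if owner is not None and owner != profile.unix_name:
        return "DENIED: UID %d already in use by %s" % (profile.uid, owner)
    allow = host.config.get("allow_users")                        # step 9
    if allow and profile.unix_name not in allow:
        return "DENIED: user filter"
    if set(profile.groups) & set(host.config.get("deny_groups", ())):
        return "DENIED: group filter"
    if password != profile.password:                              # step 11
        return "DENIED: bad password"
    start, end = profile.logon_hours
    if not start <= hour < end:
        return "DENIED: outside permitted logon hours"
    host.cache[profile.ad_name] = profile      # credentials kept for offline log-on
    host.sessions[profile.uid] = profile.unix_name
    return "CHANGE_PASSWORD" if profile.expired else "OK"         # step 12


# Constructed directory (no real accounts); sam deliberately shares chris's UID.
DIRECTORY = {
    "chris": Profile(10001, "chris", "chris", ("eng",), frozenset({"engineering"}), "&tiger1"),
    "sam":   Profile(10001, "sam", "sam", ("eng",), frozenset({"engineering"}), "pw-sam"),
    "pat":   Profile(10002, "pat", "pat", ("eng",), frozenset({"engineering"}), "pw-pat",
                     logon_hours=(8, 18)),
    "temp":  Profile(10004, "temp", "temp", ("contractors",), frozenset({"engineering"}), "pw-temp"),
    "lee":   Profile(10003, "lee", "lee", ("fin",), frozenset({"finance"}), "pw-lee", expired=True),
}


def engineering_host():
    """A managed computer in the engineering zone with an illustrative config."""
    return Host("engineering", {"local_users": {"root", "sync"},
                                "user_map": {"oracle": "chris"},
                                "deny_groups": {"contractors"}})


if __name__ == "__main__":
    host = engineering_host()
    for online, name, pw, hour in ((True, "root", "-", 12), (True, "chris", "&tiger1", 12),
                                   (True, "sam", "pw-sam", 12), (True, "pat", "pw-pat", 22),
                                   (True, "temp", "pw-temp", 12), (True, "oracle", "&tiger1", 12),
                                   (False, "chris", "&tiger1", 12), (False, "pat", "pw-pat", 12)):
        state = "online" if online else "offline"
        print(state, name, "->", login(host, DIRECTORY, online, name, pw, hour))
```

Two behaviours worth noticing: the offline path only succeeds for accounts that have already completed an online log-on on this host (the cache is populated at the end of a successful attempt), and the name mapping applies both online and offline, so a mapped service account also inherits the cached credentials of the account it maps to.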

When a user starts the UNIX computer, the following takes place:
1 A login process starts and prompts the user to supply a user

name.
2 The user responds by entering a valid local or Active Directory

user name.
3 The login process, which is a PAM-enabled program, then reads

the PAM configuration file, /etc/pam.conf, and determines that it should use the Centrify DirectControl PAM service, pam_centrifydc, for identification. The UNIX login process then passes the log-in request and the user name to the Centrify DirectControl Pluggable Authentication Module (PAM) service for processing.
4 The PAM service checks parameters in the Centrify

DirectControl configuration file to see if the user name entered is an account that should be authenticated locally. If the user should be authenticated locally, the PAM service passes the log-in request to the next PAM module in the PAM

40

Administrators Guide

configuration file, for example, to the local configuration file /etc/passwd. If the user is not set to be authenticated locally, the PAM service checks to see if the Centrify DirectControl agent process, adclient, is running. If it is, the PAM service passes the log-in request and user name to adclient for processing.
5 The adclient process connects to Active Directory and queries

the Active Directory domain controller to determine whether the user name included in the request is a Centrify DirectControl user who has access to computers in the current computers zone. If adclient is unable to connect to Active Directory, it queries the local cache to determine whether the user name has been successfully authenticated before. If adclient can connect to Active Directory but the user account does not have access to computers in the current zone or if the user cant be found in Active Directory or the local cache, adclient checks the Centrify DirectControl configuration file to see if the user name is mapped to a different Active Directory user account. If the user name is mapped to another Active Directory account in the configuration file, adclient queries the Active Directory domain controller or local cache to determine whether the mapped user name has access to computers in the current computers zone.
6 If the user has a UNIX profile for the current zone, adclient receives the zone-specific information for the user, such as the user's UID, the user's local UNIX name, the user's global Active Directory user name, the groups of which the user is a member, the user's home directory, and the user's default shell.
7 The adclient process queries through the NSS service to determine whether there are any users logged in with the same UID. If there are no conflicts, the log-in request continues and adclient passes the request to the PAM service to have the UNIX login process prompt for a password.

8 The UNIX login process prompts the user to provide a password and returns the password to the PAM service.


9 The PAM service checks parameters in the Centrify DirectControl configuration file to see if any user or group filtering has been specified to allow or deny access to specific user or group accounts. If any filtering has been specified, the current user is either allowed to continue with the login process or denied access.
10 If the current user account is not prevented from logging on by user or group filtering, the PAM service queries adclient to see if the user is authorized to log on.
11 The adclient process queries the Active Directory domain controller through Kerberos to determine whether the user is authorized to log on to the current computer at the current time.
12 The adclient process receives the results of its authorization request from Active Directory and passes the reply to the PAM service. If the user is not authorized to use the current computer or to log in at the current time, the PAM service denies the user's request to log on through the UNIX login process. If the user's password has expired, the PAM service sends a request through the UNIX login process asking the user to change the password. After the user supplies the password, log-in succeeds. If the user's password is about to expire, the PAM service notifies the user of impending expiration through the UNIX login process. If the user is authorized to log on and has a current password, the login process completes successfully. If this is the first time the user has logged on to the computer through Centrify DirectControl, the PAM service creates a new home directory on the computer in the location specified in the Centrify DirectControl configuration file by the parameter pam.homeskel.dir.

The following figure provides a simplified view of a typical log-on process when using Centrify DirectControl.
[Figure: simplified log-on process. The user starts a UNIX log on process using a command such as login, telnet, or ssh. PAM-enabled services check /etc/pam.conf for pam_centrifydc; UNIX look-up requests go through nss_centrifydc as configured in /etc/nsswitch.conf. The Centrify DirectControl Agent (adclient) checks /etc/centrifydc.conf settings for override, allow, deny, and password expiration, uses its cached credentials and search results and the Kerberos keytab and configuration file, and communicates with the Active Directory Domain Controller on behalf of Kerberos applications.]
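The decision points in steps 4 through 9 above, as a small Python model added here (it is not Centrify code): it parses a constructed centrifydc.conf fragment, resolves a login name to a local account, a zone profile or a mapped Active Directory account, checks for a UID clash with logged-in users, and applies user and group filtering. Only pam.homeskel.dir appears on this page; the other parameter names (pam.ignore.users, pam.mapuser.<name>, pam.allow.groups, pam.deny.users) and the deny-before-allow precedence are assumptions of the model, not a statement of the agent's documented behaviour.

```python
"""Model of the pam_centrifydc / adclient log-on decisions (added example)."""
from dataclasses import dataclass

# Constructed /etc/centrifydc.conf fragment. Only pam.homeskel.dir is taken
# from the page; the other parameter names are assumptions for this model.
SAMPLE_CONF = """\
# Accounts the next PAM module (local /etc/passwd) must handle (step 4)
pam.ignore.users: root, daemon, backup
# Map a UNIX login name onto a different Active Directory account (step 5)
pam.mapuser.oracle: svc_oracle
# User and group filtering applied after the password prompt (step 9)
pam.allow.groups: unixadmins, developers
pam.deny.users: contractor1
pam.homeskel.dir: /etc/skel
"""


def parse_conf(text):
    """Parse 'name: value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        conf[name.strip()] = value.strip()
    return conf


def conf_list(conf, key):
    """Return a comma-separated parameter value as a set of names."""
    return {item.strip() for item in conf.get(key, "").split(",") if item.strip()}


@dataclass(frozen=True)
class Profile:
    """Zone-specific data adclient receives in step 6 (constructed values)."""
    unix_name: str
    ad_name: str
    uid: int
    groups: frozenset
    home: str
    shell: str
    password_expired: bool = False


# Constructed zone data standing in for the Active Directory query in step 5,
# keyed by Active Directory user name. mjones deliberately shares jsmith's UID.
ZONE = {
    "jsmith": Profile("jsmith", "jsmith@example.com", 10001,
                      frozenset({"developers"}), "/home/jsmith", "/bin/bash"),
    "svc_oracle": Profile("oracle", "svc_oracle@example.com", 10002,
                          frozenset({"dbas", "unixadmins"}), "/home/oracle",
                          "/bin/sh", password_expired=True),
    "contractor1": Profile("contractor1", "contractor1@example.com", 10003,
                           frozenset({"developers"}), "/home/contractor1",
                           "/bin/bash"),
    "mjones": Profile("mjones", "mjones@example.com", 10001,
                      frozenset({"unixadmins"}), "/home/mjones", "/bin/bash"),
}


def resolve_user(conf, username, zone):
    """Steps 4-5: local account, zone user, mapped Active Directory user, or unknown."""
    if username in conf_list(conf, "pam.ignore.users"):
        return "local", None
    profile = zone.get(username)
    if profile is None:
        mapped = conf.get("pam.mapuser." + username)
        if mapped:
            profile = zone.get(mapped)
    return ("zone", profile) if profile else ("unknown", None)


def uid_conflicts(profile, logged_in):
    """Step 7: names of other logged-in users that hold the same UID."""
    return sorted(name for name, uid in logged_in.items()
                  if uid == profile.uid and name != profile.unix_name)


def filter_allows(conf, profile):
    """Step 9 filtering. Deny lists are checked first; an empty allow list
    means 'no restriction'. That precedence is this model's assumption."""
    if profile.unix_name in conf_list(conf, "pam.deny.users"):
        return False
    if profile.groups & conf_list(conf, "pam.deny.groups"):
        return False
    allow_users = conf_list(conf, "pam.allow.users")
    allow_groups = conf_list(conf, "pam.allow.groups")
    if not allow_users and not allow_groups:
        return True
    return profile.unix_name in allow_users or bool(profile.groups & allow_groups)


def login_decision(conf, username, zone, logged_in):
    """Combine the steps into the outcome the PAM service would report."""
    kind, profile = resolve_user(conf, username, zone)
    if kind != "zone":
        return kind               # "local" or "unknown"
    if uid_conflicts(profile, logged_in):
        return "uid-conflict"
    if not filter_allows(conf, profile):
        return "denied-by-filter"
    if profile.password_expired:
        return "change-password"  # step 12: user is prompted for a new password
    return "allowed"


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for name in ("root", "jsmith", "oracle", "contractor1", "mjones", "ghost"):
        print(f"{name:12s} -> {login_decision(conf, name, ZONE, {'jsmith': 10001})}")
```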

Understanding agentless authentication


The previous section described a typical log-on session for a Centrify DirectControl managed computer where the Centrify DirectControl Agent is installed. For computers and devices where you cannot install a Centrify DirectControl Agent, you may still be able to provide Active Directory authentication by using the Centrify DirectControl Network Information Service (adnisd). The Centrify DirectControl Network Information Service provides agentless authentication from Active Directory for computers that have older or unsupported operating systems but that can be, or already are, configured as NIS clients.


The following figure provides a simplified view of this environment.


[Figure: agentless authentication. Computers with older, unsupported operating systems (agentless systems) act as NIS clients and submit requests to the NIS listening port on a Centrify DirectControl managed system running adnisd and adclient (zone: ConsumerDivision). adnisd serves NIS maps generated from information in Active Directory, backed by a local cache, and adclient communicates with the Active Directory Domain Controller.]

In this scenario, the Centrify DirectControl zone acts as the NIS domain for a group of computers or devices that are configured as NIS clients. Those clients submit requests to the Centrify DirectControl Network Information Service, adnisd, listening on the NIS port. The Centrify DirectControl Network Information Service periodically contacts the Centrify DirectControl Agent, adclient, to get updated information from Active Directory and generates a set of maps that it stores locally. The Centrify DirectControl Network Information Service can then use the information in these maps to respond to NIS client requests for authentication or other services.


Chapter 3

Installing and starting Centrify DirectControl


This chapter provides a summary of the steps for installing Centrify Suite 2010 on Windows and UNIX computers and starting Centrify DirectControl for the first time. For more detailed information about preparing your environment and installing Centrify Suite 2010 and Centrify DirectControl, see the Planning and Deployment Guide. The following topics are covered:
Preparing for installation
Installing Centrify Suite 2010 on Windows
Starting Centrify DirectControl for the first time
Installing the Centrify DirectControl Agent

Preparing for installation


Before installing Centrify DirectControl:
1 Verify that you have Active Directory installed and that you have access to at least one Windows computer acting as a domain controller for the Active Directory forest to which you want to add UNIX computers.
2 Check whether the domain controller you have access to or another computer is the primary DNS server. You should also verify the DNS server allows secure dynamic updates and your domain controllers are configured to publish updated service locator (SRV) records.


Note: To verify DNS is configured to allow communication, use the ping command to try to connect to the domain controller from the UNIX computer and to connect to the UNIX computer from the domain controller.

3 Check whether the Windows computer where you intend to install the Centrify DirectControl Administrator Console has the Active Directory Users and Computers MMC snap-in installed if you want to use Active Directory Users and Computers to manage DirectControl-enabled accounts. Active Directory Users and Computers is not required if you only plan to use the Centrify DirectControl Administrator Console to manage DirectControl-enabled accounts.
4 Verify that you have a user account and password with sufficient rights to update the Active Directory forest with container objects and root level access for installing the Centrify DirectControl Agent on non-Windows computers.
5 Verify that all of the computers where you are planning to install Centrify DirectControl components meet the basic system requirements for installing Centrify DirectControl. You can check operating system, disk space, DNS resolution, network connectivity, and other requirements on target agent computers by running the optional adcheck program. The adcheck program helps to ensure target computers meet the system requirements necessary to install the Centrify DirectControl Agent and join an Active Directory domain. For more information about using this program, see the Planning and Deployment Guide.

Installing Centrify Suite 2010 on Windows


To install the Centrify Suite 2010 on Windows:
1 Log on to the Windows computer and locate the appropriate Admin_Tools folder for the Windows 32-bit or Windows 64-bit environment on the Centrify DirectControl CD or in the folder extracted from a Centrify DirectControl download package.
2 Double-click the appropriate setup program for the Windows 32-bit or Windows 64-bit environment to start the installation of the Centrify Suite 2010. If the current computer configuration must be updated before installing, the setup program displays the updates required and allows you to install the required programs. After you have installed the required programs, you can restart the setup program.
3 At the Centrify Suite 2010 Welcome page, click Next.
4 Select the type of Centrify Suite 2010 you want to install, then click Next. For example:


Select this: Helpdesk Administrator
To do this: Install the Centrify Suite 2010, Helpdesk Edition, which provides Centrify DirectControl properties for use with Active Directory Users and Computers and the Centrify PuTTY remote terminal emulator application.

Select this: Standard Administrator
To do this: Install the Centrify Suite 2010, Standard Edition, which provides the following:
  Centrify DirectControl Administrator Console.
  Centrify DirectControl Web Console.
  Console extensions for Centrify DirectAuthorize, NIS maps, and Group Policy Objects.
  Centrify Zone Generator.
  Centrify PuTTY remote terminal emulator.

Select this: Enterprise Administrator
To do this: Install the Centrify Suite 2010, Enterprise Edition, which includes all of the components in the Centrify Suite 2010, Standard Edition, plus the following:
  Centrify DirectAudit Administrator Console.
  Centrify Password Synchronization program.

Select this: Developer Edition
To do this: Install the Centrify Suite 2010, Developer Edition, which includes all of the components in the Centrify Suite 2010, Enterprise Edition, plus the following:
  Console extensions for integrating with Microsoft Identity Integration Server.
  Centrify SDK sample programs and documentation.

5 Check the list of Centrify Suite 2010 packages included in the type of suite you selected, then click Next to proceed if you want to install the default set of packages. If you want to skip the installation of any package on the local computer, click to uncheck the item you want to skip, then click Next.
6 Verify the packages you have selected for installation, then click Next.
7 The Centrify Suite 2010 setup program then starts the setup program for each item you selected to install. Follow the prompts displayed for each package to complete its installation. For example, if you are installing the Centrify DirectControl Administrator Console, you are prompted to:
  Review the terms of the license agreement.
  Type your name and organization.
  Select the folder location for installing DirectControl components.
  Select the components and extensions you want to install.
  Specify whether you want to disable the publisher verification to skip verification for best startup performance or force verification when applications are started.
  Verify your installation settings, then click Next.


8 When setup is complete for all of the packages you are installing as part of the suite, click Finish to close the Centrify Suite 2010 setup program.

Starting Centrify DirectControl for the first time


When you start the Centrify DirectControl Administrator Console for the first time, the Setup Wizard is displayed to configure the Active Directory forest and set the default properties for your first Centrify DirectControl Zone. To start the Setup Wizard and update the Active Directory forest:
1 Log onto the computer where you installed the Centrify DirectControl Administrator Console and click Start > All Programs > Centrify > Centrify DirectControl.
2 Verify the name of the domain controller displayed is a member of the Active Directory forest you want to update or type the name of a different domain controller if you want to connect to a different forest, then click OK.
3 At the Welcome page, click Next.
4 Select Use currently connected user credentials to use your current log on account or select Specify alternate user credentials and type a user name and password, then click Next.
5 Select a location for installing license keys in Active Directory, then click Next. The default container for license keys is domain_name/Program Data/Centrify/Licenses. To create or select a container object in a different location, click Browse. You can also add other License containers in other locations later using the Manage Licenses dialog box.
6 Review the permission requirements for the container, then click Yes to confirm your selection.



7 Select whether to install the evaluation license keys or permanent license keys. If you have purchased licenses and want to install those license keys, select Install the following license keys, type the 24-character license key you received, then click Add or click Import to import the keys directly from a file.
8 Select Create default zone container and specify a location for the Zones container, then click Next. The default container location for zones is domain_name/Program Data/Centrify/Zones. The default zone and any other zones you create are placed in this container location by default. You can create a new container object or select an existing container object.
Note: When you select this option, Centrify DirectControl creates both the parent container for zones and a default first zone for evaluation or a pilot deployment. You can modify the properties for the default zone after running the Setup Wizard, if needed, or remove the zone if you choose not to use it.

9 Select Create default zone, then click Next to configure the default zone.
10 Select the container location and type for the default zone, type a description of the zone, and specify the master domain controller to use for the zone, then click Next.
11 Check the Specify a zone that contains Unix profile information for users and groups option if you want to add users or groups from an existing zone in the Active Directory forest. If you check this option, click Find to search for and select the zone that contains existing user and group profiles, then click Next.
Note: In most cases, you leave this option unchecked when creating a default zone for evaluation or a pilot deployment. This option is more useful when adding zones after completing the initial configuration of Centrify DirectControl.
12 Type the numeric user identifier (UID) you want to start with for new UNIX users in this zone, then click Next.
13 Type the numeric group identifier (GID) you want to start with for new UNIX groups in this zone, then click Next.
14 Type the default location you want to use when creating new home directories for new UNIX users, then click Next.
15 Select the type of UNIX shell you want to use as the default for users in this zone, click Set as default, then click Next.
16 Click Browse to select the Active Directory group you want to use as the default primary group for users in the default zone, type the UNIX group identifier (GID) and UNIX group name to use, then click Next.
17 Click Next if you are configuring a standard Centrify DirectControl zone without agentless authentication. For more information about agentless authentication, see the Planning and Deployment Guide.
18 Check the Grant computer accounts in the Computers container permission to update their own account information option to give each UNIX computer account permission to manage its own account password, then click Next.
19 Select Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in if you want to automatically maintain the integrity of the data stored in Centrify UNIX profiles, then click Next.
20 Select Activate Centrify profile property pages if you want to be able to display the properties in Centrify DirectControl profiles in any Active Directory context, then click Next. This setting is not required to display the Centrify DirectControl property pages when using Active Directory Users and Computers or the Centrify DirectControl Administrator Console. If you only need to access Centrify DirectControl properties from Active Directory Users and Computers or the Centrify DirectControl Administrator Console, leave this option unchecked and click Next.
21 Review and confirm your configuration settings, click Next, then click Finish. For information about modifying zone properties after configuring the first zone, see Changing zone properties on page 71.

Installing the Centrify DirectControl Agent


Depending on your environment, you may have several options for installing the Centrify DirectControl Agent. The instructions summarized here assume you are using the standard Centrify DirectControl installation script, install.sh. For information about the other options available or more detailed information about any step, see the Planning and Deployment Guide. To install the Centrify DirectControl Agent on a computer:
1 Log on or switch to the root user if you are installing on a computer running Linux or UNIX, or log on with a valid user account if you are installing on a computer with the Mac OS X operating system.
Note: You are not required to log on as the root user on Mac OS X computers, but you must know the password for the Administrator account to complete the installation.
2 Mount the cdrom device using the appropriate command for the local computer's operating environment, if it is not automatically mounted.


3 Change to the appropriate directory on the CD or on the network where the Centrify DirectControl agent package is located. For example, to install on a Linux computer from the Centrify DirectControl CD, change to the Agent_Linux directory:

    cd Agent_Linux

Similarly, if you are installing on a Mac OS X computer, change to the Agent_Mac directory.
4 Run the install.sh script to start the installation of Centrify DirectControl on the local computer's operating environment. For example:

    ./install.sh

Follow the prompts displayed to select the services you want to install and the tasks you want to perform. For example, you can choose whether you want to join a domain or restart the local computer automatically at the conclusion of the installation.

Joining an Active Directory domain


If you do not join the domain when you run the installation script, you can do so manually using the adjoin command on any computer where the Centrify DirectControl Agent is installed or, on Mac OS X computers, by selecting Applications > Utilities > Directory Access and configuring the Centrify DirectControl service. For more information about running adjoin, see Using adjoin on page 317 or the adjoin man page. For information about configuring the Centrify DirectControl service on Mac OS X computers, see the Mac-specific information in the Administrator's Guide for Mac OS X.

Restarting UNIX services after joining the domain


You may need to restart some services on UNIX computers where you have installed the Centrify DirectControl Agent so that those services will reread the name switch configuration file. As an alternative to restarting individual services, you may want to reboot the system to restart all services.
Note: Because the applications and services on different servers may vary, Centrify recommends you reboot each system at your earliest convenience to ensure all of the applications and services on the system read the Centrify DirectControl configuration changes.


Chapter 4

Managing zones
This chapter describes how to use the Centrify DirectControl Administrator Console to create zones and manage zone properties. It also shows how to manage without zones by using Auto Zone. The following topics are covered:
Using the Centrify DirectControl Setup Wizard
Creating a new zone
Opening and closing zones
Delegating control of administrative tasks
Changing zone properties
Changing the master domain controller
Adding a computer to a zone
Changing the location of a zone in Active Directory
Converting a standard DirectControl zone to RFC 2307
Using the Zone Generator to populate new zones
Running reports for zones
Searching for profiles in a zone
Understanding Auto Zone
For information about zone types, strategies for using zones, and planning the migration of users and groups to zones, see the Planning and Deployment Guide.


Understanding Centrify DirectControl zones


A Centrify DirectControl zone is similar to an Active Directory organizational unit (OU) or NIS domain. Zones allow you to organize the computers in your organization in meaningful ways to simplify account and access management and the migration of information from existing sources to Active Directory. How you use zones, or even whether you use zones, will depend primarily on the needs of your organization. In some organizations, a single default zone is sufficient. In other organizations, using multiple zones may be a necessity. Although using multiple zones can provide flexibility for managing user accounts and computer access, Centrify DirectControl does not require it. The Centrify DirectControl Setup Wizard will guide you through the configuration of a default zone, and you can use this default zone to add computers to the domain for as long as it is practical to do so. You only need to be concerned with planning and populating additional zones if multiple zones would be useful for your organization. You can then create the additional Centrify DirectControl zones as you need them. On the other hand, you may choose to define no zones at all, not even the default zone, by connecting to a domain through Auto Zone. With Auto Zone, every Active Directory user and group defined in the forest, as well as any users defined in a two-way trusted forest, are valid users or groups for the joined machine.

Using the Centrify DirectControl Setup Wizard


The Centrify DirectControl Setup Wizard starts automatically the first time you start the Centrify DirectControl Administrator Console. In most cases, the only time you need to run the Setup Wizard is to perform this initial configuration of the Active Directory forest. You can, however, use the Setup Wizard after the initial configuration if you want to change your configuration. For example, if you want to change the location of the default container object for new zones, you can re-run the Setup Wizard to make this change. When you re-run the Setup Wizard, the steps you see depend on the specific steps you took during the initial configuration of Centrify DirectControl. Follow the instructions displayed to make changes to the Centrify DirectControl environment.

Creating a new zone


In most cases, you create the first Centrify DirectControl zone the first time you start the Centrify DirectControl Administrator Console. This default zone is created automatically when you select Create default zone container in the Setup Wizard. The default zone enables you to set up an evaluation environment or pilot deployment without configuring any of the zone's properties. When you create new zones outside of the Setup Wizard, however, you need to set each zone's properties appropriately. Zone properties allow you to control important default settings for a zone, such as the UID and GID range to use, the default home directory path for new users, and whether the zone supports agentless authentication for NIS clients.
Note: Unless you join to the domain through Auto Zone (see Understanding Auto Zone on page 80), you must either create the default zone using the Setup Wizard, or create at least one new zone before you begin adding computers to the Active Directory domain. Computers are automatically added to the default zone when you join them to the domain unless you specify a different zone, or join to Auto Zone. For more information about configuring zone properties for an existing zone, see Changing zone properties on page 71.

Whether you choose to create the default zone or not, you can use the Create New Zone wizard to create as many zones as you need. You can create the zones in the default Zones container object or in other containers or organizational units within Active Directory. To create new zones, however, you must be a domain administrator or have the permissions described in the Planning and Deployment Guide. Once you create a zone, you can delegate administrative tasks to other users and groups through the Zone Delegation Wizard. In most cases, only the user who creates a zone has the appropriate rights to delegate administrative tasks to other users. To create a new Centrify DirectControl zone:
1 Open the Centrify DirectControl Administrator Console.
2 If you are not currently connected to the appropriate forest, specify the domain controller to which you want to connect.
3 In the console tree, select Zones and right-click, then click Create New Zone.


4 Type the zone name and description and specify the parent container, object type, and primary domain controller for the new zone, then click Next. For example:

For this: Zone name
Do this: Type a name for the zone. The zone name can start with any alphanumeric character or an underscore character (_), followed by any combination of alphabetic, numeric, underscore (_), hyphen (-), or period (.) characters up to a maximum length of 64 characters. For example:
    paris1.france-tgv.org

For this: Container
Do this: Specify the parent container for this zone. By default, the parent location is the container you specified in the Setup Wizard. If you want to select a different location for this zone, click Browse and navigate to the container or organizational unit you want to use as the parent for this zone. If you are not using the default parent container, you can click Create to create a new container or organizational unit or select an existing container or organizational unit, then click OK.
Note: In selecting a location for a zone, keep in mind that individual zones should never be nested inside of another named zone. You can use any other Active Directory parent container or organizational unit, but not another zone object. In addition, you should never put any Active Directory objects, such as user or computer objects, into zone containers. For more information about planning how to add Centrify DirectControl objects to Active Directory, see the Planning and Deployment Guide.

For this: Object type
Do this: Select Container or Organizational Unit to specify whether the zone should be created as a container object or an organizational unit object. If the parent container for the zone is a generic container object, the zone must be created as a container object. If the parent container is an organizational unit, the zone must be created as an organizational unit. You cannot apply Group Policy Objects to generic container objects.

For this: Description
Do this: Type a description of the zone. You can use the description to provide more detailed information about how computers are grouped. For example, if you are grouping computers by location, you may want to use the location in the zone description. If you are organizing computers by department, you may want to specify the department in the description.

For this: Domain controller
Do this: Type the fully-qualified name of the primary domain controller to use for the zone. Specifying a master domain controller forces the Centrify DirectControl Administrator Console to connect to the master domain controller for all zone-related operations, such as adding and removing users and groups. Using a master domain controller helps to ensure data integrity by preventing administrators using other domain controllers from updating zone information and potentially creating duplicate UID or GID values or orphan data.

5 Check the Maintain backward compatibility option and select whether you want to maintain compatibility with DirectControl 2.0 or DirectControl 3.0 if you want to manage computers with 2.x or 3.x DirectControl Agents in the zone you are creating. For example, if you want the zone to include computers with DirectControl 3.0.x agents, you can check Maintain backward compatibility and DirectControl 3.0 UNIX agent, then click Next.

If none of the computers to be included in the zone have an older version of the DirectControl Agent installed, you can leave this option unchecked and click Next to create a new zone exclusively for DirectControl 4.x agents. Selecting Maintain backward compatibility and an agent version creates a zone with slightly different properties than when this option is not selected. This option does not prevent any DirectControl Agents from joining the zone, but adding computers with 2.x or 3.x agents to a zone created strictly for 4.x agents is not a supported configuration. If you have computers with 2.0.x or 3.0.x agents that you don't want to upgrade, you should check the Maintain backward compatibility option to ensure compatibility. If all of the computers to join the zone will have the 4.0 or later agent installed, you should leave the Maintain backward compatibility option unchecked.
6 Select the type of zone to create, then click Next. The zone type identifies the schema definition to use for storing UNIX attributes in Active Directory.


Depending on the Active Directory schema you have installed and the functional level of the Active Directory forest, you can choose one of the following zone types:

Select this zone type: Standard DirectControl zone
To do this: Store UNIX properties using the standard Active Directory schema. In a standard DirectControl zone, individual users can have multiple UNIX profiles (user name, UID, shell, home directory, and primary group), and each user can be a member of as many standard zones as needed. Standard DirectControl zones can include users from any trusted domain or forest as members. This zone type is available when you use the standard Active Directory schema or when you use the Microsoft Services for UNIX or R2 schema extensions. The functional level of the domain and forest can be Windows 2000, Windows Server 2003, or Windows Server 2008. Because the Standard DirectControl zone supports more Active Directory configurations than other zone types, it is the most commonly used zone type.

Select this zone type: DirectControl SFU zone
To do this: Store UNIX properties using the Microsoft Windows Services for UNIX (SFU) schema extension. In a DirectControl Services for UNIX (SFU) zone, UNIX properties are stored as part of the Active Directory user object. Each user can only belong to one SFU zone, and only users in the same domain as the zone can be members of the zone. This zone type is only available if you have the Windows Services for UNIX (SFU) schema installed. The functional level of the Active Directory forest can be Windows 2000 or Windows Server 2003 for this zone type.
Note: If you select this zone type and click Next, you are prompted to select the Windows domain and to specify the NIS domain. Centrify DirectControl doesn't validate the NIS domain name, however. If the domain name you specify doesn't exist, Centrify DirectControl can successfully create the zone and store UNIX properties in the SFU schema, but Active Directory Users and Computers will not display the UNIX Attributes tab. If the NIS domain you specify doesn't exist, you must use the Centrify DirectControl Administrator Console to enter UNIX attributes.

Select this zone type: Standard DirectControl RFC 2307-compatible zone
To do this: Store UNIX properties using the Microsoft RFC 2307-compliant schema extension. This zone type is only available if you have the Windows Server 2003 R2 schema installed and have raised the functional level of the Active Directory forest to Windows Server 2003.

Select this zone type: DirectControl RFC 2307-compatible SFU zone
To do this: Store UNIX properties using the Microsoft RFC 2307-compliant Services for UNIX (SFU) schema extension. This zone type is only available if you have raised the functional level of the Active Directory forest to Windows Server 2003 or Windows Server 2008.

Note: For more information about the implications of selecting a zone type and the relationship between zone type and the Active Directory schema, see the Planning and Deployment Guide. For more information about Microsoft Services for UNIX (SFU), see the Microsoft Services for UNIX documentation. For more information about the RFC 2307 specification, see the original Request for Comments available at http://www.faqs.org/rfcs/rfc2307.

7 Check the Specify a zone that contains UNIX profile information for users and groups option if you want to add users or groups from an existing zone in the Active Directory forest. This option enables you to reuse the existing profile information for users and groups when you add them to the new zone. If you check this option, click Find to search for and select the zone that contains the existing user and group profiles, then click Next. When you add users or groups with profiles in the selected zone to the zone you are creating, their UNIX profiles keep the same UIDs and GIDs in the new zone as they had in the selected zone.
Note: This option is especially useful if you have a DirectControl zone or a Microsoft Services for UNIX (SFU) zone that contains master data you want to use in multiple zones.

8 Type the numeric user identifier (UID) you want to start with for new UNIX users in this zone, then click Next. Choose a starting value above the UIDs used by local accounts in /etc/passwd on the computers that will join the zone, so that Active Directory users never collide with local users.

9 Type the numeric group identifier (GID) you want to start with for new UNIX groups in this zone, then click Next. The same rule applies to local groups in /etc/group.

10 Type the default location you want to use when creating new home directories for new UNIX users, then click Next.

11 Select the type of UNIX shell you want to use as the default for users in this zone, click Set as default, then click Next.

12 Select the Active Directory group you want to use as the default primary group for new users:
- Click Browse to find the existing Active Directory group to make the default primary group. In the browser, select the group to use, then click OK.
- Click Create to create a new Active Directory group to use as the default primary group for users in the current zone. If you are creating a new Active Directory group, you need to specify the parent container for the group, the group name, and the group scope, then click OK.
Once you have selected or created the Active Directory group to use, review the UNIX profile for the group, then click Next.
13 If you want to allow agentless authentication through the Centrify DirectControl Network Information Service in the current zone, select the Support agentless clients option, then select the Active Directory attribute for storing the password hash and the name of the NIS domain the zone maps to, then click Next. Agentless NIS clients retrieve that password hash over the network, so enable this option only in zones that contain computers or devices that must submit NIS client requests. If you are not allowing computers or devices to submit NIS client requests to the Centrify DirectControl Network Information Service on a Centrify DirectControl-managed computer, leave this option unchecked and click Next to continue creating the zone.
14 Check the selections you have made, then click Finish to complete the zone configuration.

Opening and closing zones


Because zone properties and UNIX-specific objects are organized into zones, you must open a zone to work with its contents. You can have multiple zones open at the same time, but you must explicitly open each zone to work with it. Once you open a zone, it stays open until you close it. For performance reasons, however, you should close any zones you aren't actively working with.

Opening a zone
To open a zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones and right-click, then click Open Zone.
3 Type all or part of the name of the zone you want to open, then click Find Now.


4 Select the zone to open from the list of results, then click OK. You can use the CTRL and SHIFT keys to select multiple zones.

Once you have opened the zones you want to work with, save your console settings when you exit the Centrify DirectControl Administrator Console so that the open zones are displayed by default the next time you start the console. When you save your console settings, the console display is the same the next time you start the Centrify DirectControl Administrator Console as when you last used it.

Closing a zone
To close an open zone:
1 In the console tree, select the specific zone name you want to close and right-click, then click Close.


2 Click Yes to confirm that you want to close the zone.

Delegating control of administrative tasks


You can use the Centrify DirectControl Administrator Console to give specific users and groups permission to perform specific types of administrative tasks within each zone. For example, assume you have a zone called Finance and you want to set up different permissions for the different kinds of users who access computers in this zone. Through the Centrify DirectControl Administrator Console, you can assign specific permissions to individual users and groups. For example, you can delegate:
- The group FinanceITStaff to perform All administrative tasks within the zone, so that all members of that group can change zone properties; add, modify, and remove user and group profiles in the zone; join and remove computers from the zone; and delete the zone.
- The group FinanceManagers to add, modify, and remove user and group profiles in the zone.
- The group FinanceUsers to change zone properties, but perform no other tasks.
- The users jason.ellison and noah.stone to delete the zone.
Delegated tasks are the least-privilege mechanism for zone administration: grant each group only the tasks it needs, and keep the All task for the small group that administers the zone as a whole.


To delegate which users and groups have control over the objects in a zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones, then select and expand the zone you are interested in, for example, the default zone.
3 Right-click, then click Delegate Zone Control.
4 At the Welcome page, click Next.
5 Click Add to find the users, groups, or computer accounts to which you want to delegate specific tasks.
6 Select the type of account (User, Group, or Computer) to search for, type all or part of the account name, then click Find Now.
7 Select one or more accounts from the list of results, then click OK.
8 When you are finished adding users and groups to which you want to assign administrative tasks, click Next.
9 Select the tasks you want to delegate to the user or group, then click Next. For example, if you want all of the members of the group you selected in the previous step to be able to perform all administrative tasks for a zone, check the All task.


The domain administrator who creates a zone has full control over the zone's properties and permission to delegate administrative tasks to other users. The user who creates a zone is also the only user who can add NIS maps to the zone. The right to create NIS maps is exclusive to the creator of a zone because it requires permission to create containers in Active Directory. The zone creator can, however, grant other users permission to add, remove, or modify NIS map entries.

For each zone you create, you should identify at least one user or group that can be delegated to perform all administrative tasks. For example, if you have a Finance zone, you may want to create a Finance Admins group in Active Directory and then delegate All tasks to that group so that members of that group can manage the zone. Although you are not required to create or use a zone administrator group for every zone, assigning the management of each zone to a specific user or group simplifies the delegation of administrative tasks. If you choose to use finer-grained control, for example, allowing one group only to join computers to the domain and zone and another only to add and remove users, make sure the members of those groups know their restricted roles.

In addition, any user or group assigned the Add users or Add groups task should also be assigned the Change zone properties task, because adding a user or group updates the next UID and next GID zone properties. If you don't assign the Change zone properties task, those counters are not advanced and you must manually increment the next UID and GID values; otherwise the zone keeps offering the same identifier to the next profile added.

Note: For information about the permissions set in the Zone Delegation Wizard, see the Planning and Deployment Guide.

10 Review your selections, then click Finish.

Note: If you delegate administrative tasks to one or more groups that have members logged on, inform the group members that they may need to log out and log back on before they can perform the administrative tasks assigned to the group.
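The two delegation rules stated above (every zone needs a principal that holds All tasks, and any principal granted Add users or Add groups also needs Change zone properties so the next UID and next GID counters advance) can be checked mechanically over a planned delegation before you run the wizard, or over the Zone Delegation Report afterwards. The following is an added example and not Centrify code: the task names All, Change zone properties, Add users and Add groups come from the text; the other task names, the principals and the plan itself are constructed for illustration.

```python
"""Added example (not Centrify code): review a planned zone delegation against
the rules in this section. Task names other than All, Change zone properties,
Add users and Add groups, and the sample plan, are constructed."""

ALL = "All"
ZONE_PROPERTIES = "Change zone properties"
NEEDS_ZONE_PROPERTIES = {"Add users", "Add groups"}

# Constructed plan: zone -> principal -> set of delegated tasks.
SAMPLE_PLAN = {
    "Finance": {
        "FinanceITStaff":  {ALL},
        "FinanceManagers": {"Add users", "Add groups", "Remove users", "Remove groups"},
        "FinanceUsers":    {ZONE_PROPERTIES},
        "jason.ellison":   {"Delete zone"},
    },
    "Engineering": {
        "EngOps": {"Join computers", "Remove computers"},
    },
}


def review_delegation(plan):
    """Return a list of findings; an empty list means the plan follows the rules."""
    findings = []
    for zone, grants in plan.items():
        # Rule 1: someone must be able to administer the zone as a whole.
        if not any(ALL in tasks for tasks in grants.values()):
            findings.append(f"{zone}: no principal holds All tasks; designate a zone admin group")
        for principal, tasks in grants.items():
            if ALL in tasks and len(tasks) > 1:
                findings.append(f"{zone}/{principal}: All already covers the other tasks listed")
            # Rule 2: adding profiles must be able to advance next UID / next GID.
            if ALL not in tasks and tasks & NEEDS_ZONE_PROPERTIES and ZONE_PROPERTIES not in tasks:
                findings.append(f"{zone}/{principal}: Add users/Add groups granted without "
                                f"Change zone properties, so next UID/GID will not advance")
    return findings


def fix_plan(plan):
    """Return a copy of the plan with Change zone properties added wherever rule 2 requires it."""
    fixed = {}
    for zone, grants in plan.items():
        fixed[zone] = {}
        for principal, tasks in grants.items():
            tasks = set(tasks)
            if ALL not in tasks and tasks & NEEDS_ZONE_PROPERTIES:
                tasks.add(ZONE_PROPERTIES)
            fixed[zone][principal] = tasks
    return fixed


if __name__ == "__main__":
    for finding in review_delegation(SAMPLE_PLAN):
        print(finding)
```

Running it on the sample plan reports FinanceManagers (Add users without Change zone properties) and the Engineering zone (no All holder); fix_plan repairs the first finding, and the second is a decision for you, since handing All to EngOps would be more than they were meant to have.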


Changing zone properties


As noted in Creating a new zone on page 57, zone properties allow you to control the default settings for users and groups in the zone. Although you typically set zone properties when you create a zone, you can change the zone properties for an existing zone at any time, if needed. For example, after creating a zone you may find you need to change the default starting point for user IDs or group IDs. To change the properties for an existing zone:
1 Open the Centrify DirectControl Administrator Console.
2 If prompted to connect to a forest, specify a domain controller and, if needed, the user credentials for connecting to the domain controller, then click OK.
3 In the console tree, select Zones to display the list of zones.
4 Select a zone and right-click, then click Properties.


5 Click the appropriate tab to configure the default properties for the current zone, then click OK.

Click this tab: General
To do this: View the location of the zone in Active Directory and the zone type. Modify the zone description. View whether a master domain controller has been defined for the zone. Select a specific Licenses container for the zone to use. Add or remove support for agentless authentication in the current zone. Configure the access control list of permissions for the zone. Specify a zone that contains UNIX profile information that you want to use when adding users or groups from an existing zone.

Click this tab: Default Value
To do this: Add or remove UNIX shells from the list of available shells for the zone. Set the default UNIX shell to use for the zone. Define the pattern to use when creating a new home directory for a new UNIX user. Set the default Active Directory group that users in this zone should be members of.

Click this tab: UID Manager
To do this: Set the default value for the next numeric user identifier (UID) in the zone. Add and remove reserved UID values.

Click this tab: GID Manager
To do this: Set the default value for the next numeric group identifier (GID) in the zone. Add and remove reserved GID values.

Changing the master domain controller


When you create a new zone, you have the option to specify a master domain controller for the zone. Setting a master domain controller helps to ensure data integrity because every administrator who adds or removes users and groups in the zone then writes to the same domain controller, so the zone's next UID and next GID counters are read and updated in one place. If you do not set a master domain controller, or the master domain controller is unavailable, two administrators connected to different domain controllers can each read the same next UID before replication has converged and add users with the same UID. Using a master domain controller ensures that administrators cannot add new users with duplicate UIDs.

If you choose to use a master domain controller for a zone, you should avoid changing it, if possible. If you do need to change the master domain controller, however, keep the following in mind:
- The zone information is only updated in the new master domain controller when replication is complete. If you connect to the old domain controller and view zone information, the zone displays the old domain controller as its master domain controller until replication is complete for all domain controllers.
- Reports and forest analysis do not report the correct master domain controller for the zone until replication is complete between the new master domain controller and the previous master domain controller.
- You cannot refresh the information displayed in the Centrify DirectControl Administrator Console until replication is complete between the new master domain controller and the previously connected domain controller.
- Wait for zone information to be replicated to all domain controllers before you add any new users or groups to the zone you are modifying, to prevent duplicate UIDs.
- After changing the master domain controller for one or more zones, run the Analyze command to check the Active Directory forest and verify that no duplicate UIDs or GIDs have been introduced.
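The check the Analyze command performs after a master domain controller change, and the reserved-value handling of the UID Manager and GID Manager tabs described under Changing zone properties, come down to two operations on a zone's profile list: find identifiers used by more than one profile, and compute a next UID or GID that is neither in use nor reserved. The block below is an added example, not Centrify code or the Analyze command itself; the profile records are constructed sample data standing in for what the console or a Zones Report shows for one zone, and the next UID, next GID and reserved values mirror the zone properties the text describes.

```python
"""Added example (not Centrify code): detect duplicate UIDs/GIDs in a zone's
profiles and pick a safe next UID/GID that skips in-use and reserved values.
The profile records are constructed sample data."""
from collections import defaultdict

# Constructed sample: (name, kind, numeric id). Two administrators adding users
# against different domain controllers can produce the collisions shown here.
SAMPLE_PROFILES = [
    ("alice",   "user",  10001),
    ("bob",     "user",  10002),
    ("carol",   "user",  10002),  # same UID as bob
    ("finance", "group", 5001),
    ("audit",   "group", 5001),   # same GID as finance
    ("dev",     "group", 5002),
]


def find_duplicates(profiles):
    """Return {kind: {id: [names]}} for every id used by more than one profile of that kind."""
    by_id = defaultdict(lambda: defaultdict(list))
    for name, kind, num in profiles:
        by_id[kind][num].append(name)
    return {kind: {num: names for num, names in ids.items() if len(names) > 1}
            for kind, ids in by_id.items()}


def next_free_id(profiles, kind, start, reserved=()):
    """First id >= start that is neither used by a profile of this kind nor reserved."""
    blocked = {num for _, k, num in profiles if k == kind} | set(reserved)
    candidate = start
    while candidate in blocked:
        candidate += 1
    return candidate


def analyze_zone(profiles, next_uid, next_gid, reserved_uids=(), reserved_gids=()):
    """Return a list of findings; an empty list means the zone is consistent."""
    findings = []
    dups = find_duplicates(profiles)
    for uid, names in sorted(dups.get("user", {}).items()):
        findings.append(f"duplicate UID {uid}: {', '.join(names)}")
    for gid, names in sorted(dups.get("group", {}).items()):
        findings.append(f"duplicate GID {gid}: {', '.join(names)}")
    # A next UID/GID counter that was not advanced (for example because the
    # delegate lacked Change zone properties) will hand out an id already in use.
    for kind, counter, reserved in (("user", next_uid, reserved_uids),
                                    ("group", next_gid, reserved_gids)):
        used = {num for _, k, num in profiles if k == kind}
        label = "UID" if kind == "user" else "GID"
        if counter in used or counter in reserved:
            findings.append(f"next {label} {counter} is already in use or reserved; "
                            f"use {next_free_id(profiles, kind, counter, reserved)}")
    return findings


if __name__ == "__main__":
    for finding in analyze_zone(SAMPLE_PROFILES, next_uid=10002, next_gid=5003):
        print(finding)
```

Run against the sample it reports the duplicate UID 10002 (bob, carol), the duplicate GID 5001 (finance, audit), and that the zone's next UID of 10002 is already taken, suggesting 10003. Fix duplicates by reassigning one of the colliding profiles, then set the next UID and next GID zone properties to the values next_free_id returns so the counters start above everything in use.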


Changing the master domain controller for one zone


To change the master domain controller for a zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones to display the list of zones.
3 Select the zone name for which you want to set a new master domain controller. For example, select the default zone.
4 Right-click, then click Change Master Domain Controller.
5 Type the fully-qualified domain name for the new domain controller, then click OK.

Note: If there are other administrators managing this zone, notify them before changing the master domain controller and make this change while they are logged out. Depending on how long it takes for replication to complete across the domain controllers in the Active Directory forest, you may want to schedule this change for a time when no administrators need access to zone information.

6 Click Yes to confirm that you want to change the master domain controller for the zone.

Changing the master domain controller for multiple zones


If you are using the same master domain controller for multiple zones, you may need to change the domain controller for all of those zones at once. For example, if several zones use the server ginger.ajax.org as their master domain controller and the server has a hardware failure or other problem requiring it to be taken down, all of the zones using that domain controller need to connect to a new master domain controller. To change the master domain controller for multiple zones:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones to display the list of zones in the details pane.
3 Use SHIFT-CLICK and CTRL-CLICK to select the zone names for which you want to set a new master domain controller.
4 Right-click, then click Change Master Domain Controller.
5 Type the fully-qualified domain name for the new domain controller, then click OK.

Note: Notify all Centrify DirectControl administrators before changing the master domain controller for multiple zones and, if possible, make this change while they are logged out. Depending on how long it takes for replication to complete across the domain controllers in the Active Directory forest, you may want to schedule this change for a time when no administrators need access to zone information.

6 Click Yes to confirm that you want to change the master domain controller for all of the selected zones.


Adding a computer to a zone


There are three ways to add a computer to a zone:
- By specifying a zone when you join the domain using adjoin.
- By selecting a zone when you create or modify the computer account properties.
- By connecting to Auto Zone when you join the domain using adjoin.
If you don't specify the zone when you join the domain, or connect to Auto Zone, computers are added to the default zone. If you did not create the default zone, however, you must specify a zone for each computer to successfully join an Active Directory domain. For more information about specifying the zone, joining the domain, and modifying computer properties, see Chapter 5, Managing computers.

Changing the location of a zone in Active Directory


If you want to move a zone from one container object to another in Active Directory, you can do so manually using ADSI Edit to edit the zone container object's properties. If you change the location of a zone, you must then restart the Centrify DirectControl Agent on the computers in that zone so that they recognize the new zone location. After you move the ZoneName object to a new parent container or organizational unit, run the following command to restart the Centrify DirectControl Agent on each computer in the zone:
/usr/share/centrifydc/bin/centrifydc restart


Converting a standard DirectControl zone to RFC 2307


Standard DirectControl zones can be converted to standard DirectControl RFC 2307-compliant zones if you deploy the Active Directory RFC 2307 schema in your environment. To convert a standard DirectControl zone to a DirectControl RFC 2307-compliant zone:
1 Open the Centrify DirectControl Administrator Console.
2 If prompted to connect to a forest, specify a domain controller and, if needed, the user credentials for connecting to the domain controller, then click OK.
3 In the console tree, select Zones to display the list of zones.
4 Select a zone name, right-click, then click All Tasks > Convert to DirectControl 4.0 Standard Zone.

Note: This task is only available for zones created with an earlier version of Centrify DirectControl or for zones that were created with Centrify DirectControl, version 4.0 or later, but configured to maintain compatibility with 2.x and 3.x DirectControl agents.

5 At the Welcome page, click Next.
6 Select whether you want to create a new converted zone from the existing zone or convert the existing zone in place, then click Next.
- Select Create a new zone based on the existing zone to copy the existing zone to a new zone name. If you select this option, you must use adleave to remove the computers from the old zone, then run adjoin to join the computers to the new zone.
- Select Alter the zone in place to change the zone type without creating a new zone. Changing the zone type changes how some properties are stored. If you select this option, computers can remain joined to the existing zone, but some information may be removed or overwritten. If you select this option, skip to Step 8.
7 If you are creating a new zone from the existing zone, specify the new zone location and the new zone name, then click Next.
8 Review the summary of the operation to be performed, then click Next.
9 Click Finish to complete the zone conversion.

Using the Zone Generator to populate new zones


The Zone Generator is a separate tool that enables you to create new zones from selected members of existing zones. With the Zone Generator, you can propagate identical user and group information across multiple zones or populate a new zone by specifying the users and groups defined in other zones that should have access to the new zone. The Zone Generator eliminates the need to manually enter identical identity information for users and groups who have access to multiple zones as you move from an environment with UID and GID conflicts to a rationalized user space where each account has a consistent UID or GID across multiple zones. The Zone Generator reads information from an XML-based zone generation file. The zone generation file defines one or more input zones and any user or group filters that should be used to populate an output zone. When you run the Zone Generator, you specify the zone generation file to use, and the Zone Generator uses the information in the file to populate one or more empty zones according to your specifications. For more information about using the Zone Generator, including the syntax to use in the zone generation file and example zone definitions, see the Planning and Deployment Guide.


Running reports for zones


To view information about zones, you can run the following default report definitions or create your own custom reports:
- The Zone Delegation Report lists the administrative tasks for each zone and the users or groups that have been delegated to perform each task.
- The Zones Report lists the zone properties for each zone.
For more information about generating and working with reports, see Generating predefined and custom reports on page 231.

Searching for profiles in a zone


You can search for the UNIX profiles for computers, groups, or users within a zone. To search for profiles in a zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones to display the list of zones.
3 Select a zone to search and right-click, then click Find profiles.
4 Select the type of profile you want to find. For example, select Computers to search for a computer object's UNIX profile.
5 Type all or part of the name of the profile you want to find, then click Find Now.
6 Select the profile from the list of results, then right-click and select Properties to view all Active Directory properties or Zone Settings to view only the Centrify DirectControl profile.


Understanding Auto Zone


Ordinarily, when you join a UNIX computer to a domain, you must perform a certain amount of configuration in Centrify DirectControl, such as defining a zone, adding Active Directory users and groups to the zone, and enabling group policies. Auto Zone greatly simplifies the process of joining a domain. Auto Zone is essentially one super zone for the forest. With Auto Zone, the UNIX attributes that are normally defined in the zone a computer is joined to are derived instead from user attributes in Active Directory or from DirectControl configuration parameters. By default, when you join a domain by connecting to Auto Zone, all users and groups defined in Active Directory for the forest automatically become valid users and groups on the UNIX computer. In addition, all Active Directory users defined in a forest that has a two-way, cross-forest trust relationship with the forest of the joined domain are also valid users for the UNIX computer. Because every user in the forest and in trusted forests can then log on to every computer joined to Auto Zone, treat the access-control parameters as required rather than optional: you can still restrict access to a computer by setting parameters such as pam.deny.users and pam.deny.groups in the Centrify DirectControl configuration file. See the Centrify DirectControl Configuration Parameters Reference Guide.
Note

Although certain group policies are provided to simplify Auto Zone configuration, using Auto Zone does not require enabling any group policies. In fact, you can join a domain by connecting to Auto Zone without installing the Centrify DirectControl Console on any machine in the forest. However, any group policies that are defined in the domain are enforced on machines joined to Auto Zone.


Joining a domain by connecting to Auto Zone


To join a domain by connecting to Auto Zone, use the adjoin command line tool with the --workstation option; for example:
adjoin acme.com --workstation

If you then run the adinfo command, its output shows that you are connected to Auto Zone:
adinfo
Local host name:   rh4
Joined to domain:  acme.com
Joined as:         rh4.acme.com
Pre-win2K name:    rh4
Current DC:        win2k1.acme.com
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2009-09-30 18:08:34 PDT
CentrifyDC mode:   connected
Licensed Features: Enabled

The DirectControl Console also shows all machines connected through Auto Zone under the Zones/Auto Zones node.


Chapter 5

Managing computers
This chapter describes how to add UNIX computers to Active Directory domains, manage computer account properties, and leave the domain. The following topics are covered: Understanding the join operation Deciding who can join computers to the domain Precreating computer accounts Joining a domain interactively or using a script Allowing password resets for computer accounts Designating a computer as a NIS server Changing the zone for the computer Changing the domain for a computer Leaving a domain Customizing configuration settings for a computer Running reports for computers

Understanding the join operation


To begin authenticating users and authorizing access to UNIX resources through Active Directory, UNIX computers must be added to the appropriate Active Directory domains in the Active Directory forest. You do this by using the Centrify DirectControl adjoin command. When you run adjoin, the program locates the appropriate domain controller for the domain you specify and contacts Active Directory to add the computer to the domain. By default, the domain controller to contact is determined by the Active Directory site topology or the master domain controller specified for the zone you are joining. If the preferred domain controller is not available, Centrify DirectControl attempts to connect to the next domain controller. If no domain controller can be contacted or the connection takes too long to complete, the join operation fails.

If the adjoin program can successfully contact Active Directory, it performs a series of key tasks. When you join the domain, the program does the following:
- Synchronizes the local computer's time with Active Directory to ensure the timestamps of Kerberos tickets are accepted for authentication.
- Checks whether a computer account already exists for the local computer in Active Directory, and creates a new Active Directory computer account for the local computer if needed.
- Updates the Kerberos service principal names used by the host computer, generating a new Kerberos configuration file and krb5.keytab entries, and generating new service keys for the host and http services.
- Sets the password on the Active Directory computer account to a randomly generated password. The password is encrypted and stored locally on the UNIX host so that Centrify DirectControl alone has control of the account. The keytab and this stored password are the computer's domain credentials; keep them readable by root only.
- Starts the Centrify DirectControl agent, adclient.

Once a computer joins the domain, you can use the Centrify DirectControl Administrator Console or Active Directory Users and Computers to manage its properties. By default, the computer functions exactly as it did before joining the domain, allowing local user accounts to log in and existing programs and applications to work as they did previously, but you have greater control and flexibility to manage access through Active Directory. You can further customize authentication, for example to allow, ignore, or deny individual users or groups permission to access a computer, through the Centrify DirectControl Login Settings group policies or by manually modifying the Centrify DirectControl configuration file, centrifydc.conf, on any Centrify DirectControl managed system.

By default, the password on the computer account is replaced with a new, randomly generated password every seven days. You can customize how frequently the password for the account is changed through the Centrify DirectControl Password change interval group policy or by modifying the Centrify DirectControl configuration file, centrifydc.conf, on any Centrify DirectControl managed system. For more information about using group policies to customize computer settings, see the Group Policy Guide. For more information about customizing configuration parameters in the configuration file, see the Configuration Parameters Reference Guide.
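The join operation leaves evidence you can check without touching Active Directory: the adinfo output shown under Joining a domain by connecting to Auto Zone (domain, zone, agent mode and the time the computer-account password was last set) and the krb5.keytab entries for the host and http services that the list above says adjoin generates. The block below is an added example, not Centrify code: it parses the Label: value lines of adinfo as shown in that section and the listing produced by the standard MIT Kerberos command klist -kt (the keytab path /etc/krb5.keytab and the exact klist layout are assumptions), then applies the checks a practitioner wants after a join or in a scheduled health check, including the seven-day password rotation the text describes. Both inputs are constructed samples.

```python
"""Added example (not Centrify code): verify a DirectControl join from the
text output of adinfo and 'klist -kt'. Both samples below are constructed;
the keytab path and klist layout are assumptions about a typical host."""
import re
from datetime import datetime, timedelta

ADINFO_SAMPLE = """\
Local host name:   rh4
Joined to domain:  acme.com
Joined as:         rh4.acme.com
Pre-win2K name:    rh4
Current DC:        win2k1.acme.com
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2009-09-30 18:08:34 PDT
CentrifyDC mode:   connected
Licensed Features: Enabled
"""

KLIST_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------------
   2 09/30/09 18:08:34 host/rh4.acme.com@ACME.COM
   2 09/30/09 18:08:34 host/rh4@ACME.COM
   2 09/30/09 18:08:34 http/rh4.acme.com@ACME.COM
   2 09/30/09 18:08:34 RH4$@ACME.COM
"""


def parse_adinfo(text):
    """Map each 'Label: value' line to a dict entry. Split on the first colon
    only, so values that contain colons (timestamps) survive intact."""
    info = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            info[label.strip()] = value.strip()
    return info


def parse_keytab_principals(text):
    """Collect principal names from a 'klist -kt' listing, skipping header rows."""
    entry = re.compile(r"\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
    principals = set()
    for line in text.splitlines():
        match = entry.match(line)
        if match:
            principals.add(match.group(1))
    return principals


def check_join(adinfo_text, klist_text, expected_domain, expected_zone, now,
               max_password_age_days=7):
    """Return a list of problems; an empty list means the join looks healthy.
    'now' is a 'YYYY-MM-DD HH:MM:SS' string in the same local time as adinfo."""
    info = parse_adinfo(adinfo_text)
    principals = parse_keytab_principals(klist_text)
    problems = []
    if info.get("Joined to domain", "").lower() != expected_domain.lower():
        problems.append(f"joined to {info.get('Joined to domain')!r}, expected {expected_domain}")
    if info.get("Zone") != expected_zone:
        problems.append(f"zone is {info.get('Zone')!r}, expected {expected_zone}")
    if info.get("CentrifyDC mode") != "connected":
        problems.append(f"adclient mode is {info.get('CentrifyDC mode')!r}, not connected")
    # adjoin registers service keys for host and http under the joined FQDN.
    realm = expected_domain.upper()
    for service in ("host", "http"):
        spn = f"{service}/{info.get('Joined as', '')}@{realm}"
        if spn not in principals:
            problems.append(f"keytab lacks {spn}")
    # The computer-account password is rotated every seven days by default;
    # an older timestamp means the agent has not been able to rotate it.
    stamp = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", info.get("Last password set", ""))
    if not stamp:
        problems.append("cannot read Last password set")
    else:
        age = (datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
               - datetime.strptime(stamp.group(0), "%Y-%m-%d %H:%M:%S"))
        if age > timedelta(days=max_password_age_days):
            problems.append(f"computer account password is {age.days} days old; "
                            f"rotation every {max_password_age_days} days expected")
    return problems


if __name__ == "__main__":
    for problem in check_join(ADINFO_SAMPLE, KLIST_SAMPLE, "acme.com", "Auto Zone",
                              "2009-10-03 12:00:00"):
        print(problem)
```

On a real host you would feed it the captured output of adinfo and klist -kt and the current time; a non-empty list is the signal to look at the agent before users start failing Kerberos authentication. The stale-password check is the one that catches a host whose adclient has been disconnected for a long time, which adinfo alone reports only as the current mode.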

Deciding who can join computers to the domain


Active Directory provides various mechanisms for controlling who is allowed to join computers to the domain. There are two basic scenarios:
- Any user with a valid domain account can add a computer to the domain. This is the default configuration for Windows: the domain's ms-DS-MachineAccountQuota attribute permits any successfully authenticated user to add as many as ten computers to the domain. Many enterprises leave their domains set up this way so that administrative access is not required for a computer to join the domain. Bear in mind that every computer account created this way holds domain credentials and is trusted as a domain member, so the quota is a security setting and not only a convenience.
- Permission to add a computer to the domain is restricted to a set of privileged users. When permission to add a computer to the domain is restricted, a user adding the computer must log in with an account that has the appropriate administrative rights and provide a password. If your organization restricts who can add computers to the domain, joining the domain might require explicit permission. For example, joining the domain might be restricted to domain administrator accounts or delegated within organizational units to specifically designated users or groups.
Because who can join a domain depends on your organization's policies and is enforced through Active Directory, Centrify DirectControl applies the same rules for UNIX computers joining the domain as have been defined in Active Directory for adding Windows computers to the domain. For example:
- If any user with a valid domain account can add a Windows computer, adding a UNIX computer does not require an administrative user account and password.
- If only administrative or delegated users are allowed to add computers, the user adding the UNIX computer must supply a valid administrative or delegated user name and password.

Precreating computer accounts


If joining the domain is restricted to privileged users, you may want to precreate computer accounts for your UNIX computers before they join the domain. By creating the computer account before joining the domain, you can:
- Specify a particular user or group with permission to join the computer to the domain, so that users can add their own workstations to the domain without any special rights or permissions.
- Create the organizational structure you want to use for UNIX computers in Active Directory, minimizing the need to move the computer account after joining the domain.
- Set other properties for the computer account, such as the delegation properties for the computer account, so that when the computer joins the domain it is configured appropriately without requiring you to perform additional steps.

You can use Active Directory Users and Computers, the Centrify DirectControl Administrator Console, or the Centrify DirectControl Web Console to precreate computer accounts. If you use Active Directory Users and Computers to create the account, however, you need to modify the permissions for the account as described in Allowing password resets for computer accounts on page 91 before joining the domain. To precreate a computer account using the Centrify DirectControl Administrator Console:
1 Click Start > All Programs > Centrify > Centrify DirectControl to start the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones to display the list of zones, then select the specific zone to which you want to add the computer account.
3 Select Computers, right-click, then click Precreate Computer.
4 At the Welcome page, click Next.
5 Select Create new computer object to create a new computer account in the domain, then click Next. If the computer account already exists in the same domain or a different domain, but you want to add a zone profile and delegate the user or group who can join the computer to the domain, click Select existing computer object, then click Browse to search for the existing computer object. After selecting an existing computer account, click Next to continue to Step 7 to select the user or group that should be allowed to join the computer to the domain.


6 Type the computer name to use for the new computer account and specify a location for the computer account object in Active Directory, then click Next. For example:
Computer name: Type the host name to use for the computer account in Active Directory.
Domain: Verify the domain name displayed is the appropriate domain for the computer account to join. Click Browse to navigate to a different Active Directory domain.
DNS name: Verify the DNS name for the computer account. You can modify the DNS name for the computer, if needed. For example, if computer names in DNS use a different suffix than the Active Directory domain, you may need to modify the default value displayed.
Create the computer object in the container: Specify the parent container for the new computer account in Active Directory. In most cases, you should use the default parent container object:
domain_name/Computers
Click Change to navigate to a different container object for the computer account.


7 Select whether you want to allow a specific user or group to join the computer to the domain or whether you want to use the precreated computer object's account and password to join the domain. For example, select Allow this user, group, or computer to join the computer to the zone if you want to delegate the permission to join the domain to a specific user, group, or computer account. If you select this option, you can click Next to give the permission to the default Domain Admins group, or click Browse to search for another user or group that you want to give permission to join the computer to the domain.
If you don't want to designate a specific user or group to join the domain, select Allow the computer to join itself to the zone. This option generates an automatic password reset on the computer account that allows the precreated computer's account and password to be used to perform a self-service join. This option is useful when you want to automate the join operation so that a user name and password are not required, or when you want to restrict the number of Active Directory users who have permission to join the domain.
8 Review your configuration settings, then click Next.


9 Review the confirmation of the operation performed, then click Finish. The computer account is created in Active Directory and a zone profile for the computer is added to the Centrify DirectControl Administrator Console in the zone's Computers container. The user or group you have designated as the trustee can now join this computer to the domain using the --selfserve command line option.

Joining a domain interactively or using a script


As described in Understanding the join operation on page 83, you join a computer to the domain by running the adjoin command directly on a computer. You run this command once for each UNIX computer you want to add to a domain in the forest. In most cases, the administrator or a designated user runs the command interactively at the command line, but the command can be included in a script to automate joining a domain. Whether you join the domain interactively from the command line or using a script, there are several arguments you can use to specify information such as the zone the computer should be part of, a user name and password for an account with permission to join the domain, or the Organizational Unit you want to place the computer in. For example, the following command connects to Active Directory as the user shea@acme.com to add the local computer to the LinuxDev zone and the sales.acme.com domain:
adjoin --user shea@acme.com --zone LinuxDev sales.acme.com

The adjoin program then prompts for the Active Directory password for the shea@acme.com account:
Active Directory password: xxx

In this example, the user shea is a member of the acme.com domain rather than the sales.acme.com domain this computer is joining. Therefore, the user account must be specified in the user_name@domain_name format. In addition, this example places the local UNIX computer account in a specific, previously-created Centrify DirectControl zone called LinuxDev. This is the most common format for the adjoin command line.

If the computer has a precreated computer account in Active Directory, you can run a command similar to the following to join the domain:
adjoin --selfserve domain

For example:
adjoin --selfserve cendura.org

Although you can specify the password for an account as part of the adjoin command line using the --password option, in most cases, you should avoid including it for security reasons. If you are using adjoin in a script, however, you may need to include the --password option or provide another mechanism for inputting a valid password. For more information about using the adjoin command line options, see Appendix A, Using Centrify DirectControl UNIX commands. If the adclient process is able to connect to Active Directory and the join is successful, a confirmation message is displayed. If the connection to Active Directory fails, a warning message is displayed and the join operation fails. If you did not pre-configure a computer account for the local computer in another container, the join operation adds a new computer account to Active Directory in the domain_name/Computers container.

Allowing password resets for computer accounts


By default, most computer accounts do not have permission to reset their own account password. This prevents the delegation of administrative rights for the computer to the local computer account. If you want to give a computer account administrative rights in a zone, you need to modify the computer account to allow password resets. In addition, allowing a computer account to update its own properties enables Centrify DirectControl to display the agent version and maintain operating system information for the computer account.
Note
You can assign the self-maintenance permissions for computers by default if you select the Grant computer accounts in the Computers container permission to update their own account information option in the Setup Wizard or if you precreate the computer account with the Precreate Computer Wizard and select the Allow the computer to join itself to the zone option. If you did not select either of those options, however, you can selectively grant this permission on individual computer objects, as needed.

Checking for the appropriate permissions


To check whether a computer account allows password resets, you need to view the permission settings for the account. To check and modify the permissions for a computer account:
1 Open Active Directory Users and Computers, expand the domain, and select Computers to find the computer account to which you want to assign administrative rights.
2 Select the computer account, right-click, then select Properties.
3 Click the Security tab, scroll down the list of group or user names and select SELF.
4 In the list of Permissions for SELF, scroll to the Reset Password permission, click Allow, then click OK.
5 Select the computer account, right-click and select Reset Account, then click Yes. When the account is reset, click OK.


Assigning administrative rights to computer accounts


To give administrative rights to the computer account:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones, then select and expand the zone you are interested in, for example, open the default zone.
3 Right-click, then click Delegate Zone Control.
4 At the Welcome page, click Next.
5 Click Add, select Group from the Find list, then click Find Now.
6 In the results, select Domain Computers, click OK, then click Next.
7 Click Add Computers to Zone and optionally, Remove Computers from Zone, then click Next.
Note
In most cases, these are the only administrative tasks you should assign to the computer account. You can, however, give the account additional rights, if needed. For information about the permissions associated with each delegated task, see the Planning and Deployment Guide.
8 Click Finish.

Joining the domain using the computer account


On the computer to which you have given administrative rights, run the adjoin command and set the user name parameter to the computer name with a dollar sign ($) appended and the password to the computer name.
adjoin domain --user computername$ --password computername

For example, if the computer name is valencia and the Active Directory domain is arcade.com, you would run a command similar to the following:
adjoin arcade.com --user valencia$ --password valencia

Designating a computer as a NIS server


If you are using one or more Centrify DirectControl-managed computers as a NIS server to provide agentless authentication to NIS client requests or to publish NIS network maps, you can identify those computers in the Centrify DirectControl Administrator Console. To identify a computer that services NIS client requests in a zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones, then open the zone where the computer account is located.
3 Click Computers to display the list of computers in the details pane.
4 Select the computer that you want to modify, then click Properties.
5 Click the Centrify Profile tab.
6 Check the Allow this computer to authenticate NIS users option, then click OK.


By default, this setting adds the computer account as a member attribute of the domain/Program Data/Centrify/Zones/ZoneName/Computers/zone_nis_servers object. The zone_nis_servers object is a global Active Directory group. It can be converted to a universal group, if needed. For example, if you add a computer that is joined to a different domain than the other computers in the group, you are prompted to change the group type to universal.
Note
The Centrify DirectControl Network Information Service, adnisd, must be running on the designated computer for the computer to service NIS client requests. If the adnisd process is running and receives a request, it will respond to the request with information from the current zone.

Changing the zone for the computer


If you don't specify the zone when you join the domain, or connect to Auto Zone, the computer is added to the default zone created in the Setup Wizard when you start the Centrify DirectControl Administrator Console for the first time. Over time, you may want to migrate computer accounts from one zone to another. You can change the zone information for a computer at any time, if needed. To change the zone for a computer:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones, then open the zone where the computer account is located.
3 Click Computers to display the list of computers in the details pane.
4 Select the computer that you want to modify, then click Properties.
5 Click the Centrify Profile tab.


6 Click Browse and type all or part of the zone name, then click Find Now.
7 Select the new zone from the list of results, then click OK.
After you change the zone in the Centrify DirectControl Administrator Console, you must restart the Centrify DirectControl Agent on the UNIX computer. For example, on the computer where you have changed the zone, run the following command:
/etc/init.d/centrifydc restart
Alternatively, you can choose to restart the UNIX computer, which restarts all services.
8 Click Yes to acknowledge the need to restart the Centrify DirectControl Agent on the UNIX computer for the zone information to be updated.

Changing the domain for a computer


Once a computer joins a domain, you must leave that domain by using the adleave command before you can join a new domain. To change the domain for a computer:
1 Log in as or switch to the root user. For example:
su -
2 Run adleave to remove the computer account from the old domain. This command disables the computer account in Active Directory but does not delete the computer account. For example, to leave the current domain using the default Administrator user account and password:
adleave
3 Type the Active Directory password for the user account you specified or the Administrator account. If the adclient daemon is able to connect to Active Directory and the leave operation is successful, a confirmation message is displayed.
4 Run adjoin to join a different Active Directory domain. For example:
adjoin --user gharris operations.acme.com
In this example, the user gharris is a member of the operations.acme.com domain that this computer is joining.
5 Type the Active Directory password for the user account you specified. For more information about using the adjoin and adleave commands, see Appendix A, Using Centrify DirectControl UNIX commands.

Leaving a domain
You can remove a computer from a domain at any time by using the adleave command. Leaving the domain removes the UNIX computer from its current Active Directory domain and reverts any computer settings that were changed by the adjoin command to their pre-adjoin condition. This includes reverting PAM, NSS, and Kerberos configuration files to their pre-adjoin states and deleting the /etc/krb5.keytab file. You must leave the domain before you can move a computer account to a new domain or remove Centrify DirectControl from a UNIX computer.
Note
Although the adleave command removes the UNIX computer from its current domain, it does not delete the computer account from Active Directory. If you want to completely remove any record of the computer from Active Directory, you must delete the computer object in Active Directory Users and Computers.

To remove a computer from its current domain:


1 Log in as or switch to the root user. For example:
su -
2 Run adleave to remove the computer account from the old domain. For example, to leave the current domain using the user account and password raj@acme.com:
adleave --user raj@acme.com
3 Type the Active Directory password for the user account you specified. If the adclient daemon is able to connect to Active Directory and the leave operation is successful, a confirmation message is displayed and the Centrify DirectControl Agent is stopped.

Customizing configuration settings for a computer


You can configure many aspects of the environment for individual computers by applying a Group Policy Object to a site, domain, or organizational unit that includes Centrify DirectControl-managed computers and enabling Centrify DirectControl group policies. For example, you can use policies to customize PAM operations, the length of time to wait for connections between the Centrify DirectControl agent and Active Directory, or how frequently to change the computer account password. For information about the group policies available and how to enable them, see the Group Policy Guide. If you are not deploying Centrify DirectControl group policies, you can also customize the configuration settings in any computer's local Centrify DirectControl configuration file. For more information about setting the parameters in the Centrify DirectControl configuration file, see the Configuration Parameter Reference Guide.


Running reports for computers


To view information about computer accounts, you can run the following default report definitions or create your own custom reports:
- The Computer Access Report lists which users are allowed to access each computer. The report includes details from the user's UNIX profile for each user listed, including the user's Active Directory user name, UNIX user name, zone, UID, shell, home directory and primary group.
- A report that lists the administrative tasks for each zone and the users or groups that have been delegated to perform each task.
- The Computers Report lists computer account information for each computer in each zone, including the computer account name in Active Directory, the computer's DNS name, the computer's operating system, and the version of the Centrify DirectControl Agent installed on the computer, if available.
- The License Detail Report lists the specific computers licensed as UNIX workstations and application servers.
For more information about generating and working with reports, see Generating predefined and custom reports on page 231.


Chapter 6

Importing existing users and groups


This chapter describes how to import users and groups from an existing identity store and map those users and groups to Active Directory users and groups with the Centrify DirectControl Administrator Console. If you are not importing existing users and groups from local configuration files, such as /etc/passwd and /etc/group, or existing NIS domains, you can skip this chapter. The following topics are covered:
- Determining the source for existing user information
- Preparing to import users and groups
- Using the Import from UNIX wizard
- Checking for conflicts and matching candidates
- Mapping UNIX profiles to Active Directory accounts
- Resolving conflicts for pending users and groups
- Resolving other issues for pending users and groups
- Making imported information available to NIS clients

Determining the source for existing user information


In many cases, you may already have UNIX account information defined in local configuration files (such as /etc/passwd and /etc/group) or in a networked identity store, such as NIS, NIS+, or LDAP, or in both. If you do, you can import that information and map it to Active Directory users and groups. To prepare for migration, you first need to determine where each computer gets its user information. You also need to analyze the existing information to determine if there are any conflicts and how the existing user population should be mapped into zones. Once you have collected the appropriate information and determined your zone requirements, you can import the existing information into Active Directory and the appropriate zones using the Centrify DirectControl Administrator Console and the Import from Unix wizard. The next sections describe the steps for importing users and groups from an existing identity store into a zone.
Note
For more detailed information about planning the migration of an existing user population, including how to analyze and consolidate existing information before importing, see the Planning and Deployment Guide.

Preparing to import users and groups


With the Import from UNIX wizard, you can import directly from NIS servers and domains or from properly-formatted text files, such as local /etc/passwd and /etc/group files or files generated using the getent passwd and getent group commands. Each identity store may require its own zone, at least during initial deployment, and, therefore, is imported separately. To prepare for an import:
- Identify each source of user information and analyze the information to determine your zone requirements.
- Run getent passwd, getent group, or niscat commands to export user information and save it in properly-formatted text files. These commands enable you to import user information from multiple identity stores, for example, both local files and NIS domains, or from a source that cannot be imported directly, such as NIS+ servers and domains.
- Verify that you can access NIS servers and domains from the Windows network if you want to import information directly from NIS maps rather than export the information to a text file.
- Verify that you can access individual /etc/group and /etc/passwd files from the Windows network if you want to import information directly from individual /etc/group and /etc/passwd files.
- Copy any text files from which you want to import information to a file share on the Windows network.
- Review the /etc/passwd, /etc/group, or text files you generated to remove account entries that don't need to be mapped to Active Directory accounts. You can automatically exclude system accounts with UID or GID values from 0 to 99 during the import process, but may want to remove other accounts prior to the import. You may also want to review the remaining entries to determine whether the entries map to existing Active Directory accounts or require new Active Directory objects.

Using the Import from UNIX wizard


To import user and group information from local /etc/group and /etc/passwd files or data exported from another identity store to a properly-formatted text file:
1 Open Centrify DirectControl Administrator Console.
2 In the console tree, open Zones.
3 Select the zone into which you want to import users and groups, right-click, then click Import from Unix. For example, select the default zone.
4 Select Unix configuration files and click Browse to locate the passwd and group files to import, then click Next.


You can use this option to import any properly-formatted text file, including those generated by running getent passwd and getent group or similar commands. The text files can be named with any file names you choose, but must be in the proper format for /etc/group and /etc/passwd files for fields to be imported correctly. Although the files can be imported independently, Centrify recommends you import both files at the same time. If you want to import information directly from NIS, you can select Network Information Service (NIS), and type the name of the NIS domain and NIS server from which you want to import information, then click Next. The NIS domain and server must be accessible from the Windows network for information to be imported successfully.


5 Select the import options you want to use, then click Next. For example:
Include system accounts: Import all accounts from the data source including accounts with UID or GID values from 0 to 99. By default, DirectControl ignores accounts with UID or GID values from 0 to 99 during the import process. On most systems, UIDs and GIDs in this range are reserved for system or application accounts, such as root, tty, and ftp, which typically do not need to be imported and managed through Active Directory. If you select the Include system accounts option, these accounts will be included in the list of Pending Import Groups and Pending Import Users. You can then choose to map the accounts to Active Directory or remove them.
Note
There can be other system accounts with UID or GID values greater than 100. By default, DirectControl can only automatically filter the accounts with UID or GID values less than 100. Even if you choose to allow automatic filtering, you may need to remove additional system accounts from the Pending Import list.
Automatically shorten the Unix name to 8 characters: Limit UNIX user and group names to a maximum of 8 characters. By default, DirectControl imports user and group names as they are defined in the data source. In some operating environments, however, user and group names cannot be longer than 8 characters. If you have an environment that does not support user and group names longer than 8 characters, you can select Automatically shorten the Unix name to 8 characters to automatically remove any extra characters in the name during the import process.

6 Select a location for storing pending import data, then click Next. For example, to store pending data for the current zone in an XML file, select Store in XML file and specify the location for the file. If the file does not already exist in the default location, you are prompted to create it. To select another location for the XML file, click Browse.
7 Review the summary of information to be imported, and check the Check data conflicts while importing option if you want to check for conflicts and potential matching candidates during the import process, then click Finish.
Note
If you select the Check data conflicts while importing option in the Import from Unix wizard, the import process may take some time to complete if you have a large number of users or groups. If you don't check this option, you must check the status of users or groups before you can map them to users and groups in Active Directory.

When you click Finish to close the Import from Unix wizard, all of the user and group information to be imported is placed in Active Directory or in an XML file as Pending Import. You can then decide how each user and group should be mapped to accounts in Active Directory.

Checking for conflicts and matching candidates


The process of moving information from Pending Import to UNIX profiles in Active Directory is a manual one. It requires you to review each group and user object and determine how it should be handled. To move a user or group from Pending Import to a UNIX profile attached to an Active Directory user or group account, you must first check for potential conflicts and for potential matching user or group candidates in Active Directory. After this initial check, you need to resolve any conflicts and determine the Active Directory group or user each pending group or user should be mapped to. To check the status of pending information:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information. For example, if you imported information for the default zone, open that zone, then expand the Groups or Users node.
2 Click Pending Import to display the list of users or groups to be imported. If you selected the Check data conflicts while importing option in the Import from Unix wizard, the initial check is performed during the import process and each group and user displays the result of the initial check.


If the status is displayed, you can skip the next step and begin resolving conflicts and mapping the UNIX groups and users to Active Directory accounts. If you did not select the Check data conflicts while importing option in the Import from Unix wizard, Pending Import groups and users do not display any status; an icon indicates that you need to check for conflicts and potential matching candidates in Active Directory. If the current status is not displayed for the groups and users to be imported, you must check the status before continuing.
3 Select a user or group in the Pending Import list, right-click, then click Check status to check Active Directory for conflicts between the selected user or group and information already stored in Active Directory and to look for a potential candidate to map the selected user or group to. When you select a Pending Import group and click Check status, Centrify DirectControl checks for an Active Directory group with a common name (CN) or samAccountName that is the same as the pending group's name. If there is a match, Centrify DirectControl displays that Active Directory group as the default candidate for mapping the pending group to an Active Directory group. When you select a Pending Import user and click Check status, Centrify DirectControl checks for an Active Directory user with a common name (CN) that is the same as the pending user's GECOS field, or with a samAccountName that is the same as the pending user's UNIX user name. If there is a match, Centrify DirectControl displays that Active Directory user account as the default candidate for mapping the pending user to an Active Directory user.

For example, after you check the status for a group, the icon displayed changes, the Status field indicates the results of the check and any potential issues you need to resolve, and the potential Active Directory group it matches is displayed. Error, warning, or information icons indicate whether you have checked the status of the group or user.
Note
You can check the status of more than one user or group at a time, but it is best to work with subsets of users and groups to reduce the impact on performance and improve the manageability of the import process.
When you check the status of a pending group or user, Centrify DirectControl checks Active Directory for an account that is a potential match:
- If a potential matching candidate is found in Active Directory, the status for the pending group or user indicates that the UNIX profile is Ready to import.
- If Centrify DirectControl can't identify a potential candidate in Active Directory or there are other issues, the status for the pending group or user displays a warning, such as No import candidate found.
- If a pending group or user cannot be imported because of a conflict, the status for the pending group or user describes the type of error encountered.
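As an added example (not Centrify code), the following Python script runs the checks described in Preparing to import users and groups, the Include system accounts and Automatically shorten the Unix name options of the wizard, and the Check status candidate rule above against constructed passwd, group and Active Directory sample data, so you can preview the Pending Import picture before running the wizard. It uses only the cn and sAMAccountName attributes the text names; judging users by UID and groups by GID, and comparing names case-insensitively, are assumptions made here.

```python
"""Pre-import review of passwd and group data, added example (not Centrify code).

Reproduces checks this chapter describes: skipping UID/GID 0-99 system
accounts, shortening names to 8 characters and flagging the collisions
truncation causes, and the Check status candidate rule (group: cn or
sAMAccountName equals the group name; user: cn equals the GECOS field or
sAMAccountName equals the UNIX user name).
"""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")
GroupEntry = namedtuple("GroupEntry", "name gid members")
SYSTEM_ID_MAX = 99   # UID/GID 0-99 are skipped by default during import
MAX_SHORT_NAME = 8   # limit applied by the shorten-name option

def _records(text, nfields):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError("malformed line: %r" % line)
        yield fields

def parse_passwd(text):
    """name:x:uid:gid:gecos:home:shell"""
    return [PasswdEntry(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6])
            for f in _records(text, 7)]

def parse_group(text):
    """name:x:gid:member1,member2"""
    return [GroupEntry(f[0], int(f[2]), [m for m in f[3].split(",") if m])
            for f in _records(text, 4)]

def is_system_account(entry):
    """Users are judged by UID, groups by GID (an assumption made here)."""
    ident = entry.uid if isinstance(entry, PasswdEntry) else entry.gid
    return ident <= SYSTEM_ID_MAX

def shorten_names(names):
    """Truncate names to 8 characters. Returns (name -> short, collisions),
    a collision being two source names that truncate to the same short name."""
    mapping, owner, collisions = {}, {}, []
    for name in names:
        short = name[:MAX_SHORT_NAME]
        mapping[name] = short
        if owner.setdefault(short, name) != name:
            collisions.append((owner[short], name, short))
    return mapping, collisions

def _same(a, b):
    return a.lower() == b.lower()   # AD lookups are case-insensitive (assumption)

def find_group_candidate(group, ad_groups):
    """Default candidate: AD group whose cn or sAMAccountName is the group name."""
    for g in ad_groups:
        if _same(group.name, g["cn"]) or _same(group.name, g["sAMAccountName"]):
            return g
    return None

def find_user_candidate(user, ad_users):
    """Default candidate: AD user whose cn is the GECOS field or whose
    sAMAccountName is the UNIX user name."""
    for u in ad_users:
        if _same(user.gecos, u["cn"]) or _same(user.name, u["sAMAccountName"]):
            return u
    return None

def review(passwd_text, group_text, ad_users, ad_groups,
           include_system=False, shorten=True):
    """Candidate sAMAccountName per pending user/group (None means 'No import
    candidate found') plus the short-name collisions the wizard would create."""
    keep = lambda e: include_system or not is_system_account(e)
    users = [u for u in parse_passwd(passwd_text) if keep(u)]
    groups = [g for g in parse_group(group_text) if keep(g)]
    report = {"users": {}, "groups": {}, "user_collisions": [], "group_collisions": []}
    if shorten:
        report["user_collisions"] = shorten_names([u.name for u in users])[1]
        report["group_collisions"] = shorten_names([g.name for g in groups])[1]
    for u in users:
        cand = find_user_candidate(u, ad_users)
        report["users"][u.name] = cand["sAMAccountName"] if cand else None
    for g in groups:
        cand = find_group_candidate(g, ad_groups)
        report["groups"][g.name] = cand["sAMAccountName"] if cand else None
    return report

# Constructed sample input, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
shea:x:1001:1001:Shea Adams:/home/shea:/bin/bash
gharris:x:1002:1001:George Harris:/home/gharris:/bin/bash
rajagopalan:x:1003:1002:Raj Agopalan:/home/rajagopalan:/bin/bash
rajagopal:x:1004:1002:Raj Gopal:/home/rajagopal:/bin/bash
"""
SAMPLE_GROUP = "root:x:0:\nusers:x:100:shea,gharris\nlinuxdev:x:1001:shea,gharris\nops:x:1002:rajagopalan,rajagopal\n"
# Constructed AD entries; cn and sAMAccountName are the attributes Check status compares.
SAMPLE_AD_USERS = [{"cn": "Shea Adams", "sAMAccountName": "sadams"},
                   {"cn": "G. Harris", "sAMAccountName": "gharris"}]
SAMPLE_AD_GROUPS = [{"cn": "LinuxDev", "sAMAccountName": "LinuxDev"}]
```

Running review() on the sample data keeps the users group (GID 100 is outside the 0-99 filter), maps shea by GECOS and gharris by sAMAccountName, and reports that rajagopalan and rajagopal would both be shortened to rajagopa.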


Mapping UNIX profiles to Active Directory accounts


After you check the status of a pending group or user, you can choose the appropriate action to take to map the pending group or user to an Active Directory group or user. The actions you can take depend on the object you select and its current state. For example, if you select a pending group, you can choose to:
- Accept the default Active Directory candidate for the selected group if a candidate is identified.
- Create a new Active Directory group and attach the selected UNIX group profile to it.
- Extend an existing Active Directory group to include the selected UNIX group profile.
- Merge the members of the selected UNIX group with an existing UNIX group in Active Directory.
- Delete the selected UNIX group.
- View and modify the properties of the selected UNIX group.
Note
You should map pending group profiles to Active Directory groups before mapping pending user profiles to Active Directory users to ensure the necessary groups are available for Pending Import users.

Accepting the Active Directory candidate


If Centrify DirectControl found a potential match for the group or user in Active Directory, it displays the matching candidate in the details pane. If the matching candidate is the appropriate group or user to map the pending group or user to, you can accept the suggested candidate. To accept the Active Directory group or user candidate suggested by Centrify DirectControl:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Accept.

After you accept the Active Directory candidate for a pending group or user, the group or user is removed from the Pending Import list.
Accepting pending group members

If you accept the default Active Directory candidate for a pending import group, all of the pending members that have an Active Directory candidate associated with them are also imported and added as members of the Active Directory group. If any of the group's members fail to be imported, the status of the pending import group is changed to Imported, but the group remains in the Pending Import list until the remaining members can be successfully imported.
Modifying pending group members

You can modify the members of a group while it is in a Pending Import or Imported state by selecting the group and viewing its properties. From the Properties dialog box, you can add or remove members of the group or find and assign the Active Directory user each member of the group should be associated with.

Creating a new Active Directory account


If Centrify DirectControl did not find a potential match for the group or user in Active Directory, you may need to add a new Active Directory account for the pending group or user. To create a new Active Directory group or user object for the group or user you are importing:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Create new AD group or Create new AD user.


When you select this action, you are prompted to provide the additional information needed to create the group or user account. For example, if you are creating a new group account you are prompted to specify:
- Location of the container for the group.
- Active Directory name for the group.
- Pre-Windows group name.
- Scope of the group.
Similarly, if you are creating a new Active Directory user account you are prompted to specify:
- Location of the container for the user.
- Display name for the user.
- Initial password for the user.
- Windows logon name for the user.
5 Review your settings, then click Next.
6 Verify that the option to enable the UNIX profile for the group or user is checked, then click Finish to add the group or user and make the Centrify DirectControl UNIX profile available for the zone. For example:

Check this option to enable the UNIX profile


If you do not enable the group or user to use DirectControl when creating the account, the pending group or user remains in the Pending Import list with the new Active Directory group or user displayed as the default candidate for importing at a later time. If you choose to add the UNIX profile for the group or user later, you can do so by selecting the group or user in the Pending Import list and clicking Accept.

Adding a profile to an existing Active Directory account


If Centrify DirectControl did not find a potential match for the group or user in Active Directory but an appropriate Active Directory account exists, you need to select the Active Directory group or user account that should be extended to include the UNIX profile. To extend an existing Active Directory group or user object to include the UNIX profile you are importing:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Extend existing AD group or Extend existing AD users to add the selected profile to an existing Active Directory group or user.

Note If an Active Directory user has more than one UNIX profile in a zone, the user must log on to computers in the zone with the UNIX profile name he wants to use. Logging on with the Active Directory user login name (the user's samAccountName) may prevent the user from accessing some files because the account has multiple UNIX profiles associated with it.


5 Click Next if Centrify DirectControl displays the appropriate group or user to map the UNIX profile to, or click Find Now or Advanced Search to find the Active Directory group or user to which you want to add the UNIX profile.

Click Advanced Search to find an appropriate Active Directory group or user

Type a search string to locate the account, then click Find Now. Select the appropriate Active Directory group or user to which you want to add the UNIX profile, then click OK. Check the Active Directory group or user account displayed, then click Next.


6 Review how the pending group or user will be mapped to the Active Directory group or user, then click Next to import the information.
7 Click Finish to add the group or user and enable the Centrify DirectControl UNIX profile for the zone. If you do not enable the group or user to use DirectControl, the new Active Directory group or user becomes the default candidate for importing at a later time by clicking Accept.

Merging pending group members into an existing group


If Centrify DirectControl did not find a potential match for a Pending Import group in Active Directory, you may want to merge the members of the Pending Import group into a group that already has a UNIX profile in the zone. To add the members of a selected group to a UNIX group profile that already exists in the zone:
1 In the Centrify DirectControl Administrator Console, open Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of groups to be imported.
3 Select the group in the Pending Import list.
4 Right-click, then click Merge into existing Unix group.
5 Select the UNIX group to which you want to add members, then click Next.
6 Review your settings, then click Next.
7 Click Finish to update the UNIX profile for the zone.


Deleting a UNIX profile for a pending group or user


If there are no suitable candidates to map a UNIX profile to, you may want to remove a pending group or user from the Pending Import list. To remove a pending import group or user:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Delete.
5 Click Yes to confirm the deletion.

Viewing or modifying properties for a pending group or user


If there are conflicts between a pending UNIX profile and information in Active Directory, you may need to modify the properties associated with the pending group or user before you can take any other action. To display or modify the details about a pending group or user:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user in the Pending Import list.
4 Right-click, then click Properties.

If you select a pending group, the properties include the UNIX profile, the time of the import, the file location the information was imported from, the members of the group, and the status of the group. If you select a pending user, the properties include the UNIX profile, the time of the import, the file location the information was imported from, and the status of the user.

Resolving conflicts for pending users and groups


After you check Active Directory for potential conflicts and matching candidates, you may have several users and groups that indicate there are issues that need to be resolved before the user or group can be imported. There are several reasons why a pending user or group cannot be imported immediately. For example, pending groups cannot be imported if:
- The group's GID is negative.
- There is another UNIX group with the same GID already defined in the zone.
- There is a UNIX group with the same group name already defined in the zone.
- The matching Active Directory candidate already has a UNIX profile in the zone.
Similarly, pending users cannot be imported if:
- The user's UID is negative.
- The user's primary group GID is negative.
- There is a UNIX user with the same user name already defined in the zone.
- The user's primary group GID does not exist in the zone or is pending import as a private group.
These types of errors must be resolved before you can import the user or group. To resolve these issues, you can modify the properties for the pending user or group, modify the properties of the user or group profile that conflicts with the pending user or group, delete the pending user or group rather than import it, or remove the existing profile that conflicts with the pending user or group. For example, assume you are importing a passwd file that includes the UNIX user account pierre with the UID 1001, but there is already a UNIX profile in the zone with the UNIX name pierre and UID of 500. When you check the status for the pending user pierre, its status will indicate there is an error. To resolve a conflict that is preventing a group or user from being imported:
1 In the Centrify DirectControl Administrator Console, open Users or Groups under the zone where you imported user and group information.
2 Click Pending Import to display the list of users or groups to be imported.
3 Select the group or user, right-click, then click Properties.
4 Change the information for the pending group or user to eliminate the conflict, then click OK. For example, change the UNIX user name of the pending import user pierre to another name, such as pierre2:

5 Click Check status to check for any additional issues that may need to be resolved.

Once you have resolved any issues that prevent an account from being imported, you then need to determine an appropriate course of action. For example, you need to determine whether the conflicting pierre user accounts are used by the same person or refer to different users, so you can decide whether to remove one of the profiles from the zone or if a separate zone is needed.

Resolving other issues for pending users and groups


In addition to the errors that prevent a pending user or group from being imported, there are several conditions that generate a warning to indicate that there are issues you may want to resolve before importing. These issues do not prevent you from importing the user or group, but indicate potential problems that you should try to resolve before importing the pending user or group by taking an appropriate action.


When you check the status for a pending user, you may see a warning displayed if:
- No matching Active Directory candidate is found. To import the user, you need to identify or create an Active Directory user for the pending user.
- There is a password hash in the zone-specific attribute for the matching Active Directory user that is different from the password hash for the pending import user. If you accept the matching Active Directory candidate and import the pending user, the Active Directory user's password hash will be overwritten.
- There is another pending user with the same UID or the same UNIX user name. Before importing, you should resolve the UID or user name conflicts between the pending users.
- There is a UNIX user with the same UID already defined in the zone. Before importing, you should resolve the UID conflict between the existing UNIX profile and the pending user.
- The pending user belongs to groups that do not exist in the zone. Before importing, you should import all the pending groups the pending user is a member of.
- The matching Active Directory candidate already has a UNIX profile in the zone.
When you check status for a pending group, you may see a warning displayed if:
- No matching Active Directory candidate is found. To import the group, you need to identify or create an Active Directory group for the pending group.
- There is another pending group with the same GID or the same UNIX group name. Before importing, you should resolve the GID or group name conflicts between the pending groups.
- There is a UNIX group with the same GID already defined in the zone. Before importing, you should resolve the GID conflict between the existing UNIX profile and the pending group.
- The matching Active Directory candidate already has a UNIX profile in the zone.
In many cases, warnings do not require you to make changes to the properties of a pending user or group. For example, if a group displays the warning that no import candidate is found, it simply means that you need to decide on the appropriate action, such as creating a new Active Directory group or merging the pending group's members into the UNIX profile of another group. If you do need to make changes to a pending user or group to correct any of these potential problems, however, you should click Check status after the change to check for any additional issues that may need to be resolved.
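The error conditions listed under Resolving conflicts for pending users and groups and the warning conditions listed above can be checked in bulk before anything is mapped into a zone. The following Python script is an added example, not Centrify code: it models the zone's existing profiles, the matching candidates and the pending records as plain data structures and applies the guide's rules to them. The zone contents, candidate names (CN=Finance, CN=Anna and so on), password hashes and every pending record are constructed for the example; the guide's own pierre/UID 500 conflict is reproduced as one of them. Two points in the rules are assumptions of this script: where the guide lists a condition under both errors and warnings, it is treated as an error, and a pending group with no listed members whose name matches a pending user is taken to be that user's private group.

```python
"""Pre-import conflict checker for pending UNIX users and groups.

Added example, not Centrify code. It re-implements the error and warning
conditions the guide lists for the Pending Import list so a passwd/group
extract can be checked before it is mapped into a zone. All zone contents,
candidate matches and sample records are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PendingGroup:
    name: str
    gid: int
    members: list = field(default_factory=list)
    ad_candidate: Optional[str] = None        # matching AD group, if one was found


@dataclass
class PendingUser:
    name: str
    uid: int
    gid: int                                   # primary group GID
    groups: list = field(default_factory=list) # secondary UNIX group names
    ad_candidate: Optional[str] = None        # matching AD user, if one was found
    password_hash: Optional[str] = None


@dataclass
class Zone:
    """Constructed model of the profiles already defined in a zone."""
    users: dict             # UNIX user name -> UID
    groups: dict            # UNIX group name -> GID
    ad_with_profile: set    # AD accounts that already have a profile in this zone
    ad_password_hash: dict  # zone-specific password hash stored per AD user


def is_private_group(group, pending_users):
    # Assumption: no listed members and a name matching a pending user means
    # this is that user's private group (the convention the guide describes).
    return not group.members and any(u.name == group.name for u in pending_users)


def check_group(group, zone, pending_groups):
    errors, warnings = [], []
    if group.gid < 0:
        errors.append("GID is negative")
    if group.gid in zone.groups.values():
        errors.append(f"GID {group.gid} already defined in zone")
    if group.name in zone.groups:
        errors.append(f"group name {group.name!r} already defined in zone")
    if group.ad_candidate is None:
        warnings.append("no matching Active Directory candidate")
    elif group.ad_candidate in zone.ad_with_profile:
        errors.append(f"AD candidate {group.ad_candidate!r} already has a profile in zone")
    for other in pending_groups:
        if other is not group and (other.gid == group.gid or other.name == group.name):
            warnings.append(f"GID or name conflict with pending group {other.name!r}")
    return errors, warnings


def check_user(user, zone, pending_users, pending_groups):
    errors, warnings = [], []
    if user.uid < 0:
        errors.append("UID is negative")
    if user.gid < 0:
        errors.append("primary group GID is negative")
    elif user.gid not in zone.groups.values():
        pending = [g for g in pending_groups if g.gid == user.gid]
        if not pending:
            errors.append(f"primary group GID {user.gid} does not exist in zone")
        elif any(is_private_group(g, pending_users) for g in pending):
            errors.append(f"primary group GID {user.gid} is pending import as a private group")
        else:
            warnings.append(f"primary group GID {user.gid} is pending import; import the group first")
    if user.name in zone.users:
        errors.append(f"user name {user.name!r} already defined in zone")
    if user.uid in zone.users.values():
        warnings.append(f"UID {user.uid} already defined in zone")
    if user.ad_candidate is None:
        warnings.append("no matching Active Directory candidate")
    else:
        stored = zone.ad_password_hash.get(user.ad_candidate)
        if stored is not None and user.password_hash is not None and stored != user.password_hash:
            warnings.append("zone password hash of AD candidate differs; import would overwrite it")
        if user.ad_candidate in zone.ad_with_profile:
            warnings.append(f"AD candidate {user.ad_candidate!r} already has a profile in zone")
    for other in pending_users:
        if other is not user and (other.uid == user.uid or other.name == user.name):
            warnings.append(f"UID or name conflict with pending user {other.name!r}")
    missing = [g for g in user.groups if g not in zone.groups]
    if missing:
        warnings.append(f"member of groups not yet in zone: {missing}")
    return errors, warnings


# Constructed sample data; pierre/UID 500 is the guide's own conflict example.
ZONE = Zone(users={"pierre": 500, "anna": 501}, groups={"staff": 100, "pierre": 500},
            ad_with_profile={"CN=Anna"}, ad_password_hash={"CN=Anna": "$6$zone$aaaa"})
PENDING_GROUPS = [PendingGroup("finance", 2000, ["pierre", "marco"], "CN=Finance"),
                  PendingGroup("eng", -1, ["marco"], "CN=Eng"),
                  PendingGroup("marco", 2001)]
PENDING_USERS = [PendingUser("pierre", 1001, 2000, [], None, "$6$x$1"),
                 PendingUser("marco", 1002, 2001, ["finance"], "CN=Marco", "$6$x$2"),
                 PendingUser("annak", 501, 100, [], "CN=Anna", "$6$x$3")]


def run_checks():
    """Return {("group"|"user", name): (errors, warnings)} for all pending records."""
    report = {("group", g.name): check_group(g, ZONE, PENDING_GROUPS) for g in PENDING_GROUPS}
    for u in PENDING_USERS:
        report[("user", u.name)] = check_user(u, ZONE, PENDING_USERS, PENDING_GROUPS)
    return report


if __name__ == "__main__":
    for (kind, name), (errors, warnings) in run_checks().items():
        print(f"{kind} {name}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for line in errors + warnings:
            print("   ", line)
```

Running the script reports, among other things, that the pending user pierre is blocked by the existing pierre profile, that marco's primary group is pending as a private group and must be resolved first, and that importing annak onto CN=Anna would overwrite the password hash stored in the zone. Replacing the constructed data with records parsed from real passwd and group files is the only change needed to use it against an actual extract.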

Making imported information available to NIS clients


You can make user and group information stored in Active Directory available to computers and applications without the Centrify DirectControl Agent through NIS client requests and the optional Centrify DirectControl Network Information Service. The Centrify DirectControl Network Information Service is a separate daemon process, adnisd, that can receive and respond to NIS client requests using the information stored in Active Directory. For more information about deciding whether to use the Centrify DirectControl Network Information Service to service authentication requests, see the Planning and Deployment Guide. For information about configuring the Centrify DirectControl Network Information Service and NIS clients, see Managing network information with NIS maps on page 253.


Chapter 7

Managing group profiles


This chapter describes how to give Active Directory groups access to DirectControl-managed computers in Centrify DirectControl zones and how to manage group profiles and properties using the Centrify DirectControl Administrator Console. The following topics are covered:
- Creating group profiles for Active Directory groups
- Managing Active Directory group membership
- Adding members to a default primary group
- Adding groups from another trusted forest
- Modifying zone-specific settings for a group profile
- Modifying the group object's properties
- Customizing additional settings for groups
- Assigning groups to DirectAuthorize roles
- Running reports for groups
This chapter focuses on adding and managing UNIX profiles and performing related tasks. For information about planning user and group migration and access controls, see the Planning and Deployment Guide.

Creating group profiles for Active Directory groups


You can create a Centrify DirectControl group profile for any existing domain local, global, or universal security groups you have defined in the Active Directory forest. A group profile consists of zone-specific settings, but the same profile information can be used across multiple zones. Creating a profile for an Active Directory group allows you to use Windows role-based access control and group-based filters to manage user access to Centrify DirectControl-managed computers. Associating a group profile with an Active Directory group also enables you to take advantage of nested group membership and group policies applied to a domain or organizational unit (OU) that contains Active Directory groups. Although associating Active Directory security groups with zone-based group profiles can be convenient in many organizations, you are not required to link group profiles to Active Directory groups. In addition, creating a profile for an Active Directory group does not create profiles for any members of the group or automatically give any group members access to the zone where the group profile is created. User accounts must be explicitly given their own profiles and be enabled for the zones they can access, and those users must be explicitly listed as members of one or more Active Directory security groups if you want to use Active Directory's role-based filtering to control access. If you choose to create group profiles for existing Active Directory groups, you can create the profiles using the Centrify DirectControl Administrator Console, Centrify DirectControl Web Console, Active Directory Users and Computers, or programmatically using the Centrify DirectControl Windows API. To create a UNIX profile for a group in a zone using the Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory group. For example, select the default zone. If the zone is not already open, select Zones and right-click, then click Open Zone to find and select the zone you want to use.
3 Select Groups, right-click, then click Create UNIX Group.
4 Type a search string to locate the Active Directory group for which you want to create a profile, then click Find Now. For example, type fin to display the Finance Users and Finance Admins groups:

5 Select one or more groups in the results, then click OK.
6 Review the zone profile settings for the group and make any changes, then click OK. If you selected more than one group, review the profile settings for each group and modify the default settings, if necessary, then click OK. For example:


If you are adding groups with similar names, you may need to modify the UNIX group name to distinguish the groups. For example, if you are adding both the Finance Admins and Finance Users groups to the same zone, you can change the default UNIX group name to finadmin and finuser to make it easier to tell the groups apart. Keep in mind that in some operating environments group names cannot be more than 8 characters and special characters may not be supported. For more information about defining group membership for UNIX users or adding users to their primary group in Active Directory, see Adding Active Directory users to zones on page 144. For more information about the differences in group handling between Active Directory and the UNIX environment or planning access control using group filters, see the Planning and Deployment Guide.

Managing Active Directory group membership


By default, a user's Active Directory group membership only impacts the computers the user can access in a zone if:
- The Active Directory user has a user profile defined and enabled in the zone, and
- The Active Directory user is listed as a member of an Active Directory group that has a group profile defined in the zone.

Identifying a primary group


In most UNIX environments, a user's primary group identifier (GID) is a private group that exists solely for that user. The user is not included as a member of the primary group. Centrify DirectControl follows this convention, allowing a user's primary group to be:
- A UNIX-only private group that is not linked to an Active Directory group or managed in Active Directory.
- Any single Active Directory group with an associated group profile in the zone that can be managed in Active Directory.
Because users are not added as members of the primary group, the primary group identifier (GID) setting does not affect the user's actual Active Directory group membership, eliminating the need to manage primary groups for UNIX users through Active Directory.

Using Active Directory group membership


Although users are not normally listed as members of their primary group, users must be listed as members of a group to do the following:
- Use group membership to control access to computers within a zone. Users must be listed as members of any Active Directory groups you define as filters for them to be allowed or denied access based on group membership. Therefore, you must add users as members of their primary group if you want to use the primary group to control access to computers within a zone.
- Use nested group membership for finer-grained control over user actions.
For example, assume you have a user profile with the primary group name portland and GID 623. This group profile is associated with the Active Directory group Portland IT, which is also listed as a member group of the West Coast Unit Active Directory group. An Active Directory user in the Portland IT group inherits the group membership and is also a member of the West Coast Unit group. The user with a default primary group identifier 623, however, is not added as a member of the portland group and does not inherit any nested group relationship from the Portland IT and West Coast Unit groups. Therefore, by default, you only need to manage Active Directory group membership when you need to use role-based groups or nested groups.
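The distinction in the portland/Portland IT example above is easy to get wrong when reasoning about who a group filter will admit. The following Python script is an added example, not Centrify code: it resolves a zone user's Active Directory membership by walking nested group relationships and, separately, reads the primary GID from the profile, so the two can be compared. The users jsmith and rlee, the westcoast group profile with GID 700, and the memberOf data are all constructed for the example; only the portland/623, Portland IT and West Coast Unit names come from the guide.

```python
"""Added example (not Centrify code): why a primary GID grants no Active
Directory group membership. Nested membership is resolved by walking the
memberOf graph; the primary GID is a profile attribute and is never consulted
for membership. All directory data below is constructed."""

# Constructed: each AD group and the AD groups it is itself a member of.
AD_GROUP_MEMBER_OF = {
    "Portland IT": ["West Coast Unit"],
    "West Coast Unit": [],
}

# Constructed: direct AD group membership per AD user.
AD_USER_MEMBER_OF = {
    "jsmith": ["Portland IT"],
    "rlee": [],                      # no Active Directory group membership at all
}

# Constructed zone group profiles: UNIX group name -> (GID, linked AD group).
ZONE_GROUP_PROFILES = {
    "portland": (623, "Portland IT"),
    "westcoast": (700, "West Coast Unit"),
}

# Constructed zone user profiles: UNIX user name -> (AD user, primary GID).
ZONE_USER_PROFILES = {
    "jsmith": ("jsmith", 623),
    "rlee": ("rlee", 623),           # primary GID is portland, but rlee is not a member
}


def effective_ad_groups(ad_user):
    """All AD groups the user belongs to, directly or through nesting."""
    seen = set()
    stack = list(AD_USER_MEMBER_OF.get(ad_user, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(AD_GROUP_MEMBER_OF.get(group, []))
    return seen


def unix_groups(unix_name):
    """Return (primary_gid, sorted secondary UNIX group names) for a zone user.

    Secondary groups are the zone group profiles whose linked AD group the
    user is a member of. The primary GID is copied from the profile and is
    not derived from, nor does it contribute to, AD membership."""
    ad_user, primary_gid = ZONE_USER_PROFILES[unix_name]
    ad_groups = effective_ad_groups(ad_user)
    secondary = sorted(name for name, (_, linked) in ZONE_GROUP_PROFILES.items()
                       if linked in ad_groups)
    return primary_gid, secondary


def allowed_by_group_filter(unix_name, required_ad_group):
    """A group-based access filter only sees real AD membership."""
    ad_user, _ = ZONE_USER_PROFILES[unix_name]
    return required_ad_group in effective_ad_groups(ad_user)


if __name__ == "__main__":
    for user in ZONE_USER_PROFILES:
        gid, groups = unix_groups(user)
        print(f"{user}: primary GID {gid}, secondary groups {groups}, "
              f"passes 'Portland IT' filter: {allowed_by_group_filter(user, 'Portland IT')}")
```

Both users carry primary GID 623, yet only jsmith inherits the westcoast group through nesting and only jsmith passes a filter on Portland IT; rlee would have to be added to the Active Directory group, which is exactly the case the Associate Active Directory group membership option in the next section automates.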


Using an Active Directory group as a primary group


There is no requirement for you to manage any primary groups for individual users in Active Directory. Each user can have a primary group ID that is not linked to any Active Directory group at all. Because the primary group is not associated with an Active Directory group, you don't need to add members or manage the group in any way. If appropriate for your environment, you can then use membership in any of a user's other Active Directory groups to enforce group-based access controls. If you decide to use an Active Directory group as a user's primary group ID, however, you should check the Active Directory users who are listed as members of the group and add the user as a member, if needed.
Note

Centrify DirectControl can add new users as members of a group automatically if you choose to define an Active Directory group as the default primary group for a zone. For information about configuring a zone to automatically add users to the default primary group, see Adding members to a default primary group on page 130.

For more information about defining a user profile and a users primary group, see Understanding group-based filtering for users on page 142. For more information about the differences between Active Directory and local UNIX groups, see Defining groups for UNIX users in the Planning and Deployment Guide. For more information about planning access control using group or user filters, see Configuring user and group filtering in the Planning and Deployment Guide.

Adding members to a default primary group


As discussed in Identifying a primary group on page 128, setting the primary group ID in a user's UNIX profile does not affect the user's actual Active Directory group membership. It simply identifies a primary group name and GID for the user when accessing DirectControl-managed computers. If you are using an Active Directory group as the default primary group for a zone and want to use the primary group for group-based filtering and control, you may want to automatically update the default primary group with new members whenever you add users to the zone. To automatically add users to the Active Directory group you are using as the default primary group for a zone, you must first manually add a new DWORD key to the registry and set the key to a non-zero value. Adding the registry key displays the Associate Active Directory group membership option in the Zone Properties dialog box. You can then select the Associate Active Directory group membership option to automatically add new users to the Active Directory group you are using as the default primary group for the zone.

Updating the registry


To display the Associate Active Directory group membership option in the Zone Properties dialog box:
1 Start the Registry Editor, and open the HKEY_LOCAL_MACHINE\Software\Centrify\CIMS registry key.
2 Right-click and select New > DWORD Value.
3 Set the name of this registry entry to EnableGroupMembershipAssociation and the value to one.
4 Click File > Exit to close the Registry Editor.

After you modify the registry, the Associate Active Directory group membership option is displayed on the General tab in the Zone Properties dialog box.

Setting the zone property to add users to the primary group


To automatically add new users to the default primary group for the zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones to see the list of zones.
3 Select the zone name you want to modify, right-click, then click Properties to display the Zone Properties dialog box.
4 Click the General tab, then check the Associate Active Directory group membership option to automatically add users to the Active Directory group you are using as the default primary group for the zone. For example:

Display and check this option to add users to the default group

Verifying group membership


To verify that new users are automatically listed as group members after a user profile is added to the zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and expand the zone name for which you want to check group membership.
3 Click Groups, then select the default primary group name.
4 Right-click, then click Properties to display Active Directory properties for the group.
5 Click the Members tab and verify that the user account associated with a new user profile is listed as a member of the group. For example:

Check that new user accounts have been added as members to the group


Marking a group profile as required


On most UNIX systems, a user can only be a member of a limited number of groups at once. Because of this limitation, it is useful to be able to change a user's effective group membership to add and remove groups when necessary. You can use the adsetgroups command to dynamically manage the set of Active Directory groups that are available to a UNIX account. You also have the option to specify that membership in a specific group is required in a zone. If you specify that a group is required, users who are members of the group cannot remove the required group profile from their currently active set of groups. To mark a group as required:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and expand the zone name for which you want to add a required group. For example, expand the default zone.
3 Expand Groups, then select the group name you want to make required.
4 Right-click, then select Zone Settings to display the Centrify Profile for the group.
5 Check the Users are required to be members of this group option. For example:

Check this option to make the group required

6 Click Permissions to set specific permissions for this group, if needed, then click OK.

For more information about using the adsetgroups command, see Using adsetgroups on page 472 or the adsetgroups man page.

Adding groups from another trusted forest


In most cases, when you create a profile for a group in a zone, the Active Directory group already exists in the local Active Directory forest. You can, however, also add profiles for remote groups to a zone without adding them to the local forest. If you have established a two-way external or forest trust relationship with a remote Active Directory forest, you can add groups from that remote forest to Centrify DirectControl zones. You add remote groups to the zone in the same way you add profiles for local Active Directory groups except that you must select the remote forest or domain before searching for the group. To add groups from another trusted forest to a Centrify DirectControl zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory group. For example, select the default zone. If the zone is not already open, right-click, then click Open Zone. For example, select and open the default zone.
3 Select Groups, right-click, then click Create UNIX Group.
4 In the Find Users dialog box, click Browse, then select the trusted forest or a specific domain in the trusted forest, then click OK. For example, if there is a two-way forest trust between the local wonder.land forest and the remote w2k3r2.dev forest, you can select the remote forest, then click OK to add groups from the w2k3r2.dev forest to a current zone in the local forest.
5 Type a search string to locate the group in the selected forest or domain, then click Find Now.
6 Select one or more groups in the results, then click OK.
7 Review the UNIX profile settings for the group and make any changes necessary, then click OK.

Modifying zone-specific settings for a group profile


You can modify the zone-specific settings in a UNIX profile for an Active Directory group using the Centrify DirectControl Administrator Console, Centrify DirectControl Web Console, Active Directory Users and Computers, or programmatically using the Centrify DirectControl Windows API. To modify the zone-specific settings for a group profile associated with an Active Directory group using Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name that contains the group profile you want to modify. For example, click Zones > Venice Arcade to select the zone named Venice Arcade.
3 In the console tree, expand Groups.
4 Select a group name, right-click, then click Zone Settings. For example:

5 Edit the UNIX profile as needed, then click OK. For example, click Permissions to set any special permissions on the selected group.

Modifying the group object's properties


You can modify the group profile or group object properties for an Active Directory group using the Centrify DirectControl Administrator Console, the Centrify DirectControl Web Console, Active Directory Users and Computers, or programmatically using the Centrify DirectControl Windows API. To view and modify the zones where an Active Directory group has a group profile and other group object properties using the Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory group.
3 In the console tree, expand Groups.
4 Select a group name, right-click, then click Properties to display all of the properties for the selected group.
5 Click the Centrify Profile tab. For example:

6 Edit the UNIX profile and any other properties, as needed, then click OK. For example, click Add to add a group profile for the Active Directory group to another zone.

Customizing additional settings for groups


You can configure many aspects of the environment for individual groups by enabling and applying Centrify DirectControl group policies. For example, you can set Centrify DirectControl group policies to bypass Active Directory authentication for specific groups or to allow users in some groups to be approved through prevalidation. For more information about working with group policies, see the Group Policy Guide.

If you are not deploying Centrify DirectControl group policies, you can also customize access controls for users and groups with the settings in any computer's local Centrify DirectControl configuration file. For more information about setting the parameters in the Centrify DirectControl configuration file, see the Configuration Parameter Reference Guide.

Assigning groups to DirectAuthorize roles


DirectAuthorize enables you to centrally manage the operations users can perform on DirectControl-managed computers. With DirectAuthorize, you define specific operations users can perform and assign those rights to specific roles. You can then assign groups to different roles to control which operations the members of the group are allowed to perform, the computers where they are allowed to perform those operations, and when they should be allowed or denied permission to perform those operations.
Note

You can assign Active Directory groups to roles without defining a group profile for them. However, the members of the group must have user profiles in the zone for rights and roles to be enforced. For more information about defining rights and roles and assigning groups to roles, see Defining rights and roles on page 165.

Running reports for groups


To view information about group accounts and profiles, you can run one or more default reports or create your own custom reports. The default Groups Report lists group profile information for each group in each zone, including the following:
- Active Directory group name.
- UNIX group name.
- Numeric group identifier (GID).
- Whether the group is an orphan.
For more information about generating and working with reports, see Generating predefined and custom reports on page 231.

Chapter 8

Managing user profiles


This chapter describes how to give Active Directory users access to the DirectControl-managed computers in Centrify DirectControl zones and how to manage user profiles and properties using the Centrify DirectControl Administrator Console. The following topics are covered:
- Understanding group-based filtering for users
- Using a default primary group for new user profiles
- Adding Active Directory users to zones
- Adding users from another trusted forest
- Setting or changing a user's primary group
- Adding multiple profiles for a user to a zone
- Enabling and disabling multiple users in a zone
- Modifying zone-specific settings for a user profile
- Working with read-only domain controllers
- Applying password policies and changing passwords
- Working in disconnected mode
- Mapping local UNIX accounts to Active Directory
- Setting a local override account
- Customizing other settings for users
- Assigning users to DirectAuthorize roles
- Running reports for users
This chapter focuses on adding and managing UNIX user profiles and performing related tasks. For information about planning the migration of an existing user population and setting up user- or group-based access controls, see the Planning and Deployment Guide.

Understanding group-based filtering for users


As discussed in Managing Active Directory group membership on page 128, creating a profile for an Active Directory group does not automatically give any group members access to the zone where the group profile is created. Instead, you need to create a Centrify DirectControl user profile for the individual users who have access to each zone. Once the user's profile exists, however, the user's group membership can be used to allow or deny access to specific computers in a zone. To use group filtering to control access to computers within a zone:
- The Active Directory user must have a user profile defined in the zone.
- The Active Directory user must be listed as a member of the group.
- A group policy or configuration parameter must be enabled to specify whether members of the group are allowed or denied access.
For more information about planning access control using group and user filters, see the Planning and Deployment Guide.

Using a default primary group for new user profiles


Any time you create a new zone, you have the option of defining an Active Directory group to use as the default primary group for new users in that zone. Using an Active Directory group as the default primary group for new users allows you to use Windows role-based access control and group-based filters to manage user access to Centrify DirectControl-managed computers. However, if you make a group profile that is associated with an Active Directory group the default primary group for new users, you should keep in mind that users are not added to that Active Directory group by default. It simply identifies a primary group name and GID for the user when accessing UNIX computers.

If you use a group profile associated with an Active Directory group as the default primary group in a zone and you want to use the primary group for any group-based filtering and access control, you can do the following:
- Manually add the appropriate user accounts as members of the Active Directory group associated with the primary group.
- Set a zone property to automatically add new users to the Active Directory group.

If you use a group profile associated with an Active Directory group as the default primary group in a zone and users are not listed as members of their primary group:
- You should use other Active Directory groups and group profiles rather than the primary group for group filtering to control access to computers within a zone. Users should be listed as members of any groups you define as filters for them to be allowed or denied access based on group membership.
- Any nested group membership you have defined for the primary group will not be reflected in its users' group membership. For example, if you define the Active Directory group portland as a member of the western-div Active Directory group, an Active Directory user in the portland group inherits the group membership and is also a member of the western-div group. By default, however, the UNIX user with a default primary group linked to the Active Directory group portland is not listed as a member of the portland group and does not inherit any nested group relationship.

For more information about defining group membership for UNIX users or adding users to their primary group in Active Directory, see Adding Active Directory users to zones on page 144. For more information about the differences in group handling between Active Directory and the UNIX environment or planning access control using group filters, see the Planning and Deployment Guide.

Adding Active Directory users to zones


Any existing Active Directory user can be enabled to access computers in any zone. In many organizations, UNIX users already have Active Directory accounts to access resources in the Windows network. If appropriate user accounts already exist in Active Directory, you can enable access to Linux, UNIX, and Mac OS X computers by adding a UNIX profile to the zones each user has permission to access. You can add Active Directory users to zones using the Centrify DirectControl Administrator Console, Centrify DirectControl Web Console, Active Directory Users and Computers, or programmatically using the Centrify DirectControl Windows API. To add users to a Centrify DirectControl zone using the Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
2 On the Centrify DirectControl Administrator Console main page, click Add User to Zone.
3 Click Add to add an Active Directory user to the currently selected zone. If you want to add the user to a different zone, click Browse to search for and select the zone to which you want to add the Active Directory user.
4 Type a search string to locate the user account, then click Find Now. For example, type tes to display the testuser and testadmin users.
5 Select one or more users in the results, then click OK.
6 Review the UNIX profile settings for the user and make any changes necessary, then click OK. If you selected more than one user, review the UNIX profile settings for each user and modify the default settings, if necessary, then click OK.

Note

User profile names can consist of letters, numbers, hyphens, underscores, periods and dashes. Some operating environments may have additional restrictions. For example, some operating environments do not support user names that are longer than 8 characters or require that the first character of the user name be alphabetic. Because UNIX user names typically use only lowercase characters, the default user profile name displayed follows this convention. If you modify the default profile name and include uppercase characters, keep in mind that the proper case must be used when entering the user name. For compatibility with Samba, the dollar sign ($) can also be used at the end of the user name. In general, other special characters, such as ! and &, are not supported.
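As an added example (not part of the guide), the following shell function applies the naming rules from this note to a proposed profile name and reports which rules it breaks, separating hard errors (unsupported characters) from the portability caveats (length, first character, case). The sample names in the loop are constructed.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: check a proposed UNIX profile
# name against the naming rules described above before you accept the
# default or type a custom name in the console.
#
# check_profile_name NAME
#   prints "ok" and returns 0 when the name satisfies every rule, otherwise
#   prints the space-separated list of problems and returns 1.
check_profile_name() {
    name=$1
    problems=""

    # Samba compatibility: one trailing dollar sign is permitted; the rules
    # below apply to the name without it.
    base=${name%\$}

    # Allowed characters are letters, digits, hyphen, underscore and period.
    case $base in
        "")                  problems="$problems empty-name" ;;
        *[!A-Za-z0-9._-]*)   problems="$problems invalid-characters" ;;
    esac

    # Some operating environments require an alphabetic first character.
    case $base in
        [A-Za-z]*) : ;;
        *)         problems="$problems non-alphabetic-first-character" ;;
    esac

    # Some operating environments reject user names longer than 8 characters.
    if [ "${#name}" -gt 8 ]; then
        problems="$problems longer-than-8"
    fi

    # UNIX user names are conventionally lowercase; an uppercase name must be
    # typed with exactly that case at logon.
    case $base in
        *[A-Z]*) problems="$problems contains-uppercase" ;;
    esac

    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "${problems# }"
    return 1
}

# Constructed sample names, one per rule, so the output is self-explanatory.
for n in sofiapz testadmin 'svc-app$' 'Sofia.Perez' 9lives 'bad!name'; do
    printf '%-12s %s\n' "$n" "$(check_profile_name "$n")"
done
```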

Adding users from another trusted forest


In most cases, when you add a user profile to a zone, the Active Directory user already exists in the local Active Directory forest. You can, however, also add remote users to a zone without adding them to the local forest. If you have established a one- or two-way trust relationship with a remote or external Active Directory forest, you can add users from that remote forest to Centrify DirectControl zones. You add remote user accounts to the zone in the same way you add profiles for local Active Directory users except that you must select the remote forest or domain before searching for the user account. To add users from another trusted forest to a Centrify DirectControl zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory user. If the zone is not already open, right-click, then click Open Zone. For example, select and open the default zone.
3 Select Users, right-click, then click Add User to Zone.
4 In the Find Users dialog box, click Browse, then select the remote trusted forest or a specific domain in the trusted forest, then click OK. For example, if there is a one- or two-way forest trust between the local wonder.land forest and the remote w2k3r2.dev forest, you can select the remote forest, then click OK to add users from the w2k3r2.dev forest to a current zone in the local forest.
[Figure: Local forest / Trusted forest]
5 Type a search string to locate the user in the selected forest or domain, then click Find Now.
6 Select one or more users in the results, then click OK.
7 Review the UNIX profile settings for the user and make any changes necessary, then click OK.

Identifying users from remote forests


Users from a remote forest are identified in the Centrify DirectControl Administrator Console with the following icon:

Using valid logon names for users from a remote forest


If you add users from trusted external forests to a zone, you should be aware that those users can only log on or be identified using:
- UNIX profile name enabled for the zone.
- Full Active Directory user name and home domain name.
When users are defined in a local forest, they can be located in Active Directory by their UNIX profile name, their userPrincipalName, or their samAccountName in the form of their user logon name alone or in its full pre-Windows 2000 format of domainname\username, so any of these identities can be used to access user information or log on. To identify a user from a trusted external forest, however, you must use either the user's UNIX profile name for the zone or the user's samAccountName followed by the user's domain name in the form of samAccountName@domainname. Using the UNIX profile name or the samAccountName@domainname to identify a user ensures the name is unique when there are cross-forest trust relationships. For example, if an Active Directory user from a trusted external forest (sierra.org) has the Active Directory logon name of sofia.perez and a UNIX profile name of sofiapz, the user can be identified using:
sofia.perez@sierra.org
sofiapz

You cannot use sierra\sofia.perez or sofia.perez without the domain to retrieve information or authenticate from a remote forest. In addition, the userPrincipalName (username@domainname) for any user may be different from the samAccountName@domainname. For example, if you use alternate UPN suffixes, the domain name used in the userPrincipalName may be different from the domain name that uniquely identifies the user. Similarly, a user's pre-Windows 2000 user logon name (samAccountName) may be different from the user name used in the userPrincipalName. For example, if the Active Directory user sofia.perez@sierra.org has a pre-Windows 2000 user logon name of SIERRA\perez.s, that user would be found as perez.s@sierra.org.

Setting or changing a user's primary group


By default, the primary group for a user is the UNIX group name and numeric identifier associated with the Active Directory group defined as the default primary group for the zone. You can change the group by displaying the user's UNIX profile, then clicking Browse.

After you click Browse, you can do one of the following to set the user's primary group:
- Select an Active Directory group from the list of groups that have been enabled for UNIX access in the current zone. If the Active Directory group you want to use is not listed, click Add to search for the Active Directory group you are interested in and add the UNIX profile for that group to the list.
- Select the Auto-private group to have a UNIX-only private group automatically generated for the user. If you select this option, DirectControl automatically creates a UNIX group profile that uses the user's UNIX profile name as the group name and the user's UID as the group GID. Automatically-generated groups are not stored or managed in Active Directory.
- Specify a group identifier (GID) not associated with any Active Directory group in the current zone. To specify a group profile not in the current zone, type the group identifier (GID) for the group. If you select this option, the Centrify DirectControl Administrator Console does not verify whether the group exists. You can enter any value as the primary group identifier (GID). If you plan to use groups that are defined in other zones or are not associated with Active Directory security groups, you should verify that a group profile exists either on the UNIX system or in another zone and identify a scheme for assigning the GID.

Note

If you select the Auto-private group option, the Centrify DirectControl Agent handles the creation of the UNIX group on the computer when the user logs on.

Adding multiple profiles for a user to a zone


It is possible for an Active Directory user to have more than one UNIX profile defined in a zone. If you attempt to add a new UNIX profile for an Active Directory account that already has a UNIX profile in the current zone, the Centrify DirectControl Administrator Console displays a warning but allows you to continue. If an Active Directory user has more than one UNIX profile in a zone, however, the user must log on to computers in the zone with the UNIX profile name he wants to use. Logging on with the Active Directory user login name (the user's samAccountName attribute) may prevent the user from accessing some files because the account has multiple UNIX profiles, and UIDs, associated with it.

Enabling and disabling multiple users in a zone


Once users have been added to a zone, you can enable or disable their UNIX profiles for the zone at any time. You can also enable or disable the UNIX profiles for multiple users at once. To enable or disable the UNIX profile for multiple users in a zone, select all of the user names to enable or disable using the CTRL or SHIFT keys, right-click, then click Enable UNIX Account or Disable UNIX Account.

Modifying zone-specific settings for a user profile


You can modify the zone-specific settings in a UNIX profile for an Active Directory user using the Centrify DirectControl Administrator Console, Centrify DirectControl Web Console, Active Directory Users and Computers, or programmatically using the Centrify DirectControl Windows API. To modify the zone-specific settings in a user profile for an Active Directory user using the Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name that contains the user profile you want to modify. For example, click Zones, then select the default zone. If the zone is not already open, right-click Zones, then click Open Zone and type a search string to find and select the zone you want to open.
3 In the console tree, expand Users.
4 Select a user name, right-click, then click Zone Settings.
5 Edit the UNIX profile as needed, then click OK. For example, click Permissions to set any special permissions on the selected user.

Modifying the user profile and object properties


You can modify the user profile or user object properties for an Active Directory user account using the Centrify DirectControl Administrator Console, the Centrify DirectControl Web Console, Active Directory Users and Computers, or programmatically using the Centrify DirectControl Windows API. To view and modify the Centrify DirectControl and Active Directory object properties using the Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click Zones and select the zone name that contains the user profile you want to modify. For example, click Zones, then select the default zone. If the zone is not already open, right-click Zones, then click Open Zone and type a search string to find and select the zone you want to open.
3 In the console tree, expand Users.
4 Select a user name, right-click, then click Properties to display all of the properties for the selected user.
5 Click the Centrify Profile tab.
6 Edit the UNIX profile and any other properties, as needed, then click OK. For example, click Add to add a UNIX profile for the selected user to another zone.

Working with read-only domain controllers


If the Active Directory forest includes read-only domain controllers, you should force replications when adding or modifying users and groups in a zone. Forcing replication ensures that the new information is available right away. To force replication after updating a zone:

1 Click Start > Administrative Tools > Active Directory Sites and Services.
2 In the console tree, expand Sites, then select the Active Directory site that contains the connection over which you want to replicate directory information. For example, select DEFAULT-FIRST-SITE.
3 Expand Servers, then select the domain controller for which you want to force replication.
4 Click NTDS Settings.
5 In the details pane, right-click the connection over which you want to replicate directory information, then click Replicate Now.
If you choose not to force replication, the changes made to the zone will not take effect until replication is complete for the forest.

Applying password policies and changing passwords


Centrify DirectControl enforces all of the password policies you have defined in Active Directory for the UNIX accounts you enable. Therefore, if you create a new UNIX user account that requires a password change the next time the user logs on, the user is prompted to change the password the next time she logs on to either a Windows or UNIX computer. When the user provides a new password, Centrify DirectControl checks the new password to make sure it conforms to Active Directory policies for length and complexity. If the new password meets all of the criteria, the account is updated with the new information in Active Directory and the user logs on successfully.

Centrify DirectControl also enforces the password expiration period, the password reuse policy, account lockout policy, workstation restrictions, and logon hour restrictions if you have defined these policies for any user account. In addition, Centrify DirectControl displays a warning message on the UNIX computer if a user's password is about to expire. Administrators can set, reset, or change the password for users using Active Directory or from the UNIX command line. Individual users can also change their own password at any time using the adpasswd command.

Changing your own password


If you attempt to log in but your password has expired, you are prompted to provide your old password, a new password, and to confirm your new password. You can also change your own password at any time using adpasswd. To change your own password using adpasswd:
1 At the UNIX command line, run the following command:
adpasswd
2 Type your old password. When changing your own password, you must always provide your old password.
3 Type the new password. The password should conform to Active Directory password policies.
4 Retype the new password.

For more information about using adpasswd, see Using adpasswd on page 344.

Changing another user's password


The adpasswd command can be used to change the password of another Active Directory user if you provide the user name and password of an administrative account with the authority to change another user's password. To change the password for another user using adpasswd:
1 At the UNIX command line, run the adpasswd command and specify an Active Directory administrative account name with the authority to change the password for users in the domain. For example, to use the admin user account to change the password for the user jane in the sales.acme.com domain:
adpasswd --adminuser admin@acme.com jane@sales.acme.com
2 Type the password for the administrative account. For example:
Administrator password: xxx
3 Type the new password for the user specified. Because you are changing another user's password, you are not prompted for an old password. For example:
New password:
4 Retype the new password.
Repeat password:

For more information about using adpasswd, see Using adpasswd on page 344.

Working in disconnected mode


Once an Active Directory user logs on to a UNIX computer successfully, the authentication is cached by the Centrify DirectControl Agent. These credentials can then be used to authenticate the user in subsequent logon attempts if the user is disconnected from the network or an Active Directory domain controller is not available. If there are changes to an account while the account is running in disconnected mode, the changes don't take effect until the user reconnects to Active Directory to start a new session or access a new service. For example, if a user account is disabled or has its password changed in Active Directory while the user is disconnected from the network, the user can still log on and use the old password until reconnected to the network. Once the user reconnects to Active Directory, the changes take effect and the user is denied access or prompted to provide an updated password. Because changing the password for an Active Directory account requires a connection to an Active Directory domain controller, users cannot change their own Active Directory password when working in disconnected mode.

If users log out of a session while disconnected from Active Directory, they can be authenticated using the information in the cache when they log back on because they have been successfully authenticated in a previous session. They cannot, however, be authenticated automatically to any additional services after logging back on. To enable automatic authentication for additional services, the user's credentials must be presented to the Key Distribution Center (KDC), which then issues a ticket that can be presented to other services for unprompted, single sign-on authentication. Because the KDC is unavailable when disconnected from Active Directory, single sign-on authentication is also unavailable.
Note

You can configure many aspects of how credentials are handled, including how frequently they are updated or discarded, through Centrify DirectControl group policies or parameter settings in the Centrify DirectControl configuration file. For more information about using group policies and the group policies available, see the Group Policy Guide. For information about changing settings in the configuration file, see the Configuration Parameters Reference Guide.

Mapping local UNIX accounts to Active Directory


By default, local UNIX user accounts are still valid on the UNIX computers that join the Active Directory domain. You can then use Centrify DirectControl group policies or configuration parameter settings to control any special handling for select accounts. For example, you can use group policy or configuration parameters to map a local user account to an Active Directory account. Mapping a local UNIX user account to an Active Directory account gives you Active Directory-based control over password policies, such as password length, complexity, and expiration period. Mapping a local account to Active Directory is especially useful for accounts that have special privileges, such as local system accounts or service accounts for applications. By mapping these types of accounts to an Active Directory account and password:
- You control access to the account because users need to know the Active Directory password for the account.
- You ensure Active Directory password policies are applied to the account password, so that each password is complex enough or changed frequently enough to be secure.
Although this mapping is especially useful for system and application service accounts, you can map any local user account to an Active Directory account. To map a local account to an Active Directory account, you can:
- Enable and configure the Set user mapping group policy in a Group Policy Object applied to one or more computers.
- Set the pam.mapuser.username configuration parameter on any individual local computer.

Configuring group policy to map local accounts


To map a local UNIX user account to an Active Directory user with the Centrify DirectControl User Map group policy:
1 Create an Active Directory user account.
2 Install the Group Policy Editor Extension, if you have not already done so.
3 Create or select a Group Policy Object and link to an appropriate site, domain, or organizational unit, then click Edit to open the Group Policy Object in the Group Policy Object Editor.
4 In the Group Policy Object Editor, select Computer Configuration > Centrify Settings, right-click, then select Add/Remove Templates.
5 Click Add, select the centrifydc_settings.xml administrative template and any other administrative templates you want to add, click Open, then click OK. Select the centrifydc_settings.xml policy template to set DirectControl configuration policies.
6 Select DirectControl Settings > Set user mapping policy, right-click, then click Properties.
7 Click Enabled, then click Add.
8 Type the local account name in UNIX User.
9 Type the Active Directory account name or click Browse to look for the Active Directory user to which the local user is mapped, then click OK. For example, if the local user name is oracle and the Active Directory account you created to map the user to is Oracle Admins, type oracle in UNIX User and select Oracle Admins as the Active Directory account.
10 Click Add to create other user maps or click OK to save this configuration.
When users attempt to sign on using the local oracle account, they must provide the password for the Oracle Admins Active Directory account. When you use account mapping in this way, you can ensure the same password policy used for Active Directory passwords applies to local user accounts. For more information about creating and linking Group Policy Objects that include Centrify DirectControl configuration settings, see the Group Policy Guide.

Using the pam.mapuser parameter to map local accounts


To map a local user account to an Active Directory user by modifying the Centrify DirectControl configuration file:
1 Create the Active Directory user account you want to use. For example, assume you want to use one Active Directory account for all of the oracle service accounts in a particular zone. If the zone name is central-div, you can create an Active Directory user account named oracle_central-div.
2 On the UNIX computer, open the Centrify DirectControl configuration file /etc/centrifydc/centrifydc.conf.
3 Locate the pam.mapuser.root configuration parameter and uncomment the line to change the default setting.
4 Modify the local account mapping to identify the local user account you want mapped to the Active Directory user you created. You can use environment variables such as $DOMAIN, $ZONE, or $HOSTNAME with this configuration parameter if you used the domain, zone, or host name in the Active Directory account name. For example, if you are mapping the local oracle service account and the Active Directory user account you created is named oracle_central-div:
pam.mapuser.oracle: oracle_$ZONE
5 Save the changes to the configuration file, then run the adreload command to reload the configuration file and have the changes take effect.
For more information about editing Centrify DirectControl configuration parameters, see the Configuration Parameters Reference Guide.
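The following shell script is an added example, not part of the guide or of DirectControl: it reads the pam.mapuser lines from a constructed centrifydc.conf excerpt and expands $DOMAIN, $ZONE and $HOSTNAME as described in step 4, so you can review the resulting local-to-Active Directory mappings (and confirm which accounts, such as a still-commented root, remain unmapped) before running adreload. The domain, zone, host and account names are constructed, and the non-mapping parameter line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Centrify guide or product: resolve the
# pam.mapuser.<localuser> lines of a centrifydc.conf the way the steps above
# describe, so the effective mappings can be reviewed before adreload.
# Only $DOMAIN, $ZONE and $HOSTNAME are expanded, because those are the
# variables the guide documents for this parameter.

# Constructed excerpt of /etc/centrifydc/centrifydc.conf. The root mapping is
# still commented out, as shipped, so root remains a local account; the last
# line is a placeholder for an unrelated parameter and must be ignored.
SAMPLE_CONF='# pam.mapuser.root: root_$HOSTNAME
pam.mapuser.oracle: oracle_$ZONE
pam.mapuser.postgres:dbadmin@$DOMAIN
pam.mapuser.backup:    svc-backup_$HOSTNAME
other.parameter.placeholder: 1'

# resolve_mapuser CONF DOMAIN ZONE HOSTNAME
#   prints one "localuser=adaccount" line per active (uncommented) mapping,
#   in file order, with the three variables expanded.
resolve_mapuser() {
    printf '%s\n' "$1" | awk -v domain="$2" -v zone="$3" -v host="$4" '
        /^[ \t]*#/ { next }                     # commented mappings are inactive
        /^[ \t]*pam\.mapuser\./ {
            line = $0
            sub(/^[ \t]*pam\.mapuser\./, "", line)
            i = index(line, ":")
            if (i == 0) next                    # malformed line: no separator
            key = substr(line, 1, i - 1)        # local account name
            val = substr(line, i + 1)           # Active Directory account
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+/, "", val); gsub(/[ \t]+$/, "", val)
            gsub(/[$]DOMAIN/, domain, val)
            gsub(/[$]ZONE/, zone, val)
            gsub(/[$]HOSTNAME/, host, val)
            printf "%s=%s\n", key, val
        }'
}

# mapped_account CONF DOMAIN ZONE HOSTNAME LOCALUSER
#   prints the Active Directory account LOCALUSER is mapped to, or "unmapped"
#   when no active pam.mapuser line exists for it (it stays a local account).
mapped_account() {
    resolve_mapuser "$1" "$2" "$3" "$4" |
        awk -F= -v u="$5" '$1 == u { print $2; found = 1 }
                           END { if (!found) print "unmapped" }'
}

# Review the constructed configuration as it would apply on host db01 in the
# central-div zone of the acme.com domain.
resolve_mapuser "$SAMPLE_CONF" acme.com central-div db01
mapped_account  "$SAMPLE_CONF" acme.com central-div db01 root
```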

Setting a local override account


In most cases, every computer should have at least one account that can be authenticated locally to ensure you can access the system when the network or Active Directory is not available or Centrify DirectControl is not running. By default, the local override account is set to the root user so that even if you map the root account to an Active Directory account, you can always log on locally using root@localhost and the local root account password. You can change the default root override account or add additional local users using the Allow localhost users group policy or by modifying the computer's Centrify DirectControl configuration file.

Customizing other settings for users


You can configure many aspects of the environment for individual users by enabling and applying Centrify DirectControl group policies. For example, you can set Centrify DirectControl group policies to bypass Active Directory authentication for specific users or allow some users to be preapproved for authentication on computers they have never used. For more information about working with group policies, see the Group Policy Guide.
If you are not deploying Centrify DirectControl group policies, you can also customize access controls for users with the settings in any computer's local Centrify DirectControl configuration file. For more information about setting the parameters in the Centrify DirectControl configuration file, see the Configuration Parameters Reference Guide.

Assigning users to DirectAuthorize roles


DirectAuthorize enables you to centrally manage the operations users can perform on DirectControl-managed computers. With DirectAuthorize, you define specific operations users can perform and assign those rights to specific roles. You can then assign users to different roles to control which operations they are allowed to perform, the computers where they are allowed to perform those operations, and when they should be allowed or denied permission to perform those operations. For more information about defining rights and roles and assigning users to roles, see Defining rights and roles on page 165.
Note: You can assign Active Directory users to roles without defining a user profile for them. However, the Active Directory user must have a user profile in the zone for rights and roles to be enforced.

Running reports for users


To view information about user accounts and profiles, you can run one or more default reports or create your own custom reports:
  The default Users Report lists information from the UNIX profile for each user in each zone, including the user's Active Directory user name, UNIX user name, UID, shell, home directory and primary group.
  The default User Account Report lists account details for the Active Directory users that have UNIX profiles in each zone. This report includes the Active Directory display name, the Active Directory logon name, the Active Directory domain for the account, and details about the account status, such as whether the account is configured to expire, locked out, or disabled and the date and time of the account's last logon.
For more information about generating and working with reports, see Generating predefined and custom reports on page 231.

Chapter 9

Defining rights and roles


This chapter describes how to activate and use DirectAuthorize to define specific rights and assign users to specific roles to establish role-based access controls on a zone-by-zone or computer-by-computer basis. The following topics are covered:
  Understanding DirectAuthorize rights and roles
  Verifying system requirements for DirectAuthorize
  Initializing DirectAuthorize for a zone
  Defining specific rights
  Creating roles for job functions in a zone
  Assigning users and groups to a role
  Limiting the scope of a role to a specific computer
  Working within assigned roles
  Cloning and renaming a role
  Exporting and importing rights and roles
  Modifying rights, roles, and role assignments
  Viewing rights and roles
  Running reports for roles and rights

Understanding DirectAuthorize rights and roles


DirectAuthorize provides a console extension to the main Centrify DirectControl Administrator Console that enables you to centrally manage the operations users can perform on DirectControl-managed computers. In DirectAuthorize, a right represents a specific operation a user is allowed to perform. Rights can be defined for the following types of operations:
  PAM Access rights identify the specific PAM-enabled applications the user can access.
  Restricted Environments provide strictly controlled access to a defined subset of shell commands in a customized DirectAuthorize restricted environment shell (dzsh).
  Privileged Commands identify specific commands the user can run and whether those commands can be run under the user's own account or as another user account.
Individual rights to perform specific operations can be combined to define a role. In most cases, a role is a collection of rights that reflect the needs of a specific job function, such as a database administrator, backup operator, or web site developer. Roles can be active and available for use during specific hours of the day or days of the week. For example, you can specify that the Backup Operator role is only available on Wednesdays and Fridays between the hours of 5:00PM and 9:00PM. When you assign users and groups to the role, they are allowed to perform the operations associated with the role during the days and times you have defined for the role. An individual Active Directory user or group role assignment can be given an effective starting date and time, an expiration date and time, or both. For example, if the user Jae needs to be a database administrator temporarily for four weeks in August, you can assign this user to the Database Administrator role with a start date of Monday, August 4th, and an expiration date of Friday, August 29th.

The role assignment for an Active Directory user or group can apply either for an entire zone or for a specific computer in a zone. For example, you can assign the user Chris to the Local_Admin role on the computer fireline to give that user specific rights for that individual computer rather than all computers in the zone. Keep in mind that any computer-based role assignments are added to the role assignments defined for the entire zone. When users log on to a given computer, they get the roles defined at the zone level and the roles assigned to them for that specific computer. If you first assign the user Chris to the Local_Admin role for the entire zone, his rights will apply to all of the computers in the zone, including the fireline computer. If you later decide you only want him to perform Local_Admin operations on the fireline computer, you would need to remove his Local_Admin role assignment that applies to the whole zone.

Understanding what rights provide


Before you enforce any rights or roles, all users have a base set of rights that allow them to perform tasks on the computers in their environment. As you begin planning and defining rights and roles, you should keep in mind that essentially they fall into one of two categories:
  Rights that grant users additional privileges to perform tasks they are not allowed to perform with their base set of rights.
  Rights that constrain users to a subset of explicitly defined tasks.
If you create a SysAdmin role that includes the privileged command rights for reboot and adflush, users assigned to that role have all of their base rights plus permission to run the privileged commands dzdo reboot and dzdo adflush. If you create a BackOps role that uses a restricted environment, users assigned to that role can only run the subset of commands that have been defined for that environment. PAM access rights can be added to either type of role to grant access to all PAM-enabled applications or restrict access to specific PAM-enabled applications.

Understanding how multiple roles are combined


You can assign a user to multiple roles with different rights, active hours, and start and expiration times. When users are assigned to multiple roles, their rights are additive.

In this scenario: all of a user's roles grant access to privileged commands and have no time constraints.
Result: The user can run all of the base commands normally available to individual users plus all of the privileged commands defined in the roles he is assigned. If his role assignment for one role expires or is unavailable at specific times, the privileges granted for that role don't apply but all of his other rights remain in effect.

In this scenario: all of a user's roles require a restricted environment and have no time constraints.
Result: The user can only work in a DirectAuthorize restricted environment shell (dzsh) and must use the role command to identify which role should be active. Within the restricted environment, the user can then only run the commands associated with the active role.

In this scenario: a user is assigned to at least one role that grants access to privileged commands.
Result: The user can run all of the base commands normally available, plus all of the privileged commands defined in the roles he is assigned, and any commands defined for his restricted environment role. As long as at least one role grants access to privileged commands, the user is not placed into a DirectAuthorize restricted environment.

In this scenario: all of a user's roles require a restricted environment and all of the roles are expired or not available.
Result: The user is prevented from logging on. If all of a user's roles restrict the user's access rights to specific commands and all of the roles are expired or not available for a period of time, the user is not allowed to log on until at least one role is available to become the user's active role. Note: This is the only case where users are prevented from logging on.

For example, the user monte is assigned two roles:
  backup_ops role has a restricted environment that allows members to run the command tar as root during off-hours.
  sys_admin role grants permission to run rpm as root with no time constraints.
If monte logs on during off-hours when both roles are available, he can run both dzdo rpm and dzdo tar until the time constraints for the backup_ops role take effect and he loses permission to run the tar command as root. If the sys_admin role assignment is temporary and expires, the user monte loses permission to run the privileged commands associated with that role. When the sys_admin role assignment expires, only the backup_ops role assignment applies, and the user monte is placed into a restricted environment when he next logs on.

Understanding roles with PAM access rights


Roles that grant privileged command rights or restricted environment rights can also include PAM access rights. If you don't specify any PAM access rights in any of a user's roles, the user can access computers in the zone using any PAM-enabled application. If any of a user's roles has PAM access rights defined, the user can only use the PAM-enabled applications specified. For example, if the user chris is assigned to the following roles:
  backup_ops role that has no PAM access rights defined.
  sys_admin role that has access rights for the PAM-enabled applications sshd and login.
  publishers role that has access rights for the PAM-enabled application ftp.
If all of the roles are available, the user chris can use ssh, login, and ftp, but no other PAM-enabled applications. Even though the backup_ops role allows access to any PAM-enabled application, the user can only use the PAM-enabled applications that are explicitly defined in the other roles. If you want to use PAM access controls for any roles, you may want to explicitly define a PAM access right that allows access to all PAM-enabled applications using an asterisk (*). You can then add this right to roles as needed to ensure users don't lose rights they should have when they are assigned multiple roles. For example, if the user chris is assigned to the same roles described above but the backup_ops role has the All (*) PAM access right explicitly defined and all of the roles are available, the user chris can use any PAM-enabled application, not just ssh, login, and ftp. Alternatively, you can allow access to all PAM-enabled applications for all roles (no restrictions defined for any roles) or explicitly define restrictions for which PAM-enabled applications users can access in all roles. This eliminates the chance that a user with multiple roles will be denied access to PAM-enabled applications unexpectedly because some role assignments explicitly define access and others do not.
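The combination rules for multiple roles and the PAM access rules in this section, worked through in code: an added example (not Centrify code) that computes a user's effective shell, commands and PAM applications from a set of role assignments; the Role and Assignment structures, the off-hours window, the 2008 dates and the users monte and chris are constructed to match the scenarios in the text.

```python
"""Effective DirectAuthorize access from several role assignments.

Added example, not Centrify code. It applies the rules stated in the text:
rights are additive; any available privileged-command role keeps the user in a
normal shell; only restricted roles available means dzsh with the commands of
the active role; only restricted roles and none available means no logon; PAM
access is limited only when at least one available role names PAM applications.
"""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch


@dataclass
class Role:
    name: str
    restricted: bool                              # True: restricted environment (dzsh) role
    commands: set = field(default_factory=set)    # privileged (dzdo) or dzsh commands
    pam_apps: set = field(default_factory=set)    # PAM access rights (glob patterns)
    active_hours: set = field(default_factory=lambda: set(range(24)))


@dataclass
class Assignment:
    role: Role
    starts: datetime = datetime.min               # effective start of this assignment
    expires: datetime = datetime.max              # expiration of this assignment


def in_window(a: Assignment, now: datetime) -> bool:
    return a.starts <= now < a.expires


def available(a: Assignment, now: datetime) -> bool:
    """Assignment not expired and the role is inside its active hours."""
    return in_window(a, now) and now.hour in a.role.active_hours


def effective_access(assignments, now: datetime) -> dict:
    current = [a.role for a in assignments if in_window(a, now)]
    live = [a.role for a in assignments if available(a, now)]
    # PAM rights: union of what the live roles name; None means any PAM app.
    pam = set().union(*(r.pam_apps for r in live)) or None

    if current and all(r.restricted for r in current) and not live:
        # Only restricted roles, and none usable right now: logon is refused.
        return {"login": False, "shell": None, "commands": {}, "pam": None}
    if live and all(r.restricted for r in live):
        # Only restricted roles usable: dzsh, user picks one with the role command.
        return {"login": True, "shell": "dzsh",
                "commands": {r.name: set(r.commands) for r in live}, "pam": pam}
    # At least one privileged role (or no role at all): normal login shell with
    # base rights plus every live role's commands, run through dzdo.
    return {"login": True, "shell": "login shell",
            "commands": {"dzdo": set().union(*(r.commands for r in live))}, "pam": pam}


def pam_allowed(access: dict, app: str) -> bool:
    """Can this PAM-enabled application (e.g. sshd) be used under this access?"""
    if not access["login"]:
        return False
    return access["pam"] is None or any(fnmatch(app, p) for p in access["pam"])


def access_for(assignments, when: str) -> dict:
    """Convenience wrapper taking an ISO timestamp such as '2008-08-10T20:00'."""
    return effective_access(assignments, datetime.fromisoformat(when))


# Constructed roles matching the scenarios in the text.
OFF_HOURS = set(range(0, 8)) | set(range(18, 24))
BACKUP_OPS = Role("backup_ops", restricted=True, commands={"tar"}, active_hours=OFF_HOURS)
SYS_ADMIN = Role("sys_admin", restricted=False, commands={"rpm"}, pam_apps={"sshd", "login"})
PUBLISHERS = Role("publishers", restricted=False, pam_apps={"ftp"})
BACKUP_OPS_ALL_PAM = Role("backup_ops", restricted=True, commands={"tar"},
                          pam_apps={"*"}, active_hours=OFF_HOURS)

# monte: backup_ops for the whole zone, sys_admin only for four weeks in August 2008.
MONTE = [Assignment(BACKUP_OPS),
         Assignment(SYS_ADMIN, starts=datetime(2008, 8, 4), expires=datetime(2008, 8, 30))]
# chris: three roles, of which only sys_admin and publishers define PAM access rights.
CHRIS = [Assignment(BACKUP_OPS), Assignment(SYS_ADMIN), Assignment(PUBLISHERS)]
CHRIS_ALL_PAM = [Assignment(BACKUP_OPS_ALL_PAM), Assignment(SYS_ADMIN), Assignment(PUBLISHERS)]

if __name__ == "__main__":
    for when in ("2008-08-10T20:00", "2008-08-10T12:00", "2008-09-01T20:00", "2008-09-01T12:00"):
        print(when, access_for(MONTE, when))
```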

Understanding the limitations of the restricted environment


The restricted environment does not enforce rights for commands run outside of the shell. For example, if using a graphical desktop manager, the user can run commands and applications that are launched from menu selections in the graphical user interface. In addition, limiting the user's command set in the dzsh shell does not prevent the user from running built-in shell commands, accessing the file system, or seeing process or system information. For example, even in a restricted environment with no rights to run any commands, a dzsh user could get a process listing using the following script:
for i in /proc/[0-9]*; do read PROC < $i/cmdline; echo $PROC; done

Because the shell scripting environment allows the operations, the user can effectively access information that the command set defined for his restricted environment does not allow.
Keeping a restricted environment secure

There are many ways sophisticated users can get around limitations placed on a restricted environment. For example, most text editors, such as vi and emacs, allow shell escapes. Giving users permission to run programs that allow shell escapes in a restricted environment enables them to open a new unrestricted environment with none of the restrictions placed on them in their defined environment. Similarly, giving users access to commands that set or modify local time and date settings may allow them to avoid time constraints for running commands or the expiration date and time for specific role assignments. In some cases, even individual command line options may provide users with the means to run commands not defined in their restricted environment. For example, allowing the user to run the tar command with --use-compress-program program_name allows the user to run the specified program_name even though program_name is not an allowed command in their restricted environment. In choosing the commands to allow in a restricted environment, therefore, you should carefully consider ways to plug potential security holes the commands may introduce or whether there are alternative commands that provide the same functionality more securely. For example, if you need to give a user access to an editor, such as vi or vim, you could restrict the ability to execute nested commands to prevent users from opening a new shell from within the editor; see Step 10 on page 188 of Configuring restricted environment rights. Alternatively, you could add the rvi command to the restricted environment instead of vi or vim because rvi doesn't allow the user to open a new shell.

Assigning non-zone users to roles


Users must have a profile in a zone before they can perform any operations on DirectControl-managed computers or be granted privileged or restricted command access. However, you can assign users to roles prior to adding their profiles to the zone. Assigning users to roles before they have a profile in the zone enables you to define what they can and can't do before they have access to computers in the zone at all. If a user has a profile in the zone, he has basic rights to run commands on computers in the zone until you assign him to a role that restricts what he can do. If you assign him to a role first, he only has the rights associated with his role when you add a profile for his account to the zone. There is no period of time when he has unrestricted access as a zone user.

Assigning users to roles on specific computers


You can assign users or groups to specific roles on specific computers. You cannot, however, create computer-specific rights or computer-specific roles. Rights and roles are always defined for the entire zone. You can then use role assignments to limit the scope of what tasks a user or group can perform on a specific computer. For example, the user monte is assigned two roles:
  backup_ops role has a restricted environment that allows members to run the command tar as root during off-hours. The scope of the role assignment is the entire zone, so monte can log on and run the commands allowed for the backup_ops role on any computer in the zone during the hours the backup_ops role is in effect.
  sys_admin role grants permission to run rpm as root, but the scope of this role assignment has been changed from the entire zone to only apply on the computer firefly.
On the computer firefly, the user monte can log on any time, run any normal user commands, run the privileged command dzdo rpm at any time, and run dzdo tar during the hours the backup_ops role is in effect.

Verifying system requirements for DirectAuthorize


DirectAuthorize is an optional component that you can install on any computer where you install the Centrify DirectControl Administrator Console, but it has unique system requirements that are not necessary for the main Centrify DirectControl Administrator Console. Therefore, before you initialize and begin using DirectAuthorize, you should verify that the computer where you plan to install or have installed this component meets the following requirements:
  The computer is running Windows Server 2003 with SP1 or later, Windows XP with SP2 or later, Windows Vista SP1 or later, or Windows Server 2008. Alternatively, you can install the separate Windows Server 2003 Administration Tools Pack (adminpak.msi) if you are using an older version of Windows Server 2003 or Windows XP.
  The functional level of the Active Directory forest has been raised to Windows Server 2003.
You can install the DirectAuthorize console extension with the Centrify DirectControl Administrator Console on computers running Windows 2000 if you also install the Authorization Manager Runtime for Windows 2000 downloadable software package from Microsoft. The authorization store, however, requires the zone to be in a Windows Server 2003 domain and the domain functional level to be Windows Server 2003. For information about downloading the Authorization Manager Runtime for Windows 2000 Server, see the Microsoft Web site.

Note: You should also verify that the Centrify DirectControl Administrator Console you are using and the Centrify DirectControl Agent you want to work with have Centrify DirectControl, version 4.2 or later installed.

Initializing DirectAuthorize for a zone


Before you can begin defining rights and roles, you must initialize DirectAuthorize to set up the authorization store in the Active Directory forest. To prepare the DirectAuthorize authorization store in Active Directory and begin controlling access to commands and applications through rights and roles:
1 Open the Centrify DirectControl Administrator Console.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

2 In the console tree, select Zones to display the list of zones.

3 Select a zone name, right-click, then click Properties. For example, select the default zone, right-click, then click Properties.

4 Click the DirectAuthorize tab.

5 Click Enforce rights and roles. The currently logged on user and the Domain Admins group are automatically added to the list of users and groups allowed to configure DirectAuthorize.

Note: If the Enforce rights and roles option is not available, you do not have the appropriate permissions to initialize DirectAuthorize. If you have permission to create zones, you should run the Zone Delegation Wizard and assign the Initialize data for DirectAuthorize task to your own account or other appropriate users and groups that should be allowed to perform this task.

Clicking Enforce rights and roles adds the authorization store to the zone and the Roles and Rights nodes to the Centrify DirectControl Administrator Console. It does not impact any existing users' access to computers in the zone. Only users who are assigned to roles or who are members of Active Directory groups assigned to roles have their rights enforced for computers in the zone. Users who are not assigned to roles when you click Enforce rights and roles can continue to perform operations as they did before until you assign them to one or more roles. This behavior is intended so that users are not prevented from logging on or performing protected operations unexpectedly. Once they are explicitly assigned one or more roles, their rights will depend on their currently active role(s) and the operations they can perform in the zone may change. Centrify recommends that you configure a limited set of rights, roles, and role assignments and test enforcement before expanding the scope across the user community.
6 Click Add to add users and groups to the list of users and groups who are allowed to define rights and roles for performing operations on computers managed by DirectControl. You must define at least one user or group with permission to configure DirectAuthorize. After initializing DirectAuthorize for the zone, you can add and remove users and groups from this list at any time. If you remove all users and groups from the list, however, you effectively disable DirectAuthorize and the ability to define rights and roles.

7 Select User or Group to specify the type of account to find.

8 Type a search string to find the user or group objects to add as rights administrators, select one or more objects from the results, then click OK to return to the DirectAuthorize tab.

9 Click OK to save the zone properties and close the Properties dialog box.
Once you have activated DirectAuthorize for a zone, you can expand the zone to display the Roles and Rights nodes. For example, if you activated DirectAuthorize for a zone named mission, you can expand the mission zone to display the Roles and Rights nodes in the Centrify DirectControl Administrator Console.

[Figure: DirectAuthorize nodes]

Defining specific rights


Rights describe specific operations that users in a given role are allowed to perform. You can define rights to control:
  Who has permission to run specific privileged commands in a zone. These rights provide functionality similar to the UNIX sudo command but are configured using DirectAuthorize settings and its authorization store rather than through a sudoers configuration file.
  Who can access which PAM applications in a zone.
  Who must use a restricted environment within a zone.
You can define rights and roles separately or at the same time because they are essentially intertwined. If you have clearly identified job functions and the operations required for each role, you may want to start by defining the roles and then add rights from within each role. If you have clearly identified the set of operations for which you want to control access, such as commands that should only be run as root or a similar privileged account, you may want to start by defining the rights that may be common across roles, then add them to those roles, as needed. Whether you start by describing roles or individual rights, the definitions and assignments are specific to the zone where you configure them. Once configured, though, you can export all or part of the information to a file and import it into other zones, as needed.

Configuring rights for access to PAM applications


To set up a right for access to a PAM application:
1 Open the Centrify DirectControl Administrator Console.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

2 In the console tree, select Zones to display the list of zones.

3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.

4 Click Rights to display the types of rights you can configure.

5 Select PAM Access, right-click, then click Add PAM Access Right.

6 Type the name of a PAM-enabled application and, if needed, a detailed description of the application, then click OK. You can use wildcards in the PAM Application Name to perform pattern matching for the application name. For example, you can specify *ftp* to match all PAM-enabled applications containing the string ftp, such as vsftpd, ftpd, and ftp.

The Application Name field supports glob pattern matching syntax. For example, the name can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([. . .]). For more detailed information about using wildcard patterns and glob syntax, see the glob man page.

Note: Specific application names depend on the application and the operating environment where the application is being accessed. For example, the following table lists several common PAM-enabled applications and the appropriate name to use for them on different platforms:
For this application, on these platforms, use this name:

telnet
  Common Linux platforms, such as Red Hat, Debian, SuSE, Centos, and Ubuntu, HP-UX, and Irix: login
  Sun Solaris: telnet
  VMware ESX, Oracle Linux, Scientific Linux: remote

ftp
  Common Linux platforms, such as Red Hat, Oracle Linux, and Scientific Linux, and VMware ESX: vsftpd
  Some Linux platforms, such as Debian, Centos, and Ubuntu, Sun Solaris, HP-UX, Irix: ftp

graphical desktop
  Common Linux platforms, such as Red Hat, Debian, Oracle Linux, Centos, Scientific Linux, and Ubuntu: gdm
  Sun Solaris and HP-UX: dtlogin
  SuSE and Irix: xdm

ssh
  Most platforms: sshd
  Debian and Ubuntu: ssh

Rights for these and other common PAM-enabled applications are predefined in the default DirectAuthorize environment, so that you can easily add them to roles, where appropriate. Depending on the specific operating environment and version you are using, however, you may need to modify the default application name. In addition to enabling access for specific PAM-enabled applications, you may want to add a right for enabling access to all PAM applications for users in administrative roles. You can do this by typing an asterisk (*) as the Application Name.

[Figure: You can use an asterisk (*) to allow access to all PAM-enabled applications]

7 Click OK to save the PAM access right.

Configuring restricted environment rights


To set up a right for a restricted environment:
1 Open the Centrify DirectControl Administrator Console.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

2 In the console tree, select Zones to display the list of zones.

3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.

4 Click Rights to display the types of rights you can configure.

5 Select Restricted Environments, right-click, then click New Restricted Environment.

6 On the General tab, type a name for the restricted environment and, if needed, a detailed description of what the restricted environment provides. For example, you may want to describe the type of operations allowed in this restricted environment or list the specific commands it supports.

7 Click the Commands tab, then click New.

8 On the General tab in the New Restricted Environment Command dialog box, type the command name, a detailed description, and the program's executable file, and select a method for matching the path of the command executable and the user account the command should run under.

For this Name

Do this Type a short descriptive name for the command. The command name is required and must not be more than 29 characters in length or contain any special characters, such as asterisks (*), slashes (\ /), question marks (?), or quotation marks (). Type a detailed description for the command. This field is optional.

Description

Chapter 9 Defining rights and roles

183

Defining specific rights

For this Command

Do this Type one or more commands you want to add as a new restricted environment commands. The Command is a required field and should include any parameters or options, as needed. Depending on the button you select below the Command field (Glob expressions or Regular expressions), you can use glob pattern matching syntax or extended regular expression syntax within the Command field. The default is glob pattern matching. For example, with glob pattern matching, the command can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([. . .]). You can also use an exclamation point (!) at the start of a command to disallow matching commands. For example, you can prevent users from specifying the program to use for viewing man pages (man P) that may allow them to use programs that are not allowed by specifying the following commands:
!man P* !man * -P* man

Note When using pattern matching, keep in mind that the path is always pre-pended to the command name. Therefore, doing something like using a caret (^) to match the first character of a command does not work because the pattern matches the first character of the path, not the first character of the command name. Commands that start with the exclamation point take precedence over others that dont. For example, if you type the commands !ls l and ls * users will be prevented from running the ls command with the -l option, even though ls * specifies that all options are allowed. If a command is followed by empty quotation marks (""), the command can only run without any options. For more detailed information about using wildcard patterns: With glob syntax, see the glob or glob(7) man page. With extended regular expressions, see the regcomp or regexec man page.

184

Administrators Guide

Glob expressions / Regular expressions: Specify the type of pattern matching to use for wildcard characters in the Command field and the Match path > Specific path field. Glob expressions, the default, specifies glob pattern matching syntax. The description of the Command field and the Match path field provides some examples of glob pattern matching. See the glob and glob(7) man pages for detailed information. Regular expressions specifies extended regular expression pattern matching. See the regcomp and regexec man pages for detailed information.

Match path: Select an appropriate path for matching the command name specified on the different operating environments you support. Select Standard user path to use the local operating system's common set of user directories to match the path of the command specified. Select Standard system path to use the directories the root user would normally get on the local operating environment to match the path of the command specified. Select Specific path if you want to define a custom set of locations for matching the path of the command specified. If you select this option, you can specify one or more paths, separated by a colon. Depending on the button you select above the Match path field (Glob expressions or Regular expressions), you can use wildcard patterns to generate matching path names. For example, with glob pattern matching, the path can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). The path must start with a slash (/), however, unless you are matching all paths (*). For example, if the command you specify is ls and you set the match path to *, the ls command from any path is allowed. If you set the Command to * and the match path to *, then any command from any path is allowed. For more information about using wildcard patterns to expand path names, see the glob or glob(7) man page, or for extended regular expression syntax, see regcomp and regexec.

Chapter 9 Defining rights and roles

185

Defining specific rights

Execute as: Select the user account the shell command should run as. Select User running the command to execute the command using the currently logged-on user's account. Select Specific user account and type the user account name if you want the command to be executed using a specific user account that is not the logged-on user's account.

If you are not configuring environment variables or additional execution attributes, you can click OK after setting the General properties for the command. If you want to configure environment variables or customize additional execution attributes, you can click Apply and go on to the next step.
9 Click the Environment tab if you want to configure the environment variables to use in the restricted environment.

To customize the environment variables used:

Select Reset environment variables if you want to reset the listed set of environment variables when the user runs the restricted environment command. In addition to the listed environment variables, the dzdo.env_keep configuration parameter in the centrifydc.conf file defines a default set of environment variables to retain from the current user's environment. If you select this option and want to specify additional environment variables to retain from the user's environment, click Add, type the environment variable name you want to retain, then click OK to keep the environment variable setting when the user runs the command.

Select Remove unsafe environment variables if you want to retain existing environment variables while removing a default set of unsafe environment variables when running the restricted environment command. The list of unsafe environment variables is defined by the dzdo.env_delete configuration parameter in the centrifydc.conf file. If you select this option, and want to specify additional environment variables to remove, click Add, type the environment variable name, then click OK to remove the specified environment variable setting when the user runs the command.

Select Add environment variables to define new environment variables to add when running the restricted environment command. Enter variables in a comma-separated list in the form name=value.
Note You can select Add environment variables and define new environment variables together with either of the other options.


10 Click the Attributes tab if you want to set other execution attributes for the command running in a restricted environment.

Preserve group membership: Check this option to retain the user's group membership while executing commands in a restricted environment.

Allow nested command: Check this option to allow the restricted execution environment command to start another program or open a new shell. You should uncheck this option if you want to prevent the command from starting another program or opening a new, unrestricted shell while executing an allowed command.

Umask value: Set the umask value to use for the restricted shell.

11 Click OK to save the new command in the current restricted environment.

12 Repeat Step 8 through Step 11 for each command you want to allow in the restricted environment.

13 When you are finished adding commands to the restricted environment, click OK to save the restricted environment.


Importing a default restricted environment

When you install DirectAuthorize on a computer, it includes a default restricted environment that provides access rights to a default set of basic commands that enables users to perform common operations such as copying files, listing directory contents, viewing man pages, and displaying the current working directory. If you want to use this default restricted environment as a starting point for creating your own customized restricted environment, you can import the BasicRestrictedEnvironment.xml file into a zone, then modify the list of commands allowed, as needed. By default, the BasicRestrictedEnvironment.xml file is located in the Centrify DirectControl installation directory, for example C:\Program Files\Centrify\Centrify DirectControl. To import the preconfigured restricted environment, select the zone name, right-click, then click All Tasks > Import DirectAuthorize Configuration and follow the prompts displayed to import the definitions from the BasicRestrictedEnvironment.xml file. For more information about importing rights and roles, see Exporting and importing rights and roles on page 209.
Modifying the default restricted environment

After importing the BasicRestrictedEnvironment, you can expand the Restricted Environments node to view it. If you want to modify the commands included, select BasicRestrictedEnvironment in the Centrify DirectControl Administrator Console, right-click, then click Properties. You can then click the Commands tab to add, remove, or modify the default list of commands allowed. For example:

Configuring rights for running privileged commands


To set up a privileged command right:
1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.

3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.


4 Click Rights to display the types of rights you can configure.

5 Select Privileged Commands, right-click, then click New Command.


6 On the General tab, type the command name, detailed description, and the program's executable file, and select a method for matching the path of the command executable.

Name: Type a short descriptive name for the command. The privileged command name is required and must not be more than 60 characters in length or contain any special characters, such as asterisks (*), slashes (\ /), question marks (?), or quotation marks ("). Note In most cases, the privileged command name is the same as, or similar to, the command executable name. For example, you might use uname, ps, or id to set up rights for the uname, ps, or id programs. If you plan to define a System Administrator role that allows assigned users to run any command as the root user, you may want to use All as the name of the privileged command, then use an asterisk (*) to indicate all commands in the Command field. For detailed instructions about setting up a System Administrator role with permission to execute all commands as root and access all PAM-enabled applications, see Creating a standard system administrator role in the Evaluation Guide.

Description: Type a detailed description for the command. This field is optional.


Command: Type one or more commands you want to add as new commands. The Command is a required field and should include any parameters or options, as needed. Depending on the button you select below the Command field (Glob expressions or Regular expressions), you can use glob pattern matching syntax or extended regular expression syntax within the Command field. The default is glob pattern matching. For example, with glob pattern matching, the command can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). You can also use an exclamation point (!) at the start of a command to disallow matching commands. For example, you can prevent users from specifying the program to use for viewing man pages (man -P), which could let them run programs that are not otherwise allowed, by specifying the following commands:
!man -P*
!man * -P*
man

Note When using pattern matching, keep in mind that the path is always prepended to the command name. Therefore, using a caret (^) to match the first character of a command does not work, because the pattern matches the first character of the path, not the first character of the command name. Commands that start with an exclamation point take precedence over commands that don't. For example, if you type the commands !ls -l and ls *, users are prevented from running the ls command with the -l option, even though ls * specifies that all options are allowed. If a command is followed by empty quotation marks (""), the command can only run without any options. For more detailed information about using wildcard patterns: with glob syntax, see the glob or glob(7) man page; with extended regular expressions, see the regcomp or regexec man page.


Glob expressions / Regular expressions: Specify the type of pattern matching to use for wildcard characters in the Command field and the Match path > Specific path field. Glob expressions, the default, specifies glob pattern matching syntax. The description of the Command field and the Match path field provides some examples of glob pattern matching. See the glob and glob(7) man pages for detailed information. Regular expressions specifies extended regular expression pattern matching. See the regcomp and regexec man pages for detailed information.

Match path: Select an appropriate path for matching the command name specified on the different operating environments you support. Select Standard user path to use the local operating system's common set of user directories to match the path of the command specified. Select Standard system path to use the directories the root user would normally get on the local operating environment to match the path of the command specified. Select Specific path if you want to define a custom set of locations for matching the path of the command specified. If you select this option, you can specify one or more paths, separated by a colon. Depending on the button you select above the Match path field (Glob expressions or Regular expressions), you can use wildcard patterns to generate matching path names. For example, with glob pattern matching, the path can contain a question mark (?) to represent any single character, an asterisk (*) to represent any string, including an empty string, or an expression enclosed by brackets ([...]). The path must start with a slash (/), however, unless you are matching all paths (*). For example, if the command you specify is ls and you set the match path to *, the ls command from any path is allowed. If you set the Command to * and the match path to *, then any command from any path is allowed. For more information about using wildcard patterns to expand path names, see the glob or glob(7) man page, or for regular expression syntax, see regcomp and regexec.
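The pattern rules described for the Command and Match path fields, modelled in Python as an added example (illustrative code, not Centrify's own matching implementation): each Match path entry is prepended to the command pattern before matching, patterns beginning with ! are checked first and win, and a name followed by "" permits no options. Using Python's fnmatch for glob matching, treating a bare command name as permitting any options, and the sample rules are all assumptions.

```python
"""Model of how a DirectAuthorize command pattern is evaluated (added example).

Not Centrify's implementation. Assumptions: glob matching uses Python's
fnmatch, each Match path entry is prepended to the command pattern before
matching (so a caret can never anchor on the command name), patterns that
start with "!" are evaluated first and take precedence, a bare command name
allows any options, and a name followed by "" allows none.
"""
import fnmatch
import posixpath
import shlex


def _split_invocation(invocation):
    """Split '/bin/ls -l /tmp' into ('/bin', 'ls', '-l /tmp')."""
    argv = shlex.split(invocation)
    directory, name = posixpath.split(argv[0])
    return directory, name, " ".join(argv[1:])


def _path_globs(match_path):
    """Turn the Match path field into a list of directory globs.

    '*' means any path; otherwise entries are colon-separated and, as the
    field description requires, must start with '/'.
    """
    if match_path == "*":
        return ["*"]
    globs = match_path.split(":")
    for g in globs:
        if not g.startswith("/"):
            raise ValueError("match path entry must start with '/': %r" % g)
    return globs


def _pattern_matches(pattern, path_glob, directory, name, args):
    """True if one Command pattern matches the invocation under one path glob."""
    tokens = shlex.split(pattern)            # 'pwd ""' -> ['pwd', '']
    name_pattern, arg_tokens = tokens[0], tokens[1:]
    # The path is always prepended to the command name before matching,
    # so a pattern such as '^ls' becomes '*/^ls' and can never match.
    full_pattern = path_glob + "/" + name_pattern
    if not fnmatch.fnmatchcase(directory + "/" + name, full_pattern):
        return False
    if not arg_tokens:                       # bare name: any options (assumption)
        return True
    if arg_tokens == [""]:                   # name "": only runs without options
        return args == ""
    return fnmatch.fnmatchcase(args, " ".join(arg_tokens))


def is_allowed(rules, match_path, invocation):
    """Evaluate a list of Command field patterns against a full invocation.

    Patterns beginning with '!' deny and take precedence over allow patterns.
    """
    directory, name, args = _split_invocation(invocation)
    path_globs = _path_globs(match_path)

    def matches(pattern):
        return any(_pattern_matches(pattern, g, directory, name, args)
                   for g in path_globs)

    deny = [r[1:] for r in rules if r.startswith("!")]
    allow = [r for r in rules if not r.startswith("!")]
    if any(matches(p) for p in deny):
        return False
    return any(matches(p) for p in allow)


if __name__ == "__main__":
    # Constructed sample rules following the man -P example from the guide.
    man_rules = ["!man -P*", "!man * -P*", "man"]
    print(is_allowed(man_rules, "/usr/bin:/bin", "/usr/bin/man ls"))            # True
    print(is_allowed(man_rules, "/usr/bin:/bin", "/usr/bin/man ls -P/bin/sh"))  # False
    print(is_allowed(["!ls -l", "ls *"], "*", "/bin/ls -l"))                    # False
```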


7 Click the Run As tab, then specify the users and groups allowed to run this privileged command. Select Any user if any user enabled for the zone can run the privileged command. Select User list if only specific user accounts listed can be used to run this privileged command. A user assigned to a role that includes this right can only run the privileged command under the listed user accounts. For example, if you select this option and specify the users root and ben, the command can be run as root or ben. By default, privileged commands run as root. If you select User list, click Add to add a new user name to the list of allowed users. The users a command can run as can be either Active Directory users with a UNIX profile in the zone or local UNIX user accounts. The user account that logs in and invokes the privileged command, however, must be associated with an Active Directory account. For example:


8 Click the Environment tab if you want to configure the list of environment variables to use or prevent from being used when running the privileged command. For example:

To customize the environment variables used:

Select Reset environment variables if you want to reset the listed set of environment variables when the user runs the privileged command. In addition to the listed environment variables, the dzdo.env_keep configuration parameter in the centrifydc.conf file defines a default set of environment variables to retain from the current user's environment. If you select this option and want to specify additional environment variables to retain from the user's environment, click Add, type the environment variable name you want to retain, then click OK to keep the environment variable setting when the user runs the command.

Select Remove unsafe environment variables if you want to retain existing environment variables while removing a default set of unsafe environment variables when running the privileged command. The list of unsafe environment variables is defined by the dzdo.env_delete configuration parameter in the centrifydc.conf file. If you select this option, and want to specify additional environment variables to remove, click Add, type the environment variable name, then click OK to remove the specified environment variable setting when the user runs the command.
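The Environment tab options (Reset, Remove unsafe, and Add environment variables), as described here and for restricted environment commands earlier, modelled in Python as an added example; this is not Centrify's dzdo code. The DEFAULT_ENV_KEEP and DEFAULT_ENV_DELETE lists are constructed stand-ins for dzdo.env_keep and dzdo.env_delete, not the product's real defaults, and treating Reset and Remove unsafe as mutually exclusive is an assumption.

```python
"""Model of the Environment tab options for a privileged command (added example).

Not Centrify's dzdo implementation. Reset is an allow-list (only the keep
list survives), Remove unsafe is a deny-list (everything but the delete list
survives), and Add applies on top of either mode.
"""

# Constructed stand-ins for dzdo.env_keep / dzdo.env_delete (not real defaults).
DEFAULT_ENV_KEEP = ["HOME", "LANG", "TERM"]
DEFAULT_ENV_DELETE = ["LD_PRELOAD", "LD_LIBRARY_PATH", "IFS"]


def parse_added_variables(spec):
    """Parse the Add environment variables field: 'NAME=value,NAME2=value2'."""
    added = {}
    if not spec:
        return added
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError("expected name=value, got %r" % item)
        added[name.strip()] = value
    return added


def build_environment(user_env, reset=False, remove_unsafe=False,
                      extra_keep=(), extra_delete=(), add_spec=""):
    """Compute the environment a privileged command would receive.

    user_env:      the invoking user's environment (dict)
    reset:         Reset environment variables; extra_keep adds to the keep list
    remove_unsafe: Remove unsafe environment variables; extra_delete adds to
                   the delete list
    add_spec:      comma-separated name=value pairs added in either mode
    """
    if reset and remove_unsafe:
        raise ValueError("choose either reset or remove_unsafe, not both (assumption)")
    if reset:
        keep = set(DEFAULT_ENV_KEEP) | set(extra_keep)
        env = {k: v for k, v in user_env.items() if k in keep}
    elif remove_unsafe:
        delete = set(DEFAULT_ENV_DELETE) | set(extra_delete)
        env = {k: v for k, v in user_env.items() if k not in delete}
    else:
        env = dict(user_env)
    env.update(parse_added_variables(add_spec))
    return env


if __name__ == "__main__":
    # Constructed sample environment for a user about to run a privileged command.
    sample = {"HOME": "/home/carol", "TERM": "xterm", "LANG": "C",
              "LD_PRELOAD": "/tmp/x.so", "EDITOR": "vi"}
    print(build_environment(sample, reset=True, extra_keep=["EDITOR"],
                            add_spec="APP_MODE=prod, DEBUG=0"))
    print(build_environment(sample, remove_unsafe=True, extra_delete=["EDITOR"]))
```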
9 Click the Attributes tab to set other execution attributes for the user account running the privileged command.

Authentication required: Check this option to require the user to be authenticated before running a privileged command. If authentication is required, specify whether the password used should be the password for the logged-on user or the target run-as user.

Preserve group membership: Check this option to retain the user's group membership while executing a privileged command.


Allow nested command execution: Check this option to allow the privileged command to start another program or open a new shell. You should uncheck this option if you want to prevent the privileged command from starting another program or opening a new, unrestricted shell while executing an allowed command.

Umask value: Set the umask value to use for the privileged command or shell to be executed.

10 Click OK to save the privileged command right.

Creating roles for job functions in a zone


Rights control the specific operations, tasks, or environments you want to grant or deny access to. Roles describe job functions that require a specific set of rights, and, if applicable, the specific days and times the role should be available for performing the operations allowed. To create a new role and assign rights to it:
1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.


3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.

4 Select Roles, right-click, then click Add Role.

5 On the General tab, type the role name and description. For example:

6 If you want to restrict when this role is available, click Available Times, then select the days and times to allow or deny access for users assigned to the role. For example, to prevent users from performing the operations defined for the role on weekdays before 7:00 AM, weeknights after 10:00 PM, and on Saturdays and Sundays, you could set the available times like this:

7 Click the PAM Access tab, then click Add.

8 Select the appropriate PAM applications from the list of available PAM applications, then click Add to add the selected applications to the role. Alternatively, you can click New to create a new PAM access right for this role. Once you create the new PAM access right, it is added to the list of Available Applications for the zone.

Note You should keep in mind that the list of available applications that can be assigned to roles is maintained on a zone-specific basis.

You can use wildcards to perform pattern matching for the PAM application name. For example, you can specify *ftp* to match all PAM-enabled applications containing the string ftp, such as vsftpd, ftpd, and ftp. To allow a role to access all PAM-enabled applications, use an asterisk (*) as the application name.

9 Click the Command Access tab, then select the type of command access you want the role to provide. If you want users in this role to use a restricted environment DirectAuthorize shell (dzsh) with a limited set of commands available, click Use restricted environment, then select the restricted environment to use from the list of restricted environments you have defined.


If you want users in this role to be able to run privileged commands, click Privileged commands, then click Add. You can then select the appropriate privileged commands from the list of available privileged commands and click Add to add the selected privileged commands to the role. Alternatively, you can click New to create a new privileged command right for this role. Once you create the new privileged command, it is added to the list of Available Privileged Commands for the zone. You can then add the new privileged command to the role.

Note You should keep in mind that the list of available privileged commands that can be assigned to roles is maintained on a zone-specific basis.

10 Click OK to save the changes to the role and close the dialog box.

Assigning users and groups to a role


To assign users and groups to a role in a zone:
1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.

3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the mission zone to display the Roles and Rights objects.


4 Select Roles, then select the role name to which you want to assign users and groups. For example, select the dc_admins role from the list of roles displayed:

5 Right-click, then select Assign Users and Groups.

6 Select the type of object to search for from the Find list. For example, select User to find user account objects or Group to find group account objects.
7 Type a search string to locate the user or group account, then click Find Now. For example, type per to display the Performix Admins, Performix Contractors, and Performix Employees groups.
8 Select one or more objects in the results, then click OK.

Note You can assign any Active Directory user to a role. If the user does not have a profile defined in the current zone, a warning message is displayed. You can continue with the role assignment and add a profile for the user to the zone later to ensure that the role controls the operations the user can perform. If you are assigning an Active Directory group to a role, however, you may want to check whether the members of the group have profiles defined in the current zone to determine whether any profiles need to be added. There's no warning message for group members without a profile in the zone.

9 Review the role assignment settings for the user or group you selected and make any changes necessary, then click OK. For example, uncheck Start immediately to select a specific date for the role to become active and uncheck Never expires to select a specific date for the role to expire.

Note By default, assigning a user or group to a role defines the operations the user or group can perform across all computers in the zone whenever that role is active for that user or group. Alternatively, you can limit the scope of a role assignment for a user or group to one or more specific computers within a zone.

Limiting the scope of a role to a specific computer


In some cases, you may want to limit the scope of a role assignment for a user or group to one or more specific computers within a zone. For example, you may want to assign the user Rey to the Web_Admin role only on the computer maverick to give that user specific rights that only apply to that computer and to no other computers in the zone. To assign users and groups to a role on a specific computer:
1 Open the Centrify DirectControl Administrator Console.


If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.

3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the default zone.
4 Click Computers, then select the computer name to which you want to assign users and groups. For example, select the magnolia computer object:

5 Click Role Assignments to display the list of roles defined for the zone.

6 Select the appropriate role name, right-click, then select Assign Users and Groups.

7 Select the type of object to search for from the Find list. For example, select User to find user account objects or Group to find group account objects.

8 Type a search string to locate the user or group account, then click Find Now. For example, type per to display the Performix Admins, Performix Contractors, and Performix Employees groups.
9 Select one or more objects in the results, then click OK.

Note You can assign any Active Directory user to a role. If the user does not have a profile defined in the current zone, a warning message is displayed. You can continue with the role assignment and add a profile for the user to the zone later to ensure that the role controls the operations the user can perform. If you are assigning an Active Directory group to a role, however, you may want to check whether the members of the group have profiles defined in the current zone to determine whether any profiles need to be added. There's no warning message for group members without a profile in the zone.
10 Review the role assignment settings for the user or group you selected and make any changes necessary, then click OK. For example, uncheck Start immediately to select a specific date for the role to become active and uncheck Never expires to select a specific date for the role to expire.

Working within assigned roles


The rights you assign to users and groups in a particular role only apply to profiles associated with Active Directory users and groups. DirectAuthorize does not check or enforce rights for locally-defined users and groups. Once you have initialized DirectAuthorize by clicking Enforce rights and roles for at least one zone in the forest and defined rights, roles, and role assignments for that zone, you can verify enforcement by logging on as a user with a specific role assignment and testing the operations the user can perform, or by running dzinfo username --test command to check whether a user has permission to run a specified command. Users and groups not assigned to roles in the zone are not affected in any way. If you want to use DirectAuthorize in additional zones, you need to manually set the Enforce rights and roles zone property for those zones. Once this property is set for a zone to set up its authorization store, you can uncheck the option to temporarily stop the enforcement of rights and roles for the users in a selected zone, if needed.

Using privileged commands


If a user is assigned to a role that includes privileged command rights, the user can run those privileged commands by invoking the dzdo command, any command line options, and the privileged command name. The dzdo command provides functionality similar to the UNIX sudo command to enable a user to execute a command using another user account. For example, you can define reboot as a privileged command that users can execute using the root user account. A user assigned to a role that includes this right can then execute the command as root by typing a command similar to the following:
dzdo reboot

The basic syntax for dzdo is:
dzdo [options] command

For more information about running dzdo and using dzdo command line options, see Using dzdo on page 487 or the dzdo man page. The dzdo command does not interfere or interoperate with any UNIX sudo operation or sudoers configuration. Any existing configuration remains in effect and is unaffected by DirectAuthorize.


Using PAM-enabled applications


If a user is assigned to a role that includes PAM application rights, the user can only access the authorized PAM-enabled applications. For example, users who are assigned to a role that includes the right to access FTP (ftpd) can connect to the FTP server by typing a command similar to the following:
ftp ginger.ajax.org

Using a restricted environment shell


If a user is only assigned to roles that use a restricted environment, the user can only access the specific commands that have been defined for each of those restricted environments. When the user who only has access to restricted environments logs on to the console or opens a new terminal in a desktop environment, a customized DirectAuthorize shell (dzsh) is opened. The dzsh shell is a Bourne-based shell that provides the subset of commands the user is allowed to run and automatically runs each allowed command as the user it is configured to run as. If the user attempts to run a command he is not authorized to use in his current role, the shell displays a warning. For example, if the user is not authorized to run the uname command, the following message is displayed:
$ uname
uname: command not allowed

Setting or changing the active role

Users who are only assigned to one or more restricted environment roles are only allowed to run commands within the DirectAuthorize shell (dzsh). Within the DirectAuthorize shell, a user can only be in one active role at a time, to prevent ambiguity about the commands the user can run or the user account that should be used to execute those commands. For example, if the user carol is assigned to the lab_staff restricted environment role, which specifies that the tar command should run as root, and to the temps restricted environment role, which specifies that the tar command should run as tmp_admin, she needs to specify which role she is using for DirectAuthorize to run the tar command under the proper account. Within the DirectAuthorize shell, users can switch between available restricted environment roles, as needed, using the built-in role command. If a user has been assigned to the Backup Operators (backup_ops) role and the DirectAuthorize Managers (dz_managers) role, he can run the role command to specify which role should be active so that only commands from that role apply. For example, to switch from the backup_ops role to the dz_managers role:
$ role dz_managers
Role changed to: dz_managers

For more information about using the role option in a DirectAuthorize shell (dzsh), see the man page for dzsh.
Viewing available roles

The dzinfo command enables users to view information about the roles they have available and what they are allowed to do within their different roles. You may want to add this command to all of your restricted environment roles to allow users to check their definitions and availability within the DirectAuthorize restricted environment shell. For more information about using the dzinfo command, see the man page for dzinfo.
Using a graphical desktop manager in a restricted environment

In some operating environments, users who are placed into a restricted environment may not be able to log on using a graphical user interface desktop manager unless they are explicitly given permission to run the desktop manager or related commands within the dzsh restricted environment. For example, on Red Hat Linux, users must be allowed to run /usr/bin/dbus-launch to log on using the KDE or Gnome desktop manager. To allow restricted environment users to log on using KDE or Gnome on Red Hat, you must add dbus-launch to the list of allowed commands for the restricted environment user's role. If you want to prevent restricted environment users from logging on using the graphical user interface, you can restrict their access to specific PAM-enabled applications such as ssh and telnet.

Cloning and renaming a role


You can create a new role in a zone by copying an existing role, then modifying its properties. To copy an existing role to create a new role:
1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.

3 Select a zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the default zone.

4 Select Roles, then select the name of the role you want to copy.

5 Right-click, then click Clone.

6 Select the Copy of the role name you selected, right-click, then click Rename and type a new name for the role.

7 Select the renamed role name, right-click, then click Properties to modify any of the settings for the cloned role.

Exporting and importing rights and roles


Once you have defined rights, roles, and role assignments in one zone, you can export part or all of that information to a file, then import the information into a new zone and modify it as needed. For example, you can choose to export all the rights you have defined in one zone but create a completely new set of roles for those rights in the import zone.

Exporting a zone's rights and role definitions


To export rights, role definitions, and role assignments:
1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.

3 Select the zone name where you have defined the DirectAuthorize information you want to export, right-click, then click All Tasks > Export DirectAuthorize Configuration.

4 At the Welcome page, click Next.

5 Select the information you want to export, then click Next. For example, to export all of the information, click All to select all rights, role definitions, and role assignments:


6 Click Browse to specify a location and file name for the export file, then click Next. For example:

7 Review the information to be exported, then click Finish.

Importing rights and role definitions into a new zone


To import rights, role definitions, and role assignments:
1 Open the Centrify DirectControl Administrator Console.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select the zone name into which you want to import DirectAuthorize information, right-click, then click All Tasks > Import DirectAuthorize Configuration.
Note
You must initialize DirectAuthorize for the zone before you can import DirectAuthorize rights, roles, or role assignments. If you cannot select Import DirectAuthorize Configuration, initialize DirectAuthorize for the zone before continuing.
4 At the Welcome page, click Next.
5 Click Browse to navigate to the file that contains the DirectAuthorize information you want to import, then click Next.
6 Select the information you want to import, then click Next. For example, to import only Privileged Commands and PAM Access rights, click Privileged Commands and PAM Access.
7 Review the information to be imported, then click Finish.


Modifying rights, roles, and role assignments


If you make changes to rights, roles, or role assignments in DirectAuthorize, you need to flush the Centrify DirectControl cache for the change to take effect. After making a change in DirectAuthorize:
1 Log on or switch to the root user on the DirectControl-managed computer.
2 Run the adflush command to clear the DirectControl cache. For example:
# /usr/sbin/adflush

Viewing rights and roles


DirectAuthorize allows you to view the status and effective rights for any user in a zone, whether they have been assigned a role or not. You can view detailed information about the rights and role assignments for users in the following ways:
- Using the Show User Rights command in the Centrify DirectControl Administrator Console.
- Running the dzinfo command line program on any DirectControl-managed computer.
You can view summary information about the rights and roles defined for multiple zones in a forest by running the User Privileged Command Rights or User Role Assignment reports.

Displaying rights for an individual user in the console


To view the status, role assignments, privileged commands, and PAM access rights for a user in the Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.
2 In the console tree, select Zones to display the list of zones.
3 Select the zone name in which you have activated DirectAuthorize and expand the zone. For example, expand the default zone.
4 Select Users, right-click, then select All Tasks > Show User Rights.
5 Type criteria to find a user, then click Find Now.
6 Select a user in the results, then click OK to display that user's rights.
7 Click the Privileged Commands tab to view a list of the privileged commands the user has permission to run, including the target user under which the command runs and the role where the permission to run the command is granted.
8 Click the PAM Access tab to view a list of the PAM-enabled applications the user has permission to run and the role where the permission to run the application is granted.

Checking user rights with the dzinfo program


DirectAuthorize also provides a command line program, dzinfo, to enable you to view roles and rights on DirectControl-managed computers. The dzinfo program enables you to view roles and rights for one or more specific users or for the currently logged on user. Running the dzinfo program to view roles and rights for specific users requires root permission. Therefore, you may want to create a privileged command for dzinfo to allow administrators to view rights and roles for other users. The program does not require root permission to view rights and roles for the currently logged on user.

To view roles and rights for a specific user:
1 Log on or switch to root on a DirectControl-managed computer.
2 Run the dzinfo command for a specific user with the username in the command line. For example, to see the rights and roles assigned to the user sonya:
dzinfo sonya
Alternatively, if you have defined a privileged command to run the dzinfo command as root, you can invoke the program using dzdo. For example:
dzdo dzinfo sonya
If roles and rights have been configured for the user, the command displays information similar to the following:
Zone Status: DirectAuthorize is enabled
User: sonya
Forced into restricted environment: Yes

Role Name          Avail  Restricted Env
-----------------  -----  --------------
role-Lab Staff     Yes    rs-lab_staff

PAM Application    Avail  Source Roles
-----------------  -----  ----------------------------
login              Yes    role-Lab Staff
sshd               Yes    role-Lab Staff
gdm                Yes    role-Lab Staff

Privileged commands:
Name             Avail  Command                        Source Roles
---------------  -----  -----------------------------  ----------------
(molly has no privileged command rights)

Commands in restricted environment: rs-lab_staff
Name                    Avail  Command                        Run As
----------------------  -----  -----------------------------  ---------
rs-lab_staff-whoami     Yes    whoami                         self
rs-lab_staff-pwd        Yes    pwd                            self
rs-lab_staff-uname      Yes    uname                          tim
rs-lab_staff-who        Yes    who                            self
rs-lab_staff-groups     Yes    groups                         self

You can run dzinfo without parameters to see the roles for the current user. To see more detailed information, such as the days and times a role is available, you can use the --verbose option. For example, to see detailed information for the currently logged on user, you could type the following command:
dzinfo --verbose

You can also use the dzinfo program to test whether a user has the right to run specific commands. For more information about using dzinfo and the dzinfo command line options, see the dzinfo man page.
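As an added illustration that is not part of the Centrify guide, the following POSIX shell script reviews a dzinfo report for the two things an administrator usually checks first: whether the user is forced into a restricted environment, and which restricted-environment commands run under an account other than the user's own. It assumes the text layout dzinfo prints above; the sample report embedded in the script is constructed to match that layout rather than captured from a real system, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Centrify guide: summarise the parts of a
# dzinfo report an administrator reviews first. Assumes the text layout
# shown in the guide; SAMPLE_DZINFO below is constructed, not captured.

# Constructed sample of "dzinfo sonya" output in the guide's layout.
SAMPLE_DZINFO='Zone Status: DirectAuthorize is enabled
User: sonya
Forced into restricted environment: Yes

Role Name          Avail  Restricted Env
-----------------  -----  --------------
role-Lab Staff     Yes    rs-lab_staff

PAM Application    Avail  Source Roles
-----------------  -----  --------------
login              Yes    role-Lab Staff
sshd               Yes    role-Lab Staff

Privileged commands:
Name             Avail  Command        Source Roles
---------------  -----  -------------  --------------
(sonya has no privileged command rights)

Commands in restricted environment: rs-lab_staff
Name                    Avail  Command     Run As
----------------------  -----  ----------  ---------
rs-lab_staff-whoami     Yes    whoami      self
rs-lab_staff-uname      Yes    uname -a    tim
rs-lab_staff-pwd        Yes    pwd         self'

# Exit 0 when the report says the user is forced into a restricted
# environment, non-zero otherwise. Reads dzinfo text on stdin.
forced_restricted() {
    grep -q '^Forced into restricted environment: Yes'
}

# Prints "name<TAB>command<TAB>runas" for every available command in a
# "Commands in restricted environment" table whose Run As is not "self",
# i.e. the commands that execute under another account. Reads stdin.
escalating_commands() {
    awk '
        /^Commands in restricted environment:/ { in_table = 1; header_done = 0; next }
        in_table && /^-+/                       { header_done = 1; next }
        in_table && /^[[:space:]]*$/            { in_table = 0; next }
        in_table && header_done && $2 == "Yes" && $NF != "self" {
            # The command may contain spaces: join fields 3 .. NF-1.
            cmd = $3
            for (i = 4; i < NF; i++) cmd = cmd " " $i
            printf "%s\t%s\t%s\n", $1, cmd, $NF
        }
    '
}

# Stand-alone demo: with a username argument, review live dzinfo output
# (run as root or through dzdo); with no argument, review the sample.
if [ $# -gt 0 ]; then
    report=$(dzinfo "$1")
else
    report=$SAMPLE_DZINFO
fi
if printf '%s\n' "$report" | forced_restricted; then
    echo "user is forced into a restricted environment"
fi
echo "restricted-environment commands that run as another user:"
printf '%s\n' "$report" | escalating_commands
```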

Running reports for roles and rights


To view information about rights and role assignments, you can run the following default report definitions or create your own custom reports:
- The default User Privileged Command Rights report lists the privileged commands that have been defined for each user in each zone where rights and roles are enforced. The report includes the domain name, user profile name, name of each privileged command, the scope to which the role assignment applies, and the description of the right.
- The default User Role Assignments report lists the role assignments for each user in each zone where rights and roles are enforced. The report includes the domain name, user profile name, the list of roles the user is assigned to in each zone, and the scope to which the user's role assignment applies.
For more information about generating and working with reports, see Generating predefined and custom reports on page 231.


Chapter 10

Managing license containers and keys


This chapter describes how to update and manage Centrify DirectControl license keys for servers, workstations, and supported applications. The following topics are covered:
- Understanding how licensing works
- Adding license containers
- Assigning a specific license container to a zone
- Viewing the license summary
- Adding license keys
- Removing a license key
- Running reports for licenses

Understanding how licensing works


For Centrify DirectControl, licensing is based on the number of servers and workstations you authorize for access, but license validation does not impact the operation of any production systems. Instead, license validation is handled through the Centrify DirectControl Administrator Console so that the administrator is notified if there are not enough license keys to cover the number of Centrify DirectControl-managed systems. With this licensing enforcement model, the Centrify DirectControl Administrator Console always checks for license keys at startup to verify that there are enough license keys installed for all UNIX computers with valid accounts in Active Directory. If the number of servers and workstations with valid accounts in Active Directory exceeds the total number of licenses you have purchased, the Centrify DirectControl Administrator Console displays the Manage Licenses dialog box to enable you to add license keys. Once you have installed enough license keys to cover all the configured UNIX, Linux, or Mac OS X computers, the Centrify DirectControl Administrator Console opens normally at startup and allows you to perform all of the normal administrative tasks.

Understanding license types


In Centrify DirectControl, licenses are issued based on how a computer is used. For example, a computer can be licensed as a workstation or a server, and as a standard UNIX server or as an application server. The following types of licenses are available:
- Workstation Licenses permit a specific number of UNIX workstations to be available to Active Directory users who log on to the UNIX shell. Workstation licenses are intended for computers that are used interactively by one or two concurrent users who log on using standard UNIX services such as telnet and ftp, but that do not host applications accessed by multiple users.
- Server Licenses permit a specific number of UNIX servers to be available to Active Directory users accessing server-based applications. Server licenses are for computers that are accessed by multiple concurrent users and typically host a specific type of application.
- Application Licenses permit UNIX servers to be available for Active Directory users accessing specific applications hosted on UNIX servers.

Understanding license keys


Every Centrify DirectControl installation includes an evaluation license that allows you to use Centrify DirectControl for a specific number of days. If you purchase Centrify DirectControl, you are provided with permanent license keys that replace any evaluation keys and identify the specific Centrify DirectControl licenses you have purchased. Your capacity for enabling access for standard UNIX services or applications is defined by the total of all of the licenses you purchase and install. For example, if you install three valid license keys that each enable 100 workstations for UNIX login access, you have a total of 300 workstation login licenses available. Each license you purchase has a 24-character registration key that specifies:
- The type of license granted by the key.
- The total number of computers that may be enabled under this key's license. If this is an evaluation key, the number of computers is unlimited, but the license count is displayed as zero (0) to indicate no computers are licensed under the evaluation key.
- The time limit for the key. If the license is a permanent license key, the time limit is not applicable. If the license is an evaluation key, the time is set to 30 days.
Because each license key specifies a set number of computers, it's common to receive multiple license keys. You can provide these license keys when you install Centrify DirectControl on Windows or after installation using the Centrify DirectControl Administrator Console. For information about using the Centrify DirectControl Administrator Console to add licenses, see Adding license keys on page 227.

Adding license containers


When you run the Setup Wizard the first time, you are prompted to create a Licenses container object because you must have at least one Licenses container in the forest into which you install license keys. It is also possible to add License containers to the forest and use those additional containers to control who can use which license keys. For example, you may want to create one license container for application servers and another for workstation licenses. You can then set permissions on the container objects to prevent the workstation administrators from installing the application server license keys and the application server administrators from installing the workstation license keys in their respective containers. To add a new license container object:
1 Open Centrify DirectControl Administrator Console.
2 In the console tree, right-click Centrify DirectControl, then click Manage Licenses.
3 Click the Update tab.
4 In the License container section, click Add.
Click Add to add a new license container object to Active Directory
5 Browse to select a location for the new license container, then click Create.
6 Select either container or organizational unit to indicate the type of object to create, type a name for the new license container object, and click OK.
7 Click OK to close the Browse for container dialog box.
8 When prompted to confirm the creation of the container object, click Yes to add the license container to Active Directory.
9 Click Permissions to assign Read License and Modify License permissions to specific users or groups. The users or groups that you give the Modify License permission to can then add license keys to the new license container.

Assigning a specific license container to a zone


If you choose to use more than one license container in the forest, you can assign a specific license container to an individual zone. This option is useful if you want to manage zones independently with each zone using its own set of license keys rather than having all zones use a common pool of licenses. If you assign a specific license container to a zone, however, only the license keys installed in that container can be used for the computers in that zone. For example, if you create a license container object named ajax.org/Performix Licenses, add a license key for 10 Workstation licenses to that container, and assign that container to the Performix Division zone, only ten workstation licenses are available for the computers you add to the Performix Division zone. If more than ten computers join the Performix Division zone, your licensing reports will indicate you are not in compliance. To assign a license container to a zone:
1 Open the Centrify DirectControl Administrator Console.
2 If prompted to connect to a forest, specify a domain controller, and, if needed, the user credentials for connecting to the domain controller, then click OK.
3 In the console tree, select Zones to display the list of zones.
4 Select a zone and right-click, then click Properties.
5 On the General tab, select a specific Licenses container from the list of available License containers for the zone to use, then click OK.
Select a License container from the list of available License containers
For more information about setting zone properties, see Managing zones on page 55.

Viewing the license summary


As discussed in Understanding how licensing works on page 219, licenses are issued for servers, workstations, and applications to enable specific activities such as permission to log in to the UNIX shell or permission to use specific applications on a UNIX computer. To see a summary of the licenses you have installed and activated, including the type of license, the number of computers covered by the license, and the number of licenses currently being used:
1 Open Centrify DirectControl Administrator Console.
2 In the console tree, right-click Centrify DirectControl, then click Manage Licenses.
3 Click the Summary tab.
4 Select All license containers to see a summary of all of the licenses installed in all of the license containers defined in the forest.
The Computers section lists the total number of UNIX shell workstation and server licenses you have installed and activated with licensing keys. Because the number of UNIX shell licenses includes workstations and servers, the Licensed value represents the maximum number of computers authorized to join Active Directory domains in the current forest if All license containers is selected. The number of Used licenses indicates the number of computers currently joined to Active Directory domains that allow access to a UNIX shell or applications.
The Applications section lists the total number of application licenses of each application type you have installed and activated with licensing keys. The number of Used licenses indicates the number of computer accounts for which you have enabled access to applications.
If you want to see licensing information for a specific license container, select the container from the list of available License containers.
Select a specific license container to view only information about the licenses in that container
If you select a specific license container, the Licensed value only represents the number of licenses available in the selected container and the number of Used licenses only represents the licenses used in the zones that are associated with the selected container.

Adding license keys


If you need to add license keys to enable more computers to join the domain:
1 Open Centrify DirectControl Administrator Console.
2 In the console tree, right-click Centrify DirectControl, then click Manage Licenses.
3 Click the Update tab.
4 Select the appropriate License container from the list of available license containers.
Select the License container to which you want to add keys
5 In the License keys section, click Add.
6 Type the new license key, then click OK.
7 Click the Summary tab to view the installed licenses. Note that license keys are Licensed, that is, available to be used, until you begin adding computers to the domain.
8 Click OK.

Removing a license key


If you want to delete a license key you have previously installed:
1 Open Centrify DirectControl Administrator Console.
2 In the console tree, right-click Centrify DirectControl, then click Manage Licenses.
3 Click the Update tab.
4 Select the license key you want to remove.
5 Click Remove, then click OK.

Running reports for licenses


To view information about the licenses you have installed and used, you can run the following default report definitions or create your own custom reports:
- The License Summary Report lists the total number of each license type you have installed. For each type of license, you can see the number of computers covered by the license, the number of licenses used, and the number of licenses you still have available.
- The License Detail Report lists the specific computers licensed as UNIX workstations and application servers.
For more information about generating and working with reports, see Generating predefined and custom reports on page 231.


Chapter 11

Generating predefined and custom reports


The Centrify DirectControl Administrator Console includes a Report Center with several default reports that provide summarized and detailed information about users, groups, computers, zones, and licenses. The Report Center also provides a Report Wizard that you can use to modify the content or format of any default report or create your own custom reports. This chapter describes how to view, modify, and save report results in the Report Center and how to use the Report Wizard to create your own report definitions. The following topics are covered:
- Understanding the importance of reports
- Understanding the default report definitions
- Understanding current and snapshot results
- Generating a report from current or saved results
- Creating and modifying report definitions
- Exporting and importing report definitions
- Configuring SMTP for emailing reports

Understanding the importance of reports


Reports provide you with information about the users, groups, computers, and zones you are managing and the properties associated with them. They can be useful for auditing who has access to different systems, the availability of licenses, and the current status of accounts. Reports can also be used as a way to periodically check the integrity of zones across the Active Directory forest and to verify which users have permission to perform specific tasks. Reports can help simplify accounting and auditing of user access and provide the information you require for capacity planning and regulatory compliance. For any report you create you can choose different ways to filter, group, sort, and format the information included. You can also choose to save reports in different file formats so they can be displayed on web sites or imported into other programs.

Understanding the default report definitions


Centrify DirectControl includes several default report definitions that you can use to generate commonly requested reports out-of-the-box without modifications or use as a basis for customized reports of your own. These default report definitions are listed under the Report Center node in the Centrify DirectControl Administrator Console.

The default report definitions provide the following information if you run them unmodified:

Authorization Report for Computers
    Lists each computer in the zone and indicates which users are allowed to access each computer. The report includes details from the user's UNIX profile for each user listed, including the user's Active Directory user name, UNIX user name, zone, UID, shell, home directory and primary group.

Authorization Report for Users
    Lists each user account in the zone and includes details from the user's UNIX profile for each user listed, including the user's UNIX user name, zone, UID, shell, home directory and primary group.

Computers Report
    Lists computer account information for each computer in each zone, including the computer account name in Active Directory, the computer's DNS name, the computer's operating system, and the version of the Centrify DirectControl Agent installed on the computer, if available.

Groups Report
    Lists group information for each group in each zone, including the Active Directory group name, the UNIX group name, the UNIX group identifier (GID), and whether the group is an orphan.

License Detail Report
    Lists the computers that have been licensed for each type of license. With this report, you can see which computers have been licensed as UNIX workstations and which are licensed as application servers.

License Summary Report
    Lists the number of application, computer, and evaluation licenses you have installed and activated with licensing keys, including the total number of each license type, the number of licenses in use, and the number of licenses still available.

User Account Report
    Lists account details for the users that have UNIX profiles in each zone. The report includes the Active Directory display name, the Active Directory logon name, the Active Directory domain for the account, and details about the account status, such as whether the account is configured to expire, locked out, or disabled and the date and time of the account's last logon.

User Privileged Command Rights
    Lists the privileged commands that each user has permission to run and the scope to which the user's rights apply. The report is sorted by user name and zone for the zones where rights and roles are enforced.

User Role Assignments
    Lists the role assignments for each user in each zone. The report includes the domain name, user profile name, the list of roles the user is assigned to in each zone, and the scope to which the user's role assignment applies.

Users Report
    Lists information from the UNIX profile for each user in each zone. The report includes the user's Active Directory user name, UNIX user name, UID, shell, home directory and primary group.

Zone Delegation Report
    Lists the administrative tasks for each zone and the users or groups that have been delegated to perform each task. This report indicates which users or groups have permission to perform specific tasks, such as add groups, join computers to a zone, or change zone properties.

Zones Report
    Lists the zone properties for each zone. The report includes the zone name, list of available shells, the default shell, the default home directory path, the default primary group, the next available UID, reserved UIDs, the next available GID, and reserved GIDs.


Understanding current and snapshot results


Each report definition can be used to retrieve a current report of live data at any point in time. You can also use the report definition to take a snapshot of the live data and save the result retrieved in a dated report that can be accessed later. For example, you may want to take a weekly or monthly snapshot of data to compare the results of a specific report over time.

Retrieving current results


Centrify DirectControl retrieves the current results the first time you click the Current node for any report definition. When you click Current the first time, Centrify DirectControl retrieves the appropriate information from Active Directory as it exists at that moment. The results are not updated continuously, however. You can refresh the current results at any time by selecting Current, right-clicking, then clicking Refresh. To retrieve the current results for an existing report definition:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Expand the report definition name for which you want to retrieve results, then click Current. For example, to retrieve the current information for the Users Report, expand the Users Report report definition, then click Current.
Depending on the report definition, the results may be nested under the Current node. For more information about viewing results in the Centrify DirectControl Administrator Console, see Viewing current or saved results in the console on page 236. For information about generating report output from the results, see Generating a report from current or saved results on page 237.


Taking a snapshot of results


The current data for any report definition is subject to change as you add or delete accounts or change account properties. In some cases, however, it is useful to have historical reports that capture data at specific points in time, for example, for quarterly reports or year-end analysis. To save the results from a report so they can be accessed later, you can create a snapshot of the data. To take a snapshot for a report definition:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Select the report definition for which you want a snapshot, right-click, then click Take a Snapshot. For example, to take a snapshot of the results of the User Account Report, select the User Account Report report definition, then click Take a Snapshot.

Viewing current or saved results in the console


When you select either Current or Saved results in the Centrify DirectControl Administrator Console, the data is not formatted into a static report. Instead, the results from the current or saved report are presented in nested form in the console panes, and you can select the objects included in the results to perform additional tasks. For example, if you select the Users Report, then click Current, the results for each zone are nested under the Current node.
Select a zone to see the zone's users displayed in the results pane
You can then select a zone to see user information for that zone displayed in the results pane. You can also select an individual user in the results pane, right-click, and select a user-related task to perform.

Generating a report from current or saved results


You can generate a static report for any report definition using either current or saved results. A static report is a formatted view of the results that can be displayed, printed, or saved. You can save static reports as:
- HTML documents (.htm)
- Adobe Acrobat documents (.pdf)
- Microsoft Excel documents (.xls)
- XML documents (.xml)
You can also customize the formatting of the static report to change how information is grouped and sorted, which columns of information are included in the report, how columns are displayed, and the fonts and colors used in table headings and rows. To generate a static report from an existing report definition:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Expand the report definition for the type of report you want to generate. For example, to run the Users Report, expand the Users Report report definition.
4 Select either Current or a Saved and dated snapshot of previously retrieved results, right-click, then click Display Report.
Note
In most cases, reports only include information for the zones you have currently open. For best performance, close the zones you are not interested in reporting on before generating reports.
The report is displayed in a new window. From this window you can customize the report format, save the report as a specific type of document, email the report to another person, or print the report.

Modifying the format of a generated report


Once you have generated a report, you can modify its format in several ways. For example, you can modify the properties used for grouping and sorting, the sort order used, which columns are displayed in the output, the column names to use, and the fonts and colors to use. To modify the content or layout of a generated report:
1 In the generated report window, click Report > Format. 2 Click the Group tab to change how the information in a report

is grouped or to add grouping criteria. To add grouping criteria, select a property from the Group based on selected properties list and either Ascending or Descending order, then click Add.

Chapter 11 Generating predefined and custom reports

239

Generating a report from current or saved results

To remove grouping criteria, select a property in the Group by list, then click Remove. To change the order in which grouping is done when grouping by more than one property, select a property in the Group by list, then click Move up or Move down. For example, you can group computers by zone, then within each zone by agent version number:

Note

The specific properties you can use to base grouping on depend on the properties included in the report. To change the properties included in a report, use the Modify Report Wizard.

3 Click the Sort tab to change how the information in the report

is sorted or to add sorting criteria. To add sorting criteria, select a property from the Sort based on these criteria list and either Ascending or Descending order, then click Add. To remove sorting criteria or change the sort order for a sort criteria, select a property in the Sort by list, then click Remove.

240

Administrators Guide

To change the order in which sorting is done when sorting by more than one property, select a property in the Sort by list, then click Move up or Move down. For example, you can sort results by zone name in ascending or descending order:

Note: The specific properties you can use as sorting criteria depend on the properties included in the report. To change the properties included in a report, use the Modify Report Wizard.

4 Click the Layout tab to change the columns displayed in the report. To remove a property from the report, clear the Column checkbox. To change the display name or column width for a property, select the property name, then type a new column name or set a new column width. To change the column order from left to right, select the property name, then click Move up to shift a column to the left or Move down to shift a column to the right.

For example, check the properties you want to include in the report and uncheck the properties to exclude. If you include a property in the report, you can also specify the display name for the column and the column width:

Note: The specific properties you can choose to display or remove depend on the properties included in the report. To change the properties included in a report, use the Modify Report Wizard.

5 Click the Font & Color tab to change the fonts and colors used in the report. Select a report attribute from the list of Display items, then select a font family, size, style, and colors to use for the selected attribute.

For example, to change the color of a table or group header, select the Table Header or Group Header, then select the Foreground and Background colors to use:

Saving a generated report


Once you have generated a report, you can save the report to a variety of file formats. Saving a report to different file formats gives you options for printing, distributing, and manipulating the report information. For example, if you want to post reports on a Web site, you can save reports as HTML (.htm) documents. If you want to incorporate report data in an Excel spreadsheet, you can save the report as an Excel (.xls) document. If you want to share a generated report with other departments, you may want to save the report as an Adobe Acrobat (.pdf) document. If you want to manipulate a report programmatically or import it into a database, you may want to save it as XML. To save a generated report:
1 In the generated report window, click Report > Save As, then select the type of document to save the report as. You can save the report to any of the following formats:
   HTML Document
   PDF Document
   Excel Document
   XML


2 Select a location and type a file name for the report, then click Save to save the report in the selected format.

Although you can save a generated report as an XML document, and report definitions are XML documents that can be imported and exported from one Centrify DirectControl Administrator Console to another, you cannot use the generated report output as a new report definition or import generated reports into the Centrify DirectControl Administrator Console. To share reports with other administrators, you must export the report definition to XML. Other administrators can then import your report definition and generate their own reports from the imported report definition.

Printing a generated report


To print a generated report:
1 In the generated report window, click Report > Page Setup to set page margins or printing options, or Report > Print Preview to preview the report output.
2 Click Report > Print to print the report on the default printer.

Creating and modifying report definitions


Report definitions define the content and format of reports. The report definition describes the information to retrieve (the objects and their properties and relationships) and how the retrieved information should be grouped and sorted in report output. You can delete, modify, or rename any existing report definition, including the default report definitions, using the Centrify DirectControl Administrator Console. You can also create your own custom report definitions. The report definitions are stored as XML files for each user who creates report definitions in the Documents and Settings\user\Application Data\Centrify\DirectControl\Queries folder.

Creating a new report definition


To create a new report definition:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select the Report Center, right-click, then click New Report Wizard.
3 At the Welcome page in the Report Wizard, click Next.
4 Type the report name and a description of the report, then click Next. The report definition name can start with an alphabetic character or an underscore character (_), followed by any combination of alphabetic, numeric, underscore (_), hyphen (-), or space characters, up to a maximum length of 64 characters. For example:
   Sample Zones Report Dept-1331

5 Select the primary object you want to report on, then click Next. Selecting the primary object controls the properties that are available for reporting. For example, if you select Active Directory Users for the report, the report can include information associated with the Active Directory user account, such as the account status, password restrictions, or the user's address and telephone number. If you select Zone Users, the report can include information about the user's UNIX profile but not the Active Directory account status unless you link these criteria to the report in Step 6. The valid primary objects are:
   Active Directory computer accounts
   Active Directory group accounts
   Active Directory user accounts
   Centrify DirectControl licenses
   Open zones
   Zone computers
   Zone groups
   Zone users
   Zones
For example, to report on Zones as the primary object, select Zones from the list of objects:

6 Select whether you want to link other criteria to the primary object included in the report, then click Next.

For a simple report that only includes the properties associated with the primary object, select No, then click Next. For a more complex report, select Yes and a criterion to use, then click Next. For example, if you want to include UNIX user information in the report, you can select Yes to add a related link, then select Zones that contain Zone Users:

The specific criteria you can choose depend on the primary object you select. For example, if you are creating a report about Zone Users, you can specify users in open zones, users in all zones, only the users that have been granted access to zone computers, or users that have permission to join a computer to the zone. Linking a primary object to other criteria makes additional properties available for inclusion in the report. For example, if you select Zone Users that are profiles of Active Directory users, you can report on properties associated with the Active Directory user account, such as the account status, the user's department, job title, or home phone number. If you select Zone Users that can access zone computers, the report can include computer account properties.

You can continue adding relationship criteria to the report and clicking Next, as needed, until you have defined all of the criteria you want to use to generate the report. The specific objects and relationships you can choose depend on the primary object and each previous selection. When you are finished defining the criteria for the report, select No, then click Next.
7 For each object to be included in the report, select the specific properties to display, then click Next. (Select each object, then select the properties to include in the report.) For example:
   Select Zones to choose the zone properties to include in the report.
   Select Zone Computers to choose the computer account properties to include in the report.
   Select Zone Users to choose which UNIX profile attributes to include in the report.
8 Select the type of filter you want to apply, if any, then click Next. To add a filter:
   Select a property for filtering. The properties you can select as filters depend on the objects and properties you selected in Step 7. For example, if you include the UNIX user name, UID, and primary group name in the report, you can filter the report using any or all of these properties.
   Select the criterion to use when matching the filter string. For example, you can specify that the filter starts with, contains, is, or ends with the specified string.
   Type the string you want to match, then click Add.
   Add any other filters, then click Next.
For example, to filter a report to include only the information for domains whose name starts with ajax, type the string and click Add to add the specified criteria to the list of filters to be applied:

9 Review the report definition, then click Finish.

Modifying the content of an existing report definition


To modify the information retrieved in an existing report definition:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Select the report definition that you want to modify, right-click, then click Modify Report Wizard.
4 At the Welcome page in the Report Wizard, click Next.
5 Modify the name or description of the report, if needed, then click Next.
6 Select a new primary object to report on, if needed, then click Next.
7 Modify any other criteria related to the primary object included in the report, then click Next.
8 Modify the specific properties to display, then click Next.
9 Modify the filters applied, if any, then click Next. For example, to remove a filter, select the filter, then click Remove.
10 Review the report definition, then click Finish.

Modifying the format of an existing report definition


To modify the default formatting and report layout in an existing report definition:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Select the report definition that you want to modify, right-click, then click Format.
4 Click the Group tab to change how the information in the report is grouped or to add grouping criteria.
5 Click the Sort tab to change how the information in the report is sorted or to add sorting criteria.
6 Click the Layout tab to change the columns displayed in the report, including the properties you want to report, the display name for each column, and the column width.
7 Click the Style tab to configure the fonts and colors used in the HTML, PDF, and Excel versions of the report. Select a document type, then click Configure. Select a font family, size, style, and the colors to use for titles, headers, and content of the report.

Exporting and importing report definitions


Report definitions are stored for each user in the Documents and Settings\user\Application Data\Centrify\DirectControl\Queries folder. You can share report definitions by exporting the definition to an XML file and importing it into the Report Center on another computer or into another user's Centrify DirectControl Administrator Console. You can also export report definitions to create new reports based on existing report definitions. To export and import previously created report definitions:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, expand the Report Center node.
3 Select the report definition name that you want to export, right-click, then click Export.
4 Navigate to an appropriate directory, type a file name, then click Save.
5 In the console tree, select the Report Center, right-click, then click Import.
6 Navigate to the appropriate directory, select the report definition file name, then click Open.

Configuring SMTP for emailing reports


Configuring the information for connecting to a mail server in the Centrify DirectControl Administrator Console enables you to email reports to a specific user or email alias. To view or modify the Simple Mail Transfer Protocol (SMTP) settings for emailing reports:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select the Centrify DirectControl node and right-click.
3 Select Options.
4 Click the SMTP Configuration tab.
5 Specify a valid sender's user name and email address, a recipient's user name and email address, the SMTP server name and port number for outgoing mail, and the server authentication requirements, if any, then click OK.

Chapter 12

Managing network information with NIS maps

This chapter describes how to designate a Centrify DirectControl-managed computer as a NIS server and how to import, create, and manage network information using NIS maps stored in Active Directory. The following topics are covered:
   Understanding the servicing of NIS client requests
   Preparing for agentless authentication
   Installing and configuring the NIS server
   Configuring the NIS clients
   Checking the derived passwd and group maps
   Importing and creating additional NIS maps
   Changing the map type
   Maintaining map records in Active Directory

Note: This chapter focuses on tasks you can perform using the Centrify DirectControl Administrator Console. For more complete information about installing and configuring the Centrify DirectControl Network Information Service and NIS clients to handle agentless authentication and look up network information, see the NIS Administrator's Guide. For information about managing NIS maps using the Centrify DirectControl Web Console, see the Web Console User's Guide.

Understanding the servicing of NIS client requests


The Centrify DirectControl Agent (adclient) normally handles account authentication and lookup requests. In some cases, however, you may have computers, devices, or applications that require access to a NIS server. For example, you may have legacy systems with operating systems that the Centrify DirectControl Agent doesn't support, or applications that send requests directly to the NIS port and expect a NIS process to be listening there.

For computers and applications that submit lookup or authentication requests directly to a NIS server on the NIS port, Centrify DirectControl provides its own Network Information Service. The Centrify DirectControl Network Information Service (adnisd) is a separate process that can be installed on any computer that has the Centrify DirectControl Agent installed. Once this separate service is installed, if a legacy system needs to authenticate a user or look up network information, it sends a NIS client request to the Centrify DirectControl Network Information Service listening on the NIS port. The Centrify DirectControl Network Information Service responds using the information stored in a local cache of data that is generated from the information stored in Active Directory. In this way, the Centrify DirectControl Network Information Service can be used to service agentless authentication requests from computers or devices where the Centrify DirectControl Agent itself cannot be installed.

If you want to use the Centrify DirectControl Network Information Service to service NIS client requests, you need to:
   Identify the zones for which you want to publish information. For example, if you want user and group information broadly available to NIS clients across the network and you have a master zone, you may want to allow agentless authentication for all of the users in that zone. If you want to strictly control which users can be authenticated to NIS clients, you may want to use the Zone Generator to populate a separate agentless-authentication zone that only contains those users and their groups. For each zone that supports agentless authentication, you must specify the Active Directory attribute for storing the password hash.

   Identify the computer(s) that should service NIS client requests in each zone. You can designate any computer that has the Centrify DirectControl Agent installed to also act as the Centrify DirectControl Network Information Server in the zone. Any computer you want to use as the NIS server must be joined to an Active Directory domain.
   Install and configure the Centrify DirectControl Network Information Service on the selected computers in each zone.
   Configure clients to use the Centrify DirectControl Network Information Service on the selected computers in each zone.
   Import and enable the users and groups who need to be authenticated to NIS clients for the zone. You can migrate this information from existing NIS servers or local configuration files by importing passwd and group NIS maps or local /etc/passwd and /etc/group files using the Import from UNIX wizard as described in Using the Import from UNIX wizard on page 103, or you can create UNIX profiles for users and groups, as needed. The users and groups must have UNIX profiles stored in Active Directory and enabled for the local computer's zone for the Centrify DirectControl Network Information Service to generate the maps it needs to service agentless authentication and lookup requests from NIS clients.
   Import and manage any additional NIS maps you want to make available to NIS clients. For example, you can import network maps such as netgroup and automount NIS maps or create custom maps using the Centrify DirectControl Administrator Console.

Note: Importing existing NIS maps simply provides a mechanism for migrating information to Active Directory. Once the information is stored in Active Directory, any original NIS maps you imported are no longer used. Instead, the Centrify DirectControl Network Information Service uses the information stored in Active Directory to automatically generate the maps it needs to service authentication and lookup requests. This local cache of data is updated at a regular interval.

Preparing for agentless authentication


A computer's zone is equivalent to a NIS domain for the Centrify DirectControl Network Information Service. Therefore, users and groups must be enabled for the zone the Centrify DirectControl Network Information Service serves. In addition, you need to do the following to prepare your environment to handle authentication requests from agentless NIS clients:
   Identify the zones that need to support agentless authentication in response to NIS client requests, and the Active Directory attribute to use for storing the password hash in each zone that supports agentless authentication.
   Identify one or more computers in each zone that should be allowed to respond to authentication requests from NIS clients.
   Install a password synchronization service to create the password hash for UNIX users and keep passwords synchronized between Active Directory and the computer you are using as the NIS server.

Enabling agentless authentication for a zone


If user information from a zone needs to be available to NIS clients for agentless authentication, the Centrify DirectControl Network Information Service must be able to access the password hash for zone users. However, because Active Directory does not generate a password hash for users by default, there's no default attribute for storing this information. To enable the password hash to be stored for users in a zone, you need to select the Support agentless client option when you create or modify the zone. Once you select the Support agentless clients option for a zone, you can specify the Active Directory attribute to use for storing the password hash for users and the NIS domain name to use for the zone. For example, if you want to create a new zone, you would follow the steps described in Creating a new zone on page 57 and check the Support agentless client option, then select an attribute such as altSecurityIdentities for the password hash, and type the NIS domain name to use. (Check this option, then select an Active Directory attribute for the password hash and type the NIS domain name.)

Selecting the Active Directory attribute for the password hash

The Active Directory attributes you can choose for storing the password hash depend on the Active Directory schema you are using and the zone type. The supported attributes for storing the password hash are:
   altSecurityIdentities
   msSFU30Password
   unixUserPassword

The computer account acting as a NIS server for the zone must be able to access the attribute containing the password hash for agentless authentication to be successful. For information about granting a computer account access to the attribute that stores the password hash, see Selecting a computer to service NIS client requests on page 258.
Setting the NIS domain name

By convention, the zone name is most commonly used as the NIS domain name because this makes it easy to identify the scope of the information available to NIS clients. You can specify a different name if you choose. If you don't specify the NIS Domain name in the zone properties, the zone name is used by default. Whether you use the zone name or another name, you need this information to configure the NIS clients. For more information, see Configuring the NIS clients on page 268.

Selecting a computer to service NIS client requests


You can designate any computer in a zone to act as the NIS server for the zone by setting the Allow this computer to respond to NIS client requests computer property as described in Designating a computer as a NIS server on page 94. For example, select the computer account, right-click, then select Properties and click the Centrify Profile tab to set this option:

Check this option to identify a computer allowed to respond to NIS client requests in the zone

Selecting the Allow this computer to respond to NIS client requests option adds the computer account to the zone_nis_servers Active Directory group to ensure the computer has the appropriate permissions to authenticate users in response to NIS client requests. When computer accounts are placed in the zone_nis_servers group, they are granted permission to read the attribute that stores the password hash for users in the zone.

Although this setting enables the computer account to access the password hash, you must manually install and start the Centrify DirectControl Network Information Service on the physical computer before the computer can act as a NIS server.

Configuring a password synchronization service


If user information from a zone needs to be available to NIS clients for agentless authentication, the Centrify DirectControl Network Information Service must be able to access the password hash for zone users. However, Active Directory does not generate a password hash for users by default; this task is handled by the password synchronization service. Therefore, to generate the password hash for zone users, you need to install a password synchronization service. The password synchronization service is installed separately on your Windows network. Once deployed, it ensures the passwords served by the Centrify DirectControl Network Information Service are always up-to-date. With a password synchronization service, any time users change their Active Directory password, the corresponding password hash in their user profile is updated to reflect the change. Depending on your environment, you can choose to install one of the following:
   Centrify DirectControl Password Synchronization
   Microsoft Windows Services for UNIX Password Synchronization Service
   Microsoft Windows Server 2003 R2 UNIX Identity Management Service

Note: Regardless of the password synchronization service you choose to use, the service must be installed on all domain controllers in the Active Directory domain where you are enabling agentless authentication.

Using Centrify DirectControl Password Synchronization

To install the Centrify DirectControl Password Synchronization program:
1 Copy the CentrifyDC_PasswordSync-4.1.0.zip file to your Active Directory domain controller.
2 Right-click, then select Extract All.
3 Open the CentrifyDC_PasswordSync-4.1.0 folder, and double-click setup.exe to start the setup program.
4 At the Welcome page, click Next.
5 Review the terms of the license agreement. If you accept the license agreement, select I accept the terms of the license agreement, then click Next.
6 Type your name and company, select who should be able to use this application on the computer, then click Next.
7 Select a restart option, then click Finish.

Once installed, the Centrify DirectControl Password Synchronization program will generate the initial password hash when users next change their password, then update the password hash at each password change thereafter. The password hashes are created using DES encryption with a two-character salt. If the password hash is stored in the altSecurityIdentities attribute, it has a prefix of cdcPasswordHash, for example, cdcPasswordHash:VkievQ69VhYKc. If the password hash is stored in one of the other supported attributes, it is stored without a prefix. When a user changes his Active Directory password, the Centrify DirectControl Password Synchronization program discovers the zones to which that user has access and updates the appropriate attribute that holds the password hash for that user in each zone.

Note: The initial password hash is only generated when the user changes his password. You may want to force users to change their password at the next logon to get the password set at the earliest opportunity. Client authentication requests may fail for users who do not have a password hash available. If the password hash field in the passwd.byname or passwd.byuid map displays a single exclamation point (!), it indicates that the user's password hash has not been set.
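Because agentless authentication silently fails for any user whose hash has not been generated yet, it is worth auditing the published passwd map for the "!" marker before pointing NIS clients at the server. The following is an added Python example, not Centrify code and not part of this guide: it parses the stored attribute value (with or without the cdcPasswordHash: prefix described above) and lists the users in a passwd.byname map that carry no usable hash. The function names, the constructed sample map lines, and the use of the standard 13-character crypt(3) DES format as the validity check are assumptions of this example.

```python
import re
from typing import List, Optional

# Traditional DES crypt(3) output: a 2-character salt followed by 11 hash
# characters, all from the 64-character alphabet [./0-9A-Za-z]; 13 in total.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Prefix the guide describes for hashes stored in altSecurityIdentities; the
# other supported attributes hold the bare hash.
CDC_PREFIX = "cdcPasswordHash:"


def extract_hash(attribute_value: str) -> Optional[str]:
    """Return the bare hash from a stored attribute value, or None.

    Accepts the prefixed form used in altSecurityIdentities and the bare form
    used in msSFU30Password or unixUserPassword. Anything that is not a
    well-formed 13-character DES crypt string (empty, '!', truncated) gives None.
    """
    value = attribute_value.strip()
    if value.startswith(CDC_PREFIX):
        value = value[len(CDC_PREFIX):]
    return value if _DES_CRYPT.match(value) else None


def salt_of(hash_value: str) -> str:
    """The two-character salt is the first two characters of a DES crypt hash."""
    return hash_value[:2]


def users_without_hash(passwd_map: str) -> List[str]:
    """Names of users whose passwd.byname entry carries no usable hash.

    Entries use the classic passwd layout name:hash:uid:gid:gecos:home:shell.
    A single '!' in the hash field means the hash has not been set yet (the
    user has not changed their password since the synchronization service was
    installed), so adnisd cannot authenticate that user.
    """
    missing: List[str] = []
    for line in passwd_map.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, hash_field = fields[0], fields[1]
        if extract_hash(hash_field) is None:
            missing.append(name)
    return missing


# Constructed sample of a passwd.byname map; not output from a real adnisd.
SAMPLE_PASSWD_BYNAME = """\
alice:VkievQ69VhYKc:10001:10001:Alice Example:/home/alice:/bin/bash
bob:!:10002:10001:Bob Example:/home/bob:/bin/bash
carol:!:10003:10001:Carol Example:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for user in users_without_hash(SAMPLE_PASSWD_BYNAME):
        print(f"{user}: no password hash set; agentless authentication will fail")
```

Feed users_without_hash the text of the passwd.byname map as a NIS client sees it (for example, captured with ypcat) and the result is the list of accounts that still need a password change before they can log in through a NIS client. Traditional DES crypt uses only the first eight characters of a password and is weak by current standards, which is one more reason to keep read access to the hash attribute limited to the zone_nis_servers group as described later in this chapter.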
Using a Microsoft password synchronization service

If you choose to use one of the password synchronization services provided by Microsoft instead of the Centrify DirectControl Password Synchronization program, follow the instructions provided with the software to install the service. In general, you need to do the following to use the Microsoft password synchronization services:
   Set the Windows domain to the domain you joined after installing the Centrify DirectControl Agent.
   Set the NIS domain name to the zone name you specified when you joined the domain. For example, if you are using the default zone, set the NIS domain to default.
   Set the NIS Server name to the host name of the computer running both the Centrify DirectControl Agent (adclient) and the Centrify DirectControl Network Information Service (adnisd).
   Give user accounts access to the zone and NIS domain. If you are using the Microsoft Windows Services for UNIX, you need to make this setting by selecting the zone name from the list of NIS domains on the UNIX Attributes tab.

Note: The rest of the fields on the UNIX Attributes tab are not used by Centrify DirectControl, but you are required to enter information for these fields to enable the NIS domain for the user. Therefore, you should specify a UID, Login shell, Home directory, and Primary group for the user account, then click OK.

Installing and configuring the NIS server


After you have enabled agentless authentication for a zone and selected a computer to act as the NIS server for the zone, you must install and configure the Centrify DirectControl Network Information Service (adnisd) on that computer before it can service NIS client requests. You can install the Centrify DirectControl Network Information Service (adnisd) on any computer that has the Centrify DirectControl Agent installed using any installation program appropriate for the local operating environment, such as RPM, SMIT or YAST. To install the Centrify DirectControl Network Information Service:
1 On the UNIX computer, log in as or switch to the root user and verify the Centrify DirectControl Agent is installed and the local computer is joined to a domain. For example, run the adinfo command to verify the local computer has the Centrify DirectControl Agent installed, is joined to a domain, and can connect to Active Directory:
   su
   Password:
   adinfo
   Local host name:   magnolia
   Joined to domain:  ajax.org
   Joined as:         magnolia.ajax.org
   Current DC:        ginger.ajax.org
   Preferred site:    Default-First-Site-Name
   Zone:              ajax.org/Program Data/Centrify/Zones/default
   Last password set: 2006-12-28 14:47:57 PST
   CentrifyDC mode:   connected

2 Copy the appropriate package for the local computer's operating environment from the Centrify DirectControl CD or a download directory to a local directory. For example, if the operating environment is Solaris 9 SPARC:
   cp /tmp/centrifydc-nis-release-sol8-sparc-local.tgz .

If you aren't sure which file to use for the local operating environment, see the release-notes text file included in the package.
3 If the software package is a compressed file, unzip and extract the contents. For example, on Solaris:
   gunzip -d centrifydc-nis-release-sol8-sparc-local.tgz
   tar -xf centrifydc-nis-release-sol8-sparc-local.tar

4 Run the appropriate command for installing the package based on the local computer's operating environment. For example, on Solaris:
   pkgadd -d CentrifyDC-nis -a admin

If you aren't sure about the command to use for the local operating environment, see the release-notes text file included in the package. If you are using an installation program not described in the release-notes text file, such as SMIT or YAST, see the documentation for that program.

Configuring the IP addresses to accept


By default, the Centrify DirectControl Network Information Service only accepts local NIS client requests. To accept requests from any other NIS clients on the network, you must modify the nisd.securenets configuration parameter in the /etc/centrifydc/centrifydc.conf file to specify the subnets from which to accept NIS requests. By setting this parameter, you can filter NIS client requests by IP address. If you specify any IP address, subnet, or mask from which to accept NIS requests, the adnisd process only responds to the requests coming from IP addresses that meet the criteria you have specified.
All other NIS client requests are ignored. For example, if you want to restrict NIS requests to a single trusted subnet of computers, such as the 172.68.0.0 subnet, you can edit the nisd.securenets configuration parameter in the /etc/centrifydc/centrifydc.conf file to include a line similar to the following:
nisd.securenets: 172.68.0.0/255.255.0.0

You can specify multiple subnets by separating the entries with a comma or a space. For example:
nisd.securenets: 172.68.0.0/255.255.0.0,196.48.0.0/0

To accept NIS client requests from any computer, you can set the nisd.securenets configuration parameter as follows:
nisd.securenets: 0/0

For more information about restricting the computers sending NIS client requests using configuration parameters, see the Configuration Parameters Reference Guide.
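The accept rule described above (answer a request only if its source address falls inside one of the listed address/mask entries) is easy to misjudge once the list has several entries, so the following is an added Python example, not Centrify code, that parses a nisd.securenets value and reports which client addresses it admits. It models the address/mask comparison the text describes rather than adnisd's own implementation; the function names, the constructed centrifydc.conf fragment, and the assumption that a mask is written either as a dotted quad or as a bare 0 are this example's own. It does not model the default of answering only local requests when the parameter is absent.

```python
import ipaddress
from typing import List, Tuple

NetMask = Tuple[int, int]  # (network address, mask) as 32-bit integers


def _ipv4_int(token: str) -> int:
    """Convert an address or mask token to a 32-bit integer.

    Handles dotted-quad form (172.68.0.0, 255.255.0.0) and the bare numeric
    form the guide uses for the catch-all entry (0/0). Assumption: these are
    the only two forms that need handling.
    """
    if token.isdigit():
        return int(ipaddress.IPv4Address(int(token)))
    return int(ipaddress.IPv4Address(token))


def parse_securenets(value: str) -> List[NetMask]:
    """Parse a nisd.securenets value into (network, mask) pairs.

    Entries are separated by commas or whitespace; each is address/mask.
    """
    pairs: List[NetMask] = []
    for entry in value.replace(",", " ").split():
        addr, sep, mask = entry.partition("/")
        if not sep:
            raise ValueError(f"nisd.securenets entry {entry!r} lacks a /mask")
        pairs.append((_ipv4_int(addr), _ipv4_int(mask)))
    return pairs


def is_allowed(client_ip: str, securenets: str) -> bool:
    """True if the client address matches any securenets entry.

    A client matches an entry when (client AND mask) == (network AND mask),
    so a mask of 0 matches every address. An empty value matches nothing here.
    """
    client = int(ipaddress.IPv4Address(client_ip))
    return any(client & mask == net & mask for net, mask in parse_securenets(securenets))


def overly_broad_entries(securenets: str) -> List[str]:
    """Entries whose mask is 0, i.e. entries that accept every client."""
    broad: List[str] = []
    for entry in securenets.replace(",", " ").split():
        _, sep, mask = entry.partition("/")
        if sep and _ipv4_int(mask) == 0:
            broad.append(entry)
    return broad


def securenets_from_conf(conf_text: str) -> str:
    """Pull the nisd.securenets value out of centrifydc.conf-style text.

    Parameters are written as 'name: value'; comment lines start with '#'.
    Returns an empty string when the parameter is not set.
    """
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition(":")
        if sep and key.strip() == "nisd.securenets":
            return val.strip()
    return ""


# Constructed centrifydc.conf fragment; not a real site's configuration.
SAMPLE_CONF = """\
# adnisd: answer only the trusted subnet
nisd.securenets: 172.68.0.0/255.255.0.0
"""

if __name__ == "__main__":
    nets = securenets_from_conf(SAMPLE_CONF)
    for ip in ("172.68.10.5", "10.0.0.7"):
        print(ip, "accepted" if is_allowed(ip, nets) else "ignored")
    print("catch-all entries:", overly_broad_entries("172.68.0.0/255.255.0.0,196.48.0.0/0"))
```

Under this arithmetic a mask of 0 matches every address, so the second entry in the two-subnet example above, 196.48.0.0/0, admits any client rather than only the 196.48.0.0 range; overly_broad_entries flags such entries so they can be reviewed before the file is deployed. Source-address filtering only limits which requests adnisd answers; it is not an authentication of the client.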

Customizing the update interval for NIS maps


By default, the adnisd process checks for updates to its NIS maps every 5 minutes. If there have been changes to any NIS map records, the local cache of map data is updated to reflect the change. This interval can be customized by modifying the nisd.update.interval configuration parameter in the Centrify DirectControl configuration file.

Note: Changes to automount maps typically require you to restart the automount service or reboot the local computer. Therefore, when there are updates to an automount map, you may need to reboot the computer and restart the adnisd process to ensure updated information is used.

For more information about customizing the interval for updating NIS maps, see the Configuration Parameters Reference Guide.


Customizing the maps published


By default, the adnisd process retrieves all of the NIS maps stored in Active Directory at each update interval and makes the data from all of the explicitly-defined and derived maps in its local cache available to the NIS clients it services. In some cases, you may want to prevent NIS clients from accessing data in specific maps or from looking up certain types of information using a specific key. You can customize the list of maps to make available by modifying the nisd.maps or nisd.exclude.maps configuration parameter in the Centrify DirectControl configuration file, or by using the group policy, Specify allowed NIS mapping files for NIS daemon or Specify disallowed NIS mapping files for NIS daemon.

With the nisd.maps parameter, you can explicitly list the NIS maps you want to include in the local cache of map data. If you specify a list of maps, only those maps are available in the local cache. Note that you must explicitly list all maps, including derived maps.

With the nisd.exclude.maps parameter, you can explicitly list the NIS maps you want to prevent from being used in response to NIS client requests. If you specify a list of maps, only those maps are unavailable to NIS clients. Most often this parameter is used to prevent NIS clients from retrieving user and group information while allowing them to access network information, such as automount instructions. Note that when you specify a map, the derived maps are excluded as well.

For example, to explicitly list the NIS maps that can be published, you can make a setting similar to the following in the centrifydc.conf file:
nisd.maps: hosts.byname,hosts.byaddr,automount

To explicitly exclude the NIS maps that should not be published, you can make a setting similar to the following in the centrifydc.conf file:
nisd.exclude.maps: group passwd


For more information about customizing the interval for updating NIS maps or customizing the NIS maps available using configuration parameters, see the Configuration Parameters Reference Guide.
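The nisd.securenets setting and the nisd.maps/nisd.exclude.maps settings described above together decide which clients adnisd answers and which maps it exposes to them. The following Python script is an added example, not part of this guide or of Centrify's software: it parses a constructed centrifydc.conf fragment, reports whether any securenets entry admits every address (a mask of 0, as in 0/0), tests whether a given client address would be accepted, and applies the allow-list and deny-list rules for map publication (a deny entry for a base map such as passwd also covers its derived passwd.* maps). Two details are assumptions, not statements from the page: with no nisd.securenets set, "local" is taken to mean the 127.0.0.0/8 loopback range, and a bare number after the slash is treated as a prefix length (the page shows only dotted masks and 0).

```python
import ipaddress

# Constructed sample fragment of /etc/centrifydc/centrifydc.conf (not a real file).
SAMPLE_CONF = """\
# NIS server settings (constructed sample)
nisd.securenets: 172.68.0.0/255.255.0.0,10.20.30.0/255.255.255.0
nisd.exclude.maps: group passwd
nisd.update.interval: 300
"""

# Assumption (not stated on the page): with nisd.securenets unset, "local
# NIS client requests" means the loopback range.
LOCAL_ONLY = [ipaddress.ip_network("127.0.0.0/8")]

# Derived maps that carry account data, generated from the zone's user and
# group profiles according to the guide.
ACCOUNT_MAPS = ("passwd.byname", "passwd.byuid", "group.byname", "group.bygid")


def parse_conf(text):
    """Parse 'key: value' lines; blank lines and # comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def split_list(value):
    """List-valued parameters accept commas or spaces as separators."""
    return value.replace(",", " ").split()


def parse_securenets(value):
    """Convert 'address/mask' entries into IPv4 networks.

    The mask may be dotted (255.255.0.0) or a bare number, which is taken
    as a prefix length (assumption). A bare '0' address stands for 0.0.0.0,
    so the documented 0/0 covers the whole address space.
    """
    nets = []
    for entry in split_list(value):
        addr, _, mask = entry.partition("/")
        if "." not in addr:
            addr = str(ipaddress.IPv4Address(int(addr)))
        if not mask:
            mask = "32"  # assumption: an entry without a mask is a single host
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def accepted_networks(cfg):
    value = cfg.get("nisd.securenets")
    return parse_securenets(value) if value else LOCAL_ONLY


def is_accepted(cfg, client_ip):
    """Would adnisd answer a request from client_ip under this configuration?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in accepted_networks(cfg))


def is_wide_open(cfg):
    """True when some entry has a zero mask and therefore admits every client."""
    return any(net.prefixlen == 0 for net in accepted_networks(cfg))


def is_published(cfg, map_name):
    """Apply nisd.maps (allow list) first, then nisd.exclude.maps (deny list).

    With nisd.maps, a map is served only if listed explicitly, derived maps
    included. With nisd.exclude.maps, excluding a base map such as passwd
    also excludes its derived maps (passwd.byname, passwd.byuid).
    """
    allow = cfg.get("nisd.maps")
    if allow:
        return map_name in split_list(allow)
    deny = split_list(cfg.get("nisd.exclude.maps", ""))
    base = map_name.split(".", 1)[0]
    return map_name not in deny and base not in deny


def audit(text):
    """Return the findings a reviewer would raise about an adnisd configuration."""
    cfg = parse_conf(text)
    findings = []
    if is_wide_open(cfg):
        findings.append("nisd.securenets admits every client address (mask 0)")
    for name in ACCOUNT_MAPS:
        if is_published(cfg, name):
            findings.append(f"{name} is served to NIS clients")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run it against the real file with audit(open("/etc/centrifydc/centrifydc.conf").read()); an empty result means no entry is wide open and none of the account maps is served, which is the combination the guide recommends when only network maps such as automount should be available to clients.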

Starting the adnisd daemon


Once you have specified the subnets from which to accept NIS client requests, you can manually start the adnisd process at the command line or you can configure the startup script on the local computer to start the adnisd process automatically whenever the computer is rebooted.

Note: If you don't add the adnisd process to a computer's startup script, you must manually restart the adnisd process whenever the computer is rebooted.

To start the adnisd process at the command line:

1 Verify the Centrify DirectControl Agent is running and the local computer is joined to a domain.

2 Verify that RPC is running on the local computer. For example:
rpcinfo -p localhost

Note: The adnisd process requires RPC services. If you restart RPC, you also need to restart the adnisd process.

3 Type the appropriate start command. For example, on Red Hat Linux, type:
/sbin/service adnisd start

On most other platforms, you can start the adnisd process by running the following command:
/etc/init.d/adnisd start

On Solaris 10 or later, the daemon is controlled through the Solaris Service Management Facility. For example:
svcadm enable nis/centrifydc-server

When the adnisd process starts, it connects to Active Directory through adclient and does the following:
- Retrieves the current user, group, network, and custom information that's stored in Active Directory for its zone.
- Generates additional maps derived from the information retrieved from Active Directory, such as the netgroup.byuser and netgroup.byhost maps generated from the netgroup map and the passwd.byuid, passwd.byname, group.byname, and group.bygid maps generated from the user and group profile information for the local computer's zone.
- Stores the information retrieved or derived from Active Directory in a local cache of NIS map data.

After the initial connection, the adnisd process periodically connects to Active Directory through adclient to retrieve updated information for its zone. However, the adnisd process always responds to NIS client requests using the data in its local cache. Because this information is available in the local cache, the adnisd process can respond to NIS requests even if Active Directory is unavailable.

Chapter 12 Managing network information with NIS maps

267

Configuring the NIS clients


After you install and configure the Centrify DirectControl Network Information Service (adnisd) on a computer, you must configure other computers or devices to use the computer running adnisd for NIS client requests. The steps for configuring the NIS client are slightly different in different operating environments. For information about configuring the NIS client in different operating environments, see the appropriate section:
- Configuring NIS clients on Linux
- Configuring NIS clients on Solaris
- Configuring NIS clients on HP-UX
- Configuring NIS clients on AIX

Note: The client configuration instructions in this section assume that you are using the zone name as the NIS domain name. If you are not using the zone name, substitute the NIS domain name you specified when you created the zone where applicable. In addition, for more complete information about configuring NIS clients on any platform, you should consult the documentation for that platform.

Configuring NIS clients on Linux


To configure the NIS client on a Linux computer:

1 Stop the existing NIS service if it is currently running and remove any files in the /var/yp/binding directory. For example, run the following commands:
/sbin/service ypbind stop
rm -rf /var/yp/binding/*

2 Set the NIS domain name for the client to the zone name or NIS domain name of the computer where the adnisd process is running.
domainname zone_name

For example, if you have installed the Centrify DirectControl Network Information Service on a computer in the corpHQ zone:
domainname corpHQ

3 Edit the NIS configuration file, /etc/yp.conf, to specify the Centrify DirectControl zone and the name of the computer where the Centrify DirectControl Network Information Service is installed.
domain zonename server hostname

For example, edit the /etc/yp.conf file to include a line similar to the following:
domain corpHQ server localhost

Note: If your NIS clients are configured for broadcast discovery, you can typically skip this step.

4 Start the ypbind service. On Red Hat Linux, you can start the service by running the following command:
/sbin/service ypbind start

On Debian 3.1, you can start the service by running the nis script. The operation of the nis script is controlled with the file /etc/default/nis. By default, the script starts the NIS client, ypbind. For example, run the following command:
/etc/init.d/nis start

On SuSE Linux 9.3 Professional, you can start the service by running the following command:
/etc/init.d/ypbind start

5 Modify the passwd, group, and shadow lines in the /etc/nsswitch.conf file to use compat as the source. For example:
passwd: compat
group: compat
shadow: compat

6 Restart services that rely on the NIS domain or reboot the computer to restart all services. The most common services you should restart are:
- autofs
- NSCD
- cron
- sendmail
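As an added check that is not part of the original guide, the following Python script verifies the results of steps 3 and 5 above from the client's own files: it confirms that passwd, group, and shadow list compat as a source in /etc/nsswitch.conf and that /etc/yp.conf binds the expected domain to a server. The nsswitch.conf part applies equally to the Solaris, HP-UX, and AIX procedures later in this section, which edit the same file. The sample file contents are constructed; to check a live client, pass the contents of the real files to check_client.

```python
# Constructed sample client files (not copied from a real system).
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:     compat
group:      files nis
shadow:     compat
hosts:      files dns
"""

SAMPLE_YP_CONF = """\
# /etc/yp.conf
domain corpHQ server localhost
"""

# The databases the procedure says must use compat as a source.
REQUIRED_DATABASES = ("passwd", "group", "shadow")


def nsswitch_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        database, _, rest = line.partition(":")
        sources[database.strip()] = rest.split()
    return sources


def databases_missing_compat(text):
    """Return the required databases that do not list compat as a source."""
    sources = nsswitch_sources(text)
    return [db for db in REQUIRED_DATABASES if "compat" not in sources.get(db, [])]


def yp_bindings(text):
    """Return (domain, server) pairs from 'domain <name> server <host>' lines."""
    bindings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0] == "domain" and fields[2] == "server":
            bindings.append((fields[1], fields[3]))
    return bindings


def check_client(nsswitch_text, yp_conf_text, expected_domain):
    """Cross-check both files against the zone (NIS domain) the client should use."""
    problems = [f"{db}: compat is not a source in /etc/nsswitch.conf"
                for db in databases_missing_compat(nsswitch_text)]
    if expected_domain not in [domain for domain, _ in yp_bindings(yp_conf_text)]:
        problems.append(f"/etc/yp.conf has no 'domain {expected_domain} server ...' line "
                        "(acceptable only with broadcast discovery)")
    return problems


if __name__ == "__main__":
    # For a live client use open("/etc/nsswitch.conf").read() and
    # open("/etc/yp.conf").read() in place of the constructed samples.
    result = check_client(SAMPLE_NSSWITCH, SAMPLE_YP_CONF, "corpHQ")
    for problem in result or ["client configuration looks complete"]:
        print(problem)
```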

Configuring NIS clients on Solaris


To configure the NIS client on a Solaris computer:

1 Stop the existing NIS service if it is currently running and remove any files in the /var/yp/binding directory. For example, run the following commands on Solaris 8 or 9:
pkill ypbind
rm -rf /var/yp/binding/*

On Solaris 10, stop the service by running:
svcadm disable network/nis/client

2 Set the NIS domain name for the client to the zone name of the computer where the adnisd daemon is running.
domainname zone_name

For example, if you have installed the Centrify DirectControl Network Information Service on a computer in the corpHQ zone:
domainname corpHQ

3 Run the ypinit -c command and enter the name of the computer where the Centrify DirectControl Network Information Service is installed.

Note: This step is not required if you want to use the broadcast option to locate the server when you run the ypbind command. You must use the ypinit command, however, if your network topology would prevent a broadcast from reaching the desired servers. For example, if the router does not transmit broadcasts across subnets, you can use the ypinit -c command to specify a server on a different subnet.

4 Start the ypbind service. On most versions of Solaris, you can start the service by running:
/usr/lib/netsvc/yp/ypbind

If you are using the broadcast option to locate the server, you must start the service with the broadcast option. For example:
/usr/lib/netsvc/yp/ypbind -broadcast

On Solaris 10, start the service by running:
svcadm enable network/nis/client

5 Modify the passwd, group, and shadow lines in the /etc/nsswitch.conf file to use compat as the source. For example:
passwd: compat
group: compat
shadow: compat

6 Restart services that rely on the NIS domain or reboot the computer to restart all services. The most common services you should restart are:
- autofs
- NSCD
- cron
- sendmail

Configuring NIS clients on HP-UX


To configure the NIS client on an HP-UX computer:

1 Stop the existing NIS service if it is currently running and remove any files in the /var/yp/binding directory. For example, run the following commands:
/sbin/init.d/nis.client stop
rm -rf /var/yp/binding/*

2 Edit the NIS configuration file, /etc/rc.config.d/namesvrs, to set NIS_CLIENT to 1 and NIS_DOMAIN to the name of the Centrify DirectControl zone. For example:
NIS_CLIENT=1
NIS_DOMAIN="zone-name"

3 Add the -ypset option to the YPBIND_OPTIONS variable and set the YPSET_ADDR variable to the IP address of the computer where the Centrify DirectControl Network Information Service is installed. For example:
YPBIND_OPTIONS="-ypset"
YPSET_ADDR="15.13.115.168"

Note: This step is not required if you want to use the broadcast option to locate the server when you run the ypbind command.

4 Set the NIS domain name for the client to the zone name of the computer where the adnisd process is running.
domainname zone_name

5 Start the ypbind service. On HP-UX, you can start the service by running:
/sbin/init.d/nis.client start

6 Modify the passwd, group, and shadow lines in the /etc/nsswitch.conf file to use compat as the source. For example:
passwd: compat
group: compat
shadow: compat

7 Restart services that rely on the NIS domain or reboot the computer to restart all services. The most common services you should restart are:
- autofs
- NSCD
- cron
- sendmail


Configuring NIS clients on AIX


To configure the NIS client on an AIX computer:

1 Stop the existing NIS service if it is currently running and remove any files in the /var/yp/binding directory. For example, run the following command:
stopsrc -s ypbind

If the computer is not already a NIS client, you can use the System Management Interface Tool (smit) and the mkclient command to add the NIS client service to the computer.

2 Open the /etc/rc.nfs file and verify that the startsrc command is configured to start the ypbind daemon. For example:
if [ -x /usr/etc/ypbind ]; then
    startsrc -s ypbind
fi

3 Set the NIS domain name for the client to the zone name of the computer where the adnisd process is running. For example:
domainname zone_name

4 Start the ypbind service. On AIX, you can start the service by running:
startsrc -s ypbind

5 Modify the passwd, group, and shadow lines in the /etc/nsswitch.conf file to use compat as the source. For example:
passwd: compat
group: compat
shadow: compat

6 Restart services that rely on the NIS domain or reboot the computer to restart all services. The most common services you should restart are:
- autofs
- NSCD
- cron
- sendmail

Verifying the client configuration


You can run the domainname command to verify the client is configured to use the appropriate Centrify DirectControl zone or NIS domain name. For example, if you have configured a computer to service NIS requests for the default zone and are using the zone name as the NIS domain name:
domainname default

To test that the client can connect to the Centrify DirectControl Network Information Service, you may want to run one or more NIS client request commands. For example, you may try the following commands:
ypwhich
ypwhich -m
ypcat -k mapname

Checking the derived passwd and group maps


On a computer you have configured as an NIS client, you can verify that the NIS maps required for agentless authentication are available by running the following command:
ypwhich -m

At a minimum, you should see the passwd.* and group.* map names followed by the name of the computer you are using as the NIS server. For example, if the computer running the Centrify DirectControl Agent and Centrify DirectControl Network Information Service is iceberg-hpux, you should see output similar to this:
passwd.byuid iceberg-hpux
passwd.byname iceberg-hpux
group.byname iceberg-hpux
group.bygid iceberg-hpux

These passwd.* and group.* maps are automatically generated based on the information stored in Active Directory for the zone. These maps include all of the Active Directory users and groups that have been granted access to the zone. You can view information from any of these maps using a command such as:
ypcat passwd.byname

The output displayed should look similar to this:
paul:Xq2UvSkNngA:10000:10000:paul:/home/paul:/bin/bash
mlopez:!:10002:10000:Marco Lopez:/home/mlopez:/bin/bash
jsmith:!:10001:10000:John Smith:/home/jsmith:/bin/bash

In this example, the user paul has a password hash, but the users mlopez and jsmith do not have password hashes. If a user account is a new account and no password hash is available, the Centrify DirectControl NIS server sets the password hash field for the user's account to ! until the user sets a password. For example, you may see this for users who have not yet generated an initial password hash until they next set their Active Directory password and have the password hash generated. If a user's Active Directory account is disabled, locked, requires a password change, or is not enabled for a zone, the Centrify DirectControl NIS server sets the password hash field for the user's account to !! until the account is enabled, reset, or updated with a new password.

Note: On some platforms, you may see ABCD!efgh12345$67890 as the password hash for users who need to set their password.
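The hash field conventions just described (!, !!, a real hash, and on some platforms ABCD!efgh12345$67890) are what an administrator should review before relying on a published passwd map for agentless authentication. The Python script below is an added example, not the guide's or Centrify's own tooling: it parses ypcat passwd.byname output constructed to match the format shown above, classifies each record's hash field, lists the accounts in a given state, and also reports duplicate UIDs, which is one of the checks the Analyze command described in the next chapter performs per zone. The "empty" category reflects standard Unix passwd semantics (an empty field means no password is required) and is not a state the page says adnisd produces.

```python
# Constructed sample of "ypcat passwd.byname" output, in the format shown
# above (not captured from a real server).
SAMPLE_YPCAT = """\
paul:Xq2UvSkNngA:10000:10000:paul:/home/paul:/bin/bash
mlopez:!:10002:10000:Marco Lopez:/home/mlopez:/bin/bash
jsmith:!:10001:10000:John Smith:/home/jsmith:/bin/bash
kwong:!!:10003:10000:Kim Wong:/home/kwong:/bin/bash
tlee:ABCD!efgh12345$67890:10004:10000:Terry Lee:/home/tlee:/bin/sh
"""

# Markers the guide documents for the hash field.
NO_HASH_YET = "!"                               # new account, password not yet set
BLOCKED = "!!"                                  # disabled, locked, must change, or not zone-enabled
PLATFORM_PLACEHOLDER = "ABCD!efgh12345$67890"   # shown on some platforms for "must set password"

FIELDS = ("name", "hash", "uid", "gid", "gecos", "home", "shell")


def parse_passwd_map(text):
    """Split each passwd-style record into its seven colon-separated fields."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            raise ValueError(f"malformed passwd record: {line!r}")
        record = dict(zip(FIELDS, fields))
        record["uid"] = int(record["uid"])
        record["gid"] = int(record["gid"])
        records.append(record)
    return records


def classify_hash(field):
    """Name the state a hash field value represents."""
    if field == NO_HASH_YET:
        return "no-hash"
    if field == BLOCKED:
        return "blocked"
    if field == PLATFORM_PLACEHOLDER:
        return "placeholder"
    if field == "":
        # Standard Unix semantics, not an adnisd marker: no password required.
        return "empty"
    return "hash"


def summarize(text):
    """Count records per hash state."""
    counts = {}
    for record in parse_passwd_map(text):
        state = classify_hash(record["hash"])
        counts[state] = counts.get(state, 0) + 1
    return counts


def accounts_by_state(text, state):
    """Names of the accounts whose hash field is in the given state."""
    return [r["name"] for r in parse_passwd_map(text) if classify_hash(r["hash"]) == state]


def duplicate_uids(text):
    """UIDs shared by more than one account (the Analyze command checks this per zone)."""
    by_uid = {}
    for record in parse_passwd_map(text):
        by_uid.setdefault(record["uid"], []).append(record["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    # On a configured client: import subprocess and feed it
    # subprocess.run(["ypcat", "passwd.byname"], capture_output=True, text=True).stdout
    print("states:", summarize(SAMPLE_YPCAT))
    print("blocked accounts:", accounts_by_state(SAMPLE_YPCAT, "blocked"))
    print("no password required:", accounts_by_state(SAMPLE_YPCAT, "empty"))
    print("duplicate uids:", duplicate_uids(SAMPLE_YPCAT))
```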

Importing and creating additional NIS maps


The passwd.* and group.* maps are derived automatically from the information stored in Active Directory for the zone. Therefore, these derived maps include account information for any passwd and group NIS maps or configuration files that you have imported and migrated to Active Directory using the Import from Unix wizard as described in Using the Import from UNIX wizard on page 103. In addition to the user and group information, you can also use the Centrify DirectControl Network Information Service to service NIS client requests for network information or to make information from custom maps available.

Using the Centrify DirectControl Administrator Console, you can:
- Import network information from standard NIS maps, such as automount, automaster, and netgroup databases.
- Create new network maps.
- Create custom maps of information in key/value pairs.

Importing network information from existing NIS maps


You can import network information from standard NIS maps such as automount, netgroup, and automaster, if these maps exist in your environment. Unlike users and groups, however, you must have the NIS Extensions for the Centrify DirectControl Administrator Console installed to import information from other types of NIS maps.
Note: NIS Extensions are installed by default when you run the setup program. If you did not select this option, re-run the setup program and select the Centrify DirectControl Administrator Console > NIS Extensions component. If you have the NIS Extensions installed, you should see the NIS Maps node under each zone. For example:

Figure: You should see NIS Maps if you have the NIS Extensions installed.

To import a standard network NIS map into Active Directory:

1 Open the Centrify DirectControl Administrator Console.

2 In the console tree, select Zones, and open the specific zone you want to work with.

3 In the console tree, select NIS Maps, right-click, then click Import Maps.

4 Select whether you want to connect to the NIS server and domain or import the information from a text file, then click Next. If you are importing maps directly from an NIS server, type the name of the NIS domain and server. If you are importing a map from a text file, click Browse to navigate to the map file you want to import. If Centrify DirectControl can connect to the NIS server and domain, you can import the NIS maps directly from the server. If Centrify DirectControl cannot connect to the NIS server, you should export the NIS map to a text file and then import the information from the text file.

5 Select the NIS maps to import if you are importing directly from an existing NIS server, or type a map name and describe the file format if importing from a file, then click Next. If you are importing from a text file, you need to specify:
- Map name that describes the type of map being imported.
- Character used to separate fields in the map file.
- Column number that defines the start of the key field.
- Whether to include comments and the character used to designate comment lines.

For Centrify DirectControl to correctly interpret the map file, you need to provide the correct information about the file format, such as the type of separator used between fields. Because the NIS server does not include comments in response to service requests, you cannot import comments in NIS maps if you import directly from the NIS server and domain. If you want to import comments recorded in NIS maps, you must save the map to a text file and import from the file.

6 When the import is complete, click Finish.

7 After importing NIS maps, restart the adnisd service.


Creating new network NIS maps in Active Directory


If you cannot import network information from existing NIS maps, you can create new netgroup, automaster, and automount network maps by adding the appropriate information directly to Active Directory through the Centrify DirectControl Administrator Console. Once you add the information to Active Directory, the Centrify DirectControl Network Information Service can use the information to automatically generate a local cache of the map data and make the information in those generated maps available to NIS clients.

To create a new network NIS map in Active Directory:

1 Open the Centrify DirectControl Administrator Console.

2 In the console tree, select Zones, and open the specific zone you want to work with.

3 In the console tree, select NIS Maps, right-click, then click New and select the type of map you want to add.

Select this map type: To do this

netgroup map: Create a new, empty netgroup map. You can then open the empty map to add records. Note: Because the netgroup map is used to derive additional netgroup.* maps automatically, you cannot change the map name for this type of map.

autoMount map: Create a new, empty automount map. If you select this map, type a custom name for the new map, then click OK. You can then open the empty map to add records.

autoMaster map: Create a new, empty automaster map. If you select this map, choose either auto_master or auto.master as the map name, then click OK. You can then open the empty map to add records. Note: Because this map is used to retrieve the names of the autoMount maps, you cannot give this type of map a custom name.


4 In the details pane of the Centrify DirectControl Administrator Console, select the new empty map, right-click, then click New to add a new individual map record.

Figure: Select New to add a record to the map.

The file format and the fields used in individual map records depend on the type of map you are working with.

If the map is: Do this to add new records

netgroup: To create a new group: Click New > netgroup. Type a group name and optionally any comments, then click OK. To add members to the new group: Select the group name and right-click. Select Add Member > Entry to add a user, computer, and domain to the group or select Add Member > netgroup to add an existing group as a member of the selected group. For more information about defining fields in netgroup records, see the netgroup man page.

autoMount: To create a new automount record: Click New > Map entry. Type the Name to use for mounting a directory. Type the Network path, which specifies the absolute path to the directory to be mounted. You can also specify mount command line Options or Comments. These fields are optional. For more information about defining fields in automount records, see the automount man page.

autoMaster: To create a new automaster record: Click New > Map entry. Type the Mount point used. Type the Map name to be consulted for the specified mount point. You can also specify mount command line Options or Comments. These fields are optional. For more information about defining fields in automaster records, see the automaster man page.

Creating generic custom maps


You can create generic maps to publish any type of custom information that you want to make available to NIS clients. Generic custom maps consist of a simple key/value format and optional comments. You can also use generic maps to manually create standard NIS maps that consist of key/value pairs.

To add a custom map to Active Directory:

1 Open the Centrify DirectControl Administrator Console.

2 In the console tree, select Zones, and open the specific zone you want to work with.

3 In the console tree, select NIS Maps, right-click, then click New and select Generic map.

4 Type a name for the new map, then click OK.

5 In the details pane, select the new map, right-click, then click New > Map entry.

6 Type the appropriate information for the map record you are adding, then click OK. For example:
- Type the Key to use in a client request for looking up the corresponding value.
- Type the Value associated with the key.
- Type any optional Comments for the key/value pair.

Changing the map type


When you import or create NIS maps, the map type determines the fields defined. For example, a Generic map type consists of three fields: the Key field (required), the Value field (required), and the Comment field. If you don't select the correct map type, the Centrify DirectControl Network Information Service will not be able to interpret the records in the map correctly or respond to client requests with the proper information.

To change the map type of an existing NIS map:

1 Open the Centrify DirectControl Administrator Console.

2 In the console tree, select Zones, and open the specific zone you want to work with.

3 In the console tree, open NIS Maps, then select the map name you want to change. For example, if you have created a map named nethosts, select the nethosts map.

4 Right-click, then click Change Type and select the correct map type. For example, if the records in the nethosts map should consist of a Key, a Value, and an optional Comment, select Generic Map as the map type.

Note: If records have already been defined for the map using the incorrect map type, in most cases, you will need to modify the fields after changing the map type.

Maintaining map records in Active Directory


Once NIS maps are stored in Active Directory, you must maintain the records in Active Directory to ensure changes are reflected in the local map cache that the Centrify DirectControl Network Information Service uses to respond to NIS client queries. You can use the Centrify DirectControl Administrator Console to manually add, edit, or delete individual map records for any map. The specific fields available in each record, and which fields are required and which are optional, depend on the type of map you are editing. For example, the fields in an auto.master map entry are different from the fields in a netgroup map entry. For information about the fields in different types of maps, see Importing and creating additional NIS maps on page 275.

Modifying map records in Active Directory


To edit individual map records:

1 Open the Centrify DirectControl Administrator Console.

2 In the console tree, select Zones, and open the specific zone you want to work with.

3 In the console tree, open NIS Maps, then select the map you want to modify.

4 Right-click, then click Properties to modify the fields for the selected record or Delete to remove the record from the map.


Deleting a map stored in Active Directory


To remove a NIS map from Active Directory:

1 Open the Centrify DirectControl Administrator Console.

2 In the console tree, select Zones, and open the specific zone you want to work with.

3 In the console tree, open NIS Maps, then select the map you want to remove.

4 Right-click, then click Delete to remove the map from Active Directory.


Chapter 13

Troubleshooting authentication and authorization


This chapter describes how to use diagnostic tools and log files to retrieve information about the operation of Centrify DirectControl and to identify and correct problems within your environment. The following topics are covered:
- Understanding diagnostic tools and log files
- Analyzing zone information in Active Directory
- Configuring logging for Centrify DirectControl
- Collecting diagnostic information
- Working with DNS, Active Directory, and DirectControl
- Filtering the objects displayed

Understanding diagnostic tools and log files


Centrify DirectControl includes some basic diagnostic tools and a comprehensive logging mechanism to help you trace the source of problems if they occur. These diagnostic tools and log files allow you to periodically check your environment and view information about Centrify DirectControl operation, your Active Directory connections, and the configuration settings for individual UNIX and Linux computers. Although Centrify DirectControl logging is not enabled by default for performance reasons, log files provide a detailed record of Centrify DirectControl activity. This information can be used to analyze the behavior of adclient and communication with Active Directory to locate points of failure. However, log files and other diagnostic tools provide an internal view of operation and are primarily intended for Centrify DirectControl experts and technical staff. In most cases, you should only enable logging when you need to troubleshoot unexpected behavior, authentication failure, or problems with connecting to Active Directory or when requested to do so by Centrify Technical Support. Other troubleshooting tools, such as command line programs, can be used at any time to collect or display information about your environment.

Analyzing zone information in Active Directory


One important way you can troubleshoot your environment is by running the Analyze command. The Analyze command enables you to selectively check the integrity of zone information stored in Active Directory. With the Analyze wizard, you can check zones for a variety of potential problems, such as duplicate user IDs, duplicate groups, empty zones, orphaned data objects, or computers that have joined more than one zone.
Note: When you run the Analyze command, only the zones that are open are checked.

To check for problems with Centrify DirectControl information in the Active Directory forest:

1 Open the Centrify DirectControl Administrator Console. 2 If you are prompted to connect to a forest, specify the forest

domain or domain controller to which you want to connect.


3 In the console tree, select the Centrify DirectControl root node,

right-click, then click Analyze.


4 At the Welcome page, click Next.

286

Administrators Guide

5 Select the types of checks you want to perform, then click Next to generate the report.

Select this option          To do this

All
    Perform all of the data integrity checks.
    Note: If you do not register the administrative notification handler through the Setup Wizard or manually using ADSI, you should periodically run the Analyze command with All or Orphan UNIX data objects selected.

Computers joined to multiple zones
    Check for computers that have joined the domain using more than one zone. Each UNIX computer should reside in only one zone, but if you run the join command more than once, it is possible to have the same computer in more than one zone.

Duplicate groups in zones
    Check for duplicate UNIX group names or group identifiers (GIDs) in each open Centrify DirectControl zone.

Duplicate service principal names in entire forest
    Check for duplicate service principal names across the entire forest. Service principal names are required to be unique within an Active Directory forest.

Duplicate SFU zones
    Check for duplicate SFU zones that are set to manage the same NIS domain.

Duplicate users in zones
    Check for duplicate UNIX user names or user identifiers (UIDs) in each open Centrify DirectControl zone.

Duplicate zone default container
    Check for duplicate Zones parent container objects in the Active Directory forest.

Empty zones
    Check for zones that have no computers, users, or groups.

Inconsistency in granting NIS server permissions
    Check that there is a zone_nis_servers group in each zone that supports agentless authentication and that the group contains all the NIS servers that have been defined for the zone. The zone_nis_servers group is required to assign permissions to DirectControl-managed computers that act as NIS servers, and should not be manually deleted or modified. This option checks that the group exists and includes all of the computers acting as NIS servers to ensure data integrity.

Insufficient permission for agent version upgrade
    Check whether the computer object in Active Directory has sufficient permission to update the version number property of the Centrify DirectControl Agent in the computer's serviceConnectionPoint object. If the computer object does not have permission to change this property, the version number cannot be displayed.

Insufficient permission for OS version upgrade
    Check whether the computer object has sufficient permission to update its operating system property.

Orphan UNIX data objects
    Check for UNIX profile objects that have no parent objects because the parent object has been deleted. For example, if you delete a zone but do not delete the users, groups, or computers that were part of that zone, some UNIX data is left in Active Directory. From the Analysis Results you can then remove any UNIX-specific data left in Active Directory after the parent was deleted.

Zone created under another zone
    Check for zone information created in another zone's parent container.

Zone information in old format
    Check for zone information stored in an obsolete Centrify DirectControl zone format.

Zoneless computers
    Check for computer objects that have Centrify DirectControl information associated with them but do not belong to any zone.

6 Review the result summary, then click Finish.

7 If the result summary indicates any issues, you can view the details by selecting Analysis Results in the console tree and viewing the information listed in the right pane. For additional information about a specific warning or error, select it, right-click, then select Properties.

Understanding common scenarios that generate results

For most organizations, it is appropriate to check the data integrity of the Active Directory forest on a regular basis. Although running the Analyze command frequently may not be necessary for small networks with few domain controllers, there are several common scenarios that you should consider to determine how often you should check the forest for potential problems. The most likely reasons for data integrity issues stem from:

  Multiple administrators performing concurrent operations.
  Administrators using different domain controllers to perform a single operation.
  Replication delays that allow duplicate or conflicting information to be saved in Active Directory.
  Insufficient permissions that prevent an operation from being successfully completed.
  Network problems that prevent an operation from being successfully completed.
  Partial or incomplete upgrades that result in inconsistency of the information stored in Active Directory.

Running Analyze periodically helps to ensure the issues these scenarios can cause are reported in the Analysis Results, so you can take corrective action.

Responding to Analysis Results


Depending on the type of warning or error generated in the Analysis Results, you may be able to take corrective action or access additional information. For example, if a computer account lacks the necessary permission to update Active Directory with the agent version it currently has installed, the Analysis Results enable you to update the computer account's permissions to allow changes to that attribute.


The following table describes the warnings and errors you may see in the Analysis Results after running the Analyze wizard and how to resolve potential issues.

Check: Computers joined to multiple zones
Result: If there are any computers joined to multiple zones, an error is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if an administrator runs adleave with the --force option, then runs adjoin to join the computer to a different zone or domain without removing the old computer profile from Active Directory. You should identify the appropriate zone for the computer, then use the Centrify DirectControl Administrator Console to delete the computer profile from any additional zones.

Check: Duplicate groups in zone
Result: If there are any duplicate groups in a zone, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate group profile to be added to a zone. For example, if two administrators add the same group to a zone using different domain controllers, there will be duplicate group profiles after the domain controllers complete replication. You should use the Centrify DirectControl Administrator Console or ADSI Editor to delete the duplicate group profiles from the zone.

Check: Duplicate service principal name in the forest
Result: If any duplicate service principal names (SPNs) are found for users or computers in the forest, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. Right-click the warning and click Properties to identify the duplicate SPN. Open the account properties for the user or computer and modify or remove the duplicate servicePrincipalName value. Resolve these promptly: when two accounts carry the same SPN, the KDC cannot determine which account's key to use when issuing service tickets for that name, so Kerberos authentication to the affected service fails.

Check: Duplicate users in zone
Result: If there are any duplicate users in a zone, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate user profile to be added to a zone. For example, if two administrators add the same user to a zone using different domain controllers, there will be duplicate user profiles after the domain controllers complete replication. You should use the Centrify DirectControl Administrator Console or ADSI Editor to delete the duplicate user profiles from the zone.

Check: Duplicate SFU zones
Result: If more than one DirectControl SFU zone is found in the forest, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. Because a DirectControl SFU zone is associated with an Active Directory SFU schema extension, there should be at most one SFU zone in an Active Directory forest. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate to be created. You should use the Centrify DirectControl Administrator Console or ADSI Editor to delete any duplicate SFU zones.

Check: Duplicate zone default container
Result: If a duplicate default parent container for zones is found, a warning is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. In general, this issue only occurs if multiple administrators perform concurrent operations or there are replication delays that allow a duplicate default container for new zones to be created. Having more than one default parent container for zones can result in an unexpected default value in the Create New Zone wizard. You should use the ADSI Editor to delete any duplicate Zones parent containers from the forest.

Check: Empty zones
Result: If any zone does not contain users, groups, or computers, a warning is displayed for each type of object. For example, if a zone has computers and groups, but no users, only the user warning is displayed for that zone.
Responsive action: No responsive action can be taken directly within the Analysis Results for these issues. In general, this issue occurs early in a deployment before you have populated zones. You should use the Centrify DirectControl Administrator Console to add missing objects to the zone. If the empty zone is not a valid zone, right-click the zone and select Delete.

Check: Inconsistency in granting NIS server permissions
Result: If the Active Directory group zone_nis_servers is not found in a zone configured for agentless authentication, an error is displayed.
Responsive action: Right-click the error in the Analysis Results, then select Create NIS servers group to create the zone_nis_servers group for agentless authentication. Note that your account must have permission to create this object for the operation to be successful.
Result: If the membership of the zone_nis_servers group is not consistent with the computers authorized as NIS servers, a Membership inconsistent error is displayed.
Responsive action: Right-click the error in the Analysis Results, then select Fix group membership to modify the membership list for the zone_nis_servers group.
Result: If a zone is configured to support agentless authentication and the zone_nis_servers group exists but does not contain all computers in the zone, an informational alert is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. You should verify that all of the computers you want to use as NIS servers in the zone are configured to allow agentless authentication.

Check: Insufficient permissions for agent update
Result: If a computer account does not have permission to write to the keywords attribute, an error is displayed.
Responsive action: Right-click the error in the Analysis Results, then select Grant permission to computer account to update the permissions on the computer account object.

Check: Insufficient permissions for OS upgrade
Result: If a computer account does not have permission to modify operating system properties, a warning is displayed.
Responsive action: Right-click the error in the Analysis Results, then select Grant computer permission to modify operating system properties to update the permissions on the computer account object.

Check: Zone information in old format
Result: If a zone was created using the DirectControl 2.x console and includes a Private Groups container, a warning is displayed.
Responsive action: If any computers in the zone are running DirectControl 2.x or 3.x agents, you should ignore this warning to ensure compatibility for those agents. If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove privateGroupCreation attribute to update the zone format.
Result: If a computer profile was created using the DirectControl 2.x console, the warning Unix computer is in old format is displayed.
Responsive action: If any computers in the zone are running DirectControl 2.x or 3.x agents, you should ignore this warning to ensure compatibility for those agents. If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy and unix_enabled attribute to update the computer profile in the zone.
Result: If a group profile was created using the DirectControl 2.x console, the warning Unix group is in old format is displayed.
Responsive action: If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy attribute to update the group profile in the zone.
Result: If a user profile was created using the DirectControl 2.x console, the warning Unix user is in old format is displayed.
Responsive action: If all of the agents in the zone have been upgraded, you can right-click the warning in the Analysis Results, then select Remove managedBy and app_enabled attribute to update the user profile in the zone.

Check: Orphan UNIX data object
Result: If a computer, group, or user profile exists, but no corresponding Active Directory computer, group, or user object is found, the warning Orphan UNIX data object is displayed.
Responsive action: In general, this issue occurs if an administrator removes an Active Directory computer, group, or user object manually using ADSI Editor or Active Directory Users and Computers but the corresponding data is not removed for the UNIX profile. Right-click the warning in the Analysis Results, then select Remove orphan profile to remove all of the UNIX properties associated with the orphan profile.
Result: If a computer, group, or user profile has inconsistent links, an informational Inconsistent links alert is displayed.
Responsive action: Computer, group, and user profiles are associated with Active Directory computer, group, and user objects through either the managedBy attribute (DirectControl 2.x) or a parentLink value in the keywords attribute (DirectControl 3.x and later). If the links refer to different Active Directory objects, you will see this alert. Right-click the alert in the Analysis Results, then select Overwrite with the active link to remove outdated links.
Result: If a computer, group, or user profile does not have a parentLink value defined, a Missing parentLink warning is displayed.
Responsive action: Right-click the warning in the Analysis Results, then select the action offered for Missing parentLink to add the parentLink value to the keywords attribute.

Check: Zone created under another zone
Result: If the parent container for a zone is another zone object, an error is displayed.
Responsive action: No responsive action can be taken directly within the Analysis Results for this issue. You should move the zone to another parent container or delete and recreate the zone in a different location.

Check: Zoneless computers
Result: The warning "The computer ObjectName contains Centrify information but it is not in a zone" is displayed, where ObjectName is the name of the computer.
Responsive action: Right-click the warning in the Analysis Results, then select Move to Zone to search for and select the zone you want to place the computer in.

Configuring logging for Centrify DirectControl


By default, Centrify DirectControl logs errors, warnings and informational messages in the UNIX syslog and /var/log/messages files along with other kernel and program messages. Although these files contain valuable information for tracking system operations and troubleshooting issues, occasionally you may find it useful to activate Centrify DirectControl-specific logging and record that information in a Centrify DirectControl log file.

Enabling logging for the Centrify DirectControl Agent


To enable Centrify DirectControl logging on the Centrify DirectControl Agent:

1 Log in as or switch to the root user.

2 Run the addebug command:
/usr/share/centrifydc/bin/addebug on

Note: You must type the full path to the command because addebug is not included in the path by default.

Once you run this command, all of the Centrify DirectControl activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging on, the addebug program records messages from PAM and NSS requests in the /var/centrifydc/centrify_client.log file. Therefore, you should also check that file location if you enable logging.

For performance and security reasons, you should only enable Centrify DirectControl logging when necessary, for example, when requested to do so by Centrify Technical Support, and for short periods of time to diagnose a problem. Keep in mind that sensitive information may be written to this file and you should evaluate the contents of the file before giving others access to it. When you are ready to stop logging activity, run the addebug command with the off option:
/usr/share/centrifydc/bin/addebug off
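As an added example (not part of the guide and not Centrify's own code), the following POSIX shell script wraps the addebug procedure so that logging is switched on only for the duration of one command, switched off again even if that command fails, and both log files named above are copied into a directory that only root can read. It assumes the addebug path and log file locations given above; the ADDEBUG, CDC_LOG and CDC_CLIENT_LOG variables exist only so the script can be exercised with stand-in files.

```shell
#!/bin/sh
# Added example, not Centrify code: run one command with agent logging on,
# then turn logging off again and collect the log files.
# Paths default to the locations given in the guide; the variables can be
# overridden (for example with stub files) when exercising the script.
ADDEBUG=${ADDEBUG:-/usr/share/centrifydc/bin/addebug}
CDC_LOG=${CDC_LOG:-/var/log/centrifydc.log}
CDC_CLIENT_LOG=${CDC_CLIENT_LOG:-/var/centrifydc/centrify_client.log}

# capture_debug OUTDIR CMD [ARGS...]
# Enables logging, runs CMD, disables logging regardless of CMD's result,
# copies the logs into OUTDIR and returns CMD's exit status.
capture_debug() {
    outdir="$1"; shift
    old_umask=$(umask)
    umask 077                        # the logs may contain sensitive data
    mkdir -p "$outdir" || { umask "$old_umask"; return 1; }
    "$ADDEBUG" on || { umask "$old_umask"; return 1; }
    "$@"
    cmd_rc=$?
    "$ADDEBUG" off                   # always switch logging back off
    for f in "$CDC_LOG" "$CDC_CLIENT_LOG"; do
        # centrify_client.log only exists if adclient was down during the run
        [ -f "$f" ] && cp "$f" "$outdir/"
    done
    umask "$old_umask"
    return "$cmd_rc"
}

# Usage when run directly, for example: capture_debug /root/cdc-debug id someuser
if [ "$#" -ge 2 ]; then
    capture_debug "$@"
fi
```

Because the copies are created under umask 077, the collected logs are readable only by root until you have reviewed them, which is the check the paragraph above asks for before handing the files to anyone else.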

Setting the logging level


You can define the level of detail written to the log by setting the log configuration parameter in the Centrify DirectControl configuration file:
log: level

With this parameter, the log level works as a filter to define the type of information you are interested in and ensure that only the messages that meet the criteria are written to the log. For example, if you want to see warning and error messages but not informational messages, you can change the log level from INFO to WARN. By changing the log level, you can reduce the number of messages included in the log and record only messages that indicate a problem. Conversely, if you want to see more detail about system activity, you can change the log level to INFO or DEBUG to log information about operations that do not generate any warnings or errors.


You can use the following keywords to specify the type of information you want to record in the log file:

Specify this level    To log this type of information

FATAL
    Fatal error messages that indicate a system failure or other severe, critical event. In addition to being recorded in the system log, this type of message is typically written to the user's console. With this setting, only the most severe problems generate log file messages.

ERROR
    System error messages for problems that may require operator intervention or from which system recovery is not likely. With this setting, both fatal and less-severe error events generate log file messages.

WARN
    Warning messages that indicate an undesirable condition or describe a problem from which system recovery is likely. With this setting, warnings, errors, and fatal events generate log file messages.

INFO
    Informational messages that describe operational status or provide event notification. With this setting, informational messages are logged in addition to warnings, errors, and fatal events.

Logging details for a specific component


By default, when you specify a logging level, it applies to all of the Centrify DirectControl components that log activity. The logging system, however, provides a hierarchical organization of logical log names for the components within DirectControl, and each of these logical logs can be configured to provide more targeted analysis of its specific operations. For example, if you set your base logging level to only report serious errors but you want to see informational, warning, and error messages for adclient, you can add a separate logging level parameter for the log messages generated by adclient:

# Use the following setting to set the base level of detail
# for logging to record Error messages:
log: ERROR
# Add the name of the adclient logical log and specify the
# logging level to use for it and its children:
log.com.centrify.adclient: INFO
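To make the filtering rule concrete, here is an added example (not code from the guide or from Centrify) in POSIX shell that resolves the effective level for a logger name by walking its dotted name up towards the root log entry, and then decides whether a message at a given severity would be written. The configuration fragment is constructed for the example; the log.com.centrify.adclient.ldap name and its DEBUG level are assumptions, not names documented on this page.

```shell
#!/bin/sh
# Added example, not code from the guide or from Centrify: resolves the
# effective level for a logger name from "log" / "log.<name>" entries and
# decides whether a message of a given severity would be written.

# Constructed configuration fragment. The log.com.centrify.adclient.ldap
# entry and its DEBUG level are assumptions made for this example.
CONF='log: ERROR
log.com.centrify.adclient: INFO
log.com.centrify.adclient.ldap: DEBUG'

# Numeric rank for each severity so levels can be compared.
level_rank() {
    case "$1" in
        FATAL) echo 5 ;;
        ERROR) echo 4 ;;
        WARN)  echo 3 ;;
        INFO)  echo 2 ;;
        DEBUG) echo 1 ;;
        *)     echo 0 ;;
    esac
}

# Level configured for exactly one key ("log" or "log.<name>"), or nothing.
configured_level() {
    printf '%s\n' "$CONF" | awk -v key="$1" -F': *' '$1 == key { print $2; exit }'
}

# Walk from the most specific logger name up to the root "log" entry and
# return the first level found: a child inherits its nearest ancestor's level.
effective_level() {
    name="$1"
    while [ -n "$name" ]; do
        lvl=$(configured_level "log.$name")
        if [ -n "$lvl" ]; then
            echo "$lvl"
            return 0
        fi
        case "$name" in
            *.*) name="${name%.*}" ;;   # drop the last dotted component
            *)   name="" ;;
        esac
    done
    configured_level log
}

# Succeed if a message at severity $2 from logger $1 passes the filter.
would_log() {
    [ "$(level_rank "$2")" -ge "$(level_rank "$(effective_level "$1")")" ]
}

# Show the effective level for a few logger names when run directly.
for lg in com.centrify.adclient com.centrify.adclient.ldap com.centrify.adclient.kerberos com.centrify.pam; do
    printf '%-34s %s\n' "$lg" "$(effective_level "$lg")"
done
```

With this configuration a WARN message from com.centrify.pam is dropped (its effective level is the root ERROR), while the same message from com.centrify.adclient.kerberos is written because it inherits INFO from the adclient entry.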


Logging for the Centrify DirectControl Administrator Console


Although most logging activity focuses on the actions of the Centrify DirectControl Agent, you can also enable or disable logging for the Centrify DirectControl Administrator Console and configure the types of messages to record in the log file by selecting options in the Centrify DirectControl Administrator Console. To configure logging for operations handled through the Centrify DirectControl Administrator Console:

1 Open the Centrify DirectControl Administrator Console.

2 In the console tree, select Centrify DirectControl, right-click, then click Options.

3 Click the Log Settings tab, select the type of messages to log, then click OK.

If you enable logging, the log file is located by default in the Documents and Settings\user_name\Application Data\Centrify DirectControl\Log folder and is updated as you perform different operations in the Centrify DirectControl Administrator Console.

Logging to the circular in-memory buffer


If the Centrify DirectControl Agent's adclient process is interrupted or stops unexpectedly, a separate watchdog process (cdcwatch) automatically enables an in-memory circular buffer that writes log messages passed to the logging subsystem to help identify what operation the adclient process was performing when the problem occurred. The in-memory buffer is also mapped to an actual file, so that if there is a system crash or a core dump, the last messages leading up to the event are saved. Messages from the in-memory circular buffer have the prefix _cbuf, so they can be extracted from a core file using the strings command.

The in-memory circular buffer allows debug-level information to be automatically written to a log file even if debugging is turned off. It can be manually enabled by restarting the adclient process with the -M command line option. The default size of the buffer is 128K, which should be sufficient to log approximately 500 messages. Because enabling the buffer can impact performance, you should not manually enable the circular buffer or modify its size or logging level unless you are instructed to make the changes by Centrify Support. Treat a core file that contains the buffer with the same care as the debug log itself, because the same sensitive information can be recovered from it.

Collecting diagnostic information


You can use the adinfo command to display or collect detailed diagnostic and configuration information for a local UNIX computer. Options control the type of information and level of detail displayed or collected. The options you are most likely to use to collect diagnostic information are the --config, --diag, or --support options, which require you to be logged in as root. You can redirect the output from any adinfo command to a file for further analysis or to forward information to Centrify Technical Support. For more information about the options available and the information returned with each option, see Using adinfo on page 389. To display the basic configuration information for the local UNIX computer, you can type:
adinfo

If the computer has joined a domain, this command displays information similar to the following:
Local host name:    magnolia
Joined to domain:   ajax.org
Joined as:          magnolia.ajax.org
Current DC:         ginger.ajax.org
Preferred site:     Default-First-Site-Name
Zone:               ajax.org/Centrify/Zones/default
Last password set:  2006-12-28 14:47:57 PST
CentrifyDC mode:    connected


Working with DNS, Active Directory, and DirectControl


Centrify DirectControl is designed to perform the same set of DNS lookups that a typical Windows workstation performs to find the nearest domain controller for the local site. This DNS lookup enables the DirectControl agent to find domain controllers as they become available on the network or as the computer is relocated to another network location where different domain controllers are present. DirectControl also uses DNS to find the Kerberos service providers and the Global Catalog service providers for the Active Directory forest. In a typical Windows environment, the DNS server role is updated dynamically to contain the service locator (SRV) DNS entries for Active Directory's LDAP, Kerberos, and Global Catalog services, so this information is available for Centrify DirectControl to use. However, there are some configurations of DNS that may not provide all of the SRV records for the set of domain controllers that provide Active Directory service to the enterprise. You may also run into problems if DNS for the enterprise runs on UNIX servers that cannot locate your Active Directory domain controllers. The next sections describe how you can adjust DNS or DirectControl to ensure they work together properly in your environment.

Configuring the DNS server role on Windows


One of the most common scenarios for running DNS in an environment with Active Directory is to add the DNS server role to a Windows domain controller or another Windows server. If you are already using DNS in Active Directory and dynamically publishing DNS service records, no additional configuration for Centrify DirectControl should be necessary. If you are using DNS in Active Directory but have disabled dynamic updates, you should change the configuration for the DNS server role to allow dynamic updates. Making this change will allow Centrify DirectControl to properly locate domain controllers in the site and select an appropriate new domain controller if a connection to its primary domain controller is lost or the managed computer is moved to a new location on the network.

Configuring DNS running on UNIX servers


If your environment is configured to use UNIX-based DNS servers instead of Active Directory-based DNS servers and the UNIX system is configured to use DHCP, the nameserver entry in the /etc/resolv.conf file is set automatically to point to a DNS server. If this DNS server is aware of the Active Directory domain you want to join, no further changes are needed. If the DNS server identified as a nameserver in the /etc/resolv.conf file is not aware of the domain you are trying to join, for example, because you are using a test domain or a separate evaluation environment, you need to either disable DHCP or manually set the location of the Active Directory domain controller in the Centrify DirectControl configuration file.

Checking whether DNS can resolve the domain controller

In most cases, you can verify whether a UNIX computer can locate the domain controller and related services by checking the nameserver entry in the /etc/resolv.conf file and by running the ping command against the name of an Active Directory domain controller. The nameserver entry should be the IP address of a DNS server that hosts, or can forward to, the DNS zone for the domain you want to join, typically one of the domain controllers in that domain. If the ping command succeeds, the DNS server can resolve the domain controller's name, which indicates that it is aware of the Active Directory domain you want to join. Keep in mind what ping does and does not prove: it confirms only that the host name resolves to an address and that ICMP is permitted on the path. It does not confirm that the service location (SRV) records for LDAP, Kerberos, and the Global Catalog are published, and those records are what DirectControl actually uses to find domain controllers. Conversely, a ping that fails because ICMP is filtered is not by itself a DNS problem. To check the SRV records directly, query them with a tool such as dig or nslookup, for example dig SRV _ldap._tcp.dc._msdcs.domain_name. If the domain controller cannot be resolved or the SRV records are missing, you will need to take further action to resolve the issue.
Resolving issues in locating Active Directory domain controllers

If the UNIX computer cannot find the Active Directory domain controller, there are several ways you can resolve the issue. Depending on your environment and specific situation, you should consider doing one of the following:

  Set up DNS on the target Active Directory domain controller and then manually configure the nameserver entry in the /etc/resolv.conf file to use that domain controller, as described in Setting up DNS service on a target domain controller on page 305.
  Set the Centrify DirectControl configuration file to manually identify the domain controllers you want to use, as described in Setting the domain controller in the configuration file on page 307.

Setting up DNS service on a target domain controller


One of the simplest ways to ensure that the UNIX computers can locate the Active Directory domain controller and related services is to use the DNS service on the Active Directory domain controller as a local DNS server that forwards to the enterprise DNS servers. You do this by configuring the DNS server role on the Active Directory domain controller, then specifying that domain controller in the UNIX computer's /etc/resolv.conf file. You then add a forwarder to the local DNS on the domain controller that passes on all lookups it cannot satisfy to an enterprise DNS server. This configuration does not require any changes to the enterprise DNS servers: any lookup request from the domain controller is simply a query from another computer in the enterprise. The UNIX computers configured to use this DNS service receive the appropriate Service Location (SRV) records and Global Catalog updates for the Active Directory domain controller, and any request the local DNS service cannot answer is forwarded to the enterprise DNS servers.


Adding a DNS server role to an Active Directory domain controller

Note: The specific steps for configuring the DNS server vary depending on whether you are configuring a Windows 2000 Server or a Windows Server 2003 computer. The following steps describe how to configure DNS on Windows Server 2003. If you are configuring DNS on Windows 2000, you may want to consult your Windows documentation for differences that are specific to your environment.

To configure the DNS service on a Windows Server 2003 domain controller:

1 Open the Start Menu and click Manage Your Server.

2 Click Add or remove a role, review the preliminary steps, then click Next.

3 Select DNS Server from the list of Server Roles. If the DNS Server role is not currently configured, click Next.

Note: If this server role is already configured on this computer, you can skip the next steps and go on to Configuring UNIX to use DNS service on the target domain controller on page 307.

4 Review the summary of steps, then click Next to display the Configure a DNS Server Wizard. Click Next to configure the DNS server lookup zones.

5 Select the Create a forward lookup zone (recommended for small networks) option, then click Next.

6 Select This server maintains the zone, then click Next.

7 Type the domain name component of the Active Directory domain controller's fully qualified name, that is, the DNS name of the Active Directory domain, then click Next. In most cases, you should specify a sub-domain of the top-level domain name. For example, if the forest root domain for the organization is acme.com, you might have a sub-domain of labs.acme.com.

8 Select the Allow both nonsecure and secure dynamic updates option, then click Next. Be aware that nonsecure dynamic updates let any host that can reach this server register or overwrite records in the zone, including the SRV records DirectControl relies on to locate domain controllers. If the zone is stored in Active Directory, select Allow only secure dynamic updates instead, so that only authenticated computers can update their own records.

9 Type the IP address for at least one of the enterprise DNS servers, then click Next. Setting at least one valid IP address ensures that any request the local DNS server cannot answer will be forwarded to a valid enterprise DNS server.

10 Click Finish to complete the configuration of the DNS server.

Once you have configured DNS on the local computer, the local computer uses the local DNS server as its primary DNS server.
Configuring UNIX to use DNS service on the target domain controller

Once you have configured the DNS service to contain the required Active Directory entries, you simply need to modify the UNIX computer to send all DNS lookup requests to the newly configured DNS server. To configure the UNIX computer to use the new DNS server:

1 Open the /etc/resolv.conf file.

2 Set the IP address of the nameserver entry to the IP address of the DNS server on the Active Directory domain controller you just configured.

If the UNIX computer obtains its resolver settings from DHCP, the DHCP client may rewrite /etc/resolv.conf when the lease is renewed. In that case, either disable DHCP on the computer or configure the DHCP client to keep the nameserver entry you set.

Setting the domain controller in the configuration file


If you are not able to use DNS to locate the Active Directory domain controllers on your network, you can manually specify one or more domain controllers in the Centrify DirectControl configuration file. To manually specify a domain controller, add the following entry to the Centrify DirectControl configuration file, /etc/centrifydc/centrifydc.conf:
dns.dc.domain_name: server_name [server_name ...]

For example, if you want to use Centrify DirectControl in a domain called mylab.test and the domain controller for this domain is dc1.mylab.test, you would add the following line to the /etc/centrifydc/centrifydc.conf file:
dns.dc.mylab.test: dc1.mylab.test

Chapter 13 Troubleshooting authentication and authorization

307

Working with DNS, Active Directory, and DirectControl

Note  You must specify the name of the domain controller, not its IP address. In addition, the domain controller name must be resolvable using either DNS or the local /etc/hosts file. Therefore, you must add entries to the local /etc/hosts file for each domain controller you want to use if you are not using DNS or if the DNS server cannot locate your domain controllers.

To specify multiple servers for a domain, use a space to separate the domain controller server names. For example:
dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test

Centrify DirectControl will attempt to connect to the domain controllers in the order specified. For example, if the domain controller dc1.mylab.test cannot be reached, Centrify DirectControl will then attempt to connect to dc2.mylab.test. If the Global Catalog for a given domain is on a different domain controller, you can add a separate dns.gc.domain_name entry to the configuration file to specify the location of the Global Catalog. For example:
dns.gc.mylab.test: dc3.mylab.test

You can add as many domain and domain controller entries to the Centrify DirectControl configuration file as you need. Because the entries manually specified in the configuration file override any site settings for your domain, you can completely control DirectControl's binding to the domains in your forest through this mechanism.

Note  In most cases, you should use DNS whenever possible to locate your domain controllers. Using DNS ensures that any changes to the domain topology are handled automatically through the DNS lookups. The settings in the configuration file provide a manual alternative to looking up information through DNS for those cases when using DNS is not possible. If you use the manually-defined entries in the configuration file and the domain topology is changed by an Active Directory administrator, you must manually update the location of the domains in each configuration file.
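The following script is an added example and is not part of the Centrify guide or its fixdns script. It reads dns.dc.<domain> and dns.gc.<domain> overrides from a centrifydc.conf-style file and checks each listed server against the two rules above: it must be a host name rather than an IP address, and it must be resolvable through /etc/hosts or DNS. The sample config and hosts file are constructed, the file paths are placeholders, and the DNS fallback assumes getent is available.

```shell
#!/bin/sh
# Added example (not part of the Centrify guide): validate the manual
# domain-controller overrides (dns.dc.<domain> / dns.gc.<domain>) in a
# centrifydc.conf-style file. Each listed server must be a host name, not
# an IP address, and must resolve through /etc/hosts or DNS.
# The sample files below are constructed; the paths are placeholders.

SAMPLE_CONF="${SAMPLE_CONF:-${TMPDIR:-/tmp}/centrifydc.conf.sample}"
SAMPLE_HOSTS="${SAMPLE_HOSTS:-${TMPDIR:-/tmp}/hosts.sample}"

# write_samples -> creates a constructed config and hosts file for the demo
write_samples() {
  cat > "$SAMPLE_CONF" <<'EOF'
# constructed centrifydc.conf fragment
dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test
dns.gc.mylab.test: dc3.mylab.test
dns.dc.other.test: 10.0.0.5
EOF
  cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed /etc/hosts
127.0.0.1 localhost
172.27.20.1 dc1.mylab.test dc1
172.27.20.2 dc2.mylab.test
EOF
}

# dc_servers CONF KEY -> prints the space-separated server list for KEY
# (for example dns.dc.mylab.test), or nothing if KEY is not set
dc_servers() {
  awk -v key="$2" '$1 == (key ":") { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# is_ip NAME -> succeeds if NAME is a dotted-quad IPv4 address
is_ip() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
}

# in_hosts NAME HOSTSFILE -> succeeds if NAME is listed as a host name
# (any column after the address) on a non-comment line of HOSTSFILE
in_hosts() {
  awk -v n="$1" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                 END { exit !found }' "$2"
}

# check_entry CONF HOSTSFILE KEY -> prints one OK/BAD line per server and
# fails if any server is an IP address or cannot be resolved.
# DNS fallback uses getent (assumed present on the platform).
check_entry() {
  conf=$1; hosts=$2; key=$3; rc=0
  for srv in $(dc_servers "$conf" "$key"); do
    if is_ip "$srv"; then
      echo "BAD  $key: $srv is an IP address; the guide requires a host name"
      rc=1
    elif in_hosts "$srv" "$hosts"; then
      echo "OK   $key: $srv is listed in $hosts"
    elif getent hosts "$srv" >/dev/null 2>&1; then
      echo "OK   $key: $srv resolves through DNS"
    else
      echo "BAD  $key: $srv is neither in $hosts nor resolvable through DNS"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone demo: run with --demo to check the constructed sample files.
if [ "${1:-}" = "--demo" ]; then
  write_samples
  for key in dns.dc.mylab.test dns.gc.mylab.test dns.dc.other.test; do
    check_entry "$SAMPLE_CONF" "$SAMPLE_HOSTS" "$key" || true
  done
fi
```

Point SAMPLE_CONF and SAMPLE_HOSTS at the real /etc/centrifydc/centrifydc.conf and /etc/hosts to check a live system before joining.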


Using the fixdns script

Centrify DirectControl includes a fixdns script that you can use to inspect your environment and make the necessary configuration file changes for you. To run this script, you need to specify the domain controller name and IP address:
fixdns domain_controller_name IP_address

For example, if you intend to join the domain mytest.lab and the domain controller for that domain is dc1.mytest.lab and its address is 172.27.20.1, you would run the following command:
fixdns dc1.mytest.lab 172.27.20.1

The fixdns script will then make the necessary changes to the /etc/hosts file and the DirectControl configuration file.

Note  This script does not update the /etc/resolv.conf file. If the script cannot locate the domain controller using the existing /etc/resolv.conf settings, it will assume that you want to use settings from the configuration file.

Filtering the objects displayed


For performance or security reasons, you may want to filter or limit the objects displayed in the Centrify DirectControl Administrator Console. To filter the objects listed in the Centrify DirectControl Administrator Console:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Centrify DirectControl, right-click, then click Options.


3 Click the Filter Settings tab.

   Select Load all zones from connected forest to load all zones in the forest. Uncheck this option to manually load zones. If you select this option, you cannot close any zones except those you opened manually (before selecting the Load all zones... option).
   Select Show disabled Active Directory accounts to include disabled computer and user accounts in the Centrify DirectControl Administrator Console. Uncheck this option to hide disabled objects.
   Select Show orphaned computer, user and group profiles to include users and groups that have UNIX profiles without a corresponding user or group object in the Centrify DirectControl Administrator Console. Uncheck this option to hide orphan profiles.
   Set the Maximum number of items to be displayed in the list to limit the number of objects displayed in the Centrify DirectControl Administrator Console, up to the total maximum allowed (65535). This setting applies to most of the objects listed in the Centrify DirectControl Administrator Console, including computers, users, groups, pending users and pending groups. Lowering the maximum number of items displayed improves performance when browsing the listed items. This setting does not affect the number of items you can define, only the number displayed.
4 Click OK.


Appendix A

Using Centrify DirectControl UNIX commands


This appendix provides an overview of the command line interface and complete reference information for the command line programs you can run on Centrify DirectControl-managed systems. The following topics are covered:
   Understanding when to use command line programs
   Displaying usage information and man pages
   Understanding common result codes
   Using adjoin
   Using adleave
   Using adcheck
   Using adlicense
   Using adpasswd
   Using adupdate
   Using adquery
   Using adgpupdate
   Using adinfo
   Using addebug
   Using adobfuscate
   Using adrmlocal
   Using adfinddomain
   Using adfixid
   Using adflush
   Using adid
   Using adkeytab
   Using adsmb
   Using adsetgroups
   Using adclient
   Using adcache
   Using adreload
   Using addns
   Using dzdo
   Using dzinfo
   Using dzsh
   Using nisflush
   Using OpenLDAP commands


Understanding when to use command line programs


The UNIX command line programs are installed by default when you install the Centrify DirectControl Agent on a computer. The commands are typically installed in one of the following locations: the /usr/sbin directory, the /usr/bin directory, or the /usr/share/centrifydc/bin directory. The command line programs allow you to perform basic Active Directory administrative tasks directly from a UNIX shell or using a shell script. These commands use the underlying Centrify DirectControl service library to enable you to add a UNIX, Linux, or Mac OS X computer to an Active Directory domain, leave the Active Directory domain, change Active Directory user passwords, and return detailed Active Directory, network, and diagnostic information for a host computer.

You should use the UNIX command line programs interactively or in shell scripts when you must take action directly from a UNIX computer, for example to join or leave a domain, or when taking action from the UNIX computer is most convenient, for example when individual users want to set new Active Directory passwords from their UNIX login shell.

You use these commands to perform specific tasks, for example:
   The most important command is the adjoin command. You must use adjoin to add a UNIX computer to an Active Directory domain, so it is the command you use first and run on each UNIX computer.
   You should use adleave if you want to remove a UNIX computer from its current Active Directory domain or from the Active Directory forest entirely.
   You can use adpasswd to change an Active Directory account password from a UNIX computer.
   You can use adupdate to add, delete, or modify Active Directory users and groups in the current zone.
   You can use adquery to retrieve information from Active Directory for a user or group.
   You can use adgpupdate to update computer-based and user-based group policies applied to a UNIX computer.
   You can use adinfo to collect and display detailed diagnostic and configuration information for a UNIX computer and its Active Directory domain.

Displaying usage information and man pages


You can display a summary of usage information for any of the UNIX command line programs by typing the command and the --help or -h option. For example, to see usage information for the adleave command:
adleave --help

The usage information displayed is a summary of the valid command line options and required arguments and a brief description of each option. For more complete information about any command, you can review the information in the command's manual page. For example, to see the manual page for the adleave command:
man adleave

Understanding common result codes


All of the Centrify DirectControl command line programs share a common set of return codes that describe the result of the operation that the program attempted to perform. The following table lists the result codes that are reserved for use by all of the command line programs.
Result  Error name                    Indicates
0       ERR_SUCCESS                   Successful completion of the operation.
        ERR_OTHERS                    Miscellaneous errors occurred during the operation.
        ERR_USAGES                    Usage error occurred during the operation.
8       ERR_OP_ABORTED                Operation aborted by user.
9       ERR_ROOT_PRIV                 Root privilege is required for the operation.
10      ERR_NOT_JOINED                Computer is not currently joined to any Active Directory domain.
11      ERR_ALREADY_JOINED            Computer is currently joined to an Active Directory domain.
12      ERR_JOINED_ANOTHER_DOMAIN     Computer is currently joined to another Active Directory domain.
13      ERR_ADCLIENT_DOWN             The adclient process is not running or not available.
14      ERR_ADCLIENT_DISCONNECTED     The adclient process is running in disconnected mode.
15      ERR_ADLCIENT_STARTUP          The adclient process failed to start.
16      ERR_DNS_TIMEOUT               The DNS server is not responding and may be down.
17      ERR_DNS_GENERIC               Generic DNS problem occurred during the operation.
18      ERR_INVALID_DOMAIN_NAME       The Active Directory domain name is incorrect or not found in DNS.
19      ERR_INVALID_LOGON             User name or password provided is not correct.
20      ERR_ACCOUNT_DISABLED          The account specified has been disabled.
21      ERR_ACCOUNT_EXPIRED           The account specified has expired.
22      ERR_ACCOUNT_EXISTS            The account specified already exists.
23      ERR_ACCOUNT_NOTFOUND          The account specified was not found in Active Directory.
24      ERR_PASSWORD_EXPIRED          The account password has expired.
25      ERR_ZONE_NOTFOUND             Unable to find the zone.
26      ERR_CONTAINER_NOTFOUND        Invalid Active Directory container object.
27      ERR_INSUFFICIENT_PERM         The account specified does not have sufficient permissions to perform the operation.
28      ERR_CLOCK_SKEW                The time difference between system clocks is outside the acceptable range.
29      ERR_COMPUTER_NAME             Invalid computer account.
30      ERR_CRED_INVALID              Invalid credentials.
31      ERR_SERVICE_TKT_INVALID       The service ticket is not valid.
32      ERR_POLICY_NOT_MATCH          Policy not matched.
33      ERR_REJECT_CHG_PASSWD         Password change rejected.
34      ERR_WORKSTATION_DENY          Workstation denied.
35      ERR_NOT_FIND_USER             No matching user was found.
36      ERR_NOT_FIND_GROUP            No matching group was found.
37      ERR_NOT_CONNECT_ADCLIENT      An attempt to open a connection to the adclient process failed.
38      ERR_ADLCIENT_STOP             Unable to stop the adclient process.
39      ERR_QUOTA_EXCEEDED            The user has exceeded the number of join operations allowed.
40      ERR_OPEN_FILE                 The attempt to open a file failed.
41      ERR_READ_FILE                 The attempt to read a file failed.
42      ERR_COPY_FILE                 The attempt to copy a file failed.

In addition to these common result codes, each program may also provide one or more command- or operation-specific result codes. Command-specific results are included in the command reference section for individual command line programs.

Using adjoin
The adjoin command adds the local host computer to the specified Active Directory domain. The basic syntax for the adjoin program is:
adjoin [options] domain

The domain name should be a fully-qualified domain name, for example, sales.acme.com. If the computer is already a member of another domain, you must leave the old domain by running adleave to remove the computer account from the old domain. Once you have left the old domain, you can run adjoin to join the new domain.

Note  To run adjoin, you must be logged in as root.

By default, when you run adjoin, the program performs the following tasks:
   Locates the domain controller for the specified domain and contacts Active Directory.
   Synchronizes the local computer's time with Active Directory to ensure the timestamp of Kerberos tickets is within the acceptable time period to allow for authentication.
   Checks whether a computer account already exists for the local computer in Active Directory, and creates a new Active Directory computer account for the computer, if needed.
   Updates the Kerberos principal service names used by the host computer, generating new /etc/krb5.conf and krb5.keytab files and new service keys for the host and http services.
   Sets the password on the Active Directory computer account to a randomly-generated password. The password is encrypted and stored locally to ensure Centrify DirectControl alone has control of the account.
   Starts the Centrify DirectControl daemon (adclient).

You may join to a specific zone, or if you do not specify a zone, join the default zone, which Centrify DirectControl creates automatically when you are running a licensed copy of DirectControl.


Setting valid options


You can use the following options with this command:

-u, --user username[@domain]
   Specify an Active Directory username with sufficient rights to add a computer to the specified domain and create new computer accounts. For example, depending on the security delegation policies in place, you may need to specify a user account with Domain Administrator privileges. By default, however, any authenticated Active Directory user can join a computer to the domain. You must use the username@domain format to specify the user account if the username is not a member of the domain being joined.
   Note  When specifying username@domain, you cannot use an alternative UPN. You must use the domain defined for your account.
   If you do not specify the --user option, the default is the Administrator user account. Because this account has special rights that can represent a security risk, many organizations disable or restrict access to it. Therefore, in most cases, you should specify the --user option when joining a domain.

-p, --password userpassword
   Specify the password for the Active Directory user account performing the join operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
   Note  Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-c, --container containerDN
   Specify the distinguished name (DN) of the container or Organizational Unit in which to place this computer account. You can specify the containerDN by:
      Canonical name (ajax.org/unix/services). You cannot specify a partial name for the canonical name.
      Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org).
      Relative distinguished name without the domain suffix (cn=services,cn=unix).
   For example, to place the computer in the UNIX/Services container within the ajax.org domain using the canonical name, you could specify:
      --container ajax.org/UNIX/Services
   The DN you specify can refer to any container within the directory but does not need to include the domain suffix. The domain suffix is appended to the containerDN programmatically to provide the complete distinguished name for the object. For example, if the domain suffix is acme.com, to place this computer in the paris.regional.sales.acme.com organizational unit within the acme.com domain, you would specify:
      ou=paris, ou=regional, ou=sales
   If you do not specify a container, the computer account is created in the domain's default Computers container.
   Note  The container you specify must already exist in Active Directory or the join operation will fail. In addition, you must have permission to add entries to the specified container.

-n, --name computername
   Specify the host name you want to use for this computer in Active Directory. The maximum length for computer account names in Active Directory is normally 15 or 24 characters and some characters cannot be used. For more information about naming conventions in Active Directory, see the Active Directory documentation. If you do not specify a computername, the computer account name in Active Directory is the same as the local host name.
   This option is most commonly used if you have a disjointed DNS namespace. For example, if the local UNIX host is a member of the DNS zone ajax.org, but is joining the Active Directory domain emea.ajax.org, you can use this option to join the domain with a computer name that is different from the name of the computer in DNS:
      -n finserv.emea.ajax.org
   This option can also be used in conjunction with the --alias option if the computer has multiple IP addresses and there are DNS records for those addresses.

-N, --prewin2k accountname
   Specify the pre-Windows 2000 name for this computer in Active Directory. The pre-Windows 2000 name is the name stored in the samAccountName attribute. The maximum length for the samAccountName attribute is 19 characters.
   Note  Although the actual limit is 19 characters, it is recommended that you limit the name to 15 characters because some Windows functions use this attribute as a NetBIOS name, which has a 15-character limit. If the name is larger than 15 characters, DirectControl must use less efficient NTLM authentication methods.
   If you do not specify this option, the default pre-Windows 2000 name is the computer account name truncated at 15 characters. This option enables you to manually specify the pre-Windows 2000 name you want to use. This option is most commonly used if the naming conventions for computer account names result in names that are longer than the 15 character limit.

-f, --force
   Overwrite the information stored in Active Directory for an existing computer account. This option allows you to replace the information for a computer previously joined to the domain. If there is already a computer account with the same name stored in Active Directory, you must use this option if you want to replace the stored information. You should only use this option when you know it is safe to force information from the local computer to overwrite existing information.

-a, --alias computeralias
   Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias and the computer may be referred to by this alias. This option would normally be used if a computer has more than one Ethernet port and each port is known by a different DNS name. You can specify more than one --alias option if you need to specify multiple aliases for a single computer.

-z, --zone zonename
   Specify the name of the zone in which to place this computer account. If you do not specify a zone, the computer joins the domain in the default zone (a zone named default can be created when you run the Setup Wizard for the first time).
   Note  If you are using the Express mode of DirectControl, you cannot use this option. You must join a domain through Auto Zone by using the --workstation option.
   If individual zone names are not unique across the Active Directory forest, you can use the canonical name of the zone to uniquely identify the zone you want to join. For example, if you have more than one default zone, you can use the full canonical name of the zone to specify which default zone to join. If you specify a zone name and the named zone does not exist, the join operation fails.
   Note  If users and groups are unique across the forest and not required to be segregated into zones, you can join the Active Directory domain by using the --workstation option to connect to Auto Zone instead of specifying a zone. The --workstation and --zone options are mutually exclusive.

-C, --noconf
   Indicate that you do not want to update the local system's PAM and NSS configuration. If you set this option, you will need to modify the PAM and NSS configuration files manually to work with the adclient daemon.

-s, --server domaincontroller
   Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

-Z, --zoneserver domaincontroller
   Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the one you are joining.
   Note  You cannot use this option when using the Express deployment mode of DirectControl.

-g, --gc domaincontroller
   Specify the name of the domain controller to use for global catalog operations. You can use this option if the default domain controller is not writable or does not support global catalog operations.

-T, --trust
   Set the Trust for delegation option in Active Directory for the computer account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network. If you want to use this option, you should clear the local cache on the client before joining the domain.

-k, --des
   Set the computer account to use the Data Encryption Standard (DES) for keys.

-P, --precreate
   Precreate a computer account in Active Directory without joining the domain. If you use this option, you must also specify the name of the computer account you want to precreate using the --name option. The --precreate option does the following:
      Creates a computer object in Active Directory in the organizational unit you specify or the Computers container.
      Resets the computer account password to the computer's host name (in lower case).
      Creates an Extension object in the zone.
   The following permissions are granted to the computer object:
      Read and Write to: operatingSystemServicePack, operatingSystem, and operatingVersion attributes in the Computer object.
      Reset the computer's password.
      Read userAccountControl attributes of the Computer object.
      Validate write to: servicePrincipalName and dNSHostName attributes.
   By precreating the computer account and its serviceConnectionPoint, you can allow any user to join the computer to a domain without granting any special rights or performing any zone delegation. This option also enables you to create all the computer accounts you want in a batch job and automate how computers join the domain.

-m, --compat
   Precreate a computer object that is compatible with DirectControl version 2.x and later. You must specify this option if you want the precreated computer object to be compatible with DirectControl version 2.x and later.

-S, --selfserve
   Use the computer object's account credentials to join the domain.
   Note  You cannot use this option when using the Express deployment mode of DirectControl.
   To use this option, you must have already precreated the computer account in Active Directory using the Pre-Create Computer wizard. For more information about using the wizard to precreate a computer account, see Precreating computer accounts on page 86.
   Note  If you use the --selfserve option, you don't need to specify a zone for the computer. The computer is automatically made a member of the zone where the precreated object was created. You must, however, specify the Active Directory domain to successfully add the computer to the domain.

-V, --verbose
   Display information about each step in the join process as it occurs. This option can be useful in diagnosing join problems. This option also writes log messages to the centrifydc.log file for troubleshooting purposes.

-v, --version
   Display version information for the installed software.

-w, --workstation
   Join the computer to an Active Directory domain by connecting to Auto Zone rather than by making the computer a member of any specific zone. When joined to Auto Zone, every Active Directory user and group defined in the forest and any users defined in a two-way trusted forest are valid UNIX users or groups. You can use this option when:
      Active Directory identities are unique for the forest and trusted external forest.
      Active Directory users and groups only require one set of properties for all computers and do not need to be segregated into zones for any reason.
   For the join to be successful, all of the domains in the forest and the trusted external forest must be unique. If domains are not unique across the forest trust, you must manually configure a unique prefix for each trusted domain using parameters in the centrifydc.conf configuration file.
   Note  The --workstation and --zone options are mutually exclusive.

domain
   Specify the fully-qualified domain name you want the local computer to join. There is no default setting, so this argument is required.

Examples of using adjoin


Joining a domain can be a very simple or fairly sophisticated operation depending on the design of your Active Directory forest, how you want to manage your UNIX systems, and the policies your organization follows. The following examples illustrate some of the options you can use when joining a domain.

To join the acme.com domain using all of the default options and the Administrator user account, you could type a command line similar to the following:
adjoin acme.com

You are then prompted for the Active Directory Administrator password. If you want to join the sales.acme.com domain using a user account that is not in that domain, using a specified host name and Organizational Unit, you could type a command line similar to the following:
adjoin --workstation --user jeff@acme.com --name orlando --container "ou=UNIX computers" sales.acme.com

You are then prompted to provide the password for the user jeff@acme.com. If the password is correct and the local computer can successfully connect to Active Directory, a new computer account is added to Active Directory using the computer name orlando in the UNIX computers Organizational Unit.

Note  When specifying username@domain to join a domain, you cannot use an alternative UPN. For example, if your organization uses an alternate UPN to allow you to log in as garcia@mission.org but your account is actually defined in the sf.mission.org domain, you must use that domain when specifying the user account. For example:
adjoin --workstation --user garcia@sf.mission.org la.mission.org

If you want to join the sales.acme.com domain using a user account that is not in that domain, using a specified zone, host name, and Organizational Unit, you could type a command line similar to the following:
adjoin --user jeff@acme.com --zone LinuxDev --name orlando --container "ou=UNIX computers" sales.acme.com

You are then prompted to provide the password for the user jeff@acme.com. If the password is correct and the local computer can successfully connect to Active Directory, a new computer account is added to Active Directory using the computer name orlando in the UNIX computers Organizational Unit.

Note  When specifying username@domain to join a domain, you cannot use an alternative UPN. For example, if your organization uses an alternate UPN to allow you to log in as garcia@mission.org but your account is actually defined in the sf.mission.org domain, you must use that domain when specifying the user account. For example:
adjoin --user garcia@sf.mission.org la.mission.org

If zone names are not unique across the Active Directory forest, you can use the canonical name of the zone to uniquely identify the zone you want to join. For example, if you have more than one default zone, you could type a command line similar to the following:
adjoin --user trey --zone ajax.test/UNIX/Zones/default javadev.ajax.test
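The following helper functions are an added example and are not part of the Centrify guide or its tools. They show how a provisioning script can drive adjoin the way the option reference and the result code tables above describe: the password is never passed with --password (so it stays out of process listings and shell history), computer names are checked against the 15-character limit that --prewin2k and ERR_JOIN_UPDATE warn about, and the documented common and join-specific result codes are mapped to a follow-up action. The host list, zone, and container values in the demo are constructed.

```shell
#!/bin/sh
# Added example (not part of the Centrify guide): helper functions for
# driving adjoin from a provisioning script. They map the documented result
# codes to a follow-up action, enforce the 15-character name limit that
# ERR_JOIN_UPDATE and --prewin2k warn about, and never pass the password
# on the command line (so it stays out of ps output and shell history).
# Zone, domain and host values used in the demo are constructed.

# result_name CODE -> error name from the common result code table plus
# the join-specific codes 156-160
result_name() {
  case "$1" in
    0)   echo ERR_SUCCESS ;;
    8)   echo ERR_OP_ABORTED ;;
    9)   echo ERR_ROOT_PRIV ;;
    10)  echo ERR_NOT_JOINED ;;
    11)  echo ERR_ALREADY_JOINED ;;
    12)  echo ERR_JOINED_ANOTHER_DOMAIN ;;
    13)  echo ERR_ADCLIENT_DOWN ;;
    14)  echo ERR_ADCLIENT_DISCONNECTED ;;
    16)  echo ERR_DNS_TIMEOUT ;;
    17)  echo ERR_DNS_GENERIC ;;
    18)  echo ERR_INVALID_DOMAIN_NAME ;;
    19)  echo ERR_INVALID_LOGON ;;
    20)  echo ERR_ACCOUNT_DISABLED ;;
    25)  echo ERR_ZONE_NOTFOUND ;;
    26)  echo ERR_CONTAINER_NOTFOUND ;;
    27)  echo ERR_INSUFFICIENT_PERM ;;
    28)  echo ERR_CLOCK_SKEW ;;
    39)  echo ERR_QUOTA_EXCEEDED ;;
    156) echo ERR_JOIN_ATTRMAP ;;
    157) echo ERR_JOIN_UPDATE ;;
    158) echo ERR_STRONGER_AUTH_NEEDED ;;
    159) echo ERR_UNEXPECTED_LDAP_REFERRAL ;;
    160) echo ERR_SPN_NOT_UNIQUE ;;
    *)   echo "UNKNOWN($1)" ;;
  esac
}

# result_action CODE -> ok | retry | leave-first | fix-config | fatal
# retry:       transient (adclient down, DNS timeout/error, clock skew)
# leave-first: already joined; run adleave before joining again
# fix-config:  set adclient.ldap.packet.encrypt in centrifydc.conf, rerun
result_action() {
  case "$1" in
    0)           echo ok ;;
    11|12)       echo leave-first ;;
    13|16|17|28) echo retry ;;
    158)         echo fix-config ;;
    *)           echo fatal ;;
  esac
}

# valid_name NAME -> succeeds if NAME is 1..15 characters (pre-Windows 2000 /
# NetBIOS limit); longer names should be shortened with --name
valid_name() {
  [ -n "$1" ] && [ "${#1}" -le 15 ]
}

# plan_batch < LIST -> reads "name container" lines (container may contain
# spaces) and prints JOIN or SKIP for each host
plan_batch() {
  while read -r name container; do
    [ -n "$name" ] || continue
    if valid_name "$name"; then
      echo "JOIN $name in $container"
    else
      echo "SKIP $name: longer than 15 characters, shorten it with --name"
    fi
  done
}

# run_join USER ZONE NAME CONTAINER DOMAIN -> runs adjoin without --password
# (adjoin prompts for it), then reports the result and recommended action.
run_join() {
  adjoin --user "$1" --zone "$2" --name "$3" --container "$4" "$5"
  rc=$?
  echo "adjoin exited $rc ($(result_name "$rc")): action=$(result_action "$rc")"
  return "$rc"
}

# Stand-alone demo over a constructed host list (no adjoin is run).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' 'orlando ou=UNIX computers' \
                'averyveryverylonghostname ou=UNIX computers' | plan_batch
fi
```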

Understanding the files modified by running adjoin


Running adjoin modifies several key files to complete the join operation and configure your environment to work with Active Directory for authentication, authorization, and directory services. By default, the following files are modified by running adjoin:
Type                          On               File location
Kerberos configuration file   Most platforms   /etc/krb5.conf
Kerberos configuration file   Solaris          /etc/krb5/krb5.conf
Kerberos keytab file          Most platforms   /etc/krb5.keytab
Kerberos keytab file          Solaris          /etc/krb5/krb5.keytab
NSS configuration file        Most platforms   /etc/nsswitch.conf
PAM configuration file        HPUX, Solaris    /etc/pam.conf
PAM configuration file        Red Hat Linux    /etc/pam.d/system-auth
PAM configuration file        All other Linux  /etc/pam.d/*
LAM configuration file        AIX              /usr/lib/security/methods.cfg
Login control file            AIX              /etc/security/user

In addition, the following files are created in the /var/centrifydc directory by running adjoin or by starting the Centrify DirectControl Agent for the first time:

Name                    Purpose
daemon                  This is the pipe which clients open to communicate to the agent.
dc.cache                Cache of objects from the Domain Controller
gc.cache                Cache of objects from the Global Catalog
dcdn.idx                Cache index
extmgr.idx              Cache index
gcdn.idx                Cache index
gid.idx                 Cache index
gname.idx               Cache index
search.idx              Cache index
uid.idx                 Cache index
uname.idx               Cache index
kset.domain             The domain name
kset.domaincontroller   The domain controller host name
kset.host               The host name used to join
kset.schema             The current schema version
kset.site               The preferred site
kset.zone               The Zone GUID
kset.zonename           Readable zone name
reg/*/*/*               Group Policy registry files downloaded from AD

Working in an environment without a global catalog


If you join a UNIX computer to a domain where there is no global catalog available, users from other domains must use their fully-qualified login name to be authenticated successfully.

Understanding join-specific result codes


Most of the common result codes described in Understanding common result codes on page 314 apply to join operations. In addition to those common codes, however, the adjoin command can generate join-specific result codes when there are errors that prevent a computer from joining a domain. The following table lists these join-specific result codes.

Result  Error name                     Indicates
156     ERR_JOIN_ATTRMAP
        The mapping of computer account properties to Active Directory attributes failed. If you encounter this problem, you may need to map all attributes, then rerun the adjoin command.

157     ERR_JOIN_UPDATE
        The computer failed to join the domain. If you encounter this problem, you may need to take corrective action:
        - Check whether the computer's hostname exceeds 15 characters. If it does, shorten it or use the --name option to specify a name that is 15 characters or less, then rerun the adjoin command.
        - Check whether the computer's primary DNS suffix matches the Active Directory domain DNS name or another allowed primary DNS suffix. If the DNS suffix does not match the Active Directory domain and is not an allowed primary DNS suffix, you may need to change the DNS or domain configuration, then rerun the adjoin command.

158     ERR_STRONGER_AUTH_NEEDED
        A stronger authentication method is required by Active Directory. If you encounter this problem, set the LDAP traffic encryption parameter, adclient.ldap.packet.encrypt, to Allowed or Required in the Centrify DirectControl configuration file, then rerun the adjoin command.

159     ERR_UNEXPECTED_LDAP_REFERRAL
        There was an unexpected referral response. This is usually caused by an erroneous replication object in Active Directory. If you encounter this problem, check the zone container for replication errors, then rerun the adjoin command.

160     ERR_SPN_NOT_UNIQUE
        The servicePrincipalName (SPN) was not unique. Each SPN must be unique across the Active Directory forest. If you encounter this problem, use a servicePrincipalName that is unique across the forest, then rerun the adjoin command. You can search for duplicate service principal names using the Analyze wizard.

161     ERR_SERVERNAME_INVALID
        The domain server was specified using an IP address. If you encounter this problem, specify the domain controller using a fully-qualified DNS name.

162     ERR_CHANGE_DIR
        The attempt to change to the data directory failed.

163     ERR_DOMAIN_NOT_TRUSTED
        The domain specified is not in the same forest or is not a trusted domain. If you encounter this problem, check the trust relationship for the domain or use a different domain, then rerun the adjoin command.

164     ERR_MULTIPLE_ZONES_FOUND
        Multiple zones were detected. If you encounter this problem, check the zones defined, then rerun the adjoin command and specify only one zone.

Using adleave
The adleave command removes the local host computer from its current Active Directory domain. Once a computer has become a member of a domain, you must run the adleave command to leave that domain before you can move the computer to a new domain.

The basic syntax for the adleave program is:
adleave [options]

By default, when you run adleave, the program performs the following tasks:
- Contacts Active Directory and deactivates the computer account associated with the local UNIX host. The program does not remove the computer account from Active Directory. To remove the computer account entirely, you must delete it from Active Directory manually with Active Directory Users and Computers.
- Reverts any computer settings that were changed by the adjoin command to their pre-adjoin condition. This includes reverting PAM, NSS, and Kerberos configuration files to their pre-join states, deleting the /var/centrifydc/* files, and deleting /etc/krb5.keytab.
  When you join a domain, the Kerberos configuration file, /etc/krb5.conf, and keytab file, /etc/krb5.keytab, are automatically generated for you. Because the /etc/krb5.conf file can contain entries used by other applications, it is not removed automatically when you leave a domain. If you leave the domain, you should check whether this file is used by any other applications or has been manually edited. If it is not used by other applications, you can safely delete the file after leaving the domain.
- Stops the Centrify DirectControl daemon (adclient).

Note: To run adleave you must be logged in as root.

336

Administrators Guide

Setting valid options

You can use the following options with this command:

Use this option                      To do this
-u, --user username[@domain]
        Identify an Active Directory user account with sufficient rights to remove a computer from the domain. You must use the username@domain format to specify the user account if the username is not a member of the computer's current domain. If you do not specify the --user option, the default is the Administrator user account.

-p, --password userpassword
        Specify the password for the Active Directory user account performing the leave operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
        Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-s, --server domaincontroller
        Specify the name of the domain controller that you prefer to use to disconnect from the domain. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

-Z, --zoneserver domaincontroller
        Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the domain you are leaving.
        Note: You cannot use this option when using the Express deployment mode of DirectControl.

-C, --noconf
        Indicate that you do not want to revert the local system's PAM and NSS configuration files to their original state. Normally, if you leave a domain, any changes that were made to the PAM and NSS configuration files during the join operation so that they work with the adclient daemon are removed. If you set this option to leave the file changes in place, you should review the PAM and NSS configuration files for potential changes.
        Note: Be sure to review and, if necessary, edit the PAM and NSS configuration files before you use this option. If you don't take precautions before using this option, the computer may become inoperable and require a reboot in single user mode to fix the problem.

-f, --force
        Indicate that you want to force the local computer's settings to their pre-join conditions even if the adleave command cannot connect to Active Directory or is not successful in deactivating the Active Directory computer account. You must use this option if the Active Directory computer account has been modified or deleted so that the host computer can no longer work with it.

-G, --nogp
        Indicate that you do not want to revert any group policies applied to the computer to their original state. Normally, if you leave a domain, any group policy changes that have been applied to UNIX configuration files are reverted to restore the files to their pre-join state.
        Note: This option has no effect when using the Express deployment mode of DirectControl, because group policies are not supported by Centrify DirectControl Express.

-r, --remove
        Remove the computer account from Active Directory.

-R, --restore
        Restore system configuration files to their pre-join state without leaving the domain.

-v, --version
        Display version information for the installed software.

-V, --verbose
        Display detailed information for each operation.

Examples of using adleave


Leaving a domain is a straightforward process that returns a computer to its pre-join state. The following examples illustrate the options you can use when leaving a domain.

To remove a computer from its current domain using the default options and the Administrator user account, you could type a command line similar to the following:
adleave

You are then prompted for the Active Directory Administrator password.

To remove a computer from its current domain using a specific user account and without reverting the PAM and NSS configuration files to their pre-join state, you could type a command line similar to the following:
adleave --user raj@acme.com --noconf

You are then prompted for the password for the user raj@acme.com.

To revert all computer settings to their pre-join state even if the host computer's account in Active Directory cannot be deactivated, you could type a command line similar to the following:
adleave --force

Understanding adleave-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adleave command can generate leave-specific result codes when there are errors that prevent a computer from leaving a domain. The following table lists these leave-specific result codes.

Result  Error name                 Indicates
156     ERR_STOP_NIS_ADCLIENT
        The adleave command was unable to stop the adnisd or adclient process. If you encounter this problem, you may need to manually stop the processes, then rerun the adleave command.

157     ERR_DELETE_CONTENT
        The adleave command was unable to delete all content.

158     ERR_LEAVE_FAILED
        The attempt to leave the domain failed. If you encounter this problem, you may need to rerun the adleave command with the --force option.

159     ERR_CONNECT_DC
        The adleave command was unable to connect to the domain controller. If you encounter this problem, you may need to rerun the adleave command with the --force option.

160     ERR_SYNC_TIME
        Time is not synchronized between the local system clock and the domain controller.

Using adcheck
The adcheck command can be used to perform operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The domain should be a fully-qualified domain name, for example, sales.acme.com. The output from adcheck includes notes, warnings, and fatal errors, including suggestions on how to fix them.

By default, adcheck performs the following tests:
- Operating system check to verify that the operating system is supported and at the correct patch levels, and that there is sufficient disk space.
- Network check to verify DNS and SSH.
- Active Directory check to verify various aspects of the Active Directory configuration, including the domain name, time and domain synchronization, and checking up to 10 domain controllers (which can be extended by an adcheck parameter for large domains).

The adcheck program is run automatically when you install the Centrify DirectControl Agent by running the install.sh program or the graphical-user-interface installer on a Mac OS X platform.

Note: To run adcheck you must be logged in as root.

The basic syntax for the adcheck program is:
adcheck [--alldc] [--siteonly] [--bigdomain number] [--xml filename] [--test os|net|ad] [--servername domainController] [--verbose] [--version]

Setting valid options


You can use the following options with this command:

Use this option                      To do this
-a, --alldc
        Check all domain controllers. This option overrides the --siteonly and --bigdomain options. The --servername option overrides this option. If you do not specify --alldc, --siteonly, or --servername, adcheck checks the number of domain controllers specified by the --bigdomain option (default is 10).

-s, --siteonly
        Check all domain controllers for the first detected site. This option overrides the --bigdomain option. The --alldc and --servername options override this option.

-b, --bigdomain number
        Specify the number of domain controllers to check. The default is 10. The --alldc, --siteonly, and --servername options override this option.

-x, --xml filename
        Specify the filename in which to generate XML output.

-t, --test os|net|ad
        Run only one or two of the tests, as follows:
        os    Operating system check
        net   Network check
        ad    Active Directory check

-s, --servername domainController
        Specify the domain controller to connect to when performing the network checks. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information. This option overrides the --alldc, --siteonly, and --bigdomain options.

-V, --verbose
        Display diagnostic information about the host, the domain, and the domain controller.

-v, --version
        Display version information for the installed software.

Using adlicense
The adlicense command can be used to enable or disable licensed features on a local computer. If you execute adlicense with no options, it displays the current mode, either licensed or express. In licensed mode, a computer has access to group policies and may join any existing zones. In express mode (licensing is disabled) a computer may not download or execute group policies and cannot join a zone. The computer is automatically joined to Auto Zone.

To run adlicense you must be logged in as root. The basic syntax for the adlicense program is:
adlicense [--licensed] [--express] [--verbose] [--version]

Setting valid options

You can use the following options with this command:

Use this option      To do this
-l, --licensed
        Enable licensed features, including the ability to use group policies and join a specific zone. After you enable licensed features, the computer is still joined to Auto Zone. You may keep the computer joined to Auto Zone or join a specific zone, in which case you must first leave the zone with adleave, then rejoin the domain with the adjoin --zone command. To enable licensing, you must have installed a valid license key. Enabling licensing consumes a license.

-e, --express
        Disable licensed features. This option unmaps group policies and prevents the machine from joining any specific zones. The computer is automatically joined to Auto Zone. If you are running in licensed mode and execute adlicense --express to switch to Express mode, a license is restored.
        Note: You cannot use this option if the machine is currently joined to a zone. You must first leave the domain, then connect to Auto Zone when rejoining the domain.

-V, --verbose
        Display detailed information about the operation performed.

-v, --version
        Display version information for the installed software.

Using adpasswd
The adpasswd command changes the password for an Active Directory user account. It can be used to change the password of the current user executing the command or to change the password of another Active Directory user. If you want to change the password for any Active Directory account other than your own, you must provide the user name and password of an administrative account with the authority to change that users password. The basic syntax for the adpasswd program is:
adpasswd [options] [user[@domain]]

If a user@domain is specified in the command line, you must provide an administrative user name and password for an Active Directory account with the authority to set passwords for other Active Directory users. If a user@domain is not specified in the command line, this command can only be used to change the password for the current user account. Because adpasswd allows a user to change his or her own password, you do not need to be logged in as root to run this command.
Note: Changing a user's password with this command updates the user's Active Directory account. Once changed, the new password must be used for all activities that are authenticated through Active Directory, including logging on to the UNIX shell, logging on to Windows computers, and accessing applications on both UNIX and Windows.

Setting valid options

You can use the following options with this command:

Use this option                          To do this
-a, --adminuser adminuser[@domain]
        Identify an Active Directory user account with sufficient rights to modify another Active Directory user account. You must use the adminuser@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the default is the Administrator user account.

-p, --adminpass adminpassword
        Specify the password for the Active Directory administrative account when changing another user's Active Directory password. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. However, if adpasswd detects Kerberos credentials, it uses those for the command, and if these credentials are not sufficient, you receive an error message rather than a prompt for a password.
        Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-V, --validate
        Check the validity of a user's password. This option is used to verify whether a specified user can log on with the specified password.

-o, --oldpass oldpassword
        Specify the current password for the Active Directory user account. This option is only used when the user executing the command is trying to change the password for his or her own account. This option is ignored if an administrator is changing the password for another user account. If you are trying to change your own password and do not provide the current password at the command line, you are prompted to enter the old password before the command executes.

-n, --newpass newpassword
        Specify the new password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the new password and confirm the new password by retyping it before the command executes. The new password must meet the Active Directory domain password policy requirements for length and complexity.
        Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-v, --version
        Display version information for the installed software.

user[@domain]
        Specify the Active Directory user account for the password change. You must use this option if you are changing another Active Directory user's account password. You should not use this option when changing your own account password. If a user name is not specified, the default is always the current user's account. You must use the user@domain format to specify the account if the user is not a member of the host computer's current domain.

Examples of using adpasswd


In most cases, you use this command to change the password for your own account. The following command illustrates how to change the password for the current user account. It prompts for the old and new passwords because they aren't provided in the command line:
adpasswd
Old password: xxx
New password: xxx
Repeat password: xxx

The following command illustrates changing the password for another user account, jane@acme.com, which is in a domain outside the host computer's own Active Directory domain. Because this example changes the password for another user, the command specifies an Active Directory administrative account, admin@acme.com, with the authority to change the password for Jane's account:
adpasswd --adminuser admin@acme.com jane@acme.com

You are then prompted for the administrator password and the user's new password because these values aren't provided in the command line.
Administrator password: xxx
New password for jane@acme.com: xxx
Repeat password: xxx

To check whether a user can log on with a specific password, you can use the --validate option. For example:
adpasswd --validate pablo@acme.com
Password: xxx

If the user name and password are valid and can be authenticated by Active Directory, a successful validation message is displayed. If the user name and password specified cannot be authenticated, the command displays a message indicating the authentication failure:
Password validate failed for user pablo
Account cannot be accessed at this time
Please contact your system administrator

Understanding adpasswd-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adpasswd command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.

Result  Error name              Indicates
156     ERR_PASSWDFILE_MISS     The password could not be updated because the passwd file could not be found.
157     ERR_PASSWDFILE_BUSY     The password could not be updated because the passwd file was being used by another program.

Using adupdate
The adupdate command enables administrators to perform user and group account management tasks from the command line on any Centrify DirectControl-managed system. The user and group management tasks you can perform include the following:
- Adding a new user to a zone
- Modifying a user's UNIX profile
- Disabling and enabling a user's access to a zone
- Deleting users from a zone
- Adding an Active Directory group to a zone
- Modifying a group's UNIX profile
- Managing the group's membership
- Deleting an existing Active Directory group from a zone
- Synchronizing the time on the local computer with its domain controller

Each of these tasks can include command line options that enable the task to be accomplished using a script. The basic syntax for the adupdate program is as follows:
adupdate add|delete|modify user|group [options]

You must specify the administrative task to perform, then whether the task applies to a user or group, before you specify any other command line options. In addition, the options required to complete an administrative task depend on which task you are performing. For more information about the syntax and the options you need to use for each task, see the appropriate section for the administrative task you are performing.

Adding a UNIX user profile


You can use adupdate add user to add a specified user to the zone associated with the computer where the command is run. You can also use this command to create a new user account in Active Directory, if desired. The basic syntax for adding a new user with the adupdate program is:
adupdate add user -U user[@domain] [options] UNIXlogin

You must specify the Active Directory user that the new UNIX user profile should be associated with. In specifying the Active Directory user, you must use the user@domain format if the user is a member of a domain other than the host computer's domain.
Setting options for a new user profile

You can use the following options with the adupdate add user command:

Use this option                              To do this
-a, --admin user[@domain]
        Identify an Active Directory user account with sufficient rights to add a new user profile or new user account to Active Directory in the current domain. You must use the user@domain format to specify the user account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available, the default value is the Administrator user account.

-p, --password password
        Specify the password for the Active Directory user account with administrative rights. If you are using the current Kerberos credentials, you don't need to specify the password at the command line. If you are not using the current Kerberos credentials and do not specify the password at the command line, you are prompted to enter the password before the command executes. You can pipe the password into standard input for scripting purposes.
        Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-U, --user loginname
        Specify the Active Directory user that the new UNIX user profile should be associated with. This option is required. You can use the user's Windows login name, for example, the samAccountName attribute or the user's userPrincipalName attribute, to identify the Active Directory account. The name you specify can also include spaces if properly quoted according to the rules of the UNIX shell you are using. For example, if you want to specify a first name and last name:
        --user 'Kay Li'
        You should use the user@domain format to specify the login name if the user is not a member of the host computer's currently joined domain. If you are also using the --create option to create a new Active Directory user and do not specify the --first option in the command line, the name you specify for --user loginname is also used for the displayName and CN attributes in Active Directory.

-C, --create
        Create a new Active Directory user. If you don't specify this option, the user account you specify for the --user option must already exist in Active Directory.

-d, --home home_directory
        Specify the UNIX home directory for the new user. The default home directory path is set by appending the user's login name to default_home. For example, if the user's login name is kay:
        /default_home/kay
        Note: You cannot specify this option when connected to Auto Zone.

-g, --group initial_group
        Specify the group name or numeric identifier of the user's primary group. If you specify a group name, the group name must exist in Active Directory. If you specify a numeric group identifier (GID), the group identifier should refer to a group with an existing UNIX profile defined for the zone. By default, a user's primary group is the value specified as the default group GID for the zone, if one is defined, or the next available UID and GID if you are using user-specific primary groups.
        Note: You cannot specify this option when connected to Auto Zone.

-G, --groups groupname,[...]
        List additional groups the user is a member of. Use commas to separate group names. For example:
        --groups qa02,sap,javax
        You can specify the groups by UNIX group name or samAccountName attribute. The groups you specify do not need to have a UNIX profile already defined for the zone. There is no default group list. By default, only a user's initial group is defined.

-u, --uid uid_value
        Specify the numeric value of the user identifier (UID) for the UNIX user account. This value must be a positive integer and must be unique in the zone unless you specify the -o option to allow duplicate values. If you do not specify the --uid option, the next available UID in the zone is used by default. You should not specify UID values between 0 and 99. Values between 0 and 99 are typically reserved for system accounts.
        Note: You cannot specify this option when connected to Auto Zone.

-o, --allow-duplicate
        Allow the UID value for the new user to be the same as the UID used in another user profile.
        Note: You cannot specify this option when connected to Auto Zone.

-s, --shell shell_path
        Specify the user's login shell. If you don't specify this option, the system selects the default login shell for the operating environment when the user logs on.
        Note: You cannot specify this option when connected to Auto Zone.

-m, --make-home [-k, --skeleton skeleton_directory]
        Create the user's home directory automatically if it does not already exist. If you specify this option and the --skeleton option, the files and directories contained in skeleton_directory are copied to the new home directory. If you don't specify the --skeleton option, the files contained in the directory specified by the pam.homeskel.dir configuration parameter are copied to the new home directory instead. The --skeleton option is only valid in conjunction with the --make-home option. If you don't specify this option, the adupdate command does not create the user's home directory or copy any files.
        Note: You cannot specify this option when connected to Auto Zone.

-f, --first name
        Specify the first name of the Active Directory user. The name you specify is mapped to the givenName LDAP attribute and is used as the first component for the displayName and cn attributes. If you don't specify this option, the givenName attribute is left blank and the samAccountName is used for the displayName and cn attributes. This option is ignored if you are not using the --create option to create an Active Directory account.

-l, --last name
        Specify the last name of the Active Directory user. The name you specify is mapped to the sn LDAP attribute and is used as the second component for the displayName and cn attributes if the --first option is specified. This option is ignored if you are not using the --create option to create an Active Directory account.

-w, --new-password password
        Specify the initial password for the new user account. If you do not specify a password for the user, you are prompted to enter and re-enter the password before the command executes. Whether you specify the user's password at the command line or when prompted, the password must adhere to the domain's password policy requirements for length and complexity.

-W, --show-password
        Generate and display an initial password for the new user account. This option enables the account to be created with a random password, which can then be reset later when the user logs on.

-c, --container containerDN
        Specify the distinguished name (DN) of the container or Organizational Unit (OU) in which to place this user account. The DN represents the direct parent object for the user. You can specify the containerDN by:
        - Canonical name (ajax.org/unix/services)
        - Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org)
        - Relative distinguished name without the domain suffix (cn=services,cn=unix)
        For example, to place the account in the UNIX/Services container within the ajax.org domain using the canonical name, you could specify:
        --container ajax.org/UNIX/Services
        The DN you specify can refer to any container within the directory but does not need to include the domain suffix. The domain suffix is appended to the containerDN programmatically to provide the complete distinguished name for the object. For example, if the domain suffix is acme.com, to place this user in the paris.regional.sales.acme.com organizational unit within the acme.com domain, you would specify:
        ou=paris,ou=regional,ou=sales
        Note: You must specify a container for the new user object when creating a new user account with the adupdate command. You can use the domain's default Users container object, for example, ajax.org/Users, or any other existing parent container object. If the container you specify does not exist in Active Directory, however, the user account will not be created. In addition, you must have permission to add entries to the specified container.

-S, --spn servicePrincipalName
        Specify the servicePrincipalName to use as the service principal name for this user account. Specifying a service principal name is particularly useful if you intend to use prevalidated authentication. To specify the servicePrincipalName, you should use the format:
        service/samAccountName
        For example, to add a service principal for the prevalidation service, preval, for the user account kai:
        --spn preval/kai kai

-V, --verbose
        Display detailed information about each operation as it is performed.

-v, --version
        Display version information for the installed software.

UNIXlogin
        Specify the UNIX login name for the user in the current zone.

Examples of using adupdate add user

To add a new UNIX profile for Active Directory user Wilson Perez if you are logged on with a user account with permission to add new users to the domain, you could type a command line similar to the following:
adupdate add user -U wilson perez@ajax.org wilson

You are then prompted for the password for the new account and to retype the password for the new account. To add a new user account when your current user account does not have permission to add new users to the domain, you must provide the user name and password for an account with permission to add new users to the domain. For example, if the user paolo@acme.com is an administrator with permission to add users to the atlas.acme.com domain, you could type a command line similar to the following:
adupdate add user --uid 2367 --admin paolo@acme.com --create --user chris@atlas.acme.com --first Chris --last Roberts chris

You are then prompted for the password for the paolo@acme.com account. If the user name and password for the administrators account are valid, you are then prompted for the password for the new account and to retype the password for the new account.
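The guide's note on the --password option (a password given as an argument can be read from the process list while the command runs and from shell history afterwards, but it can be piped on standard input instead) and its warning that UIDs 0-99 are reserved for system accounts both lend themselves to a small wrapper. The POSIX sh script below is an added example, not part of the Centrify guide or product: it builds the same --create command line as the example above, feeds the administrator's password on stdin from a file readable only by its owner, refuses to run if a -p/--password or -w/--new-password argument has crept into argv, and rejects reserved UIDs before anything is sent to Active Directory. The adupdate options are the guide's; everything else is an assumption of mine: the ADUPDATE variable (so a stub can stand in for the real binary), the one-line secret file, and that with --show-password the only prompt adupdate issues is for the --admin account's password.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): a wrapper around "adupdate add user"
# that keeps the --admin password off the command line and rejects reserved UIDs.
# Assumptions (mine, not the guide's): ADUPDATE may be overridden to point at a
# stub for offline testing; the admin password is the first line of a file readable
# only by its owner; with --show-password (-W) the only prompt adupdate issues is
# for the --admin account's password, so one line on stdin satisfies it.

ADUPDATE="${ADUPDATE:-adupdate}"

# uid_is_allowed UID -> true if UID is an integer greater than 99 (0-99 are reserved)
uid_is_allowed() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # empty, signed, or not purely numeric
    esac
    [ "$1" -gt 99 ]
}

# argv_has_password ARG... -> true if a password is being passed as an argument
# (argv is visible to every local user via ps and is kept in shell history)
argv_has_password() {
    for arg in "$@"; do
        case "$arg" in
            -p|--password|--password=*|-w|--new-password|--new-password=*) return 0 ;;
        esac
    done
    return 1
}

# secret_file_is_private FILE -> true if FILE is a regular file with no group/other bits set
secret_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# run_with_stdin_secret SECRET_FILE ARG... -> run adupdate ARG..., feeding the first
# line of SECRET_FILE on stdin instead of putting the password in argv
run_with_stdin_secret() {
    secret=$1; shift
    if argv_has_password "$@"; then
        echo "refusing to run: a password option is present on the command line" >&2
        return 4
    fi
    if ! secret_file_is_private "$secret"; then
        echo "refusing to read $secret: it must be a regular file readable only by its owner" >&2
        return 3
    fi
    head -n 1 "$secret" | "$ADUPDATE" "$@"
}

# add_unix_user ADMIN SECRET_FILE UID AD_USER FIRST LAST UNIXLOGIN
# Create the Active Directory account and its UNIX profile in the current zone with a
# generated initial password (--show-password), mirroring the guide's --create example.
add_unix_user() {
    admin=$1 secret=$2 uid=$3 aduser=$4 first=$5 last=$6 login=$7
    if ! uid_is_allowed "$uid"; then
        echo "refusing UID '$uid': it must be an integer above the reserved 0-99 range" >&2
        return 2
    fi
    run_with_stdin_secret "$secret" add user --uid "$uid" --admin "$admin" --create \
        --user "$aduser" --first "$first" --last "$last" --show-password "$login"
}

# Example invocation on a DirectControl-managed host (path is hypothetical):
# add_unix_user paolo@acme.com /root/.adupdate-admin.pw 2367 chris@atlas.acme.com Chris Roberts chris
```

The secret file is read with head so only its first line ever reaches adupdate, and the permission check uses ls rather than stat so it behaves the same on Linux and the BSD-derived UNIX variants DirectControl runs on.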

Modifying a user profile

You can use adupdate modify user to modify login information for a user account with a UNIX profile defined for the current zone. The basic syntax for the adupdate modify user program is:
adupdate modify user [options] UNIXlogin

Setting options for modifying a user profile

You can use the following options with the adupdate modify user command:

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to modify user profiles in the current domain. You must use the user@domain format to specify the user account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available, the default value is the Administrator user account.

-p, --password password
    Specify the password for the Active Directory user account with administrative rights. If you are using the current Kerberos credentials, you don't need to specify the password at the command line. If you are not using the current Kerberos credentials and do not specify the password at the command line, you are prompted to enter the password before the command executes.
    Note Specifying a password at the command line represents a security risk because the password can be read from the process list by other users while the command is running, or from shell history after the command has completed. For scripting, pipe the password into standard input instead.

-l, --login newUNIXlogin
    Change the UNIX login name for the specified user. For example, to change the login name for the UNIX user jim to james:
    adupdate modify user --login james jim
    Note You cannot specify this option when connected to Auto Zone. This option does not make any other changes. If you use this option, you should also use other options to create a new home directory name that reflects the new login name or move the contents of the user's old home directory to a new home directory name.

-d, --home home_directory
    Create a new UNIX home directory for the specified user. Note You cannot specify this option when connected to Auto Zone. You can use this option in conjunction with the --move-home option to move the contents of a user's current home directory to a new home directory. The new home directory is created automatically if it does not already exist.

-m, --move-home
    Move the contents from a user's old home directory to a new home directory. Note You cannot specify this option when connected to Auto Zone.

-g, --group initial_group
    Modify the group name or numeric identifier of the user's primary group. Note You cannot specify this option when connected to Auto Zone. If you specify a group name, the group name must exist in Active Directory. If you specify a numeric group identifier (GID), the group identifier must refer to an existing group with a UNIX profile defined for the zone. By default, a user's primary group is the value specified as the default group GID for the zone, if one is defined, or the next available UID and GID if you are using user-specific primary groups.

-G, --groups groupname,[...]
    Modify the additional groups the user is a member of. Use commas to separate group names. For example:
    --groups qa02,sap,javax
    You can specify the groups by UNIX group name or samAccountName attribute. The groups you specify do not need to have a UNIX profile already defined for the zone. There is no default group list. By default, only a user's initial group is defined.

-u, --uid uid_value
    Modify the numeric value of the user identifier (UID) for the UNIX user account. Note You cannot specify this option when connected to Auto Zone. This value must be a positive integer and must be unique in the zone unless you specify the --allow-duplicate option to allow duplicate values. If you do not specify the --uid option, the next available UID in the zone is used by default. You should not specify UID values between 0 and 99. Values between 0 and 99 are typically reserved for system accounts.

-o, --allow-duplicate
    Allow the UID value for the user to be the same as the UID used in another user profile. Note You cannot specify this option when connected to Auto Zone.

-s, --shell shell_path
    Change the user's login shell. Note You cannot specify this option when connected to Auto Zone. If you don't specify this option, the system selects the default login shell for the operating environment when the user logs on.

-L, --lock on|off
    Lock or unlock a user's account in Active Directory.

-f, --forcepw on|off
    Change whether the specified user is forced to change the password at the next logon.

-k, --des on|off
    Change the "Use DES encryption types for this account" setting in Active Directory for the specified user. DES is a weak Kerberos encryption type; leave this setting off unless a legacy service explicitly requires it.

-S, --spn servicePrincipalName
    Specify the servicePrincipalName to add for this user account. Specifying a service principal name is particularly useful if you intend to use prevalidated authentication. To specify the servicePrincipalName, use the format:
    service/samAccountName
    For example, to add a service principal for the prevalidation service, preval, for the user account kai:
    --spn preval/kai kai

-x, --remove-spn servicePrincipalName
    Specify the servicePrincipalName to remove for this user account. For example, to remove the service principal for the prevalidation service, preval, for the user account kai:
    --remove-spn preval/kai kai

-z, --enable on|off
    Enable or disable access to the current zone for the specified user. Note You cannot specify this option when connected to Auto Zone.

-U, --unlock
    Unlock a user account that has been locked because of failed password attempts.

-X, --extattr [+|-]name=value
    Add, delete, or modify the value of an extended attribute for the user. Note You cannot specify this option when connected to Auto Zone. Typing a plus sign (+) before the attribute name adds the extended attribute if it doesn't exist. Typing a minus sign (-) before the attribute name removes the attribute, if it exists. For example, to set the value of the extended attribute aix.rlogin:
    adupdate modify user -X +aix.rlogin=true jae
    Note Extended attributes are only applicable on AIX computers. You can use adquery and the keyword help to view a list of the supported extended attributes. For example:
    adquery user --extattr help

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

UNIXlogin
    Specify the UNIX login name for the user in the current zone. The user must exist and be enabled for UNIX access in the same zone as the computer.

Examples of using adupdate modify user

To change the UID for a UNIX user profile if you are logged on with an account with permission to modify user information in the domain, you could type a command line similar to the following:
adupdate modify user --uid 700 jcole

To change the UNIX user name and home directory for the UNIX user jim to kuoj if you are logged on with an account with permission to modify user information in the domain, you could type a command line similar to the following:
adupdate modify user --login kuoj --home /home/kuoj --move-home jim

To force the user kuoj to change his password the next time he logs on, you could type a command line similar to the following:
adupdate modify user --forcepw on kuoj

Note You may need to refresh the console you are using to verify changes were made.

Deleting a user profile

You can use adupdate delete user to remove an existing user profile from the current zone or to delete an Active Directory user. The basic syntax for the adupdate delete user program is:
adupdate delete user [options] user[@domain]

Setting options for deleting a user profile

You can use the following options with the adupdate delete user command:

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to remove an Active Directory user account from the domain. You must use the user@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available or user account specified, the Administrator user account is used to connect to Active Directory.

-p, --password password
    Specify the password for the Active Directory administrative account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. Note Specifying a password at the command line represents a security risk because the password can be read from the process list while the command is running or from shell history after the command has completed.

-R, --rmhome
    Remove the user's home directory on the Centrify DirectControl-managed system.

-r, --remove
    Remove the associated Active Directory user account from Active Directory without interactive confirmation.

-i, --interactive
    Confirm the deletion of the UNIX profile or Active Directory user account interactively before removing the user.

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

user[@domain]
    Specify the UNIX user profile name or Active Directory user login name (samAccountName@domain) for the user in the current zone. The user must exist and be enabled for UNIX access in the same zone as the computer. If the user name you specify does not uniquely identify the user, you must include the domain name in the command line. For example:
    kris@iowa.arcadia.net

Examples of using adupdate delete user

To remove the UNIX user profile from the current zone if you are logged in with a user account with permission to delete user information from the domain, you could type a command similar to the following:
adupdate delete user -V sunni

To remove a UNIX profile account if your current user account does not have permission to delete users from the domain, you must provide the user name and password for an account with permission to delete users from the domain. For example, if the user paolo@acme.com is an administrator with permission to remove user profiles from the domain, you could type a command similar to the following:
adupdate delete user --admin paolo@acme.com -V sunni

You are then prompted for the Active Directory password for the paolo@acme.com account. If the user name and password for the administrators account are valid, the user profile is removed from Active Directory. If you also want to remove the Active Directory user account, you could type a command similar to the following:
adupdate delete user --admin paolo@acme.com --verbose --remove --interactive sunni

After you provide the Active Directory password for the paolo@acme.com account, this command connects to Active Directory and prompts you to confirm whether you want to delete the account:
Delete Centrify user CN=Sunni Ashton,CN=Users,DC=ajax,DC=org ? (Yes/No)

You can then type y to confirm that you want to delete the user.

Note You may need to refresh the console you are using to verify changes were made.

Adding a new group

You can use adupdate add group to add a new group profile to the current zone. The basic syntax for the adupdate add group program is:
adupdate add group [options] groupname

Setting options for adding a group

You can use the following options with the adupdate add group command:

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to add a new Active Directory group to the domain. You must use the user@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available or user account specified, the Administrator user account is used to connect to Active Directory.

-p, --password password
    Specify the password for the Active Directory administrative account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. Note Specifying a password in the command line represents a security risk because the password can be read from the process list while the command is running or from shell history after the command has completed.

-C, --create
    Create a new UNIX group profile and Active Directory group.

-G, --group name|canonical_name
    Specify the group name to be associated with the new UNIX group in canonical form or by its samAccountName attribute in Active Directory. This option is required and is used for the samAccountName, displayName, and LDAP common name (cn) attributes in Active Directory.

-g, --gid
    Specify the numeric value of the group identifier (GID) for the new group profile.

-o, --allow-duplicate
    Allow the GID value for the new group to be the same as the GID used in another group profile.

-R, --required
    Make the new group a required group for all of the users who are members of the group. Required groups cannot be removed when users change their active set of groups using the adsetgroups command.

-c, --container containername
    Specify the relative distinguished name (RDN) of the container or Organizational Unit in which you want to place this group account. The RDN represents the direct parent object for the group. Note You must specify a container for the new group object when creating a new group with the adupdate command. You can use the domain's default Users container object, for example, ajax.org/Users, or any other existing parent container object. If the container you specify does not exist in Active Directory, however, the group account will not be created. In addition, you must have permission to add entries to the specified container.

-t, --type local|global|universal
    Specify the type of Active Directory security group to create. The valid group types are domain local, global, or universal. If you don't specify the group type, the group is added as a global group by default.

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

groupname
    Specify the UNIX name for the group.

Examples of using adupdate add group

To add the group profile qa002 to the Active Directory QA group if you are logged in with a user account with permission to add groups to the domain, you could type a command line similar to the following:
adupdate add group -g 9000 -G ajax.org/Users/QA qa002

To create a new Active Directory group with a UNIX profile if you are logged in with a user account with permission to add groups to the domain, you could type a command line similar to the following:
adupdate add group --create --container Users --gid 9000 --group ajax.org/Users/QA --type universal qa002

Modifying an existing group

You can use adupdate modify group to modify the UNIX group profile name, numeric identifier, or membership. The basic syntax for the adupdate modify group program is:
adupdate modify group [options] groupname

Setting options for modifying a group

You can use the following options with the adupdate modify group command:

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to modify an Active Directory group. You must use the user@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available or user account specified, the Administrator user account is used to connect to Active Directory.

-p, --password password
    Specify the password for the Active Directory administrative account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. Note Specifying a password in the command line represents a security risk because the password can be read from the process list while the command is running or from shell history after the command has completed.

-g, --gid
    Modify the numeric group identifier (GID) for the specified group profile.

-o, --allow-duplicate
    Allow the GID value for the group to be the same as the GID used in another group profile.

-n, --name groupname
    Modify the UNIX group name for the specified group.

-m, --member user|group
    Add a new user or group as a member of the specified group.

-r, --remove user|group
    Remove a user or group as a member of the specified group.

-R, --required
    Make the specified group a required group for all of the users who are members of the group. Required groups cannot be removed when users change their active set of groups using the adsetgroups command.

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

groupname
    Specify the UNIX name for the group. The group must exist and be enabled for UNIX access in the same zone as the computer.

Examples of using adupdate modify group

To change the GID for a UNIX group profile if you are logged on with an account with permission to modify group information in the domain, you could type a command similar to the following:
adupdate modify group --gid 700 javax

To add a new user to the UNIX group javax if you are logged on with an account with permission to modify group information in the domain, you could type a command similar to the following:
adupdate modify group --member jcole -V javax

To add a group or user as a new member of a UNIX group, the group or user must be enabled for UNIX access in the host computer's zone. In addition, you can only specify one new user or group member each time you run this command. To remove a group or user from the list of members for a group, you could type a command similar to the following:
adupdate modify group --remove luis -V javax

Deleting a group

You can use adupdate delete group to remove an existing group profile from the current zone or delete an Active Directory group. The basic syntax for the adupdate delete group program is:
adupdate delete group [options] groupname

Setting options for deleting a group

You can use the following options with this command:

-a, --admin user[@domain]
    Identify an Active Directory user account with sufficient rights to remove an Active Directory group from the domain. You must use the user@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available or user account specified, the Administrator user account is used to connect to Active Directory.

-p, --password password
    Specify the password for the Active Directory administrative account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. Note Specifying a password at the command line represents a security risk because the password can be read from the process list while the command is running or from shell history after the command has completed.

-i, --interactive
    Confirm the deletion of the group profile interactively before removing the group.

-r, --remove
    Remove the Active Directory group associated with the group profile.

-V, --verbose
    Display detailed information about each operation as it is performed.

-v, --version
    Display version information for the installed software.

groupname
    Specify the UNIX name for the group. The group must exist and be enabled for UNIX access in the same zone as the computer.

Examples of using adupdate delete group

To remove the UNIX group profile from the current zone when you are logged in with an account with permission to delete groups from the domain, you could type a command line similar to the following:
adupdate delete group performx

If you also want to remove the Active Directory group associated with the UNIX group, you could type a command similar to the following:
adupdate delete group --admin paolo --verbose --remove --interactive unixdev

After you provide the Active Directory password for the paolo account, this command connects to Active Directory and prompts you to confirm whether you want to delete the group. For example:
Delete Centrify group CN=Unix developers,CN=Users,DC=ajax,DC=org ? (Yes/No)

You can then type y to confirm that you want to delete the group.

Note You may need to refresh the console you are using to verify changes were made.

Updating the system clock

You can also use the adupdate command to synchronize the system clock on the local computer with its domain controller. Kerberos rejects tickets when the clock skew between a computer and the domain controller exceeds the KDC's tolerance (five minutes by default), so resynchronizing the clock is a useful first step when authentication to the domain fails unexpectedly. The syntax for synchronizing the time on the local computer with its domain controller is:
adupdate time

Understanding adupdate-specific result codes

In addition to the common result codes described in Understanding common result codes on page 314, the adupdate command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.

Result  Error name                       Indicates
156     ERR_READ_CDC_SETTING             A Centrify DirectControl setting could not be read.
157     ERR_NOT_SUPPORT_ZONE             The type of zone you are attempting to update is obsolete and no longer supported.
158     ERR_USER_IN_ZONE                 The user profile you are attempting to add already exists in the zone.
159     ERR_USER_IN_AD                   The user you are attempting to add already exists in Active Directory.
160     ERR_DUP_UID                      The user's UID already exists in the zone.
161     ERR_NOT_FIND_CENTRIFY_GROUP_OBJ  The group profile could not be found.
162     ERR_NOT_SPECIFY_INIT_GROUP       A default group has not been defined for the zone. If a default primary group does not exist for a zone, you must specify the GID of the user's primary group.
163     ERR_NOT_SPECIFY_CONTAINER        You must specify a container for the Active Directory object you are adding.
164     ERR_CANNOT_ADD_CENTRIFY_USER     The Centrify DirectControl user profile cannot be added, for example, because the user name or UID already exists in the zone.
165     ERR_CANNOT_CREATE_HOME_DIR       The home directory could not be created.
166     ERR_SKIP_CREATE_HOME_DIR         The automatic creation of the user's home directory will be skipped.
167     ERR_ADD_USER_FAILED              The attempt to add a user failed.
168     ERR_TIME_SYNC_FAILED             The attempt to synchronize system clocks failed.
169     ERR_CANNOT_UPDATE_USER           The user account cannot be updated in Active Directory. For example, you may see this error if the user account running the command does not have sufficient permissions to modify the user account.
170     ERR_MOD_USER_FAILED              The attempt to modify the user profile failed.
171     ERR_DEL_USER_FAILED              The attempt to delete the user profile failed.
172     ERR_CANNOT_DELETE_USER           The user account cannot be deleted in Active Directory. For example, you may see this error if the user account running the command does not have sufficient permissions to delete the user.
173     ERR_GROUP_IN_ZONE                The group profile you are attempting to add already exists in the zone.
174     ERR_GROUP_IN_AD                  The group you are attempting to add already exists in Active Directory.
175     ERR_NOT_FIND_AD_GROUP_OBJ        The Active Directory group could not be found.
176     ERR_DUP_GID                      The group's GID already exists in the zone.
177     ERR_CANNOT_ADD_CENTRIFY_GROUP    The Centrify DirectControl group profile cannot be added, for example, because the group name or GID already exists in the zone.
178     ERR_ADD_GROUP_FAILED             The attempt to add a group failed.
179     ERR_CANNOT_UPDATE_GROUP          The group account cannot be updated in Active Directory. For example, you may see this error if the user account running the command does not have sufficient permissions to modify the group.
180     ERR_MOD_GROUP_FAILED             The attempt to modify the group failed.
181     ERR_CANNOT_DELETE_GROUP          The group cannot be deleted in Active Directory. For example, you may see this error if the user account running the command does not have sufficient permissions to delete the group.
182     ERR_DEL_GROUP_FAILED             The attempt to delete the group failed.

Using adquery

The adquery command enables you to query Active Directory for information about users and groups from the command line on a Centrify DirectControl-managed system. The options you can use depend on whether you are looking up user information or group information. You can look up information for a specific user or group or for all of the users or groups in a zone. The basic syntax for the adquery program is as follows:
adquery user|group [options] [username|groupname]

You can specify a single option in the command line to have the information returned as one value per line suitable for use in scripts. If you specify multiple options in the command line, the information returned is formatted in a list with field labels identifying each value.

Querying user information


You can use the adquery user command to look up one or more details about one or more specified users in Active Directory. If you don't specify any users in the command line, the command lists all of the users in the zone. The basic syntax for querying user information is:
adquery user [options] [username]

You can specify the username in any supported format. If the user name includes any blank spaces, the name should be enclosed by quotation marks. For example, if you want to specify an Active Directory account name consisting of a first name and a last name, you can type a command similar to the following:
adquery user --samname --enabled "Jae Park"

Setting valid options for user information

You can use the following options with the adquery user command:

-h, --home
    Display the specified user's home directory or the home directory for all users in the zone.

-g, --group
    Display the specified user's primary group identifier (GID) or the primary group identifier (GID) for all users in the zone.

-G, --groups
    List the UNIX-enabled groups the user is a member of.

-a, --adgroups
    List all of the Active Directory groups the user is a member of. Active Directory groups are listed by canonical name.

-s, --shell
    Display the user's default shell.

-u, --uid
    Display the user identifier (UID) for the specified user or for all users in the zone.

-p, --display
    Display the displayName attribute for the user or for all users in the zone.

-o, --gecos
    Display the contents of the GECOS field for the user or for all users in the zone.

-n, --unixname
    Display the UNIX login name for the specified user or for all users in the zone.

-M, --samname
    Display the Active Directory logon name for the specified user or for all users in the zone.

-i, --sid
    Display the Active Directory security identifier (SID) for the specified user or for all users in the zone.

-P, --principal
    Display the Kerberos user principal name (UPN) for the specified user or for all users in the zone.

-S, --service
    Display the Kerberos service principal name (SPN) for the specified user or for all users in the zone.

-C, --canonical
    Display the Active Directory canonical name for the specified user or for all users in the zone.

-H, --hash
    Display the UNIX password hash for the specified user if you are using password synchronization between Active Directory and DirectControl-managed computers. You must be logged on as the root user, or be querying Active Directory for your own account, to retrieve the password hash.

-x, --acct-expire
    Display the date the user account expires. You must be logged on as the root user, or be querying your own account, to retrieve this information.

-w, --pwd-expire
    Display the date the current password for the user account expires. You must be logged on as the root user, or be querying your own account, to retrieve this information.

-c, --pwd-nextchange
    Display the date after which the user may change their password. You must be logged on as the root user, or be querying your own account, to retrieve this information.

-l, --pwd-lastchange
    Display the date of the last password change for the user. You must be logged on as the root user, or be querying your own account, to retrieve this information.

-k, --locked
    Determine whether the Active Directory account for the user is locked because of failed attempts to log on. You must be logged on as the root user, or be querying your own account, to retrieve this information.


Administrators Guide

-d, --disabled
    Determine whether the Active Directory account for the user has been disabled. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.

-e, --enabled
    Determine whether the Active Directory account for the user has been enabled for UNIX access in the current zone.

-D, --dn
    Display the distinguished name (dn) for the specified user or for all users in the zone.

-W, --userWorkstations
    List the value of the user's Active Directory userWorkstations attribute, which specifies the machines from which the user may log into the domain. If the output is blank, the user is not restricted to a particular machine.

-A, --all
    List all of the information returned by the other command line options for the user.

-F, --cache-first
    Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.

-r, --separator char
    Specify the separator character or string (char) to use between fields. The default separator between fields is a colon (:). For example:
    jae:uid:525

-R, --list-separator char
    Specify the separator character or string (char) to use between the values in a list. The default separator between values in a list is a comma (,). For example:
    jae:unixGroups:testlab,dev2

-f, --prefix
    Add the user's UNIX user name as a prefix when returning single values. This option formats the information returned to include the user's UNIX name when you are querying for a specific attribute, such as the user's UID or displayName. This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the user's UNIX name and a label identifying each attribute by default.

-X, --extattr
    Display the list of extended attributes or the value of a specified extended attribute.
    Note: Extended attributes are only applicable on AIX computers.
    You can use the keyword help to view a list of the supported extended attributes. For example:
    adquery user --extattr help
    To look up the value of a specific extended attribute, include the name of the attribute in the command line. For example, to look up the value of the aix.rlogin extended attribute:
    adquery user -X aix.rlogin jae

-v, --version
    Display version information for the installed software.

Querying group information


You can use the adquery group command to look up one or more details about a specified group or multiple groups in Active Directory. If you don't specify any groups in the command line, the command lists all of the groups in the zone. The basic syntax for querying group information is:
adquery group [options] groupname

You must use the canonical format for the group name if specifying the Active Directory group name. Because a canonical name can contain spaces, quote it so the shell passes it as a single argument. For example, if you want to specify the Active Directory group name, you can type a command similar to the following:
adquery group "ajax.org/Users/TestExpert Team"

Setting valid options for group information

You can use the following options with the adquery command:
Use this option    To do this

-m, --members
    List the UNIX members of the specified group or of all groups in the zone.

-a, --admembers
    List the Active Directory members of the specified group or of all groups in the zone.

-s, --sammembers
    List the Active Directory members of the specified group or of all groups in the form name@domain; for example:
    jsmith@AJAX.COM

-g, --gid
    Display the group identifier (GID) for the specified group or of all groups in the zone.

-q, --required
    Display whether membership in the specified group is required or not. For more information about required groups, see adsetgroups.

-n, --unixname
    Display the UNIX group name for the group.

-M, --samname
    Display the Active Directory name for the group.

-i, --sid
    Display the Active Directory security identifier (SID) for the group.

-C, --canonical
    Display the Active Directory canonical name for the group.

-D, --dn
    Display the distinguished name (dn) for the group.

-A, --all
    List all of the information returned by the other command line options for the group. If you use this option without specifying a group name, the command lists details for all of the groups in the zone.

-F, --cache-first
    Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.

-r, --separator char
    Specify the character or string (char) to use as the separator between an attribute name and its value. The default separator between attributes and values is a colon (:). For example:
    unixname:qa-euro

-R, --list-separator char
    Specify the character or string (char) to use as the separator between the values in a list. The default separator between values in a list is a comma (,). For example:
    unixGroups:unixdev,testexpe

-f, --prefix
    Add the UNIX group name as a prefix when returning single values. This option formats the information returned to include the UNIX group name when you are querying for a specific attribute, such as the group GID or membership list. This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the UNIX group name and a label identifying each attribute by default.

-t, --type
    Display the scope and group type for a specified group. The valid group types are:
    local security
    global security
    universal security

-v, --version
    Display version information for the installed software.

Examples of using adquery


You can use adquery to return a specific value for a user or group or to list multiple details about a user or group. The format of the output depends on whether you specify a single attribute or multiple attributes on the command line. For example, if you want to see a complete list of details about the group unixdev, you would type:
adquery group --all unixdev

This command returns the results for the unixdev group in the following format:
unixname:unixdev
gid:400
required:false
dn:CN=Unix Developers,CN=Users,DC=ajax,DC=org
groupType:global security
samAccountName:Unix Developers
sid:S-1-5-21-3619768212-1024502798-2657341593-1106
canonicalName:ajax.org/Users/Unix Developers
members:ajax.org/Users/Ashish Menendez,ajax.org/Users/Ben Waters,ajax.org/Users/Monte Fisher,ajax.org/Users/Jae Kim,ajax.org/Users/Jay W. Reynolds,ajax.org/Users/Pierre Leroy,ajax.org/Users/Rae Parker,ajax.org/Users/Zoe Green
unixMembers:ashish,ben,fisher,jae,jay,pierre,rae,zoe

Similarly, if you want to see a complete list of details about the user jae@ajax.org, you would type:
adquery user --all jae@ajax.org

This command returns the results for the user in the following format:
unixname:jae
uid:409
gid:400
gecos:Jae Kim
home:/home/jae
shell:/bin/bash
dn:CN=Jae Kim,CN=Users,DC=ajax,DC=org
samAccountName:jae
display:jae
sid:S-1-5-21-3619768212-1024502798-2657341593-1185
userPrincipalName:jae@AJAX.ORG
servicePrincipalName:
canonicalName:ajax.org/Users/Jae Kim
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 12 15:21:04 2007
nextPasswordChange:Fri Mar 2 14:21:04 2007
lastPasswordChange:Thu Mar 1 14:21:04 2007
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:unixdev,testexpe
memberOf:ajax.org/Users/Unix Developers,ajax.org/Users/Domain Users,ajax.org/Performix/TestExpert Team
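The one-attribute-per-line layout above is easy to consume from a script, which matters when you want to review account state across many hosts rather than read it by eye. The following shell script is an added example and is not part of the Centrify guide: it reads the output of adquery user --all (here a constructed sample drawn from the values shown above) and reports whether the account is locked, disabled, or not enabled for this zone. The function names adq_attr and audit_user_state are this example's own.

```shell
# Added example (not from the Centrify guide): audit the attribute:value
# output of "adquery user --all <user>" for states that block UNIX logon.
# SAMPLE_USER_OUTPUT is constructed from the guide's example; in practice
# you would pipe the real command into audit_user_state:
#   adquery user --all jae@ajax.org | audit_user_state
SAMPLE_USER_OUTPUT='unixname:jae
uid:409
gid:400
gecos:Jae Kim
home:/home/jae
shell:/bin/bash
dn:CN=Jae Kim,CN=Users,DC=ajax,DC=org
samAccountName:jae
accountExpires:Never
passwordExpires:Thu Apr 12 15:21:04 2007
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:unixdev,testexpe'

# Print the value of one attribute from attribute:value output on stdin.
# Only the first colon separates the name from the value, so values that
# themselves contain colons (DNs, timestamps) are returned intact.
adq_attr() {
    awk -v key="$1" -F: '$1 == key { sub(/^[^:]*:/, ""); print; exit }'
}

# Read adquery output on stdin, print "<user> uid=<uid> <state>", and
# return 0 only when the account is usable: not locked, not disabled, and
# enabled in the current zone.
audit_user_state() {
    out=$(cat)
    name=$(printf '%s\n' "$out" | adq_attr unixname)
    uid=$(printf '%s\n' "$out" | adq_attr uid)
    locked=$(printf '%s\n' "$out" | adq_attr accountLocked)
    disabled=$(printf '%s\n' "$out" | adq_attr accountDisabled)
    enabled=$(printf '%s\n' "$out" | adq_attr zoneEnabled)
    status=ok
    [ "$locked" = "true" ] && status=locked
    [ "$disabled" = "true" ] && status=disabled
    [ "$enabled" = "true" ] || status=not-zone-enabled
    printf '%s uid=%s %s\n' "$name" "$uid" "$status"
    [ "$status" = "ok" ]
}

printf '%s\n' "$SAMPLE_USER_OUTPUT" | audit_user_state
```

The exit status lets the function gate a loop over many users or a cron job; the printed line is what you would log. If you change the field separator with --separator, the -F argument to awk must change to match.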

Specifying a single attribute for users and groups

When you specify a single attribute in the command line, the information is displayed as one value per line without any attribute label or identifier. For example, if you want to return the canonical name for the qa-euro group as an unlabeled value, you would type:
adquery group --canonical qa-euro

This command displays the canonical name without any prefix or label:
ajax.org/Users/QA Europe

Similarly, if you want to return only the UID for the user rae@ajax.org, you would type:
adquery user --uid rae@ajax.org

This command displays the UID alone:
10003

To list a single attribute about multiple groups or users, you can specify the additional groups or users in the command line. For example, to see a list of the UNIX user names of Active Directory members for the testexp, performx and unixdev groups, you would type:
adquery group --members testexp performx unixdev

This command returns the UNIX user names of the members in each group in the following format:
ben,fisher,jae,jolie,rae
zoe
ashish,ben,fisher,jae,jay,pierre,rae,zoe

If you want the results to include the UNIX user name or group name, you can add the --prefix option to the command line. For example, to include the UNIX group name with a membership list for the testexp, performx and unixdev groups, you would type:
adquery group --members --prefix testexp performx unixdev

This command returns the members in each group in the following format:
testexp:ben,fisher,jae,jolie,rae
performx:zoe
unixdev:ashish,ben,fisher,jae,jay,pierre,rae,zoe

Specifying multiple attributes for users and groups

When you query multiple attributes for a user or group, the results display the UNIX user or group name, followed by an attribute label to identify the attribute values displayed. For example, to return the samAccountName and unixGroups for the users rae, ben, ashish, and jae, you would type:
adquery user --samname --groups rae ben ashish jae

This command returns the requested information for each user in the following format:
rae:samAccountName:rae-old
rae:unixGroups:unixdev,testexpe,perform2
ben:samAccountName:ben
ben:unixGroups:qualtrak,unixdev,testexpe
ashish:samAccountName:ashish
ashish:unixGroups:qualtrak,unixdev
jae:samAccountName:jae
jae:unixGroups:unixdev,testexpe,perform2


Listing information for all users and groups in a zone

If you don't specify a username or groupname in the command line, the adquery command returns information for all users or all groups in the current zone. The format of the output depends on whether you specify a single attribute or multiple attributes and on any other options you set. For example, to list the UNIX group names and GIDs for all of the groups in the current zone, you would type:
adquery group --gid --prefix

This command returns the group names and GIDs in the following format:
unixdev:400
oracle:700
qualtrak:800
performi:401
perform2:402
financeu:403
testexpe:404
integrit:405

Similarly, to return a list of UIDs and display names for all of the users in the current zone, you would type:
adquery user --uid --display

For example:
rae-old:uid:10003
rae-old:displayName:Rae S. Parker
jay:uid:501
jay:displayName:Jay W. Reynolds
zoe:uid:502
zoe:displayName:Zoe Green
ben:uid:503
ben:displayName:Ben Waters
ashish:uid:504
ashish:displayName:Ashish Menendez
fisher:uid:505
fisher:displayName:Monte Fisher
pierre:uid:506
pierre:displayName:Pierre Leroy
lynn:uid:507
lynn:displayName:Lynn Hogan
tess:uid:508
tess:displayName:Tess Adams
jolie:uid:509
jolie:displayName:Jolie Ames-Anderson
jae:uid:510
jae:displayName:Jae Kim
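Because every line of multi-attribute output carries the UNIX name, an attribute label, and the value, a zone-wide listing such as adquery user --uid --display can be checked for consistency problems by a script. The following shell function is an added example and not part of the guide: it finds UIDs that more than one user in the zone shares, a condition that lets two Active Directory accounts own each other's files. The sample output is constructed from the listing above with one extra colliding account, guest, added for illustration; find_duplicate_uids is this example's own name.

```shell
# Added example (not from the Centrify guide): detect UID collisions in the
# multi-attribute output of "adquery user --uid --display".  The sample is
# constructed from the guide's listing plus one made-up account ("guest")
# that reuses zoe's UID.  With a live system you would run:
#   adquery user --uid --display | find_duplicate_uids
SAMPLE_ZONE_OUTPUT='rae-old:uid:10003
rae-old:displayName:Rae S. Parker
jay:uid:501
jay:displayName:Jay W. Reynolds
zoe:uid:502
zoe:displayName:Zoe Green
guest:uid:502
guest:displayName:Guest Account
jae:uid:510
jae:displayName:Jae Kim'

# Read user:label:value lines on stdin and print "<uid> user1,user2,..."
# for every UID held by more than one user.  The exit status is 1 when at
# least one collision exists, so the function can fail a cron job or a
# pre-deployment check; it is 0 when every UID in the zone is unique.
find_duplicate_uids() {
    awk -F: '
        $2 == "uid" {
            users[$3] = (users[$3] == "" ? $1 : users[$3] "," $1)
            n[$3]++
        }
        END {
            found = 0
            for (u in n) if (n[u] > 1) { print u, users[u]; found = 1 }
            exit found
        }'
}

printf '%s\n' "$SAMPLE_ZONE_OUTPUT" | find_duplicate_uids
```

The function keys on the uid label in the second field, so displayName lines and any other attributes you add to the query are ignored. If you change the field separator with --separator, change the awk -F argument to match.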

Using adgpupdate

Note: The adgpupdate command requires that you are running DirectControl with a license.

The adgpupdate command retrieves group policies from the Active Directory domain controller and applies the policy settings to the local computer and current user immediately. Under normal conditions, without running this command, group policies are updated automatically every 90 to 120 minutes by default. If you want a policy change to take effect immediately, however, you can force the group policy to be refreshed by running the adgpupdate command. Upon updating the group policy, the adgpupdate command then resets the timer so that the next automatic update occurs in the next 90 to 120 minutes.

Automatic group policy updates occur at a random interval between 90 and 120 minutes to prevent multiple computers from connecting to and requesting updates from the Active Directory domain controllers at the same time. However, both the default interval of 90 minutes and the default offset period of 30 minutes can be configured to other values using group policy settings. Therefore, the automatic group policy update may occur more or less frequently in your environment.

Note: For information about setting computer and user group policies, see the Group Policy Guide. For information about customizing the group policy update, see the Configuration Parameters Reference Guide.

The basic syntax for the adgpupdate program is:


adgpupdate [options]

By default, the adgpupdate command updates both the computer-based group policies and the user-based group policies for the user who is currently logged in and running the adgpupdate command. With a command line setting, you can restrict the group policies updated to only the computer group policies or only the current user's group policies, if needed.

Setting valid options


You can use the following options with this command:
Use this option    To do this

-T, --target [Computer|User]
    Restrict the group policy update to either Computer group policy or User group policy.

-V, --verbose
    Display information about each step in the group policy update process as it occurs. This option is useful for troubleshooting purposes.

-v, --version
    Display version information for the installed software.

Examples of using adgpupdate


In most cases, you use the adgpupdate command to update both the computer-based group policies and the user-based group policies after changes have been made or when new policies are set. To update both the computer and user group policies on the local computer for the current user account, you can type:
adgpupdate

The command then displays update status similar to the following:


Refreshing Computer Policy...
Computer Policy Refresh has completed.
Refreshing User Policy...
User Policy Refresh has completed.

If you only want to update computer group policy on the local computer, you can type a command similar to the following:
adgpupdate --target Computer

Note: To update user policies on a computer, you must be logged on as a valid Active Directory user. If you are not logged on as a valid Active Directory user, running adgpupdate refreshes the computer-based group policies but no user-based group policies are updated.

Using adinfo
The adinfo command displays detailed Active Directory, network, and diagnostic information for a local UNIX computer. Options control the type of information and level of detail displayed. The basic syntax for the adinfo program is:
adinfo [option] [--user username[@domain]] [--password password]

The option argument can be any of the following:


adinfo [--domain] [--gc] [--zone] [--zonedn] [--site] [--server] [--name] [--all] [--support [--output filename]] [--diag [domain]] [--config] [--mode] [--test] [--verbose] [--version] [--auth [domain]] [--servername domain_controller] [--computer]

The --domain, --gc, --zone, --zonedn, --site, --server, and --name options are intended for use in scripts to return the current Active Directory domain, global catalog domain controller, zone, zone distinguished name, site, domain controller, and computer account name, respectively. The other options provide more detailed or operation-specific information.

You can use the --user and --password options in conjunction with the --all, --support, --diag, or --auth option to specify the user name and password of an Active Directory account with permission to read the computer account information in the Active Directory domain controller you are accessing. If you run adinfo while logged in as root, you do not need to specify the --user or --password option because the command uses the Active Directory account associated with the local host. If you run the adinfo command with a user account that doesn't have permission to read the computer account information in Active Directory, some information may not be available in the command output.


Note: To run the adinfo --support command, you must be logged in as root. You are not required to log in as root for any of the other adinfo options.

If you do not specify an option, adinfo returns the basic set of configuration details for the local computer, which is equivalent to specifying adinfo --all.

Setting valid options


You can use the following options with this command:
Use this option    To do this

-d, --domain
    Return the name of the local computer's Active Directory domain. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.

-G, --gc
    Return the name of the local computer's Active Directory domain controller used for global catalog operations. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.

-z, --zone
    Return the name of the local computer's Active Directory zone, or Auto Zone if the computer is joined to Auto Zone and is not a member of any specific zone. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.

-Z, --zonedn
    Return the distinguished name (DN) of the local computer's Active Directory zone, or the distinguished name (DN) of the computer's Active Directory domain if the computer is joined to Auto Zone. The distinguished name is the name that uniquely identifies an entry in the directory, beginning with the most specific attribute and continuing with progressively broader attributes. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.

-s, --site
    Return the name of the local computer's Active Directory site. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.

-r, --server
    Return the fully-qualified name of the local computer's Active Directory domain controller. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.

-n, --name
    Return the fully-qualified name of the local computer's computer account in Active Directory. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 2.

-a, --all
    Return the following information:
        Local host name
        Domain the computer is joined to
        Computer account name in Active Directory
        Local preferred site
        Centrify DirectControl zone
        The date and time that the password was last reset for the computer's Active Directory computer account
        Current operational mode, indicating whether the computer is connected to Active Directory or running in disconnected mode
    Note: If you use this option but the user account doesn't have permission to read the computer account information in Active Directory, the command output does not indicate whether shell access has been enabled and does not include information about when the password was last set.

-t, --support [--output filename]
    Return all of the information supplied by the --all option and the following additional information:
        The current configuration parameters set in /etc/centrifydc/centrifydc.conf
        The settings from /etc/krb5.conf
        The contents of the log file /var/log/centrifydc.log
        The key list from /etc/krb5.keytab
    This option is typically used to send complete diagnostic information to a file, which can then be sent to Centrify Technical Support for analysis. By default, the output for the command is written to the file /tmp/adinfo_support.txt. You can save the output in a different location or under a different file name by using the optional --output argument. To send --support output to stdout, use a hyphen (-) in the command line in place of the filename.
    Note: The root account is required if you want to retrieve the Kerberos key version stored in Active Directory for comparison with the local Kerberos key.

-g, --diag [domain]
    Return the diagnostic information for the host computer and a specific Active Directory domain. If you don't specify the domain, the command returns information for the computer's current domain. Specifying a domain is useful when an attempt to join the computer to an Active Directory domain fails: by running adinfo --diag with the domain you tried to join, you can better diagnose why the attempt failed. This option returns the following information:
        Local host name.
        Local IP address.
        List of the DNS servers for the specified domain.
        Host name or IP address of the DNS server supplied by the domain controller.
        Whether the domain controller has up-to-date global catalog data so that it can become the global catalog, if necessary.
        Functional level of the specified Active Directory domain.
        Functional level of the domain's Active Directory forest.
        Functional level of the domain controller.
        Name of the Active Directory forest to which the specified domain belongs.
        Name of the computer account in Active Directory for this computer.
        Kerberos key version for this computer.
        List of Kerberos service principal names this computer has registered with Active Directory.
    Note: You should use the root user account when you use this option. If you don't use the root account, the command will not be able to bind to the domain controller or locate the computer account. The root account is also required to compare the local key version with the key version stored in Active Directory.

-c, --config
    Return the parsed contents of the Centrify DirectControl configuration file.

-m, --mode
    Display whether the computer is currently connected to Active Directory or running in disconnected mode. If the adclient process is not running at all, this option returns the agent status as down.
    Note: You should use the root user account when you use this option to display the correct status. If you don't use the root account, the command will not be able to check the adclient lock file to confirm whether adclient is running.

-T, --test
    Test the availability of the ports Centrify DirectControl requires for authentication through Active Directory.

-V, --verbose
    Display detailed information about each operation as it is performed. You can use this option in combination with other options.

-v, --version
    Display version information for the installed software.

-u, --user username[@domain]
    Identify an Active Directory user account with sufficient rights to read the computer account information. You must use the username@domain format to specify the user account if the username is not a member of the computer's current domain. If you do not specify the --user option, the default is the Administrator user account.

-p, --password userpassword
    Specify the password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-A, --auth [domain]
    Authenticate the user name and password for the user specified with the --user option against the specified domain. If you don't specify a domain, the user is validated against the currently joined domain. This option only validates that the user name and password you enter can be authenticated by Active Directory. You cannot use this option in combination with other options to display other types of information.

-S, --servername domain_controller
    Connect to a specific domain controller to perform network diagnostics. You can use this option in combination with any of the other options.

-C, --computer
    Display the service principal names (SPNs) associated with the computer account.

Examples of using adinfo


In most cases, you use the adinfo command to provide information that will help you diagnose and resolve problems in Centrify DirectControl or Active Directory environments. To display the basic configuration information for the local UNIX computer, you can type:
adinfo

If the computer has joined a domain, this command displays information similar to the following:
Local host name:    magnolia
Joined to domain:   ajax.org
Joined as:          magnolia.ajax.org
Pre-win2k name:     magnolia
Current DC:         ginger.ajax.org
Preferred site:     Default-First-Site-Name
Zone:               ajax.org/Program Data/Centrify/Zones/default
Last password set:  2006-12-21 11:37:22 PST
CentrifyDC mode:    connected
Licensed Features:  Enabled

You can also use adinfo in shell scripts to return specific information, such as the domain a computer has joined. For example, the following command returns the host computer's current domain and no other information:
adinfo --domain

For example:
ajax.org

The adinfo --diag command can also be useful in diagnosing Active Directory configuration issues and Kerberos problems. For example, in addition to other information, the --diag option returns the Kerberos key version for the UNIX computer. The key version is stored both locally and in the computer's Active Directory account, and it is incremented when a service principal's password key changes. If the local key version differs from the Active Directory account key version, the local key is no longer in sync with the Active Directory key, and authentication may fail. By running adinfo --diag and checking the Key Version: field you can determine whether the key versions are the same or out of sync. If the versions are different, the Key Version field shows both keys and indicates which is local and which comes from Active Directory. If the computer isn't joined to a domain, it has no local key and the following is displayed:
Key Version: local key version unavailable

If the computer is joined to a domain other than the specified domain, the Active Directory key is shown as:
<unavailable>

If the computer has joined a domain, the adinfo --diag command displays information similar to the following truncated example:
Host Diagnostics
  uname: Linux magnolia 2.4.21-15.EL #1 Thu Apr 22 00:27:41 EDT 2004 i686
  OS: Red Hat Enterprise Linux ES
  Version: 3 (Taroon Update 2)
  Number of CPUs: 1
IP Diagnostics
  Local host name: magnolia
  FQDN host name: magnolia (domain missing?)
  Local IP Address: 192.168.147.135
Domain Diagnostics:
  Domain: ajax.org
  Subnet site: Default-First-Site-Name
  DNS query for: _ldap._tcp.ajax.org
  Found SRV records: ginger.ajax.org:389
  Testing Active Directory connectivity:
    Domain Controller: ginger.ajax.org
      ldap: 389/udp - good
      ldap: 389/tcp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
  Domain Controller: ginger.ajax.org:389
    Domain controller type: Windows 2003
    Domain Name: AJAX.ORG
    isGlobalCatalogReady: TRUE
    domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AJAX.ORG
  DNS query for: _gc._tcp.AJAX.ORG
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
  Domain Controller: ginger.ajax.org:3268
    Domain controller type: Windows 2003
    Domain Name: AJAX.ORG
    isGlobalCatalogReady: TRUE
    domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AJAX.ORG
  Retrieving zone data from ajax.org
  Centrify DirectControl 2.x zones:
    ConsumerDiv - ajax.org/Program Data/Centrify/Zones/ConsumerDiv
    Manufacturing - ajax.org/Program Data/Centrify/Zones/Manufacturing
    London - ajax.org/Program Data/Centrify/Zones/London
  Centrify Microsoft SFU zones:
    default - ajax.org/Program Data/Centrify/Zones/default
Computer Account Diagnostics
  Joined as: magnolia
  Key Version: 5
  Service Principal Names:
    nfs/magnolia.ajax.org
    nfs/magnolia
    host/magnolia.ajax.org
    host/magnolia
    ftp/magnolia.ajax.org
    ftp/magnolia
    cifs/magnolia.ajax.org
    cifs/magnolia
    HTTP/magnolia.ajax.org
    HTTP/magnolia
Centrify DirectControl Status
  Running in connected mode

To test whether a specific user can be authenticated by a specific Active Directory domain controller, you could type a command similar to the following:
adinfo --auth --user rae --servername ginger.ajax.org

You are then prompted for the Active Directory password for the user rae account. If Active Directory can authenticate the user, a confirmation message similar to the following is displayed:
Password for user rae is correct


To test connectivity and the availability of required ports on the Active Directory domain controller, you could type a command similar to the following:
adinfo --test

If the computer is joined to a domain and the connection to Active Directory succeeds, the command displays information similar to the following:
Domain Diagnostics:
  Domain: ajax.org
  DNS query for: _ldap._tcp.ajax.org
  DNS query for: _gc._tcp.ajax.org
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
    Domain Controller: ginger.ajax.org
      ldap: 389/tcp - good
      ldap: 389/udp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
      ntp: 123/udp - good
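The port results from adinfo --test and the Key Version line from adinfo --diag described above can be evaluated by a monitoring script rather than read by eye, so that a blocked Kerberos port or a keytab that has drifted from the computer account shows up before users start failing to log on. The following shell functions are an added example, not Centrify's code: adinfo_failed_ports prints every port line whose result is not good, and adinfo_key_version_ok prints the Key Version value and succeeds only when it is a single number. Both sample outputs are constructed from the guide's examples, with one port result changed to timeout to show a failure; timeout is this example's own placeholder, not a result string the guide documents.

```shell
# Added example (not from the Centrify guide): turn "adinfo --test" and
# "adinfo --diag" output into pass/fail checks.  Both samples are
# constructed from the guide's examples; the "timeout" result on the
# kpasswd line is a made-up failure for demonstration.  Live usage:
#   adinfo --test | adinfo_failed_ports
#   adinfo --diag | adinfo_key_version_ok
SAMPLE_TEST_OUTPUT='Domain Diagnostics:
  Domain: ajax.org
  DNS query for: _ldap._tcp.ajax.org
  DNS query for: _gc._tcp.ajax.org
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
    Domain Controller: ginger.ajax.org
      ldap: 389/tcp - good
      ldap: 389/udp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - timeout
      ntp: 123/udp - good'

SAMPLE_DIAG_OUTPUT='Computer Account Diagnostics
  Joined as: magnolia
  Key Version: 5
  Service Principal Names:
    host/magnolia.ajax.org
    host/magnolia'

# Print every "<service>: <port>/<proto> - <result>" line whose result is
# not "good", stripped of leading indentation.  Exit 0 only when all tested
# ports are reachable.
adinfo_failed_ports() {
    awk '/[0-9]+\/(tcp|udp) - / {
             sub(/^[ \t]+/, "")
             if ($NF != "good") { print; bad = 1 }
         }
         END { exit bad }'
}

# Print the Key Version value from --diag output.  The guide states that
# adinfo prints one number when the local key and Active Directory agree,
# both values (labelled local and AD) when they differ, and "local key
# version unavailable" when the computer is not joined.  Exit 0 only for
# the single in-sync number; anything else, including a missing line,
# exits 1.
adinfo_key_version_ok() {
    awk '/Key Version:/ {
             sub(/^[ \t]*Key Version:[ \t]*/, "")
             print
             found = 1
             if ($0 !~ /^[0-9]+$/) bad = 1
         }
         END { if (found && !bad) exit 0; exit 1 }'
}

printf '%s\n' "$SAMPLE_TEST_OUTPUT" | adinfo_failed_ports
printf '%s\n' "$SAMPLE_DIAG_OUTPUT" | adinfo_key_version_ok
```

Both functions treat anything other than the documented healthy form as a failure, so an unexpected result string or a mismatch report is never silently accepted. Remember that the guide requires the root account for --diag to compare the local key version with the one stored in Active Directory.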

Understanding adinfo-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adinfo command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.

Result    Error name                      Indicates

156       ERR_MACHINE_PASSWORD_CHANGED    The computer account password has been changed. If you encounter this error, you may need to manually reset the computer account password in Active Directory, then rerun the adinfo command.

157       ERR_KRB_READ_FORMAT             A Kerberos format error occurred when reading the Kerberos configuration file. You should rename or remove the configuration file, then rerun the adinfo command.

158       ERR_NOT_FQDN_NAME               The server name must be a fully-qualified domain name.


Using addebug
The addebug command is used to start or stop detailed logging activity for Centrify DirectControl on a local UNIX computer. The basic syntax for the addebug program is:
addebug [on | off | clear]

If you run the addebug on command, all of the Centrify DirectControl activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging on, the addebug program records messages from PAM and NSS requests in the /var/log/centrify_client.log file. Therefore, you should also check that file location if you enable logging. If you do not specify an option, addebug displays its current status, indicating whether logging is active or disabled.

Setting valid options


You can use the following options with this command:
Use this option   To do this
on                Start logging all Centrify DirectControl daemon activity.
off               Stop logging Centrify DirectControl daemon activity.
clear             Clear the existing log file, then continue logging activity to the cleared log file.

Examples of using addebug


You use the addebug command to start and stop detailed Centrify DirectControl-specific logging to help you trace and resolve problems. To display the current status of logging, type:
/usr/share/centrifydc/bin/addebug

400

Administrators Guide

Note: You must type the full path to the command because addebug is not included in the path by default.

This command displays information similar to the following:


Centrify DirectControl debug logging is off

To turn on logging, type:


/usr/share/centrifydc/bin/addebug on

This command records information in the /var/log/centrifydc.log file similar to the following:
...
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Joining domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Getting the KDC List for garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Updating config file with domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Created user LDAP connection
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Destroying binding to 'garfield.com'
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Attempting connection to server
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connecting to odie.garfield.com:389
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connected
...

For performance and security reasons, you should only enable Centrify DirectControl logging when necessary, for example, when requested to do so by Centrify Technical Support, and for short periods of time. To discontinue logging, type:
addebug off

Using adobfuscate
The adobfuscate command allows you to obscure sensitive data in a log file, such as email addresses, hostnames, and usernames, before sending the file to Centrify for analysis. You create a pattern file using regular expressions to identify specific patterns in the file. The command reads the pattern file and replaces items matched by the patterns with generic values.

The adobfuscate command operates in two passes. The first pass searches for patterns (as defined in the pattern file) in the log file and creates a map file that contains the specific values to be hidden, as well as a unique token to replace each one. For example, in the pattern file you can search for hostnames (see Examples of using adobfuscate on page 405 for specific information on how to use regular expressions in the pattern file to identify items in the log file to hide). In the map file, adobfuscate creates a list of specific hostnames and replacement value tuples; for example:
centrify.com    hostcom_0
ajax.com        hostcom_1

The second pass applies the value-token tuples in the map file to the log file, replacing each instance of the value with its corresponding token. For example, each instance of centrify.com in the log file is replaced by hostcom_0. By default, adobfuscate performs the first pass only, although you can use the --both option to perform both. Once you create a map file, you can hand edit it to add other known hostnames, email addresses and so on, and if you are sure you have identified all sensitive names that might be in a log file, you can run this map file against any log file without performing the first pass each time. The basic syntax for the adobfuscate program is:
adobfuscate [options] [user[@domain]]

Setting valid options


You can use the following options with this command:
-b, --both
    Perform both passes of adobfuscate. The first pass searches the log file for patterns specified in the pattern file and creates a map file that contains values to be replaced and the token to replace them with. The second pass reads the map file and replaces the patterns in the log file with the replacement token. When you specify the --both option, the replacement values created by pass one are used during pass two, rather than read from a map file. By default (if you do not specify the --both option), only pass one is performed.

-f, --logfile filename
    Specify the input log file. It must be a text-based file in which lines are separated by the newline character. The default input file is log.txt.
    Note: Although the purpose of this command is to hide sensitive information in log files generated by Centrify DirectControl commands, you can specify any valid text file.

-m, --mapfile filename
    Specify the map file to create, or use, depending on the pass you are running. When you run only the first pass of adobfuscate (the default operation), this option (--mapfile) specifies the map file to create. When you run only the second pass of adobfuscate (--obfuscate), this option specifies the map file to apply to the log file. The default input map file is map.txt.
    Note: If you use the --both option to run both passes, you do not need to specify a map file because the command creates replacement values during the first pass, and applies them to the log file during the second pass.
    The map file contains a list of lines, each with a value and replacement token, separated by a tab; for example:
        centrify.com       hostcom_0
        ajax.com           hostcom_1
        rdavis@ajax.com    email_1

-o, --obfuscate
    Run the second pass of the operation only. The second pass reads replacement values from the specified map file and replaces matching values in the specified log file with the appropriate tokens. The default input file is log.txt. The default map file is map.txt.

-p, --patternfile filename
    Specify the input pattern file to use. The pattern file contains regular expressions to find sensitive information (email addresses, hostnames, and so on) to replace with generic tokens. The default pattern file is /etc/centrifydc/adobfuscate.conf. You can use this file as is, or use it as a template to create your own pattern file.

-v, --verbose
    Print verbose information while the command runs. Specify multiple --verbose options to increase the verbosity level. The maximum is 2.

Examples of using adobfuscate


Using the adobfuscate command is a multi-step process:
1 Create a pattern file to identify the types of names to hide in the log file. Centrify DirectControl provides a standard pattern file that you can use as is, or as a template to create your own pattern file.
2 Run the first pass of adobfuscate, and specify the pattern file you just created, to create a map file that contains all the specific names to replace as well as a replacement value for each name.
3 Run the second pass of adobfuscate, and specify the map file you just created, to apply the replacement values to each specified name in the log file.

The following example steps you through this process.

Creating a pattern file

In the pattern file, you use regular expressions to identify sensitive names that you want obscured in the log file. Each line in the pattern file uses the following syntax:
action reg-expr-pattern repl-token

where:
action             One of the following:
                   match     Replace any items that match the patterns.
                   exclude   Keep the item even if it matches the pattern.
reg-expr-pattern   A regular expression pattern to identify sensitive names in the log file, such as email addresses and hostnames.
repl-token         The token to replace names of each type in the log file. For example, specific email addresses are replaced by email_n, .com hostnames by hostcom_n, and so on.

The easiest way to create a pattern file is to modify the sample file provided by Centrify DirectControl: /etc/centrifydc/adobfuscate.conf. The following shows the pattern matching definitions from this file:
#You can define your own sensitive data by using the following format.
#[action type][regular expression] [substitute value]
#The action type has two optional values: match | exclude .
#Lines of 'match' specify patterns that should be obfuscated and must have substitute value argument.
#Lines of 'exclude' specify patterns that shouldn't be matched.
match /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}/ email
match /[A-Z0-9-]+[A-Z0-9.-]+\.com/ hostcom
match /[A-Z0-9-]+[A-Z0-9.-]+\.net/ hostnet
match /[A-Z0-9-]+[A-Z0-9.-]+\.org/ hostorg
match /[A-Z0-9-]+[A-Z0-9.-]+\.test/ hosttest
match /[A-Z0-9-]+[A-Z0-9.-]+\.land/ hostland

Also in the file are patterns to exclude:


exclude /adclient\..*/
exclude /adclient\.pam\.util/
exclude /adclient\.session/
exclude /adfs\.agent/
exclude /adfs\.federationinfo/
exclude /adfs\.request/
exclude /adfs\.request\.checktoken/
exclude /adfs\.request\.parsetoken/
exclude /adfs\.test/
. . .
exclude /util\.ulimit/

The purpose of this list is to retain specific items in the log file that may be useful for analyzing a problem, but would otherwise be obscured because they match one of the specified patterns. You should browse this list and remove any specific items that you do not want to appear in a log file you send to Centrify.

Running the first pass of adobfuscate

After you create a pattern file, you can run the first pass of adobfuscate to create a map file:
adobfuscate -f /var/log/centrifydc.log -m myMap

This command applies the default pattern file (/etc/centrifydc/adobfuscate.conf) to the centrifydc log file and creates a map file called myMap. Suppose the log file contains the following text (hostnames are in bold-face type so you can easily see them):
Mar 23 11:04:56 lynx1 adnisd[2247]: WARN <main> adnisd No NIS maps found on server win2k-1.acme.com
Mar 23 11:04:56 lynx1 adclient[2524]: DEBUG <fd:16 ldap fetch> base.bind.ldap win_serv-1.acme.com:389 fetch dn="" filter="(objectclass=*)" timeout=7
Mar 23 11:04:56 lynx1 adclient[2524]: DEBUG <fd:16 get object> base.bind.ldap win_serv-1.acme.com:389 pagedSearch base="CN=Groups,CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=mkline,DC=local" filter="(displayName=$CimsGroupVersion2)"
Mar 23 11:09:57 lynx2 adnisd[2247]: WARN <main> adnisd No NIS maps found on server win2k-1.acme.com

By applying the pattern file, adobfuscate creates a map file with the following entries:
win2k-1.acme.com       hostcom_0
win_serv-1.acme.com    hostcom_2

Note: The entry, base.bind.ldap, has the form of a hostname, and as such would normally be replaced with a hostname_n token; however, the default adobfuscate pattern file contains an entry to exclude it, so it remains in the log file:
exclude /base.bind.ldap

Running the second pass of adobfuscate

Now run the second pass (-o option) of adobfuscate specifying the map file you just created, to obscure hostnames in the log file:
adobfuscate -f /var/log/centrifydc.log -m myMap -o

The sanitized log file contains the following entries:


Mar 23 11:04:56 lynx1 adnisd[2247]: WARN <main> adnisd No NIS maps found on server hostcom_0
Mar 23 11:04:56 lynx1 adclient[2524]: DEBUG <fd:16 ldap fetch> base.bind.ldap hostcom_1:389 fetch dn="" filter="(objectclass=*)" timeout=7
Mar 23 11:04:56 lynx1 adclient[2524]: DEBUG <fd:16 get object> base.bind.ldap hostcom_1:389 pagedSearch base="CN=Groups,CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=mkline,DC=local" filter="(displayName=$CimsGroupVersion2)"
Mar 23 11:09:57 lynx2 adnisd[2247]: WARN <main> adnisd No NIS maps found on server hostcom_0

As you can see, specific hostnames have been replaced with generic host name tokens.
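The two-pass operation described above (pattern file, map file, replacement) implemented as an added Python example; this is not code from the guide or from Centrify. It reads a constructed pattern file in the adobfuscate.conf syntax, builds the map in pass one and applies it in pass two. The generic host pattern and the exclude line for base.bind.ldap are assumptions added so that the exclude behaviour is exercised; the log lines, hosts and address are constructed. Replacement is done longest-value-first so that an e-mail address is not half-rewritten by the hostname pattern that also matches its domain part.

```python
import re
from collections import defaultdict

# Constructed pattern file in the adobfuscate.conf syntax: "action /regex/ token".
# The generic "host" pattern is an assumption added so that base.bind.ldap is
# matched and then kept by the exclude line, as the note above describes.
PATTERN_FILE = r"""
#match lines need a substitute value; exclude lines keep the item even if matched
match /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}/ email
match /[A-Z0-9-]+[A-Z0-9.-]+\.com/ hostcom
match /[A-Z0-9-]+(\.[A-Z0-9-]+)+/ host
exclude /base\.bind\.ldap/
"""

# Constructed log lines in the adclient/adnisd style; hosts and address are made up.
LOG_LINES = [
    'Mar 23 11:04:56 lynx1 adnisd[2247]: WARN <main> adnisd No NIS maps found on server dc1.example.com',
    'Mar 23 11:04:56 lynx1 adclient[2524]: DEBUG <fd:16 ldap fetch> base.bind.ldap dc2.example.com:389 fetch dn=""',
    'Mar 23 11:05:01 lynx1 adclient[2524]: INFO <main> notification for jdoe@example.com sent via dc1.example.com',
    'Mar 23 11:09:57 lynx2 adnisd[2247]: WARN <main> adnisd No NIS maps found on server dc1.example.com',
]

PATTERN_LINE = re.compile(r"^(match|exclude)\s+/(.+)/(?:\s+(\S+))?\s*$")


def parse_pattern_file(text):
    """Parse pattern lines into ([(compiled_regex, token)], [compiled_exclude_regex])."""
    matches, excludes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PATTERN_LINE.match(line)
        if not m:
            raise ValueError(f"cannot parse pattern line: {raw!r}")
        action, regex, token = m.groups()
        compiled = re.compile(regex, re.IGNORECASE)  # the sample file uses [A-Z] classes
        if action == "match":
            if token is None:
                raise ValueError(f"match line needs a substitute value: {raw!r}")
            matches.append((compiled, token))
        else:
            excludes.append(compiled)
    return matches, excludes


def build_map(log_lines, matches, excludes):
    """Pass one: collect every sensitive value and give it a unique token (value -> token)."""
    mapping = {}
    counters = defaultdict(int)
    for line in log_lines:
        for regex, prefix in matches:
            for hit in regex.finditer(line):
                value = hit.group(0)
                if value in mapping or any(ex.fullmatch(value) for ex in excludes):
                    continue
                mapping[value] = f"{prefix}_{counters[prefix]}"
                counters[prefix] += 1
    return mapping


def apply_map(log_lines, mapping):
    """Pass two: replace each mapped value with its token. Longer values are tried
    first so an e-mail address is not half-rewritten by the host pattern inside it."""
    if not mapping:
        return list(log_lines)
    ordered = sorted(mapping, key=len, reverse=True)
    finder = re.compile("|".join(re.escape(v) for v in ordered))
    return [finder.sub(lambda hit: mapping[hit.group(0)], line) for line in log_lines]


def map_file_text(mapping):
    """Render the map in the tab-separated 'value<TAB>token' layout adobfuscate uses."""
    return "\n".join(f"{value}\t{token}" for value, token in mapping.items())


def obfuscate(log_lines, pattern_text):
    """Run both passes (the --both behaviour) and return (mapping, sanitized_lines)."""
    matches, excludes = parse_pattern_file(pattern_text)
    mapping = build_map(log_lines, matches, excludes)
    return mapping, apply_map(log_lines, mapping)


if __name__ == "__main__":
    found, clean = obfuscate(LOG_LINES, PATTERN_FILE)
    print(map_file_text(found))
    print("\n".join(clean))
```

Running the block prints the map (dc1.example.com and dc2.example.com become hostcom_0 and hostcom_1, jdoe@example.com becomes email_0) followed by the sanitized lines, with base.bind.ldap left untouched. Review the generated map before sending a log out: anything the patterns missed stays in clear text, which is why the guide suggests hand-editing the map file.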

Understanding adobfuscate-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adobfuscate command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.
Result  Error name     Indicates
6       ERR_OTHERS     Error when parsing the pattern file or the map file.
7       ERR_USAGES     Usage error.
40      ERR_OPEN_FILE  Could not open file.

Using adrmlocal
The adrmlocal command reports and removes local user names that duplicate Active Directory user names. The basic syntax for the adrmlocal program is:
adrmlocal [--interactive] [--commit] [--force] [--version]

The adrmlocal command displays a report of users who are in both a local user database, for example, the local user accounts defined in the /etc/passwd file, and in Active Directory to allow you to check for duplicate user names. You can remove selected duplicate local user names interactively or remove all duplicate local users without prompting.

If you run this command with the --interactive option, the command prompts you to remove the local user account or skip each duplicate user, regardless of whether the user's UID or GID in /etc/passwd matches the information for the user name in Active Directory. If you run this command with the --commit option, the command removes duplicate users if there are no UID or GID conflicts but prompts you to remove or skip local users that have UID or GID conflicts. If you run this command with the --force option, the command removes all duplicate local users without prompting.

To delete local user accounts in a NIS domain, you should run the adrmlocal command on the NIS master server. After running the command, you must update the NIS passwd maps to make the updated information available to your NIS servers.

Setting valid options


You can use the following options with this command:
-i, --interactive
    Be prompted interactively for confirmation that you want to remove the duplicate local user account before performing the delete operation.

-c, --commit
    Remove duplicate local users if the UID and GID are the same in the local database and Active Directory. If the UID or GID for a local user conflicts with the information stored in Active Directory, this option prompts you to determine whether a local user account should be deleted or not.

-f, --force
    Remove all duplicate local user names without prompting even if there are UID or GID conflicts.

-v, --version
    Display version information for the installed software.

Examples of using adrmlocal


You use the adrmlocal command to view and remove duplicate local user accounts that conflict with Active Directory user accounts. To report duplicate user names that exist in both the local user database and Active Directory and respond to each duplicate interactively, you would type:
adrmlocal --interactive

This command displays a summary of the conflicts found, then prompts you to decide whether each duplicate user should be deleted. For example:
3 local user(s) that are duplicated with AD users:
adam:uid(505):gid(503):ADuid(10001):ADgid(10000) Conflicted with AD
chin:uid(506):gid(504):ADuid(10009):ADgid(10000) Conflicted with AD
liz:uid(507):gid(505):ADuid(10005):ADgid(10000) Conflicted with AD
Delete local user adam ? (Yes/No)

Understanding adrmlocal-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adrmlocal command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.
Result  Error name                     Indicates
156     ERR_NOT_LOAD_PASSWD_FILE       The attempt to load the local password file failed.
157     ERR_NOT_CHECK_DUP_LOCAL_USER   The attempt to check for duplicate user accounts failed.
158     ERR_NOT_LOAD_GROUP_FILE        The attempt to load the local group file failed.
159     ERR_NOT_CHECK_DUP_LOCAL_GROUP  The attempt to check for duplicate user accounts failed.

Using adfinddomain
The adfinddomain command displays the domain controller associated with the Active Directory domain you specify. The basic syntax for the adfinddomain program is:
adfinddomain [--format name|ldap|ip] [--port] [--verify] [--version] [domain | $]

If you don't specify a domain, the command returns information for the domain the local computer is joined to. If you specify a dollar sign ($) instead of a domain, the command returns the host name and, optionally, the port number, for the Global Catalog server.


Setting valid options


You can use the following options with this command:
-f, --format name|ldap|ip
    Control the format of the information displayed for the domain controller. For example, if you set the format to name, the command displays the host name of the domain controller. Similarly, you can specify the format to be the format used for LDAP requests or to be the fully-qualified host name of the domain controller. For example:
        adfinddomain -f ldap
        ldap://fire.arcade.org

-p, --port
    Include the port number in the output.

-V, --verify
    Check whether the specified domain controller is currently operational.

-v, --version
    Display version information for the installed software.

[domain | $]
    Specify the domain name or the global catalog for which you want to display information.

Examples of using adfinddomain


You can use the adfinddomain command to display the host name, LDAP URL, or IP address of the domain controller for a specified domain. For example, to display the full host name for the domain controller in the arcade.org domain, you would type:
adfinddomain --format name ajax.org
ginger.ajax.org

To display the host name for the global catalog server, type:
adfinddomain $
zen.ajax.org

To include the port number for the domain controller or global catalog, type:
adfinddomain --format name --port ajax.org
ginger.ajax.org:389

or:
adfinddomain $ --port
zen.ajax.org:3268

Understanding adfinddomain-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adfinddomain command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.
Result  Error name             Indicates
156     ERR_NOT_OBTAIN_IP      The command is unable to obtain the IP address for the server.
157     ERR_UNDETECT_SERVICE   The command is unable to find the domain controller for the domain specified. You should verify the domain name, then try rerunning the adfinddomain command.

Using adfixid
The adfixid command can be used to resolve UID and GID conflicts and change the ownership of a local user's files to match the user and group IDs defined for the user in Active Directory. The basic syntax for the adfixid program is:
adfixid [--commit] [--commit-all] [--report filename] [--usermap filename] [--groupmap filename] [--id id_range] [--xdev] [--follow] [--undo] [--restart] [--version] [--verbose] directory

The adfixid command compares the local password database, for example, the local /etc/passwd and /etc/group files, to the UNIX profile entries for the DirectControl zone that are retrieved from Active Directory. To perform this comparison, adfixid checks for local UNIX user and group names that match the user and group names in the UNIX profiles defined for the current zone. The command then generates a report of the local users and groups that have UIDs or GIDs that conflict with the information stored in Active Directory. You can then use adfixid to change the ownership of local users' files and directories to match the user and group ID values defined in Active Directory for the zone, eliminating UID and GID conflicts.

Although adfixid bases its comparison on the local UNIX user or group name matching the zone UNIX user or group name to check for UID and GID conflicts and change file ownership, the local password store may have local UNIX user and group names that do not match any of the UNIX user and group names defined for the zone. In some cases, these local users and groups may have a UNIX profile for the zone, but under a different user or group name. To accommodate this situation, you can use a mapping file to specify how the user and group names in the local database map to the user and group names in the UNIX profiles for the current zone. You can then run adfixid with the --usermap or --groupmap option to check for UID or GID conflicts and change file ownership, as needed.

By default, running the adfixid command simply lists the local users and groups that have UID or GID conflicts and require file ownership changes. If you run this command with the --commit option, adfixid searches local file systems, starting with the directory you specify, for files owned by users defined in the /etc/passwd file, and changes the ownership and group information to match the information defined for the zone. If you run this command with the --commit-all option, adfixid also updates the /etc/passwd and /etc/group files to contain the new ID values.

Note: The local computer must be joined to an Active Directory domain and in a valid zone to perform most operations. This requirement is not necessary to generate a report with the --report option or to undo a previous operation with the --undo option. In addition, to run adfixid with the --commit, --commit-all, or --undo options, you must be logged in as root.

Because of the operations it performs, running the adfixid command can take a significant period of time to complete its execution. Therefore, in most cases, you should limit the scope of directories to be traversed at any one time and run this command when there is minimal network traffic.

Setting valid options


You can use the following options with this command:
-c, --commit
    Commit file ownership UID and GID changes to the file system. If you do not specify this option, by default, adfixid only displays a list of the users and groups that require ownership changes.

-C, --commit-all
    Commit the file ownership UID and GID changes to the file system and update the local /etc/passwd and /etc/group files with the new UID and GID values, as needed.

-u, --usermap filename
    Specify the name of a file that maps local UNIX user names to zone UNIX user names. This option is useful when user names have been rationalized in the DirectControl zone but may not match the names in the local database file. The format of the user mapping file is:
        local_UNIX_name zone_UNIX_name
    If a local UNIX user name is not in the mapping file, it's assumed to already match a zone UNIX user name. If no match is found, the name is ignored. If the UID for the ignored name conflicts with a zone UNIX user UID, the UID of the local UNIX user is changed to a value in the UID range set aside for conflict-resolution. For information about setting the value range for conflict resolution, see the --id option.

-g, --groupmap filename
    Specify the name of a file that maps local UNIX group names to zone UNIX group names. This option is useful when group names have been rationalized in the DirectControl zone but may not match the names defined in the local database file. The format of the group mapping file is:
        local_UNIX_group zone_UNIX_group
    If a local UNIX group name is not in the mapping file, it's assumed to already match a zone UNIX group name. If no match is found, the name is ignored. If the GID for the ignored name conflicts with a zone UNIX group GID, the GID of the local UNIX group is changed to a value in the GID range set aside for conflict-resolution. For information about setting the value range for conflict resolution, see the --id option.

-r, --report filename
    Generate an audit log of every chown command that was executed by the adfixid command. You can use a hyphen (-) as the filename to output information to standard out. You can generate the report at the same time as the --commit operation, or at any later time. By default, the audit file is /etc/centrifydc/adfixid.log.
    Note: This option is only valid at the same time you perform a --commit or --commit-all operation or after you have performed one of those operations. You cannot use this option to generate a preview report of changes that a --commit operation would perform. Use the adfixid command with no command line options to review conflicts prior to making file system changes. You can then use the --commit and --report options to generate a report of the changes performed. For example:
        adfixid --commit --report chown_rpt1

-i, --id id_range
    Specify a range of values for assigning new UIDs or GIDs to use in resolving UID or GID conflicts. The id_range parameter can be of the form <start_value>-<end_value> to specify the start and end values of the range. For example:
        --id 90000-110000
    The default range is 50000-60000. If you specify a single number, that value becomes the starting value for the range and the end value is MAXUID. If a local UNIX UID or GID conflicts with a zone UID or GID, the local value is mapped to a value in the specified range. For example, if a local UNIX user has a UID of 126 that conflicts with a zone UNIX user UID, the local UNIX user UID would be mapped to UID 50126 by default. If the target UID value of 50126 is already used in the zone, the next sequential value, 50127, is used instead.

-x, --xdev
    Prevent the adfixid command from running across file system mount points. By default, the adfixid command traverses all local, non-NFS, file system mount points.

-f, --follow
    Specify that you want the adfixid command to follow symbolic links to update the target files and directories. By default, the adfixid command only updates the link file itself, if necessary, and does not traverse into symbolically-linked directories.

-R, --restart
    Ignore the results of a previous run. By default, the adfixid command skips files that were changed by a previous run of the command. Using this option resets the adfixid audit log so that adfixid is not aware of what files were previously changed. If you have previously run adfixid and made changes to the file owner but did not resolve conflicts between the /etc/passwd and /etc/group files and Active Directory, using this option ignores the changes previously made and makes them again when the conflicts between the local files and Active Directory are detected.

-U, --undo
    Reverse the action of a previous --commit operation. All files that had the owner and/or group id changed are set back to their original values. If the /etc/passwd or /etc/group files were updated using a --commit-all operation, this change is also reversed.

-v, --version
    Display version information for the installed software.

-V, --verbose
    Display the file and directory names as they are processed. This option is useful when running this command on a large file system, such as the root file system, so you can track its progress. If you specify this option, the adfixid command:
        Lists every file it examines.
        Reports every change of ownership performed for the files and directories examined.
        Lists any files or directories being skipped.
    Without this option, the adfixid command does not display its progress and may appear to stop running when it is processing a large number of files and directories on large file systems.

directory
    Specify the directory or directories in which to start the search for the user files to be changed. By default, adfixid only searches local file systems, starting with the root (/) level of the file system. You can, however, specify a network file system on the command line, if needed. You can use this parameter to change the file ownership for selected directories or if you want to change the file ownership in stages. For example, you may want to change the ownership for a limited number of directories before committing changes across the whole file system on a given computer. If you specify a network file system, such as an NFS or CIFS mount point, you should be sure that you do not run the command remotely on the same files from different computers. Running this command remotely from more than one computer may cause the file ownership changes to be overwritten with incorrect information.
    Note: File ownership changes are logged in the audit file on a per-machine basis. If you run this command for a network file system, the change is recorded in the audit file on the local computer. If you run the command again from a second computer, that computer has no record that the file ownership has been previously changed.

Examples of using adfixid


To understand how to use the adfixid command, assume the local UNIX users defined in the local password database (/etc/passwd) are as follows:
gsmith:x:1006:1006:George Smith:/home/gsmith:/bin/bash
ballen:x:1007:1007:Bob Allen:/home/ballen:/bin/csh
joe:x:1009:1009:Joe Cool:/home/jcool:/bin/bash
kane:x:1226:1226:Kane Lewis:/home/kane:/bin/bash
jfrank:x:1345:1345:John Frank:/home/jfrank:/bin/bash

The UNIX user profiles defined for the zone are:


gsmith:x:1007:10000:George Smith:/home/gsmith:/bin/bash
ballen:x:1006:10000:Bob Allen:/home/ballen:/bin/csh
jcool:x:1009:1009:Joe Cool:/home/jcool:/bin/bash
klewis:x:10226:10226:Kane Lewis:/home/klewis:/bin/bash
tyoung:x:1345:1345:Ted Young:/home/tyoung:/bin/bash

To simply see a list of the local users and groups with UID or GID conflicts requiring resolution, you can run the following command:
adfixid

This generates a report similar to the following:


4 user-id conflicts were found.
Local UID   Zone UID   User
---------------------------
1006        1007       gsmith
1007        1006       ballen
1009        51009      joe
1345        51345      jfrank

2 group-id conflicts were found.
Local GID   Zone GID   Name
---------------------------
1006        10000      gsmith
1007        10000      ballen

If you want to make the file ownership changes and resolve user and group conflicts, you can run the following command:
adfixid --commit

The file ownership for the local user gsmith will be changed from UID and GID 1006 to UID and GID 1007. The file ownership for the local user ballen will be changed from UID and GID 1007 to UID and GID 1006. The local user joe appears as a UID conflict because the local UNIX user name is different from the zone UNIX user name. Similarly, the local user kane is ignored because there is no mapping between the local UNIX user name and the zone UNIX user name. For these users, you would need to create and specify a user mapping file. The local user jfrank is not defined in the zone, but his local UID and GID conflicts with the user tyoung who has a profile defined in this zone. The adfixid command will assign a UID and GID from the temporary range, for example 51345, and change the ownership (chown) of all of the files owned by the local user jfrank to that UID.

To create a user mapping file, use a text editor and add an entry to map the local UNIX user account joe to the jcool zone UNIX user. For example:
vi defaultzone_usermap

Add an entry to map the local users to zone users as needed. For example:
joe jcool
kane klewis

You can then run the adfixid command and specify the user mapping file. For example:
adfixid --usermap defaultzone_usermap --commit

This command will change the file ownership for the files owned by the local user kane to UID and GID 10226. The command will not change the files owned by the local user joe because once mapped there is no UID or GID conflict between the local UNIX user and the zone UNIX user.
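The conflict analysis walked through above (and the local-versus-directory comparison that adrmlocal performs on names) as an added Python example; it is not code from the guide or from Centrify. It takes the local passwd entries, zone profiles and user mapping file from the example, reports UID conflicts the way the report above does, and builds a single-pass chown plan over a constructed set of file paths. How an unmatched name is moved into the --id range (start plus the old UID, then the next free value, and a failure when the range is exhausted) follows the --id description above; treating that failure as ERR_ID_RANGE, and the group side being left out, are assumptions of this example.

```python
# Local /etc/passwd entries and zone UNIX profiles copied from the example above;
# the file paths used for the chown plan are constructed for this demonstration.
LOCAL_PASSWD = """\
gsmith:x:1006:1006:George Smith:/home/gsmith:/bin/bash
ballen:x:1007:1007:Bob Allen:/home/ballen:/bin/csh
joe:x:1009:1009:Joe Cool:/home/jcool:/bin/bash
kane:x:1226:1226:Kane Lewis:/home/kane:/bin/bash
jfrank:x:1345:1345:John Frank:/home/jfrank:/bin/bash
"""

ZONE_PROFILES = """\
gsmith:x:1007:10000:George Smith:/home/gsmith:/bin/bash
ballen:x:1006:10000:Bob Allen:/home/ballen:/bin/csh
jcool:x:1009:1009:Joe Cool:/home/jcool:/bin/bash
klewis:x:10226:10226:Kane Lewis:/home/klewis:/bin/bash
tyoung:x:1345:1345:Ted Young:/home/tyoung:/bin/bash
"""

# The user mapping file from the example: local_UNIX_name zone_UNIX_name
USERMAP = """\
joe jcool
kane klewis
"""

DEFAULT_ID_RANGE = (50000, 60000)  # the documented default for --id


def parse_passwd(text):
    """Parse passwd-format lines into an ordered {name: (uid, gid)} dict."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid = line.split(":")[:4]
        users[name] = (int(uid), int(gid))
    return users


def parse_usermap(text):
    """Parse 'local_name zone_name' lines into {local_name: zone_name}."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            mapping[parts[0]] = parts[1]
    return mapping


def find_uid_conflicts(local, zone, usermap=None, id_range=DEFAULT_ID_RANGE):
    """Report UID conflicts as [(local_name, local_uid, new_uid)].

    A local name with a zone profile (directly or through the usermap) takes the
    zone UID. A name with no zone profile is ignored unless its UID collides with
    a zone UID; then it is moved into id_range (start + old uid, next free value),
    the 126 -> 50126 rule from the --id description. ValueError stands in for
    result code 156, ERR_ID_RANGE (an assumption of this example).
    """
    usermap = usermap or {}
    start, end = id_range
    zone_uids = {uid for uid, _gid in zone.values()}
    taken = set(zone_uids)
    conflicts = []
    for name, (uid, _gid) in local.items():
        zone_name = usermap.get(name, name)
        if zone_name in zone:
            zone_uid = zone[zone_name][0]
            if uid != zone_uid:
                conflicts.append((name, uid, zone_uid))
            continue
        if uid not in zone_uids:
            continue  # unmatched name with no collision: left alone
        candidate = start + uid
        while candidate in taken:
            candidate += 1
        if candidate > end:
            raise ValueError(f"ERR_ID_RANGE: no free UID for {name} in {start}-{end}")
        taken.add(candidate)
        conflicts.append((name, uid, candidate))
    return conflicts


def plan_chown(file_owners, conflicts):
    """Single-pass ownership plan [(path, old_uid, new_uid)].

    Every file is mapped from its ORIGINAL uid in one pass. Applying the changes
    one user at a time would be wrong here: gsmith (1006 -> 1007) and ballen
    (1007 -> 1006) swap ids, so a second sequential chown would undo the first.
    """
    remap = {old: new for _name, old, new in conflicts}
    return [(path, uid, remap[uid]) for path, uid in file_owners.items() if uid in remap]


def format_report(conflicts):
    """Render the conflict list in the layout adfixid prints without --commit."""
    lines = [f"{len(conflicts)} user-id conflicts were found.",
             f"{'Local UID':<10}{'Zone UID':<10}User", "-" * 26]
    lines += [f"{old:<10}{new:<10}{name}" for name, old, new in conflicts]
    return "\n".join(lines)


if __name__ == "__main__":
    local, zone = parse_passwd(LOCAL_PASSWD), parse_passwd(ZONE_PROFILES)
    print(format_report(find_uid_conflicts(local, zone)))
    print(format_report(find_uid_conflicts(local, zone, parse_usermap(USERMAP))))
```

Without the mapping file the report lists gsmith, ballen, joe (51009) and jfrank (51345), matching the report above; with it, joe drops out and kane is moved to 10226. The single-pass plan is the part worth keeping in mind when scripting ownership changes by hand: the gsmith/ballen swap is exactly the case where running chown per user in sequence silently corrupts the result.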

Understanding adfixid-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adfixid command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.
Result  Error name  Indicates

156  ERR_ID_RANGE
    The UID or GID range you have specified is not large enough to accommodate the number of new UIDs or GIDs needed to resolve account conflicts. You should try rerunning the command with a larger range of values or with no ending UID or GID value.

157  ERR_LOAD_PASSWD_FILE
    The attempt to load the local password file failed.

158  ERR_LOAD_GROUP_FILE
    The attempt to load the local group file failed.

159  ERR_CANNOT_UNDO_CHANGES
    The attempt to undo changes made during a previous run of adfixid failed because the private log file used for recording the changes could not be opened for reading. You should check the permissions on the log file and whether the account used to run the adfixid command has read permission for the file.

160  ERR_CANNOT_CREATE_REPORT
    The attempt to create a report of the changes made by adfixid failed because the private log file could not be opened for reading. You should check the permissions on the log file and whether the account used to run the adfixid command has read permission for the file.

161  ERR_OPEN_LOG_TO_WRITE
    The attempt to open and write to the private log file failed. You should check the permissions on the log file and whether the account used to run the adfixid command has write permission for the file.

162  ERR_LOAD_USER_MAP
    The attempt to load the specified user mapping file failed. You should verify the mapping file exists in the location specified and that the account used to run the adfixid command has read permission for the file, then try rerunning the adfixid command.

163  ERR_LOAD_GROUP_MAP
    The attempt to load the specified group mapping file failed. You should verify the mapping file exists in the location specified and that the account used to run the adfixid command has read permission for the file, then try rerunning the adfixid command.

164  ERR_GENERATE_GROUP_MAP
    The attempt to map local group GIDs to Active Directory GIDs failed.

165  ERR_GENERATE_ID_MAP
    The attempt to map local user UIDs to Active Directory UIDs failed.

166  ERR_OPEN_DIR
    The attempt to open a directory failed. You may see this error if a specified target directory or subdirectory is not accessible or if the account used to run the adfixid command does not have permission to access one or more directories to be searched.

Using adflush
The adflush command can be used to clear the Centrify DirectControl cache on a local computer. The basic syntax for the adflush program is:
adflush [option]

Setting valid options


You can use the following options with this command:

-a, --auth
    Remove DirectAuthorize information from the adclient authorization store cache.
-d, --dns
    Remove stored DNS information from the adclient local cache.
-f, --force
    Clear the adclient local cache of all data even if the Centrify DirectControl Agent is currently disconnected from Active Directory.
-o, --objects
    Remove only domain controller and global catalog objects from the cache.
-V, --verbose
    Display detailed information about the operation.
-v, --version
    Display version information for the installed software.

Examples of using adflush


The adflush command enables you to completely clear the Centrify DirectControl cache at any time. This command can be useful when you want to force the Centrify DirectControl Agent to read new information from Active Directory, or when you want to remove obsolete data from the cache. You can also use this command as part of routine housekeeping to free up disk space. To clear the cache of information from the Active Directory domain controller and global catalog, you would type:
adflush


To display verbose output and force the local cache to be cleared when the Centrify DirectControl Agent (adclient) is running in disconnected mode without access to Active Directory, you would type:
adflush --verbose --force

Using adid
The adid command can be used to display the real and effective UIDs and GIDs for the current user or a specified user. The basic syntax for the adid program is:
adid [option] [username|uid]

The adid command is intended as a replacement for the standard id program to look up user and group information for a specified user. For Active Directory users, the adid command is more efficient than the standard id program because it can request the user's group membership list directly through the Centrify DirectControl Agent, resulting in better performance. For the standard id program, requesting a user's group membership requires the program to search through all the groups on the system to find which groups include the user as a member. If you run the adid command and specify a user who is not an Active Directory user, the adid command transfers the request to the local id program with the same arguments you have specified.


Setting valid options


You can use the following options with this command:

-a
    Display all of the group IDs for the specified user or the current user if no user name or user ID is specified.
    Note: This option is provided to support compatibility with other versions of the program. The information adid displays with this option is the same as the information displayed without this option.
-n, --name
    Display only the effective user name for the specified user or the current user. You must include the --user (or -u) option on the command line to use this option.
-u, --user
    Display only the effective user ID for the specified user or the current user if no user name or user ID is specified.
--help
    Display usage information for the command.

Examples of using adid


You can use the adid command to display user and group information for the current user or any specified user. For example, to display the user name, default group, and complete group membership for the current user, you can type:
adid
uid=505(alan) gid=100(users) groups=100(users),700(oracle),507(testexpert)

To display the user ID and group ID for a specific user name, you can type:
adid alan
uid=505(alan) gid=100(users)

To display the user ID and group ID for a specific user ID, you can type:
adid 505
uid=505(alan) gid=100(users)


To display only the user ID for a specific user name, you can type:
adid --user sloane
506

Using adkeytab
The adkeytab command allows you to create and manage Kerberos key tables (*.keytab files) and coordinate changes with the Kerberos key distribution center (KDC) provided by Active Directory. With the adkeytab command you can:
    Create new service accounts and new key table files.
    Add new Kerberos service principals to existing key tables.
    Adopt Kerberos service principals for an existing Active Directory account and update the key tables and centrifydc.conf entries to manage the adopted account.
    Change the password for a computer or service account and update the keys in its key table.
    Reset a key table that is corrupt or out of sync with the KDC in Active Directory to ensure that the account password and Kerberos keys are synchronized.
    Delete a service principal from a service account and remove its keys from the key table.
    Delete a service account from Active Directory and remove its key table and all related keys from the centrifydc.conf file.

Note: The specific options you can use on the command line for adkeytab depend on the task you want to perform. See the appropriate section for information about which options to use for each task. In addition to the task-specific options, however, you can use the [-V, --verbose] option in conjunction with any task to display detailed information about the operations being performed for diagnostic purposes.


Understanding Kerberos key tables


In a Kerberos environment, each computer has at least one Kerberos key table file stored on its local disk. This keytab file lists Kerberos service principals, such as FTP (FTP/host@REALM), that are offered by the computer and provides at least one key for each of those service principals. If a computer hosts multiple Kerberos-enabled services, it may have more than one keytab file on its local disk. For example, a computer may provide Kerberos authentication for database services. The database service would then require its own keytab file on the host computer.

A keytab file contains two types of entries:
    One keytab entry specifies the service account that owns the key table.
    Other entries specify the service principals offered by the account.

The service account is a special user or computer account set up in Active Directory to handle requests for the Kerberos-enabled service. Each Kerberos-enabled service on a computer requires its own service account in Active Directory, and that service account always owns the keytab file for the Kerberos-enabled service.

The service principal entries in the keytab file contain:
    The key version number that specifies which version of the Kerberos key this is.
    A time stamp that specifies the date and time when the entry was created.
    The name of the service principal.
    The type of encryption used for the key.
    The key itself.

The keys in the key table are generated each time the password for the service account changes. When the service account password changes, a new key is generated for each service principal in the table and stored as a new keytab entry with an updated key version number. Older versions of the keys are retained in the key table as separate entries with earlier version numbers up to a specified number of versions, after which they're removed from the table. In addition, each service principal has at least one entry for each type of key encryption it supports. Therefore, a single service principal typically has many entries in the key table.

In its role as the Kerberos key distribution center (KDC), Active Directory has a computer account for each computer in the network and stores service principals and keys for each computer. It also has a service account for each service offered on a computer, and stores the service principals and keys for each service with the service account. When you add a UNIX computer to an Active Directory domain, the adjoin command creates a computer account in Active Directory and a local keytab file on the computer that adclient can use for authentication. The centrifydc.conf configuration file specifies the Kerberos service principals the computer offers, the location for the computer's keytab files, and the number of key versions maintained for each service principal. After the computer has joined the domain, adclient manages the computer's computer account and its associated keytab file, changing the account password and the Kerberos keys at a set interval. The adclient process does not, however, maintain keytab files for service accounts, add new keytab files, or notify Active Directory of keytab changes for service accounts. To create and manage the keytab files for service accounts, you can use the adkeytab command. The adkeytab program then uses adclient to communicate the keytab information for service accounts to Active Directory so that it can be synchronized in the KDC.
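The entry fields listed above (principal, time stamp, key version number, encryption type, key) and the per-principal retention of older key versions, shown on a constructed keytab as an added example; this is not Centrify's adkeytab code, the file layout is the standard MIT version-2 keytab layout rather than anything DirectControl-specific, and the principal, key bytes and the retention count of 3 are assumptions.

```python
"""Reader for MIT-format Kerberos key table files (added example, not
Centrify code). It surfaces the fields each entry carries and applies the
"keep N key versions" rule; the sample keytab bytes are constructed here."""
import struct
import time

# Encryption type numbers (RFC 3961 / RFC 4757) for the types named on this page.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts",
                 18: "aes256-cts", 23: "arcfour-hmac-md5"}
KEYTAB_MAGIC = b"\x05\x02"          # keytab file format version 2
KRB5_NT_SRV_HST = 3                 # principal name type for service/host


def _octets(s: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(s)) + s


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                timestamp: int) -> bytes:
    """Serialise one keytab entry ('svc/host@REALM') in MIT v2 layout."""
    name, realm = principal.split("@", 1)
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_SRV_HST, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # 32-bit kvno, present in modern files
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes):
    """Return a list of entry dicts: principal, kvno, enctype, timestamp, key."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        realm, comps = strings[0], strings[1:]
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:          # optional 32-bit kvno overrides the byte
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "timestamp": ts, "key": key,
                        "enctype": ENCTYPE_NAMES.get(etype, str(etype))})
    return entries


def stale_entries(entries, keep=3):
    """Entries older than the newest `keep` key versions of their principal,
    i.e. the versions that would be dropped once the retention limit is hit
    (3 is assumed here)."""
    versions = {}
    for e in entries:
        versions.setdefault(e["principal"], set()).add(e["kvno"])
    kept = {p: sorted(v)[-keep:] for p, v in versions.items()}
    return [e for e in entries if e["kvno"] not in kept[e["principal"]]]


# Constructed sample: http/firefly.arcade.com after four password changes,
# each producing an AES and an RC4 key (dummy key bytes, not real keys).
SAMPLE_PRINCIPAL = "http/firefly.arcade.com@ARCADE.COM"
SAMPLE_KEYTAB = KEYTAB_MAGIC + b"".join(
    build_entry(SAMPLE_PRINCIPAL, kvno, et, bytes([kvno]) * ln,
                1267401600 + kvno * 86400)
    for kvno in (2, 3, 4, 5) for et, ln in ((18, 32), (23, 16)))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        when = time.strftime("%Y-%m-%d", time.gmtime(e["timestamp"]))
        print(f"{e['kvno']:>4} {when} {e['principal']} ({e['enctype']})")
    print("beyond the 3-version limit:",
          [(e["kvno"], e["enctype"]) for e in stale_entries(parse_keytab(SAMPLE_KEYTAB))])
```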


Understanding authentication and permissions for using adkeytab


Executing adkeytab requires root permission. In addition, adding, modifying, or deleting Active Directory service account objects requires an authenticated LDAP connection. When executing adkeytab the administrator can supply credentials in any of the following ways:

Supply the name and password of an Active Directory user with sufficient privileges to add, modify or delete the service account object. You can use any of the following adkeytab forms to supply a username and password for authentication:

adkeytab
    assumes the user is the root administrator and prompts for a password. For security, the password you enter is not echoed on the screen.
adkeytab -u username
    prompts for the password for the specified user. The password you enter is not echoed on the screen.
adkeytab -p
    assumes the user is the root administrator. Be aware that in this form of adkeytab, the password is visible on the command line.
adkeytab -u -p
    Be aware that in this form of adkeytab, the password is visible on the command line.

Use the Kerberos kinit utility to build up a credential cache for the root user so authentication is automatic. Typically, you use kinit when performing a series of operations that requires Kerberos credentials. By default, kinit is installed with Centrify DirectControl. See the kinit(1) man page for more information.

Specify DirectControl's computer account credentials for LDAP authentication. Typically, you use DirectControl's computer account credentials if adkeytab operations are being performed on DirectControl's own computer service account and the system keytab. Use the following form of adkeytab:
adkeytab -m

Understanding object permissions for using adkeytab

To create or delete service accounts, you need permission to the container in which you are creating or deleting the account, as follows:
    To create a new service account, you need Create account objects permission.
    To delete a service account, you need Delete account objects permission.

In addition, each adkeytab operation requires specific permissions to Active Directory attributes of the object being created or modified. For example, to add an SPN, you need read permission to the following attributes:
    objectCategory
    cn
    sAMAccountName
    userPrincipalName
    msDS-KeyVersionNumber

and read/write permission to the servicePrincipalName attribute.


The following table summarizes the permissions you need for each type of adkeytab operation.
---------------------------- Operation ----------------------------
Permission / Attribute (rows): objectCategory, userAccountControl, cn, sAMAccountName, userPrincipalName, servicePrincipalName, msDS-KeyVersionNumber, changePassword, resetPassword

Adopt Adopt Adopt Modify Modify Change
(local) (Force) SPN UPN Passwd
R RW R R R R R W R R R R R R R RW R R R RW R W R R R RW R R R R RW R R R R R W R R R

Reset Passwd
R
R R R R R W W

You can verify or modify permissions to an Active Directory object in a number of ways, including:
    Open the Properties page for the object in Active Directory Users and Computers and use the Security tab to set Read and Write permissions for specific attributes. See Microsoft TechNet: Assign, change, or remove permissions on Active Directory objects or attributes for more information.
    Use the dsacls command-line utility to set attribute permissions for the object. See Microsoft TechNet: Dsacls Overview for more information.

Creating a new service account and key table


You can use the adkeytab command to create new service accounts for a computer. When you create a new service account, adkeytab also generates a keytab file for the new account on the local computer, and notifies the KDC in Active Directory of the new service account and keys for the computer. The basic syntax for creating new service accounts and keytab files and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --new --principal principal --keytab filename --container containerDN [options] account-name

Setting options for creating a new service account and key table

You can use the following options to perform this task:


-n, --new
    Create a new service account in Active Directory and a new key table for the account that is stored locally as a keytab file. If you use this option to generate a new service account and keytab file, adkeytab notifies the KDC in Active Directory of the key table contents. If you use this option, you must also specify a keytab file name using the --keytab option and an account-name that is unique in the current domain.


-P, --principal principal
    Specify a service principal to add to the new key table. You must specify at least one service principal when creating a new service account. To specify multiple service principals, use this option multiple times. For principal, type the service type of the service principal you want to add. You can specify the principal by:
    Service type alone (http)
    Service type and the host name or alias (http/firefly)
    Service type and the fully-qualified domain name (http/firefly.arcade.com)
    If you use the service type alone, the adkeytab command generates the full principal name by expanding the name to include the account name at this computer, creating a fully-qualified domain name for the service principal account. For example, if you add the service principal http for service account firefly in domain arcade.com, adkeytab generates two service principals for the keytab file:
    http/firefly@ARCADE.COM
    http/firefly.arcade.com@ARCADE.COM
    If you specify the service type with either a long or short host name, the adkeytab command will only generate the exact principal name specified.
    Note: If the service account name is different from the host name, you should have a DNS alias for the service account name that resolves to the host name of the computer. This allows you to have multiple service principals of the same type on the same computer, for example, multiple database services.
-K, --keytab filename
    Specify the name and location of the new keytab file to create. For filename, specify either the relative or full path to the file you are creating. For example:
    --keytab /etc/krb5/test.keytab


-c, --container containerDN
    Specify the Active Directory name of the container (CN) or organizational unit (OU) into which the new service account should be placed. You can specify the containerDN by:
    Canonical name (ajax.org/unix/services)
    Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org)
    Relative distinguished name without the domain suffix (cn=services,cn=unix)
    For example, if you want to place the account in the UNIX/Services container within the ajax.org domain using the canonical name, you could specify:
    --container ajax.org/UNIX/Services
    Note: The account used to run the adkeytab command must have permission to add objects to the container or organizational unit you specify.


-e, --encryption-type etype
    Specify an encryption type to use in generating keys for each of the service principals you specified with the --principal option. Alternatively, you can use the --des option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or services that support older versions of Kerberos. If you use the --des option, the --encryption-type parameter is ignored.
    If you use the --encryption-type parameter, each etype you specify generates a key table entry for a principal/encryption type combination. For example, if you specify two service principals and one encryption type, adkeytab generates a key table entry for each service principal with a key that uses the selected encryption type. To specify multiple encryption types for a service principal, use this option multiple times. For example, if you specify one service principal and three different encryption types, adkeytab generates a separate key table entry for each encryption type for the service principal.
    If you do not specify an encryption type in the command line, the encryption types defined in the centrifydc.conf file are used. The default encryption types supported are:
    Windows 2000 Server and Windows Server 2003: arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.
    Windows Server 2008 domain functional level supports these additional types: aes128-cts and aes256-cts. Although you can specify these types in an environment other than 2008 domain functional level, they are not useful and may cause extra network round trips during the authentication process.
    Note: If you specify an encryption type that is not listed as a permitted encryption type in the centrifydc.conf file, the key table entry will not be created and an error is displayed. You should verify that the encryption types you want to use are listed for the adclient.krb5.permitted.encryption.types configuration parameter.
-T, --trust
    Set the Trust for delegation option in Active Directory for the new service account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network. For example, if the new service account is trusted for delegation, it can forward ticket-granting tickets and perform other delegated actions. Setting this option may require the adkeytab command to run using an account with administrator permission.


-k, --des
    Specify that all service principals for this account will use the Data Encryption Standard (DES) for keys. Setting this option enables the Use DES encryption types for this account flag in the userAccountControl attribute of the service account. You can use this option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or services that support older versions of Kerberos.
    Note: If you use the --des option, the --encryption-type parameter is ignored.
-d, --domain domain
    Specify the domain in which this service account should be created. This option is used to create accounts in a domain other than the currently joined domain. If you do not specify this option, adkeytab creates the new service account in the currently joined domain by default.
-U, --upn userPrincipalName
    Set the userPrincipalName attribute for the account in Active Directory.
    Note: For user service accounts, you only need to set this option if you want the userPrincipalName to be different from the default user@REALM setting.
-f, --force
    Overwrite an existing Active Directory object with the new account information. This option removes any existing service principals, keytab files and centrifydc.conf entries related to the specified account-name, in preparation for creating a new service account and key table.
    Note: This option is not required for precreated accounts that are inactive. This option is only required if the existing account is active and needs to be replaced.


-m, --machine
    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information.
    Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.
-u, --user username[@domain]
    Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to add an account object to the domain. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
    --user marie@arcade.com
    If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option or if there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.


-S, --samname
    Specify a pre-Windows 2000 account name for the object in Active Directory. This option sets the samAccountName attribute for the Active Directory object you are creating. You should use this option:
    If the account-name you are using for the object exceeds 20 characters.
    If you want the samAccountName attribute for the object to be different from the account-name.
    Note: The samAccountName attribute (also known as the pre-Windows 2000 name) can be a maximum of 20 characters. The attribute must be unique within the Active Directory forest.
-s, --server hostname
    Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.
-g, --gc hostname
    Specify the global catalog computer you want to search to check for duplicate samAccountName attributes. Using this option enables you to avoid replication delays.
-V, --verbose
    Display detailed information about the operation being performed.
account-name
    Create the specified account-name object in Active Directory. You must specify an account-name that is unique in the current domain. In addition, the account-name must be the last argument specified in the command line.

Examples for creating new service accounts and key tables

To create a new DES-encrypted service account and accompanying key table, you would type a command similar to the following:
adkeytab --new --keytab /etc/krb5/mydatabase.keytab --principal data1 --principal data2 --des --container ajax.org/users --user oracleadm mydatabase

This command example uses the Oracle administrator account, oracleadm, to create a dedicated service account named mydatabase for an Oracle server that offers the Kerberos-enabled services data1 and data2. The command also creates a keytab file for the service account at /etc/krb5/mydatabase.keytab, adds the data1 and data2 service principals to the new keytab file, and creates DES-encoded keys for each service principal.

If you were to run this command, you would need to specify the password for the oracleadm account when prompted for the command to complete its execution. When a new keytab file is created successfully, entries for its service principals are also added to the centrifydc.conf file. For example, the following command:
adkeytab --new --keytab /etc/krb5/mydatabase.keytab --container "arcade.net/UNIX/Accounts" --principal hr_db --principal ap_db --encryption-type des-cbc-md5 --user oracleadm mydatabase

adds the following lines to the /etc/centrifydc/centrifydc.conf file:


adclient.krb5.managed.accounts: mydatabase
mydatabase.krb5.keytab: /etc/krb5/mydatabase.keytab
mydatabase.krb5.service.principals: hr_db ap_db
mydatabase.krb5.tkt.encryption.types.hr_db: des-cbc-md5
mydatabase.krb5.tkt.encryption.types.ap_db: des-cbc-md5
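The centrifydc.conf entries above combined with the principal expansion rule from the --principal option (a bare service type becomes both svc/account@REALM and svc/account.domain@REALM), as an added Python example that is not Centrify code: it reads the managed-account parameters and lists the principal/encryption-type pairs the key table should hold. The joined domain (arcade.net), the fallback encryption types and the parser itself are assumptions.

```python
"""Expected key table contents from centrifydc.conf managed-account entries
(added example, not Centrify code). Applies the --principal expansion rule
to the parameters adkeytab records for each account."""


def parse_centrifydc_conf(text):
    """Parse 'name: value' lines into a dict (assumed format; '#' comments
    and blank lines are skipped, later lines override earlier ones)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip()] = value.strip()
    return conf


def expand_principal(spec, account, domain):
    """Rule from the --principal option: a bare service type yields the
    short and the fully qualified form; an explicit host yields one name."""
    realm = domain.upper()
    if "/" in spec:
        return [f"{spec}@{realm}"]
    return [f"{spec}/{account}@{realm}", f"{spec}/{account}.{domain}@{realm}"]


def expected_keytab_entries(conf, domain, default_etypes):
    """For every managed account: its keytab path and the (principal,
    encryption type) pairs, one key table entry per combination."""
    results = {}
    for account in conf.get("adclient.krb5.managed.accounts", "").split():
        keytab = conf[f"{account}.krb5.keytab"]
        entries = []
        for spec in conf[f"{account}.krb5.service.principals"].split():
            # Types recorded for this principal, else the configured defaults.
            etypes = conf.get(f"{account}.krb5.tkt.encryption.types.{spec}",
                              " ".join(default_etypes)).split()
            for principal in expand_principal(spec, account, domain):
                entries.extend((principal, et) for et in etypes)
        results[account] = {"keytab": keytab, "entries": entries}
    return results


# The lines the adkeytab example above adds to /etc/centrifydc/centrifydc.conf.
SAMPLE_CONF = """\
adclient.krb5.managed.accounts: mydatabase
mydatabase.krb5.keytab: /etc/krb5/mydatabase.keytab
mydatabase.krb5.service.principals: hr_db ap_db
mydatabase.krb5.tkt.encryption.types.hr_db: des-cbc-md5
mydatabase.krb5.tkt.encryption.types.ap_db: des-cbc-md5
"""
# Assumption: the computer is joined to arcade.net (the container's domain).
DOMAIN = "arcade.net"
# Assumption: the Windows 2000/2003 defaults named in the option text.
DEFAULT_ETYPES = ("arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc")

if __name__ == "__main__":
    plan = expected_keytab_entries(parse_centrifydc_conf(SAMPLE_CONF),
                                   DOMAIN, DEFAULT_ETYPES)
    for account, info in plan.items():
        print(account, "->", info["keytab"])
        for principal, etype in info["entries"]:
            print("   ", principal, etype)
```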

Adding service principals to a key table


You can use the adkeytab command to add one or more service principals to an existing key table and notify the KDC in Active Directory of the new service principals for the computer or service account. The basic syntax for adding new service principals and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --addspn --principal principal [options] [account-name]


Setting options for adding service principals to a key table

You can use the following options to perform this task:


-a, --addspn
    Add a service principal to an existing account in Active Directory and generate the appropriate keys for the new service principal in the account's keytab file. If you don't specify an account-name, the adkeytab command adds the service principal to the computer account in the currently joined domain.


-P, --principal principal
    Specify a service principal to add to the specified key table. You must specify at least one service principal. To specify multiple service principals, use this option multiple times. For principal, type the service type of the service principal you want to add. You can specify the principal by:
    Service type alone (http)
    Service type and the host name or alias (http/firefly)
    Service type and the fully-qualified domain name (http/firefly.arcade.com)
    If you use the service type alone, the adkeytab command then generates the full principal name by expanding the short name to include the account name at this computer, creating a fully-qualified domain name (FQDN) for the service principal account. For example, if you add the service principal http for service account firefly in domain arcade.com, adkeytab generates two service principals for the keytab file:
    http/firefly@ARCADE.COM
    http/firefly.arcade.com@ARCADE.COM
    Note: If the service account name is different from the host name, you should have a DNS alias for the service account name that resolves to the host name of the computer. This allows you to have multiple service principals of the same type on the same computer, for example, multiple database services.


-E, --entries kvno
    Specify the number of password hash entries (key version numbers) to keep in the keytab file. For the kvno, specify a positive integer between 1 and 253. If you omit the --entries parameter, the default number is 3. Note that --entries is only relevant for 2003 or newer key distribution centers (KDC). For Windows 2000, adkeytab manufactures key version numbers as long as the krb5.generate.kvno configuration parameter is true (which is the default setting). In the following circumstances the entries setting is ignored and only one password hash entry is kept:
    If the KDC is Windows 2000 and the centrifydc.conf parameter krb5.generate.kvno is set to false.
    If the KDC is Windows 2003 or newer but the dsHeuristics attribute is set to 00000000010000001. For more information about the dsHeuristics bit see http://support.microsoft.com/kb/870987.


-e, --encryption-type etype
    Specify an encryption type to use in generating keys for each service principal you specified with the --principal option. Alternatively, you can use the --des option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or services that support older versions of Kerberos. If you use the --des option, the --encryption-type parameter is ignored.
    If you use the --encryption-type parameter, each etype you specify generates a key table entry for a principal/encryption type combination. For example, if you specify two service principals and one encryption type, adkeytab generates a key table entry for each service principal with a key that uses the selected encryption type. To specify multiple encryption types for a service principal, use this option multiple times. For example, if you specify one service principal and three different encryption types, adkeytab generates a separate key table entry for each encryption type for the service principal.
    If you do not specify an encryption type in the command line, the encryption types defined in the centrifydc.conf file are used. The default encryption types supported are:
    Windows 2000 Server and Windows Server 2003: arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.
    Windows Server 2008 domain functional level supports these additional types: aes128-cts and aes256-cts. Although you can specify these types in an environment other than 2008 domain functional level, they are not useful and may cause extra network round trips during the authentication process.
    Note: If you specify an encryption type that is not listed as a permitted encryption type in the centrifydc.conf file, the service principal will not be added and an error is displayed. You should verify that the encryption types you want to use are listed for the adclient.krb5.permitted.encryption.types configuration parameter.
-m, --machine
    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information.
    Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.

-u, --user username[@domain]
    Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to add a service principal to the account object in Active Directory. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
    --user marie@arcade.com
    If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option and there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes.
    Note: Specifying a password on the command line is a security risk because the password can be retrieved while the command is running (for example, from the process list) or from the shell's command history after the command has completed. Prefer omitting the option and typing the password at the prompt, or obtain a ticket with kinit beforehand so that cached credentials are used.
-K, --keytab filename
    Specify the name and location of the keytab file to add. For filename, you can specify either the relative or full path to the file.
-d, --domain domain
    Specify the domain in which this service principal should be added. If you do not specify this option, adkeytab uses the currently joined domain by default.
-U, --upn userPrincipalName
    Set the userPrincipalName attribute for the account in Active Directory.
    Note: For user service accounts, you only need to set this option if you want the userPrincipalName to be different from the default user@REALM setting.
-s, --server hostname
    Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.
-V, --verbose
    Display detailed information about the operation being performed.
account-name
    Specify the account-name to which you are adding a service principal. If you don't specify an account-name, adkeytab adds the service principal to the computer account object in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.

Examples for adding service principals to a key table

To add a new DES-encrypted service principal for oracle to the key table that belongs to the service account mydatabase, you would type a command similar to the following:
adkeytab --addspn --principal oracle --des mydatabase

To add DES-encrypted service principals for the Oracle databases named oracle_d1 and oracle_d2 to the computer account key table in the currently joined domain:
adkeytab --addspn --principal oracle_d1 --principal oracle_d2 --encryption-type des-cbc-md5

Selecting an existing account to adopt for a key table

You can use the adkeytab command with the --adopt option to have Centrify DirectControl take over the management of keytab files for an existing account in Active Directory. This option creates the local keytab file for the account, adds entries for any existing service principal names associated with the account to the file, and records the keytab in centrifydc.conf. You can also specify additional service principal names and encryption types.

The basic syntax for adopting the service principals associated with an existing account and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --adopt --keytab filename [options] account-name

Setting options for adopting existing service principals

You can use the following options to perform this task:

-A, --adopt
    Add the appropriate keytab and centrifydc.conf entries to adopt an existing account and its service principals for management through Centrify DirectControl.
-P, --principal principal
    Specify an additional service principal for the account in the key table. This option is not required as long as the existing account has at least one service principal already defined. To specify multiple service principals, use this option multiple times. For principal, type the service type of the service principal you want to add. You can specify the principal by:
    - Service type alone (http)
    - Service type and the host name or alias (http/firefly)
    - Service type and the fully-qualified domain name (http/firefly.arcade.com)
    If you use the service type alone, adkeytab generates the full principal name by expanding the short name to include the account name, and also creates a fully-qualified domain name (FQDN) form of the service principal. For example, if you add the service principal http for the service account firefly in the domain arcade.com, adkeytab generates two service principals for the keytab file:
    http/firefly@ARCADE.COM
    http/firefly.arcade.com@ARCADE.COM
    Note: If the service account name is different from the host name, you should have a DNS alias for the service account name that resolves to the host name of the computer. This allows you to have multiple service principals of the same type on the same computer, for example, multiple database services.

-e, --encryption-type etype
    Specify an encryption type to use in generating keys for each service principal you specified with the --principal option. Alternatively, you can use the --des option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or for services that support older versions of Kerberos. If you use the --des option, the --encryption-type parameter is ignored.
    If you use the --encryption-type parameter, each etype you specify generates a key table entry for a principal/encryption type combination. For example, if you specify two service principals and one encryption type, adkeytab generates a key table entry for each service principal with a key that uses the selected encryption type. To specify multiple encryption types for a service principal, use this option multiple times. For example, if you specify one service principal and three different encryption types, adkeytab generates a separate key table entry for each encryption type for the service principal.
    If you do not specify an encryption type on the command line, the encryption types defined in the centrifydc.conf file are used. The default encryption types supported are:
    - Windows 2000 Server and Windows Server 2003: arcfour-hmac-md5, des-cbc-md5, and des-cbc-crc.
    - Windows Server 2008 domain functional level: the types above plus aes128-cts and aes256-cts.
    Although you can specify the AES types in an environment below the Windows Server 2008 domain functional level, they are not useful there and may cause extra network round trips during the authentication process.
    Note: If you specify an encryption type that is not listed as a permitted encryption type in the centrifydc.conf file, the key table entry is not created and an error is displayed. Verify that the encryption types you want to use are listed for the adclient.krb5.permitted.encryption.types configuration parameter.
-m, --machine
    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information.
    Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.

-u, --user username[@domain]
    Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to read the Active Directory account object and, if necessary, update the userAccountControl attribute. If you are specifying additional service principal names, the user must also have sufficient privileges to update the account's servicePrincipalName attribute. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
    --user marie@arcade.com
    If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option and there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes.
    Note: Specifying a password on the command line is a security risk because the password can be retrieved while the command is running or from the shell's command history after the command has completed.
-K, --keytab filename
    Specify the name and location of the keytab file for the account.

-f, --force
    Overwrite an existing Active Directory object with the new account information. This option removes any existing service principals, keytab files and centrifydc.conf entries related to the specified account-name, in preparation for creating a new service account and key table.
    Note: This option is not required for precreated accounts that are inactive. It is only required if the existing account is active and needs to be replaced.
-l, --local
    Update the password hashes in the local keytab file without changing the password in Active Directory. If you use this option, you must also specify the password value with the --newpassword option. This option is useful in cluster environments: run adkeytab to force a password change on the Active Directory object and the local keytab on the master server, then run adkeytab with the --change-password and --local options on the backup computers to write the same new password into the keytab files on those computers.
-w, --newpassword newpassword
    Specify a new password to substitute for the old password. If you do not specify this option, adkeytab generates a random password.
-T, --trust
    Set the Trust for delegation option in Active Directory for the new service account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network. For example, if the new service account is trusted for delegation, it can forward ticket-granting tickets and perform other delegated actions. Because such an account can act as any user who authenticates to it, grant this only to services that actually need delegation. Setting this option may require the adkeytab command to run using an account with administrator permission.
-k, --des
    Specify that all service principals for this account will use the Data Encryption Standard (DES) for keys. Setting this option enables the Use DES encryption types for this account flag in the userAccountControl attribute of the service account. You can use this option in place of the --encryption-type option to automatically generate des-cbc-crc and des-cbc-md5 keys. Using the --des option is recommended if you are configuring keytab entries for Oracle's Advanced Security Option or for services that support older versions of Kerberos.
    Note: If you use the --des option, the --encryption-type parameter is ignored.
-d, --domain domain
    Specify the domain in which the account resides. If you do not specify this option, adkeytab uses the currently joined domain by default.
-U, --upn userPrincipalName
    Set the userPrincipalName attribute for the account in Active Directory.
    Note: For user service accounts, you only need to set this option if you want the userPrincipalName to be different from the default user@REALM setting.
-s, --server hostname
    Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.
-V, --verbose
    Display detailed information about the operation being performed.
account-name
    Specify the existing account-name whose keytab entries you want to manage using Centrify DirectControl. If you don't specify an account-name, adkeytab adopts the service principals associated with the computer account object in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.

Examples for adopting an existing account

To adopt the existing service principals for the existing service account oracle_acct, you could type a command similar to this:
adkeytab --adopt --user oracleadm --keytab /etc/krb5/oracle_hr.keytab oracle_acct

In a cluster environment, you can use adkeytab --new to create a new account principal on the primary cluster server and set its password to a known value. You can then run adkeytab --adopt with the --local and --newpassword options on all of the other computers in the cluster to create a local copy of the keytab file. For example:
adkeytab --adopt --local --newpassword password --user oracleadm --keytab /etc/krb5/oracle_hr.keytab oracle_acct

After running this command on each computer, all of the computers in the cluster hold keys derived from the same password. Because --newpassword places the shared password on the command line, the caution given for the --password option applies here as well.

Changing the password for a computer or service account

You can use the adkeytab command to change the password for a service or computer account. If you use adkeytab to change the password for an account, it also generates new keys for the account's service principals, writes the new keys to the account's key table, and notifies Active Directory of the changed password and new keys. The basic syntax for changing an account password and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --change-password [options] [account-name]

Setting options for changing the computer or service account password

You can use the following options to perform this task:

-C, --change-password
    Change the password for the specified account-name. Using this option generates new keys in the keytab file for the specified account-name, and notifies the KDC in Active Directory of the change.
-l, --local
    Update the password hashes in the local keytab file without changing the password in Active Directory. If you use this option, you should also specify the password value with the --newpassword option. This option is useful in cluster environments: run adkeytab to force a password change on the Active Directory object and the local keytab file on the master server, then run adkeytab with the --change-password and --local options on the backup computers to write the same new password into the keytab files on those computers.
-w, --newpassword newpassword
    Specify a new password to substitute for the old password. If you do not specify this option, adkeytab generates a random password.
-m, --machine
    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information.
    Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.
-u, --user username[@domain]
    Specify an Active Directory user other than the current user to execute adkeytab. The user must have sufficient rights to change the password of the account object in Active Directory. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
    --user marie@arcade.com
    If you do not specify the --user option, the adkeytab command uses the current user's Kerberos credentials by default. If there are no cached credentials, the adkeytab command uses the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option and there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes.
    Note: Specifying a password on the command line is a security risk because the password can be retrieved while the command is running or from the shell's command history after the command has completed.
-K, --keytab filename
    Specify the name and location of the keytab file for the account.
-d, --domain domain
    Specify the domain in which the account resides. If you do not specify this option, adkeytab uses the currently joined domain by default.
-s, --server hostname
    Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.
-V, --verbose
    Display detailed information about the operation being performed.
account-name
    Specify the account-name for which you are changing the password. If you don't specify an account-name, the adkeytab command changes the password of the computer account object for the local computer in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.

Examples for changing the password

To change the password for the local computer account (for example, mission-sf) in the currently joined domain to a new randomly generated password, you would type a command similar to the following:
adkeytab -C

To explicitly set the password for the service account mysql-sf in Active Directory, you would type a command similar to the following:
adkeytab --change-password --newpassword 'miles8!' mysql-sf

Note: Single quotes are required around the password in this example because the password contains a special character that would otherwise be interpreted by the UNIX shell.

Resetting a key table

You can use adkeytab to reset a key table when it is out of synchronization with the KDC in Active Directory. The --reset option is typically used to reset the service account password to a known value (up to the first 14 characters of its common name) when the password hash in the application's keytab file is not the same as the password hash in the KDC. To use the --reset option, you must provide credentials for an account with permission to perform the password modification on the Active Directory object.

Note: If the Centrify DirectControl Agent is running in disconnected mode because of a password problem, the computer account credentials are invalid and cannot be used to reset the service account password.

The basic syntax for resetting a key table and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --reset [options] [account-name]

Running adkeytab with the --reset option resets the current password for the account that is stored in Active Directory, regenerates keys for the account's service principals, writes those keys into the account's keytab file, then reports the keys to the KDC in Active Directory. Because the reset password is derived from the account's common name and is therefore predictable, follow a successful --reset with --change-password so that the account ends up with a random password once the keytab and the KDC agree.
Setting options for resetting a key table

You can use the following options to perform this task:

-r, --reset
    Reset an account's key table and synchronize its contents with the key distribution center in Active Directory.
-m, --machine
    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information.
    Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.
-u, --user username[@domain]
    Specify an Active Directory user other than the current user to execute adkeytab. The user must have sufficient rights to reset the password of the account object in Active Directory. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
    --user marie@arcade.com
    If you do not specify the --user option, the adkeytab command uses the current user's Kerberos credentials by default. If there are no cached credentials, the adkeytab command uses the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option and there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes.
    Note: Specifying a password on the command line is a security risk because the password can be retrieved while the command is running or from the shell's command history after the command has completed.
-d, --domain domain
    Specify the domain in which the account resides. If you do not specify this option, adkeytab uses the currently joined domain by default.
-s, --server hostname
    Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.
-V, --verbose
    Display detailed information about the operation being performed.
account-name
    Specify the account-name for which you are resetting the key table. If you don't specify an account-name, the adkeytab command resets the key table for the local computer account object in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.

Examples for resetting a key table

To reset the key table that belongs to the service account mydatabase, you would type a command similar to the following:
adkeytab --reset mydatabase

To specify an Active Directory user account that is not a member of the same domain as the currently joined domain:
adkeytab --reset --user jason@arcade.com mydatabase

You are then prompted to provide the password for the jason@arcade.com account.
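Two checks are worth running after the operations above, and adkeytab reports neither directly: whether the keys it wrote match what was asked for (the --entries and --encryption-type behaviour described under adding service principals, that is, how many key version numbers each principal retains and whether DES or RC4 keys are present), and whether the keytab still agrees with the KDC (the out-of-sync condition that --reset repairs). The following is an added Python example, not part of this guide or of the Centrify tools. It parses the MIT keytab format (version 0x0502) used on UNIX, flags weak encryption types, and compares each principal's newest kvno with the kvno the KDC holds. The KDC-side value is the account's msDS-KeyVersionNumber attribute, which you would read from Active Directory with an LDAP query; here it is passed in as a constructed number, and the keytab bytes are constructed by the block's own writer with dummy keys rather than read from a real file.

```python
"""Inspect a Kerberos keytab of the kind adkeytab writes: list principal, kvno and
encryption type per entry, flag weak keys, and compare the newest kvno per
principal with the kvno the KDC reports. Added example; not Centrify code."""
import struct

# Kerberos encryption type numbers (RFC 3961, 3962 and 4757 assignments).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}
WEAK_ENCTYPES = {1, 2, 3, 23}            # single DES and RC4
KRB5_NT_PRINCIPAL, KRB5_NT_SRV_HST = 1, 3


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as MIT keytab
    format 0x0502. Used here only to construct sample input offline."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        name_type = KRB5_NT_SRV_HST if len(comps) > 1 else KRB5_NT_PRINCIPAL
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:            # realm first, then name components
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)      # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse keytab bytes into dicts. Honours the 32-bit kvno trailer when present
    and skips slots marked free (negative length) left behind by deleted keys."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                         # free slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key, pos = data[pos:pos + klen], pos + klen
        kvno = vno8
        if end - pos >= 4:                   # trailer present; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": timestamp, "name_type": name_type})
    return entries


def audit_keytab(entries, kdc_kvno=None):
    """Return (weak, stale). weak: principals holding DES or RC4 keys. stale:
    principals whose newest keytab kvno differs from kdc_kvno, the account's
    msDS-KeyVersionNumber that the caller read from Active Directory; a mismatch
    means keytab and KDC disagree and --reset or --change-password is due."""
    weak = sorted({e["principal"] for e in entries if e["enctype"] in WEAK_ENCTYPES})
    newest = {}
    for e in entries:
        newest[e["principal"]] = max(newest.get(e["principal"], 0), e["kvno"])
    stale = [] if kdc_kvno is None else sorted(p for p, v in newest.items() if v != kdc_kvno)
    return weak, stale


# Constructed sample with dummy keys: an account keeping two kvnos of AES keys
# (--entries 2) plus a DES key for an Oracle service. Not a real keytab.
SAMPLE = build_keytab([
    ("http/firefly.arcade.com@ARCADE.COM", 7, 18, bytes(32), 1267401600),
    ("http/firefly.arcade.com@ARCADE.COM", 8, 18, bytes(32), 1267488000),
    ("http/firefly@ARCADE.COM", 8, 18, bytes(32), 1267488000),
    ("oracle/db1.arcade.com@ARCADE.COM", 8, 3, bytes(8), 1267488000),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE)   # real file: parse_keytab(open(path, "rb").read())
    for e in entries:
        print(f'{e["principal"]:38} kvno={e["kvno"]:<3} {ENCTYPE_NAMES.get(e["enctype"], e["enctype"])}')
    weak, stale = audit_keytab(entries, kdc_kvno=9)   # 9 is a constructed KDC-side kvno
    print("weak enctypes:", weak)
    print("kvno differs from KDC:", stale)
```

Point it at /etc/krb5.keytab or the file named with --keytab after an adkeytab run, and supply the account's msDS-KeyVersionNumber from an LDAP search. A principal reported as stale is exactly the case --reset above is for; a principal reported as weak should be reissued with --encryption-type aes256-cts once everything that consumes it can handle AES.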

Deleting service principals from an account


You can use the adkeytab command to delete a service principal from a service account and remove its keys from the key table. The basic syntax for removing service principals and synchronizing the information with Active Directory using the adkeytab command is:
adkeytab --delspn --principal principal [options] [account-name]

Setting options for deleting service principals

You can use the following options to perform this task:

-x, --delspn
    Remove a service principal from an existing account in Active Directory and remove its keys from the account's keytab file.
-P, --principal principal
    Specify a service principal to remove from the specified key table. You must specify at least one service principal. To specify multiple service principals, use this option multiple times. For principal, type the service type of the service principal you want to delete. You can specify the principal by:
    - Service type alone (http)
    - Service type and the host name or alias (http/firefly)
    - Service type and the fully-qualified domain name (http/firefly.arcade.com)
    If you use the service type alone, adkeytab removes all service principal names that start with the specified service type, so check the account's servicePrincipalName values first if it hosts more than one service of that type. If you specify the service type with either a long or short host name, adkeytab removes only the exact principal name specified.
    Note: If the service account name is different from the host name, you should have a DNS alias for the service account name that resolves to the host name of the computer. This allows you to have multiple service principals of the same type on the same computer, for example, multiple database services.
-m, --machine
    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information.
    Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.
-u, --user username[@domain]
    Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to delete a service principal from the account object in Active Directory. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as:
    --user marie@arcade.com
    If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.
-p, --password userpassword
    Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option and there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes.
    Note: Specifying a password on the command line is a security risk because the password can be retrieved while the command is running or from the shell's command history after the command has completed.
-K, --keytab filename
    Specify the name and location of the keytab file for the account.
-d, --domain domain
    Specify the domain in which the account resides. If you do not specify this option, adkeytab uses the currently joined domain by default.
-s, --server hostname
    Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.
-U, --upn userPrincipalName
    Specify the userPrincipalName attribute for the account in Active Directory.
    Note: For user service accounts, you only need to set this option if you want the userPrincipalName to be different from the default user@REALM setting.
-V, --verbose
    Display detailed information about the operation being performed.
account-name
    Specify the account-name from which you are removing a service principal. If you don't specify an account-name, adkeytab removes the service principal from the computer account object in the currently joined domain. If you specify the account-name, it must be the last argument in the command line.

Examples for deleting service principals from an account

To remove the service principal oracle_d1 from the key table that belongs to the service account berlin_db, you would type a command similar to the following:
adkeytab --delspn --principal oracle_d1 berlin_db
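A bare service type behaves differently on --addspn and --adopt (it is expanded to two principal names, as described under --principal in the adopt options) and on --delspn (it matches every service principal of that type, which is easy to overshoot when one account carries several database services). The following added Python example, not part of this guide or of adkeytab, implements those two documented rules so you can preview what a given --principal argument will create or remove before running the command. The exact matching adkeytab applies (case-insensitivity, and whether "start with the service type" means the service-type component or a literal prefix) is an assumption, and the sample SPN list is constructed.

```python
"""Preview which service principal names (SPNs) a --principal argument creates
(--addspn/--adopt) or removes (--delspn), following the rules in this appendix.
Added example; not Centrify code."""


def expand_principal(spec, account, domain):
    """Names adkeytab generates for --addspn/--adopt. account is the AD account
    name (the host name for a computer account, or a service account name that
    has a DNS alias pointing at the host); domain is the DNS domain."""
    realm = domain.upper()
    if "/" not in spec:
        # service type alone: short-host form plus fully-qualified form
        return [f"{spec}/{account}@{realm}", f"{spec}/{account}.{domain}@{realm}"]
    # host already given (short or fully qualified): used exactly as typed
    return [f"{spec}@{realm}"]


def plan_delspn(existing, specs):
    """Return (to_remove, warnings) for --delspn --principal specs against the
    SPNs currently on the account (servicePrincipalName values, no @REALM).
    Assumption: matching is case-insensitive, and a bare service type matches
    every SPN whose service-type component equals it."""
    to_remove, warnings = [], []
    for spec in specs:
        if "/" in spec:
            matches = [s for s in existing if s.lower() == spec.lower()]
        else:
            matches = [s for s in existing if s.lower().startswith(spec.lower() + "/")]
            # short and fully-qualified forms of one host count as one host
            hosts = {s.split("/", 1)[1].split(".", 1)[0].lower() for s in matches}
            if len(hosts) > 1:
                warnings.append(f"--principal {spec} removes {len(matches)} SPNs "
                                f"across {len(hosts)} hosts: {', '.join(sorted(matches))}")
        to_remove.extend(m for m in matches if m not in to_remove)
    return to_remove, warnings


# Constructed sample: SPNs on a service account that fronts two Oracle databases.
SAMPLE_SPNS = ["http/firefly", "http/firefly.arcade.com",
               "oracle/db1.arcade.com", "oracle/db2.arcade.com"]

if __name__ == "__main__":
    print("addspn http creates:", expand_principal("http", "firefly", "arcade.com"))
    removed, warnings = plan_delspn(SAMPLE_SPNS, ["oracle"])
    print("delspn oracle removes:", removed)
    for w in warnings:
        print("WARNING:", w)
```

When the planner warns, pass the host-qualified form (oracle/db1.arcade.com) to --delspn instead of the bare service type so only the intended principal and its keys are removed.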

Deleting a service account

You can use the adkeytab command to delete a service account from Active Directory. Deleting a service account removes the account object from Active Directory, removes the key table for the account from the local computer, and removes all keys related to the account from the centrifydc.conf file. If any of the items to be deleted is not found, the command prompts you to confirm whether you want to proceed with the delete operation for the items that were found. For example, if the account object is not found in Active Directory but a local keytab file is found for the service account, the command displays a warning that the account object was not found and asks you to confirm whether to continue with the delete operation for the items found. If you proceed, the command then removes the keytab file and any related keys in the centrifydc.conf file. You can use the --force option to skip checking for missing components and force the adkeytab command to proceed silently with the delete operation. To use this command to delete service accounts, you must specify a user with sufficient rights to remove account objects in Active Directory, and you must have permission to remove key tables and related keys in the centrifydc.conf file on the local computer. The basic syntax for removing service accounts from Active Directory using the adkeytab command is:
adkeytab --delete [options] account-name

Setting options for deleting service accounts

You can use the following options to perform this task:

Use this option                  To do this
-D, --delete                     Remove a service account object from Active Directory and remove its key table and all related key entries from the centrifydc.conf file.
-K, --keytab filename            Specify the full path to the keytab file you want to remove. This setting is optional because the information is usually found in the Centrify DirectControl configuration file (centrifydc.conf). If the keytab files are not defined in centrifydc.conf, however, you can use this option to identify the keytab file to remove.
-d, --domain domain              Specify the domain in which this service principal should be added. If you do not specify this option, adkeytab uses the currently joined domain by default.
-s, --server hostname            Specify the domain controller you want to use for performing this operation. Using this option enables you to avoid replication delays.

Appendix A Using Centrify DirectControl UNIX commands

465

Using adkeytab

Use this option                  To do this
-m, --machine                    Use the Active Directory computer account credentials generated by Centrify DirectControl to execute the adkeytab command. This option can be used in place of user credentials if the computer account has been granted permission to update its own account information. Note: Using the local computer's credentials to update Active Directory requires local root permission when executing the adkeytab command.
-u, --user username[@domain]     Specify an Active Directory user other than the current user to execute the adkeytab command. The user must have sufficient rights to delete account objects in Active Directory. You must use the username@domain format to specify the user account if the username is not defined in the local computer's domain. For example, if the local computer is joined to the fire.arcade.com domain, but the user marie is a member of the arcade.com domain, you must specify the --user option as --user marie@arcade.com. If you do not specify the --user option, adkeytab uses the current user's Kerberos credentials by default. If there are no cached credentials for the current user, adkeytab uses the Administrator user account.
-p, --password userpassword      Specify the password for the Active Directory user account running the adkeytab command. If you do not specify this option or if there are no currently cached Kerberos credentials, adkeytab prompts for a password before it executes. Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-f, --force                      Skip any checking for missing components and proceed with the delete operation, ignoring any errors encountered.
-V, --verbose                    Display detailed information about the operation being performed.
account-name                     Specify the account-name of the service account you want to remove.

Examples for deleting service accounts

To remove the service account berlin_db, you would type a command similar to the following:
adkeytab --delete --user oracleadm berlin_db

Specifying the encryption type for service principals


If you are creating a new service account and key table or adding service principals to an existing key table, you must specify the encryption type for each service principal you add. The valid encryption types are those defined by the MIT implementation of Kerberos and specified using either the Centrify DirectControl Encryption Types group policy or the Centrify DirectControl adclient.krb5.tkt.encryption.types configuration parameter. Although Centrify DirectControl supports all of the standard encryption types, some encryption types are only supported on particular versions of Windows. For example, Windows Server 2008 supports AES encryption, but earlier versions of Windows do not. The default encryption types supported by Windows 2000 Server and Windows Server 2003 are:
arcfour-hmac-md5 des-cbc-md5 des-cbc-crc

If you are using Windows Server 2008 domain functional level, the following additional encryption types are supported:
aes128-cts aes256-cts

For more information about configuring the supported encryption types using group policy, see the Group Policy Guide. For more information about configuring encryption types using configuration parameters in the centrifydc.conf file, see the Configuration Parameters Reference Guide.
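As an added example (not Centrify's own code), the following Python reads the adclient.krb5.tkt.encryption.types setting from a centrifydc.conf fragment and checks it against the encryption types listed above for each domain functional level, so a mismatch can be caught before adkeytab reports ERR_ENCRYPT_TYPE. It assumes the parameter uses the name: value line form with space- or comma-separated values; both configuration fragments are constructed for illustration.

```python
import re

# Encryption types listed in this guide for each domain functional level.
WIN2000_2003_TYPES = {"arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc"}
WIN2008_EXTRA_TYPES = {"aes128-cts", "aes256-cts"}
# Single-DES enctypes are deprecated for Kerberos (RFC 6649); flag them.
DEPRECATED_TYPES = {"des-cbc-md5", "des-cbc-crc"}

PARAM = "adclient.krb5.tkt.encryption.types"

# Constructed fragments in the assumed 'name: value' line form
# (values may be space- or comma-separated).
LEGACY_CONF = """\
# constructed example: Windows 2000/2003-era setting
adclient.krb5.tkt.encryption.types: arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
"""

AES_CONF = """\
# constructed example: AES-first setting for a 2008 functional level domain
adclient.krb5.tkt.encryption.types: aes256-cts, aes128-cts, arcfour-hmac-md5
"""


def read_encryption_types(conf_text, param=PARAM):
    """Return the configured enctype list, or None when the parameter is absent.
    Commented-out lines are ignored, so '# param: ...' does not count."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name, sep, value = stripped.partition(":")
        if sep and name.strip() == param:
            return [t for t in re.split(r"[\s,]+", value.strip()) if t]
    return None


def supported_types(functional_level_2008):
    """Types a domain at the given functional level accepts, per the guide."""
    if functional_level_2008:
        return WIN2000_2003_TYPES | WIN2008_EXTRA_TYPES
    return set(WIN2000_2003_TYPES)


def check_encryption_types(types, functional_level_2008):
    """Report types the domain would reject (adkeytab result 156,
    ERR_ENCRYPT_TYPE), deprecated types that still work but should be
    retired, and the first AES type in the configured order."""
    allowed = supported_types(functional_level_2008)
    return {
        "unsupported": [t for t in types if t not in allowed],
        "deprecated": [t for t in types if t in DEPRECATED_TYPES],
        "first_aes": next((t for t in types if t in WIN2008_EXTRA_TYPES), None),
    }


if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("aes", AES_CONF)):
        types = read_encryption_types(conf)
        for level in (False, True):
            print(label, "2008" if level else "2000/2003",
                  check_encryption_types(types, level))
```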

Understanding adkeytab-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adkeytab command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.
Result   Error name                               Indicates
156      ERR_ENCRYPT_TYPE                         The encryption type specified is not valid or not supported. Check the list of supported encryption types, then try rerunning the command.
157      ERR_KEYTAB_NOT_ABSOLUTE_PATH             The key table name you specify must be an absolute path, starting with the root directory (/). Verify the full path to the keytab file, then try rerunning the command.
158      ERR_KEYTAB_EXISTS                        The keytab file specified already exists.
159      ERR_KEYTAB_ILLEGAL                       The keytab file name or path contains illegal or invalid characters.
160      ERR_CHG_OWNERSHIP_FAILED                 The attempt to change ownership for the keytab file failed.
161      ERR_CHG_MODE_FAILED                      The attempt to change permissions to 0600 for the keytab file failed.
162      ERR_NOT_FIND_ADOBJ_KEYFILE_CONFIGKEY     The Active Directory object, keytab file, and account configuration keys were not found.
163      ERR_NOT_FIND_ACC_COMPONENT               Some account components were not found.
164      ERR_DEAD_LOCK                            The centrifydc.conf file may be locked by another process. You should try manually removing the lock by deleting centrifydc.conf.lck, then try rerunning the command.
165      ERR_NO_KEYTAB_WITH_ACC                   You must associate one keytab file with one Active Directory account.
166      ERR_SPN_EXISTS                           The service principal name (SPN) specified is not unique in the forest. You should rerun the command using a unique service principal name.
167      ERR_DEL_SPN_FAILED                       The attempt to delete a service principal name failed.
168      ERR_SRV_ACC_NOT_HAVE_COMPUTER_NAME       The service account specified includes a computer name.
169      ERR_KETTAB_CORRUPTED                     The keytab file is corrupted or has been removed.
170      ERR_NEED_NEW_PASSWD                      You have not specified a password for updating the local keytab file. The local option requires you to specify the account's new password.
171      ERR_MISS_ATTR                            The distinguished name (dn) specified is invalid. If you encounter this error, the container path may be missing one or more attributes. Verify the full path, then rerun the command.
172      ERR_REPLICATION_ERRONEOUS                An unexpected referral response was received. This error is usually caused by an erroneous replication object in Active Directory.
173      ERR_NOT_FIND_DC                          The domain controller for the specified domain could not be found or is unavailable.

Using adsmb
The adsmb command allows you to perform various file operations, such as get a file, write a file, or display the contents of a directory, using the Centrify DirectControl smb stack. You can run this command using your log-on credentials or using the credentials for the local computer account. To use the local computer's credentials, you must have root-level permission. You can specify the domain controller to use or use the nearest domain controller for the joined domain.

Note: You can use this command in conjunction with group policies to copy files and directories to and from Windows file shares.

The basic syntax for the adsmb program is:
adsmb file_operation -s share [-c credentials] [-m] [-C] [-T] [-h [hostname]] [-r remote_file] [-l local_file]

The valid file_operations are get, getnew, put, putnew, dir, delete, mkdir, and rmdir.


Setting valid options


You can use the following options with this command:
Use this option      To do this
get                  Get one or more files from a specified share.
getnew               Get one or more files if the copy of the file on the specified share is newer than the local copy of the file.
put                  Put one or more files into the specified share.
putnew               Put one or more files if the local copy of the file is newer than the copy of the file on the specified share.
dir                  List the contents of a directory.
delete               Delete one or more files.
mkdir                Create a new directory.
rmdir                Remove a directory.
-s share             Specify the share name.
-c credentials       Specify the credentials to use in performing the selected operation.
-m                   Use the local computer's credentials.
-C                   Convert carriage return line feeds (CRLF) in a file to line feeds (LF).
-T                   Display the timestamp information in a computer-readable format. By default, the adsmb command displays timestamp information in a human-readable format.
-h [hostname]        Specify the host name of an Active Directory domain controller. If you don't specify a host name with this option, the command uses the nearest domain controller for the joined domain.
-r remote_file       Specify the remote file or directory to work with. You can use forward slashes in remote file names.
-l local_file        Specify the local file or directory to work with.


Examples of using adsmb


You can use the adsmb command to get file or directory information or perform file or directory operations. For example, to display details about the contents of the platforms directory on the lab file share with human-readable timestamps for when a file or subdirectory was created, last modified, and last read, you would type a command similar to the following:
adsmb dir -h sierra -s lab -r "platforms/*"

To get the file autorun.bat from the system volume (sysvol) of the nearest domain controller using the computer credentials and place it in the local /tmp directory, you would type a command similar to the following:
sudo adsmb get -s sysvol -m -r arcade.com/lab/autorun.bat -l /tmp/autorun.bat

Using adsetgroups
The adsetgroups command enables you to view or change the list of groups available for the current user. The basic syntax for the adsetgroups program is:
adsetgroups [-a,--all] [-l,--list] [-r, --required] [-o, --optional] [-m, --samname] [-n, --number] [-R,--remove] [-c, --clear] [-i, --init] [-s --save] [-q, --quiet] [-v, --version] group

On most UNIX systems, a user can only be a member of a limited number of groups at once. Because of this limitation, it is useful to be able to change a user's group membership to add and remove groups when necessary. The adsetgroups command allows you to dynamically manage the set of Active Directory groups that are available to a UNIX account. If you run the adsetgroups command with no arguments, it displays the current group list for the current user. If you specify a list of groups on the command line, those groups are added to or removed from the user's current group list, and a new shell is invoked.


To add or remove groups, the local computer must be joined to a domain and zone. If you specify that membership in a specific group is required in a zone, that group cannot be removed from the currently active set of groups. Any time the list of groups is changed, for example, by using the --init or --clear option or by specifying a list of group names to add or remove on the command line, a new shell is created.

Setting valid options


You can use the following options with this command:
Use this option        To do this
-a, --all              Display all the Active Directory groups that the current user is a member of.
-l, --list             Display the current set of supplementary groups for the current UNIX user account.
-r, --required         Display only the required groups.
-o, --optional         Display only the groups that are not required.
-m, --samname          Display the samAccountName attribute for the group instead of the group's UNIX group name.
-n, --number           Display the group identifier (GID) value for the group.
-R, --remove group     Remove all of the specified groups from the currently active set of groups. This option creates a new shell.
-c, --clear [group]    Start with an empty list of groups. If you have previously saved a list of groups, you can use this option to clear the existing list and specify a different set of groups. For example, to replace an existing set of groups with the single group athena, you would run a command similar to the following:
                       adsetgroups --clear athena
                       This command would change the list of groups for the user to be the single group athena unless some of the user's other groups have been marked as required. This option creates a new shell.
-i, --init             Start with the last saved list of groups. This option creates a new shell.
-s, --save             Save the current list of groups. This option sets the default list of groups for the current user when the user logs on. The saved list of groups is used when you run the adsetgroups command with the --init option.
-q, --quiet            Suppress any warning or new shell messages.
-v, --version          Display version information for the installed software.
group                  List the groups to add or remove.

Examples of using adsetgroups


To display the currently active list of groups for the current user, you would type a command similar to the following:
adsetgroups

To add the groups delta1 and portland_lab to the current set of groups, and save this list as the default for the current user, you would type a command similar to the following:
adsetgroups --save delta1 portland_lab

To remove the groups oxford and westlake from the current set of groups for the current user, you would type a command similar to the following:
adsetgroups --remove oxford westlake


Understanding adsetgroups-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adsetgroups command can generate the following operation-specific result code:
Result   Error name    Indicates
156      ERR_SETUID    The attempt to run setuid failed.

Using adclient
Most Centrify DirectControl operations are managed by the central daemon process adclient. This daemon is automatically started when the system is first booted. The daemon generally remains running as long as the computer is powered up so that it can handle all of the authentication and authorization interaction between Active Directory and the UNIX shell programs or Web applications that need this information. Although you can run adclient directly from the command line to control the operation of the Centrify DirectControl Agent on a local computer, it is recommended that you do so only under the direction of Centrify support. Typically, you should start and stop adclient from a startup script; see Using the startup script on page 476.
Note: On AIX computers, you cannot start adclient directly from the command line. On AIX, you should use the centrifydc startup script or the system resource controller commands, such as startsrc, stopsrc, and lssrc. For example, to start adclient with the -d and -F options on AIX, you can use a command such as:
startsrc -s centrifydc -a -d -F

The basic syntax for running adclient at the command line is:
adclient [-x] [-d] [-F]


Setting valid options


You can use the following options with adclient:
Use this option    To do this
-x                 Stop the Centrify DirectControl Agent if it is currently running.
-d                 Set the Centrify DirectControl Agent to run in debug mode when it is restarted.
-F                 Flush the Active Directory cache when the Centrify DirectControl Agent is restarted.
-M                 Enable in-memory logging of Centrify DirectControl Agent operations.

For example, to flush the cache when the Centrify DirectControl Agent starts:
adclient -F

Using the startup script


Although adclient normally runs as long as a computer is powered up, periodically you may want to manually stop or restart adclient without rebooting the computer. You do this by running a startup script called centrifydc and specifying whether you want to start, stop, or restart the daemon. The location of the startup scripts that run when a computer is started can vary depending on the platform. For example, on Linux and Solaris the startup script is in the directory /etc/init.d, but on HP-UX, startup scripts are located in the /sbin/init.d directory. For convenience, a copy of the Centrify DirectControl startup script is installed in the /usr/share/centrifydc/bin directory, and you can use the copy in that directory when you want to manually start, stop, or restart the Centrify DirectControl daemon. For more information about how daemons are started and stopped in a specific operating environment, including the normal location for startup scripts, see the documentation for the operating environment.


Starting the daemon

To manually start the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc start

Stopping the daemon

To manually stop the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc stop

Restarting the daemon

To manually stop then restart the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc restart

Checking the status of the daemon

You can also check whether the daemon is currently running or stopped. To view the current status of the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc status

Using adcache
The adcache command enables you to manually clear the local Centrify DirectControl cache on a computer. You can use this command to dump all cache files or a specific cache file. You can also use the command to check a cache file for a specific key value and to reclaim disk space. By default, the program dumps all cache files. Before running adcache, you should stop the adclient process using the following command:
/usr/share/centrifydc/bin/centrifydc stop


The basic syntax for running the adcache program is:


adcache [options]

Setting valid options


You can use the following options with adcache:
Use this option          To do this
-c, --cachename path     Specify the full path to the cache file you want to check or clear.
-q, --quiet              Run the command without displaying any output. This option is useful for running the command as a scheduled maintenance job.
-k, --key value          Check the Centrify DirectControl cache for a specific key value.
-r, --reorg              Reorganize the Centrify DirectControl cache and index files and recover disk space used by negative items. To use this option, you must run the adcache command as root. If you use this option, adcache stops and restarts the adclient process.

Examples of using adcache


To check the domain controller cache for a specific key value, you would type a command similar to this:
adcache --cachename /var/centrifydc/dc.cache --key andre
----------------------------------------------------------
Dumping /var/centrifydc/dc.cache
----------------------------------------------------------
ADObject: <GUID=83db76a5dfca5243a788d98128d2e101>
Acquired: Fri Sep 21 16:10:07 2007
Deserialized data: _ExpiryTime(s):-1, _Foreign(s):False, _GECOS(s):Andre Garcia, _Gid(s):500, _HomeDirectory(s):/home/andre, _LoginShell(s):/bin/bash, _ObjectExtended(s):a30d50f5ef182e42b7687fa1ae07b776, _ParentLink(s):S-1-5-21-3619768212-1024502798-2657341593-1153, _PwSync(s):altSecurityIdentities, _SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153, _ShellEnabled(s):True, _Uid(s):504, _UnixName(s):andre, _dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org, _extendedObjUSN(s):127065, _groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>, <GUID=2d7305a27dfc884eb95ed5d4404a9016>,<GUID=d663e7d2088e6c4d8d89c0919f4a2b6e>, _hashTimestamp(s):1190416207, _maxPwdAge(s):-1, _minPwdAge(s):128323800679025000, _objectCategory(s):Person, _pacGroups(s):0105000000000005150000009447c1d70eac103d99d0639e94040000,0105000000000005150000009447c1d70eac103d99d0639e00020000,0105000000000005150000009447c1d70eac103d99d0639e01020000, _passwordHash(s):b450a7940716ea44d980322df1773b10, _passwordSalt(s):$1$wJkhxUEB$, _server(s):ginger.ajax.org, _userPrincipalName(s):andre@AJAX.ORG, accountExpires(s):9223372036854775807, cn(s):Andre Garcia, displayName(s):Andre Garcia, msDS-KeyVersionNumber(s):3, name(s):Andre Garcia, objectCategory(s):CN=Person,CN=Schema,CN=Configuration,DC=ajax,DC=org, objectClass(s):top,person,organizationalPerson,user, primaryGroupID(s):513, pwdLastSet(s):-1, sAMAccountName(s):andre, uSNChanged(s):1, userAccountControl(s):512, userPrincipalName(s):andre@ajax.org,
----------------------------------------------------------
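As an added illustration, not Centrify's own code, the following Python parses the dump layout shown above: it splits the Deserialized data text on the name(s): key pattern rather than on commas (the DN, the GUID list and objectClass all contain commas) and decodes the cached userAccountControl value into its Active Directory flag names. The SAMPLE_DUMP entry is constructed with fake GUIDs, SID and names.

```python
import re

# Constructed cache entry in the same layout as the adcache dump above
# (fake GUIDs, SID and names; not data from a real domain).
SAMPLE_DUMP = """\
----------------------------------------------------------
Dumping /var/centrifydc/dc.cache
----------------------------------------------------------
ADObject: <GUID=00112233445566778899aabbccddeeff>
Acquired: Fri Sep 21 16:10:07 2007
Deserialized data: _ExpiryTime(s):-1, _Foreign(s):False, _GECOS(s):Example User, _Gid(s):500, _HomeDirectory(s):/home/example, _LoginShell(s):/bin/bash, _SID(s):S-1-5-21-1111111111-2222222222-3333333333-1153, _ShellEnabled(s):True, _Uid(s):504, _UnixName(s):example, _dn(s):CN=Example User,CN=Users,DC=example,DC=test, _groupGuidList(s):<GUID=aaaa0001>, <GUID=aaaa0002>,<GUID=aaaa0003>, objectClass(s):top,person,organizationalPerson,user, primaryGroupID(s):513, sAMAccountName(s):example, userAccountControl(s):66050, userPrincipalName(s):example@example.test,
----------------------------------------------------------
"""

# Each attribute is written as name(s):value; attributes are separated by
# ', ', but values contain commas too, so locate the keys instead.
KEY_RE = re.compile(r"([A-Za-z_][\w-]*)\(s\):")

# userAccountControl bits (Active Directory definitions) worth checking on
# a cached account.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}


def parse_attrs(data):
    """Split the 'Deserialized data' text into an ordered {name: value} dict."""
    attrs = {}
    matches = list(KEY_RE.finditer(data))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(data)
        # Drop the ', ' separator that trails every value.
        attrs[m.group(1)] = data[m.end():end].strip().rstrip(",").strip()
    return attrs


def parse_cache_dump(text):
    """Parse one ADObject block of adcache output into guid, acquired, attrs."""
    entry = {"guid": None, "acquired": None, "attrs": {}}
    data_lines = []
    in_data = False
    for line in text.splitlines():
        if line.startswith("ADObject:"):
            m = re.search(r"<GUID=([0-9A-Fa-f]+)>", line)
            entry["guid"] = m.group(1) if m else None
        elif line.startswith("Acquired:"):
            entry["acquired"] = line.split(":", 1)[1].strip()
        elif line.startswith("Deserialized data:"):
            in_data = True
            data_lines.append(line.split(":", 1)[1])
        elif in_data:
            if line.startswith("---"):
                in_data = False
            else:
                data_lines.append(line)  # wrapped continuation line
    entry["attrs"] = parse_attrs(" ".join(data_lines))
    return entry


def decode_uac(value):
    """Names of the UAC flags set in a decimal userAccountControl value."""
    bits = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def account_summary(entry):
    """The fields an administrator checks when a cached login misbehaves."""
    a = entry["attrs"]
    uac = int(a.get("userAccountControl", "0"))
    return {
        "unix_name": a.get("_UnixName"),
        "uid": int(a["_Uid"]) if "_Uid" in a else None,
        "sid": a.get("_SID"),
        "dn": a.get("_dn"),
        "shell_enabled": a.get("_ShellEnabled") == "True",
        "uac_flags": decode_uac(uac),
        "disabled": bool(uac & 0x0002),
    }


if __name__ == "__main__":
    for key, val in account_summary(parse_cache_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {val}")
```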

To reorganize the Centrify DirectControl cache and index files and recover disk space used by negative items, you would run the following command:
adcache --reorg

You should run the adcache --reorg command on a regular basis in a cron job to remove negative results and to prevent the cache from consuming too much disk space. Depending on how quickly the size of the Centrify DirectControl cache tends to increase in your environment, you may want to schedule this command to run approximately once a week.

Understanding adcache-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adcache command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.
Result   Error name                   Indicates
156      ERR_ADCLIENT_NOT_SHUTDOWN    The Centrify DirectControl Agent is currently running. You should stop the adclient process, then attempt to rerun the command.
157      ERR_CACHE_CORRUPT            The cache may be corrupt.
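An added example (not Centrify's code) of a cron-driven wrapper for the weekly reorganization described above: it runs adcache --reorg --quiet, maps result codes 156 and 157 from the table to outcomes, and on 156 stops the agent with the startup script copy in /usr/share/centrifydc/bin, retries once, and starts the agent again. The command runner is injectable so the decision logic can be exercised without the commands installed.

```python
import subprocess
import sys

# Paths from this guide; adjust if your platform installs them elsewhere.
CENTRIFYDC_SCRIPT = "/usr/share/centrifydc/bin/centrifydc"
ADCACHE = "adcache"

# adcache-specific result codes listed above.
ERR_ADCLIENT_NOT_SHUTDOWN = 156
ERR_CACHE_CORRUPT = 157


def reorg_cache(run=subprocess.run):
    """Run 'adcache --reorg --quiet' once and classify the outcome.

    Returns 'ok', 'agent-running', 'corrupt' or 'failed'. `run` takes an argv
    list and returns an object with a .returncode (subprocess.run by default),
    so a stand-in can drive the logic in tests.
    """
    rc = run([ADCACHE, "--reorg", "--quiet"]).returncode
    if rc == 0:
        return "ok"
    if rc == ERR_ADCLIENT_NOT_SHUTDOWN:
        return "agent-running"
    if rc == ERR_CACHE_CORRUPT:
        return "corrupt"
    return "failed"


def weekly_maintenance(run=subprocess.run):
    """The cron job body: reorganize; if the agent was still up, stop it,
    retry once, and start it again. Returns (outcome, argv lists executed)."""
    executed = []

    def tracked(argv):
        executed.append(argv)
        return run(argv)

    outcome = reorg_cache(tracked)
    if outcome == "agent-running":
        tracked([CENTRIFYDC_SCRIPT, "stop"])
        outcome = reorg_cache(tracked)
        tracked([CENTRIFYDC_SCRIPT, "start"])
    return outcome, executed


if __name__ == "__main__":
    result, _ = weekly_maintenance()
    print(result)
    # Exit non-zero so cron reports the failure; 'corrupt' needs a human.
    sys.exit(0 if result == "ok" else 1)
```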

Using adreload
The adreload command enables you to force the Centrify DirectControl Agent (adclient) to reload configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory. Running this command enables changes made to the configuration properties to take effect without restarting the adclient process. Running adreload, however, does not reload the properties set with the following configuration parameters:
adclient.ldap.timeout
adclient.ldap.socket.timeout
adclient.udp.timeout
adclient.clients.threads
adclient.clients.threads.max
adclient.use.all.cpus
adclient.clients.listen.backlog
adclient.dumpcore


For the configuration parameters listed above, you must restart the adclient process for changes to take effect. The basic syntax for running the adreload program is:
adreload

This command returns the following exit codes:


This exit code    Indicates
0                 Command executed successfully
2                 Process not authorized
3                 Reload failed

Setting valid options


You can use the following option with adreload:
Use this option    To do this
-h, --help         Display the usage message.

Examples of using adreload


To reload the configuration properties on a local computer after making changes to the /etc/centrifydc/centrifydc.conf file, you would type a command similar to this:
adreload

Understanding adreload-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the adreload command can generate the following operation-specific result code:

Result   Error name                  Indicates
156      ERR_RELOAD_CENTRIFYCONF     The attempt to reload the centrifydc.conf file failed.


Using addns
The addns command enables you to dynamically update DNS records on an Active Directory-based DNS server in environments where the DHCP server cannot update DNS records automatically. For example, if you are using an Active Directory-based DNS server configured for secure updates with a router acting as a DHCP server, the router cannot automatically register its DHCP clients with the DNS server because it has no way of establishing a security context that will allow the update. By running the addns command, you can use Kerberos credentials to establish a security context for updating the DNS records in the Active Directory-based DNS server. With the addns command, you can:

- Create or update a local host's IP addresses in DNS.
- Create or update a specified host's IP addresses in DNS.
- Update pointer records in DNS.
- Remove the local or another host's DNS records.
- Remove the local or another host's IP addresses in DNS.

Note: In most cases, you do not need to use this command if a host's IP address is managed by a Windows-based DNS server and the host obtains its IP address from a Windows-based DHCP server, because the DHCP server updates the DNS record for the host automatically. If you are not using a Windows-based DNS server, you should use nsupdate or a similar command appropriate to the operating environment of the DNS server to update DNS records.

The basic syntax for running the addns program is:
addns --update|--delete [options]


Setting valid options


You can use the following options with addns:
Use this option                  To do this
-U, --update                     Create or update the IP address (A) and domain name pointer (PTR) records in the DNS server for the local or specified computer hostname.
-D, --delete                     Remove the DNS records for the local or specified computer hostname.
-m, --machine                    Use the local computer account's Active Directory credentials to establish a security context with the DNS server.
-u, --user username[@domain]     Specify an Active Directory username with sufficient rights to add, update, and delete records in the relevant DNS zones. You must use the username@domain format to specify the user account if the username is not a member of the joined domain. If you do not specify the --user option, the credentials for the currently logged-on user are used by default. If there are no Kerberos credentials for the current user and you are not using the computer account credentials, the Administrator user account is used to establish the security context.
-p, --password userpassword      Specify the password for the Active Directory user account performing the add, update, or delete operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution. For better security, instead of specifying the password on the command line, allow the addns command to prompt for the password, use kinit to establish a valid credential cache before running the addns command, or use the --machine option to use the computer account credentials to establish the security context.
-s, --server servername          Specify the DNS server to send the DNS update records to. You can use this option more than once to specify multiple DNS servers. If you do not specify this option, the addns program attempts to discover the DNS servers available on its own.
-d, --domain domainname          Specify the fully qualified domain name of the DNS domain to be updated. If you do not specify this option, the DNS domain name for the local host is used.
-n, --name hostname              Specify the name of the host to update IP records for. If you do not specify this option, the local host name is used.
-i, --ipaddr ipaddress           Specify one or more IP addresses to use in the update. You can specify this option multiple times to support multi-homed hosts. If no IP addresses are provided, the addns program attempts to determine the current settings.
-V, --verbose                    Display detailed information about the operation being performed.
-v, --version                    Display version information for the installed software.

Examples of using addns


The addns program is intended for Windows-based DNS servers that are configured for integration with Active Directory. If your DNS servers are integrated with the Active Directory infrastructure, they may be configured to allow unsecured updates or to require secure updates only for DNS records. When you run the addns program, it first attempts to perform an unsecured update, then retries using a security context if a secure update is required. If your environment is configured to allow only secure DNS updates, addns can use the current user's cached credentials to establish a security context with the Windows DNS server and sign the DNS update packets using GSS methods. If secure updates are required and the current user executing the addns program has valid Kerberos credentials in the cache, you only need to specify the operation to perform and the addns program will attempt to determine the rest of the parameters programmatically. For example, to perform an update for the local host:
addns --update

If there are no valid cached credentials or the current user credentials do not have sufficient permissions to perform the update, you can specify a user name and password to use for the establishment of the security context. For example:
addns --update --user rae@arcade.com

To update the IP addresses for a computer other than the local host, you can specify the host name on the command line. For example, to update the IP addresses in the DNS records for the computer picasso on the DNS server fire.arcade.com using the user rae to establish the security context, you would type a command similar to this:
addns --update --user "rae" --server "fire.arcade.com" --domain "arcade.com" --name "picasso" --ipaddr "172.128.1.25" --ipaddr "172.128.1.26"

To remove the DNS record for a local host using the local computer's account credentials to establish the security context, you would type a command similar to this:
addns --delete --machine

Note: To use the --machine option, you must invoke the addns command as the root user, and the account principal in Active Directory must have sufficient rights to modify records in the relevant DNS zones. Using the computer account credentials is particularly useful when an automated script, such as /sbin/dhclient-script, is used to keep the DNS records up to date.

There are several configuration parameters that can be used to customize the behavior of the addns program. For more information about using configuration parameters and modifying the Centrify DirectControl configuration file, /etc/centrifydc.conf, see the Configuration Parameters Reference Guide.

Understanding addns-specific result codes


In addition to the common result codes described in Understanding common result codes on page 314, the addns command can generate the following operation-specific result code:
Result   Error name           Indicates
156      ERR_NOT_LOCATE_DC    The domain controller could not be located for the domain. If you encounter this problem, you may need to check the server name and IP address of the domain controller and verify that it is properly configured in the DNS server, then rerun the addns command.


Using dzdo
The dzdo command enables a user to execute a privileged command as root or another specified user. The basic syntax for using the dzdo program is:
dzdo [options] command

Note: The dzdo command requires that you are running Centrify DirectControl with a license.

The dzdo program allows an authorized user to execute a command as the superuser or another user in the Active Directory authorization store. The dzdo program provides functionality that is similar to the UNIX sudo command, except its privileged commands are defined in the Centrify DirectControl Administrator Console and stored in an Active Directory authorization store. In addition, only Active Directory users with a profile in the zone where DirectAuthorize rights and roles are enforced can use dzdo to run commands. You can, however, use dzdo to run privileged commands with either an Active Directory or local user as the target user. If you do not specify a user, dzdo attempts to execute the command as the root user by default. The real and effective UID and GID are set to match those of the target user as specified in the user's UNIX profile.

You can configure privileged commands to require that users authenticate themselves by typing their own account password or the target user's account password. For example, if a privileged command right is configured in DirectAuthorize to run as the root user and to authenticate using the target user's password, running the command requires the user to know and enter the root password. Once authenticated, the user may then run dzdo privileged commands without re-entering a password for a short period of time. By default, the password timeout is 5 minutes but can be modified by specifying a different value with the dzdo.password_timeout configuration parameter in the centrifydc.conf file. You can use the -v option with dzdo to update the time stamp without running a command. The password prompt itself will also time out if the user's password is not entered within the password timeout interval.

The dzdo program determines who is an authorized user by consulting the Active Directory authorization store maintained by DirectAuthorize. If a user who is not authorized tries to run a privileged command using dzdo, a warning message is displayed, except in the case where unauthorized users try to run dzdo with the -l or -v flags. This allows users to determine for themselves whether or not they are allowed to use dzdo. The dzdo program logs both successful and unsuccessful command execution attempts to the syslog authpriv facility, or to the auth facility if the authpriv facility is not supported on the platform. Unsuccessful command executions are logged as errors and include the name of the user who attempted the execution, the user the unsuccessful execution ran as, and the command the user attempted to run.

Using dzedit
The dzedit program enables you to edit a file as another user. It is similar to using dzdo with the -e option. The basic syntax for using the dzedit program is:
dzedit [options] file

To use the dzedit program, you must have a role with permission to run dzedit as a privileged command or as an allowed restricted environment command. You can configure the right to run dzedit using the DirectAuthorize tab in the Centrify DirectControl Administrator Console. If a user is granted permission to run dzedit by DirectAuthorize, the program does the following when invoked:

• Creates temporary copies of the files to be edited with the file owner set to the invoking user.

• Starts the editor specified by the VISUAL or EDITOR environment variable to edit the temporary files. If neither environment variable is set, the dzedit program uses the editor listed in the editor sudoers variable. If the specified file does not exist, it is created.

• If the files are modified, dzedit copies the temporary files back to their original location and the temporary versions are removed. If dzdo is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain as a temporary file.

Unlike most dzdo commands, the dzedit program is run with the invoking user's environment unmodified.

Note    The dzedit program makes temporary copies of the files to be edited before invoking the editor to prevent users from issuing a shell escape in the editor that would then allow them to run any command as the target user. Because dzedit edits the temporary file and then replaces the original file after editing, users can't use a shell escape in an editor to open a new shell and run any command as the target user.

Setting valid options

You can use the following options with this command:

Use this option    To do this

-b
    Run the specified command in the background. Note that if you use the -b option, you cannot use shell job controls to manipulate the process.

-e file
    Edit one or more specified files rather than running a command. Note This option is the same as using the dzedit program.

-H
    Set the HOME environment variable to the home directory of the target user (root by default) as specified in the user's UNIX profile. By default, dzdo does not modify HOME, but you can change the default behavior by setting the dzdo.always_set_home or dzdo.set_home configuration parameters in the centrifydc.conf configuration file. Note This option has no effect if you select the Reset environment variables option for a privileged or restricted environment command in the Centrify DirectControl Administrator Console.

-h
    Display the usage message for the dzdo command.

-i
    Run the login shell for the user the command is being run as. This option simulates an initial login by changing to the target user's home directory, invoking a shell, setting the HOME, SHELL, USER, LOGNAME, and PATH environment variables, and unsetting all other environment variables.

-K
    Remove the user's login timestamp entirely. This option does not require a password. After using this option, however, the next time the user attempts to run dzdo, the program will prompt for a password.

-k
    Invalidate the user's login timestamp by setting the time on it to the epoch. This option does not require a password. After using this option, however, the next time the user attempts to run dzdo, it will prompt for a password. This option allows a user to revoke dzdo permissions from a .logout file.

-l
    Lists the allowed and forbidden commands for the current user on the local host computer.

-P
    Preserves the user's group membership unaltered. By default, dzdo will set the group membership to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. Note This option overrides the Preserve group membership option for a privileged or restricted environment command in the Centrify DirectControl Administrator Console.

-p prompt
    Allows you to override the default password prompt and use a custom one. The following percentage (%) escapes are supported:
    %u expands to the invoking user's login name.
    %U expands to the login name of the target user the command will run as, for example, root by default.
    %h expands to the local computer's host name without its domain name.
    %H expands to the local computer's host name including the domain name.
    %% collapses into a single % character.
    You can use this option with dzdo or dzedit.

-S
    Reads the password from standard input instead of the terminal device. You can use this option with dzdo or dzedit.

-s
    Runs the shell specified by the SHELL environment variable, if it is set, or the shell specified in the user's UNIX profile.

-u username|uid
    Runs the specified command as a user other than root. Note The dzdo command will recognize any username that is an equivalent of the username specified for the command to be run. For example, if permission is given to bob.smith (the Active Directory name) to run adinfo as a privileged command, and if bob.smith has a UNIX profile name, for example, bsmith, you can specify bsmith when you use dzdo to run adinfo:

    dzdo -u bsmith adinfo

    To specify a user by UID instead of the user's login name, use '#uid'. For example, to run adquery as a privileged command and as the user with the numeric UID of 101, you could type a command similar to the following:

    dzdo -u '#101' adquery

    Note Be certain to put single quotes around #uid.

    You can use this option with dzdo or dzedit.

-V
    Displays version information for the installed software, including the version of the UNIX sudo program that dzdo is based on.

-v
    Validates and updates the user's login timestamp, prompting for the user's password, if necessary. This option extends the dzdo timeout for another 5 minutes or the timeout period set in the centrifydc.conf configuration file. This option does not run a command.

VAR=value
    Enables you to pass environment variable values to the command you are running as part of the dzdo command line. Note This option has no effect if you select the Reset environment variables option for a privileged or restricted environment command in the Centrify DirectControl Administrator Console.

--
    Indicates that the dzdo program should stop processing command line arguments. It is most useful when used in conjunction with the -s option.


Understanding dzdo return values


Upon successful execution of a program, the return value from dzdo is simply the return value of the program that was executed. If the attempt to execute the program fails, however, dzdo exits with a return value of 1. A return value of 1 may indicate that there is a configuration issue, a permission problem, or that dzdo cannot execute the command as specified. If dzdo cannot execute the command, an error string is sent to stderr.

If dzdo cannot access file system information (stat) for one or more entries in the user's PATH, it prints an error message to stderr. If a listed directory does not exist or is not really a directory, however, the entry is ignored and no error is printed. The most common reason for dzdo to receive a permission denied message is that you are running an auto-mounter and one of the directories in your PATH is on a computer that is currently unreachable.

Understanding security issues


By default, dzdo executes commands with a minimal set of environment variables that includes TERM, PATH, HOME, SHELL, LOGNAME, USER and USERNAME, and removes environment variables that contain special characters. You can display the default list of environment variables that dzdo checks by running dzdo -V as root. You can modify the default list of environment variables to preserve or remove using the dzdo.env_keep and dzdo.env_delete configuration parameters in the Centrify DirectControl configuration file.

For security purposes, the dynamic linker on most operating systems removes variables that can control dynamic linking from the environment of all setuid executables, including dzdo. Depending on the operating system, environment variables such as _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others are removed from the environment before dzdo begins execution and cannot be preserved.

To prevent command spoofing, dzdo checks the current directory last when searching for a command in the user's PATH. You should note, however, that the actual PATH environment variable is not modified and is passed unchanged to the program that dzdo attempts to execute.
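To make the environment handling described above concrete, the following is an added shell example, not Centrify's code. It applies the two rules the dzdo.env_check and dzdo.env_delete parameters express to a stream of NAME=value lines: names on the check list are dropped when their value contains % or /, and names on the delete list are dropped unconditionally. The variable names and values in the sample are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not Centrify's implementation): a dzdo-style environment
# filter for NAME=value lines, modelling the documented rules:
#   - names in the check list are dropped if their value contains % or /
#   - names in the delete list are always dropped
# Both lists are comma-separated, as they would be in centrifydc.conf.

sanitize_env() {
    check_list=",$1,"     # e.g. "TZ,PS1,HOSTALIASES"
    delete_list=",$2,"    # e.g. "IFS,BASH_ENV"
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        # Unconditional removal (dzdo.env_delete).
        case "$delete_list" in
            *",$name,"*) continue ;;
        esac
        # Conditional removal when the value holds % or / (dzdo.env_check).
        case "$check_list" in
            *",$name,"*)
                case "$value" in
                    *[%/]*) continue ;;
                esac ;;
        esac
        printf '%s\n' "$line"
    done
}

# Constructed sample environment for a demonstration run.
sample_env() {
    printf 'TERM=xterm\n'
    printf 'TZ=Europe/Rome\n'      # on the check list, contains / -> dropped
    printf 'PS1=%%h$ \n'           # on the check list, contains %% -> dropped
    printf 'IFS= \n'               # on the delete list -> dropped
    printf 'HOME=/home/alice\n'    # not on any list, kept despite the /
    printf 'LANG=C\n'
}

# Run the sample through the filter with constructed check/delete lists.
demo() {
    sample_env | sanitize_env "TZ,PS1,HOSTALIASES" "IFS,BASH_ENV"
}

demo
```

Only the three untouched variables (TERM, HOME, LANG) survive the run; HOME is kept because, as with dzdo, the % and / test applies only to names on the check list.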

Checking ownership of the timestamp directory


When you run dzdo privileged commands, dzdo checks the ownership of its timestamp directory (/var/run/dzdo by default). If the directory is not owned by root and writable only by the root user, dzdo ignores the directory's contents. If the timestamp directory is located in a directory writable by anyone, it is possible for a user to create the timestamp directory before dzdo runs. However, because dzdo checks the ownership and mode of the directory and its contents, the only damage that can be done is to hide files by putting them in the timestamp directory. This is unlikely to happen, since once the timestamp directory is owned by root and not accessible to any other user, the user placing files there would be unable to get them back out. To avoid this issue, you can use a directory that is not world-writable for the timestamps (for example, you can use /var/adm/dzdo as the timestamp directory) or create /var/run/dzdo with the appropriate owner (root) and permissions (0700) in the system startup files. You can specify an alternative timestamp directory using the dzdo.timestampdir configuration parameter in the /etc/centrifydc/centrifydc.conf file.

Checking the date of login timestamps


Login timestamps are not considered valid if they have a date greater than the current time plus twice the timeout value (current_time + (2 * TIMEOUT)). If a timestamp is invalid, dzdo will not allow it to be used and logs the issue in its log file. This timestamp check prevents a user from creating his or her own login timestamp with a bogus date on systems that allow users to change file ownership.

Checking the commands that dzdo runs


The dzdo program only logs the command it explicitly runs. If a user is allowed to run a privileged command such as dzdo su or dzdo sh, any subsequent commands the user runs from the invoked shell are not logged. In addition, dzdo access controls do not affect which commands the user is allowed to run in the invoked shell. The same limitation applies to programs such as text editors that offer shell escapes. Because of this limitation, you should use caution when giving users access to privileged commands through dzdo, and verify that a command does not inadvertently give the user an effective root shell.
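One way to apply the caution above during a review is to scan the command tables that dzinfo prints for entries that hand a user a shell, or an editor with shell escapes, while running as another account. The following is an added example, not Centrify's code. The sample table is constructed in the four-column format that dzinfo --commands uses for a restricted environment, with an extra sh row so the check has something to report; the list of shell-capable commands is an assumption for the demonstration, not a Centrify setting.

```sh
#!/bin/sh
# Added example (not Centrify code): flag rows of a dzinfo-style
# "Commands in restricted environment" table whose command is a shell or
# an editor with shell escapes and whose Run As is not "self".

# Constructed sample in the four-column dzinfo --commands layout.
# The rs-backup_ops-sh row is added so that the review has a finding.
SAMPLE_TABLE='Commands in restricted environment: rs-backup_ops
Name                 Avail  Command  Run As
-------------------  -----  -------  ------
rs-backup_ops-tar    Yes    tar      self
rs-backup_ops-rpm    Yes    rpm      root
rs-backup_ops-sh     Yes    sh       root'

# Reads a table on stdin, prints "name command run_as" for each flagged
# row, and exits 1 if anything was flagged (0 otherwise). Only the
# four-column layout is handled; the --verbose layout has more columns.
flag_shell_rights() {
    awk '
        BEGIN {
            # Assumed list of commands that yield an interactive shell.
            n = split("sh bash ksh csh tcsh zsh su vi vim emacs less more", r, " ")
            for (i = 1; i <= n; i++) risky[r[i]] = 1
            found = 0
        }
        # Data rows: four fields with Yes/No in the Avail column.
        NF == 4 && ($2 == "Yes" || $2 == "No") {
            cmd = $3
            sub(/.*\//, "", cmd)            # reduce /bin/sh to sh
            if ($4 != "self" && (cmd in risky)) {
                print $1, $3, $4
                found = 1
            }
        }
        END { exit found }
    '
}

# Run the review over the constructed sample.
review_sample() {
    printf '%s\n' "$SAMPLE_TABLE" | flag_shell_rights
}

review_sample
```

The tar and rpm rows pass because neither command is on the shell list; the sh row is reported because it runs as root. A real review would feed the script the live output of dzinfo --commands for each user of interest.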

Setting configuration parameters


The following configuration parameters can be set in the centrifydc.conf file to control dzdo operation. The configuration parameters are equivalent to the standard sudo settings.

Use this parameter    To do this

dzdo.always_set_home
    Set the HOME environment variable to the home directory of the target user, for example, root unless the -u option is used. This effectively means that the -H flag is always implied. The parameter value can be true or false. The default value is false.

dzdo.env_check
    List the environment variables to check for the special characters % or / in the value, and remove the variables whose values contain those characters from the user's environment. Variables with % or / characters are removed regardless of whether you have selected the Reset environment variables option for the command in the Centrify DirectControl Administrator Console. The default list of variables to check is displayed when you run the dzdo -V command as root. You can customize the list by modifying this configuration parameter in the centrifydc.conf file. The parameter value can be a comma-separated list of environment variable names.

dzdo.env_keep
    Specify the default list of environment variables to preserve in the user's environment. This configuration parameter only applies if you have selected the Reset environment variables option for the command in the Centrify DirectControl Administrator Console. The variables specified with this parameter are preserved in addition to the default list of variables displayed when you run the dzdo -V command as root. The parameter value can be a comma-separated list of environment variable names.

dzdo.env_delete
    Specify the default list of environment variables to be removed from the user's environment. This configuration parameter only applies if you have selected the Remove unsafe environment variables option for the command in the Centrify DirectControl Administrator Console. The variables specified with this parameter are removed in addition to the default list of variables displayed when you run the dzdo -V command as root. The parameter value can be a comma-separated list of environment variable names.

dzdo.set_home
    Set the HOME environment variable to the home directory of the target user when the -s option is used. The parameter value can be true or false. The default value is false.

dzdo.path_info
    Specify whether the dzdo program should inform the user when it cannot find a command in the user's PATH. By default, the parameter value is true and the program will display an error statement indicating that the command could not be found in the user's PATH. You can set this configuration parameter to false if you want to prevent dzdo from indicating whether a command was not allowed or simply not found.

dzdo.lecture
    Control whether dzdo displays a warning message about using the program before displaying the password prompt. The valid parameter values are:
    once to display the warning message only the first time the command is run.
    never to never display a warning message.
    always to display the warning message every time the program is invoked.
    The default value is once.

dzdo.lecture_file
    Specify the full path to a file containing the warning message you want displayed. If this parameter is not set, a default message is displayed.

dzdo.tty_tickets
    Require authentication once per tty rather than once per user. The parameter value can be true or false. The default value is false.

dzdo.badpass_message
    Specify the message displayed if a user enters an incorrect password. The parameter value can be any text string enclosed by quotation marks. The default value is "Sorry, try again."

dzdo.timestampdir
    Specify the directory where dzdo stores user timestamp files. The default directory is /var/run/dzdo.

dzdo.timestamp_timeout
    Specify the number of minutes between operations during which a user need not re-authenticate. The default parameter value is 5 minutes.

dzdo.passwd_timeout
    Specify the number of minutes before the dzdo password prompt times out. The default parameter value is 5 minutes.

For more information about setting configuration parameters in the centrifydc.conf file, see the Configuration Parameters Reference Guide.

Examples of using dzdo


To use a privileged command to get a file listing of an unreadable directory, you would type a command similar to the following:
% dzdo ls /usr/local/protected

To edit the index.html file as the user webmaster:


% dzdo -u webmaster vi ~www/htdocs/index.html

To shut down a computer, you would type a command similar to the following:
% dzdo shutdown -r +15 "quick reboot"

To make a usage listing of the directories in the /home partition, you would type a command similar to the following:
% dzdo sh -c "cd /home ; du -s * | sort -rn > USAGE"

Note that this example command line opens a sub-shell (sh) before running the commands that generate the listing. Running the commands in a sub-shell is required to make the cd command and file redirection work. However, allowing the user to open a new shell as a privileged command can inadvertently result in giving the user root access in the invoked shell and is not recommended in most cases.


Using dzinfo
The dzinfo command displays detailed information about the DirectAuthorize configuration for one or more specified users on the local computer. If you do not specify a user, dzinfo returns information for the currently logged on user. The basic syntax for the dzinfo command is:
dzinfo [username] [--commands] [--diag] [--pam] [--roles] [--test command] [--verbose] [--all] [--version]

Notes   To specify one or more user names on the command line, you must be logged on as root.
        The dzinfo command requires that you are running Centrify DirectControl with a license.

By default, the dzinfo command displays all roles and rights for the specified user, including role availability settings, start or expiration times, and DirectAudit integration. The --commands, --pam, and --roles options are intended to limit the information displayed to a single set of rights. For example, you can use the --pam option to display only the PAM-enabled applications that the specified user is allowed to access. Similarly, the --commands option lists only the commands that the user is allowed to run. The commands listed, however, may be privileged commands that can be invoked using dzdo or commands that are allowed in restricted environments. The --roles option lists only the roles the user has been assigned. If you don't specify one of these options to limit the information displayed, the dzinfo command returns information for all three sets of rights.


Setting valid options


You can use the following options with this command:

Use this option    To do this

username[@domain]
    Specify the Active Directory user, by UNIX profile name or Active Directory name, that you want to display DirectAuthorize details for. You can specify this option multiple times to retrieve and display the information for multiple users. If you don't specify the username, the command returns information for the currently logged on user. Note You must be logged on as root to specify a user name.

-c, --commands
    Display only information about the privileged or restricted environment commands the user can run. This option displays all of the commands the user is allowed to run as privileged commands or restricted environment commands.

-d, --diag
    Include extended, diagnostic information in the command output. This option is intended for troubleshooting potential problems with the authorization store.

-p, --pam
    Display only information about the PAM-enabled applications the user has permission to access.

-r, --roles
    Display only the roles to which the specified user is assigned.

-t, --test command
    Check whether the specified command can be run by the user using dzdo or in a restricted environment. The command argument must be enclosed by quotation marks and be the full path to a specific executable (a binary or a script). The specified command is then tested both as a privileged command using dzdo and as a restricted environment command for the specified user. You must specify the full path to the command you want to test in order to fully distinguish it from other commands of the same name that may be in your current $PATH. For example, this option enables you to test whether jae_m can run /bin/ls even if root accesses the ls command in /sbin/ls:

    dzinfo jae_m -t /bin/ls

    The command results are printed to standard output.

-V, --verbose
    Provide more complete information about the DirectAuthorize configuration in the command output.

-A, --all
    Provide the most complete information about the DirectAuthorize configuration in the command output, including information about environment variables.

-v, --version
    Display version information for the installed software. This option cannot be combined with any other options.

Examples of using dzinfo


To display complete configuration information for the user molly, you would type a command similar to the following:
dzinfo molly


If roles and rights have been configured for the user, the command displays information similar to the following:
Zone Status: DirectAuthorize is enabled
User: molly
Forced into restricted environment: Yes

Role Name        Avail  Restricted Env
---------------  -----  --------------
role-Lab Staff   Yes    rs-lab_staff

PAM Application  Avail  Source Roles
---------------  -----  ----------------------------
login            Yes    role-Lab Staff
sshd             Yes    role-Lab Staff
gdm              Yes    role-Lab Staff

Privileged commands:
Name             Avail  Command   Source Roles
---------------  -----  --------  ---------------------------------
(molly has no privileged command rights)

Commands in restricted environment: rs-lab_staff
Name                    Avail  Command  Run As
----------------------  -----  -------  ---------
rs-lab_staff-whoami     Yes    whoami   self
rs-lab_staff-pwd        Yes    pwd      self
rs-lab_staff-uname      Yes    uname    tim
rs-lab_staff-who        Yes    who      self
rs-lab_staff-groups     Yes    groups   self

To test whether the user sonya is authorized to run the adflush command, you could type a command similar to the following:
dzinfo sonya --test "/usr/bin/adflush"

The command displays information similar to the following:


Testing: User = sonya command = /usr/bin/adflush
User sonya can run the command as 'root' via dzdo, authentication will not be required, noexec mode is off
User sonya is not allowed to run the command in restricted environment

To display more detailed information, such as the available hours for a role or the user a privileged command should run as in the results, you would type a command similar to the following:
dzinfo jcool --verbose

The command displays information similar to the following:


Zone Status: DirectAuthorize is enabled
User: jcool
Forced into restricted environment: Yes

Role Name         Avail  Restricted Env  Effective   Expires  Available Hours
----------------  -----  --------------  ----------  -------  ---------------
Backup Operator   Yes    BUShell         Immediate   Never    Always

PAM Application  Avail  Source Roles
---------------  -----  --------------------
sshd             Yes    Backup Operator

Privileged commands:
Name            Avail  Command  Path  Run As  Auth  Exec  Source Roles
--------------  -----  -------  ----  ------  ----  ----  ------------
(jcool has no privileged command rights)

Commands in restricted environment: BUShell
Name     Avail  Command  Path  Run As  Exec
-------  -----  -------  ----  ------  ----
ls       Yes    ls       User  self    Yes
cat      Yes    cat      User  self    Yes
dzinfo   Yes    dzinfo   User  self    Yes
cpio     Yes    cpio     User  root    Yes
tar      Yes    tar      User  root    Yes
mount    Yes    mount    User  root    Yes

To only display the privileged and restricted environment commands allowed for the user rex, you would type a command similar to the following:
dzinfo rex --commands

The command displays information similar to the following:


Zone Status: DirectAuthorize is enabled
User: rex
Forced into restricted environment: Yes

Privileged commands:
Name             Avail  Command   Source Roles
---------------  -----  --------  -----------------------------
(rex has no privileged command rights)

Commands in restricted environment: rs-backup_ops
Name                Avail  Command  Run As
------------------  -----  -------  ---------
rs-backup_ops-tar   Yes    tar      self
rs-backup_ops-rpm   Yes    rpm      root

Understanding dzinfo result codes


The dzinfo command returns the following result codes upon exit:
Result code    Indicates
0              Command executed successfully.
6              The attempt to execute the command generated unexpected errors.
7              The command line contained a usage error.
9              Root privilege is required to perform the selected operation.

Using dzsh
The dzsh restricted environment shell is a customized Bourne shell for DirectAuthorize that provides environment variables, job control, command history, and command access as defined by DirectAuthorize roles. The restricted environment only allows the user to run the specific commands that have been defined in the user's assigned DirectAuthorize roles.

Note    The dzsh command requires that you are running Centrify DirectControl with a license.

If a user is assigned to one or more roles with a restricted environment, only one of those roles may be designated as the active role at any point in time, and only the commands defined for that active role are allowed to run. Within the restricted environment, however, the user can change the active role or view information about the roles available by running the role command. The role command allows the user to list, change, and query information about the currently active and available roles.

Although dzsh can be used as the interpreter for a script (for example, #!/usr/bin/dzsh), this is not the intended or recommended usage. Instead, the dzsh shell is intended to function as an interactive shell for restricted environment users. Those users can be given the right to run specific scripts as well as commands, where the scripts should be interpreted by an existing system shell application.

Commands in a restricted environment can be executed as the current user or a specified user. If a command is configured in DirectAuthorize to be executed as a specific user, the dzsh shell automatically reforms the command and executes it as the specified user, without requiring another command, such as sudo, to be used.


Understanding the limitations of the restricted environment


The restricted environment does not enforce rights for commands run outside of the shell. For example, if using a graphical desktop manager, the user can run commands and applications that are launched from menu selections in the graphical user interface. In addition, limiting the users command set in the dzsh shell does not prevent the user from running built-in shell commands, accessing the file system, or seeing process or system information. For example, even in a restricted environment with no rights to run any commands, a dzsh user could get a process listing using the following script:
for i in /proc/[0-9]*; do read PROC < $i/cmdline; echo $PROC; done

Because the shell scripting environment allows these operations, the user can effectively access information that the command set defined for the user's restricted environment does not allow.

Using the role command in a dzsh shell


The DirectAuthorize restricted environment shell includes the built-in role command. The role command enables the user to change the currently active role or view summary or detailed information about the roles the user has been assigned.
Understanding role syntax

The basic syntax for using the built-in role command is:
role [role_name] [-h] [-l]

If no command line options are specified, running the built-in role command displays the name of the currently active role.


Setting valid role options

You can use the following options with the role command in a DirectAuthorize restricted environment shell:

Use this option    To do this

role_name
    Change the active role to the role_name specified.

-h
    Display the usage message.

-l
    List the available restricted environment roles for the current user.

Running startup and rc scripts


The dzsh restricted environment shell executes the following scripts when started:

• The /etc/dzsh_profile and ~/.dzsh_profile startup scripts are executed automatically by dzsh when a user logs in. The /etc/dzsh_profile script can run any commands that a normal shell can run, without any restrictions from DirectAuthorize. The commands that can be executed in the ~/.dzsh_profile startup script are restricted to the commands allowed by DirectAuthorize to run inside a dzsh shell.

• The /etc/dzshrc and ~/.dzshrc scripts are executed automatically by dzsh when a user opens a dzsh restricted environment shell. The /etc/dzshrc script can run any commands that a normal shell can run, without any restrictions from DirectAuthorize. The commands that can be executed in the ~/.dzshrc startup script are restricted to the commands allowed by DirectAuthorize to run inside a dzsh shell.

Understanding dzsh result codes


The restricted environment shell returns 0 if command execution is successful, or the return code of the command that failed if command execution is not successful.


Examples of using dzsh


After logging on as a user assigned to the role test_lab with a restricted environment, the dzsh shell displays the active role. For example:
You are in role: test_lab
$

To list all of the roles for the current user and their status, you would type a command similar to this:
$ role -l
test_lab
web_maint
backup_team
$

To change the active role for the user:


$ role web_maint
Role changed to: web_maint
$

If the user attempts to run a command that is not allowed in the current role and restricted environment, the dzsh shell will reject the command. For example:
$ clear
clear: command not allowed

To switch between roles that allow the id command to run as root (in the test_lab role) or the current user (in the backup_team role), you would type the following command to set the active role to test_lab:
$ role test_lab
Role changed to: test_lab

You can then run id in that role and view the results. For example:
$ id
uid=0(root) gid=0(root) groups=10000(samson) context=user_u:system_r:unconfined_t

To change the active role to backup_team, you can type the following command:
$ role backup_team
Role changed to: backup_team

If you run id in the new active role, you will notice the difference in the results. For example:

$ id
uid=10000(samson) gid=10000(samson) groups=10000(samson) context=user_u:system_r:unconfined_t
$

Using nisflush
The nisflush command can be used to clear the Centrify DirectControl Network Information Service cache on a local computer. The Centrify DirectControl Network Information Service cache stores the NIS maps for network information that are retrieved from Active Directory.

Note    The nisflush command requires that you are running DirectControl with a license.

The basic syntax for the nisflush program is:

nisflush [option]

To run the nisflush command, you must be logged in as the root user.

Setting valid options


You can use the following options with this command:

-f, --force    Clear the cache of all data even if the Centrify DirectControl Agent, adclient, is currently disconnected from Active Directory.
-h, --help     Display the usage message.

Examples of using nisflush


The nisflush command enables you to clear the cache for the Centrify DirectControl Network Information Service at any time. This command can be useful when you want to force the Centrify DirectControl Agent to read new information from Active Directory, or when you want to remove obsolete data from the cache. You can also use this command as part of routine housekeeping to free up disk space. To clear the cache of NIS maps for network information from Active Directory, you would type:
nisflush
nisflush

To clear the cache of NIS maps for network information from Active Directory when the local computer is disconnected from the network, you would type:
nisflush --force

Using OpenLDAP commands


Centrify DirectControl includes a set of OpenLDAP commands that have been modified to better support the Active Directory environment. The Centrify DirectControl distribution of OpenLDAP supports all of the standard options and syntax for performing LDAP operations, but the ldap commands in the Centrify DirectControl distribution of OpenLDAP also support the following options that are not supported in a standard OpenLDAP distribution:

-m    Use the local machine credentials from the /etc/krb5.keytab file. This option requires root user access.
-r    Disable line wrapping when printing out LDIF entries.

The Centrify DirectControl distribution of OpenLDAP also provides extended URL support for Active Directory. With Centrify DirectControl LDAP commands, you can use the following URLs to connect to Active Directory computers:

ldap://domain_name    Connect to the appropriate domain controller for the specified domain within the Active Directory site.
ldap://               Connect to the joined domain.
gc://[domain_name]    Connect to the Global Catalog domain controller for the joined domain. You can use the optional domain_name parameter to specify a domain in a different forest.

The Centrify DirectControl distribution of OpenLDAP includes the following commands:
ldapsearch
ldapadd
ldapmodify
ldapmodrdn
ldapcompare
ldapdelete

Note: The ldappasswd and ldapwhoami commands do not work with Active Directory. For more information about using the OpenLDAP commands or the standard options available, see the man page for each command.

Using LDAP server and adclient to retrieve results


In addition to the OpenLDAP commands optimized to work with Active Directory, Centrify DirectControl provides a separate LDAP server configuration (ldapproxy) that you can use to enable applications that cannot search Active Directory directly (for example, because they don't support Kerberos or GSS) to look up information in Active Directory through the Centrify DirectControl Agent, adclient. With the ldapproxy configuration, the LDAP server submits LDAP client search requests through adclient's secure connection to Active Directory and returns the results unformatted, without any translation or interpretation of the data (search-only mode).

Installing the LDAP proxy files


The LDAP server configuration (ldapproxy) is available with the Centrify DirectControl Agent or from the Centrify Download Center as a separate software package. To install the Centrify DirectControl LDAP server file:

1 On the UNIX computer, log in as or switch to the root user.

2 Copy the appropriate package for the local computer's operating environment from the Centrify DirectControl CD or download directory to a local directory. For example, if the operating environment is Solaris 9 SPARC:
cp /tmp/centrifydc-ldapproxy-release-sol8-sparc-local.tgz .

If you aren't sure which file to use for the local operating environment, see the release-notes text file included in the package.

3 If the software package is a compressed file, unzip and extract the contents. For example, on Solaris:
gunzip -d centrifydc-ldapproxy-release-sol8-sparc-local.tgz
tar -xf centrifydc-ldapproxy-release-sol8-sparc-local.tar

4 Run the appropriate command for installing the package based on the local computer's operating environment. For example, on Solaris:
pkgadd -d CentrifyDC-ldapproxy -a admin

If you aren't sure about the command to use for the local operating environment, see the release-notes text file included in the package. If you are using an installation program not described in the release-notes text file, such as SMIT or YaST, see the documentation for that program.

Configuring and starting the LDAP proxy


To use the LDAP server as a proxy to retrieve information from Active Directory:
1 Verify the local computer is joined to an Active Directory domain and that the adclient process is running.

2 Switch to the root user and edit the LDAP server configuration file to set the dc=domain,dc=com in the suffix line to the domain the local computer has joined. For example:
vi /usr/share/centrifydc/etc/openldap/ldapproxy.slapd.conf
...
# LDAP Proxy configuration
database    centrifydc
suffix      "dc=ajax,dc=org"
directory   /usr/share/centrifydc/var/openldap-data
index       objectClass eq

3 Start the LDAP server process using the modified configuration file:
/usr/share/centrifydc/libexec/slapd -f \
/usr/share/centrifydc/etc/openldap/ldapproxy.slapd.conf

You can then use the ldapsearch command to search Active Directory for entries. For example, to search Active Directory for the Administrator account (cn=Administrator), you could type a command similar to this:
/usr/share/centrifydc/bin/ldapsearch -h localhost -x -b "dc=domain,dc=com" "(cn=Administrator)"
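The three steps above, carried through as one script. This is an added example and not part of the Centrify guide: it derives the base DN from the joined domain name (ajax.org is an assumed example), rewrites the suffix line of ldapproxy.slapd.conf, checks that adclient is running, starts slapd and runs the guide's Administrator search. One thing is added that the guide's steps do not show: slapd is bound to the loopback interface with the standard -h URL list. The proxy answers anonymous (-x) searches and relays them over adclient's authenticated connection to Active Directory, so the listener should not be reachable beyond the local applications that need it. The paths are those the guide uses; that the bundled slapd accepts -h as stock OpenLDAP does is an assumption.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: configure and start the
# ldapproxy slapd for the joined domain and run a test search through it.
# Paths are the ones the guide shows; the domain name is an assumed example.
set -eu

CDC=/usr/share/centrifydc
CONF=$CDC/etc/openldap/ldapproxy.slapd.conf
SLAPD=$CDC/libexec/slapd
LDAPSEARCH=$CDC/bin/ldapsearch

# Turn a DNS domain name into the base DN used on the suffix line:
#   domain_to_dn ajax.org  ->  dc=ajax,dc=org
domain_to_dn() {   # domain_to_dn <domain>
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Print <conf-file> to stdout with its suffix line replaced by <base-dn>.
# Only a line whose first word is "suffix" is touched; comments are kept.
set_suffix() {   # set_suffix <conf-file> <base-dn>
    awk -v dn="$2" '
        $1 == "suffix" { print "suffix \"" dn "\""; next }
        { print }
    ' "$1"
}

# The full procedure. Needs root, a joined computer and a running adclient.
run_proxy() {   # run_proxy <joined-domain>
    dn=$(domain_to_dn "$1")

    # Step 1: the proxy can only answer through adclient's connection.
    pgrep -x adclient >/dev/null || { echo "adclient is not running" >&2; exit 1; }

    # Step 2: rewrite the suffix line, keeping the shipped file as a backup.
    [ -f "$CONF.orig" ] || cp -p "$CONF" "$CONF.orig"
    set_suffix "$CONF.orig" "$dn" > "$CONF"

    # Step 3: start slapd. The guide uses -f alone; restricting the listener
    # to loopback is an addition here (assumes stock OpenLDAP -h handling),
    # since the proxy accepts anonymous searches and relays them over the
    # agent's authenticated channel.
    "$SLAPD" -f "$CONF" -h "ldap://127.0.0.1/"

    # The guide's example search, through the proxy.
    "$LDAPSEARCH" -h localhost -x -b "$dn" "(cn=Administrator)"
}

# Nothing is changed on the system unless explicitly asked for.
if [ "${1:-}" = "--run" ]; then
    run_proxy "${2:?joined domain name required, for example ajax.org}"
fi
```

Run as root with `sh ldapproxy-setup.sh --run ajax.org`; domain_to_dn and set_suffix can be exercised on any computer, joined or not, by sourcing the script.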


Appendix B

Domain controller versions for Centrify DirectControl


This appendix lists the required versions and functional levels of the Microsoft Windows domain controllers that support Centrify DirectControl and Centrify DirectAuthorize, versions 4.2 and later. In general, Centrify DirectControl version 4.2 or later runs with any domain functional level. However, against Windows 2000 domain controllers Centrify DirectControl provides reduced performance; specifically, the following functions are not supported by Windows 2000:

Privilege Attribute Certificate (PAC)
    Contains all of the group memberships for the security principal requesting access to a resource.

Service for User (S4U)
    Microsoft-specific extensions to the Kerberos protocol that allow a service to obtain a Kerberos service ticket for a user who has not authenticated to the key distribution center (KDC). S4U includes S4U2proxy and S4U2self.

Centrify DirectAuthorize requires domain functional level 2003 or higher. The Centrify DirectControl Network Information Service (NIS) and Centrify DirectControl Samba both run with a domain controller at any functional level. The following table summarizes the domain functional levels required to support Centrify DirectControl 4.2 and later, and Centrify DirectAuthorize 1.1 and later.


Domain functional level, with support in DirectControl 4.2 and DirectAuthorize 1.1:

Pure Windows 2000
    DirectControl 4.2: Yes. DirectAuthorize 1.1: No.
    Notes: Reduced performance. Windows 2000 does not support important features such as the Privilege Attribute Certificate (PAC) or Service for User (S4U). Supports NIS and Samba.

Mixed Windows types in a Windows 2000 forest and functional level
    DirectControl 4.2: Yes. DirectAuthorize 1.1: No.

Pure Windows 2003
    DirectControl 4.2: Yes. DirectAuthorize 1.1: Yes.
    Notes: Must use DirectControl 4.2 to take advantage of the updated encryption algorithm.

Pure Windows 2003 R2
    DirectControl 4.2: Yes. DirectAuthorize 1.1: Yes.

Mixed Windows types (2003+) in a Windows 2003 forest and functional level
    DirectControl 4.2: Yes. DirectAuthorize 1.1: Yes.

Pure Windows 2008 in Windows 2000, 2003 and 2008 forest and functional levels
    DirectControl 4.2: Yes. DirectAuthorize 1.1: See Notes.
    Notes: Supported in DirectControl 4.2.2 and later.

Windows 2008 Read-Only Domain Controllers
    DirectControl 4.2: Yes. DirectAuthorize 1.1: See Notes.
    Notes: Supported in DirectControl 4.2.2 and later.
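An added example, not from the Centrify guide, that ties the requirements in this appendix to the -m option and ldap:// URL described under Using OpenLDAP commands: it reads the domainFunctionality attribute from the root DSE of the joined domain with the DirectControl ldapsearch, using the machine credentials from the keytab (so the live query must run as root), and reports whether the level meets the DirectAuthorize requirement of Windows 2003 or higher. The numeric values of domainFunctionality (0 for Windows 2000, 2 for Windows 2003, 3 for Windows 2008) are Microsoft's and are not taken from the guide. By default the script parses a constructed LDIF sample so it can be run on any computer; `--live` performs the real query.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: check the joined domain's
# functional level against the Appendix B requirements. The live path uses
# the DirectControl ldapsearch with -m (machine keytab, requires root) and
# the ldap:// URL for the joined domain; without --live the script parses
# a constructed sample so it can be exercised offline.
set -eu

LDAPSEARCH=/usr/share/centrifydc/bin/ldapsearch

# Constructed sample of the LDIF that a root DSE query for
# domainFunctionality returns; not captured from a real domain.
SAMPLE_LDIF='dn:
domainFunctionality: 2'

# Map the rootDSE domainFunctionality value to a level name. The values
# are Microsoft's DS_BEHAVIOR_* constants, not something the guide lists.
level_name() {   # level_name <n>
    case "$1" in
        0) echo "Windows 2000" ;;
        1) echo "Windows 2003 interim" ;;
        2) echo "Windows 2003" ;;
        3) echo "Windows 2008" ;;
        4) echo "Windows 2008 R2" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# Extract the integer from LDIF on stdin; prints nothing if the attribute
# is absent (for example when the query was refused).
parse_functionality() {
    awk -F': ' '$1 == "domainFunctionality" { print $2; exit }'
}

# DirectAuthorize requires Windows 2003 (value 2) or higher. A missing or
# non-numeric value counts as not supported rather than as an error.
directauthorize_ok() {   # directauthorize_ok <n>
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 2 ]
}

# Live root DSE query through the DirectControl ldapsearch (-m: keytab
# credentials; ldap://: the joined domain; -s base -b "": the root DSE).
query_functionality() {
    "$LDAPSEARCH" -m -H ldap:// -LLL -s base -b "" domainFunctionality |
        parse_functionality
}

if [ "${1:-}" = "--live" ]; then
    level=$(query_functionality)
else
    level=$(printf '%s\n' "$SAMPLE_LDIF" | parse_functionality)
fi

echo "Domain functional level: ${level:-not returned} ($(level_name "$level"))"
if directauthorize_ok "$level"; then
    echo "DirectAuthorize 1.1: supported"
else
    echo "DirectAuthorize 1.1: not supported (requires Windows 2003 or higher)"
fi
```

Run `sh check-functional-level.sh` to see the offline sample evaluated, or `sh check-functional-level.sh --live` as root on a joined computer.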


Index

A
account mapping
    groups pending import 116
    other local users 158
    purpose of 157
Active Directory
    DNS configuration 45
    enabling existing users 144
    forest integrity for zones 286
    functional level 174
    mapping Unix fields 108
    role assignments 202, 204
    Windows infrastructure 22
Active Directory Users and Computers
    group properties 126
    installing properties pages 47
    managing computer properties 84
    user properties 144
adcache
    command reference 477
    examples 478
    options 478
adcheck
    command reference 341
adclient
    log file 285
    starting and stopping 475
addebug
    command reference 400
    examples 400
    options 400
adfinddomain
    command reference 410
    examples 411
    options 411
adfixid
    examples 418, 423, 508
    options 414
    overview 412
adflush
    command reference 423
    options 423
adgpupdate
    examples 388
    options 388
adid
    command reference 424
    examples 425
    options 425
adinfo
    command reference 389
    displaying help 314
    examples 396
    introduction 302
    options 390
    when to use 314
adjoin
    command reference 317
    displaying help 314
    examples 329
    operations performed 83
    options 319
    when to use 313
adkeytab
    adding service principals 440
    deleting accounts 464
    deleting service principals 461
    encryption types 467
    file entries 427
    new service accounts 431
    overview 426
    password changes 455
    reset key tables 458
adleave
    changing a computer's domain 96
    command reference 335, 499
    displaying help 314
    examples 339
    options 337
    when to use 313
adlicense
    command reference 343
    options 342, 343
Administrator Console
    purpose 34
adnisd
    client configuration 268
    configuring IP addresses 263
    installing 262
    map update interval 264
    publishing maps selectively 265
    starting 266
adobfuscate
    command reference 401
    examples 405
    options 403
adpasswd
    command reference 344
    displaying help 314
    examples 347
    options 345
    when to use 313
adquery
    command reference 375
    examples 383
    group 380
    user 376
adreload
    examples 481, 485
    options 481, 483
adrmlocal
    examples 409
    options 409
adsetgroups
    command reference 472
    examples 474
    options 473
adsmb
    command reference 470
    examples 472
    options 471
adupdate
    add group 365, 368
    add user 349
    delete group 371, 372
    delete user 365
    displaying help 314
    modify group 368, 370
    modify user 357
    overview 348
agentless authentication
    derived maps 274
    designating the NIS server 258
    installing the password filter 260
    introduction 43
    Microsoft services 261
    NIS domain name 257
    password synchronization 259
    storing the password hash 257
    zone property 256
applications
    access rights 166
    authentication issues 22
    licenses 220
Auto Zone
    about 56

C
Centrify DirectControl
    access control summary 29, 30
    command line programs 313
    daemon 475
    diagnostic information 302
    DirectAuthorize extension 166
    documentation 17
    log files 298
    managed system 29, 31, 32
    optional tools 36
    password enforcement 154
    platform-dependent components 31
    prerequisites 45
    property extensions 34
    release information 12
    solution overview 23 to 28
    starting the first time 49
    support for UNIX services 37
    technical support 20
    troubleshooting issues 285
    updating license keys 221
Centrify DirectControl Agent
    architecture 38
    key tasks 37
Centrify web site 20
command line programs
    basic usage 313
    displaying help 314
    location 313
    man pages 314
computer accounts
    changing the zone 95
    domain changes 96
    password interval 85
    pre-join creation 86
    reporting 233
    role assignment 172, 203
    running adjoin 83
    secured by password 84
conventions, documentation 14

D
daemon
    enabling logging 285
    introduction 475
diagnostic information 302, 397
DirectAuthorize
    application names 178
    authorization store 174
    configuring rights 177
    console extension 166
    identifying administrators 176
    initializing 174
    privileged commands 166
    restricted environments 166
    rights defined 166
    role definition 166
    system requirements 173
disconnected operation
    account changes 156
    credential storage 156
documentation
    additional 17
    audience 11
    conventions 14
    installing on Windows 35
    latest information 12
    online help 15
    summary of contents 12 to 14
domain controllers
    adding DNS server role 306
    setting manually 307
    testing connectivity 304
Domain Name Server (DNS)
    manual setting 305
    nameserver entry 304
    server role 303, 306
    services provided 303
    testing connectivity 304
    using a forwarder 305
    Windows requirement 45
duplicate UNIX users 287
dzdo
    command reference 487
    examples 498
    options 489, 500
dzinfo
    creating a privileged command 215
    current user information 216
    running for a specified user 215
dzsh shell 166

E
evaluation license key 220

G
GID
    new zone creation 66
    starting value 51
glob pattern matching 184 to 185, 193 to 194
global catalog, defining manually 308
group policy editor extension 35
groups
    computer-based role assignment 203
    default GID setting 51, 66
    exporting roles 210
    filters for access control 129
    importing roles 211
    nesting 129
    NIS import 103 to 107
    reporting 233
    required membership 134
    role assignment 201 to 203

H
heterogeneous environments 21

I
identity management
    importance 21
    multiple mechanisms 22
    simplifying 23
importing from Unix
    accessibility from Windows 103
    NIS maps 103 to 107
    pending state 107
installation
    DirectAuthorize requirements 173
    license keys 50
    restarting services 53
    running setup on Windows 46 to 49

J
join operation
    command reference 317
    key tasks performed 84
    specifying arguments 90
    user restrictions 85

K
keytab files 427

L
licensing
    adding keys 227
    deleting keys 229
    during installation 50
    evaluation key 220
    introduction 219
    multiple keys 221
    permanent keys 221
    reports 229, 233
    types 220
    updating keys 221
    viewing a summary 226
Linux
    naming convention 15
    NIS clients 268
log files
    adinfo output 302
    enabling 298
    location 299, 400
    performance impact 299
    purpose 285

M
man pages
    displaying 314
    source of information 19
managed system 29, 32
Microsoft Services for UNIX (SFU)
    duplicate zones 287
    password synchronization 259, 261
    support for 27

N
Network Information Service (NIS)
    additional maps 275
    agentless authentication 43
    client configuration 268
    configuring IP addresses 263
    custom maps 280
    deleting maps 283
    extension for maps 35
    importing maps 103 to 107
    installing adnisd 262
    maintaining maps 282
    maps published 265
    network information 276
    support for 254
    testing access 274
nisflush
    command reference 508
    example 508
    options 508
NSS configuration
    modification 38
    reverting to pre-join state 97

O
online help 15, 35
OpenLDAP 509

P
PAM configuration
    access rights 166
    agent component 38
    application names 178
    reverting to pre-join state 97
    typical log on process 40
password management
    changing your own 155
    disconnected mode 156
    policy definition 154
    policy enforcement 30
    resetting for other users 155 to 156
    synchronization 261
pattern matching
    glob 184 to 185, 193 to 194
    regular expressions 184 to 185, 193 to 194
pending import
    group information 108
    manual process 107
    NIS information 107
primary groups
    selecting the default type 51
privileged command
    command reference 487
privileged commands
    adding to a role 201
    configuring rights 190
    defined 166
    execution attributes 197
    run-as user 195
    running with dzdo 206
property extensions 34

Q
Quick Start 17

R
regular expression pattern matching 184 to 185, 193 to 194
Release Notes 12
reporting
    forest analysis 286
    group information 233
    license information 233
    privileged command rights 217
    purpose of 231
    role assignments 217
    saving 243 to 244
    zone information 234
restricted environments
    adding shell commands 182 to 188
    creating 180
    defined 166
    limitations 171, 505
    selecting for a role 200
rights
    collected in roles 166
    enforcing 205
    exporting 210
    importing 211
    node displayed 176
    operation types 166
    PAM access 178
    privileged commands 190
    reporting 217
roles
    assigning users and groups 201
    availability 166, 199
    cloning 209
    computer-based scope 172, 203
    configuring PAM access 200
    creating 198
    enforcing 205
    exporting 210
    importing 211
    job functions 198
    making active 207
    node displayed 176
    privileged commands 201
    reporting 217
    restricted environment access 200
    scope defined 203
    start and expiration 202
root user
    adinfo options 302
    adleave operation 336
    adnisd installation 262, 511
    changing the domain 96
    enabling logging 298
    installation requirement 52
    join operation 317
    leaving the domain 97
    local override account 161

S
Setup Wizard
    creating the Zones container 50

T
technical support 20
troubleshooting
    daemon operation 285
    enabling logging 298
    forest integrity 286
    using adinfo 302

U
UID
    new zone creation 51, 65
    reserved values 72
    starting value 51
universal groups 125
UNIX
    authentication mechanisms 22
    available shells 72
    command line programs 313
    importing local users 103
    knowledge of 12
    man pages 314
    naming convention 15
    restarting services 53
    server licenses 220
UNIX computers
    changing the zone 95
    domain changes 96
    joining a domain 83
    restricting who can join 86
    server and workstation licenses 220
UNIX groups
    derived maps 274
    duplicate information 287
    using user-specific groups 149
UNIX users
    derived maps 274
    duplicate information 287
    enabling in Active Directory 144
    local account mapping 157
users
    account mapping 157
    account status report 234
    computer-based role assignment 203
    default UID setting 51, 65
    disconnected logins 156
    exporting roles 210
    group-based filtering 142
    importing roles 211
    NIS import 103 to 107
    password policies 154
    reporting 234
    reserved UID values 72
    role assignment 201 to 203

W
web applications
    licensing 220
Windows
    DirectAuthorize requirements 173
    integrating UNIX computers 32
    knowledge of 12
    reliance on Active Directory 23
    workstation licenses 220

Z
zones
    adding computers 76
    advantages of using 56
    available shells 72
    changing default properties 71
    changing for a computer 95
    checking integrity 286
    closing 68
    configuring the default zone 50
    creating additional 57 to 67
    default GID setting 51, 66
    default UID setting 51, 65
    delegating control 68
    home directory setting 51, 66
    importance of properties 57
    opening 67
    parent container 50
    reports 234
    understanding the use of 56
    using multiple 56
