Posted: 28-Apr-2018
  • Centrify DirectControl Express Edition

    Administrator's Guide

    May 2010

    Centrify Corporation

    Legal notice

    This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

    This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

    This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

    © 2004-2010 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

    U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

    Centrify, DirectControl, and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, and DirectSecure are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

  • Contents

    About this guide 7

    Intended audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

    Using this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

    Conventions used in this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

    Where to go for more information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

    Contacting Centrify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

    Chapter 1 Introduction 13

    Understanding Centrify DirectControl Express . . . . . . . . . . . . . . . . . . . . . 14

    Understanding the Centrify DirectControl Agent . . . . . . . . . . . . . . . . . . . 16

    Comparing Centrify Suite 2010 Express Edition to other editions. . . . . 18

    Understanding Zones and Auto Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

    Understanding how DirectControl generates consistent UNIX UIDs . . 22

    Chapter 2 Installing Centrify DirectControl Express 25

    Preparing for installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

    Installing the Centrify DirectControl Agent . . . . . . . . . . . . . . . . . . . . . . . . . 27

    Verifying the installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

    Troubleshooting adcheck errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

    Joining an Active Directory domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

    Adding generally-licensed features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

    Updating the Express installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

    Removing Centrify DirectControl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

    Chapter 3 Using DirectControl Express 51

    Logging in to your computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

  • Applying password policies and changing passwords . . . . . . . . . . . . . . 54

    Working in disconnected mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

    Mapping local UNIX accounts to Active Directory. . . . . . . . . . . . . . . . . . . 57

    Setting a local override account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

    Using standard programs such as telnet, ssh, and ftp . . . . . . . . . . . . . . . 59

    Using Samba. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

    Setting Auto Zone configuration parameters . . . . . . . . . . . . . . . . . . . . . . 61

    Chapter 4 Troubleshooting 63

    Understanding diagnostic tools and log files. . . . . . . . . . . . . . . . . . . . . . . 63

    Configuring logging for Centrify DirectControl . . . . . . . . . . . . . . . . . . . . . 64

    Collecting diagnostic information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

    Working with DNS, Active Directory, and DirectControl . . . . . . . . . . . . . 68

    Appendix A Using Centrify DirectControl UNIX commands 75

    Understanding when to use command line programs . . . . . . . . . . . . . . . 76

    Displaying usage information and man pages . . . . . . . . . . . . . . . . . . . . . 77

    Understanding common result codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

    Using adjoin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

    Using adleave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

    Using adcheck . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

    Using adlicense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

    Using adpasswd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

    Using adquery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

    Using adinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

    Using addebug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

    Using adfinddomain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

    Using adflush . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

    Using adid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

    4 DirectControl Express Edition Administrators Guide

  • Using adclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

    Using adcache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

    Using adreload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

    Appendix B Customizing Auto Zone configuration parameters 145

    auto.schema.primary.gid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

    auto.schema.private.group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

    auto.schema.shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

    auto.schema.homedir. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

    auto.schema.use.adhomedir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

    auto.schema.remote.file.service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

    auto.schema.name.format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

    auto.schema.separator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

    auto.schema.domain.prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

    auto.schema.search.return.max. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

    auto.schema.name.lower . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

    auto.schema.iterate.cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

    adclient.ntlm.separators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

    Appendix C Customizing PAM-related configuration parameters 153

    pam.allow.groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

    pam.allow.override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

    pam.allow.password.change . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

    pam.allow.password.change.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

    pam.allow.password.expired.access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

    pam.allow.password.expired.access.mesg . . . . . . . . . . . . . . . . . . . . . . . . 158

    pam.allow.users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

    pam.deny.groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

    pam.deny.users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

  • pam.ignore.users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

    pam.mapuser.username. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

    pam.password.change.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

    pam.password.change.required.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

    pam.password.confirm.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

    pam.password.empty.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

    pam.password.enter.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

    pam.password.expiry.warn.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

    pam.password.new.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

    pam.password.new.mismatch.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

    pam.password.old.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

    pam.policy.violation.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

    Appendix D Using DirectControl with SSH 169

    About SSH and DirectControl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

    Setting up SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

    Testing SSH on UNIX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

    Testing SSH from a Windows machine . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

    Index 173

  • About this guide

    Centrify Suite 2010 centrally secures cross-platform data centers through Active Directory-based identity and access management of the industry's widest range of heterogeneous systems, hypervisors and applications. Built on an integrated architecture, the Centrify Suite enables organizations to reduce IT expense, improve end-user productivity, strengthen security and enhance regulatory compliance.

    This guide describes Centrify DirectControl Express, the main component of the Express version of Centrify Suite 2010, which allows a supported machine to join Active Directory and authenticate users with minimal configuration. As your IT structure grows in size and complexity, the Express version allows seamless upgrade to full Centrify Suite 2010 functionality to take advantage of features such as:

    The same authentication and group policy services deployed for your Windows environment.

    Centrify DirectControl Zones to provide secure, granular access control and delegated administration.

    Centrify DirectAuthorize to centrally manage and enforce role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems.

    Centrify DirectAudit to deliver auditing, logging and real-time monitoring of user activity on your non-Microsoft systems.

    Centrify DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and enabling optional end-to-end encryption of data in motion.

    Centrify DirectManage to centralize the discovery, management and user administration of UNIX and Linux systems through integration into Active Directory-based tools and processes.

    Intended audience

    This DirectControl Express Edition Administrator's Guide provides complete information for installing and configuring Centrify DirectControl Express and for authenticating users and groups with Centrify DirectControl and Active Directory. This guide is intended for system and network administrators who are responsible for managing user access to servers, workstations, and network resources.

    Because Centrify DirectControl Express Edition is installed on the Linux or Mac OS X computers you intend to manage, and requires you to work with Windows Active Directory, this guide assumes you have a working knowledge of performing administrative tasks across these different environments. If you are unfamiliar with any of the operating environments you need to support, you may need to consult additional, operating system-specific documentation to perform certain tasks or understand certain concepts.

    This guide also assumes basic, but not expert, knowledge of how to perform common tasks. If you are an experienced administrator, you may be able to simplify or automate some tasks described in this guide using platform-specific scripts or other tools.

    Using this guide

    Depending on your environment and role as an administrator or user, you may want to read portions of this guide selectively. The guide provides the following information:

    Chapter 1, Introduction, provides an overview of DirectControl Express.

  • Chapter 2, Installing Centrify DirectControl Express, summarizes the steps for installing DirectControl Express on computers to be managed by Centrify DirectControl.

    Chapter 3, Using DirectControl Express, explains how to take advantage of Active Directory when joined to a domain through DirectControl Express.

    Chapter 4, Troubleshooting, describes how to use diagnostic tools and log files to retrieve information about the operation of DirectControl.

    Appendix A, Using Centrify DirectControl UNIX commands, provides reference information for the DirectControl command-line programs.

    Appendix B, Customizing Auto Zone configuration parameters, provides reference information for the Centrify DirectControl configuration parameters that affect the operation of a computer joined to Auto Zone. In Express Mode, a computer is automatically connected to Auto Zone.

    Appendix C, Customizing PAM-related configuration parameters, describes the DirectControl configuration parameters that affect the operation of PAM-related activity on the local host computer.

    Appendix D, Using DirectControl with SSH, explains how to install and use the Centrify release of OpenSSH.

    In addition to these chapters, an index is provided for your reference.

    Conventions used in this guide

    The following conventions are used in this guide:

    Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.

    Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.

    Italics are used for book titles and to emphasize specific words or terms.

    For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Mac OS X operating systems unless otherwise noted.

    The variable release is used in place of a specific release number in the file names for individual Centrify DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the Centrify DirectControl Agent for Solaris on SPARC available on the Centrify DirectControl CD or in a Centrify DirectControl download package. On the CD or in the download package, the file name indicates the Centrify DirectControl version number. For example, if the software package installs Centrify DirectControl version number 4.2.0 for the Sun Solaris operating system on a SPARC server, the full file name is centrifydc-4.2.0-sol8-sparc-local.tgz.

  • Where to go for more information

    The documentation set for Centrify DirectControl Express includes several sources of information. Depending on your interests, you may want to explore some or all of these sources further:

    Release Notes included on the distribution media or in the download package provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other documentation.

    Quick Start for Express Mode provides a brief summary of the steps for installing Centrify DirectControl Express and getting started so you can begin working with the product right away.

    Individual UNIX man pages provide command reference information for the Centrify DirectControl UNIX command-line programs. This DirectControl Express Edition Administrator's Guide also contains a command reference appendix for all DirectControl command-line programs.

    In addition to the Centrify DirectControl documentation, you may want to consult the documentation for your Windows, Linux, UNIX, or Mac OS X operating system, or the documentation for Microsoft Active Directory. This information can help you get the most out of Centrify DirectControl.

  • Contacting Centrify

    If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify Corporation with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify Corporation products, support, services, and upcoming events. For information about purchasing or evaluating Centrify Corporation products, send email to [email protected]


  • Chapter 1

    Introduction

    This chapter provides an introduction to the main features of Centrify DirectControl Express, including a brief overview of the ways Centrify DirectControl can help organizations leverage their investment in Active Directory.

    The following topics are covered:

    Understanding Centrify DirectControl Express

    Understanding the Centrify DirectControl Agent

    Comparing Centrify Suite 2010 Express Edition to other editions

    Understanding Zones and Auto Zone

    Understanding how DirectControl generates consistent UNIX UIDs

  • Understanding Centrify DirectControl Express

    The Centrify Suite is bundled in a number of different editions, ranging from the most basic, Express (the focus of this manual), to more advanced editions (Standard, Enterprise, and Platinum), which, in addition to having more features, provide other Centrify products, such as DirectAudit and DirectSecure.

    DirectControl is the underlying, base product of the Centrify Suite. The core feature of DirectControl is the ability to enable Linux and Mac servers and workstations to participate in an Active Directory domain. The DirectControl Agent effectively turns the host system into an Active Directory client, enabling you to secure that system using the same authentication services deployed for your Windows systems.

    Specifically, DirectControl Express provides the following:

    The ability to join a Linux or Mac OS X computer to Active Directory and authenticate users.

    Centrify-enabled versions of OpenSSH, Kerberos and Samba.

    Note: The Centrify Suite 2010 Express Edition includes an Express Edition of DirectManage that enables you to centrally discover computers and deploy software to them.

    DirectControl Express requires minimal configuration to join a UNIX machine to a domain and authenticate users through Active Directory. For example, DirectControl automatically creates consistent UIDs across the domain for users on the computers it manages; see Understanding how DirectControl generates consistent UNIX UIDs on page 22 for information on this topic.

    Also, when using DirectControl Express, you do not need to configure group policies and compliance reports, nor create zones to model your organization and control access to a domain. Therefore, DirectControl Express is ideal for an environment in which:

    You have a limited number of users and domains.

  • You do not need to maintain your current UNIX UIDs.

    The organizational structure is relatively flat.

    You want to configure computers quickly to join a domain.

    If your organization grows in size and complexity, you can easily upgrade Centrify DirectControl Express to one of the generally-featured versions; see Comparing Centrify Suite 2010 Express Edition to other editions on page 18 for more information.

    What you can do after you deploy

    When Centrify Suite 2010 Express installs the Centrify DirectControl agent on a UNIX system, that computer is considered a Centrify DirectControl managed system and can be joined to Active Directory in the same manner as a Windows computer.

    When a computer is managed by Centrify DirectControl and connected to a domain, all users and groups defined in Active Directory for the forest automatically become valid users and groups on the UNIX machine, unless you configure the agent to deny or allow access to specific users or groups (see the pam.deny.users, pam.allow.users, pam.deny.groups, and pam.allow.groups parameters in Appendix C). In addition, all Active Directory users defined in a forest that has a two-way, cross-forest trust relationship with the forest of the joined domain are also valid users on the UNIX machine. Because this default admits every account in the forest and in trusted forests, restrict logons with pam.allow.users or pam.allow.groups on any system that should not be reachable by all of them. These users can perform the following common tasks:

    Log on to the UNIX shell or desktop program and use standard programs and services such as telnet, ssh, and ftp.

    Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.

    Manage their Active Directory passwords directly from the UNIX command line, provided they can connect to Active Directory.
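    The paragraph introducing this list states the Auto Zone default: every Active Directory user in the forest, and in any two-way trusted forest, is a valid login on the managed host unless pam.allow.* or pam.deny.* restricts it. The following POSIX shell script is an added example, not Centrify's own tooling, that reads a DirectControl configuration file and reports whether an allow-list is actually in force. The parameter names are the ones this guide documents in Appendix C; the path /etc/centrifydc/centrifydc.conf and the "parameter: value" line syntax are assumptions about the agent's configuration format, and the two sample configurations the script writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a DirectControl configuration for the Auto Zone default
# in which any Active Directory account in the forest (or a trusted forest) can
# log on. Parameter names come from this guide (Appendix C); the file path and
# the "parameter: value" line syntax are assumptions about the agent.

CDC_CONF=${CDC_CONF:-/etc/centrifydc/centrifydc.conf}

# Value of one parameter, or empty if it is unset or commented out.
# Assumption: if a parameter appears more than once, the last line wins.
cdc_param() {   # $1 = config file, $2 = parameter name
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${pat}[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# "restricted" if pam.allow.users or pam.allow.groups names anyone, otherwise
# "open": deny-lists on their own still admit every account they do not name.
cdc_access_policy() {   # $1 = config file
    allow_users=$(cdc_param "$1" pam.allow.users)
    allow_groups=$(cdc_param "$1" pam.allow.groups)
    if [ -n "$allow_users" ] || [ -n "$allow_groups" ]; then
        echo restricted
    else
        echo open
    fi
}

# Human-readable summary of the four access-control parameters.
cdc_report() {   # $1 = config file
    echo "config: $1"
    echo "policy: $(cdc_access_policy "$1")"
    for p in pam.allow.users pam.allow.groups pam.deny.users pam.deny.groups; do
        v=$(cdc_param "$1" "$p")
        echo "$p: ${v:-<unset>}"
    done
}

# --- constructed sample configurations (not real deployments) -------------
OPEN_CONF=$(mktemp)
cat >"$OPEN_CONF" <<'EOF'
# Default-style configuration: the allow-list is commented out, so every
# AD user in the forest and in trusted forests is a valid login.
# pam.allow.groups: unix-admins
pam.deny.users: guest
EOF

RESTRICTED_CONF=$(mktemp)
cat >"$RESTRICTED_CONF" <<'EOF'
# Hardened configuration: only members of two AD groups may log on, and one
# service account is explicitly denied even if it is a member of them.
pam.allow.groups: unix-admins, web-ops
pam.deny.users: svc_backup
EOF

cdc_report "$OPEN_CONF"
echo
cdc_report "$RESTRICTED_CONF"
if [ -f "$CDC_CONF" ]; then
    echo
    cdc_report "$CDC_CONF"
fi
```

    Run it as root on a managed host and look at the policy line first: "open" means the deny-lists are the only thing standing between the whole forest and a shell on that machine.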

    Understanding the Centrify DirectControl Agent

    The Centrify DirectControl Agent makes a UNIX, Linux, or Mac OS X computer look and behave like a Windows client computer to Active Directory. The Centrify DirectControl Agent performs the following key tasks:

    Joins the UNIX, Linux, or Mac OS X computer to an Active Directory domain.

    Communicates with Active Directory to authenticate users when they log on and caches credentials for offline access.

    Enforces Active Directory authentication and password policies.

    Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.

    Although the individual agents you install are platform-specific, the Centrify DirectControl Agent is a tightly integrated suite of services that work together to ensure seamless operation between existing UNIX programs and applications and Active Directory authentication and directory service.

  • The following figure provides a closer look at the services provided through the Centrify DirectControl Agent:

    [Figure: the Centrify DirectControl Agent sits between the Active Directory domain controller and the programs on the managed host. Labels shown in the figure: Centrify DirectControl Agent; Centrify DirectControl Service Library; cached credentials and search results; Centrify DirectControl adclient; Kerberos environment; core services for UNIX shell programs and applications; Kerberos-enabled applications; PAM module; NSS module; command line programs; other add-on modules: Apache, JAAS realm, SPNEGO, NIS.]

    As this figure suggests, the Centrify DirectControl Agent includes the following core components:

    The core Centrify DirectControl Agent is the adclient process that handles all of the direct communication with Active Directory. The agent contacts Active Directory when there are requests for authentication, authorization, directory assistance, or policy updates, then passes valid credentials or other requested information along to the programs or applications that need this information.

    The Centrify DirectControl Pluggable Authentication Module, pam_centrifydc, enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory.

    The Centrify DirectControl NSS module is added to the nsswitch.conf file so that system look-up requests use the Centrify DirectControl agent to look up and validate information using Active Directory through LDAP.

    The Centrify DirectControl command line programs (CLI) enable you to perform common administrative tasks, such as joining and leaving the Active Directory domain or changing user passwords for Active Directory accounts from the UNIX command prompt. These command line programs can be used interactively or in scripts to automate tasks.

    The Centrify DirectControl Kerberos environment generates a Kerberos configuration file (/etc/krb5.conf) and a default key table (krb5.keytab) to enable your Kerberos-enabled applications to authenticate through Active Directory. These files are maintained by the Centrify DirectControl Agent and are updated to reflect any changes in the Active Directory forest configuration.

    The Centrify DirectControl local cache stores user credentials and other information for offline access and network efficiency.

    In addition to these core components, the Centrify DirectControl Agent can also be extended with optional utilities and programs, such as updated Kerberos, OpenSSH, or OpenLDAP utilities, that have been optimized to work with Centrify DirectControl and Active Directory.
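    The components listed above touch three places on the host: the NSS configuration, the PAM stacks, and the Kerberos files. The following POSIX shell script is an added example, not part of this guide or of the Centrify software, of how an administrator can verify that those hooks are actually present and that the machine keytab is not readable by other local users. The NSS source name centrifydc, the module filename pam_centrifydc.so, and the paths /etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/krb5.keytab are assumptions about the agent's installation layout; the sample files the script writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: confirm that the DirectControl agent's NSS and PAM hooks are
# wired in and that the machine keytab is protected. Names and paths below are
# assumptions about the agent's layout, not taken from this guide.

# Sources configured for one nsswitch database, e.g. "files centrifydc".
nss_sources() {   # $1 = nsswitch.conf, $2 = database name (passwd, group, ...)
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" \
        | sed 's/#.*//; s/[[:space:]]*$//' | head -n 1
}

# "yes" if the database consults the Centrify agent, otherwise "no".
nss_uses_centrifydc() {   # $1 = nsswitch.conf, $2 = database name
    case " $(nss_sources "$1" "$2") " in
        *" centrifydc "*) echo yes ;;
        *)                echo no  ;;
    esac
}

# "yes" if a PAM service file has an active (uncommented) pam_centrifydc
# entry for the given management group: auth, account, password or session.
pam_has_centrifydc() {   # $1 = PAM service file, $2 = management group
    if grep -Eq "^[[:space:]]*$2[[:space:]].*pam_centrifydc" "$1"; then
        echo yes
    else
        echo no
    fi
}

# "ok" if the file is readable and writable by its owner only (mode 0600).
# The keytab holds the computer account's Kerberos keys, so anything looser
# lets any local user impersonate the host to Active Directory.
keytab_mode() {   # $1 = keytab path
    case "$(ls -ld "$1" | cut -c2-10)" in
        rw-------) echo ok ;;
        *)         echo weak ;;
    esac
}

# Run all checks against the given files and print one line per result.
check_host() {   # $1 = nsswitch.conf, $2 = PAM service file, $3 = keytab
    for db in passwd group; do
        echo "nss $db -> centrifydc: $(nss_uses_centrifydc "$1" "$db")"
    done
    for grp in auth account password session; do
        echo "pam $grp -> pam_centrifydc: $(pam_has_centrifydc "$2" "$grp")"
    done
    echo "keytab $3 mode: $(keytab_mode "$3")"
}

# --- constructed sample files standing in for a managed host --------------
SAMPLE_NSS=$(mktemp)
cat >"$SAMPLE_NSS" <<'EOF'
passwd:  files centrifydc
group:   files centrifydc
hosts:   files dns   # not touched by the agent
EOF

SAMPLE_PAM=$(mktemp)
cat >"$SAMPLE_PAM" <<'EOF'
auth      sufficient  pam_centrifydc.so
auth      required    pam_unix.so
#account  required    pam_centrifydc.so
account   required    pam_unix.so
EOF

SAMPLE_KEYTAB=$(mktemp); chmod 0600 "$SAMPLE_KEYTAB"
LOOSE_KEYTAB=$(mktemp);  chmod 0644 "$LOOSE_KEYTAB"

check_host "$SAMPLE_NSS" "$SAMPLE_PAM" "$SAMPLE_KEYTAB"
# On a real host (assumed paths):
#   check_host /etc/nsswitch.conf /etc/pam.d/system-auth /etc/krb5.keytab
```

    A "no" for the account group, as in the constructed sample, means Active Directory may authenticate the user but account restrictions such as pam.allow.groups are not being consulted by that service; a "weak" keytab result should be fixed before anything else.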

    Comparing Centrify Suite 2010 Express Edition to other editions

    Centrify Suite 2010 Express Edition is composed of DirectControl Express and DirectManage Express. As explained in Understanding Centrify DirectControl Express on page 14, Centrify DirectControl Express provides a limited subset of the features available in DirectControl for Centrify Suite 2010 Standard, Enterprise, Platinum, or Application Editions.

    Express Edition provides

    DirectControl Express (a limited version of DirectControl) with the following features:

  • The ability to join a domain and authenticate users

    Centrify-enabled OpenSSH, Kerberos, and Samba

    DirectManage Express (a limited version of DirectManage) with the ability to discover computers and deploy software

    Standard Edition is the first-level commercial offering and combines the base product, DirectControl, with additional products, as follows:

    A fully-featured DirectControl with these features:

    The ability to join a domain and authenticate users

    Centrify-enabled OpenSSH, Kerberos, and Samba

    Advanced Active Directory support; for example, DirectControl is site-aware, supports trusts, and requires no modifications to the AD schema

    Centralized UNIX identity management; that is, the ability to map multiple UIDs to one Active Directory account

    Zone-based access control and separation of duties

    Group Policy enforcement

    Legacy NIS integration and migration

    Out-of-the-box reporting

    For Mac OS X users, the ability to use their PIV/CAC smart cards for authentication and single sign-on

    A fully-featured DirectManage to centrally discover systems and deploy software, migrate existing accounts and access rights to Active Directory, and provision and manage access, rights, and roles.

    DirectAuthorize to centrally manage and enforce role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems.

    Enterprise Edition provides:

    All the features of Standard Edition

    DirectAudit for real-time auditing of user sessions on UNIX- and Linux-based systems.

    Platinum Edition provides:

    All the features of Enterprise Edition

    DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and encrypting data in motion.

    Application Edition provides:

    All the features of Enterprise Edition

    Single sign-on for SAP, Web servers (Tomcat, Apache, JBoss, Websphere, and Weblogic), and IBM DB2

    Understanding Zones and Auto Zone

    When using a generally-featured version of DirectControl, one of the most important aspects of managing UNIX, Linux, and Mac OS X systems through the DirectControl Administrator Console is the ability to organize computers and users' access to those computers using zones.

    A DirectControl zone is similar to an Active Directory organizational unit (OU) or NIS domain. Zones allow you to organize the computers in your organization in meaningful ways to simplify account and access management and the migration of information from existing sources to Active Directory.

    Zones also enable you to map multiple UIDs to a single Active Directory account and store the mapping inside Active Directory.

    How you use zones will depend primarily on the needs of your organization. In some organizations, a single default zone is sufficient. In other organizations, using multiple zones may be a necessity.


    Understanding Auto Zone

    When using Centrify DirectControl Express, you have no access to the DirectControl Console, nor do you have the ability to create zones, including the default zone. Rather, in Express Mode, you connect to a domain through Auto Zone, which essentially is one super zone for the forest.

    Express Mode and Auto Zone greatly simplify the process of using DirectControl to join a UNIX computer to a zone. When using a generally-featured version of DirectControl, you must perform a certain amount of configuration in the DirectControl Console, such as defining a zone, adding Active Directory users and groups to the zone, and enabling specific group policies. With Auto Zone, UNIX attributes, such as UID, default shell, and home directory, that are normally defined in the zone to which the UNIX computer is joined, are derived from user attributes in Active Directory, or from DirectControl configuration parameters.

    When you join a domain by connecting to Auto Zone, all DirectControl Express users and groups defined in Active Directory for the forest automatically become valid users and groups on the UNIX machine. In addition, all Active Directory users defined in a forest that has a two-way, cross-forest trust relationship with the forest of the joined domain are also valid users for the UNIX machine.

    Although all users and groups have default access to all machines joined to Auto Zone, you may still control access to any particular machine by setting parameters, such as pam.deny.users and pam.deny.groups, in the Centrify DirectControl configuration file; see pam.deny.groups on page 159 and pam.deny.users on page 161.

    Note Auto Zone does not support one-way trusts. That is, if a computer is joined to a domain through Auto Zone, and the domain has a one-way trust relationship with another domain, users and groups in the trusted domain do not become valid users and groups on the computer.


    Understanding how DirectControl generates consistent UNIX UIDs

    In DirectControl Express, when an Active Directory user logs into a UNIX computer for the first time, DirectControl automatically creates a 31-bit UNIX UID, as well as a 31-bit GID for any groups to which the user belongs. To create these UIDs and GIDs, DirectControl creates a prefix from the last 9 bits of the user or group Security Identifier (SID) and combines it with the lower 22 bits of the user or group RID (relative identifier).

    Although DirectControl Express caches these UIDs and GIDs, they are not stored in Active Directory, and consequently you cannot edit or change them in any way with Active Directory Users and Computers (ADUC). If the cache expires, DirectControl uses the same algorithm to create the same UID and GID the next time the user logs in, so you are guaranteed consistent ownership for files and resources.

    Note This is in contrast to fully-featured DirectControl which stores UIDs and GIDs in Active Directory and provides tools that enable you to migrate local UIDs and GIDs to Active Directory, as well as map multiple UIDs to a single AD account.

    In addition to the UID and GID, DirectControl creates a home directory for the user with all the associated profile and configuration files. The location for the home directory is:

    Linux: /home/username

    Mac OS X: /Users/username

    When you join multiple Linux or Mac OS X computers to a domain, any Active Directory user who logs on to more than one computer will have the same DirectControl-generated UID on each machine.
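    To make the derivation concrete, here is an added Python example (not Centrify's code) that builds the 31-bit ID from a SID string and flags accounts whose generated IDs collide. It assumes the 9-bit prefix is taken from the low 9 bits of the last domain sub-authority (the value just before the RID); the SIDs it uses are constructed samples.

```python
# Added example, not Centrify code: derive the 31-bit Auto Zone UID/GID
# described in the guide from a SID string, and find accounts whose
# generated IDs collide. Assumption: the 9-bit prefix comes from the low
# 9 bits of the last domain sub-authority (the value just before the RID).
from __future__ import annotations

import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-\d+(?:-\d+){2,}$")

PREFIX_BITS = 9                    # "last 9 bits" of the SID, per the guide
RID_BITS = 22                      # "lower 22 bits" of the RID, per the guide
PREFIX_MASK = (1 << PREFIX_BITS) - 1
RID_MASK = (1 << RID_BITS) - 1


def parse_sid(sid: str) -> tuple[list[int], int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain sub-authorities, RID)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID string: {sid!r}")
    # Drop 'S', the revision and the identifier authority; the rest are
    # sub-authorities, the final one being the RID.
    subauths = [int(p) for p in sid.split("-")[3:]]
    return subauths[:-1], subauths[-1]


def auto_zone_id(sid: str) -> int:
    """Return the UID/GID DirectControl Express would derive for this SID.

    prefix (9 bits) << 22 | RID (low 22 bits) always fits in 31 bits, and
    the same SID yields the same ID on every joined computer.
    """
    domain_subauths, rid = parse_sid(sid)
    prefix = domain_subauths[-1] & PREFIX_MASK   # assumption: last domain sub-authority
    return (prefix << RID_BITS) | (rid & RID_MASK)


def find_collisions(sids: list[str]) -> dict[int, list[str]]:
    """Map each generated ID to the SIDs that produce it, keeping only clashes.

    Two accounts collide when their RIDs differ only above bit 22, or when
    two domains (for example across a two-way trust) share the low 9 bits
    of their last sub-authority; colliding accounts would own each other's
    files on every joined computer.
    """
    by_id: dict[int, list[str]] = defaultdict(list)
    for sid in sids:
        by_id[auto_zone_id(sid)].append(sid)
    return {uid: owners for uid, owners in by_id.items() if len(owners) > 1}


if __name__ == "__main__":
    # Constructed sample SIDs (not real accounts).
    sample = [
        "S-1-5-21-3623811015-3361044348-30300820-1013",   # user in domain A
        "S-1-5-21-3623811015-3361044348-30300820-1014",   # another user in A
        "S-1-5-21-1111-2222-30301332-1013",                # domain B, same low 9 bits
    ]
    for sid in sample:
        print(f"{sid} -> {auto_zone_id(sid)}")
    for uid, owners in find_collisions(sample).items():
        print(f"collision on {uid}: {owners}")
```

    Running find_collisions over the SIDs of every account that can log in (including trusted forests) is a cheap way to spot ownership clashes before relying on the generated IDs.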

    Although local users (such as those defined in /etc/passwd) may still log in to any local computer, if you want to control access through Active Directory, you should create Active Directory accounts for each user. You can then either delete the local account, or to preserve access to current home directories and files, map the local users on each computer to an AD account; see Mapping local UNIX accounts to Active Directory on page 57.


    Chapter 2

    Installing Centrify DirectControl Express

    This chapter provides step-by-step instructions for installing the Express version of the Centrify DirectControl Agent on a computer and joining a Linux or Mac OS X computer to the Active Directory domain.

    The following topics are covered:

    Preparing for installation

    Installing the Centrify DirectControl Agent

    Verifying the installation

    Troubleshooting adcheck errors

    Joining an Active Directory domain

    Adding generally-licensed features

    Updating the Express installation

    Removing Centrify DirectControl

    Chapter 2 Installing Centrify DirectControl Express 25


    Preparing for installation

    The Centrify DirectControl Agent needs to be installed on each UNIX computer you want to manage through Centrify DirectControl and Active Directory. Therefore, you should check that each computer where you plan to install is running a supported version of the Linux or Mac OS X operating system and meets the following requirements:

    For this            You need this

    Operating system    One of the supported operating environments. For information about the specific operating systems and version levels currently supported, see Supported Platforms on the Centrify Web site.

    CPU speed           300 MHz

    RAM                 10 MB

    Disk space          100 MB

    Note For the most complete and up-to-date information about supported platforms and version information, check the Centrify Web site or the Release Notes included with the software package. Some operating environments may require patches, updates, or bundles to work correctly, so check the Release Notes for any environment-specific requirements before installing. Also, you can check the Web site of your operating system vendor to identify the most recent patches and updates available.

    Verifying account permissions

    You need the following accounts to install DirectControl and join an Active Directory domain:

    To install on Linux you need the root account and password.

    To install on Mac OS X you need the local Administrator account and password.


    To join a domain, you need an Active Directory account (and password) with permission to add computers to the domain.

    Depending on your organization, this requirement might be more stringent; for example, in some organizations, an account with permission to add computers to the domain might need to be a member of the Domain Admins group. If you are not sure about the requirements of your organization, or do not know the name and password for an Active Directory account, check with your AD administrator.

    Installing the Centrify DirectControl Agent

    The files and directories you need to install on each Linux and Mac OS X computer you want to manage through Active Directory are bundled together in a platform-specific software package and installed using a native installation mechanism for each platform. You can install the Centrify DirectControl Agent in any of the following ways:

    (Recommended) Run the Centrify DirectControl installation script to automatically invoke the proper installation mechanism for a computer's local operating system with the appropriate command line options; see Installing the agent by using the installation script on page 28.

    On Mac OS X computers, use the graphical user interface to install; see Installing on Mac OS X by using the graphical user interface on page 31.

    Manually install any package by running the appropriate installation command yourself; see Using other programs to install DirectControl Agents on page 35.

    Note Centrify highly recommends that you use the installation script to install Centrify DirectControl Express because the installation script does the following:


    Automatically joins the computer to a domain.

    Sets the Agent to Express Mode.

    Runs operating system, network, and Active Directory tests to verify your environment.

    If you manually install the Agent, you must manually join a domain, manually turn off licensing to enable Express Mode after joining a domain, and manually run tests if you wish to verify your environment.

    Installing the agent by using the installation script

    To install on a Linux or Mac OS X computer:

    1 Log on or switch to the root user if you are installing on a computer running Linux or UNIX, or log on with a valid user account if you are installing on a computer with the Mac OS X operating system.

    Note Although you are not required to log on as the root user on the Macintosh computer, you must know the password for the Administrator account to complete the installation. In addition, joining the domain and configuring your environment is slightly different on Macintosh computers than on other platforms. Therefore, you should follow the steps in the section Joining the domain from Mac OS X computers on page 42 to join an Active Directory domain on computers running the Mac OS X operating system.

    2 Mount the cdrom device using the appropriate command for the local computer's operating environment, if necessary. If you have copied the package to another location or downloaded the package from an FTP server or Web site and are not using the CD, verify the location and go on to the next step.

    3 Change to the appropriate directory on the CD or to the directory where you have copied or downloaded the Centrify DirectControl package. For example, to install on a Linux computer from the Centrify DirectControl CD, change to the Unix directory:

        cd Unix

    Similarly, if you are installing on a Mac OS X computer, change to the MacOS directory.

    4 Run the install-express.sh script to start the installation of Centrify DirectControl on the local computer's operating environment. For example:

        ./install-express.sh

    The installation script runs a utility, adcheck, to verify that your environment is configured properly to work with Centrify DirectControl. You may see warning or error messages that may require immediate attention or may be something that you can fix after running the installation.

    For example, you will see a warning message if your machine has a version of OpenSSH that is not configured to work with Centrify DirectControl. However, by default, the installation script installs the DirectControl build of OpenSSH, which corrects this problem, so in this case you do not need to correct anything.

    See Troubleshooting adcheck errors on page 38 for more information about adcheck and how to fix any issues it uncovers.

    5 Respond to the installation prompts as follows:

        How do you want to proceed? (E|S|X|C|Q) [X]:

    Accept the default, X (for Express Edition), by pressing Enter.

        Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:

    Accept the default answer, Y (to run adcheck), by pressing Enter.

        Please enter the Active Directory domain to check:

    Enter the fully qualified name of your AD domain; for example, sales.acme.com.

        Join an Active Directory domain? (Q|Y|N) [Y]

    Accept the default answer, Y, to join a domain.

    Enter an authorized Active Directory user (one with permission to add computers to the domain) and password at the following prompts (see Verifying account permissions on page 26 for information about the accounts required for installing DirectControl and joining a domain); the default account, if you do not enter one, is administrator:

        Enter the Active Directory authorized user [administrator]:
        Enter the password for the Active Directory user:

    Press Enter to select the defaults for the following prompts:

        Enter the computer name: [QA1.sales.acme.com]
        Enter the container DN [Computers]:
        Enter the name of the domain controller [auto detect]:
        Reboot the computer after the installation (Q|Y|N) [Y]:

    You will see summary text similar to the following:

        You chose Centrify Suite Express Edition and entered the following:
        Install CentrifyDC 4.4.0 package: Y
        Install CentrifyDC-nis 4.4.0 package: N
        Install CentrifyDC-openssh 4.3.1 package: Y
        Install CentrifyDA 1.1.2 package: N
        Run adcheck : Y
        Join an Active Directory domain : Y
        Active Directory domain to join : sales.acme.com
        Active Directory authorized user : administrator
        computer name : QA1.sales.acme.com
        container DN : Computers
        domain controller name : auto detect
        Reboot computer : Y

    6 After reviewing the choices you have made, enter Y and press Enter.

    When the installation is complete, the computer prepares to reboot in 15 seconds if you specified to reboot after installation.


    Go to Verifying the installation on page 37 to see how to verify the installation.

    Installing on Mac OS X by using the graphical user interface

    This section explains how to install using the graphical user interface. To install using the installation script, see Installing the agent by using the installation script on page 28.

    To install the Centrify DirectControl Agent on a Mac OS X computer using the graphical user interface, complete the steps in the following procedure:

    Note Before launching the installer, be certain that the Apple Directory Utility is closed. If it is open while running the installer, it causes the Centrify DirectControl Directory Access plug-in to show the incorrect status, that is, it shows that the plug-in is disabled when in fact it is enabled.

    1 Log on with the Administrator or root user account.

    2 Navigate to the directory on the CD or your local network where the Centrify DirectControl Agent package is located. For example, if you are installing from the Centrify DirectControl CD, open the MacOS directory.

    3 Double-click the DMG file, for example:

        centrifydc-release-mac10.4.dmg

    4 Double-click ADCheck to open the ADCheck utility.

    ADCheck performs a set of operating system, network, and Active Directory checks to verify that the Mac OS X computer meets the system requirements necessary to install the Centrify DirectControl Agent and join an Active Directory domain.

    5 Enter the domain you intend to join with the Mac OS X computer and click AD Check.


    Note The ADCheck utility has a set of options; see the adcheck man page for details. You can specify options in the AD Domain window along with the domain name. For example, to run the network checks only and provide verbose output, enter the following, then click AD Check:

        -t net myDomain.com --verbose

    You can also run ADCheck as a command-line utility in a terminal window.

    6 Review the results of the checks performed. If the target computer, DNS environment, and Active Directory configuration pass all checks with no warnings or errors, you should be able to perform a successful installation and join.

    If you receive errors or warnings, correct them before proceeding with the installation. See Troubleshooting adcheck errors on page 38 for more information about adcheck and how to fix any issues it uncovers.

    7 Double-click CentrifyDC.pkg to open the Centrify DirectControl Installer package.

    8 Review the information on the Welcome page, then click Continue; review or print the terms of the license agreement and click Continue; then click Agree to agree to the terms of the license agreement.

    9 Select a volume for installing the Centrify DirectControl Agent, then click Continue.

    10 Click Install to begin installing the Centrify DirectControl Agent.

    If you see the following warning box, click OK. If you did not have Directory Utility running during the installation, you can ignore the warning. If Directory Utility was open, you can quit and restart it to show the correct status of the Centrify DirectControl plug-in.

    11 If prompted, enter the administrator name and password.


    12 (Optionally) If the computer is not already joined to a domain, you can choose to join the domain now or manually after completing installation. To join now, enter a domain name.

    Note You can click Show Advanced Options if you want to specify additional options when joining a domain. See Joining the domain from Mac OS X computers on page 42 for more information about joining a domain, including advanced options.

    13 Click Join Domain and enter the Active Directory user (defaults to Administrator) and password for the domain when prompted. The ADjoin dialog is configured to join in Express Mode.

    14 Click Close to close the installer.

    15 (Optionally) Reboot the computer to stop and restart all services.

    Go to Verifying the installation on page 37 to see how to verify the installation.


    Using other programs to install DirectControl Agents

    If you want to manually install a software package using a native installation program instead of the Centrify DirectControl installation script, you can follow the instructions in the release-notes text file for the package or use another native installation mechanism appropriate for the local operating environment. For example, if your operating environment supports another mechanism for installing and managing software packages, such as the SMIT or YAST programs, you can use those programs to install Centrify DirectControl software packages.

    Note Centrify highly recommends that you use the installation script to install Centrify DirectControl Express because the installation script automatically joins the computer to a domain, sets the Agent to Express Mode, runs operating system, network, and Active Directory tests to verify your environment, and installs the Centrify OpenSSH package, all of which you have to do manually if you use a native installer.

    To install Centrify DirectControl using a native installation program:

    1 Log on as or switch to the root user.

    2 If you are installing from a CD and the CD drive is not mounted automatically, use the appropriate command for the local computer's operating environment to mount the cdrom device.

    3 Copy the appropriate package for the local computer's operating environment to a local directory.

    For example, if installing from the CD and the operating environment is Enterprise Linux:

        cp /cdrom/cdrom0/Unix/centrify-suite-2010-rhel3-i386.tgz .

    If you aren't sure which file to use for the local operating environment, see the release-notes text file included in the package.


    4 If the software package is a compressed file, unzip and extract the contents. For example, on Red Hat Linux:

        gunzip -d centrify-suite-2010-rhel3-i386.tgz
        tar -xf centrify-suite-2010-rhel3-i386.tar

    5 Run the appropriate command for installing the package based on the local computer's operating environment. For example, on Red Hat Linux:

        rpm -Uvh centrifydc-release-rhel3-i386.rpm

    If you aren't sure which command to use for the local operating environment, see the release-notes text file included in the package.

    Note You are not required to use the specific commands described in the release-notes to install the software package manually. If your operating environment has programs such as the SMIT or YAST programs, you can use those programs to install the Centrify DirectControl package.

    6 Disable licensed features by running the adlicense --express command:

        adlicense --express

    Note The native installer installs Centrify DirectControl in full-featured mode; you must run the adlicense command to change to Express Mode.

    7 Join the domain by running the adjoin --workstation command, which connects you to Auto Zone; see Joining an Active Directory domain on page 40:

        adjoin --workstation domainName

    Note If you do not specify the --workstation option, the join will fail because adjoin will attempt to connect you to a specific zone, which is not allowed in Express Mode; you must connect to Auto Zone. See Understanding Zones and Auto Zone on page 20.

    8 (Optionally) Install the Centrify OpenSSH package; for example:

        rpm -Uvh centrifydc-openssh-release-rhel3-i386.rpm

    Go to Verifying the installation on page 37 to see how to verify the installation.

    Verifying the installation

    When a computer is joined to Active Directory, all Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest, are valid users or groups for the joined machine. Therefore, after running the installation script, which installed the Centrify DirectControl Agent and joined your computer to a domain, you can log in as any Active Directory user.

    1 Log in using an Active Directory user account.

    When a user logs in for the first time, the system creates a /home/userName directory.

    2 Run the adinfo command to see information about the Active Directory configuration for the local computer. You should see output similar to the following:

        Local host name:   QA1
        Joined to domain:  sales.acme.com
        Joined as:         QA1.sales.acme.com
        Pre-win2K name:    QA1
        Current DC:        acme-dc1.sales.acme.com
        Preferred site:    Default-First-Site
        Zone:              Auto Zone
        Last password set: 2009-11-12 12:01:31 PST
        CentrifyDC mode:   connected
        Licensed Features: Disabled

    Note that licensed features are disabled and that the zone is Auto Zone, which essentially is a super zone for the entire forest. Creating actual zones requires a licensed copy of Centrify DirectControl.
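    As an added check (example code, not from the guide), the following Python parses adinfo output such as the sample above and reports anything that does not match an Express Mode join; the sample output it carries is constructed from the values shown here.

```python
# Added example, not part of the guide: parse adinfo output and confirm the
# join landed in Express Mode (Auto Zone, licensed features disabled, agent
# connected). SAMPLE_ADINFO is constructed from the values the guide shows.
from __future__ import annotations

SAMPLE_ADINFO = """\
Local host name:   QA1
Joined to domain:  sales.acme.com
Joined as:         QA1.sales.acme.com
Pre-win2K name:    QA1
Current DC:        acme-dc1.sales.acme.com
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode:   connected
Licensed Features: Disabled
"""


def parse_adinfo(text: str) -> dict[str, str]:
    """Turn 'Key: value' lines into a dict.

    Split on the first colon only, so a timestamp such as '12:01:31' in the
    'Last password set' line stays intact.
    """
    info: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def express_join_problems(info: dict[str, str]) -> list[str]:
    """Return the reasons this computer is not a correctly joined Express
    computer; an empty list means it matches what the guide expects."""
    problems: list[str] = []
    if not info.get("Joined to domain"):
        problems.append("not joined to any domain (run adjoin --workstation)")
    if info.get("Zone") != "Auto Zone":
        problems.append(
            f"joined to zone {info.get('Zone')!r}; Express Mode requires Auto Zone"
        )
    if info.get("Licensed Features", "").lower() != "disabled":
        problems.append("licensed features still enabled (run adlicense --express)")
    if info.get("CentrifyDC mode") != "connected":
        problems.append(
            f"agent mode is {info.get('CentrifyDC mode')!r}, expected 'connected'"
        )
    return problems


def check_adinfo_output(text: str) -> list[str]:
    """Convenience wrapper: raw adinfo text in, list of problems out."""
    return express_join_problems(parse_adinfo(text))


if __name__ == "__main__":
    # On a joined computer, feed it the real output instead:
    # subprocess.run(["adinfo"], capture_output=True, text=True).stdout
    for problem in check_adinfo_output(SAMPLE_ADINFO) or ["Express Mode join looks correct"]:
        print(problem)
```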

    The Linux or Mac OS X computer is now joined to the domain just like any Windows machine in the domain. See Chapter 3, Using DirectControl Express, for some of the ways Centrify DirectControl Express simplifies administration of your Linux and Mac OS X computers.

    Locating Centrify DirectControl directories and files

    When you complete the installation, the local computer will be updated with the following directories and files for Centrify DirectControl:

    This directory            Contains

    /etc/centrifydc           The Centrify DirectControl Agent configuration file and the Kerberos configuration file.

    /usr/share/centrifydc     Kerberos-related files and service library files used by the Centrify DirectControl Agent to enable group policy and authentication and authorization services.

    /usr/sbin and /usr/bin    Command line programs to perform Active Directory tasks, such as join the domain and change a user password.

    /var/centrifydc           No files until you join the domain. After you join the domain, several files are created in this directory to record information about the Active Directory domain the computer is joined to, the Active Directory site the computer is part of, and other details.

    Troubleshooting adcheck errors

    You can run adcheck before, during, or after installation to verify that your system is configured properly for Centrify DirectControl. This utility performs three sets of checks that are controlled by the following options:

    -t os checks the operating system, disk size, and Perl and Samba installations.

    -t net checks DNS to verify that the local system is configured correctly and that the DNS server is available and healthy.

    -t ad includes the -t net checks and verifies that the domain has a valid domain controller.

    Correcting errors for the os check

    The -t os option performs a series of checks that verify operating-system basics for the machine on which you are installing Centrify DirectControl. This option performs the following specific checks:

        OSCHK    : Verify that this is a supported OS
        PATCH    : Linux patch check                                Pass
        PERL     : Verify perl is present and is a good version    Pass
        SAMBA    : Inspecting samba installation
        SPACECHK : Check if has enough disk space in /var /usr /tmp

    The operating system checks are self-explanatory. If your computer fails one of these checks, you need to upgrade the machine with a new operating system version or patch, a new Perl or Samba version, or free up sufficient disk space.

    Note If you get a warning about your Samba installation, you can install Centrify-enabled Samba as part of the DirectControl Express installation.

    Correcting warnings and errors for the net check

    The -t net option performs a series of checks that verify DNS is correctly configured on your local machine and that the DNS server is running properly. There is also a check to verify that you are running a supported version of OpenSSH.

    Note A supported version of OpenSSH is automatically installed by the installation script. If you get a warning about your OpenSSH version before installation, you can ignore it.

    This option performs the following specific checks:

        NSHOSTS  : Check hosts line in /etc/nsswitch.conf
        DNSPROBE : Probe DNS server 192.168.43.130
        DNSCHECK : Analyze basic health of DNS servers
        WHATSSH  : Is this an SSH that DirectControl works well with
        SSH      : SSHD version and configuration

    Because Centrify DirectControl uses DNS to locate the domain controllers for the Active Directory forest, the appropriate DNS nameservers need to be specified in the local /etc/resolv.conf file on each UNIX computer before the computer can join the domain. If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.

    Correcting errors for the ad check

    The -t ad option locates each domain controller in DNS and then does a port scan and DNS lookup of each. The checks for this option also verify the global catalog and verify clock and domain synchronization. The specific checks performed by this option are as follows:

    Note The -t ad option runs the -t net checks as well as the -t ad checks.

        DOMNAME : Check that the domain name is reasonable
        ADDC    : Find domain controllers in DNS
        ADDNS   : DNS lookup of DC centrify-mkdaze.mkline.local
        ADPORT  : Port scan of DC centrify-mkdaze.mkline.local
        ADDNS   : DNS lookup of DC centrify-mkdaze.mkline.local
        GCPORT  : Port scan of GC centrify-mkdaze.mkline.local
        DCUP    : Check DCs in mkline.local
        SITEUP  : Check DCs for mkline.local in our site
        DNSSYM  : Check DNS server symmetry
        ADSITE  : Check that this machine's subnet is in a site known by AD
        GSITE   : See if we think this is the correct site
        TIME    : Check clock synchronization
        ADSYNC  : Check domains all synchronized

    If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.

    Joining an Active Directory domain

    When you install the Centrify DirectControl Agent on a UNIX computer, you can automatically join that computer to an Active Directory domain by selecting the option to do so in the Centrify DirectControl installation script, install-express.sh.

    However, if you don't join the domain when you run the installation script, or if you leave a domain for any reason and want to rejoin, you can manually join a domain by using the adjoin command.

    When using Centrify DirectControl Express, you can only connect to a domain through Auto Zone, not by connecting to a specific zone. Connecting to a zone requires Centrify DirectControl licensed features. To connect to Auto Zone, you use the adjoin --workstation option.

    Note On the Mac OS, joining the domain and configuring your environment is slightly different than on other platforms. Therefore, you should follow the steps in the section Joining the domain from Mac OS X computers on page 42 to join an Active Directory domain when the Centrify DirectControl Agent is installed on Mac OS X computers.

    To join an Active Directory domain manually on a Linux or UNIX computer:

    1 On the UNIX computer, log in as or switch to the root user.

    2 Run adjoin to join an existing Active Directory domain. You should join the domain using a fully-qualified domain name. You must specify the --workstation option.

    For example, to join the sales.acme.com domain with the user account dylan:

        adjoin --user dylan --workstation sales.acme.com

    The user account you specify must have permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account simply needs to be a valid domain user account. If you don't specify a user with the --user option, the Administrator account is used by default.

    3 Type the password for the specified user account.

    If Centrify DirectControl can connect to Active Directory and join the domain, a confirmation message is displayed. All Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest, are valid users or groups for the joined machine.

    Joining the domain from Mac OS X computers

    You can use either the ADJoin GUI utility or the adjoin command line tool to join a domain. This section shows how to use the ADJoin GUI utility, which is specific to Mac OS X. For information on adjoin, see the DirectControl Administrator's Guide, or the man page for adjoin.

    To start the Centrify DirectControl program for joining or leaving a domain:

    1 Open Applications > Utilities > Centrify, then double-click Adjoin to open it.

    2 Type the name of the Active Directory domain you want to join and select Auto Zone.

    You can also type a different computer name if you want to use a different name for the local host in Active Directory. Check Overwrite existing joined Computer to overwrite the information stored in Active Directory for an existing computer account with the same name as the local computer. This is the same as running the adjoin command with the --force option.

    If you want to use the default settings for joining the domain, you can continue to the next step. If you want to specify additional options, click Show advanced options to display the additional options:


    Select this option      To do this

    Container DN
        Specify the distinguished name (DN) of the container or Organizational Unit in which you want to place this computer account. By default, computer accounts are created in the domain's default Computers container.
        If you want to specify a container, check this option, then type the DN without its domain suffix. For example, if the domain suffix is acme.com and you want to place this computer in the paris.regional.sales.acme.com organizational unit, you would type:
            ou=paris, ou=regional, ou=sales
        Checking this option is the same as running the adjoin command with the --container option.

    Preferred Domain Server
        Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.
        Checking this option is the same as running the adjoin command with the --server option.

    Computer Alias Name
        Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias, and the computer may be referred to by this alias.
        Checking this option is the same as running the adjoin command with the --alias option.

    For more information about these options, see Using adjoin on page 80.

    3 The Disable Licensed Features button turns off licensing for DirectControl on the local computer, making it an Express installation. For a Standard Centrify Suite 2010 installation, you can ignore this button. See the Centrify Suite Express Edition Administrator's Guide for complete information on installing and configuring Centrify DirectControl Express.

    4 Click Join Domain.

    5 Type the Active Directory user name and password for a user with permission to join the local computer to the Active Directory domain, then click OK.

    The following option also appears under Show advanced options (a continuation of the table above):

    Do not update PAM and DirectoryService configuration
        Indicate that you do not want the local system's PAM and DirectoryService configuration updated. If you don't want the PAM files and DirectoryService configuration updated automatically, check this option.
        Checking this option is the same as running the adjoin command with the --noconf option.


    6 Type the user name and password for the local Administrator account.
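    The Container DN value described in the advanced options above can be derived from a dotted OU path. This is an added example, not code from the Centrify guide; the OU path and domain are the guide's own example values.

```shell
#!/bin/sh
# Added example, not part of the Centrify guide: build the Container DN value
# the ADJoin dialog (or adjoin --container) expects from a dotted OU path and
# the domain suffix. The OU path and domain are the guide's own example.

# ou_container_dn OU_PATH DOMAIN: print "ou=a,ou=b,..." for the part of
# OU_PATH that precedes ".DOMAIN"; fail if OU_PATH is not under DOMAIN.
ou_container_dn() {
    path=$1; domain=$2
    case "$path" in
        *".$domain") ;;
        *) echo "error: $path is not inside $domain" >&2; return 1 ;;
    esac
    rel=${path%".$domain"}
    # one ou= component per label, most specific (leftmost) first, as the
    # guide writes it; the guide adds a space after each comma, which DN
    # syntax also allows
    printf '%s\n' "$rel" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sou=%s", (i > 1 ? "," : ""), $i; print "" }'
}

ou_container_dn paris.regional.sales.acme.com acme.com   # ou=paris,ou=regional,ou=sales
```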

    Restarting services after installing or joining the domain

    You may need to restart some services on UNIX computers where you have installed the Centrify DirectControl Agent so that those services will reread the name switch configuration file. For example, if you typically log on to the UNIX computer through a graphical desktop manager such as gdm, you need to either restart the gdm service or reboot the workstation to force the service to read the updated configuration before Active Directory users can log on. The most common services that need to be restarted are sshd and gdm. If you are using these services, you should restart them. For example, to restart sshd:

        /etc/init.d/sshd restart

    As an alternative to restarting individual services, you may want to reboot the system to restart all services.

    Note Because the applications and services on different servers may vary, Centrify recommends that you reboot each system at your earliest convenience to ensure all of the applications and services on the system read the Centrify DirectControl configuration changes.

    Adding generally-licensed features

    To take full advantage of all Centrify DirectControl features, including the ability to create zones and apply group policies, you need to run a generally-licensed version of the product.

    To upgrade to a generally-licensed version of Centrify DirectControl, complete the following steps:

    1 Obtain a license or download an evaluation copy from the centrify.com website.

    2 On a Windows machine that is joined to the domain, run the Centrify Suite 2010 setup program to install the Centrify DirectControl Management Tools.

    3 On the UNIX machine that is running Centrify DirectControl Express, run the following command to enable licensed features. If successful, you will see a message about group policies:

        adlicense --licensed
        Group policies will be initialized on background

    4 Run a command similar to the following to verify that licensing has been enabled:

        adinfo
        Local host name: qa1
        Joined to domain: acme.com
        Joined as: qa1.acme.com
        Pre-win2K name: qa1
        Current DC: acme-dc1.acme.com
        Preferred site: Default-First-Site
        Zone: Auto Zone
        Last password set: 2009-11-12 12:01:31 PST
        CentrifyDC mode: connected
        Licensed Features: Enabled

    5 After enabling licensed features, the computer is still connected to Auto Zone. To connect to a specific zone, you must leave, then rejoin the domain:

        adleave
        Active Directory password: ***
        ...
        Left Active Directory domain
        Centrify DirectControl stopped.

        adjoin acme.com

    If you do not specify a zone, as in this example, you are automatically connected to the default zone. If you have already created zones, you can specify a zone on the command line; for example, to connect to the Finance zone:

        adjoin -z Finance acme.com

    You may also move a computer to a different zone by using the DirectControl Console. See the Administrator's Guide for details.

    See the Centrify DirectControl Administrator's Guide and the Planning and Deployment Guide for information about creating and managing zones, using group policy, and other Centrify DirectControl features.

    Although enabling licensing gives you access to all DirectControl features, the Express installation does not install all optional packages, such as CentrifyDC NIS or DirectAudit. To install additional DirectControl packages, rerun the installation script as described in the next section, Updating the Express installation.

    Updating the Express installation

    To update from an Express installation to a full Centrify DirectControl product, you can simply turn on licensed features as explained in Adding generally-licensed features on page 46. However, certain optional Centrify DirectControl packages are not installed by the Express installation. To add these packages, you must rerun the installation script, as follows:

    1 Change to the appropriate directory on the CD or to the directory where you have copied or downloaded the Centrify DirectControl package. Then run the installation script that you used originally to install Centrify DirectControl:

        install.sh

    Alternately, you can download and unzip a new DirectControl package and run its installation script.

    2 You are prompted whether to keep, erase, or reinstall the currently installed packages (CentrifyDC and Centrify openSSH) and whether to install specific new packages. Accept the default (K, keep) for the currently installed packages, and specify yes (Y) for the packages you want to add; for example, Centrify DirectControl NIS and DirectAudit.

    For the following prompt, type Y and press Enter to enable licensed features. Be certain that you have installed the Centrify DirectControl Console on a Windows machine and have an available license.

        Enable licensed features? (Q|Y|N) [Y]:

    You can also choose to run adcheck, enable auditing (if you installed DirectAudit), and reboot the computer after installation.

    The computer remains joined to the domain you previously joined. Your existing /etc/centrifydc/centrifydc.conf file is backed up, and any modifications you have made to the file are migrated to the new version of the file.

    3 Restart running services, such as login, sshd, or gdm (if you did not reboot during installation), or reboot the computer to ensure all services use the updated configuration. For example, you can run the following command to stop running sessions:

        pkill -1 sshd

    Removing Centrify DirectControl

    On most Centrify DirectControl-managed systems, you can remove the Centrify DirectControl Agent and related files by running the uninstall.sh script. The uninstall.sh script is installed by default in the /usr/share/centrifydc/bin directory on each Centrify DirectControl-managed system.

    To remove Centrify DirectControl on a Linux, UNIX, or Mac OS X computer:

    1 Log on to the computer where the Centrify DirectControl Agent is installed.


    2 Run the uninstall.sh script. For example:

        /bin/sh /usr/share/centrifydc/bin/uninstall.sh

    The uninstall.sh script will detect whether the Centrify DirectControl Agent is currently installed on the local computer and will ask you whether you want to uninstall your current Centrify DirectControl installation.

    3 To uninstall Centrify DirectControl, enter Y when prompted.

    If you cannot locate or are unable to run the uninstall.sh script, you can use the appropriate command for the local operating environment to remove the Centrify DirectControl Agent and related files. The following table summarizes the commands to use in different environments:

    To remove from      Do this

    Red Hat Linux       Run the following command: rpm -e centrifydc
    SuSE Linux          Run the following command: rpm -e centrifydc
    Debian Linux        Run the following command: dpkg -P centrifydc
    Mac OS X            You must use the uninstall.sh script to remove Centrify DirectControl files on Macintosh computers.

    Chapter 3 Using DirectControl Express

    This chapter explains how to perform basic administrative tasks with DirectControl Express.

    The following topics are covered:

    Logging in to your computer

    Applying password policies and changing passwords

    Working in disconnected mode

    Mapping local UNIX accounts to Active Directory

    Setting a local override account

    Using standard programs such as telnet, ssh, and ftp

    Using Samba

    Setting Auto Zone configuration parameters


    Logging in to your computer

    When you install Centrify DirectControl Express on a computer and join a domain, all users and groups defined in Active Directory for the forest automatically become valid users and groups on the machine. In addition, all Active Directory users defined in a forest with a two-way, cross-forest trust relationship to the forest of the joined domain are also valid users for the machine.

    To see a list of valid users, open Active Directory Users and Computers (ADUC) on a Windows machine in the domain, then navigate to domainName > Users.

    Note By default, DirectControl transforms Active Directory names into UNIX names in the form of a SAM name (short name in Mac OS X); for example, jcool. You can specify a different form for the UNIX name by setting the value of the auto.schema.name.format parameter in the DirectControl configuration file.

    You log in to a computer exactly as you do locally by entering a username and password. You do not have to specify the domain name when you log in.

    DirectControl accepts the following login formats:

    AD username (samAccountName or Mac OS X short name) and password; for example:
        jcool

    AD username@domain (userPrincipalName) and password; for example:
        jcool@mkline.com

    NTLM style (domain\username) and password; for example:
        mkline\jcool
        mkline.com\jcool

    When users are defined in a local forest, you can locate them in Active Directory with any of the user login formats, that is, by their UNIX profile name, their userPrincipalName, or their samAccountName in the form of their user logon name alone or in its full pre-Windows 2000 format of domainname\username.

    Getting information about the Active Directory configuration

    When logged in as an ordinary user or as the root user, you can use the adinfo command to see information about the Active Directory configuration for the local computer. For example:

        adinfo
        Local host name: QA1
        Joined to domain: sales.acme.com
        Joined as: QA1.sales.acme.com
        Pre-win2K name: QA1
        Current DC: acme-dc1.sales.acme.com
        Preferred site: Default-First-Site
        Zone: Auto Zone
        Last password set: 2009-11-12 12:01:31 PST
        CentrifyDC mode: connected
        Licensed Features: Disabled

    Note that licensed features are disabled and that the zone is Auto Zone.

    Centrify DirectControl Standard Edition uses its zone technology to provide secure, granular access control and delegated administration for UNIX computers joined to a domain. DirectControl Express, on the other hand, does not provide the ability to create zones. When a computer joins a domain, it is automatically joined to Auto Zone. This greatly simplifies the process of joining a domain but does not provide the same granular access control as defining and using zones does.

    Auto Zone essentially is one super zone for the forest. With Auto Zone, UNIX attributes that would be defined in the zone to which the UNIX machine is joined (with Centrify DirectControl Standard Edition) are derived from user attributes in Active Directory, or from DirectControl configuration parameters.
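    The adinfo output shown above (and the post-upgrade output in Adding generally-licensed features) is what an administrator checks to confirm the state of a host. The following shell functions, an added example rather than anything from the Centrify guide, parse that output and classify the host; the three sample outputs are constructed from the guide's example values, and the "disconnected" mode string is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Centrify guide: check the state a UNIX host
# reports through adinfo. The field labels are the ones the guide shows;
# the sample outputs below are constructed from the guide's example.

# adinfo_field OUTPUT LABEL: print the value of the "LABEL: value" line.
adinfo_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# adinfo_status OUTPUT: classify the host and return 0 only when it is
# connected to a domain. Prints one of:
#   not-joined          no "Joined to domain" line (host never joined)
#   disconnected        joined, but CentrifyDC mode is not "connected"
#   express-connected   connected, Auto Zone, licensed features disabled
#   licensed-connected  connected, licensed features enabled (any zone)
#   inconsistent        licensed features disabled but not in Auto Zone
adinfo_status() {
    out=$1
    domain=$(adinfo_field "$out" "Joined to domain")
    mode=$(adinfo_field "$out" "CentrifyDC mode")
    zone=$(adinfo_field "$out" "Zone")
    lic=$(adinfo_field "$out" "Licensed Features")
    if [ -z "$domain" ]; then
        echo not-joined; return 1
    elif [ "$mode" != "connected" ]; then
        # running on cached credentials: AD changes (disabled account,
        # new password) are not visible until the host reconnects
        echo disconnected; return 1
    elif [ "$lic" = "Enabled" ]; then
        echo licensed-connected
    elif [ "$zone" = "Auto Zone" ]; then
        echo express-connected
    else
        echo inconsistent; return 1
    fi
    return 0
}

# Constructed sample: an Express host, as shown in the guide.
SAMPLE_EXPRESS='Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled'

# Constructed sample: the same host after adlicense --licensed and a rejoin
# with adjoin -z Finance.
SAMPLE_LICENSED=$(printf '%s\n' "$SAMPLE_EXPRESS" \
    | sed -e 's/^Zone: .*/Zone: Finance/' -e 's/^Licensed Features: .*/Licensed Features: Enabled/')

# Constructed sample (mode string assumed): the Express host while no domain
# controller is reachable.
SAMPLE_DISCONNECTED=$(printf '%s\n' "$SAMPLE_EXPRESS" \
    | sed 's/^CentrifyDC mode: .*/CentrifyDC mode: disconnected/')

# Print each verdict; on a real host you would pass "$(adinfo)" instead.
for sample in "$SAMPLE_EXPRESS" "$SAMPLE_LICENSED" "$SAMPLE_DISCONNECTED"; do
    adinfo_status "$sample" || true
done
```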


    Applying password policies and changing passwords

    Centrify DirectControl enforces all of the password policies you have defined in Active Directory for the UNIX accounts you enable. Therefore, if you create a new UNIX user account that requires a password change the next time the user logs on, the user is prompted to change the password the next time she logs on to either a Windows or UNIX computer.

    When the user provides a new password, Centrify DirectControl checks the new password to make sure it conforms to Active Directory policies for length and complexity. If the new password meets all of the criteria, the account is updated with the new information in Active Directory and the user logs on successfully.

    Centrify DirectControl also enforces the password expiration period, the password reuse policy, account lockout policy, workstation restrictions, and logon hour restrictions if you have defined these policies for any user account. In addition, Centrify DirectControl displays a warning message on the UNIX computer if a user's password is about to expire.

    Administrators can set, reset, or change the password for users using Active Directory or from the UNIX command line. Individual users can also change their own password at any time using the adpasswd command.

    Changing your own password

    If you attempt to log in but your password has expired, you are prompted to provide your old password, a new password, and to confirm your new password. You can also change your own password at any time using adpasswd.

    To change your own password using adpasswd:

    1 At the UNIX command line, run the following command:

        adpasswd

    2 Type your old password. When changing your own password, you must always provide your old password.

    3 Type the new password. The password should conform to Active Directory password policies.

    4 Retype the new password.

    For more information about using adpasswd, see the adpasswd man page or Using adpasswd on page 104.

    Changing another user's password

    The adpasswd command can be used to change the password of another Active Directory user if you provide the user name and password of an administrative account with the authority to change another user's password.

    To change the password for another user using adpasswd:

    1 At the UNIX command line, run the adpasswd command and specify an Active Directory administrative account name with the authority to change the password for users in the domain. For example, to use the admin user account to change the password for the user jane in the sales.acme.com domain:

        adpasswd --adminuser admin@sales.acme.com jane@sales.acme.com

    2 Type the password for the administrative account. For example:

        Administrator password: xxx

    3 Type the new password for the user specified. Because you are changing another user's password, you are not prompted for an old password. For example:

        New password:

    4 Retype the new password.

        Repeat password:

    For more information about using adpasswd, see the adpasswd man page or Using adpasswd on page 104.


    Working in disconnected mode

    Once an Active Directory user logs on to a UNIX computer successfully, the authentication is cached by the Centrify DirectControl Agent. These credentials can then be used to authenticate the user in subsequent log on attempts if the user is disconnected from the network or an Active Directory domain controller is not available.

    If there are changes to an account while the account is running in disconnected mode, the changes don't take effect until the user reconnects to Active Directory to start a new session or access a new service. For example, if a user account is disabled or has its password changed in Active Directory while the user is disconnected from the network, the user can still log on and use the old password until reconnected to the network. Once the user reconnects to Active Directory, the changes take effect and the user is denied access or prompted to provide an updated password. Because changing the password for an Active Directory account requires a connection to an Active Directory domain controller, users cannot change their own Active Directory password when working in disconnected mode.

    Note If users log out of a session while disconnected from Active Directory, they can be authenticated using the information in the cache when they log back on because they have been successfully authenticated in a previous session. They cannot, however, be authenticated automatically to any additional services after logging back on. To enable automatic authentication for additional services, the user's credentials must be presented to the Key Distribution Center (KDC), which then issues a ticket that can be presented to other services for unprompted, single sign-on authentication. Because the KDC is unavailable when disconnected from Active Directory, single sign-on authentication is also unavailable.

    You can configure many aspects of how credentials are handled, including how frequently they are updated or discarded, through Centrify DirectControl parameter settings in the Centrify DirectControl configuration file.

    To configure how credentials are handled across multiple computers by using group policies, upgrade from Express to Centrify DirectControl Standard or Enterprise Edition.

    Mapping local UNIX accounts to Active Directory

    By default, local UNIX user accounts are still valid on the UNIX computers that join the Active Directory domain. You can then use Centrify DirectControl configuration parameter settings to control any special handling for select accounts. For example, you can use configuration parameters to map a local user account to an Active Directory account. Mapping a local UNIX user account to an Active Directory account gives you Active Directory-based control over password policies, such as password length, complexity, and expiration period.

    Mapping a local account to Active Directory is especially useful if you want to migrate an existing local user to an Active Directory account but preserve access to their current Linux or Mac OS X home directory and files. For example, if you create an Active Directory account for an existing local user but specify a different name, when the user logs in, they will have a new home directory and will not be able to access their former home directory and files.

    To map a local account to an Active Directory account, you can set the pam.mapuser.username configuration parameter on any individual local computer.

    To configure account mapping across multiple computers by using group policies, upgrade from Express to a generally-featured version of Centrify DirectControl.

    Using the pam.mapuser parameter to map local accounts

    To map a local user account to an Active Directory user by modifying the Centrify DirectControl configuration file:


    1 Create the Active Directory user account to use.

    On your Windows Active Directory computer, open Active Directory Users and Computers (ADUC). Navigate to the Users node, right click and select New > User.

    Enter the information for the user. You can create any name you want for the user, but if you want the AD user to have access to the same home directory and files as the local user, create a user logon name with the same name as the local user; for example, for the local user joe.cool on the qa2 computer in the acme.com domain:

        [joe.cool@qa2 ~]$

    2 On the Linux or Mac OS X computer, open the Centrify DirectControl configuration file /etc/centrifydc/centrifydc.conf.

    3 Locate the pam.mapuser.root configuration parameter and un-comment the line to change the default setting.

    4 Modify the local account mapping to identify the local user account you want mapped to the Active Directory user you created; for example:

        pam.mapuser.joe.cool: joe.cool

    5 Save the changes to the configuration file, then run the adreload command to reload the configuration file and have the changes take effect.
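    Steps 2 through 5 above can be scripted so the configuration file ends up with exactly one active pam.mapuser line per local user. The following functions are an added example, not code from the Centrify guide; they work on a constructed copy of centrifydc.conf and assume the "pam.mapuser.<local user>: <AD user>" form the guide describes.

```shell
#!/bin/sh
# Added example, not part of the Centrify guide: set a pam.mapuser entry in
# centrifydc.conf without leaving duplicate or commented-out copies behind.
# The parameter form "pam.mapuser.<local user>: <AD user>" is the one the
# guide describes; the sample file is constructed. After editing the real
# /etc/centrifydc/centrifydc.conf, run adreload as the guide says.

# regex_escape STRING: escape characters that are special in a sed pattern
# (user names commonly contain dots, as in joe.cool).
regex_escape() {
    printf '%s' "$1" | sed 's/[][\\.*^$]/\\&/g'
}

# get_mapping CONF LOCAL: print the AD user LOCAL is mapped to, if any.
get_mapping() {
    key_re=$(regex_escape "pam.mapuser.$2")
    sed -n "s/^$key_re:[[:space:]]*//p" "$1" | head -n 1
}

# map_local_user CONF LOCAL ADUSER: make CONF contain exactly one active
# "pam.mapuser.LOCAL: ADUSER" line. Prints added, uncommented, updated or
# unchanged. Values must not contain '/' or '&' (sed replacement text).
map_local_user() {
    conf=$1; key="pam.mapuser.$2"; ad_user=$3
    key_re=$(regex_escape "$key")
    tmp="$conf.tmp"
    if grep -q "^$key_re:" "$conf"; then
        if [ "$(get_mapping "$conf" "$2")" = "$ad_user" ]; then
            echo unchanged; return 0
        fi
        sed "s/^$key_re:.*/$key: $ad_user/" "$conf" > "$tmp" && mv "$tmp" "$conf"
        echo updated
    elif grep -q "^#[[:space:]]*$key_re:" "$conf"; then
        # the shipped file carries a commented example such as #pam.mapuser.root: root
        sed "s/^#[[:space:]]*$key_re:.*/$key: $ad_user/" "$conf" > "$tmp" && mv "$tmp" "$conf"
        echo uncommented
    else
        printf '%s: %s\n' "$key" "$ad_user" >> "$conf"
        echo added
    fi
}

# write_sample_conf PATH: write a constructed fragment of centrifydc.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed fragment of /etc/centrifydc/centrifydc.conf
#pam.mapuser.root: root
EOF
}

# Demonstration on a temporary copy, never on the live file.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/centrifydc.conf"
map_local_user "$demo_dir/centrifydc.conf" joe.cool joe.cool   # added
map_local_user "$demo_dir/centrifydc.conf" joe.cool joe.cool   # unchanged
cat "$demo_dir/centrifydc.conf"
rm -rf "$demo_dir"
```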

    Setting a local override account

    In most cases, every computer should have at least one account that can be authenticated locally to ensure you can access the system when the network or Active Directory is not available or Centrify DirectControl is not running. By default, the local override account is set to the root user so that even if you map the root account to an Active Directory account, you can always log on locally using root@localhost and the local root account password.

    You can change the default root
