Centrify DirectControl Express Edition (docshare04.docshare.tips/files/5839/58394439.pdf, 2017-02-16)

Centrify DirectControl Express Edition

Administrator’s Guide

February 2011

Centrify Corporation


Legal notice

This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2011 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectControl, and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, and DirectSecure are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

Contents

About this guide
  Intended audience
  Using this guide
  Conventions used in this guide
  Where to go for more information
  Contacting Centrify

Chapter 1  Introduction
  Understanding Centrify DirectControl Express
  Understanding the Centrify DirectControl Agent
  Comparing Centrify Suite 2011 Express Edition to other editions
  Understanding Zones and Auto Zone
  Understanding how DirectControl generates consistent UNIX UIDs

Chapter 2  Installing Centrify DirectControl Express
  Preparing for installation
  Installing the Centrify DirectControl Agent
  Verifying the installation
  Troubleshooting adcheck errors
  Joining an Active Directory domain
  Adding generally-licensed features
  Updating the Express installation
  Removing Centrify DirectControl

Chapter 3  Using DirectControl Express
  Logging in to your computer
  Applying password policies and changing passwords
  Working in disconnected mode
  Mapping local UNIX accounts to Active Directory
  Setting a local override account
  Using standard programs such as telnet, ssh, and ftp
  Using Samba
  Setting Auto Zone configuration parameters

Chapter 4  Troubleshooting Centrify DirectControl
  Understanding diagnostic tools and log files
  Configuring logging for Centrify DirectControl
  Collecting diagnostic information
  Working with DNS, Active Directory, and DirectControl
  Understanding the DirectControl DNS client

Appendix A  Using Centrify DirectControl UNIX commands
  Understanding when to use command-line programs
  Displaying usage information and man pages
  Understanding common result codes
  Using adjoin
  Using adleave
  Using adcheck
  Using adlicense
  Using adpasswd
  Using adquery
  Using adinfo
  Using addebug
  Using adfinddomain
  Using adflush
  Using adid
  Using adclient
  Using adcache
  Using adreload

Appendix B  Customizing Auto Zone configuration parameters
  auto.schema.primary.gid
  auto.schema.private.group
  auto.schema.shell
  auto.schema.homedir
  auto.schema.use.adhomedir
  auto.schema.remote.file.service
  auto.schema.name.format
  auto.schema.separator
  auto.schema.domain.prefix
  auto.schema.search.return.max
  auto.schema.name.lower
  auto.schema.iterate.cache
  adclient.ntlm.separators

Appendix C  Customizing PAM-related configuration parameters
  pam.allow.groups
  pam.allow.override
  pam.allow.password.change
  pam.allow.password.change.mesg
  pam.allow.password.expired.access
  pam.allow.password.expired.access.mesg
  pam.allow.users
  pam.deny.groups
  pam.deny.users
  pam.ignore.users
  pam.mapuser.username
  pam.password.change.mesg
  pam.password.change.required.mesg
  pam.password.confirm.mesg
  pam.password.empty.mesg
  pam.password.enter.mesg
  pam.password.expiry.warn.mesg
  pam.password.new.mesg
  pam.password.new.mismatch.mesg
  pam.password.old.mesg
  pam.policy.violation.mesg

Appendix D  Using DirectControl with SSH
  About SSH and DirectControl
  Setting up SSH
  Testing SSH on UNIX
  Testing SSH from a Windows machine

Index

About this guide

Centrify Suite 2011 centrally secures cross-platform data centers through Active Directory-based identity and access management of the industry's widest range of heterogeneous systems, hypervisors and applications. Built on an integrated architecture, the Centrify Suite enables organizations to reduce IT expense, improve end-user productivity, strengthen security and enhance regulatory compliance.

This guide describes Centrify DirectControl Express, the main component of the Express version of Centrify Suite 2011, which allows a supported machine to join Active Directory and authenticate users with minimal configuration. As your IT structure grows in size and complexity, the Express version allows seamless upgrade to full Centrify Suite 2011 functionality to take advantage of features such as:

The same authentication and group policy services deployed for your Windows environment.

Centrify DirectControl Zones to provide secure, granular access control and delegated administration.

Centrify DirectAuthorize™ to centrally manage and enforce role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems.

Centrify DirectAudit to deliver auditing, logging and real-time monitoring of user activity on your non-Microsoft systems.

Centrify DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and enabling optional end-to-end encryption of data in motion.


Centrify DirectManage to centralize the discovery, management and user administration of UNIX and Linux systems through integration into Active Directory-based tools and processes.

Intended audience

This DirectControl Express Edition Administrator’s Guide provides complete information for installing and configuring Centrify DirectControl Express and authenticating users and groups with Centrify DirectControl and Active Directory. This guide is intended for system and network administrators who are responsible for managing user access to servers, workstations, and network resources.

Because Centrify DirectControl Express Edition is installed on the Linux or Mac OS X computers you intend to manage, and requires you to work with Windows Active Directory, this guide assumes you have a working knowledge of performing administrative tasks across these different environments. If you are unfamiliar with any of the operating environments you need to support, you may need to consult additional, operating system-specific documentation to perform certain tasks or understand certain concepts.

This guide also assumes basic, but not expert, knowledge of how to perform common tasks. If you are an experienced administrator, you may be able to simplify or automate some tasks described in this guide using platform-specific scripts or other tools.

Using this guide

Depending on your environment and role as an administrator or user, you may want to read portions of this guide selectively. The guide provides the following information:

Chapter 1, “Introduction,” provides an overview of DirectControl Express.


Chapter 2, “Installing Centrify DirectControl Express,” summarizes the steps for installing DirectControl Express on computers to be managed by Centrify DirectControl.

Chapter 3, “Using DirectControl Express,” explains how to take advantage of Active Directory when joined to a domain through DirectControl Express.

Chapter 4, “Troubleshooting Centrify DirectControl,” describes how to use diagnostic tools and log files to retrieve information about the operation of DirectControl.

Appendix A, “Using Centrify DirectControl UNIX commands,” provides reference information for the DirectControl command-line programs.

Appendix B, “Customizing Auto Zone configuration parameters,” provides reference information for the Centrify DirectControl configuration parameters that affect the operation of a computer joined to Auto Zone. In Express Mode, a computer is automatically connected to Auto Zone.

Appendix C, “Customizing PAM-related configuration parameters,” describes the DirectControl configuration parameters that affect the operation of PAM-related activity on the local host computer.

Appendix D, “Using DirectControl with SSH,” explains how to install and use the Centrify release of OpenSSH.

In addition to these chapters, an index is provided for your reference.

Conventions used in this guide

The following conventions are used in this guide:

Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.

Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.

Italics are used for book titles and to emphasize specific words or terms.

For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted.

The variable release is used in place of a specific release number in the file names for individual Centrify DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the Centrify DirectControl Agent for Solaris on SPARC available on the Centrify DirectControl CD or in a Centrify DirectControl download package. On the CD or in the download package, the file name indicates the Centrify DirectControl version number. For example, if the software package installs Centrify DirectControl version number 4.2.0 for the Sun Solaris operating system on a SPARC server, the full file name is centrifydc-4.2.0-sol8-sparc-local.tgz.


Where to go for more information

The documentation set for Centrify DirectControl Express includes several sources of information. Depending on your interests, you may want to explore some or all of these sources further:

Release Notes included on the distribution media or in the download package provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other documentation.

Quick Start for Express Mode provides a brief summary of the steps for installing Centrify DirectControl Express and getting started so you can begin working with the product right away.

Individual UNIX man pages provide command reference information for the Centrify DirectControl UNIX command-line programs. This DirectControl Express Edition Administrator’s Guide also contains a command reference appendix for all DirectControl command-line programs.

In addition to the Centrify DirectControl documentation, you may want to consult the documentation for your Windows, Linux, UNIX, or Mac OS X operating system, or the documentation for Microsoft Active Directory. This information can help you get the most out of Centrify DirectControl.


Contacting Centrify

If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify Corporation with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify Corporation products, support, services, and upcoming events. For information about purchasing or evaluating Centrify Corporation products, send email to [email protected].


Chapter 1

Introduction

This chapter provides an introduction to the main features of Centrify DirectControl Express, including a brief overview of the ways Centrify DirectControl can help organizations leverage their investment in Active Directory.

The following topics are covered:

Understanding Centrify DirectControl Express

Understanding the Centrify DirectControl Agent

Comparing Centrify Suite 2011 Express Edition to other editions

Understanding Zones and Auto Zone

Understanding how DirectControl generates consistent UNIX UIDs


Understanding Centrify DirectControl Express

The Centrify Suite is bundled in a number of different editions, ranging from the most basic, Express (the focus of this manual), to more advanced editions (Standard, Enterprise, and Platinum), which in addition to having more features, provide other Centrify products, such as DirectAudit and DirectSecure.

DirectControl is the underlying, base product of the Centrify Suite. The core feature of DirectControl is the ability to enable Linux and Mac servers and workstations to participate in an Active Directory domain. The DirectControl Agent effectively turns the host system into an Active Directory client, enabling you to secure that system using the same authentication services deployed for your Windows systems.

Specifically, DirectControl Express provides the following:

The ability to join a Linux or Mac OS X computer to Active Directory and authenticate users.

Centrify-enabled versions of OpenSSH, Kerberos and Samba.

Note: The Centrify Suite 2011 Express Edition includes an Express Edition of DirectManage that enables you to centrally discover computers and deploy software to them.

DirectControl Express requires minimal configuration to join a UNIX machine to a domain and authenticate users through Active Directory. For example, DirectControl automatically creates consistent UIDs across the domain for users on the computers it manages; see “Understanding how DirectControl generates consistent UNIX UIDs” for information on this topic.

Also, when using DirectControl Express, you do not need to configure group policies and compliance reports, nor create zones to model your organization and control access to a domain. Therefore, DirectControl Express is ideal for an environment in which:

You have a limited number of users and domains.


You do not need to maintain your current UNIX UIDs.

The organizational structure is relatively flat.

You want to configure computers quickly to join a domain.

If your organization grows in size and complexity, you can easily upgrade Centrify DirectControl Express to one of the fully-featured editions; see “Comparing Centrify Suite 2011 Express Edition to other editions” for more information.

What you can do after you deploy

When Centrify Suite 2011 Express installs the Centrify DirectControl agent on a UNIX system, that computer is considered a Centrify DirectControl managed system and can be joined to Active Directory in the same manner as a Windows computer.

When a computer is managed by Centrify DirectControl and joined to a domain, every user and group defined in Active Directory for the forest automatically becomes a valid user or group on the UNIX machine, unless you restrict access to specific users or groups with the pam.deny.users, pam.allow.users, pam.deny.groups, and pam.allow.groups parameters. Users from any forest that has a two-way, cross-forest trust relationship with the forest of the joined domain are also valid users on the UNIX machine. These users can perform the following common tasks:

Log on to the UNIX shell or desktop program and use standard programs and services such as telnet, ssh, and ftp.

Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.


Manage their Active Directory passwords directly from the UNIX command line, provided they can connect to Active Directory.
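Because the default after joining is that every forest user can log on, a practitioner will want to check and narrow that scope before the host carries anything sensitive. The script below is an added example and is not code from this guide or from Centrify: it audits whether pam.allow.users or pam.allow.groups is set in the agent configuration and sets pam.allow.groups (and a single pam.allow.override account) idempotently. The parameter names are those listed in Appendix C; the file location /etc/centrifydc/centrifydc.conf and the one-parameter-per-line "parameter: value" format are assumptions, and the sample configuration is constructed so that the demo runs offline.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): audit and harden the logon
# scope of a DirectControl-managed host using the pam.allow.* / pam.deny.*
# parameters from Appendix C. Assumed: the agent configuration uses one
# "parameter: value" line per setting and lives at
# /etc/centrifydc/centrifydc.conf; every function takes the path, so the
# demo below works on a constructed sample file instead.

# Print the active (not commented-out) value of KEY; exit 1 if unset or empty.
cdc_get() {  # cdc_get FILE KEY
    awk -v key="$2" '
        $0 !~ /^[[:space:]]*#/ && index($0, key ":") == 1 {
            sub(/^[^:]*:[[:space:]]*/, "")
            if (length($0)) { print; found = 1 }
        }
        END { if (!found) exit 1 }' "$1"
}

# Set KEY to VALUE: rewrite an existing active or commented-out line in
# place, otherwise append. Running it twice leaves the file unchanged.
cdc_set() {  # cdc_set FILE KEY VALUE
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*#*[[:space:]]*$key:" "$file"; then
        awk -v key="$key" -v value="$value" '
            !done && $0 ~ "^[[:space:]]*#*[[:space:]]*" key ":" {
                print key ": " value; done = 1; next
            }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# With neither allow parameter set, every Active Directory user in the forest
# (and in two-way trusted forests) is a valid UNIX user on this computer.
cdc_logon_scope() {  # cdc_logon_scope FILE -> prints "open" or "restricted"
    if cdc_get "$1" pam.allow.users >/dev/null 2>&1 ||
       cdc_get "$1" pam.allow.groups >/dev/null 2>&1; then
        echo restricted
    else
        echo open
    fi
}

# Constructed sample: the allow parameter is present only as a commented-out
# default, so the host accepts any forest user until one of them is set.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# Centrify DirectControl agent configuration (constructed sample)
adclient.cache.expires: 3600
# pam.allow.groups:
pam.deny.users: guest
EOF
    echo "before: $(cdc_logon_scope "$tmp")"
    cdc_set "$tmp" pam.allow.groups "unix-admins,unix-users"
    cdc_set "$tmp" pam.allow.override localadmin   # one break-glass local account
    echo "after:  $(cdc_logon_scope "$tmp")"
    echo "allowed groups: $(cdc_get "$tmp" pam.allow.groups)"
    rm -f "$tmp"
    # On a real host, run adreload afterwards so adclient rereads the file.
}

demo
```

After editing the real configuration file, run adreload so the agent picks up the change without a restart, then confirm with a logon attempt by a user outside the allowed groups that the restriction is enforced. Keep pam.allow.override to a single, well-protected local account: it is the account that can still log on when Active Directory is unreachable, so it is also the account an attacker would target.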

Understanding the Centrify DirectControl Agent

The Centrify DirectControl Agent makes a UNIX, Linux, or Mac OS X computer look and behave like a Windows client computer to Active Directory. The Centrify DirectControl Agent performs the following key tasks:

Joins the UNIX, Linux, or Mac OS X computer to an Active Directory domain.

Communicates with Active Directory to authenticate users when they log on and caches credentials for offline access.

Enforces Active Directory authentication and password policies.

Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.

Although the individual agents you install are platform-specific, the Centrify DirectControl Agent is a tightly integrated suite of services that work together to ensure seamless operation between existing UNIX programs and applications and Active Directory authentication and directory service.


The following figure provides a closer look at the services provided through the Centrify DirectControl Agent:

[Figure: Centrify DirectControl Agent architecture. The Centrify DirectControl Agent communicates with the Active Directory Domain Controller and contains the Centrify DirectControl Service Library, cached credentials and search results, the adclient process, and the Kerberos environment. It backs the core services for UNIX shell programs and applications (the PAM module, the NSS module, and the command line programs), Kerberos-enabled applications, and other add-on modules: Apache, JAAS realm, SPNEGO, and NIS.]

As this figure suggests, the Centrify DirectControl Agent includes the following core components:

The core Centrify DirectControl Agent is the adclient process that handles all of the direct communication with Active Directory. The agent contacts Active Directory when there are requests for authentication, authorization, directory assistance, or policy updates, then passes valid credentials or other requested information along to the programs or applications that need this information.

The Centrify DirectControl Pluggable Authentication Module, pam_centrifydc, enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory.

The Centrify DirectControl NSS module is added to nsswitch.conf so that system look-up requests use the Centrify DirectControl agent to look up and validate information using Active Directory through LDAP.

The Centrify DirectControl command line programs (CLI) enable you to perform common administrative tasks, such as joining and leaving the Active Directory domain or changing user passwords for Active Directory accounts from the UNIX command prompt. These command line programs can be used interactively or in scripts to automate tasks.

The Centrify DirectControl Kerberos environment generates a Kerberos configuration file (/etc/krb5.conf) and a default key table (krb5.keytab) to enable your Kerberos-enabled applications to authenticate through Active Directory. These files are maintained by the Centrify DirectControl Agent and are updated to reflect any changes in the Active Directory forest configuration.

The Centrify DirectControl local cache stores user credentials and other information for offline access and network efficiency.

In addition to these core components, the Centrify DirectControl Agent can also be extended with optional utilities and programs, such as updated Kerberos, OpenSSH, or OpenLDAP utilities, that have been optimized to work with Centrify DirectControl and Active Directory.

Comparing Centrify Suite 2011 Express Edition to other editions

Centrify Suite 2011 Express Edition is composed of DirectControl Express and DirectManage Express. As explained in “Understanding Centrify DirectControl Express” on page 14, Centrify DirectControl Express provides a limited subset of the features available in DirectControl for Centrify Suite 2011 Standard, Enterprise, Platinum, or Application Editions.

Express Edition provides

DirectControl Express (a limited version of DirectControl) with the following features:


The ability to join a domain and authenticate users

Centrify-enabled OpenSSH, Kerberos, and Samba

DirectManage Express (a limited version of DirectManage) with the ability to discover computers and deploy software

Standard Edition is the first-level commercial offering and combines the base product, DirectControl, with additional products, as follows:

A fully-featured DirectControl with these features:

The ability to join a domain and authenticate users

Centrify-enabled OpenSSH, Kerberos, and Samba

Advanced Active Directory support; for example, DirectControl is site-aware, supports trusts, and requires no modifications to the AD schema

Centralized UNIX identity management; that is, the ability to map multiple UIDs to one Active Directory account

Zone-based access control and separation of duties

Group Policy enforcement

Legacy NIS integration and migration

Out-of-the-box reporting

For Mac OS X users, the ability to use their PIV/CAC smart cards for authentication and single sign-on

A fully-featured DirectManage to centrally discover systems and deploy software, migrate existing accounts and access rights to Active Directory, and provision and manage access, rights, and roles.

DirectAuthorize to centrally manage and enforce role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems.


Enterprise Edition provides:

All the features of Standard Edition

DirectAudit for real-time auditing of user sessions on UNIX- and Linux-based systems.

Platinum Edition provides:

All the features of Enterprise Edition

DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and encrypting data in motion.

Application Edition provides:

All the features of Enterprise Edition

Single sign-on for SAP, Web servers (Tomcat, Apache, JBoss, Websphere, and Weblogic), and IBM DB2

Understanding Zones and Auto Zone

When using a generally-featured version of DirectControl, one of the most important aspects of managing UNIX, Linux, and Mac OS X systems through the DirectControl Administrator Console is the ability to organize computers and users’ access to those computers using zones.

A DirectControl zone is similar to an Active Directory organizational unit (OU) or NIS domain. Zones allow you to organize the computers in your organization in meaningful ways to simplify account and access management and the migration of information from existing sources to Active Directory.

Zones also enable you to map multiple UIDs to a single Active Directory account and store the mapping inside Active Directory.

How you use zones will depend primarily on the needs of your organization. In some organizations, a single default zone is sufficient. In other organizations, using multiple zones may be a necessity.


Understanding Auto Zone

When using Centrify DirectControl Express, you have no access to the DirectControl Console, nor do you have the ability to create zones, including the default zone. Rather, in Express Mode, you connect to a domain through Auto Zone, which essentially is one super zone for the forest.

Express Mode and Auto Zone greatly simplify the process of using DirectControl to join a UNIX computer to a zone. When using a generally-featured version of DirectControl, you must perform a certain amount of configuration in the DirectControl Console, such as defining a zone, adding Active Directory users and groups to the zone, and enabling specific group policies. With Auto Zone, UNIX attributes, such as UID, default shell, and home directory, that are normally defined in the zone to which the UNIX computer is joined, are derived from user attributes in Active Directory, or from DirectControl configuration parameters.

When you join a domain by connecting to Auto Zone, all DirectControl Express users and groups defined in Active Directory for the forest automatically become valid users and groups on the UNIX machine. In addition, all Active Directory users defined in a forest with a two-way, cross-forest trust relationship to the forest of the joined domain, are also valid users for the UNIX machine.

Although all users and groups have default access to all machines joined to Auto Zone, you may still control access to any particular machine by setting parameters, such as pam.deny.users and pam.deny.groups, in the Centrify DirectControl configuration file; see “pam.deny.groups” on page 170 and “pam.deny.users” on page 172.

Note Auto Zone does not support one-way trusts. That is, if a computer is joined to a domain through Auto Zone, and the domain has a one-way trust relationship with another domain, users and groups in the trusted domain do not become valid users and groups on the computer.


Understanding how DirectControl generates consistent UNIX UIDs

In DirectControl Express, when an Active Directory user logs into a UNIX computer for the first time, DirectControl automatically creates a 31-bit UNIX UID as well as a 31-bit GID for any groups to which the user belongs. To create these GIDs and UIDs DirectControl creates a prefix from the last 9 bits of the user or group Security Identifier and combines it with the lower 22 bits of the user or group RID (relative identifier).

Although DirectControl Express caches these UIDs and GIDs, they are not stored in Active Directory and consequently you cannot edit or change them in any way with Active Directory Users and Computers (ADUC). If the cache expires, DirectControl uses the same algorithm to create the same UID and GID the next time the user logs in, so you are guaranteed consistent ownership for files and resources.

Note This is in contrast to fully-featured DirectControl which stores UIDs and GIDs in Active Directory and provides tools that enable you to migrate local UIDs and GIDs to Active Directory, as well as map multiple UIDs to a single AD account.
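The derivation just described, carried through as an added Python example (not Centrify’s code): which sub-authority supplies the 9 prefix bits and the bit layout (prefix above the RID’s 22 bits) are assumptions, since the page does not spell them out, and the SIDs are constructed. It also checks a list of SIDs for derived-ID collisions, which truncating to 9 + 22 bits makes possible.

```python
"""Illustration of the 31-bit UID/GID derivation described in the text.

Added example, not Centrify's implementation. Assumptions (not stated on the
page): the "last 9 bits of the Security Identifier" come from the final
sub-authority of the domain part of the SID (the component just before the
RID), and they form the high 9 bits of the 31-bit result, above the RID's
low 22 bits. All SIDs used here are constructed sample values.
"""
from collections import defaultdict

PREFIX_BITS = 9    # 2**9 = 512 distinct domain prefixes
RID_BITS = 22      # 2**22 = 4194304 RIDs before the low bits repeat


def parse_sid(sid: str) -> list[int]:
    """Return the sub-authorities of an S-R-I-S1-...-Sn string as integers."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    # parts[1] is the revision and parts[2] the identifier authority; both dropped
    return [int(p) for p in parts[3:]]


def derive_unix_id(sid: str) -> int:
    """Combine 9 bits of the domain identifier with the low 22 bits of the RID."""
    subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError(f"SID has no domain sub-authority before the RID: {sid!r}")
    rid = subs[-1]
    domain_tail = subs[-2]                       # assumption: last domain sub-authority
    prefix = domain_tail & ((1 << PREFIX_BITS) - 1)
    low = rid & ((1 << RID_BITS) - 1)
    return (prefix << RID_BITS) | low            # always < 2**31


def find_collisions(sids: list[str]) -> dict[int, list[str]]:
    """Map each derived ID produced by more than one SID to those SIDs.

    The page guarantees consistency (same SID -> same UID on every host),
    not uniqueness: only 9 bits of the domain and 22 bits of the RID survive,
    so accounts from the forest (and from two-way trusted forests, which also
    become valid users) can map to one UID and share file ownership.
    """
    seen: dict[int, list[str]] = defaultdict(list)
    for sid in sids:
        seen[derive_unix_id(sid)].append(sid)
    return {uid: owners for uid, owners in seen.items() if len(owners) > 1}


if __name__ == "__main__":
    # Constructed SIDs; RID 4195305 = 1001 + 2**22 shares its low 22 bits with RID 1001.
    samples = [
        "S-1-5-21-1004336348-1177238915-682003330-1001",
        "S-1-5-21-1004336348-1177238915-682003330-1002",
        "S-1-5-21-1004336348-1177238915-682003330-4195305",
    ]
    for s in samples:
        print(f"{s} -> UID {derive_unix_id(s)}")
    print("collisions:", find_collisions(samples))
```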

In addition to the UID and GID, DirectControl creates a home directory for the user with all the associated profile and configuration files. The location for the home directory is:

Linux: /home/username

Mac OS X: /Users/username

When you join multiple Linux or Mac OS X computers to a domain, any Active Directory user who logs on to more than one computer will have the same DirectControl-generated UID on each machine.

Although local users (such as those defined in /etc/passwd) may still log in to any local computer, if you want to control access through Active Directory, you should create Active Directory accounts for each user. You can then either delete the local account, or to preserve access to current home directories and files, map the local users on each computer to an AD account; see “Mapping local UNIX accounts to Active Directory” on page 57.


Chapter 2

Installing Centrify DirectControl Express

This chapter provides step-by-step instructions for installing the Express version of the Centrify DirectControl Agent on a computer and joining a Linux or Mac OS X computer to the Active Directory domain.

The following topics are covered:

Preparing for installation

Installing the Centrify DirectControl Agent

Verifying the installation

Troubleshooting adcheck errors

Joining an Active Directory domain

Adding generally-licensed features

Updating the Express installation

Removing Centrify DirectControl

Preparing for installation

The Centrify DirectControl Agent needs to be installed on each UNIX computer you want to manage through Centrify DirectControl and Active Directory. Therefore, you should check that each computer where you plan to install is running a supported version of the Linux or Mac OS X operating system and meets the following requirements:

For this              You need this
Operating system      One of the supported operating environments. For information about the specific operating systems and version levels currently supported, see Supported Platforms on the Centrify Web site.
CPU speed             300 MHz
RAM                   10 MB
Disk space            100 MB

Note For the most complete and up-to-date information about supported platforms and version information, check the Centrify Web site or the Release Notes included with the software package. Some operating environments may require patches, updates, or bundles to work correctly, so check the Release Notes for any environment-specific requirements before installing. Also, you can check the Web site of your operating system vendor to identify the most recent patches and updates available.

Verifying account permissions

You need the following accounts to install DirectControl and join an Active Directory domain:

To install on Linux you need the root account and password.

To install on Mac OS X you need the local Administrator account and password.

To join a domain, you need an Active Directory account (and password) with permission to add computers to the domain.

Depending on your organization, this requirement might be more stringent; for example, in some organizations, an account with permission to add computers to the domain might need to be a member of the Domain Admins group. If you are not sure about the requirements of your organization, or do not know the name and password for an Active Directory account, check with your AD administrator.

Installing the Centrify DirectControl Agent

The files and directories you need to install on each Linux and Mac OS X computer you want to manage through Active Directory are bundled together in a platform-specific software package and installed using a native installation mechanism for each platform. You can install the Centrify DirectControl Agent in any of the following ways:

(Recommended) Run the Centrify DirectControl installation script to automatically invoke the proper installation mechanism for a computer’s local operating system with the appropriate command line options; see “Installing the agent by using the installation script” on page 28.

On Mac OS X computers, use the graphical user interface to install; see “Installing on Mac OS X by using the graphical user interface” on page 31.

Manually install any package by running the appropriate installation command yourself; see “Using other programs to install DirectControl Agents” on page 34.

Note Centrify highly recommends that you use the installation script to install Centrify DirectControl Express because the installation script does the following:

Automatically joins the computer to a domain.

Sets the Agent to Express Mode.

Runs operating system, network, and Active Directory tests to verify your environment.

If you manually install the Agent, you must manually join a domain, manually turn off licensing to enable Express Mode after joining a domain, and manually run tests if you wish to verify your environment.

Installing the agent by using the installation script

To install on a Linux or Mac OS X computer:

1 Log on or switch to the root user if you are installing on a computer running Linux, or log on with a valid user account if you are installing on a computer with the Mac OS X operating system.

Note Although you are not required to log on as the root user on the Macintosh computer, you must know the password for the Administrator account to complete the installation. In addition, joining the domain and configuring your environment is slightly different on Macintosh computers than on other platforms. Therefore, you should follow the steps in the section “Joining the domain from Mac OS X computers” on page 42 to join an Active Directory domain on computers running the Mac OS X operating system.

2 Mount the cdrom device using the appropriate command for the local computer’s operating environment, if necessary. If you have copied the package to another location or downloaded the package from an FTP server or Web site and are not using the CD, verify the location and go on to the next step.

3 Change to the appropriate directory on the CD or to the directory where you have copied or downloaded the Centrify DirectControl package. For example, to install on a Linux computer from the Centrify DirectControl CD, change to the Unix directory:

cd Unix

Similarly, if you are installing on a Mac OS X computer, change to the MacOS directory.

4 Run the install-express.sh script to start the installation of Centrify DirectControl on the local computer’s operating environment. For example:

./install-express.sh

The installation script runs a utility, adcheck, to verify that your environment is configured properly to work with Centrify DirectControl. You may see warning or error messages that may require immediate attention or may be something that you can fix after running the installation.

For example, you will see a warning message if your machine has a version of OpenSSH that is not configured to work with Centrify DirectControl. However, by default, the installation script installs the DirectControl build of OpenSSH, which corrects this problem, so in this case you do not need to correct anything.

See “Troubleshooting adcheck errors” on page 38 for more information about adcheck and how to fix any issues it uncovers.

5 Respond to the installation prompts as follows:

How do you want to proceed? (E|S|X|C|Q) [X]:

Accept the default, X (for Express Edition), by pressing Enter.

Do you want to run adcheck to verify your AD environment? (Q|Y|N) [Y]:

Accept the default answer, Y (to run adcheck), by pressing Enter.


Please enter the Active Directory domain to check:

Enter the fully qualified name of your AD domain; for example, sales.acme.com.

Join an Active Directory domain? (Q|Y|N) [Y]

Accept the default answer, Y, to join a domain.

Enter an authorized Active Directory user (one with permission to add computers to the domain) and password at the following prompts (see “Verifying account permissions” on page 26 for information about the accounts required for installing DirectControl and joining a domain); the default account, if you do not enter one, is administrator:

Enter the Active Directory authorized user [administrator]:
Enter the password for the Active Directory user:

Press Enter to select the defaults for the following prompts:

Enter the computer name: [QA1.sales.acme.com]
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]:
Reboot the computer after the installation (Q|Y|N) [Y]:

You will see summary text similar to the following:

You chose Centrify Suite Express Edition and entered the following:
Install CentrifyDC 4.4.0 package: Y
Install CentrifyDC-nis 4.4.0 package: N
Install CentrifyDC-openssh 4.3.1 package: Y
Install CentrifyDA 1.1.2 package: N
Run adcheck : Y
Join an Active Directory domain : Y
Active Directory domain to join : sales.acme.com
Active Directory authorized user : administrator
computer name : QA1.sales.acme.com
container DN : Computers
domain controller name : auto detect
Reboot computer : Y

6 After reviewing the choices you have made, enter Y and press Enter.

When the installation is complete, the computer prepares to reboot in 15 seconds if you specified to reboot after installation.


Go to “Verifying the installation” on page 36 to see how to verify the installation.

Installing on Mac OS X by using the graphical user interface

This section explains how to install using the graphical user interface. To install using the installation script, see “Installing the agent by using the installation script” on page 28.

To install the Centrify DirectControl Agent on a Mac OS X computer using the graphical user interface, complete the steps in the following procedure:

Note Before launching the installer, be certain that the Apple Directory Utility is closed. If it is open while running the installer, it causes the Centrify DirectControl Directory Access plug-in to show the incorrect status, that is, it shows that the plug-in is disabled when in fact it is enabled.

1 Log on with the Administrator or root user account.

2 Navigate to the directory on the CD or your local network where the Centrify DirectControl Agent package is located. For example, if you are installing from the Centrify DirectControl CD, open the MacOS directory.

3 Double-click the DMG file, for example:

centrifydc-release-mac10.4.dmg

4 Double-click ADCheck to open the ADCheck utility.

ADCheck performs a set of operating system, network, and Active Directory checks to verify that the Mac OS X computer meets the system requirements necessary to install the Centrify DirectControl Agent and join an Active Directory domain.

5 Enter the domain you intend to join with the Mac OS X computer and click AD Check.


Note The ADCheck utility has a set of options — see the adcheck man page for details. You can specify options in the AD Domain window along with the domain name. For example, to run the network options only, and provide verbose output, enter the following, then click AD Check:

-t net myDomain.com --verbose

You can also run ADCheck as a command-line utility in a terminal window.

6 Review the results of the checks performed. If the target computer, DNS environment, and Active Directory configuration pass all checks with no warnings or errors, you should be able to perform a successful installation and join.

If you receive errors or warnings, correct them before proceeding with the installation. See “Troubleshooting adcheck errors” on page 38 for more information about adcheck and how to fix any issues it uncovers.

7 Double-click CentrifyDC.pkg to open the Centrify DirectControl Installer package.

8 Review the information on the Welcome page, then click Continue; review or print the terms of the license agreement and click Continue; then click Agree to agree to the terms of the license agreement.

9 Select a volume for installing the Centrify DirectControl Agent, then click Continue.

10 Click Install to begin installing the Centrify DirectControl Agent.

If you see the following warning box, click OK. If you did not have Directory Utility running during the installation, you can ignore the warning. If Directory Utility was open, you can quit and restart it to show the correct status of the Centrify DirectControl plug-in.

11 If prompted, enter the administrator name and password.


12 (Optionally) If the computer is not already joined to a domain, you can choose to join the domain now or manually after completing installation. To join now, enter a domain name.

13 (Optionally) Reboot the computer to stop and restart all services.

Go to “Verifying the installation” on page 36 to see how to verify the installation.

Using other programs to install DirectControl Agents

If you want to manually install a software package using a native installation program instead of the Centrify DirectControl installation script, you can follow the instructions in the release-notes text file for the package or use another native installation mechanism appropriate for the local operating environment. For example, if your operating environment supports another mechanism for installing and managing software packages, such as the SMIT or YAST programs, you can use those programs to install Centrify DirectControl software packages.

Note Centrify highly recommends that you use the installation script to install Centrify DirectControl Express because the installation automatically joins the computer to a domain, sets the Agent to Express Mode, runs operating system, network, and Active Directory tests to verify your environment, and installs the Centrify OpenSSH package — all of which you have to do manually if you use a native installer.

To install Centrify DirectControl using a native installation program:

1 Log on as or switch to the root user.

2 If you are installing from a CD and the CD drive is not mounted automatically, use the appropriate command for the local computer’s operating environment to mount the cdrom device.

3 Copy the appropriate package for the local computer’s operating environment to a local directory.

For example, if installing from the CD and the operating environment is Enterprise Linux:

cp /cdrom/cdrom0/Unix/centrify-suite-2011-rhel3-i386.tgz .

If you aren’t sure which file to use for the local operating environment, see the release-notes text file included in the package.

4 If the software package is a compressed file, unzip and extract the contents. For example, on Red Hat Linux:

gunzip -d centrify-suite-2011-rhel3-i386.tgz
tar -xf centrify-suite-2011-rhel3-i386.tar

5 Run the appropriate command for installing the package based on the local computer’s operating environment. For example, on Red Hat Linux:

rpm -Uvh centrifydc-release-rhel3-i386.rpm

If you aren’t sure which command to use for the local operating environment, see the release-notes text file included in the package.

Note You are not required to use the specific commands described in the release-notes to install the software package manually. If your operating environment has programs such as the SMIT or YAST programs, you can use those programs to install the Centrify DirectControl package.

6 Disable licensed features by running the adlicense --express command:

adlicense --express

Note The native installer installs Centrify DirectControl in full-featured mode; you must run the adlicense command to change to Express Mode.

7 Join the domain by running the adjoin --workstation command, which connects you to Auto Zone; see “Joining an Active Directory domain” on page 40:

adjoin --workstation domainName

Note If you do not specify the --workstation option the join will fail because adjoin will attempt to connect you to a specific zone, which is not allowed in Express Mode — you must connect to Auto Zone; see “Understanding Zones and Auto Zone” on page 20.

8 (Optionally) Install the Centrify OpenSSH package; for example:

rpm -Uvh centrifydc-openssh-release-rhel3-i386.rpm

Go to “Verifying the installation” on page 36 to see how to verify the installation.

Verifying the installation

When a computer is joined to Active Directory, all Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest, are valid users or groups for the joined machine. Therefore, after running the installation script, which installed the Centrify DirectControl Agent and joined your computer to a domain, you can log in as any Active Directory user.


1 Log in using an Active Directory user account.

When a user logs in for the first time, the system creates a /home/userName directory.

2 Run the adinfo command to see information about the Active Directory configuration for the local computer. You should see output similar to the following:

Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled

Note that licensed features are disabled and that the zone is Auto Zone, which essentially is a super zone for the entire forest. Creating actual zones requires a licensed copy of Centrify DirectControl.
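A check that reads an adinfo report and confirms what the note above asks you to verify (joined and connected, zone is Auto Zone, licensed features disabled), as an added Python example that is not part of the Centrify software; the field names are those of the sample adinfo output above, the embedded report is constructed, and check_live_host assumes an adinfo binary on the PATH.

```python
"""Verify that an adinfo report shows the expected state after an Express install.

Added example, not Centrify code. Parses the "Field: value" lines that adinfo
prints (field names as in the guide's sample output) and reports every
deviation from the Express Edition state: joined to a domain, agent mode
connected, zone Auto Zone, licensed features disabled.
"""
import subprocess

# Constructed sample matching the output shown in step 2 of the guide.
SAMPLE_ADINFO = """\
Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled
"""


def parse_adinfo(text: str) -> dict[str, str]:
    """Turn 'Field: value' lines into a dict; split on the first colon only,
    so timestamps such as '12:01:31' stay intact. Lines without a colon
    (for example 'Not joined to any domain') are ignored."""
    info: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def express_join_problems(info: dict[str, str]) -> list[str]:
    """Return the deviations from the expected Express state (empty when all good)."""
    problems = []
    if not info.get("Joined to domain"):
        problems.append("computer is not joined to any domain; run 'adjoin --workstation <domain>'")
    mode = info.get("CentrifyDC mode", "unknown")
    if mode.lower() != "connected":
        problems.append(f"agent mode is {mode!r}, expected 'connected'")
    zone = info.get("Zone", "unknown")
    if zone != "Auto Zone":
        problems.append(f"zone is {zone!r}; Express Mode requires Auto Zone")
    if info.get("Licensed Features", "").lower() != "disabled":
        problems.append("licensed features are not disabled; run 'adlicense --express'")
    return problems


def check_live_host() -> list[str]:
    """Run adinfo on this host (agent must be installed) and check its report."""
    out = subprocess.run(["adinfo"], capture_output=True, text=True, check=True).stdout
    return express_join_problems(parse_adinfo(out))


if __name__ == "__main__":
    for line in express_join_problems(parse_adinfo(SAMPLE_ADINFO)) or ["OK: Express join verified"]:
        print(line)
```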

The Linux or Mac OS X computer is now joined to the domain just like any Windows machine in the domain. See Chapter 3, “Using DirectControl Express,” for some of the ways Centrify DirectControl Express simplifies administration of your Linux and Mac OS X computers.

Locating Centrify DirectControl directories and files

When you complete the installation, the local computer will be updated with the following directories and files for Centrify DirectControl:

This directory          Contains
/etc/centrifydc         The Centrify DirectControl Agent configuration file and the Kerberos configuration file.
/usr/share/centrifydc   Kerberos-related files and service library files used by the Centrify DirectControl Agent to enable group policy and authentication and authorization services.
/usr/sbin and /usr/bin  Command line programs to perform Active Directory tasks, such as join the domain and change a user password.
/var/centrifydc         No files until you join the domain. After you join the domain, several files are created in this directory to record information about the Active Directory domain the computer is joined to, the Active Directory site the computer is part of, and other details.

Troubleshooting adcheck errors

You can run adcheck before, during, or after installation to verify that your system is configured properly for Centrify DirectControl. This utility performs three sets of checks that are controlled by the following options:

-t os checks the operating system, disk size, and Perl and Samba installations.

-t net checks DNS to verify that the local system is configured correctly and that the DNS server is available and healthy.

-t ad includes the -t net checks and verifies that the domain has a valid domain controller.


Correcting errors for the os check

The -t os option performs a series of checks that verify operating-system basics for the machine on which you are installing Centrify DirectControl. This option performs the following specific checks:

OSCHK    : Verify that this is a supported OS
PATCH    : Linux patch check Pass
PERL     : Verify perl is present and is a good version Pass
SAMBA    : Inspecting samba installation
SPACECHK : Check if has enough disk space in /var /usr /tmp

The operating system checks are self-explanatory. If your computer fails one of these checks, you need to upgrade the machine with a new operating system version or patch, a new Perl or Samba version, or free up sufficient disk space.

Note If you get a warning about your Samba installation, you can install Centrify-enabled Samba as part of the DirectControl Express installation.

Correcting warnings and errors for the net check

The -t net option performs a series of checks that verify DNS is correctly configured on your local machine and that the DNS server is running properly. There is also a check to verify that you are running a supported version of OpenSSH.

Note A supported version of OpenSSH is automatically installed by the installation script. If you get a warning about your OpenSSH version before installation, you can ignore it.

This option performs the following specific checks:

NSHOSTS : Check hosts line in /etc/nsswitch.conf
DNSPROBE : Probe DNS server 192.168.43.130
DNSCHECK : Analyze basic health of DNS servers
WHATSSH : Is this an SSH that DirectControl works well with
SSH : SSHD version and configuration

Because Centrify DirectControl uses DNS to locate the domain controllers for the Active Directory forest, the appropriate DNS nameservers need to be specified in the local /etc/resolv.conf file on each UNIX computer before the computer can join the domain. If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.

Correcting errors for the ad check

The -t ad option locates each domain controller in DNS and then does a port scan and DNS lookup of each. The checks for this option also verify the global catalog and verify clock and domain synchronization. The specific checks performed by this option are as follows:

Note The -t ad option runs the -t net checks as well as the -t ad checks.

DOMNAME : Check that the domain name is reasonable
ADDC : Find domain controllers in DNS
ADDNS : DNS lookup of DC centrify-mkdaze.mkline.local
ADPORT : Port scan of DC centrify-mkdaze.mkline.local
ADDNS : DNS lookup of DC centrify-mkdaze.mkline.local
GCPORT : Port scan of GC centrify-mkdaze.mkline.local
DCUP : Check DCs in mkline.local
SITEUP : Check DCs for mkline.local in our site
DNSSYM : Check DNS server symmetry
ADSITE : Check that this machine's subnet is in a site known by AD
GSITE : See if we think this is the correct site
TIME : Check clock synchronization
ADSYNC : Check domains all synchronized

If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.
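As an added example (not part of this guide or of adcheck itself), the following Python applies the rules stated above to adcheck-style results: errors and warnings block the join, except the OpenSSH warning seen before the installation script has run and a Samba warning that installing Centrify-enabled Samba will resolve. The line layout and the results in the sample output are constructed; only the check names come from the guide.

```python
"""Triage adcheck-style results before joining (os, net and ad checks).

This is an added example, not part of the Centrify guide or product.
The line layout below (check name, colon, description, result word) is
constructed to resemble the adcheck listings shown in the guide; the
real tool's exact output format may differ.
"""
import re

# Check names the guide says may warn without blocking an Express join.
SSH_CHECKS = {"WHATSSH", "SSH"}   # a supported OpenSSH is installed by the script
SAMBA_CHECK = "SAMBA"             # Centrify-enabled Samba can be installed by the script

LINE_RE = re.compile(
    r"^\s*(?P<name>[A-Z]+)\s*:\s*(?P<desc>.*?)\s+(?P<result>Pass|Warning|Error)\s*$"
)

# Constructed sample output: the check names are taken from the guide,
# the results are invented for the demonstration.
SAMPLE_OUTPUT = """\
OSCHK : Verify that this is a supported OS Pass
PATCH : Linux patch check Pass
PERL : Verify perl is present and is a good version Pass
SAMBA : Inspecting samba installation Warning
SPACECHK : Check if has enough disk space in /var /usr /tmp Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf Pass
DNSPROBE : Probe DNS server 192.168.43.130 Pass
DNSCHECK : Analyze basic health of DNS servers Error
WHATSSH : Is this an SSH that DirectControl works well with Warning
SSH : SSHD version and configuration Warning
TIME : Check clock synchronization Pass
"""


def parse_adcheck(output):
    """Return [(name, description, result)], skipping lines that are not checks."""
    results = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((m["name"], m["desc"].strip(), m["result"]))
    return results


def triage(output, before_install=True, install_centrify_samba=True):
    """Decide whether the machine is ready to join.

    Errors always block. Warnings block too, except the two cases the
    guide calls out: OpenSSH warnings seen before the installation script
    has run, and a Samba warning when Centrify-enabled Samba will be
    installed as part of the Express installation.
    """
    blocking, tolerated = [], []
    for name, desc, result in parse_adcheck(output):
        if result == "Pass":
            continue
        if result == "Warning":
            if name in SSH_CHECKS and before_install:
                tolerated.append((name, "supported OpenSSH is installed by install-express.sh"))
                continue
            if name == SAMBA_CHECK and install_centrify_samba:
                tolerated.append((name, "Centrify-enabled Samba will be installed"))
                continue
        blocking.append((name, result, desc))
    return {"ok_to_join": not blocking, "blocking": blocking, "tolerated": tolerated}


if __name__ == "__main__":
    report = triage(SAMPLE_OUTPUT)
    for name, result, desc in report["blocking"]:
        print(f"{result}: {name} - {desc}")
    print("ready to join" if report["ok_to_join"] else "fix the blocking checks first")
```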

Joining an Active Directory domain

When you install the Centrify DirectControl Agent on a UNIX computer, you can automatically join that computer to an Active Directory domain by selecting the option to do so in the Centrify DirectControl installation script, install-express.sh.

However, if you don’t join the domain when you run the installation script, or if you leave a domain for any reason and want to rejoin, you can manually join a domain by using the adjoin command.


When using Centrify DirectControl Express, you can only connect to a domain through Auto Zone, not by connecting to a specific zone. Connecting to a zone requires Centrify DirectControl licensed features. To connect to Auto Zone, you use the adjoin --workstation option.

Note On the Mac OS, joining the domain and configuring your environment is slightly different than on other platforms. Therefore, you should follow the steps in the section “Joining the domain from Mac OS X computers” on page 42 to join an Active Directory domain when the Centrify DirectControl Agent is installed on Mac OS X computers.

To join an Active Directory domain manually on a Linux or UNIX computer:

1 On the UNIX computer, log in as or switch to the root user.

2 Run adjoin to join an existing Active Directory domain. You should join the domain using a fully-qualified domain name. You must specify the --workstation option.

For example, to join the sales.acme.com domain with the user account dylan:

adjoin --user dylan --workstation sales.acme.com

The user account you specify must have permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account simply needs to be a valid domain user account. If you don’t specify a user with the --user option, the Administrator account is used by default.

3 Type the password for the specified user account.

If Centrify DirectControl can connect to Active Directory and join the domain, a confirmation message is displayed. All Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest are valid users or groups for the joined machine.


Joining the domain from Mac OS X computers

You can use either the ADJoin GUI utility or the adjoin command line tool to join a domain. This section shows how to use the ADJoin GUI utility, which is specific to Mac OS X. For information on adjoin, see the DirectControl Administrator’s Guide, or the man page for adjoin.

To start the Centrify DirectControl program for joining or leaving a domain:

1 Click Applications > Utilities > Centrify > Adjoin. Then double-click Adjoin to open it.

2 Type the name of the Active Directory domain you want to join and select Auto Zone.

You can also type a different computer name if you want to use a different name for the local host in Active Directory. Check Overwrite existing joined Computer to overwrite the information stored in Active Directory for an existing computer account with the same name as the local computer. This is the same as running the adjoin command with the --force option.


If you want to use the default settings for joining the domain, you can continue to the next step. If you want to specify additional options, click Show advanced options to display the additional options:


Select this option    To do this

Container DN
    Specify the distinguished name (DN) of the container or Organizational Unit in which you want to place this computer account.

    By default, computer accounts are created in the domain’s default Computers container.

    If you want to specify a container, check this option, then type the DN without its domain suffix. For example, if the domain suffix is acme.com and you want to place this computer in the paris.regional.sales.acme.com organizational unit, you would type:

    ou=paris, ou=regional, ou=sales

    Checking this option is the same as running the adjoin command with the --container option.

Preferred Domain Server
    Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

    Checking this option is the same as running the adjoin command with the --server option.

Computer Alias Name
    Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias and the computer may be referred to by this alias.

    Checking this option is the same as running the adjoin command with the --alias option.

Do not update PAM and DirectoryService configuration
    Indicate that you do not want to update the local system’s PAM and DirectoryService configuration. If you don’t want to have the PAM files and DirectoryService configuration updated automatically, check this option.

    Checking this option is the same as running the adjoin command with the --noconf option.

For more information about these options, see “Using adjoin” on page 84.

3 The Disable Licensed Features button turns off licensing for DirectControl on the local computer, making it an Express installation. For a Standard Centrify Suite 2011 installation, you can ignore this button. See the Centrify Suite Express Edition Administrator’s Guide for complete information on installing and configuring Centrify DirectControl Express.

4 Click Join Domain.

5 Type the Active Directory user name and password for a user with permission to join the local computer to the Active Directory domain, then click OK.


6 Type the user name and password for the local Administrator account.
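Each of the GUI options above corresponds to an adjoin option. As an added example, not Centrify's code, the Python below assembles the matching command line and derives the Container DN from a dotted OU path the way the table describes; the function names, the sample domain controller and the alias are assumptions.

```python
"""Build the adjoin command line that matches a set of ADJoin GUI choices.

This is an added example, not Centrify's code. The adjoin options it emits
(--user, --workstation, --container, --server, --alias, --noconf, --force)
are the ones the guide names; the function names are mine, and the sample
domain controller, alias and user are constructed.
"""
import shlex


def ou_path_to_container_dn(ou_path, domain):
    """Convert a dotted OU path to the Container DN the guide asks for.

    The guide's example: OU path paris.regional.sales.acme.com in domain
    acme.com becomes ou=paris,ou=regional,ou=sales (the DN without its
    domain suffix; the guide prints it with a space after each comma).
    """
    suffix = "." + domain.lower()
    if not ou_path.lower().endswith(suffix):
        raise ValueError(f"{ou_path!r} is not inside the domain {domain!r}")
    parts = ou_path[: -len(suffix)].split(".")
    if any(not p for p in parts):
        raise ValueError(f"empty OU component in {ou_path!r}")
    return ",".join(f"ou={p}" for p in parts)


def build_adjoin_command(domain, user=None, container_dn=None, server=None,
                         alias=None, noconf=False, force=False):
    """Return argv for an Express join (Auto Zone, so --workstation is mandatory).

    Each keyword mirrors a GUI option from the guide's table:
      container_dn -> --container, server -> --server, alias -> --alias,
      noconf -> --noconf, force -> "Overwrite existing joined Computer" (--force).
    With user=None adjoin falls back to the Administrator account.
    """
    # The guide says to join using a fully-qualified domain name.
    if not domain or "." not in domain:
        raise ValueError("join with a fully-qualified domain name")
    argv = ["adjoin"]
    if user:
        argv += ["--user", user]
    if container_dn:
        argv += ["--container", container_dn]
    if server:
        argv += ["--server", server]
    if alias:
        argv += ["--alias", alias]
    if noconf:
        argv.append("--noconf")
    if force:
        argv.append("--force")
    argv += ["--workstation", domain]
    return argv


def as_shell(argv):
    """Quote argv for display or for pasting into a root shell."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    dn = ou_path_to_container_dn("paris.regional.sales.acme.com", "acme.com")
    print(as_shell(build_adjoin_command("acme.com", user="dylan", container_dn=dn)))
```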

Restarting services after installing or joining the domain

You may need to restart some services on UNIX computers where you have installed the Centrify DirectControl Agent so that those services will reread the name switch configuration file. For example, if you typically log on to the UNIX computer through a graphical desktop manager such as gdm, you need to either restart the gdm service or reboot the workstation to force the service to read the updated configuration before Active Directory users can log on. The most common services that need to be restarted are sshd and gdm. If you are using these services, you should restart them. For example, to restart sshd:

/etc/init.d/sshd restart

As an alternative to restarting individual services, you may want to reboot the system to restart all services.

Note Because the applications and services on different servers may vary, Centrify recommends you reboot each system to ensure all of the applications and services on the system read the Centrify DirectControl configuration changes at your earliest convenience.

Adding generally-licensed features

To take full advantage of all Centrify DirectControl features, including the ability to create zones and apply group policies, you need to run a generally-licensed version of the product.


To upgrade to a generally-licensed version of Centrify DirectControl, complete the following steps:

1 Obtain a license or download an evaluation copy from the centrify.com Website.

2 On a Windows machine that is joined to the domain, run the Centrify Suite 2011 setup program to install the Centrify DirectControl Management Tools.

3 On the UNIX machine that is running Centrify DirectControl Express, run the following command to enable licensed features. If successful, you will see a message about group policies:

adlicense --licensed
Group policies will be initialized on background

4 Run a command similar to the following to verify that licensing has been enabled:

adinfo
Local host name: qa1
Joined to domain: acme.com
Joined as: qa1.acme.com
Pre-win2K name: qa1
Current DC: acme-dc1.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Enabled

5 After enabling licensed features, the computer is still connected to Auto Zone. To connect to a specific zone, you must leave, then rejoin the domain:

adleave
Active Directory password:***
...
Left Active Directory domain
Centrify DirectControl stopped.

adjoin acme.com

If you do not specify a zone, as in this example, you are automatically connected to the default zone. If you have already created zones, you can specify a zone on the command line; for example, to connect to the Finance zone:

adjoin -z Finance acme.com

You may also move a computer to a different zone by using the DirectControl Console. See the Administrator’s Guide for details.

See the Centrify DirectControl Administrator’s Guide and the Planning and Deployment Guide for information about creating and managing zones, using group policy, and other Centrify DirectControl features.

Although enabling licensing gives you access to all DirectControl features, the Express installation does not install all optional packages, such as CentrifyDC NIS or DirectAudit. To install additional DirectControl packages, rerun the installation script as described in the next section, Updating the Express installation.

Updating the Express installation

To update from an Express installation to a full Centrify DirectControl product, you can simply turn on licensed features as explained in “Adding generally-licensed features” on page 46. However, certain optional Centrify DirectControl packages are not installed by the Express installation. To add these packages, you must rerun the installation script, as follows:

1 Change to the appropriate directory on the CD or to the directory where you have copied or downloaded the Centrify DirectControl package. Then run the installation script that you used originally to install Centrify DirectControl:

install.sh

Alternately, you can download and unzip a new DirectControl package and run its installation script.

2 You are prompted whether to keep, erase, or reinstall the currently installed packages (CentrifyDC and Centrify openSSH) and whether to install specific new packages. Accept the default (K, keep) for the currently installed packages, and specify yes (Y) for the packages you want to add; for example, Centrify DirectControl NIS and DirectAudit.

For the following prompt, type Y and press Enter to enable licensed features. Be certain that you have installed the Centrify DirectControl Console on a Windows machine and have an available license.

Enable licensed features? (Q|Y|N) [Y]:

You can also choose to run adcheck, enable auditing (if you installed DirectAudit), and reboot the computer after installation.

The computer remains joined to the domain you previously joined and your existing /etc/centrifydc/centrifydc.conf file is backed up and any modifications you have made to the file are migrated to the new version of the file.

3 Restart running services, such as login, sshd, or gdm (if you did not reboot during installation), or reboot the computer to ensure all services use the updated configuration. For example, you can run the following command to stop running sessions:

pkill -1 sshd

Removing Centrify DirectControl

On most Centrify DirectControl-managed systems, you can remove the Centrify DirectControl Agent and related files by running the uninstall.sh script. The uninstall.sh script is installed by default in the /usr/share/centrifydc/bin directory on each Centrify DirectControl-managed system.

To remove Centrify DirectControl on a Linux, UNIX, or Mac OS X computer:

1 Log on to the computer where the Centrify DirectControl Agent is installed.


2 Run the uninstall.sh script. For example:

/bin/sh /usr/share/centrifydc/bin/uninstall.sh

The uninstall.sh script will detect whether the Centrify DirectControl Agent is currently installed on the local computer and will ask you whether you want to uninstall your current Centrify DirectControl installation.

3 To uninstall Centrify DirectControl, enter Y when prompted.

If you cannot locate or are unable to run the uninstall.sh script, you can use the appropriate command for the local operating environment to remove the Centrify DirectControl Agent and related files. The following table summarizes the commands to use in different environments:

To remove from    Do this

Red Hat Linux
    Run the following command:
    rpm -e centrifydc

SuSE Linux
    Run the following command:
    rpm -e centrifydc

Debian Linux
    Run the following command:
    dpkg -P centrifydc

Mac OS X
    You must use the uninstall.sh script to remove Centrify DirectControl files on Macintosh computers.


Chapter 3

Using DirectControl Express

This chapter explains how to perform basic administrative tasks with DirectControl Express.

The following topics are covered:

Logging in to your computer

Applying password policies and changing passwords

Working in disconnected mode

Mapping local UNIX accounts to Active Directory

Setting a local override account

Using standard programs such as telnet, ssh, and ftp

Using Samba

Setting Auto Zone configuration parameters


Logging in to your computer

When you install Centrify DirectControl Express on a computer and join a domain, all users and groups defined in Active Directory for the forest automatically become valid users and groups on the machine. In addition, all Active Directory users defined in a forest with a two-way, cross-forest trust relationship to the forest of the joined domain, are also valid users for the machine.

To see a list of valid users, open Active Directory Users and Computers (ADUC) on a Windows machine in the domain, then navigate to domainName > Users.

Note By default, DirectControl transforms Active Directory names into UNIX names in the form of a SAM name (short name in Mac OS X); for example, jcool. You can specify a different form for the UNIX name by setting the value of the auto.schema.name.format parameter in the DirectControl configuration file.

You log in to a computer exactly as you do locally by entering a username and password. You do not have to specify the domain name when you log in.

DirectControl accepts the following login formats:

AD username (samAccountName or Mac OS X short name) and password: jcool

AD username@domain (userPrincipalName) and password: [email protected]

NTLM style (domain\username) and password: mkline\jcool or mkline.com\jcool

When users are defined in a local forest, you can locate them in Active Directory with any of the user login formats, that is, by their UNIX profile name, their userPrincipalName, or their samAccountName in the form of their user logon name alone or in its full pre-Windows 2000 format of domainname\username.
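As an added example, not Centrify code, the following Python normalizes the three login formats listed above into one form and rejects ambiguous input instead of guessing, which is what a log parser or access-review script built on these names needs. The joined domain mkline.com and its NetBIOS name mkline are assumptions for the sample.

```python
"""Normalize the login formats DirectControl accepts into (user, domain).

Added example, not Centrify code; it shows how the three formats from the
guide map onto one canonical form. The joined domain (assumed here to be
mkline.com, NetBIOS name mkline) would really come from adinfo.
"""

JOINED_DOMAIN = "mkline.com"   # assumption for the example
JOINED_NETBIOS = "mkline"      # assumption for the example


def parse_login(login, joined_domain=JOINED_DOMAIN):
    """Return {"user", "domain", "format"} for one of the accepted formats.

      jcool                -> samAccountName; the joined domain is assumed
      jcool@mkline.com     -> userPrincipalName
      mkline\\jcool         -> NTLM style with the NetBIOS domain name
      mkline.com\\jcool     -> NTLM style with the DNS domain name

    Anything ambiguous (empty parts, whitespace, both '@' and '\\') raises
    ValueError rather than guessing, so nothing downstream silently picks
    the wrong account.
    """
    if not login or any(ch.isspace() for ch in login):
        raise ValueError(f"malformed login {login!r}")
    if "\\" in login and "@" in login:
        raise ValueError(f"mixed NTLM and UPN syntax in {login!r}")

    if "\\" in login:
        domain, user = login.split("\\", 1)
        fmt = "ntlm"
    elif "@" in login:
        user, domain = login.rsplit("@", 1)
        fmt = "upn"
    else:
        user, domain, fmt = login, joined_domain, "sam"

    if not user or not domain:
        raise ValueError(f"malformed login {login!r}")
    # Domain names are case-insensitive; the user part is left as typed
    # because DirectControl derives the UNIX name from the samAccountName.
    return {"user": user, "domain": domain.lower(), "format": fmt}


def names_joined_domain(parsed, dns_name=JOINED_DOMAIN, netbios_name=JOINED_NETBIOS):
    """True when the login refers to the joined domain itself (by DNS or
    NetBIOS name). False means the account would come from another domain
    in the forest or from a two-way trusted forest."""
    return parsed["domain"] in {dns_name.lower(), netbios_name.lower()}


if __name__ == "__main__":
    for sample in ("jcool", "jcool@mkline.com", "mkline\\jcool", "mkline.com\\jcool"):
        print(sample, "->", parse_login(sample))
```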

Getting information about the Active Directory configuration

When logged in as an ordinary user or as the root user, you can use the adinfo command to see information about the Active Directory configuration for the local computer. For example:

adinfo
Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled

Note that licensed features are disabled and that the zone is Auto Zone.

Centrify DirectControl Standard Edition uses its zone technology to provide secure, granular access control and delegated administration for UNIX computers joined to a domain. DirectControl Express, on the other hand, does not provide the ability to create zones. When a computer joins a domain, it is automatically joined to Auto Zone. This greatly simplifies the process of joining a domain but does not provide the same granular access control as defining and using zones does.

Auto Zone essentially is one super zone for the forest. With Auto Zone, UNIX attributes that would be defined in the zone to which the UNIX machine is joined (with Centrify DirectControl Standard Edition) are derived from user attributes in Active Directory, or from DirectControl configuration parameters.


Applying password policies and changing passwords

Centrify DirectControl enforces all of the password policies you have defined in Active Directory for the UNIX accounts you enable. Therefore, if you create a new UNIX user account that requires a password change the next time the user logs on, the user is prompted to change the password the next time she logs on to either a Windows or UNIX computer.

When the user provides a new password, Centrify DirectControl checks the new password to make sure it conforms to Active Directory policies for length and complexity. If the new password meets all of the criteria, the account is updated with the new information in Active Directory and the user logs on successfully.

Centrify DirectControl also enforces the password expiration period, the password reuse policy, account lock out policy, workstation restrictions, and logon hour restrictions if you have defined these policies for any user account. In addition, Centrify DirectControl displays a warning message on the UNIX computer if a user’s password is about to expire.

Administrators can set, reset, or change the password for users using Active Directory or from the UNIX command line. Individual users can also change their own password at any time using the adpasswd command.

Changing your own password

If you attempt to log in but your password has expired, you are prompted to provide your old password, a new password, and to confirm your new password. You can also change your own password at any time using adpasswd.

To change your own password using adpasswd:

1 At the UNIX command line, run the following command:

adpasswd


2 Type your old password. When changing your own password, you must always provide your old password.

3 Type the new password. The password should conform to Active Directory password policies.

4 Retype the new password.

For more information about using adpasswd, see the adpasswd man page or “Using adpasswd” on page 108.

Changing another user’s password

The adpasswd command can be used to change the password of another Active Directory user if you provide the user name and password of an administrative account with the authority to change another user’s password.

To change the password for another user using adpasswd:

1 At the UNIX command line, run the adpasswd command and specify an Active Directory administrative account name with the authority to change the password for users in the domain. For example, to use the admin user account to change the password for the user jane in the sales.acme.com domain:

adpasswd --adminuser [email protected] [email protected]

2 Type the password for the administrative account. For example:

Administrator password: xxx

3 Type the new password for the user specified. Because you are changing another user’s password, you are not prompted for an old password. For example:

New password:

4 Retype the new password.

Repeat password:

For more information about using adpasswd, see the adpasswd man page or “Using adpasswd” on page 108.


Working in disconnected mode

Once an Active Directory user logs on to a UNIX computer successfully, the authentication is cached by the Centrify DirectControl Agent. These credentials can then be used to authenticate the user in subsequent log on attempts if the user is disconnected from the network or an Active Directory domain controller is not available.

If there are changes to an account while the account is running in disconnected mode, the changes don’t take effect until the user reconnects to Active Directory to start a new session or access a new service. For example, if a user account is disabled or has its password changed in Active Directory while the user is disconnected from the network, the user can still log on and use the old password until reconnected to the network. Once the user reconnects to Active Directory, the changes take effect and the user is denied access or prompted to provide an updated password. Because changing the password for an Active Directory account requires a connection to an Active Directory domain controller, users cannot change their own Active Directory password when working in disconnected mode.

Note If users log out of a session while disconnected from Active Directory, they can be authenticated using the information in the cache when they log back on because they have been successfully authenticated in a previous session. They cannot, however, be authenticated automatically to any additional services after logging back on. To enable automatic authentication for additional services, the user’s credentials must be presented to the Key Distribution Center (KDC) then issued a ticket that can be presented to other services for unprompted, single sign-on authentication. Because the KDC is unavailable when disconnected from Active Directory, single sign-on authentication is also unavailable.

You can configure many aspects of how credentials are handled, including how frequently they are updated or discarded, through Centrify DirectControl parameter settings in the Centrify DirectControl configuration file.

To configure how credentials are handled across multiple computers by using group policies, upgrade from Express to Centrify DirectControl Standard or Enterprise Edition.

Mapping local UNIX accounts to Active Directory

By default, local UNIX user accounts are still valid on the UNIX computers that join the Active Directory domain. You can then use Centrify DirectControl configuration parameter settings to control any special handling for select accounts. For example, you can use configuration parameters to map a local user account to an Active Directory account. Mapping a local UNIX user account to an Active Directory account gives you Active Directory-based control over password policies, such as password length, complexity, and expiration period.

Note The information in this section applies primarily to Linux machines. Although you can map local Mac OS user accounts to Active Directory accounts, Mac OS users can still log on using their local account password, so you cannot effectively use Active Directory to enforce your password policies for local Mac OS user accounts.

If a local user has the same profile (user name, UID, and GID) as an Active Directory user but a different password, the local user account is used for authentication when logging on using the Mac login window. If you are logging on remotely (for example, using telnet or ssh), you must use the Active Directory user’s password for authentication.

Mapping a local account to Active Directory is especially useful if you want to migrate an existing local user to an Active Directory account but preserve access to their current Linux home directory and files. For example, if you create an Active Directory account for an existing local user but specify a different name, when the user logs in, they will have a new home directory and will not be able to access their former home directory and files.

To map a local account to an Active Directory account, you can set the pam.mapuser.username configuration parameter on any individual local computer.

To configure account mapping across multiple computers by using group policies, upgrade from Express to a generally-featured version of Centrify DirectControl.

Using the pam.mapuser parameter to map local accounts

To map a local user account to an Active Directory user by modifying the Centrify DirectControl configuration file:

1 Create the Active Directory user account to use.

On your Windows Active Directory computer, open Active Directory Users and Computers (ADUC). Navigate to the Users node, right click and select New > User.

Enter the information for the user. You can create any name you want for the user, but if you want the AD user to have access to the same home directory and files as the local user, create a user logon name with the same name as the local user; for example, for local user joe.cool on the qa2 computer, in the acme.com domain:


[joe.cool@qa2 ~]$

2 On the Linux computer, open the Centrify DirectControl configuration file /etc/centrifydc/centrifydc.conf.

3 Locate the pam.mapuser.root configuration parameter and un-comment the line to change the default setting.

4 Modify the local account mapping to identify the local user account you want mapped to the Active Directory user you created; for example:

pam.mapuser.joe.cool: joe.cool

5 Save the changes to the configuration file, then run the adreload command to reload the configuration file and have the changes take effect.


Setting a local override account

In most cases, every computer should have at least one account that can be authenticated locally to ensure you can access the system when the network or Active Directory is not available or Centrify DirectControl is not running. By default, the local override account is set to the root user so that even if you map the root account to an Active Directory account, you can always log on locally using root@localhost and the local root account password.

You can change the default root override account or add additional local users by modifying the computer’s Centrify DirectControl configuration file.

To configure a local override account across multiple computers by using group policies, upgrade from Express to Centrify DirectControl Standard or Enterprise Edition.

Using standard programs such as telnet, ssh, and ftp

When a computer is managed by DirectControl, authorized users use standard programs and services such as telnet, ssh, and ftp.

Using telnet and ftp is straightforward. See Appendix D, “Using DirectControl with SSH,” for detailed information on how to set up and use SSH.

Using Samba

DirectControl Express includes a special Samba package, DirectControl-enabled Samba, that combines DirectControl with Samba file server technology to enable DirectControl and Active Directory to handle identity management and user credentials, such that Active Directory users on Windows or UNIX computers can access Samba shares across the enterprise.

See the Samba Integration Guide for details on integrating Samba and DirectControl.


Using DirectControl Express with an existing Samba installation

If you are using a non-Centrify-enabled version of Samba (configured as an AD domain member) and install DirectControl Express on the same UNIX host, two problems arise:

Samba and DirectControl both attempt to create and manage the same AD computer account object (based on the UNIX host name) causing one of the products to stop working.

Conflicting UIDs and GIDs will be assigned to the same AD users and groups because the algorithms for generating these values differ between Samba and DirectControl, leading to file ownership confusion and access control problems.

To address these issues, you can install Centrify-enabled Samba, which integrates DirectControl and Samba to exist harmoniously on the same UNIX machine.

Note Due to the lack of zones in DirectControl Express, you cannot migrate existing Samba-generated UIDs and GIDs to DirectControl. Although it is possible to manually convert the Samba-generated UIDs and GIDs to the same IDs generated by Centrify, Centrify currently provides no tools to help with this process.

On the other hand, if you upgrade to a generally-featured version of DirectControl, Centrify-enabled Samba provides a PERL configuration script that helps migrate existing UIDs and GIDs to DirectControl zones.

Setting Auto Zone configuration parameters

DirectControl provides a set of configuration parameters specifically for computers that are connected to a domain through Auto Zone, which is how all computers with DirectControl Express are connected to a domain.

Because Auto Zone is essentially one large zone for the forest, you can encounter problems such as UID and GID conflicts, slow searches because of the number of users, and so on in a forest with a large number of domains.

In general, the default values should work, but if you encounter problems, such as slow searches or UID conflicts, see Appendix B, “Customizing Auto Zone configuration parameters,” for information on how to set specific parameters to resolve the issue.


Chapter 4

Troubleshooting Centrify DirectControl

This chapter describes how to use diagnostic tools and log files to retrieve information about the operation of Centrify DirectControl and to identify and correct problems within your environment.

The following topics are covered:

Understanding diagnostic tools and log files

Configuring logging for Centrify DirectControl

Collecting diagnostic information

Working with DNS, Active Directory, and DirectControl

Understanding the DirectControl DNS client

Understanding diagnostic tools and log files

Centrify DirectControl includes some basic diagnostic tools and a comprehensive logging mechanism to help you trace the source of problems if they occur. These diagnostic tools and log files allow you to periodically check your environment and view information about Centrify DirectControl operation, your Active Directory connections, and the configuration settings for individual UNIX and Linux computers.

Although Centrify DirectControl logging is not enabled by default for performance reasons, log files provide a detailed record of Centrify DirectControl activity. This information can be used to analyze the behavior of adclient and communication with Active Directory to locate points of failure. However, log files and other diagnostic tools provide an internal view of operation and are primarily intended for Centrify DirectControl experts and technical staff.


In most cases, you should only enable logging when you need to troubleshoot unexpected behavior, authentication failure, or problems with connecting to Active Directory or when requested to do so by Centrify Technical Support. Other troubleshooting tools, such as command line programs, can be used at any time to collect or display information about your environment.

Configuring logging for Centrify DirectControl

By default, Centrify DirectControl logs errors, warnings and informational messages in the UNIX syslog and /var/log/messages files along with other kernel and program messages. Although these files contain valuable information for tracking system operations and troubleshooting issues, occasionally you may find it useful to activate Centrify DirectControl-specific logging and record that information in a Centrify DirectControl log file.

Enabling logging for the Centrify DirectControl Agent

To enable Centrify DirectControl logging on the Centrify DirectControl Agent:

1 Log in as or switch to the root user.

2 Run the addebug command:

/usr/share/centrifydc/bin/addebug on

Note You must type the full path to the command because addebug is not included in the path by default.

Once you run this command, all of the Centrify DirectControl activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging on, the addebug program records messages from PAM and NSS requests in the /var/centrifydc/centrify_client.log file. Therefore, you should also check that file location if you enable logging.


For performance and security reasons, you should only enable Centrify DirectControl logging when necessary, for example, when requested to do so by Centrify Technical Support, and for short periods of time to diagnose a problem. Keep in mind that sensitive information may be written to this file and you should evaluate the contents of the file before giving others access to it.

When you are ready to stop logging activity, run the addebug off command.

Setting the logging level

You can define the level of detail written to the log by setting the log configuration parameter in the Centrify DirectControl configuration file:

log: level

With this parameter, the log level works as a filter to define the type of information you are interested in and ensure that only the messages that meet the criteria are written to the log. For example, if you want to see warning and error messages but not informational messages, you can change the log level from INFO to WARN. By changing the log level, you can reduce the number of messages included in the log and record only messages that indicate a problem. Conversely, if you want to see more detail about system activity, you can change the log level to INFO or DEBUG to log information about operations that do not generate any warnings or errors.


You can use the following keywords to specify the type of information you want to record in the log file:

Specify this level   To log this type of information

FATAL                Fatal error messages that indicate a system failure or other severe, critical event. In addition to being recorded in the system log, this type of message is typically written to the user’s console. With this setting, only the most severe problems generate log file messages.

ERROR                System error messages for problems that may require operator intervention or from which system recovery is not likely. With this setting, both fatal and less-severe error events generate log file messages.

WARN                 Warning messages that indicate an undesirable condition or describe a problem from which system recovery is likely. With this setting, warnings, errors, and fatal events generate log file messages.

INFO                 Informational messages that describe operational status or provide event notification.

Logging details for a specific component

By default, when you specify a logging level, it applies to all of the Centrify DirectControl components that log activity. The logging system, however, provides a hierarchical organization of logical log names for the components within DirectControl, and each of these logical logs can be configured to provide more targeted analysis of its specific operations. For example, if you set your base logging level to only report serious errors but you want to see informational, warning, and error messages for adclient, you can add a separate logging level parameter for the log messages generated by adclient:

# Use the following setting to set the base level of detail
# for logging to record Error messages:
log: ERROR

# Add the name of the adclient logical log and specify the
# logging level to use for it and its children:
log.com.centrify.adclient: INFO
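The following is an added example, not Centrify code, that models the filter the base log level and the per-component log.<name> override describe: it parses the two settings shown above and reports whether a message of a given severity from a logical log, or from one of its children, would be recorded. The only assumption is that child logs are named as dotted suffixes of their parent (com.centrify.adclient.dns under com.centrify.adclient).

```python
"""Hierarchical log-level filter modelled on the log / log.<name> parameters.

Added example, not Centrify code. Parses a base 'log:' level plus per-component
overrides and decides whether a message from a logical log is recorded. The
parent/child relation between logical logs is assumed to follow dotted names.
"""

# Severity order from the table above: index 0 is the most severe.
LEVELS = ["FATAL", "ERROR", "WARN", "INFO", "DEBUG"]

# Constructed sample: the same two settings the section shows.
SAMPLE_CONFIG = """\
# Use the following setting to set the base level of detail
# for logging to record Error messages:
log: ERROR

# Add the name of the adclient logical log and specify the
# logging level to use for it and its children:
log.com.centrify.adclient: INFO
"""


def parse_log_config(text):
    """Return {logical_log_name: LEVEL}; the base 'log:' level is stored under ''."""
    levels = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().upper()
        if value not in LEVELS:
            raise ValueError("unknown log level %r for %s" % (value, key))
        if key == "log":
            levels[""] = value
        elif key.startswith("log."):
            levels[key[len("log."):]] = value
    return levels


def effective_level(levels, logical_log):
    """Walk from the logical log up through its ancestors to the base level."""
    name = logical_log
    while name not in levels:
        if not name:
            raise KeyError("no base 'log:' level configured")
        # com.centrify.adclient.dns -> com.centrify.adclient -> com.centrify -> com -> ''
        name = name.rpartition(".")[0]
    return levels[name]


def is_recorded(levels, logical_log, severity):
    """True if a message of this severity from this log passes the filter."""
    threshold = effective_level(levels, logical_log)
    return LEVELS.index(severity) <= LEVELS.index(threshold)


if __name__ == "__main__":
    cfg = parse_log_config(SAMPLE_CONFIG)
    for log, sev in [("com.centrify.adclient", "INFO"),
                     ("com.centrify.adclient.dns", "WARN"),
                     ("com.centrify.other", "WARN")]:
        print(log, sev, "recorded" if is_recorded(cfg, log, sev) else "dropped")
```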


Logging to the circular in-memory buffer

If the Centrify DirectControl Agent’s adclient process is interrupted or stops unexpectedly, a separate watchdog process (cdcwatch) automatically enables an in-memory circular buffer that writes log messages passed to the logging subsystem to help identify what operation the adclient process was performing when the problem occurred. The in-memory buffer is also mapped to an actual file, so that if there’s a system crash or a core dump, the last messages leading up to the event are saved. Messages from the in-memory circular buffer have the prefix _cbuf, so they can be extracted from a core file using the strings command.

The in-memory circular buffer allows debug-level information to be automatically written to a log file even if debugging is turned off. It can be manually enabled by restarting the adclient process with the -M command line option. The default size of the buffer is 128K, which should be sufficient to log approximately 500 messages. Because enabling the buffer can impact performance, you should not manually enable the circular buffer or modify its size or logging level unless you are instructed to make the changes by Centrify Support.

Collecting diagnostic information

You can use the adinfo command to display or collect detailed diagnostic and configuration information for a local UNIX computer. Options control the type of information and level of detail displayed or collected. The options you are most likely to use to collect diagnostic information are the --config, --diag, or --support options, which require you to be logged in as root. You can redirect the output from any adinfo command to a file for further analysis or to forward information to Centrify Technical Support.


For more information about the options available and the information returned with each option, see “Using adinfo” on page 127.

To display the basic configuration information for the local UNIX computer, you can type:

adinfo

If the computer has joined a domain, this command displays information similar to the following:

Local host name: magnolia
Joined to domain: ajax.org
Joined as: magnolia.ajax.org
Current DC: ginger.ajax.org
Preferred site: Default-First-Site-Name
Zone: Auto Zone
Last password set: 2006-12-28 14:47:57 PST
CentrifyDC mode: connected
Licensed Features Disabled

Working with DNS, Active Directory, and DirectControl

Centrify DirectControl is designed to perform the same set of DNS lookups that a typical Windows workstation performs to find the nearest domain controller for the local site. This DNS lookup enables the DirectControl agent to find domain controllers as they become available on the network or as the computer is relocated to another network location where different domain controllers are present. DirectControl also uses DNS to find the Kerberos service providers and the Global Catalog service providers for the Active Directory forest.

In a typical Windows environment, the DNS server role is updated dynamically to contain the service locator (SRV) DNS entries for Active Directory’s LDAP, Kerberos, and Global Catalog services, so this information is available for Centrify DirectControl to use. However, there are some configurations of DNS that may not provide all of the SRV records for the set of domain controllers that provide Active Directory service to the enterprise. You may also run into problems if DNS for the enterprise runs on UNIX servers that cannot locate your Active Directory domain controllers. The next sections describe how you can adjust DNS or DirectControl to ensure they work together properly in your environment.

Configuring the DNS server role on Windows

One of the most common scenarios for running DNS in an environment with Active Directory is to add the DNS server role to a Windows domain controller or another Windows server.

If you are already using DNS in Active Directory and dynamically publishing DNS service records, no additional configuration for Centrify DirectControl should be necessary. If you are using DNS in Active Directory but have disabled dynamic updates, you should change the configuration for the DNS server role to allow dynamic updates. Making this change will allow Centrify DirectControl to properly locate domain controllers in the site and select an appropriate new domain controller if a connection to its primary domain controller is lost or the managed computer is moved to a new location on the network.

Configuring DNS running on UNIX servers

If your environment is configured to use UNIX-based DNS servers instead of Active Directory-based DNS servers and the UNIX system is configured to use DHCP, the nameserver entry in /etc/resolv.conf file is set automatically to point to a DNS server.

If this DNS server is aware of the Active Directory domain you want to join, no further changes are needed. If the DNS server identified as a nameserver in the /etc/resolv.conf file is not aware of the domain you are trying to join, for example, because you are using a test domain or a separate evaluation environment, you need to either disable DHCP or manually set the location of the Active Directory domain controller in the Centrify DirectControl configuration file.


Checking whether DNS can resolve the domain controller

In most cases, you can verify whether a UNIX computer can locate the domain controller and related services by running the ping command and verifying connectivity to the correct Active Directory domain controller or by checking the nameserver entry in the /etc/resolv.conf file. This nameserver entry should be the IP address of one of the domain controllers in the domain you want to join.

If the ping command is successful, it indicates the DNS server is aware of the Active Directory domain you want to join and no further changes are needed. If the ping command is not successful, you will need to take further action to resolve the issue.

Resolving issues in locating Active Directory domain controllers

If the UNIX computer cannot find the Active Directory domain controller, there are several ways you can resolve the issue. Depending on your environment and specific situation, you should consider doing one of the following:

Set up DNS on the target Active Directory domain controller, then manually configure the nameserver entry in the /etc/resolv.conf file to use that domain controller, as described in “Setting up DNS service on a target domain controller” on page 70.

Set the Centrify DirectControl configuration file to manually identify the domain controllers you want to use as described in “Setting the domain controller in the configuration file” on page 73.

Setting up DNS service on a target domain controller

One of the simplest ways to ensure that the UNIX computers can locate the Active Directory domain controller and related services is to use the DNS service on the Active Directory domain controller as a DNS slave to the enterprise DNS servers. You can do this by configuring the DNS server role on the Active Directory domain controller, then specifying that domain controller in the UNIX computer’s /etc/resolv.conf file. You can then add a forwarder to the local DNS on the domain controller that will pass on all lookups that it cannot satisfy to an enterprise DNS server.

This configuration does not require any changes to the enterprise DNS servers. Any lookup request from the domain controller is simply a query from another computer in the enterprise. However, the UNIX computers configured to use this slave DNS service will receive the appropriate Service Location (SRV) records and Global Catalog updates for the Active Directory domain controller. In addition, the DNS service on the domain controller can be configured to forward requests to the enterprise DNS servers so those requests can be answered when the local DNS service cannot respond.

Adding a DNS server role to an Active Directory domain controller

To configure the DNS service on a Windows Server 2003 domain controller:

Note The specific steps for configuring the DNS server vary depending on whether you are configuring a Windows 2000 Server or a Windows Server 2003 computer. The following steps describe how to configure DNS on Windows Server 2003. If you are configuring DNS on Windows 2000, you may want to consult your Windows documentation for differences that are specific to your environment.

1 Open the Start Menu and click Manage Your Server.

2 Click Add or remove a role, review the preliminary steps, then click Next.

3 Select DNS Server from the list of Server Roles. If the DNS Server role is not currently configured, click Next.


Note If this server role is already configured on this computer, you can skip the next steps and go on to “Configuring UNIX to use DNS service on the target domain controller” on page 72.

4 Review the summary of steps, then click Next to display the Configure a DNS Server Wizard. Click Next to configure the DNS server lookup zones.

5 Select the Create a forward lookup zone (recommended for small networks) option, then click Next.

6 Select This server maintains the zone, then click Next.

7 Type the domain name (dn) component of the Active Directory domain controller’s name, then click Next. In most cases, you should specify a sub-domain of the top-level domain name. For example, if the forest root domain for the organization is acme.com, you might have a sub-domain of labs.acme.com.

8 Select the Allow both nonsecure and secure dynamic updates option, then click Next.

9 Type the IP address for at least one of the enterprise DNS servers, then click Next. Setting at least one valid IP address ensures that any request the local DNS server cannot answer will be forwarded to a valid enterprise DNS server.

10 Click Finish to complete the configuration of the DNS server.

Once you have configured DNS on the local computer, the local computer uses the local DNS server as its primary DNS server.

Configuring UNIX to use DNS service on the target domain controller

Once you have configured the DNS service to contain the required Active Directory entries, you simply need to modify the UNIX computer to send all DNS lookup requests to the newly configured DNS server.

To configure the UNIX computer to use the new DNS server:

1 Open the /etc/resolv.conf file.


2 Set the IP address of the nameserver entry to the IP address of the DNS server on the Active Directory domain controller you just configured.

Setting the domain controller in the configuration file

If you are not able to use DNS to locate the Active Directory domain controllers on your network, you can manually specify one or more domain controllers in the Centrify DirectControl configuration file.

To manually specify a domain controller, add the following entry to the Centrify DirectControl configuration file, /etc/centrifydc/centrifydc.conf:

dns.dc.domain_name: server_name [server_name ...]

For example, if you want to use Centrify DirectControl in a domain called mylab.test and the domain controller for this domain is dc1.mylab.test, you would add the following line to the /etc/centrifydc/centrifydc.conf file:

dns.dc.mylab.test: dc1.mylab.test

Note You must specify the name of the domain controller, not its IP address. In addition, the domain controller name must be resolvable using either DNS or in the local /etc/hosts file. Therefore, you must add entries to the local /etc/hosts for each domain controller you want to use if you are not using DNS or if the DNS server cannot locate your domain controllers.

To specify multiple servers for a domain, use a space to separate the domain controller server names. For example:

dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test

Centrify DirectControl will attempt to connect to the domain controllers in the order specified. For example, if the domain controller dc1.mylab.test cannot be reached, Centrify DirectControl will then attempt to connect to dc2.mylab.test.

If the Global Catalog for a given domain is on a different domain controller, you can add a separate dns.gc.domain_name entry to the configuration file to specify the location of the Global Catalog. For example:

dns.gc.mylab.test: dc3.mylab.test

You can add as many domain and domain controller entries to the Centrify DirectControl configuration file as you need. Because the entries manually specified in the configuration file override any site settings for your domain, you can completely control DirectControl’s binding to the domains in your forest through this mechanism.

Note In most cases, you should use DNS whenever possible to locate your domain controllers. Using DNS ensures that any changes to the domain topology are handled automatically through the DNS lookups. The settings in the configuration file provide a manual alternative to looking up information through DNS for those cases when using DNS is not possible. If you use the manually-defined entries in the configuration file and the domain topology is changed by an Active Directory administrator, you must manually update the location of the domains in each configuration file.

Using the fixdns script

Centrify DirectControl includes a fixdns script that you can use to inspect your environment and make the necessary configuration file changes for you.

To run this script, you need to specify the domain controller name and IP address:

fixdns domain_controller_name IP_address

For example, if you intend to join the domain mytest.lab and the domain controller for that domain is dc1.mytest.lab and its address is 172.27.20.1, you would run the following command:

fixdns dc1.mytest.lab 172.27.20.1

The fixdns script will then make the necessary changes to the /etc/hosts and the DirectControl configuration file.

Note This script does not update the /etc/resolv.conf file. If the script cannot locate the domain controller using the existing /etc/resolv.conf settings, it will assume that you want to use settings from the configuration file.

Understanding the DirectControl DNS client

DirectControl provides a DNS subsystem that completely bypasses the local DNS resolver to address issues that occur with many local DNS resolvers, such as:

Degraded performance when connecting to and continuing to use a slow DNS server or when attempting to use dead DNS servers.

Degraded performance when reacquiring a DNS server that went offline and has come back online.

Degraded performance related to DNS timeouts.

Platform-related DNS idiosyncrasies, such as MDNS, appending .LOCAL suffixes, and so on.

The DirectControl DNS subsystem performs the following functions:

Looks up hosts by name

Looks up hosts by IP address

Queries DNS service location records (SRV) to discover Domain Controllers that support Active Directory related services including KDC, KPASSWD, LDAP and global catalog.

Resolving a host name or IP address

This section explains how the DNS client subsystem processes DNS requests.

Resolving a DNS request in /etc/hosts

When attempting to resolve a host name or IP address, the DNS subsystem first checks to see if the /etc/hosts file contains an entry to resolve the specified host name or IP address.


Entries in /etc/hosts must be in the following format:

IPv4_address hostname alias alias ...

where:

IPv4_address must be in the first position

hostname is a fully-qualified domain name and must be in the second position.

aliases are optional and follow the address and hostname entries.

For example:

192.169.147.135 ginger.acme.com ginger

Note Service (SRV) record queries cannot be satisfied from the /etc/hosts file.
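The following is an added example, not a Centrify tool, that ties the two preceding sections together: it parses dns.dc.* and dns.gc.* entries from centrifydc.conf-style text and an /etc/hosts file in the layout just described, then reports any manually specified domain controller that is given as an IP address instead of a name, or whose name /etc/hosts cannot resolve. Both inputs are constructed samples, and the check deliberately ignores the DNS path the real agent can also use.

```python
"""Offline check of manually specified domain controllers against /etc/hosts.

Added example, not a Centrify tool. Parses dns.dc.* / dns.gc.* entries and an
/etc/hosts file in the IPv4-first, FQDN-second layout described above, then
reports IP literals used as server names and names /etc/hosts cannot resolve.
Inputs are constructed samples; resolution through DNS is not modelled.
"""
import ipaddress

# Constructed sample configuration (10.0.0.5 is a deliberate mistake: the
# parameter requires a name, not an address).
SAMPLE_CONF = """\
dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test
dns.gc.mylab.test: dc3.mylab.test
dns.dc.other.test: 10.0.0.5
"""

# Constructed sample /etc/hosts; the last line violates the IPv4-first rule.
SAMPLE_HOSTS = """\
127.0.0.1 localhost.localdomain localhost
172.27.20.1 dc1.mylab.test dc1   # lab domain controller
172.27.20.2 dc2.mylab.test dc2
ginger ginger.acme.com
"""


def parse_dc_entries(conf_text):
    """Return {(kind, domain): [server, ...]} for dns.dc.* and dns.gc.* keys.

    Server order is preserved because DirectControl tries the servers in the
    order listed.
    """
    entries = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        for kind in ("dc", "gc"):
            prefix = "dns.%s." % kind
            if key.startswith(prefix):
                entries[(kind, key[len(prefix):])] = value.split()
    return entries


def parse_hosts(hosts_text):
    """Return ({name: ipv4}, [(lineno, problem), ...]).

    Every hostname and alias maps to its address; lines that do not follow the
    required layout are reported instead of being silently skipped.
    """
    names, problems = {}, []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            addr = ipaddress.IPv4Address(fields[0])
        except ipaddress.AddressValueError:
            problems.append((lineno, "first field is not an IPv4 address"))
            continue
        if len(fields) < 2 or "." not in fields[1]:
            problems.append((lineno, "second field is not a fully-qualified name"))
            continue
        for name in fields[1:]:
            names.setdefault(name.lower(), str(addr))
    return names, problems


def check_dc_entries(conf_text, hosts_text):
    """Return [(kind, domain, server, reason)] for entries that need attention."""
    names, _ = parse_hosts(hosts_text)
    findings = []
    for (kind, domain), servers in parse_dc_entries(conf_text).items():
        for server in servers:
            try:
                ipaddress.ip_address(server)
                findings.append((kind, domain, server, "ip-literal"))
                continue
            except ValueError:
                pass  # not an address literal, so treat it as a name
            if server.lower() not in names:
                findings.append((kind, domain, server, "unresolved"))
    return findings


if __name__ == "__main__":
    for finding in check_dc_entries(SAMPLE_CONF, SAMPLE_HOSTS):
        print("%s entry for %s: %s (%s)" % finding)
```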

If resolution by /etc/hosts is unsuccessful, the DNS subsystem attempts to select a DNS server that can be used to resolve the host name or IP address (as described in the next section, Selecting a DNS server).

Selecting a DNS server

If unable to resolve a hostname or IP address by finding an entry in the /etc/hosts file (as described in the previous section, Resolving a DNS request in /etc/hosts), the DirectControl DNS subsystem attempts to find a DNS server to resolve the host name or IP address, as follows:

It checks for a working DNS server that has already been selected (cached in memory and stored in /var/centrify/kset.dns.server), and if available, uses it.

If a working DNS server is not already selected, it checks /etc/resolv.conf for configured DNS servers, and if populated, selects the fastest one from the list.

If no working DNS servers are found, the request fails.

At this point, DNS is considered down, and the DirectControl DNS subsystem waits for the interval specified by the dns.dead.resweep.interval parameter (default is 60 seconds) before attempting again to find a DNS server.

Specifying DNS-related parameters

Parameters in the DirectControl configuration file control many aspects of DirectControl DNS subsystem operation. Although you can set any of these parameters, the default settings should provide you with optimal DNS operation. See the Configuration Parameters Guide for details about any of these parameters.

The DNS subsystem periodically checks in the background to see if a DNS server that is faster than the currently selected one is available. The dns.alive.resweep.interval parameter determines how often this background check occurs; the default value is one hour (3600 seconds).

When a DNS server is selected, its address is stored in the kset.dns.server file, and it is used for all DNS requests until one of the following occurs:

It stops responding.

A new server sweep discovers a faster DNS server and replaces it.

Adclient is stopped and restarted, which triggers a sweep for a new DNS server.

The specified server is no longer in the list of servers in /etc/resolv.conf.

For the sweep, the dns.sweep.pattern parameter determines the probe pattern that is used to find a live DNS server; that is, it sets the protocol to use (TCP or UDP) and the amount of time to wait for a response. By default, this parameter specifies both a TCP and UDP probe.

The dns.timeout and dns.udp.retries parameters determine the amount of time to wait, and how often to re-send a request, when the current server does not respond to a request. If the current server does not respond to a request within the specified timeout period, it is considered down and DirectControl looks for a different server. If it cannot find a live server, DNS is considered down, and DirectControl waits for the period of the dns.dead.resweep.interval parameter, 60 seconds by default, before performing a sweep to find a new server.
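The three-step selection and the dead/alive resweep timing described in this section, modelled as an added example (not Centrify's code). The probe is injected so the constructed scenario runs offline; the guide's background faster-server check is folded into select() here as a simplification, and the probe is assumed to already apply dns.timeout and dns.udp.retries.

```python
# Added example (not Centrify code): a model of DirectControl DNS server selection.
from typing import Callable, List, Optional

DNS_DEAD_RESWEEP_INTERVAL = 60      # dns.dead.resweep.interval default (seconds)
DNS_ALIVE_RESWEEP_INTERVAL = 3600   # dns.alive.resweep.interval default (seconds)

# A probe returns the round-trip time in seconds, or None when the server did not
# answer within dns.timeout after dns.udp.retries attempts (assumed done by the probe).
Probe = Callable[[str], Optional[float]]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses from resolv.conf text, in file order."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


class DnsSelector:
    """Cached working server first, then the fastest from resolv.conf, else DNS is down."""

    def __init__(self, probe: Probe, resolv_conf: str, now: Callable[[], float],
                 dead_resweep: float = DNS_DEAD_RESWEEP_INTERVAL,
                 alive_resweep: float = DNS_ALIVE_RESWEEP_INTERVAL) -> None:
        self.probe = probe
        self.candidates = parse_resolv_conf(resolv_conf)
        self.now = now
        self.dead_resweep = dead_resweep
        self.alive_resweep = alive_resweep
        self.selected: Optional[str] = None        # what kset.dns.server would hold
        self.last_sweep: float = float("-inf")
        self.dead_since: Optional[float] = None

    def sweep(self) -> Optional[str]:
        """Probe every configured server and keep the fastest responder."""
        best, best_rtt = None, None
        for server in self.candidates:
            rtt = self.probe(server)
            if rtt is not None and (best_rtt is None or rtt < best_rtt):
                best, best_rtt = server, rtt
        self.last_sweep = self.now()
        self.selected = best
        self.dead_since = None if best is not None else self.now()
        return best

    def select(self) -> Optional[str]:
        """Return the server to use for this request, or None while DNS is considered down."""
        if self.selected is not None:
            if self.probe(self.selected) is not None:
                # Simplification: the periodic background check for a faster server
                # runs here once dns.alive.resweep.interval has elapsed.
                if self.now() - self.last_sweep >= self.alive_resweep:
                    self.sweep()
                return self.selected
            self.selected = None                   # stopped responding: look for another
        if self.dead_since is not None and self.now() - self.dead_since < self.dead_resweep:
            return None                            # still inside dns.dead.resweep.interval
        return self.sweep()

    def reload_resolv_conf(self, text: str) -> None:
        """Re-read resolv.conf; a selected server that is no longer listed is dropped."""
        self.candidates = parse_resolv_conf(text)
        if self.selected not in self.candidates:
            self.selected = None


def simulate_failover() -> List[Optional[str]]:
    """Constructed scenario: fastest server wins, failover, dead period, recovery."""
    clock = [0.0]
    rtt = {"10.0.0.1": 0.030, "10.0.0.2": 0.005}   # constructed latencies (seconds)
    sel = DnsSelector(lambda s: rtt.get(s),
                      "nameserver 10.0.0.1\nnameserver 10.0.0.2\n",
                      now=lambda: clock[0])
    out = [sel.select()]                 # 10.0.0.2, the fastest responder
    rtt["10.0.0.2"] = None
    out.append(sel.select())             # 10.0.0.1 after the selected server stops answering
    rtt["10.0.0.1"] = None
    out.append(sel.select())             # None: no server answers, DNS is considered down
    clock[0] += 30
    rtt["10.0.0.2"] = 0.005
    out.append(sel.select())             # None: still waiting out the 60 second interval
    clock[0] += 40
    out.append(sel.select())             # 10.0.0.2 once the dead resweep runs
    return out
```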


Appendix A

Using Centrify DirectControl UNIX commands

This appendix provides an overview of the command line interface and complete reference information for the command-line programs you can run on Centrify DirectControl-managed systems.

The following topics are covered:

Understanding when to use command-line programs

Displaying usage information and man pages

Understanding common result codes

Using adjoin

Using adleave

Using adcheck

Using adlicense

Using adpasswd

Using adquery

Using adinfo

Using addebug

Using adfinddomain

Using adflush

Using adid

Using adclient

Using adcache

Using adreload


Understanding when to use command-line programs

UNIX command-line programs are installed by default when you install the Centrify DirectControl Agent. The commands are typically installed in one of the following directories: /usr/sbin, /usr/bin, or /usr/share/centrifydc/bin.

Command-line programs allow you to perform basic Active Directory administrative tasks directly from a UNIX shell or using a shell script. These commands use the underlying Centrify DirectControl service library to enable you to add a UNIX, Linux, or Mac OS X computer to an Active Directory domain, leave the Active Directory domain, change Active Directory user passwords, and return detailed Active Directory, network and diagnostic information for a host computer.

You should use the UNIX command-line programs interactively or in shell scripts when you must take action directly from a UNIX computer, for example to join or leave a domain, or when taking action from the UNIX computer is most convenient, for example when individual users want to set new Active Directory passwords from their UNIX login shell.

Specific tasks these commands perform include:

The adjoin command (the most important one) adds a UNIX computer to an Active Directory domain. It is the command you use first on each UNIX computer.

Use adleave if you want to remove a UNIX computer from its current Active Directory domain or from the Active Directory forest entirely.

Use adpasswd to change an Active Directory account password from a UNIX computer.

Use adquery to retrieve information from Active Directory for a user or group.


Use adinfo to collect and display detailed diagnostic and configuration information for a UNIX computer and its Active Directory domain.

Displaying usage information and man pages

To display a summary of usage information for a UNIX command-line program, type the command and the --help or -h option. For example, to see usage information for the adleave command, type:

adleave --help

The usage information includes a list of options and arguments, and a brief description of each option.

For more complete information about any command, you can review the information in the command’s manual (man) page. For example, to see the manual page for the adleave command, type:

man adleave

Understanding common result codes

Centrify DirectControl command-line programs share a number of result codes. The following table lists the result codes that are reserved for use by the command-line programs.

Result Error name Indicates

0 ERR_SUCCESS Successful completion of the operation.

6 ERR_OTHERS Miscellaneous errors occurred during the operation.

7 ERR_USAGES Usage error occurred during the operation.

8 ERR_OP_ABORTED Operation aborted by user.


9 ERR_ROOT_PRIV Root privilege is required for the operation.

10 ERR_NOT_JOINED Computer is not currently joined to any Active Directory domain.

11 ERR_ALREADY_JOINED Computer is already joined to the current Active Directory domain.

12 ERR_JOINED_ANOTHER_DOMAIN Computer is currently joined to another Active Directory domain.

13 ERR_ADCLIENT_DOWN The adclient process is not running or not available.

14 ERR_ADCLIENT_DISCONNECTED The adclient process is running in disconnected mode.

15 ERR_ADLCIENT_STARTUP The adclient process failed to start.

16 ERR_DNS_TIMEOUT The DNS server is not responding and may be down.

17 ERR_DNS_GENERIC A generic DNS problem occurred during the operation.

18 ERR_INVALID_DOMAIN_NAME The Active Directory domain name is incorrect or not found in DNS.

19 ERR_INVALID_LOGON User name or password provided is not correct.

20 ERR_ACCOUNT_DISABLED The account specified has been disabled.

21 ERR_ACCOUNT_EXPIRED The account specified has expired.

22 ERR_ACCOUNT_EXISTS The account specified already exists.

23 ERR_ACCOUNT_NOTFOUND The account specified was not found in Active Directory.

24 ERR_PASSWORD_EXPIRED The account password has expired.

25 ERR_ZONE_NOTFOUND The zone cannot be found.

26 ERR_CONTAINER_NOTFOUND Invalid Active Directory container object.

27 ERR_INSUFFICIENT_PERM The account specified does not have permission to perform the operation.

28 ERR_CLOCK_SKEW The time difference between system clocks is beyond the acceptable range.

29 ERR_COMPUTER_NAME Invalid computer account.

30 ERR_CRED_INVALID Invalid credentials.

31 ERR_SERVICE_TKT_INVALID Invalid service ticket.

32 ERR_POLICY_NOT_MATCH Policy not matched.

33 ERR_REJECT_CHG_PASSWD Password change rejected.

34 ERR_WORKSTATION_DENY Workstation denied.

35 ERR_NOT_FIND_USER No matching user found.

36 ERR_NOT_FIND_GROUP No matching group found.

37 ERR_NOT_CONNECT_ADCLIENT An attempt to open a connection to the adclient process failed.

38 ERR_ADLCIENT_STOP Unable to stop the adclient process.

39 ERR_QUOTA_EXCEEDED The user has exceeded the number of join operations allowed.

40 ERR_OPEN_FILE The attempt to open a file failed.

41 ERR_READ_FILE The attempt to read a file failed.

42 ERR_COPY_FILE The attempt to copy a file failed.

Command-specific result codes are listed in the reference section for individual command-line programs.


Using adjoin

The adjoin command adds the local host computer to the specified Active Directory domain. The basic syntax for the adjoin program is:

adjoin [options] domain_name

The domain_name should be a fully-qualified domain name; for example, sales.acme.com.

If the computer is already a member of another domain, you must remove the computer account from the old domain by running adleave. Once the computer has left the old domain, you can run adjoin to join the new domain.

Note To run adjoin, you must be logged in as root.

By default, adjoin performs the following tasks:

Locates the domain controller for the specified domain and contacts Active Directory.

Synchronizes the local computer’s time with Active Directory time so the timestamp of Kerberos tickets is within an acceptable time difference for authentication.

Checks whether a computer account already exists for the local computer in Active Directory, and if necessary creates a new Active Directory computer account.

Updates the Kerberos principal service names used by the host computer, generating new /etc/krb5.conf and krb5.keytab files and new service keys for the host and http services.

Sets the password on the Active Directory computer account to a randomly-generated password. The password is encrypted and stored locally to ensure Centrify DirectControl alone has control of the account.

Starts the Centrify DirectControl daemon (adclient) on the local computer.


You have the option to join a specific zone. If you do not specify a zone, Centrify DirectControl automatically creates a default zone. If you are running Centrify DirectControl Express, you can only join a domain through Auto Zone, not by connecting to a specific zone. See “Understanding Zones and Auto Zone” on page 20 for more information.

Setting valid options

You can use the following options with the adjoin command.

Use this option To do this

-u, --user username[@domain] Specify an Active Directory username with sufficient rights to add a computer to the specified domain and create new computer accounts. For example, depending on the security delegation policies in place, you may need to specify a user account with Domain Administrator privileges. By default, however, any authenticated Active Directory user can join a computer to the domain.

You must use the username@domain format to specify the user account if the username is not a member of the domain being joined.

Note When specifying username@domain, you cannot use an alternative UPN. You must use the domain defined for your account.

If you do not specify the --user option, the default is the Administrator user account. Because this account has special rights that can represent a security risk, many organizations disable or restrict access to it. Therefore, in most cases, you should specify the --user option when joining a domain.


-p, --password userpassword Specify the account password. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.

Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running, or from command history after the command has completed execution.


-c, --container containerDN Specify the distinguished name (DN) of the container or Organizational Unit in which to place this computer account.

You can specify the containerDN by:

• Canonical name (ajax.org/unix/services). You cannot specify a partial name for the canonical name.

• Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org).

• Relative distinguished name without the domain suffix (cn=services,cn=unix).

For example, to place the computer in the UNIX/Services container within the ajax.org domain using the canonical name, you could specify:

--container “ajax.org/UNIX/Services”

The DN you specify can refer to any container within the directory but does not need to include the domain suffix. The domain suffix is appended to the containerDN programmatically to provide the complete distinguished name for the object. For example, if the domain suffix is acme.com, to place this computer in the paris.regional.sales.acme.com organizational unit within the acme.com domain, you would specify:

“ou=paris, ou=regional, ou=sales”

If you do not specify a container, the computer account is created in the domain’s default Computers container.

Note The container you specify must already exist in Active Directory or the join operation will fail. In addition, you must have permission to add entries to the specified container.


-n, --name computername Specify the host name you want to use for this computer in Active Directory.

If you do not specify a computername, the computer account name in Active Directory is the same as the local host name.

This option is most commonly used if you have a disjointed DNS namespace. For example, if the local UNIX host is a member of the DNS zone ajax.org, but is joining the Active Directory domain emea.ajax.org, you can use this option to join the domain with a computer name that is different from the name of the computer in DNS:

-n finserv.emea.ajax.org

This option can also be used in conjunction with the --alias option if the computer has multiple IP addresses and there are DNS records for those addresses.

The maximum length for computer account names in Active Directory is 64 characters (the limit on AD common names); however, it is recommended that you limit names to 15 or fewer characters because this limit conforms to the maximum length allowed by the NetLogon service, which is the preferred service for adclient to use for NTLM pass-through authentication. NetLogon is fast and automatically returns a user's group membership.

If you specify more than 15 characters adclient uses LDAP methods to fetch the user's group membership and create the computer account. Because LDAP methods are subject to the permissions on the AD container for the computer account, you may need administrative permissions to execute this command when specifying a computer name longer than 15 characters.


-N, --prewin2k accountname Specify the pre-Windows 2000 name for this computer in Active Directory. The pre-Windows 2000 name is the name stored in the samAccountName attribute.

The maximum length for the samAccountName attribute is 19 characters.

Note Although the actual limit is 19 characters, it is recommended that you limit the name to 15 characters because some Windows functions use this attribute as a NetBIOS name, which has a 15-character limit. If the name is larger than 15 characters, DirectControl must use less efficient NTLM authentication methods.

If you do not specify this option, the default pre-Windows 2000 name is the computer account name truncated at 15 characters. This option enables you to manually specify the pre-Windows 2000 name you want to use.

This option is most commonly used if the naming conventions for computer account names result in names that are longer than the 15 character limit.

-f, --force Overwrite the information stored in Active Directory for an existing computer account. This option allows you to replace the information for a computer previously joined to the domain. If there is already a computer account with the same name stored in Active Directory, you must use this option if you want to replace the stored information. You should only use this option when you know it is safe to force information from the local computer to overwrite existing information.


-a, --alias computeralias Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias, and the computer may be referred to by this alias. This option would normally be used if a computer has more than one Ethernet port and each port is known by a different DNS name. You can specify more than one --alias option if you need to specify multiple aliases for a single computer.

-z, --zone zonename Specify the name of the zone in which to place this computer account. If you do not specify a zone, the computer joins the domain in the default zone (a zone named “default” can be created when you run the Setup Wizard for the first time).

Note If you are using the Express mode of DirectControl, you cannot use this option. You must join a domain through Auto Zone by using the --workstation option.

If individual zone names are not unique across the Active Directory forest, you can use the canonical name of the zone to uniquely identify the zone you want to join. For example, if you have more than one “default” zone, you can use the full canonical name of the zone to specify which “default” zone to join.

If you specify a zone name and the named zone does not exist, the join operation fails.

Note If users and groups are unique across the forest and not required to be segregated into zones, you can join the Active Directory domain by using the --workstation option to connect to Auto Zone instead of specifying a zone. The --workstation and --zone options are mutually exclusive.


-C, --noconf Indicate that you do not want to update the local system’s PAM and NSS configuration. If you set this option, you will need to modify the PAM and NSS configuration files manually to work with the adclient daemon.

-s, --server domaincontroller Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

-Z, --zoneserver domaincontroller Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the one you are joining.

Note You cannot use this option when using the Express deployment mode of DirectControl.

-g, --gc domaincontroller Specify the name of the domain controller to use for global catalog operations. You can use this option if the default domain controller is not writable or does not support global catalog operations.

-T, --trust Set the Trust for delegation option in Active Directory for the computer account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network.

If you want to use this option, you should clear the local cache on the client before joining the domain.

-k, --des Set the computer account to use the Data Encryption Standard (DES) for keys.


-P, --precreate Precreate a computer account in Active Directory without joining the domain. If you use this option, you must also specify the name of the computer account you want to precreate using the --name option.

The --precreate option does the following:

• Creates a computer object in Active Directory in the organizational unit you specify or the Computers container.

• Resets the computer account password to the computer’s host name (in lower case).

• Creates an Extension object in the zone.

The following permissions are granted to the computer object:

• Read and Write to the operatingSystemServicePack, operatingSystem, and operatingVersion attributes in the Computer object.

• Reset the computer’s password.

• Read the userAccountControl attributes of the Computer object.

• Validate write to the servicePrincipalName and dNSHostName attributes.

By precreating the computer account and its serviceConnectionPoint, you can allow any user to join the computer to a domain without granting any special rights or performing any zone delegation. This option also enables you to create all the computer accounts you want in a batch job and automate how computers join the domain.

-m, --compat Precreate a computer object that is compatible with DirectControl version 2.x and later. You must specify this option if you want the precreated computer object to be compatible with DirectControl version 2.x and later.


-S, --selfserve Use the computer object’s account credentials to join the domain.

Note You cannot use this option when using the Express deployment mode of DirectControl.

To use this option, you must have done one of the following:

• Precreated the computer account in Active Directory using the Pre-Create Computer wizard.

• Previously joined the computer to a domain, then left using the adleave --reset option, which resets the computer account to a precreated, pre-joined state, such that you can rejoin the domain using the --selfserve option.

Note If you use the --selfserve option, you don’t need to specify a zone for the computer. The computer is automatically made a member of the zone where the precreated object was created. You must, however, specify the Active Directory domain to successfully add the computer to the domain.

-V, --verbose Display information about each step in the join process as it occurs. This option can be useful in diagnosing join problems. This option also writes log messages to the centrifydc.log file for troubleshooting purposes.

-v, --version Display version information for the installed software.


-w, --workstation Join the computer to an Active Directory domain by connecting to Auto Zone rather than by making the computer a member of any specific zone.

When joined to Auto Zone, every Active Directory user and group defined in the forest and any users defined in a two-way trusted forest are valid UNIX users or groups. You can use this option when:

• Active Directory identities are unique for the forest and trusted external forest.

• Active Directory users and groups only require one set of properties for all computers and do not need to be segregated into zones for any reason.

For the join to be successful, all of the domains in the forest and the trusted external forest must be unique. If domains are not unique across the forest trust, you must manually configure a unique prefix for each trusted domain using parameters in the centrifydc.conf configuration file.

Note The --workstation and --zone options are mutually exclusive.

domain Specify the fully-qualified domain name you want the local computer to join. There is no default setting, so this argument is required.

Examples of using adjoin

Joining a domain can be a very simple or fairly sophisticated operation depending on the design of your Active Directory forest, how you want to manage your UNIX systems, and the policies your organization follows. The following examples illustrate some of the options you can use when joining a domain.

When joining a domain using Centrify DirectControl Express, you must use the --workstation option:

adjoin --workstation acme.com


If you want to join the sales.acme.com domain using a user account that is not in that domain, using a specified host name and Organizational Unit, you could type a command line similar to the following:

adjoin --workstation --user [email protected] --name orlando --container “ou=UNIX computers” sales.acme.com

You are then prompted to provide the password for the user [email protected]. If the password is correct and the local computer can successfully connect to Active Directory, a new computer account is added to Active Directory using the computer name “orlando” in the “UNIX computers” Organizational Unit.

Note When specifying username@domain to join a domain, you cannot use an alternative UPN. For example, if your organization uses an alternate UPN to allow you to log in as [email protected] but your account is actually defined in the sf.mission.org domain, you must use that domain when specifying the user account. For example:

adjoin --workstation --user [email protected] la.mission.org
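A provisioning helper for the join commands shown in these examples and the result codes listed under “Understanding common result codes”, as an added example (not Centrify's code). It follows the guide's advice to leave the password off the command line and to keep computer names within 15 characters; the retry policy, the user name and the computer names are constructed for the example.

```python
# Added example (not Centrify code): run adjoin safely from a script and act on its exit status.
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# Codes from the "Understanding common result codes" table that a join script is most likely to meet.
RESULT_NAMES: Dict[int, str] = {
    0: "ERR_SUCCESS", 7: "ERR_USAGES", 9: "ERR_ROOT_PRIV",
    11: "ERR_ALREADY_JOINED", 12: "ERR_JOINED_ANOTHER_DOMAIN",
    16: "ERR_DNS_TIMEOUT", 17: "ERR_DNS_GENERIC", 18: "ERR_INVALID_DOMAIN_NAME",
    19: "ERR_INVALID_LOGON", 27: "ERR_INSUFFICIENT_PERM", 28: "ERR_CLOCK_SKEW",
}
# Retry policy is this example's own assumption: DNS and clock problems clear once the
# infrastructure is fixed; credential and permission errors need an operator.
RETRYABLE = {16, 17, 28}
NETLOGON_NAME_LIMIT = 15   # recommended limit from the --name and --prewin2k descriptions


def check_names(domain: str, name: Optional[str]) -> List[str]:
    """Return warnings about the domain and computer name before anything is run."""
    warnings = []
    if "." not in domain:
        warnings.append("domain should be fully qualified, e.g. sales.acme.com")
    if name is not None and len(name) > NETLOGON_NAME_LIMIT:
        warnings.append(
            f"name '{name}' exceeds {NETLOGON_NAME_LIMIT} characters: adclient falls back to "
            f"LDAP methods and the default pre-Windows 2000 name is '{name[:NETLOGON_NAME_LIMIT]}'")
    return warnings


def build_adjoin_argv(domain: str, user: str, name: Optional[str] = None,
                      container: Optional[str] = None, workstation: bool = True) -> List[str]:
    """argv for adjoin; the password is deliberately absent so adjoin prompts for it instead."""
    argv = ["adjoin"]
    if workstation:
        argv.append("--workstation")    # required when joining with DirectControl Express
    argv += ["--user", user]
    if name:
        argv += ["--name", name]
    if container:
        argv += ["--container", container]
    argv.append(domain)
    return argv


def classify(rc: int) -> Tuple[str, str]:
    """Map an adjoin exit status to (error name, action) for the calling script."""
    name = RESULT_NAMES.get(rc, f"UNLISTED_{rc}")
    if rc in (0, 11):
        return name, "joined"             # already joined counts as success for repeat runs
    if rc == 12:
        return name, "run adleave first"  # must leave the old domain before joining another
    if rc in RETRYABLE:
        return name, "retry"
    return name, "stop"


def join_domain(domain: str, user: str, name: Optional[str] = None,
                container: Optional[str] = None,
                runner: Callable[..., object] = subprocess.run) -> Tuple[str, str]:
    """Run adjoin interactively (it prompts for the password itself) and classify the result."""
    argv = build_adjoin_argv(domain, user, name, container)
    assert "--password" not in argv and "-p" not in argv   # never on the command line
    proc = runner(argv)                  # a list, not a shell string: no quoting surprises
    return classify(proc.returncode)     # type: ignore[attr-defined]
```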

Understanding the files modified by running adjoin

Running adjoin modifies several key files to complete the join operation and configure your environment to work with Active Directory for authentication, authorization, and directory services. By default, the following files are modified by running adjoin:

Type                         On               File location
Kerberos configuration file  Most platforms   /etc/krb5.conf
                             Solaris          /etc/krb5/krb5.conf
Kerberos keytab file         Most platforms   /etc/krb5.keytab
                             Solaris          /etc/krb5/krb5.keytab
NSS configuration file       Most platforms   /etc/nsswitch.conf
PAM configuration file       Red Hat Linux    /etc/pam.d/system-auth
                             All other Linux  /etc/pam.d/*

In addition, the following files are created in the /var/centrifydc directory by running adjoin or by starting the Centrify DirectControl Agent for the first time:

Name                   Purpose
daemon                 This is the pipe which clients open to communicate to the agent.
dc.cache               Cache of objects from the Domain Controller
gc.cache               Cache of objects from the Global Catalog
dcdn.idx               Cache index
extmgr.idx             Cache index
gcdn.idx               Cache index
gid.idx                Cache index
gname.idx              Cache index
search.idx             Cache index
uid.idx                Cache index
uname.idx              Cache index
kset.domain            The domain name
kset.domaincontroller  The domain controller host name
kset.host              The host name used to join
kset.schema            The current schema version
kset.site              The preferred site
kset.zone              The Zone GUID
kset.zonename          Readable zone name
reg/*/*/*              Group Policy registry files downloaded from AD

Working in an environment without a global catalog

If you join a UNIX computer to a domain where there is no global catalog available, users from other domains must use their fully-qualified login name to be authenticated successfully.

Understanding join-specific result codes

Most of the common result codes described in “Understanding common result codes” on page 81 apply to join operations. In addition to those common codes, however, the adjoin command can generate join-specific result codes when there are errors that prevent a computer from joining a domain. The following table lists these join-specific result codes.

Result Error name Indicates

156 ERR_JOIN_ATTRMAP The mapping of computer account properties to Active Directory attributes failed. If you encounter this problem, you may need to map all attributes, then rerun the adjoin command.


157 ERR_JOIN_UPDATE The computer failed to join the domain. If you encounter this problem, you may need to take corrective action:

• Check whether the computer’s hostname exceeds 15 characters. If the hostname exceeds 15 characters, shorten it or use the --name option to specify a name that is 15 characters or less, then rerun the adjoin command.

• Check whether the computer’s primary DNS suffix matches the Active Directory domain DNS name or another allowed primary DNS suffix. If the DNS suffix does not match the Active Directory domain or is not an allowed primary DNS suffix, you may need to change the DNS or domain configuration, then rerun the adjoin command.

158 ERR_STRONGER_AUTH_NEEDED A stronger authentication method is required by Active Directory. If you encounter this problem, you should set the LDAP traffic encryption parameter, adclient.ldap.packet.encrypt, to Allowed or Required in the Centrify DirectControl configuration file, then rerun the adjoin command.

159 ERR_UNEXPECTED_LDAP_REFERRAL There was an unexpected referral response. This is usually caused by an erroneous replication object in Active Directory. If you encounter this problem, you should check the zone container for replication errors, then rerun the adjoin command.


Using adleaveThe adleave command removes the local host computer from its current Active Directory domain. Once a computer has become a member of a domain, you must run the adleave command to leave that domain before you can move a computer to a new domain.

160 ERR_SPN_NOT_UNIQUE The servicePrincipalName (SPN) was not unique. Each SPN must be unique across the Active Directory forest. If you encounter this problem, you should use a servicePrincipalName that is unique across the forest, then rerun the adjoin command.

You can search for duplicate service principal names using the Analyze wizard.

161 ERR_SERVERNAME_INVALID The domain server was specified using an IP address. If you encounter this problem, you should specify the domain controller name using a fully-qualified DNS name.

162 ERR_CHANGE_DIR The attempt to change to the data directory failed.

163 ERR_DOMAIN_NOT_TRUSTED The domain specified is not in the same forest or is not a trusted domain. If you encounter this problem, you should check the trust relationship for the domain or use a different domain, then rerun the adjoin command.

164 ERR_MULTIPLE_ZONES_FOUND Multiple zones were detected. If you encounter this problem, you should check the zones defined, then rerun the adjoin command and specify only one zone.

Result Error name Indicates

Appendix A • Using Centrify DirectControl UNIX commands 99

Page 100: Centrify DirectControl Express Editiondocshare04.docshare.tips/files/5839/58394439.pdf · 2017-02-16 · 10 DirectControl Express Edition Administrator’s Guide to indicate variables.

The basic syntax for the adleave program is:

adleave [options]

By default, when you run adleave, the program performs the following tasks:

• Contacts Active Directory and deactivates the computer account associated with the local UNIX host. The program does not remove the computer account from Active Directory. To remove the computer account entirely, you must delete it from Active Directory manually with Active Directory Users and Computers.

• Reverts any computer settings that were changed by the adjoin command to their pre-adjoin condition. This includes reverting PAM, NSS, and Kerberos configuration files to their pre-join states, deleting the /var/centrifydc/* files, and deleting /etc/krb5.keytab.

When you join a domain, the Kerberos configuration file, /etc/krb5.conf, and keytab file, /etc/krb5.keytab, are automatically generated for you. Because the /etc/krb5.conf file can contain entries used by other applications, it is not removed automatically when you leave a domain. If you leave the domain, you should check whether this file is used by any other applications or if it has been manually edited. If it is not used by other applications, you can safely delete the file after leaving the domain.

• Stops the Centrify DirectControl daemon (adclient).

Note To run adleave you must be logged in as root.


Setting valid options

You can use the following options with this command:

Use this option To do this

-u, --user username[@domain] Identify an Active Directory user account with sufficient rights to remove a computer from the domain.

You must use the username@domain format to specify the user account if the username is not a member of the computer's current domain. If you do not specify the --user option, the default is the Administrator user account.

-p, --password userpassword Specify the password for the Active Directory user account performing the leave operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.

Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-s, --server domaincontroller Specify the name of the domain controller that you prefer to use to disconnect from the domain. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

-Z, --zoneserver domaincontroller Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the domain you are leaving.

Note You cannot use this option when using the Express deployment mode of DirectControl.


-C, --noconf Indicate that you do not want to revert the local system's PAM and NSS configuration files to their original state. Normally, if you leave a domain, any changes that have been made to the PAM and NSS configuration files to work with the adclient daemon during the join operation are removed. If you set this option to leave the file changes in place, you should review the PAM and NSS configuration files for potential changes.

Note Be sure to review and, if necessary, edit the PAM and NSS configuration files before you use this option. If you don't take precautions before using this option, the computer may become inoperable and require a reboot in single user mode to fix the problem.

-f, --force Indicate that you want to force the local computer’s settings to their pre-join conditions even if the adleave command cannot connect to Active Directory or is not successful in deactivating the Active Directory computer account.

You must use this option if the Active Directory computer account has been modified or deleted so that the host computer can no longer work with it.


-G, --nogp Indicate that you do not want to revert any group policies applied to the computer to their original state. Normally, if you leave a domain, any group policy changes that have been applied to UNIX configuration files are reverted to restore the files to their pre-join state.

Note This option has no effect when using the Express deployment mode of DirectControl as group policies are not supported by Centrify DirectControl Express.

-r, --remove Remove the computer account from Active Directory.

-R, --restore Restore system configuration files to their pre-join state without leaving the domain.

-t, --reset Reset the computer account to its precreated, pre-joined state.

This option resets the computer account password to the hostname (in lowercase) and disables the computer zone object. Because that password is predictable, treat the account as unprotected between the reset and the rejoin, and keep that interval short.

Specifying --reset allows you to leave a domain, then rejoin using the adjoin --selfserve option, which allows you to specify machine credentials when joining a domain. This option is valuable for virtual, cloud-computing environments that require the ability to dynamically join and leave a domain.

-v, --version Display version information for the installed software.

-V, --verbose Display detailed information for each operation.


Examples of using adleave

Leaving a domain is a straightforward process that returns a computer to its pre-join state. The following examples illustrate the options you can use when leaving a domain.

To remove a computer from its current domain using the default options and the Administrator user account, you could type a command line similar to the following:

adleave

You are then prompted for the Active Directory Administrator password.

To remove a computer from its current domain using a specific user account and without reverting the PAM and NSS configuration files to their pre-join state, you could type a command line similar to the following:

adleave --user [email protected] --noconf

You are then prompted for the password for the user [email protected].

To revert all computer settings to their pre-join state even if the command cannot deactivate the host computer's account in Active Directory, you could type a command line similar to the following:

adleave --force
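The guide warns that leaving with --noconf can leave the host unusable if the PAM and NSS files still reference the agent, and that adleave deletes /etc/krb5.keytab but leaves /etc/krb5.conf behind for manual review. The following shell script is an added example, not part of the Centrify guide or product: it lists the PAM and NSS lines that still reference the agent and reports the Kerberos files, so it can be run before a --noconf leave and again afterwards. It assumes the module name pam_centrifydc and the NSS source name centrifydc (the page does not state them) and builds a constructed sample directory tree so it runs without a joined host.

```shell
#!/bin/sh
# Added example; this script is not part of the Centrify guide or product.
# It audits the files that adleave normally reverts, so you can judge whether
# leaving with --noconf is safe and confirm a completed leave afterwards.
# Assumptions (not stated on the page): the PAM module is referenced as
# "pam_centrifydc" in /etc/pam.d/* and the NSS source as "centrifydc" in
# /etc/nsswitch.conf. $1 is a root directory: "/" for the live host, or a
# staging copy, so the functions can be exercised without touching the host.

# Print every PAM and NSS line that still references the agent, as file:line:text.
find_adclient_refs() {
    root="${1:-/}"
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        grep -n 'pam_centrifydc' "$f" | sed "s|^|$f:|"
    done
    if [ -f "$root/etc/nsswitch.conf" ]; then
        grep -n 'centrifydc' "$root/etc/nsswitch.conf" | sed "s|^|$root/etc/nsswitch.conf:|"
    fi
    return 0
}

# Number of such references. After "adleave --noconf" this stays non-zero:
# the files still name a module with no running adclient behind it, which is
# the state the guide warns may need a single-user-mode repair.
count_adclient_refs() {
    find_adclient_refs "$1" | grep -c . || true
}

# Kerberos artefacts created by adjoin: the keytab is removed on leave, while
# krb5.conf is deliberately kept and must be reviewed by hand.
kerberos_state() {
    root="${1:-/}"
    if [ -f "$root/etc/krb5.keytab" ]; then echo "keytab:present"; else echo "keytab:absent"; fi
    if [ -f "$root/etc/krb5.conf" ]; then echo "krb5.conf:present"; else echo "krb5.conf:absent"; fi
}

# Constructed sample tree standing in for a joined host (not real system output).
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    printf 'auth    sufficient pam_centrifydc.so\nauth    required   pam_unix.so\naccount sufficient pam_centrifydc.so\n' > "$d/etc/pam.d/sshd"
    printf 'auth    required   pam_unix.so\n' > "$d/etc/pam.d/login"
    printf 'passwd: files centrifydc\ngroup:  files centrifydc\nhosts:  files dns\n' > "$d/etc/nsswitch.conf"
    : > "$d/etc/krb5.keytab"
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n' > "$d/etc/krb5.conf"
    echo "$d"
}

# Stand-alone run against the sample; on a real host use: find_adclient_refs /
sample=$(make_sample_tree)
find_adclient_refs "$sample"
echo "references: $(count_adclient_refs "$sample")"
kerberos_state "$sample"
rm -rf "$sample"
```

Run find_adclient_refs / on the live host before and after the leave. A non-empty list after adleave --noconf means the PAM and NSS files must be edited by hand before the next reboot; kerberos_state / should then show keytab:absent with krb5.conf:present until you have reviewed and, if nothing else uses it, removed that file.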

Understanding adleave-specific result codes

In addition to the common result codes described in “Understanding common result codes” on page 81, the adleave command can generate leave-specific result codes when there are errors that prevent a computer from leaving a domain. The following table lists these leave-specific result codes.

Result Error name Indicates

156 ERR_STOP_NIS_ADCLIENT The adleave command was unable to stop the adnisd or adclient process. If you encounter this problem, you may need to manually stop the processes, then rerun the adleave command.

157 ERR_DELETE_CONTENT The adleave command was unable to delete all content.

158 ERR_LEAVE_FAILED The attempt to leave the domain failed. If you encounter this problem, you may need to rerun the adleave command with the --force option.

159 ERR_CONNECT_DC The adleave command was unable to connect to the domain controller. If you encounter this problem, you may need to rerun the adleave command with the --force option.

160 ERR_SYNC_TIME Time is not synchronized between the local system clock and the domain controller.

Using adcheck

The adcheck command can be used to perform operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The domain should be a fully-qualified domain name, for example, sales.acme.com.

The output from adcheck includes notes, warnings, and fatal errors, together with suggestions on how to fix them.

By default, adcheck performs the following tests:

• Operating system check to verify that the operating system is supported and at the correct patch levels, and that there is sufficient disk space.

• Network check to verify DNS and SSH.

• Active Directory check to verify various aspects of the Active Directory configuration, including the domain name, time and domain synchronization, and checking up to 10 domain controllers (which can be extended by an adcheck parameter for large domains).

You must specify a domain unless you are running the operating system check only (-t os).

Note The adcheck program is run automatically when you install the Centrify DirectControl Agent by running the install.sh program or the graphical-user-interface installer on a Mac OS X platform.

To run adcheck you must be logged in as root.

The basic syntax for the adcheck program is:

adcheck [domainName] [--alldc] [--siteonly] [--bigdomain number] [--xml filename] [--test os|net|ad] [--servername domainController] [--verbose] [--version]

Setting valid options

You can use the following options with this command:

Use this option To do this

-a, --alldc Check all domain controllers. This option overrides the --siteonly and --bigdomain options. The --servername option overrides this option. If you do not specify --alldc, --siteonly, or --servername, adcheck checks the number of domain controllers specified by the --bigdomain option (default is 10).

-s, --siteonly Check all domain controllers for the first detected site. This option overrides the --bigdomain option. The --alldc and --servername options override this option.

-b, --bigdomain number Specify the number of domain controllers to check. The default is 10. The --alldc, --siteonly, and --servername options override this option.

-x, --xml filename Specify the filename in which to generate XML output.


-t, --test os|net|ad Run a subset of the tests, as follows:

• os — Operating system check only; does not require that you specify a domain.

• net — Network check only; requires that you specify a domain.

• ad — Active Directory check, which also runs the network check; requires that you specify a domain.

You can enter multiple -t options to specify multiple sub-tests, for example:

adcheck ajax.com -t os -t net

-s, --servername domainController Specify the domain controller to connect to when performing the network checks. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information. (The short form -s is also listed for --siteonly in this table, so use the long form to avoid ambiguity.)

This option overrides the --alldc, --siteonly, and --bigdomain options.

-V, --verbose Display diagnostic information about the host, the domain, and the domain controller.

-v, --version Display version information for the installed software.

Using adlicense

The adlicense command can be used to enable or disable licensed features on a local computer.

If you execute adlicense with no options, it displays the current mode, either licensed or express.

In licensed mode, a computer has access to group policies and may join any existing zones.

In express mode (licensing is disabled) a computer may not download or execute group policies and cannot join a zone. The computer is automatically joined to Auto Zone.

To run adlicense you must be logged in as root.

The basic syntax for the adlicense program is:

adlicense [--licensed] [--express] [--verbose] [--version]

Setting valid options

You can use the following options with this command:

Use this option To do this

-l, --licensed Enable licensed features, including the ability to use group policies and join a specific zone. After you enable licensed features, the computer is still joined to Auto Zone. You may keep the computer joined to Auto Zone or join a specific zone, in which case you must first leave the domain with adleave, then rejoin the domain with the adjoin --zone command.

To enable licensing, you must have installed a valid license key. Enabling licensing consumes a license.

-e, --express Disable licensed features. This option unmaps group policies and prevents the machine from joining any specific zones. The computer is automatically joined to Auto Zone.

If you are running in licensed mode and execute adlicense --express to switch to Express mode, a license is restored.

Note You cannot use this option if the machine is currently joined to a zone. You must first leave the domain, then connect to Auto Zone when rejoining the domain.

-V, --verbose Display detailed information about the operation performed.

-v, --version Display version information for the installed software.

Using adpasswd

The adpasswd command changes the password for an Active Directory user account. It can be used to change the password of the current user executing the command or to change the password of another Active Directory user. If you want to change the password for any Active Directory account other than your own, you must provide the user name and password of an administrative account with the authority to change that user’s password.

The basic syntax for the adpasswd program is:adpasswd [options] [user[@domain]]

If a user@domain is specified in the command line, you must provide an administrative user name and password for an Active Directory account with the authority to set passwords for other Active Directory users. If a user@domain is not specified in the command line, this command can only be used to change the password for the current user account.

Because adpasswd allows a user to change his or her own password, you do not need to be logged in as root to run this command.

Note Changing a user’s password with this command updates the user’s Active Directory account. Once changed, the new password must be used for all activities that are authenticated through Active Directory, including logging on to the UNIX shell, logging on to Windows computers, and accessing applications on both UNIX and Windows.

Setting valid options

You can use the following options with this command:

Use this option To do this

-a, --adminuser adminuser[@domain] Identify an Active Directory user account with sufficient rights to modify another Active Directory user account.

You must use the adminuser@domain format to specify the account if the administrative user is not a member of the host computer's current domain.

If you do not specify this option, the default is the Administrator user account.


-p, --adminpass adminpassword Specify the password for the Active Directory administrative account when changing another user’s Active Directory password. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. However, if adpasswd detects Kerberos credentials, it uses those for the command, and if these credentials are not sufficient, you receive an error message rather than a prompt for a password.

Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-V, --validate Check the validity of a user’s password. This option is used to verify whether a specified user can log on with the specified password.

-o, --oldpass oldpassword Specify the current password for the Active Directory user account.

This option is only used when the user executing the command is changing the password for his or her own account. It is ignored when an administrator is changing the password for another user account.

If you are changing your own password and do not provide the current password at the command line, you are prompted to enter the old password before the command executes.


-n, --newpass newpassword Specify the new password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the new password and confirm the new password by retyping it before the command executes.

The new password must meet the Active Directory domain password policy requirements for length and complexity.

Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-v, --version Display version information for the installed software.

user[@domain] Specify the Active Directory user account for the password change. You must use this option if you are changing another Active Directory user’s account password. You should not use this option when changing your own account password. If a user name is not specified, the default is always the current user’s account.

You must use the user@domain format to specify the account if the user is not a member of the host computer’s current domain.

Examples of using adpasswd

In most cases, you use this command to change the password for your own account. The following command illustrates how to change the password for the current user account. It prompts for the old and new passwords because they aren’t provided in the command line:

adpasswd
Old password: xxx
New password: xxx
Repeat password: xxx

The following command illustrates changing the password for another user account, [email protected], which is in a domain outside the host computer’s own Active Directory domain. Because this example changes the password for another user, the command specifies an Active Directory administrative account, [email protected], with the authority to change the password for Jane’s account:

adpasswd --adminuser [email protected] [email protected]

You are then prompted for the administrator password and the user’s new password because these values aren’t provided in the command line.

Administrator password: xxx
New password for [email protected]: xxx
Repeat password: xxx

To check whether a user can log on with a specific password, you can use the --validate option. For example:

adpasswd --validate [email protected]
Password: xxx

If the user name and password are valid and can be authenticated by Active Directory, a successful validation message is displayed. If the user name and password specified cannot be authenticated, the command displays a message indicating the authentication failure:

Password validate failed for user pablo
Account cannot be accessed at this time
Please contact your system administrator

Each failed --validate attempt is a failed logon as far as Active Directory is concerned, so repeated checks against one account count toward its lockout threshold.

Understanding adpasswd-specific result codes

In addition to the common result codes described in “Understanding common result codes” on page 81, the adpasswd command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.

Result Error name Indicates

156 ERR_PASSWDFILE_MISS The password could not be updated because the passwd file could not be found.

157 ERR_PASSWDFILE_BUSY The password could not be updated because the passwd file was being used by another program.

Using adquery

The adquery command enables you to query Active Directory for information about users and groups from the command line on a Centrify DirectControl-managed system. The options you can use depend on whether you are looking up user information or group information. You can look up information for a specific user or group or for all of the users or groups in a zone.

The basic syntax for the adquery program is as follows:

adquery user|group [options] [username|groupname]

You can specify a single option in the command line to have the information returned as one value per line suitable for use in scripts. If you specify multiple options in the command line, the information returned is formatted in a list with field labels identifying each value.

Querying user information

You can use the adquery user command to look up one or more details about one or more specified users in Active Directory. If you don’t specify any users in the command line, the command lists all of the users in the zone.

The basic syntax for querying user information is:

adquery user [options] [username]


You can specify the username in any supported format. If the user name includes any blank spaces, the name should be enclosed by quotation marks. For example, if you want to specify an Active Directory account name consisting of a first name and a last name, you can type a command similar to the following:

adquery user --samname --enabled "Jae Park"

All options, including --all, return formatted attributes and values, with the exception of --dump, which returns raw attributes and values, and --attribute, which allows you to specify individual raw attributes. Raw attributes are the form in which attributes are stored internally in Active Directory or DirectControl, that is, without regard to readability. For example, the raw attribute for the account expiration date is a numeric string:

# adquery user -j | grep -i expires
accountExpires:129389472000000000

whereas the formatted attribute shows a date field:

# adquery user -x
Sat Jan 8 00:00:00 2011

Setting valid options for user information

You can use the following options with the adquery user command:

Use this option To do this

-U, --admin user@domain Specify an Active Directory user account with sufficient rights to query Active Directory and retrieve zone information.

You must use the user@domain format to specify the user account if the administrative user is not a member of the host computer’s current domain.

If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available, the default value is the Administrator user account.


-E, --password password Specify the password for the Active Directory user account with administrative rights. If you are using the current Kerberos credentials, you don’t need to specify the password at the command line.

If you are not using the current Kerberos credentials and do not specify the password at the command line, you are prompted to enter the password before the command executes.

Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution. You can pipe the password into standard input for scripting purposes.

-b, --attribute attributename Display the value of the specified Active Directory or DirectControl raw attribute.

Use the -j (--dump) option to see a list of raw attributes. The -A (--all) option returns formatted attributes and values.

Note Attribute names are case-sensitive. Internal DirectControl attributes begin with an underscore character.

You can specify multiple --attribute (-b) options, in which case the name of the attribute is returned along with the value. For example:

# -b cn
rajai davis

# -b cn -b sAMAccountName
cn:rajai davis
sAMAccountName:rdavis

-h, --home Display the specified user’s home directory or the home directory for all users in the zone.


-g, --group Display the specified user’s primary group identifier (GID) or the primary group identifier (GID) for all users in the zone.

-G, --groups List the UNIX-enabled groups the user is a member of.

-a, --adgroups List all of the Active Directory groups the user is a member of. Active Directory groups are listed by canonical name.

-s, --shell Display the user’s default shell.

-u, --uid Display the user identifier (UID) for the specified user or for all users in the zone.

-p, --display Display the displayName attribute for the user or for all users in the zone.

-o, --gecos Display the contents of the GECOS field for the user or for all users in the zone.

-n, --unixname Display the UNIX login name for the specified user or for all users in the zone.

-M, --samname Display the Active Directory logon name for the specified user or for all users in the zone.

-i, --sid Display the Active Directory security identifier (SID) for the specified user or for all users in the zone.

-P, --principal Display the Kerberos user principal name (UPN) for the specified user or for all users in the zone.

-S, --service Display the Kerberos service principal name (SPN) for the specified user or for all users in the zone.

-C, --canonical Display the Active Directory canonical name for the specified user or for all users in the zone.


-H, --hash Display the UNIX password hash for the specified user if you are using password synchronization between Active Directory and DirectControl-managed computers.

You must be logged on as the root user or querying Active Directory for your own account information to retrieve the password hash.

-x, --acct-expire Display the date the user account expires.

You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.

-w, --pwd-expire Display the date the current password for the user account expires.

You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.

-c, --pwd-nextchange Display the date after which the user may change their password.

You must be either logged on as the root user or be querying Active Directory for your own account information to retrieve this information.

-l, --pwd-lastchange Display the date of the last password change for the user.

You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.

-k, --locked Determine whether the Active Directory account for the user is locked because of failed attempts to log on.

You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.


-d, --disabled Determine whether the Active Directory account for the user has been disabled.

You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.

-e, --enabled Determine whether the Active Directory account for the user has been enabled for UNIX access in the current zone.

-D, --dn Display the distinguished name (dn) for the specified user or for all users in the zone.

-W, --userWorkstations List the value of the user’s Active Directory userWorkstations attribute, which specifies the machines from which the user may log into the domain. If the output is blank, the user is not restricted to a particular machine.

-A, --all List all of the information returned by the other command line options for the user.

-j, --dump List all the user’s raw attributes and values.

-F, --cache-first Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.

-r, --separator char Specify the separator character or string (char) to use between fields. The default separator between fields is a colon (:). For example:

jae:uid:525

-R, --list-separator char Specify the separator character or string (char) to use between the values in a list. The default separator between values in a list is a comma (,). For example:

jae:unixGroups:testlab,dev2


118 Administrator’s Guide

-f, --prefix Add the user’s UNIX user name as a prefix when returning single values. This option formats the information returned to include the user’s UNIX name when you are querying for a specific attribute, such as the user’s UID or displayName.

This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the user’s UNIX name and a label identifying each attribute by default.

-v, --version Display version information for the installed software.

Querying group information

You can use the adquery group command to look up one or more details about a specified group or multiple groups in Active Directory. If you don’t specify any groups in the command line, the command lists all of the groups in the zone.

The basic syntax for querying group information is:

adquery group [options] groupname

You must use the canonical format for the group name if specifying the Active Directory group name. For example, if you want to specify the Active Directory group name, you can type a command similar to the following:

adquery group "ajax.org/Users/TestExpert Team"

All options, including --all, return formatted attributes and values, with the exception of --dump, which returns raw attributes and values, and --attribute, which allows you to specify individual raw attributes. Raw attributes are the form in which attributes are stored internally in Active Directory or DirectControl, that is, without regard to readability. For example, the raw attribute for the group type is a numeric string:

# adquery group -j | grep -i type
dnsadmin:groupType:-2147483644

whereas the formatted attribute shows a name:

# adquery group -t
local security
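The mapping between the raw numeric groupType and the formatted scope and type names (the local, global and universal security values that the -t, --type option lists) is a decode of the Active Directory groupType bits. The script below is an added example, not code from the Centrify guide: it applies those bit definitions (0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security-enabled) to the raw value, and the only input it uses is the DnsAdmins line shown above; the unixdev value used in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: turn the raw groupType value that
# "adquery group -j" (or "adquery group -b groupType") prints into the scope and
# type names that "adquery group -t" displays. The bit values are those of the
# Active Directory groupType attribute (0x2 global, 0x4 domain local, 0x8
# universal, 0x80000000 security-enabled). The attribute is a signed 32-bit
# integer, which is why security groups appear as negative numbers.

# decode_group_type RAW  -> prints "<scope> <security|distribution>"
decode_group_type() {
  raw=$1
  # Bit 31 is the sign bit of a 32-bit value: a negative raw value means the
  # security-enabled flag is set, a non-negative one is a distribution group.
  if [ "$raw" -lt 0 ]; then kind=security; else kind=distribution; fi
  # Bits 1-3 (mask 14) carry the scope; two's complement keeps them intact.
  case $(( raw & 14 )) in
    2) scope=global ;;
    4) scope=local ;;
    8) scope=universal ;;
    *) echo "unrecognised scope bits in groupType $raw" >&2; return 1 ;;
  esac
  echo "$scope $kind"
}

# decode_adquery_group_types: reads "group:groupType:value" lines (the form
# returned by -j or -b groupType with a group name prefix) on stdin and prints
# "group:<scope> <type>" for each; other attributes are ignored.
decode_adquery_group_types() {
  while IFS=: read -r group attr value; do
    [ "$attr" = "groupType" ] || continue
    decoded=$(decode_group_type "$value") || continue
    printf '%s:%s\n' "$group" "$decoded"
  done
}

# The DnsAdmins value quoted in the guide decodes to "local security":
printf 'dnsadmin:groupType:-2147483644\n' | decode_adquery_group_types
```

On a joined host the same decode can be applied to live output with `adquery group -b groupType --prefix | decode_adquery_group_types`; a group whose scope bits decode to none of the three documented scopes is reported on stderr and skipped rather than guessed.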

Setting valid options for group information

You can use the following options with the adquery group command:

Use this option To do this

-U, --admin user@domain Specify an Active Directory user account with sufficient rights to query Active Directory and retrieve zone information.

You must use the user@domain format to specify the user account if the administrative user is not a member of the host computer’s current domain.

If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available, the default value is the Administrator user account.

-E, --password password Specify the password for the Active Directory user account with administrative rights. If you are using the current Kerberos credentials, you don’t need to specify the password at the command line.

If you are not using the current Kerberos credentials and do not specify the password at the command line, you are prompted to enter the password before the command executes.

Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution. You can pipe the password into standard input for scripting purposes.


-b, --attribute attributename Display the value of the specified Active Directory or DirectControl raw attribute.

Use the -j (--dump) option to see a list of raw attributes. The -A (--all) option returns formatted attributes and values.

Note Attribute names are case-sensitive. Internal DirectControl attributes begin with an underscore character.

You can specify multiple --attribute (-b) options, in which case the name of the attribute is returned along with the value. For example:

#-b cn
DnsAdmins

#-b cn -b sAMAccountName
cn:DnsAdmins
sAMAccountName:DnsAdmins

-m, --members List the UNIX members of the specified group or of all groups in the zone.

-a, --admembers List the Active Directory members of the specified group or of all groups in the zone.

-s, --sammembers List Active Directory members of the specified group or all groups in the form name@domain; for example, [email protected]

-g, --gid Display the group identifier (GID) for the specified group or of all groups in the zone.

-q, --required Display whether membership in the specified group is required or not. For more information about required groups, see adsetgroups.

-n, --unixname Display the UNIX group name for the group.

-M, --samname Display the Active Directory name for the group.


-i, --sid Display the Active Directory security identifier (SID) for the group.

-C, --canonical Display the Active Directory canonical name for the group.

-D, --dn Display the distinguished name (dn) for the group.

-A, --all List all of the information returned by the other command line options for the group.

If you use this option without specifying a group name, the command lists details for all of the groups in the zone.

-j, --dump List all the group’s raw attributes and values.

-F, --cache-first Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.

-r, --separator char Specify the character or string (char) to use as the separator between an attribute name and its value. The default separator between attributes and values is a colon (:). For example:

unixname:qa-euro

-R, --list-separator char Specify the character or string (char) to use as the separator between the values in a list. The default separator between values in a list is a comma (,). For example:

unixGroups:unixdev,testexpe


-f, --prefix Add the UNIX group name as a prefix when returning single values. This option formats the information returned to include the UNIX group name when you are querying for a specific attribute, such as the group GID or membership list.

This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the UNIX group name and a label identifying each attribute by default.

-t, --type Display the scope and group type for a specified group. The valid group types are:

• local security

• global security

• universal security

-v, --version Display version information for the installed software.

Examples of using adquery

You can use adquery to return a specific value for a user or group or to list multiple details about a user or group. The format of the output depends on whether you specify a single attribute or multiple attributes on the command line. For example, if you want to see a complete list of details about the group unixdev, you would type:

adquery group --all unixdev

This command returns the results for the unixdev group in the following format:

unixname:unixdev
gid:400
required:false
dn:CN=Unix Developers,CN=Users,DC=ajax,DC=org
groupType:global security
samAccountName:Unix Developers
sid:S-1-5-21-3619768212-1024502798-2657341593-1106
canonicalName:ajax.org/Users/Unix Developers
members:ajax.org/Users/Ashish Menendez,ajax.org/Users/Ben Waters,ajax.org/Users/Monte Fisher,ajax.org/Users/Jae Kim,ajax.org/Users/Jay W. Reynolds,ajax.org/Users/Pierre Leroy,ajax.org/Users/Rae Parker,ajax.org/Users/Zoe Green
unixMembers:ashish,ben,fisher,jae,jay,pierre,rae,zoe

Similarly, to see a complete list of details about the user [email protected], type:

adquery user --all [email protected]

This command returns the results for the user in the following format:

unixname:jae
uid:409
gid:400
gecos:Jae Kim
home:/home/jae
shell:/bin/bash
dn:CN=Jae Kim,CN=Users,DC=ajax,DC=org
samAccountName:jae
display:jae
sid:S-1-5-21-3619768212-1024502798-2657341593-1185
userPrincipalName:[email protected]
canonicalName:ajax.org/Users/Jae Kim
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 12 15:21:04 2007
nextPasswordChange:Fri Mar 2 14:21:04 2007
lastPasswordChange:Thu Mar 1 14:21:04 2007
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:unixdev,testexpe
memberOf:ajax.org/Users/Unix Developers,ajax.org/Users/Domain Users,ajax.org/Performix/TestExpert Team

Specifying a single attribute for users and groups

When you specify a single attribute in the command line, the information is displayed as one value per line without any attribute label or identifier. For example, if you want to return the canonical name for the qa-euro group as an unlabeled value, you would type:

adquery group --canonical qa-euro


This command displays the canonical name without any prefix or label:

ajax.org/Users/QA Europe

Similarly, if you want to return only the UID for the user [email protected], you would type:

adquery user --uid [email protected]

To list a single attribute about multiple groups or users, you can specify the additional groups or users in the command line. For example, to see a list of the UNIX user names of Active Directory members for the testexp, performx and unixdev groups, you would type:

adquery group --members testexp performx unixdev

This command returns the UNIX user names of the members in each group in the following format:

ben,fisher,jae,jolie,rae
zoe
ashish,ben,fisher,jae,jay,pierre,rae,zoe

If you want the results to include the UNIX user name or group name, you can add the --prefix option to the command line. For example, to include the UNIX group name with a membership list for the testexp, performx and unixdev groups, you would type:

adquery group --members --prefix testexp performx unixdev

This command returns the members in each group in the following format:

testexp:ben,fisher,jae,jolie,rae
performx:zoe
unixdev:ashish,ben,fisher,jae,jay,pierre,rae,zoe

Specifying multiple attributes for users and groups

When you query multiple attributes for a user or group, the results display the UNIX user or group name, followed by an attribute label to identify the attribute values displayed. For example, to return the samAccountName and unixGroups for the users rae, ben, ashish, and jae, you would type:

adquery user --samname --groups rae ben ashish jae

This command returns the requested information for each user in the following format:

rae:samAccountName:rae-old
rae:unixGroups:unixdev,testexpe,perform2
ben:samAccountName:ben
ben:unixGroups:qualtrak,unixdev,testexpe
ashish:samAccountName:ashish
ashish:unixGroups:qualtrak,unixdev
jae:samAccountName:jae
jae:unixGroups:unixdev,testexpe,perform2

Listing information for all users and groups in a zone

If you don’t specify a username or groupname in the command line, the adquery command returns information for all users or all groups in the current zone. The format of the output depends on whether you specify a single attribute or multiple attributes and any other options you set. For example, to list the UNIX group names and GIDs for all of the groups in the current zone, you would type:

adquery group --gid --prefix

This command returns the group names and GIDs in the following format:

unixdev:400
oracle:700
qualtrak:800
performi:401
perform2:402
financeu:403
testexpe:404
integrit:405

Similarly, to return a list of UIDs and display names for all of the users in the current zone, you would type:

adquery user --uid --display

For example:

rae-old:uid:10003
rae-old:displayName:Rae S. Parker
jay:uid:501
jay:displayName:Jay W. Reynolds
zoe:uid:502
zoe:displayName:Zoe Green
ben:uid:503
ben:displayName:Ben Waters
ashish:uid:504
ashish:displayName:Ashish Menendez
fisher:uid:505
fisher:displayName:Monte Fisher
pierre:uid:506
pierre:displayName:Pierre Leroy
lynn:uid:507
lynn:displayName:Lynn Hogan
tess:uid:508
tess:displayName:Tess Adams
jolie:uid:509
jolie:displayName:Jolie Ames-Anderson
jae:uid:510
jae:displayName:Jae Kim
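The multi-attribute format just shown (unixname, attribute label, value, joined by the -r/--separator character) is what an audit script consumes when it runs adquery across the whole zone. The script below is an added example and is not from the Centrify guide: it reads that output on stdin and reports accounts that are still enabled for UNIX access in the zone but are locked or disabled in Active Directory. The attribute labels (accountLocked, accountDisabled, zoneEnabled) are those printed by adquery user --all above; that the --locked, --disabled and --enabled options print them in the same labelled form is an assumption, and the sample output in the script is constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: audit the multi-attribute output of
# adquery user. Each line is "unixname<sep>attribute<sep>value". The labels used
# here (accountLocked, accountDisabled, zoneEnabled) are the ones adquery --all
# prints; the assumption is that "adquery user --locked --disabled --enabled"
# emits them in the same labelled, prefixed form.

# Constructed sample output (not captured from a real system).
SAMPLE_ADQUERY_OUTPUT='rae:accountLocked:false
rae:accountDisabled:false
rae:zoneEnabled:true
ben:accountLocked:true
ben:accountDisabled:false
ben:zoneEnabled:true
zoe:accountLocked:false
zoe:accountDisabled:true
zoe:zoneEnabled:true
jae:accountLocked:false
jae:accountDisabled:true
jae:zoneEnabled:false'

# flag_unusable_accounts [separator]
# Reads adquery output on stdin and prints "user<sep>reason" for every account
# that is enabled for UNIX access in the zone but locked or disabled in Active
# Directory. The separator defaults to ":"; pass the same single character you
# gave adquery with -r/--separator. Values can contain the separator themselves
# (the date fields do), so the value is everything after the second separator,
# not awk's field 3.
flag_unusable_accounts() {
  sep=${1:-:}
  awk -v FS="$sep" -v OFS="$sep" '
    NF >= 3 {
      user = $1; attr = $2
      value = substr($0, length(user) + length(attr) + 2 * length(FS) + 1)
      v[user, attr] = value
      seen[user] = 1
    }
    END {
      for (u in seen) {
        if (v[u, "zoneEnabled"] != "true") continue
        if (v[u, "accountLocked"] == "true")   print u, "locked"
        if (v[u, "accountDisabled"] == "true") print u, "disabled"
      }
    }' | sort
}

# Typical use on a joined host (adquery itself is not run here):
#   adquery user --locked --disabled --enabled | flag_unusable_accounts
printf '%s\n' "$SAMPLE_ADQUERY_OUTPUT" | flag_unusable_accounts
```

Accounts such as jae in the sample, disabled in Active Directory and already not zone-enabled, are deliberately not reported: the point of the check is the gap where a UNIX login is still provisioned for an account that the directory has locked or disabled.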

Using adinfo

The adinfo command displays detailed Active Directory, network, and diagnostic information for a local UNIX computer. Options control the type of information and level of detail displayed.

The basic syntax for the adinfo program is:

adinfo [option] [--user username[@domain]] [--password password]

The option argument can be any of the following:

adinfo [--domain] [--gc] [--zone] [--zonedn] [--site] [--server] [--name] [--all] [--support [--output filename]] [--diag [domain]] [--config] [--mode] [--sysinfo all | [dns],[domain],[netstate],[adagent],[config]] [--test] [--verbose] [--version] [--auth [domain]] [--servername domain_controller] [--computer]

The --domain, --gc, --zone, --zonedn, --site, --server, and --name options are intended for use in scripts to return the current Active Directory domain, global catalog domain controller, zone, site, domain controller, and computer account name, respectively. The other options provide more detailed or operation-specific information.

You can use the --user and --password options in conjunction with the --all, --support, --diag, or --auth option to specify the user name and password of an Active Directory account with permission to read the computer account information in the Active Directory domain controller you are accessing. If you run adinfo while logged in as root, you do not need to specify the --user or --password option because the command uses the Active Directory account associated with the local host. If you run the adinfo command with a user account that doesn’t have permission to read the computer account information in Active Directory, some information may not be available in the command output.

Note To run the adinfo --support command, you must be logged in as root. You are not required to log in as root for any of the other adinfo options.

If you do not specify an option, adinfo returns the basic set of configuration details for the local computer, which is equivalent to specifying adinfo --all.

Note The last line returned by adinfo on Mac OS X and Linux machines shows Licensed Features: Enabled | Disabled to indicate whether the standard or express version of DirectControl is running. This information is only relevant to Mac OS X and Linux machines so it does not appear when you run adinfo on other platforms.

Setting valid options

You can use the following options with this command:

Use this option To do this

-d, --domain Return the name of the local computer’s Active Directory domain.

If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 10.

-G, --gc Return the name of the local computer’s Active Directory domain controller used for global catalog operations.

If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 10.


-z, --zone Return the name of the local computer’s Active Directory zone or “Auto Zone” if a computer is joined to Auto Zone and not a member of any specific zone.

If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 10.

-Z, --zonedn Return the distinguished name (DN) of the local computer’s Active Directory zone or the distinguished name (DN) of the computer’s Active Directory domain if the computer is joined to Auto Zone.

The distinguished name is the name that uniquely identifies an entry in the directory, beginning with the most specific attribute and continuing with progressively broader attributes.

If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 10.

-s, --site Return the name of the local computer’s Active Directory site.

If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 10.

-r, --server Return the fully-qualified name of the local computer’s Active Directory domain controller.

If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 10.

-n, --name Return the fully-qualified name of the local computer’s computer account name in Active Directory.

If the computer isn’t currently joined to an Active Directory domain, then the command exits and returns an exit status of 10.


-a, --all Return the following information:

• Local host name

• Domain the computer is joined to

• Computer account name in Active Directory

• Local preferred site

• Centrify DirectControl zone

• The date and time that the password was last reset for the computer’s Active Directory computer account

• Current operational mode indicating whether the computer is connected to Active Directory or running in disconnected mode

• Whether licensed features are enabled (Mac OS X and Linux only)

Note If you use this option but the user account doesn’t have permission to read the computer account information in Active Directory, the command output does not indicate whether shell access has been enabled or information about the last password set.


-t, --support [--output filename] Return all of the information supplied by the --all option and the following additional information:

• The current configuration parameters set in /etc/centrifydc/centrifydc.conf

• The settings from /etc/krb5.conf

• The contents of the log file /var/log/centrifydc.log

• The key list from /etc/krb5.keytab

This option is typically used to send complete diagnostic information to a file, which can then be sent to Centrify Technical Support for analysis.

By default, the output for the command is written to the file /tmp/adinfo_support.txt. You can save the output in a different location or using a different file name by using the optional --output argument. To send --support output to stdout, use a hyphen (-) in the command line in place of the filename.

Note The root account is required if you want to retrieve the Kerberos key version stored in Active Directory for comparison with the local Kerberos key.


-g, --diag [domain] Return the diagnostic information for the host computer and a specific Active Directory domain. If you don’t specify the domain, the command returns information for the computer's current domain.

Specifying a domain is useful when an attempt to join the computer to an Active Directory domain fails. By specifying adinfo --diag and the domain you tried to join, you can better diagnose why an attempt to join failed.

This option returns the following information:

• Local host name.

• Local IP address.

• List of the DNS servers for the specified domain.

• Host name or IP address of the DNS server supplied by the domain controller.

• Whether the domain controller has up-to-date global catalog data so that it can become the global catalog, if necessary.

• Functional level of the specified Active Directory domain.

• Functional level of the domain's Active Directory forest.

• Functional level of the domain controller.

• Name of the Active Directory forest to which the specified domain belongs.

• Name of the computer account in Active Directory for this computer.

• Kerberos key version for this computer.

• List of Kerberos service principal names this computer has registered with Active Directory.

Note You should use the root user account when you use this option. If you don’t use the root account, the command will not be able to bind to the domain controller or locate the computer account. The root account is also required to compare the local key version with the key version stored in Active Directory.


-c, --config Return the parsed contents of the Centrify DirectControl configuration file.

-m, --mode Display whether the computer is currently connected to Active Directory or running in disconnected mode. If the adclient process is not currently running at all, this option will return the agent status as down.

Note You should use the root user account when you use this option to display the appropriate status. If you don’t use the root account, the command will not be able to check the adclient lock file to confirm whether adclient is running or not.

-y, --sysinfo all | dns,domain,netstate,adagent,config Display system information for the current domain. You can specify one or more options in a comma-separated list, or specify all to show all available information:

• all — Display all available system information; specifying this option is the same as specifying all the following options.

• dns — Display the address, state, and cache contents of the current DNS server.

• domain — Display domain info map for the current domain.

• netstate — Display network state.

• adagent — Display adagent information.

• config — Display adclient in-memory configuration parameter values.

For example, to show DNS, domain, and configuration information, type the following command:

adinfo --sysinfo dns,domain,config

-T, --test Test the availability of the ports Centrify DirectControl requires for authentication through Active Directory.

-V, --verbose Display detailed information about each operation as it is performed. You can use this option in combination with other options.


-v, --version Display version information for the installed software.

-u, --user username[@domain] Identify an Active Directory user account with sufficient rights to read the computer account information.

You must use the username@domain format to specify the user account if the username is not a member of the computer’s current domain. If you do not specify the --user option, the default is the Administrator user account.

-p, --password userpassword Specify the password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.

Note Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-A,--auth [domain] Authenticate the user name and password for the user specified with the --user option against the specified domain. If you don’t specify a domain, the user is validated against the currently joined domain.

This option only validates that the user name and password you enter can be authenticated by Active Directory. You cannot use this option in combination with other options to display other types of information.

-S, --servername domain_controller Connect to a specific domain controller to perform network diagnostics. You can use this option in combination with any of the other options.

-C, --computer Display the service principal names (SPNs) associated with the computer account.
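Both the adquery -E, --password note and the adinfo -p, --password note above make the same point: a password given on the command line is visible in the process list while the command runs and in shell history afterwards, and the adquery note suggests piping it into standard input instead. The wrapper below is an added example, not from the Centrify guide, of doing that from a script: it feeds the command's standard input from a credential file and refuses any file that is readable by anyone other than its owner. It assumes, as the guide states, that the command reads the password from standard input when none is given on the command line; the file path and account name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: run a DirectControl command with the
# administrative password supplied on standard input instead of as a -E/--password
# or -p/--password argument, so it never appears in the process list or in shell
# history. Assumes, as the guide states, that the command reads the password from
# stdin when it is not given on the command line.

# run_with_password_file FILE COMMAND [ARGS...]
# Refuses to use a credential file that anyone but its owner can read.
run_with_password_file() {
  pwfile=$1; shift
  [ -f "$pwfile" ] || { echo "no such credential file: $pwfile" >&2; return 2; }
  # Characters 5-10 of "ls -l" output are the group and other permission bits;
  # all six must be "-" (mode 0600 or stricter) before the file is used.
  mode=$(ls -ld "$pwfile" | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "refusing $pwfile: group/other permission bits are set ($mode)" >&2
    return 2
  fi
  "$@" < "$pwfile"
}

# Example use (placeholder path and account; adquery is not run here):
#   run_with_password_file /root/.centrify-admin.pw \
#       adquery user -U admin@ajax.org --locked --disabled jae
```

Creating the credential file under `umask 077` gives it the required mode from the start; the check in the wrapper catches a file that was later made group- or world-readable by mistake.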


Examples of using adinfo

In most cases, you use the adinfo command to provide information that will help you diagnose and resolve problems with Centrify DirectControl or Active Directory environments.

To display the basic configuration information for the local UNIX computer, you can type:

adinfo

If the computer has joined a domain, this command displays information similar to the following:

Local host name: magnolia
Joined to domain: ajax.org
Joined as: magnolia.ajax.org
Pre-win2k name: magnolia
Current DC: ginger.ajax.org
Preferred site: Default-First-Site-Name
Zone: ajax.org/Program Data/Centrify/Zones/default
Last password set: 2006-12-21 11:37:22 PST
CentrifyDC mode: connected
Licensed Features: Enabled

Note Whether licensed features are enabled or disabled is only relevant for Linux and Mac computers and is not shown for Solaris and other UNIX systems.

You can also use adinfo in shell scripts to return specific information, such as the domain a computer has joined. For example, the following command returns the host computer’s current domain and no other information:

adinfo --domain

For example:

ajax.org

The adinfo --diag command can also be useful in diagnosing Active Directory configuration issues and Kerberos problems. For example, in addition to other information, the --diag option returns the Kerberos key version for the UNIX computer. The key version is stored both locally and in the computer’s Active Directory account. It is incremented when a service principal’s password key changes. If the local key differs from the Active Directory account key version, it indicates that the local key is no longer in sync with the Active Directory key and this may cause authentication to fail.


By running adinfo --diag and checking the Key Version: field you can determine whether the key versions are the same or out of sync. If the versions are different, the Key Version field shows both keys and indicates which is local and which comes from Active Directory. If the computer isn’t joined to a domain, it has no local key and the following is displayed:

Key Version: local key version unavailable

If the computer is joined to a domain other than the specified domain, the Active Directory key is shown as:

<unavailable>

If the computer has joined a domain, the adinfo --diag command displays information similar to the following truncated example:

Host Diagnostics
  uname: Linux magnolia 2.4.21-15.EL #1 Thu Apr 22 00:27:41 EDT 2004 i686
  OS: Red Hat Enterprise Linux ES
  Version: 3 (Taroon Update 2)
  Number of CPUs: 1

IP Diagnostics
  Local host name: magnolia
  FQDN host name: magnolia (domain missing?)
  Local IP Address: 192.168.147.135

Domain Diagnostics:
  Domain: ajax.org
  Subnet site: Default-First-Site-Name
  DNS query for: _ldap._tcp.ajax.org
  Found SRV records: ginger.ajax.org:389
  Testing Active Directory connectivity:
    Domain Controller: ginger.ajax.org
      ldap: 389/udp - good
      ldap: 389/tcp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
  Domain Controller: ginger.ajax.org:389
    Domain controller type: Windows 2003
    Domain Name: AJAX.ORG
    isGlobalCatalogReady: TRUE
    domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AJAX.ORG
  DNS query for: _gc._tcp.AJAX.ORG
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
  Domain Controller: ginger.ajax.org:3268
    Domain controller type: Windows 2003
    Domain Name: AJAX.ORG
    isGlobalCatalogReady: TRUE
    domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AJAX.ORG

Retrieving zone data from ajax.org
  Centrify DirectControl 2.x zones:
    ConsumerDiv - ajax.org/Program Data/Centrify/Zones/ConsumerDiv
    Manufacturing - ajax.org/Program Data/Centrify/Zones/Manufacturing
    London - ajax.org/Program Data/Centrify/Zones/London
  Centrify Microsoft SFU zones:
    default - ajax.org/Program Data/Centrify/Zones/default

Computer Account Diagnostics
  Joined as: magnolia
  Key Version: 5
  Service Principal Names:
    nfs/magnolia.ajax.org
    nfs/magnolia
    host/magnolia.ajax.org
    host/magnolia
    ftp/magnolia.ajax.org
    ftp/magnolia
    cifs/magnolia.ajax.org
    cifs/magnolia
    HTTP/magnolia.ajax.org
    HTTP/magnolia

Centrify DirectControl Status
  Running in connected mode

To test whether a specific user can be authenticated by a specific Active Directory domain controller, you could type a command similar to the following:

    adinfo --auth --user rae --servername ginger.ajax.org

You are then prompted for the Active Directory password for the user rae account. If Active Directory can authenticate the user, a confirmation message similar to the following is displayed:

    Password for user “rae” is correct

To test connectivity and the availability of required ports on the Active Directory domain controller, you could type a command similar to the following:

    adinfo --test

If the computer is joined to a domain and the connection to Active Directory succeeds, the command displays information similar to the following:

    Domain Diagnostics:
      Domain: ajax.org
      DNS query for: _ldap._tcp.ajax.org
      DNS query for: _gc._tcp.ajax.org
      Testing Active Directory connectivity:
        Global Catalog: ginger.ajax.org
          gc: 3268/tcp - good
        Domain Controller: ginger.ajax.org
          ldap: 389/tcp - good
          ldap: 389/udp - good
          smb: 445/tcp - good
          kdc: 88/tcp - good
          kpasswd: 464/tcp - good
          ntp: 123/udp - good
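A practitioner usually wants the result of adinfo --test as a pass/fail signal for a monitoring job rather than as text to read. The following Python is an added example, not part of Centrify's tooling, that parses output in the format shown above and reports any port check that did not come back as good, plus any of the service ports listed above that the output did not test at all. The sample output is constructed from the example above with one check changed to failed so the detection path is visible; the status word "failed", the port list and the parser itself are assumptions based only on the lines this guide shows.

```python
import re
import subprocess

# Constructed sample of "adinfo --test" output, copied from the guide's example with the
# kpasswd line changed so a failure is visible. "failed" as a status string is assumed.
SAMPLE_TEST_OUTPUT = """\
Domain Diagnostics:
  Domain: ajax.org
  DNS query for: _ldap._tcp.ajax.org
  DNS query for: _gc._tcp.ajax.org
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
    Domain Controller: ginger.ajax.org
      ldap: 389/tcp - good
      ldap: 389/udp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - failed
      ntp: 123/udp - good
"""

# The service/port/protocol checks the guide's output shows adinfo exercising
EXPECTED_CHECKS = {
    ("gc", 3268, "tcp"), ("ldap", 389, "tcp"), ("ldap", 389, "udp"),
    ("smb", 445, "tcp"), ("kdc", 88, "tcp"), ("kpasswd", 464, "tcp"), ("ntp", 123, "udp"),
}

SERVER_RE = re.compile(r"^\s*(Domain Controller|Global Catalog):\s+(?P<host>\S+)")
CHECK_RE = re.compile(r"^\s*(?P<svc>[a-z]+):\s+(?P<port>\d+)/(?P<proto>tcp|udp)\s+-\s+(?P<status>\S+)")


def parse_checks(text):
    """Return (host, service, port, proto, status) for every port line, tied to the server above it."""
    host, checks = None, []
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            host = m.group("host").split(":")[0]  # --diag prints "host:port" here; keep the host only
            continue
        m = CHECK_RE.match(line)
        if m and host:
            checks.append((host, m.group("svc"), int(m.group("port")), m.group("proto"), m.group("status")))
    return checks


def failed_checks(text):
    """Port checks whose status is anything other than 'good'."""
    return [c for c in parse_checks(text) if c[4] != "good"]


def untested_checks(text):
    """Expected checks that do not appear in the output at all (for example, a missing GC block)."""
    seen = {(svc, port, proto) for _, svc, port, proto, _ in parse_checks(text)}
    return sorted(EXPECTED_CHECKS - seen)


def evaluate(text):
    """0 when every expected check ran and passed, 1 otherwise; suitable as a monitoring exit code."""
    return 0 if not failed_checks(text) and not untested_checks(text) else 1


if __name__ == "__main__":
    # On a joined host, run the real command (assumed to be on PATH) and print a one-line verdict per problem.
    out = subprocess.run(["adinfo", "--test"], capture_output=True, text=True).stdout
    for bad in failed_checks(out):
        print("FAILED: %s %s %d/%s (%s)" % bad)
    for missing in untested_checks(out):
        print("NOT TESTED: %s %d/%s" % missing)
    raise SystemExit(evaluate(out))
```

A check that is absent is treated as a failure on purpose: a host that silently skipped the global catalog probe is not healthy just because nothing printed "failed".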

Understanding adinfo-specific result codes

In addition to the common result codes described in “Understanding common result codes” on page 81, the adinfo command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.

Result  Error name                    Indicates
156     ERR_MACHINE_PASSWORD_CHANGED  The computer account password has been changed. If you encounter this error, you may need to manually reset the computer account password in Active Directory, then rerun the adinfo command.
157     ERR_KRB_READ_FORMAT           A Kerberos format error occurred when reading the Kerberos configuration file. You should rename or remove the configuration file, then rerun the adinfo command.
158     ERR_NOT_FQDN_NAME             The server name must be a fully-qualified domain name.

Using addebug

The addebug command is used to start or stop detailed logging activity for Centrify DirectControl on a local UNIX computer.

The basic syntax for the addebug program is:

    addebug [on | off | clear]

If you run the addebug on command, all of the Centrify DirectControl activity is written to the /systemLog/centrifydc.log file.

Note For most systems, the systemLog directory is /var/log.


If the adclient process stops running while logging is on, the addebug program records messages from PAM and NSS requests in the /systemLog/centrify_client.log file. Therefore, you should also check that file location if you enable logging.

If you do not specify an option, addebug displays its current status, indicating whether logging is active or disabled.

Setting valid options

You can use the following options with this command:

Use this option  To do this
on               Start logging all Centrify DirectControl daemon activity.
off              Stop logging Centrify DirectControl daemon activity.
clear            Clear the existing log file, then continue logging activity to the cleared log file.

Examples of using addebug

You use the addebug command to start and stop detailed Centrify DirectControl-specific logging to help you trace and resolve problems.

To display the current status of logging, type:

    /usr/share/centrifydc/bin/addebug

Note You must type the full path to the command because addebug is not included in the path by default.

This command displays information similar to the following:

    Centrify DirectControl debug logging is off

To turn on logging, type:

    /usr/share/centrifydc/bin/addebug on

This command records information in the /systemLog/centrifydc.log file similar to the following:

    ...
    Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Joining domain garfield.com
    Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Getting the KDC List for garfield.com
    Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Updating config file with domain garfield.com
    Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Created user LDAP connection
    Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Destroying binding to 'garfield.com'
    Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Attempting connection to server
    Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connecting to odie.garfield.com:389
    Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connected
    ...

For performance and security reasons, you should only enable Centrify DirectControl logging when necessary, for example, when requested to do so by Centrify Technical Support, and for short periods of time. Because the debug log captures all agent activity, including PAM and NSS requests, restrict access to the log file while logging is on and remove or archive it when you are done.

To discontinue logging, type:

    addebug off

Using adfinddomain

The adfinddomain command displays the domain controller associated with the Active Directory domain you specify.

The basic syntax for the adfinddomain program is:

    adfinddomain [--format name|ldap|ip] [--port] [--verify] [--version] [domain | $]

If you don’t specify a domain, the command returns information for the domain the local computer is joined to. If you specify a dollar sign ($) instead of a domain, the command returns the host name and, optionally, the port number for the Global Catalog server.


Setting valid options

You can use the following options with this command:

Use this option            To do this
-f, --format name|ldap|ip  Control the format of the information displayed for the domain controller. For example, if you set the format to name, the command displays the host name of the domain controller. Similarly, you can specify the format to be the URL used for LDAP requests or to be the IP address of the domain controller. For example:
                               adfinddomain -f ldap
                               ldap://fire.arcade.org
-p, --port                 Include the port number in the output.
-V, --verify               Check whether the specified domain controller is currently operational.
-v, --version              Display version information for the installed software.
[domain | $]               Specify the domain name or the global catalog for which you want to display information.

Examples of using adfinddomain

You can use the adfinddomain command to display the host name, LDAP URL, or IP address of the domain controller for a specified domain. For example, to display the full host name for the domain controller in the ajax.org domain, you would type:

    adfinddomain --format name ajax.org
    ginger.ajax.org

To display the host name for the global catalog server, type:

    adfinddomain $
    zen.ajax.org

To include the port number for the domain controller or global catalog, type:

    adfinddomain --format name --port ajax.org
    ginger.ajax.org:389

or:

    adfinddomain $ --port
    zen.ajax.org:3268

Understanding adfinddomain-specific result codes

In addition to the common result codes described in “Understanding common result codes” on page 81, the adfinddomain command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.

Result  Error name            Indicates
156     ERR_NOT_OBTAIN_IP     The command is unable to obtain the IP address for the server.
157     ERR_UNDETECT_SERVICE  The command is unable to find the domain controller for the domain specified. You should verify the domain name, then try rerunning the adfinddomain command.


Using adflush

The adflush command can be used to clear the Centrify DirectControl cache on a local computer.

The basic syntax for the adflush program is:

    adflush [option]

Setting valid options

You can use the following options with this command:

Use this option  To do this
-a, --auth       Remove DirectAuthorize information from the adclient authorization store cache.
-d, --dns        Remove stored DNS information from the adclient local cache.
-f, --force      Clear the adclient local cache of all data even if the Centrify DirectControl Agent is currently disconnected from Active Directory.
-o, --objects    Remove only domain controller and global catalog objects from the cache.
-V, --verbose    Display detailed information about the operation.
-v, --version    Display version information for the installed software.

Examples of using adflush

The adflush command enables you to completely clear the Centrify DirectControl cache at any time. This command can be useful when you want to force the Centrify DirectControl Agent to read new information from Active Directory, or when you want to remove obsolete data from the cache. You can also use this command as part of routine housekeeping to free up disk space.

To clear the cache of information from the Active Directory domain controller and global catalog, you would type:

    adflush

To display verbose output and force the local cache to be cleared when the Centrify DirectControl Agent (adclient) is running in disconnected mode without access to Active Directory, you would type:

    adflush --verbose --force

Use --force with care: while the agent is disconnected, the local cache is the only source of user and group information it has, so clearing it prevents cached Active Directory users from logging on until the connection to Active Directory is restored.

Using adid

The adid command can be used to display the real and effective UIDs and GIDs for the current user or a specified user.

The basic syntax for the adid program is:

    adid [option] [username|uid]

The adid command is intended as a replacement for the standard id program to look up user and group information for a specified user. For Active Directory users, the adid command is more efficient than the standard id program because it can request the user’s group membership list directly through the Centrify DirectControl Agent, resulting in better performance. For the standard id program, requesting a user’s group membership requires the program to search through all the groups on the system to find which groups include the user as a member. If you run the adid command and specify a user who is not an Active Directory user, the adid command transfers the request to the local id program with the same arguments you have specified.


Setting valid options

You can use the following options with this command:

Use this option  To do this
-a               Display all of the group IDs for the specified user or the current user if no user name or user ID is specified.
                 Note This option is provided to support compatibility with other versions of the program. The information adid displays with this option is the same as the information displayed without this option.
-n, --name       Display only the effective user name for the specified user or the current user. You must include the --user (or -u) option on the command line to use this option.
-u, --user       Display only the effective user ID for the specified user or the current user if no user name or user ID is specified.
--help           Display usage information for the command.

Examples of using adid

You can use the adid command to display user and group information for the current user or any specified user. For example, to display the user name, default group, and complete group membership for the current user, you can type:

    adid
    uid=505(alan) gid=100(users) groups=100(users),700(oracle),507(testexpert)

To display the user ID and group ID for a specific user name, you can type:

    adid alan
    uid=505(alan) gid=100(users)

To display the user ID and group ID for a specific user ID, you can type:

    adid 505
    uid=505(alan) gid=100(users)

To display only the user ID for a specific user name, you can type:

    adid --user sloane
    506

Using adclient

Most Centrify DirectControl operations are managed by the central daemon process adclient. This daemon is automatically started when the system is first booted. The daemon generally remains running as long as the computer is powered up so that it can handle all of the authentication and authorization interaction between Active Directory and the UNIX shell programs or Web applications that need this information.

Notes Although you can run adclient directly from the command line to control the operation of the Centrify DirectControl Agent on a local computer, it is recommended that you do so only under the direction of Centrify support. Typically, you should start and stop adclient from a startup script; see “Using the startup script” on page 147.

On Solaris, Mac OS X, and certain Red Hat computers, such as computers running RHEL 5.2, you cannot use the -x option to stop adclient. When running computers with any of these operating systems, you should use the centrifydc startup script or system resource controller commands, such as startsrc, stopsrc, and lssrc. For example, to stop the agent use:

    /usr/share/centrifydc/bin/centrifydc stop

The basic syntax for running adclient at the command line is:

    adclient [-x] [-d] [-F]


Setting valid options

You can use the following options with adclient:

Use this option  To do this
-x               Stop the Centrify DirectControl Agent if it is currently running.
                 Note: On computers running Solaris, Mac OS X, or RHEL 5.2, this option is not available.
-d               Set the Centrify DirectControl Agent to run in debug mode when it is restarted.
-F               Flush the Active Directory cache when the Centrify DirectControl Agent is restarted.
-M               Enable in-memory logging of Centrify DirectControl Agent operations.

For example, to flush the cache when the Centrify DirectControl Agent starts:

    adclient -F

Using the startup script

Although adclient normally runs as long as a computer is powered up, periodically you may want to manually stop or restart adclient without rebooting the computer. You do this by running a startup script called centrifydc and specifying whether you want to start, stop, or restart the daemon. The location of the startup scripts that run when a computer is started can vary depending on the platform. For example, on Linux and Solaris the startup script is in the directory /etc/init.d. For convenience, a copy of the Centrify DirectControl startup script is installed in the /usr/share/centrifydc/bin directory, and you can use the copy in that directory when you want to manually start, stop, or restart the Centrify DirectControl daemon.

For more information about how daemons are started and stopped in a specific operating environment, including the normal location for startup scripts, see the documentation for the operating environment.

Starting the daemon

To manually start the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:

    /usr/share/centrifydc/bin/centrifydc start

Stopping the daemon

To manually stop the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:

    /usr/share/centrifydc/bin/centrifydc stop

Restarting the daemon

To manually stop then restart the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:

    /usr/share/centrifydc/bin/centrifydc restart

Checking the status of the daemon

You can also check whether the daemon is currently running or stopped. To view the current status of the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:

    /usr/share/centrifydc/bin/centrifydc status

Using adcache

The adcache command enables you to manually clear the local Centrify DirectControl cache on a computer. You can use this command to dump all cache files or a specific cache file. You can also use the command to check a cache file for a specific key value and to reclaim disk space. By default, the program dumps all cache files.


Before running adcache, you should stop the adclient process using the following command:

    /usr/share/centrifydc/bin/centrifydc stop

The basic syntax for running the adcache program is:

    adcache [options]

Setting valid options

You can use the following options with adcache:

Use this option       To do this
-c, --cachename path  Specify the full path to the cache file you want to check or clear.
-q, --quiet           Run the command without displaying any output. This option is useful for running the command as a scheduled maintenance job.
-k, --key value       Check the Centrify DirectControl cache for a specific key value.
-r, --reorg           Reorganize the Centrify DirectControl cache and index files and recover disk space used by negative items. To use this option, you must run the adcache command as root. If you use this option, adcache stops and restarts the adclient process.

Examples of using adcache

To check the domain controller cache for a specific key value, you would type a command similar to this:

    adcache --cachename /var/centrifydc/dc.cache --key andre

    ----------------------------------------------------------
    Dumping /var/centrifydc/dc.cache
    ----------------------------------------------------------
    ADObject: <GUID=83db76a5dfca5243a788d98128d2e101>
    Acquired: Fri Sep 21 16:10:07 2007
    Deserialized data:
    _ExpiryTime(s):-1,
    _Foreign(s):False,
    _GECOS(s):Andre Garcia,
    _Gid(s):500,
    _HomeDirectory(s):/home/andre,
    _LoginShell(s):/bin/bash,
    _ObjectExtended(s):a30d50f5ef182e42b7687fa1ae07b776,
    _ParentLink(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
    _PwSync(s):altSecurityIdentities,
    _SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
    _ShellEnabled(s):True,
    _Uid(s):504,
    _UnixName(s):andre,
    _dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org,
    _extendedObjUSN(s):127065,
    _groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>,<GUID=2d7305a27dfc884eb95ed5d4404a9016>,<GUID=d663e7d2088e6c4d8d89c0919f4a2b6e>,
    _hashTimestamp(s):1190416207,
    _maxPwdAge(s):-1,
    _minPwdAge(s):128323800679025000,
    _objectCategory(s):Person,
    _pacGroups(s):0105000000000005150000009447c1d70eac103d99d0639e94040000,0105000000000005150000009447c1d70eac103d99d0639e00020000,0105000000000005150000009447c1d70eac103d99d0639e01020000,
    _passwordHash(s):b450a7940716ea44d980322df1773b10,
    _passwordSalt(s):$1$wJkhxUEB$,
    _server(s):ginger.ajax.org,
    _userPrincipalName(s):andre@ajax.org,
    accountExpires(s):9223372036854775807,
    cn(s):Andre Garcia,
    displayName(s):Andre Garcia,
    msDS-KeyVersionNumber(s):3,
    name(s):Andre Garcia,
    objectCategory(s):CN=Person,CN=Schema,CN=Configuration,DC=ajax,DC=org,
    objectClass(s):top,person,organizationalPerson,user,
    primaryGroupID(s):513,
    pwdLastSet(s):-1,
    sAMAccountName(s):andre,
    uSNChanged(s):1,
    userAccountControl(s):512,
    userPrincipalName(s):andre@ajax.org,
    ----------------------------------------------------------

As the example shows, a cached user object includes the user’s cached password hash and salt (_passwordHash and _passwordSalt) as well as the group SIDs from the user’s PAC. Treat adcache output as sensitive: do not paste raw dumps into tickets or e-mail, and verify that the cache files under /var/centrifydc are not readable by unprivileged users.

To reorganize the Centrify DirectControl cache and index files and recover disk space used by negative items, you would run the following command:

    adcache --reorg
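The dump above is one flat run of key(s):value pairs in which some values themselves contain commas (the _dn and _groupGuidList fields), so splitting on commas gives wrong answers. The following Python, an added example rather than anything Centrify ships, parses an entry by locating the key markers instead, pulls out the identity facts an investigator checks first, and redacts the cached credential material before the dump leaves the machine. The sample entry is constructed from the dump above with most fields dropped; the field names are the ones the dump shows, and the ACCOUNTDISABLE bit is the standard Windows userAccountControl flag rather than anything this guide defines.

```python
import re

# Constructed sample entry, trimmed from the dump shown above (one long line in the real output)
SAMPLE_ENTRY = (
    "_ExpiryTime(s):-1,_Foreign(s):False,_GECOS(s):Andre Garcia,_Gid(s):500,"
    "_HomeDirectory(s):/home/andre,_LoginShell(s):/bin/bash,"
    "_SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153,_ShellEnabled(s):True,"
    "_Uid(s):504,_UnixName(s):andre,_dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org,"
    "_groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>,"
    "<GUID=2d7305a27dfc884eb95ed5d4404a9016>,"
    "_passwordHash(s):b450a7940716ea44d980322df1773b10,_passwordSalt(s):$1$wJkhxUEB$,"
    "_server(s):ginger.ajax.org,msDS-KeyVersionNumber(s):3,primaryGroupID(s):513,"
    "sAMAccountName(s):andre,userAccountControl(s):512,"
)

# A key is a bare name (AD attribute or Centrify-internal "_name") followed by "(s):"
KEY_RE = re.compile(r"([A-Za-z_][\w-]*)\(s\):")
GUID_RE = re.compile(r"<GUID=([0-9a-f]{32})>")
SENSITIVE = ("_passwordHash", "_passwordSalt")  # cached credential material visible in the dump
ACCOUNTDISABLE = 0x0002                         # Windows userAccountControl flag, not from this guide


def parse_entry(text):
    """Split one deserialized cache entry into a dict, keeping commas inside values intact."""
    keys = list(KEY_RE.finditer(text))
    entry = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        entry[m.group(1)] = text[m.end():end].rstrip(",")
    return entry


def redact(entry):
    """Replace the cached hash and salt so the dump can be attached to a ticket."""
    return {k: ("<redacted>" if k in SENSITIVE else v) for k, v in entry.items()}


def summarize(entry):
    """The identity facts an investigator checks first: who the cached object is, its IDs, its groups."""
    sid = entry.get("_SID", "")
    uac = int(entry.get("userAccountControl", "0"))
    return {
        "unix_name": entry.get("_UnixName"),
        "uid": int(entry["_Uid"]),
        "gid": int(entry["_Gid"]),
        "sid": sid,
        "rid": int(sid.rsplit("-", 1)[1]) if sid else None,
        "dn": entry.get("_dn"),
        "groups": GUID_RE.findall(entry.get("_groupGuidList", "")),
        "disabled_in_ad": bool(uac & ACCOUNTDISABLE),
        "cached_password": bool(entry.get("_passwordHash")),
        "cached_from": entry.get("_server"),
    }


if __name__ == "__main__":
    parsed = parse_entry(SAMPLE_ENTRY)
    print(summarize(parsed))
    for key, value in redact(parsed).items():
        print("%s=%s" % (key, value))
```

The "cached_password" flag is worth checking during an incident: an entry that carries a hash is one that an attacker with read access to the cache file could attack offline, which is why the file permissions matter as much as the redaction.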


You should run the adcache --reorg command on a regular basis in a cron job to remove negative results and to prevent the cache from consuming too much disk space. Depending on how quickly the size of the Centrify DirectControl cache tends to increase in your environment, you may want to schedule this command to run approximately once a week.

Understanding adcache-specific result codes

In addition to the common result codes described in “Understanding common result codes” on page 81, the adcache command can generate command-specific result codes when errors are encountered. The following table lists these command-specific result codes.

Result  Error name                 Indicates
156     ERR_ADCLIENT_NOT_SHUTDOWN  The Centrify DirectControl Agent is currently running. You should stop the adclient process, then attempt to rerun the command.
157     ERR_CACHE_CORRUPT          The cache may be corrupt.

Using adreload

The adreload command enables you to force the Centrify DirectControl Agent (adclient) to reload configuration properties in the /etc/centrifydc/centrifydc.conf file and in other files in the /etc/centrifydc directory. Running this command enables changes made to the configuration properties to take effect without restarting the adclient process. Running adreload, however, does not reload the properties set with the following configuration parameters:

    adclient.ldap.timeout
    adclient.ldap.socket.timeout
    adclient.udp.timeout
    adclient.clients.threads
    adclient.clients.threads.max
    adclient.use.all.cpus
    adclient.clients.listen.backlog
    adclient.dumpcore

For the configuration parameters listed above, you must restart the adclient process for changes to take effect.

The basic syntax for running the adreload program is:

    adreload

This command returns the following exit codes:

This exit code  Indicates
0               Command executed successfully
2               Process not authorized
3               Reload failed

Setting valid options

You can use the following option with adreload:

Use this option  To do this
-h, --help       Display the usage message.

Examples of using adreload

To reload the configuration properties on a local computer after making changes to the /etc/centrifydc/centrifydc.conf file, you would type a command similar to this:

    adreload

Understanding adreload-specific result codes

In addition to the common result codes described in “Understanding common result codes” on page 81, the adreload command can generate the following operation-specific result code:

Result  Error name               Indicates
156     ERR_RELOAD_CENTRIFYCONF  The attempt to reload the centrifydc.conf file failed.


Appendix B

Customizing Auto Zone configuration parameters

This appendix describes the Centrify DirectControl configuration parameters that affect the operation of a local host computer joined to Auto Zone. These parameters have no effect if the machine is not joined to Auto Zone.

auto.schema.primary.gid

auto.schema.private.group

auto.schema.shell

auto.schema.homedir

auto.schema.use.adhomedir

auto.schema.remote.file.service

auto.schema.name.format

auto.schema.separator

auto.schema.domain.prefix

auto.schema.search.return.max

auto.schema.name.lower

auto.schema.iterate.cache

adclient.ntlm.separators


auto.schema.primary.gid This configuration parameter specifies the primary GID for the user. The auto.schema.private.group parameter must be set to false (the default) to use this parameter.

Specify the GID for an existing group. To find the GID for a group, you can use the adquery command. For example, to find the GID for the group Support, open a terminal session and type:

    adquery group --gid Support
    1003

If you do not set this parameter, the value defaults to the following:

On Mac OS X: 20.

On Linux: 65534

auto.schema.private.group This configuration parameter specifies whether to use dynamic private groups.

Specify true to create dynamic private groups. In this case, the primary GID is set to the user's UID and a group is automatically created with a single member.

Specify false (the default) to not create private groups. In this case, the primary GID is set to the value of auto.schema.primary.gid, which defaults to 20 on Mac OS X and 65534 on Linux.

auto.schema.shell This configuration parameter specifies the default shell for the logged in user. The default value is /bin/bash on Mac OS X and Linux systems and /bin/sh on all other systems.


auto.schema.homedir This configuration parameter specifies the home directory for logged in users. The default, if you do not specify this parameter, is:

Mac OS X: /Users/%{user}

UNIX: /home/%{user}

The syntax %{user} specifies the logon name of the user. For example, in the Centrify DirectControl configuration file, if you add:

    auto.schema.homedir:/Users/%{user}

and jsmith logs on to a Mac OS X machine, the home directory is set to /Users/jsmith.

If the parameter, auto.schema.use.adhomedir, is true, the home directory is set to the value in Active Directory for the user, if one is defined. If auto.schema.use.adhomedir, is false or if a home directory is not specified for the user in Active Directory, the home directory is set to the value defined for this parameter, auto.schema.homedir.

auto.schema.use.adhomedir Note This configuration parameter applies to Mac OS X computers only.

This configuration parameter specifies whether to use the Active Directory value for the home directory, if one is defined. Set to true to use the Active Directory value (the default), or false to not use the Active Directory value. If you set the value to false, or if you set the value to true but a home directory is not specified in Active Directory, the value for auto.schema.homedir is used.


auto.schema.remote.file.service Note This configuration parameter applies to Mac OS X computers only.

This configuration parameter specifies the type of remote file service to use for the network home directory. The options are: SMB (default) and AFP.

When you type a path for the network home directory in Active Directory, it requires a specific format: /server/share/path, but on Mac OS X, the format for mounting a network directory requires the remote file service type: /type/server/share/path. By identifying the remote file-service type, you can type the network path in the format required by Active Directory, and Centrify DirectControl translates the path into the format required by Mac OS X.

For example:

    auto.schema.remote.file.service:SMB

auto.schema.name.format This configuration parameter specifies how the Active Directory username is transformed into a UNIX name (short name in Mac OS X). The options are:

SAM (default). An example SAM name is joe.

SAM@domainName. An example SAM@domainName name is joe@acme.com.

NTLM. An example NTLM name is acme.com-joe.


auto.schema.separator Note This configuration parameter has been deprecated in favor of adclient.ntlm.separators, which applies whenever NTLM format is used. The auto.schema.separator parameter only applies when the computer is connected to Auto Zone.

This configuration parameter specifies the separator to be used between the domain name and the user name if NTLM format is used. The default is +; for example:

    auto.schema.separator:+

which results in a name such as:

    acme.com+jcool

auto.schema.domain.prefixThis configuration parameter specifies a unique prefix for a trusted domain. You must specify a whole number in the range of 0 - 511.

Centrify DirectControl combines the prefix with the lower 22 bits of each user or group RID (relative identifier) to create unique UNIX user (UID) and group (GID) IDs for each user and group in the forest and in any two-way trusted forests.

Ordinarily, you do not need to set this parameter because Centrify DirectControl automatically generates the domain prefix from the user or group Security Identifier (SID). However, in a forest with a large number of domains, domain prefix conflicts are possible. When you join a machine to a domain, if Centrify DirectControl detects any conflicting domain prefixes, the join fails with a warning message. You can then set a unique prefix for the conflicting domains.

To set this parameter, append the domain name and specify a prefix in the range 0 - 511. For example:

    auto.schema.domain.prefix.acme.com:3
    auto.schema.domain.prefix.finance.com:4
    auto.schema.domain.prefix.corp.com:5

The default behavior, if you do not set this parameter, is for Centrify DirectControl to automatically generate the domain prefix from the user or group Security Identifier (SID).
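The following Python script is an added worked example, not Centrify code. It shows how a 9-bit domain prefix (0 - 511) and the low 22 bits of a RID can be combined into a UID or GID, how a centrifydc.conf fragment of the form shown above is read, and why two domains that end up with the same prefix produce duplicate IDs until one of them is given a distinct prefix. It assumes the prefix occupies the bits directly above the 22 RID bits; the page says only that the two are combined, so that layout, the sample RID values and the configuration fragment are this example's own constructions.

```python
# Added example (not Centrify code): domain prefix + low 22 bits of RID -> UNIX ID,
# and the prefix-conflict check that makes a domain join fail.
#
# Assumption: uid = (prefix << 22) | (rid & 0x3FFFFF). The page only says the
# prefix and the low 22 bits of the RID are "combined"; this layout is ours.

RID_BITS = 22
RID_MASK = (1 << RID_BITS) - 1
PREFIX_MAX = 511  # auto.schema.domain.prefix accepts 0 - 511 (9 bits)

# Constructed centrifydc.conf fragment using the page's example values.
SAMPLE_CONF = """\
auto.schema.domain.prefix.acme.com: 3
auto.schema.domain.prefix.finance.com: 4
auto.schema.domain.prefix.corp.com: 5
"""


def unix_id(prefix: int, rid: int) -> int:
    """Derive a UID/GID from a domain prefix and a user or group RID."""
    if not 0 <= prefix <= PREFIX_MAX:
        raise ValueError(f"prefix {prefix} is outside 0-{PREFIX_MAX}")
    return (prefix << RID_BITS) | (rid & RID_MASK)


def parse_prefix_settings(conf_text: str) -> dict:
    """Read auto.schema.domain.prefix.<domain>: <n> lines into {domain: n}."""
    key = "auto.schema.domain.prefix."
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith(key) or ":" not in line:
            continue
        name, value = line.split(":", 1)
        settings[name[len(key):].strip()] = int(value)
    return settings


def prefix_conflicts(prefixes: dict) -> list:
    """Groups of domains that share one prefix (what a join would reject)."""
    by_prefix = {}
    for domain, prefix in prefixes.items():
        by_prefix.setdefault(prefix, []).append(domain)
    return [sorted(ds) for ds in by_prefix.values() if len(ds) > 1]


def conflicting_ids(prefixes: dict, rids: dict) -> dict:
    """Generated IDs that more than one (domain, rid) pair maps to."""
    owners = {}
    for domain, prefix in prefixes.items():
        for rid in rids.get(domain, ()):
            owners.setdefault(unix_id(prefix, rid), []).append((domain, rid))
    return {uid: o for uid, o in owners.items() if len(o) > 1}


if __name__ == "__main__":
    # Constructed: two domains auto-assigned the same prefix, each holding a
    # principal with RID 1105 -> identical UIDs until one prefix is changed.
    clash = {"acme.com": 3, "finance.com": 3}
    rids = {"acme.com": [1105], "finance.com": [1105]}
    print("prefix conflicts:", prefix_conflicts(clash))
    print("duplicate IDs:", conflicting_ids(clash, rids))
    print("after explicit prefixes:",
          conflicting_ids(parse_prefix_settings(SAMPLE_CONF), rids))
```

Under this layout the largest possible ID (prefix 511, RID 0x3FFFFF) is 2^31 - 1, so every generated value fits a signed 32-bit uid_t. Only the low 22 bits of the RID survive, so two accounts in one domain whose RIDs differ by a multiple of 4194304 would also collide; that is a property of the derivation rather than of the prefix, and conflicting_ids reports it the same way.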

auto.schema.search.return.max

This configuration parameter specifies the number of users that will be returned for searches by utilities such as dscl and the Workgroup Manager application. Because Auto Zone enables access to all users in a domain, a search could potentially return tens of thousands of users. This parameter causes the search to truncate after the specified number of users.

The default is 1000 entries.

auto.schema.name.lower

This configuration parameter converts all user names and home directory names taken from Active Directory to lowercase when their UNIX names are generated; it does not change the names stored in Active Directory.

Set to true to convert usernames and home directory names to lowercase.

Set to false to leave usernames and home directories in their original case, upper, lower, or mixed.

The default for a new installation is true. The default for an upgrade installation is false.

auto.schema.iterate.cache

This parameter specifies that user and group iteration takes place only over cached users and groups.

Set the value for auto.schema.iterate.cache to true to restrict iteration to cached users and groups.

Set the value for auto.schema.iterate.cache to false to iterate over all users and groups. The default value is false.

adclient.ntlm.separators

This configuration parameter specifies the separators that may be used between the domain name and the user name when NTLM format is used. For example, the following setting:

adclient.ntlm.separators: +/\\

allows any of the following formats (assuming a user joe in the acme.com domain):

acme.com+joe
acme.com/joe
acme.com\joe

Note The backslash character (\) can be problematic on some UNIX shells, in which case you may need to specify domain\\user.

The first character in the list is the one that adclient uses when generating NTLM names.

The default values are +/\\, with + being the adclient default.
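As an added example in Python (not part of the Centrify agent), the following functions apply the three auto.schema.name.format transformations and the auto.schema.name.lower option to a samAccountName, and generate and parse NTLM-style names from an adclient.ntlm.separators list: the first listed separator is used when a name is produced, and any listed separator is accepted when a name is read. It assumes that the doubled backslash in the configuration value +/\\ denotes one literal backslash (as the acme.com\joe result above implies) and that an NTLM name is split at the first separator character found; the sample names are constructed.

```python
# Added example (not Centrify code): auto.schema.name.format transformations,
# auto.schema.name.lower, and NTLM-name generation/parsing driven by an
# adclient.ntlm.separators list.
#
# Assumptions: in the conf file "\\" stands for one literal backslash
# separator (the page's "+/\\" example yields acme.com\joe); an NTLM name
# is split at the first separator character found.

DEFAULT_SEPARATORS = "+/\\"  # adclient default: + then / then \ (first is used for output)

FORMATS = ("SAM", "SAM@domainName", "NTLM")


def parse_separators(conf_value: str) -> str:
    # Collapse the conf-file spelling "\\" to a single backslash character.
    return conf_value.strip().replace("\\\\", "\\")


def unix_name(sam, domain, fmt="SAM", separators=DEFAULT_SEPARATORS, lower=True):
    """Map a samAccountName and its domain to the UNIX name for one
    auto.schema.name.format value; `lower` models auto.schema.name.lower."""
    if fmt == "SAM":
        name = sam
    elif fmt == "SAM@domainName":
        name = f"{sam}@{domain}"
    elif fmt == "NTLM":
        if not separators:
            raise ValueError("NTLM format needs at least one separator")
        name = f"{domain}{separators[0]}{sam}"  # first listed separator wins
    else:
        raise ValueError(f"unknown auto.schema.name.format: {fmt!r}")
    return name.lower() if lower else name


def split_ntlm(name, separators=DEFAULT_SEPARATORS):
    """Accept any listed separator on input and return (domain, sam);
    None when the name carries no domain part."""
    for i, ch in enumerate(name):
        if ch in separators:
            return name[:i], name[i + 1:]
    return None


def normalize(login, separators=DEFAULT_SEPARATORS):
    """Rewrite a login typed with any accepted separator into the form
    adclient generates (first separator, lowercase)."""
    parts = split_ntlm(login, separators)
    if parts is None:
        return login.lower()
    domain, sam = parts
    return unix_name(sam, domain, "NTLM", separators)


if __name__ == "__main__":
    # Constructed sample: user Joe in acme.com, shown in all three formats.
    for fmt in FORMATS:
        print(f"{fmt:15} {unix_name('Joe', 'acme.com', fmt)}")
    seps = parse_separators("+/\\\\")  # the conf value +/\\
    for typed in ("acme.com+Joe", "acme.com/Joe", "acme.com\\Joe", "Joe"):
        print(f"{typed:15} -> {normalize(typed, seps)}")
```

normalize is the operation an access-list or audit script needs when it compares a name a user typed (acme.com\joe, ACME.COM/Joe) against the name adclient would have generated.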

Appendix C

Customizing PAM-related configuration parameters

This appendix describes the DirectControl configuration parameters that affect the operation of PAM-related activity on the local host computer.

pam.allow.groups

pam.allow.override

pam.allow.password.change

pam.allow.password.change.mesg

pam.allow.password.expired.access

pam.allow.password.expired.access.mesg

pam.allow.users

pam.deny.groups

pam.deny.users

pam.ignore.users

pam.mapuser.username

pam.password.change.mesg

pam.password.change.required.mesg

pam.password.confirm.mesg

pam.password.empty.mesg

pam.password.enter.mesg

pam.password.expiry.warn

pam.password.new.mesg

pam.password.new.mismatch.mesg

pam.password.old.mesg

pam.policy.violation.mesg

pam.allow.groups

This configuration parameter specifies the groups allowed to access PAM-enabled applications. When this parameter is defined, only the listed groups are allowed access. All other groups are denied access.

If you want to use this parameter to control which users can log in based on group membership, the groups you specify should be valid Active Directory groups, but the groups you specify do not have to be enabled for UNIX. Local group membership and invalid Active Directory group names are ignored.

If you use this parameter to control access by group name, Centrify DirectControl checks the Active Directory group membership for every user who attempts to use PAM-enabled applications on the host computer.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks with Active Directory to see what groups the user belongs to. If the user is a member of any Active Directory group specified by this parameter, the user is accepted and authentication proceeds. If the user is not a member of any group specified by this parameter, authentication fails and the user is rejected.

The parameter’s value can be one or more group names, separated by commas, or the file: keyword and a file location. For example, to allow only members of the administrators, sales, and engineering groups in Active Directory to log in:

pam.allow.groups: administrators,sales,engineering

You can use the short format of the group name or the full canonical name of the group.

To enter group names with spaces, enclose them in double quotes; for example:

pam.allow.groups: "domain admins",sales,"domain users"

To specify a file that contains a list of the groups allowed access, type the path to the file:

pam.allow.groups: file:/etc/centrifydc/groups.allow

Note If a computer is configured to use Auto Zone without a zone, enter group names in the format specified by the auto.schema.name.format parameter:

SAM (samAccountName, the default); for example: finance_admins

samAccountName@domain_name; for example: [email protected]

NTLM; for example: acme.com+finance_admins

You can look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery group -n to see the UNIX name for any group. For example, to see the UNIX name for the Finance_Admins group (with SAM, the default, set for auto.schema.name.format), execute the following command, which returns the UNIX name as shown:

[root]# adquery group -n Finance_Admins
finance_admins

If no group names are specified, no group filtering is performed.

Note If you make changes to this parameter, you should run adflush to clear the Centrify DirectControl cache to ensure your changes take effect.

pam.allow.override

This configuration parameter is used to override authentication through Active Directory to ensure the root user or another local account has permission to log on when authentication through Active Directory is not possible, when there are problems running the Centrify DirectControl daemon, or when there are network communication issues.

When you specify a user account for this parameter, authentication is passed on to a legacy authentication mechanism, such as /etc/passwd. You can use this parameter to specify an account that you want to ensure always has access, even if communication with Active Directory or the Centrify DirectControl daemon fails. For example, to ensure the local root user always has access to a system even in an environment where you have enabled root mapping, you can specify:

pam.allow.override: root

To log in locally with the override account, you must specify the local user name and password. However, because the account is mapped to an Active Directory account, you must append @localhost to the user name. For example, if you have specified root as the override account and are using root mapping, you would type root@localhost when prompted for the user name. You can then type the local password for the root account and log in without being authenticated through Active Directory.

Note If you are mapping the root user to an Active Directory account and password, you should set this parameter to root or to a local user account with root-level permissions (UID 0), so that you always have at least one local account with permission to access system files and perform privileged tasks on the computer even if there are problems with the network connection, Active Directory, or the Centrify DirectControl daemon.

pam.allow.password.change

This configuration parameter specifies whether users who log in with an expired password should be allowed to change their password. You can set this parameter to true or false and use it in conjunction with the pam.allow.password.expired.access parameter to control access for users who attempt to log on with an expired password.

If both this parameter and pam.allow.password.expired.access are set to true, users logging on with an expired password are allowed to log on and are prompted to change their password.

If the pam.allow.password.expired.access parameter is set to true, but this parameter is set to false, users logging on with an expired password are allowed to log on but are not prompted to change their password and the message defined for the pam.allow.password.change.mesg parameter is displayed.

If both this parameter and pam.allow.password.expired.access are set to false, users who attempt to log on with an expired password are not allowed to log on or change their password and the message defined for the pam.allow.password.change.mesg parameter is displayed.

For example, to allow users with expired passwords to change their password:

pam.allow.password.change: true

pam.allow.password.change.mesg

This configuration parameter specifies the message displayed when users are not permitted to change their expired password because the pam.allow.password.change parameter is set to false.

For example:

pam.allow.password.change.mesg: Password change not permitted

pam.allow.password.expired.access

This configuration parameter specifies whether users who log in with an expired password should be allowed access. You can set this parameter to true or false and use it in conjunction with the pam.allow.password.change parameter to control access for users who attempt to log on with an expired password.

If this parameter is set to true, users logging on with an expired password are allowed to log on, and either prompted to change their password if the pam.allow.password.change parameter is set to true, or notified that they are not allowed to change their expired password if the pam.allow.password.change parameter is set to false.

If this parameter is set to false, users logging on with an expired password are not allowed to log on and the message defined for the pam.allow.password.expired.access.mesg parameter is displayed.

For example, to allow users with expired passwords to log on:

pam.allow.password.expired.access: true

pam.allow.password.expired.access.mesg

This configuration parameter specifies the message displayed when users are not permitted to log on with an expired password because the pam.allow.password.expired.access parameter is set to false.

For example:

pam.allow.password.expired.access.mesg: Password expired - access denied

pam.allow.users

This configuration parameter specifies the users who are allowed to access PAM-enabled applications. When this parameter is defined, only the listed users are allowed access. All other users are denied access.

If you want to use this parameter to control which users can log in, the users you specify should be valid Active Directory users that have a valid UNIX profile for the local computer’s zone. If you specify local user accounts or invalid Active Directory user names, these entries are ignored.

If you specify one or more users with this parameter, user filtering is performed for all PAM-enabled applications on the host computer.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks the users specified by this parameter to see if the user is listed there. If the user is included in the list, the user is accepted and authentication proceeds. If the user is not listed, the user is rejected.

The parameter value can be one or more user names, separated by commas, or the file: keyword and a file location. For example:

pam.allow.users: root,joan7,bbenton
pam.allow.groups: administrators,sales,engineering

You can use the short format of the user name or the full canonical name of the user.

To enter user names with spaces, enclose them in double quotes; for example:

pam.allow.users: "sp1 [email protected]",[email protected],"sp2 [email protected]"

To specify a file that contains a list of the users allowed access, type the path to the file:

pam.allow.users: file:/etc/centrifydc/users.allow

Note If a computer is configured to use Auto Zone without a zone, enter user names in the format specified by the auto.schema.name.format parameter:

SAM (samAccountName, the default); for example: jcool

samAccountName@domain_name; for example: [email protected]

NTLM; for example: acme.com+jcool

You can look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery user -n to see the UNIX name for any user. For example, to see the UNIX name for jcool (with SAM, the default, set for auto.schema.name.format), execute the following command, which returns the UNIX name as shown:

[root]# adquery user -n jcool
jcool

If no user names are specified, then no user filtering is performed.

Note If you make changes to this parameter, you should run adflush to clear the Centrify DirectControl cache to ensure your changes take effect.

pam.deny.groups

This configuration parameter specifies the groups that should be denied access to PAM-enabled applications. When this parameter is defined, only the listed groups are denied access. All other groups are allowed access.

If you want to use this parameter to control which users can log in based on group membership, the groups you specify should be valid Active Directory groups, but the groups you specify do not need to be enabled for UNIX. Local group membership and invalid Active Directory group names are ignored.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks with Active Directory to see which groups the user belongs to. If the user is a member of any Active Directory group specified by this parameter, the user is denied access and authentication fails. If the user is not a member of any group specified by this parameter, authentication succeeds and the user is logged on.

The parameter’s value can be one or more group names, separated by commas or spaces, or the file: keyword and a file location. For example, to prevent all members of the vendors and azul groups in Active Directory from logging on:

pam.deny.groups: vendors,azul

You can use the short format of the group name or the full canonical name of the group.

To enter group names with spaces, enclose them in double quotes; for example:

pam.deny.groups: "domain admins",sales,"domain users"

To specify a file that contains a list of the groups that should be denied access:

pam.deny.groups: file:/etc/centrifydc/groups.deny

Note If a computer is configured to use Auto Zone without a zone, enter group names in the format specified by the auto.schema.name.format parameter:

SAM (samAccountName, the default); for example: finance_admins

samAccountName@domain_name; for example: [email protected]

NTLM; for example: acme.com+finance_admins

You can look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery group -n to see the UNIX name for any group. For example, to see the UNIX name for the Finance_Admins group (with SAM, the default, set for auto.schema.name.format), execute the following command, which returns the UNIX name as shown:

[root]# adquery group -n Finance_Admins
finance_admins

If this parameter is not defined in the configuration file, no group filtering is performed.

Note If you make changes to this parameter, you should run adflush to clear the Centrify DirectControl cache to ensure your changes take effect.

pam.deny.users

This configuration parameter specifies the users that should be denied access to PAM-enabled applications. When this parameter is defined, only the listed users are denied access. All other users are allowed access.

If you want to use this parameter to control which users can log in, the users you specify should be valid Active Directory users that have been enabled for UNIX. If you specify local user accounts or invalid Active Directory user names, these entries are ignored.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks the users specified by this parameter to see if the user is listed there. If the user is included in the list, the user is rejected and authentication fails. If the user is not listed, the user is accepted and authentication proceeds.

The parameter value can be one or more user names, separated by commas or spaces, or the file: keyword and a file location. For example, to prevent the user accounts starr and guestuser from logging on:

pam.deny.users: starr,guestuser

You can use the short format of the user name or the full canonical name of the user.

To enter user names with spaces, enclose them in double quotes; for example:

pam.deny.users: "sp1 [email protected]",[email protected],"sp2 [email protected]"

To specify a file that contains a list of the users that should be denied access:

pam.deny.users: file:/etc/centrifydc/users.deny

Note If a computer is configured to use Auto Zone without a zone, enter user names in the format specified by the auto.schema.name.format parameter:

SAM (samAccountName, the default); for example: jcool

samAccountName@domain_name; for example: [email protected]

NTLM; for example: acme.com+jcool

You can look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery user -n to see the UNIX name for any user. For example, to see the UNIX name for jcool (with SAM, the default, set for auto.schema.name.format), execute the following command, which returns the UNIX name as shown:

[root]# adquery user -n jcool
jcool

If this parameter is not defined in the configuration file, no user filtering is performed.

Note If you make changes to this parameter, you should run adflush to clear the Centrify DirectControl cache to ensure your changes take effect.
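The following Python script is an added example, not the pam_centrifydc module. It parses pam.allow.users, pam.allow.groups, pam.deny.users and pam.deny.groups in the value syntax described above (names separated by commas, double-quoted names containing spaces, and the file: keyword naming a file with one entry per line) and applies them to a login whose Active Directory group membership is given, so that an administrator can predict the effect of a proposed setting before running adflush. It assumes that every defined filter must pass for the login to proceed (the page documents each parameter on its own and states no precedence between them), that whitespace is accepted as a separator for all four parameters, that comparisons are exact and case-insensitive, and that lines beginning with # in a file: list are comments; only Active Directory groups are consulted because the page says local group membership is ignored. The configuration fragment, the deny file and the logins are constructed.

```python
# Added example (not Centrify's pam_centrifydc code): parse the four PAM
# filter parameters and evaluate a login against them.
#
# Assumptions: all defined filters must pass (no precedence is stated on the
# page); commas or whitespace separate names; matching is exact and
# case-insensitive; "#" lines in a file: list are comments; only AD groups
# count, since local group membership is ignored.
import os
import re
import tempfile

FILTER_KEYS = ("pam.allow.users", "pam.allow.groups",
               "pam.deny.users", "pam.deny.groups")
# Either a "double quoted name" or a bare token without comma/space/quote.
_TOKEN = re.compile(r'"([^"]*)"|([^,\s"]+)')

# Constructed centrifydc.conf fragment using the page's own example values.
SAMPLE_CONF = """\
pam.allow.groups: "domain admins",sales,engineering
pam.deny.users: starr,guestuser
"""


def parse_name_list(value: str) -> list:
    """Split a parameter value into names; a file: value is read from disk."""
    value = value.strip()
    if value.startswith("file:"):
        with open(value[len("file:"):].strip(), encoding="utf-8") as fh:
            return [ln.strip() for ln in fh
                    if ln.strip() and not ln.lstrip().startswith("#")]
    return [quoted or bare for quoted, bare in _TOKEN.findall(value)]


def load_filters(conf_text: str) -> dict:
    """Collect the PAM filter parameters defined in conf text, lowercased
    for comparison; a parameter that is not set is simply absent."""
    filters = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon only: file:/path survives
        key = key.strip()
        if key in FILTER_KEYS:
            filters[key] = {n.lower() for n in parse_name_list(value)}
    return filters


def check_access(filters: dict, user: str, ad_groups) -> tuple:
    """Return (allowed, reason) for a user with the given AD groups."""
    u = user.lower()
    groups = {g.lower() for g in ad_groups}
    if u in filters.get("pam.deny.users", set()):
        return False, "pam.deny.users"
    hit = groups & filters.get("pam.deny.groups", set())
    if hit:
        return False, "pam.deny.groups:" + ",".join(sorted(hit))
    if "pam.allow.users" in filters and u not in filters["pam.allow.users"]:
        return False, "pam.allow.users"
    if "pam.allow.groups" in filters and not groups & filters["pam.allow.groups"]:
        return False, "pam.allow.groups"
    return True, "ok"


def demo_decisions() -> dict:
    """Evaluate constructed logins, with pam.deny.groups supplied through a
    file: list written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        deny_path = os.path.join(tmp, "groups.deny")
        with open(deny_path, "w", encoding="utf-8") as fh:
            fh.write("# constructed groups.deny\nvendors\nazul\n")
        filters = load_filters(SAMPLE_CONF + f"pam.deny.groups: file:{deny_path}\n")
    logins = {
        "jcool": ("jcool", ["Sales"]),                       # in an allowed group
        "admin1": ("admin1", ["Domain Admins"]),             # quoted group name matches
        "starr": ("starr", ["sales"]),                       # listed in pam.deny.users
        "bbenton": ("bbenton", ["engineering", "Vendors"]),  # member of a denied group
        "guest2": ("guest2", ["domain users"]),              # in no allowed group
    }
    return {name: check_access(filters, *args) for name, args in logins.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo_decisions().items():
        print(f"{name:8} {'allow' if ok else 'deny '} {why}")
```

The reason string names the parameter that rejected the login, which is the detail worth logging when a user reports being locked out after a list change.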

pam.ignore.users

This configuration parameter specifies one or more users that Centrify DirectControl will ignore for lookup in Active Directory. Because this parameter allows you to intentionally skip looking up an account in Active Directory, it allows faster lookup for system accounts such as tty, root, and bin and local login accounts.

Note This configuration parameter ignores listed users for authentication and NSS lookups.

If you are manually setting this parameter, the parameter value should be one or more user names, separated by a space, or the file: keyword and a file location. For example, to specify a list of users to authenticate locally:

pam.ignore.users: root sys tty

To specify a file that contains a list of the users to ignore:

pam.ignore.users: file:/etc/centrifydc/users.ignore

If this parameter is not defined in the configuration file, no users are specified.

pam.mapuser.username

This configuration parameter maps a local UNIX user account to an Active Directory account. Local user mapping allows you to set password policies in Active Directory even when a local UNIX account is used to log in. This parameter is most commonly used to map local system or application service accounts to an Active Directory account and password, but it can be used for any local user account. For more information about mapping local accounts to Active Directory users, see “Mapping local UNIX accounts to Active Directory” on page 57.

If you are manually setting this parameter, you should note that the local account name you want to map to Active Directory is specified as the last portion of the configuration parameter name. The parameter value is the Active Directory account name for the specified local user. For example, the following parameter maps the local UNIX account oracle to the Active Directory account [email protected] if the host computer’s name is storm:

pam.mapuser.oracle: [email protected]

You can specify the user name in the configuration file with any of the following valid formats:

Standard Windows format: domain\user_name

Universal Principal Name (UPN): user_name@domain

Alternate UPN: alt_user_name@alt_domain

UNIX user name: user

You must include the domain name in the format if the user account is not in the local computer’s current Active Directory domain.

If this parameter is not defined in the configuration file, no local UNIX user accounts are mapped to Active Directory accounts.

pam.password.change.mesg

This configuration parameter specifies the text displayed by a PAM-enabled application when it requests a user to change a password.

The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:

pam.password.change.mesg: Changing Active Directory password for\

If this parameter is not present, its default value is “Change password for”.

pam.password.change.required.mesg

This configuration parameter specifies the message displayed if the user enters the correct password, but the password must be changed immediately.

For example:

pam.password.change.required.mesg: \
You are required to change your password immediately

pam.password.confirm.mesg

This configuration parameter specifies the text displayed by a PAM-enabled application when it requests a user to confirm his new password by entering it again.

The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:

pam.password.confirm.mesg: Confirm new Active Directory password:\

If this parameter is not present, its default value is “Confirm new password:”.

pam.password.empty.mesg

This configuration parameter specifies the message displayed if the user enters an empty password.

For example:

pam.password.empty.mesg: Empty password not allowed

pam.password.enter.mesg

This configuration parameter specifies the text displayed by a PAM-enabled application when it requests a user to enter his password.

The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:

pam.password.enter.mesg: Active Directory password:\

If this parameter is not present, its default value is “Password:”.

pam.password.expiry.warn

This configuration parameter specifies how many days before a password is due to expire PAM-enabled applications should issue a warning to the user.

The parameter value must be a positive integer. For example, to issue a password expiration warning 10 days before a password is set to expire:

pam.password.expiry.warn: 10

If this parameter is not present, its default value is 14 days.

pam.password.new.mesg

This configuration parameter specifies the text displayed by a PAM-enabled application when it requests a user to enter his new password during a password change.

The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:

pam.password.new.mesg: Enter new Active Directory password:\

If this parameter is not present, its default value is “Enter new password:”.

pam.password.new.mismatch.mesg

This configuration parameter specifies the message displayed during password change when the two new passwords do not match each other.

For example:

pam.password.new.mismatch.mesg: New passwords don't match

pam.password.old.mesg

This configuration parameter specifies the message displayed by a PAM-enabled application when it requests a user to enter his old password during a password change.

The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:

pam.password.old.mesg: (current) Active Directory password:\

If this parameter is not present, its default value is “(current) password:”.

pam.policy.violation.mesg

This configuration parameter specifies the message displayed during password change if the operation fails because of a domain password policy violation. For example, if the user attempts to enter a password that doesn’t contain the minimum number of characters or doesn’t meet complexity requirements, this message is displayed.

For example:

pam.policy.violation.mesg: \
The password change operation failed due to a policy restriction set by the\nActive Directory administrator. This may be due to the new password length,\nlack of complexity or a minimum age for the current password.

Appendix D

Using DirectControl with SSH

After you have installed DirectControl and joined the Active Directory domain on the UNIX computer, you can install a Kerberized OpenSSH server on your system. There is an OpenSSH client and server in the package, allowing a user to connect to a UNIX computer running Centrify DirectControl or connect between UNIX computers running DirectControl without entering a username or password.

This appendix shows you how to install the Centrify release of OpenSSH and demonstrates its use.

The following topics are covered:

About SSH and DirectControl

Setting up SSH

Testing SSH on UNIX

Testing SSH from a Windows machine

About SSH and DirectControl

Although many UNIX systems have an sshd server installed, most are older implementations that do not support Kerberos. Centrify provides a compiled version of the latest OpenSSH distribution to make it easier for you to install and use SSH with DirectControl for secured authentication to Active Directory using Kerberos. This compiled version of OpenSSH is automatically installed when you run the installation script to install Centrify DirectControl Express.

Centrify has compiled the standard OpenSSH distribution unmodified, but in the compile process links OpenSSH with the DirectControl Kerberos libraries to ensure that sign-on works as expected in an Active Directory environment. This provides several advantages, including:

DirectControl will accept connections to any of the computer's valid host names, either fully qualified or not, because all combinations are registered with Active Directory. This reduces Kerberos’ dependency on accurate DNS entries.

The installation process makes direct access to the Kerberos tools possible by automatically adding /usr/share/centrifydc/bin for all users and /usr/share/centrifydc/sbin for administrators and super users to the $PATH environment.

Centrify OpenSSH is installed as part of installing DirectControl.

If you already have OpenSSH installed on your system, you need to remove the OpenSSH server. To do this on a Red Hat Linux computer, log on as root and use the following command:

rpm --nodeps -e openssh openssh-server openssh-clients

On Sun Solaris, log on as root and use the following command:

pkgrm SUNWsshdu SUNWsshdr

Confirm with yes when prompted, then use the following command to stop sshd:

pkill sshd

To install DirectControl and join the AD domain, see Installing the Centrify DirectControl Agent.

The installation installs OpenSSH into the /usr/share/centrifydc/ directory structure, where the server daemon is in the sbin directory, the client applications are in the bin directory, and the man pages are in the man directory. The installation process also configures the OpenSSH server to start automatically on computer startup.

Setting up SSH

All configuration of the SSH server is taken care of for you by the installation. The only thing left to do is to start the server and test connectivity to the sshd server process.

The first time the server starts, it tries to find the current set of host keys in /etc/ssh and import them. If it doesn't find the keys, it generates new keys and stores them in /etc/centrifydc/ssh. If new keys are generated, clients that already have this host in their known_hosts file will see a host key mismatch warning until that entry is updated, so check which case applies before users report it as a possible man-in-the-middle attack.

To start the server, run the following command (Red Hat Linux only):

service centrify-sshd start

For Sun Solaris, or as an alternative method on Red Hat Linux, run the following command:

/etc/init.d/centrify-sshd start

You can test the server by connecting to the local host to make sure that SSH is running and accepting connections. The following command should result in a local connection to the SSH server:

/usr/share/centrifydc/bin/ssh root@localhost

Use the full path so that you are certain to run the Centrify client and not an ssh binary left elsewhere on the system. This step only verifies that the daemon is listening and accepting connections; Kerberos sign-on as an Active Directory user is tested in the next section.

Testing SSH on UNIX

To test SSH on your UNIX system, log on to the UNIX system as an ordinary Active Directory user and execute the following command, where hostname is the hostname of the SSH server:

/usr/share/centrifydc/bin/ssh hostname

This command should result in a silent connection to the SSH server: you are logged in without being prompted for a password, because the Kerberos credentials obtained when you logged on are used. klist (one of the Kerberos tools described above) shows whether the logon holds a ticket. If you are prompted for a password, Kerberos authentication was not used; add -v to the ssh command to see which authentication method succeeded.

Appendix D • Using DirectControl with SSH 181
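The checks a practitioner would want after the UNIX tests above, as an added example that is not part of the Centrify guide: which ssh binary $PATH actually resolves to, whether the server configuration has GSSAPI (Kerberos) authentication switched on, and which authentication method a verbose ssh login really used (Kerberos, or a fall-back to password). The /usr/share/centrifydc/bin path is taken from the page; the sshd_config fragment and the ssh -v transcripts are constructed samples, not captured from a real system, and the location of the sshd_config that the Centrify build reads is not stated on this page, so the live-system commands are left as comments.

```shell
#!/bin/sh
# Added example (not part of the Centrify guide). Three checks to run after
# starting centrify-sshd. They operate on text, so they are exercised here
# against constructed samples; the live-system commands are in comments.

CDC_BIN=/usr/share/centrifydc/bin   # Centrify's OpenSSH client directory (from the guide)

# Print the first executable named ssh found along a PATH-style string.
# Live system: first_ssh_on_path "$PATH"   (expect $CDC_BIN/ssh)
first_ssh_on_path() {
    old_ifs=$IFS
    IFS=:
    for d in $1; do
        if [ -x "$d/ssh" ]; then
            IFS=$old_ifs
            echo "$d/ssh"
            return 0
        fi
    done
    IFS=$old_ifs
    echo none
    return 0
}

# Read an sshd_config on stdin and print "yes" or "no" for GSSAPIAuthentication.
# As sshd does, the first uncommented occurrence wins; the compiled-in default
# is no. Keyword and value are compared case-insensitively. Match blocks are
# not handled.
gssapi_enabled() {
    awk '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == "gssapiauthentication" {
            found = 1; print tolower($2); exit
        }
        END { if (!found) print "no" }
    '
}

# Read "ssh -v" output on stdin and print the method named in OpenSSH's
# "Authentication succeeded (<method>)." line, or "none" if there is none.
# Live system: $CDC_BIN/ssh -v -o BatchMode=yes hostname true 2>&1 | auth_method_used
# BatchMode makes a non-Kerberos login fail ("none") instead of prompting.
auth_method_used() {
    sed -n 's/.*Authentication succeeded (\([^)]*\)).*/\1/p' | head -n 1 | grep . || echo none
}

# --- constructed samples (not captured from a real system) ------------------
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
#GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes'

SAMPLE_SSH_V_KERBEROS='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'

SAMPLE_SSH_V_FALLBACK='debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'

echo "GSSAPIAuthentication in sample config: $(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | gssapi_enabled)"
echo "method used, Kerberos transcript:      $(printf '%s\n' "$SAMPLE_SSH_V_KERBEROS" | auth_method_used)"
echo "method used, fallback transcript:      $(printf '%s\n' "$SAMPLE_SSH_V_FALLBACK" | auth_method_used)"

resolved=$(first_ssh_on_path "$PATH")
if [ "$resolved" = "$CDC_BIN/ssh" ]; then
    echo "ssh on this PATH resolves to the Centrify client"
else
    echo "ssh on this PATH resolves to $resolved, not $CDC_BIN/ssh"
fi
```

The third check is the one that matters for security: a login that "works" but reports password rather than gssapi-with-mic means Kerberos was never used and the password crossed the wire, which is exactly the fall-back the silent-connection test is meant to rule out.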

Testing SSH from a Windows machine

On a Windows computer joined to the same Active Directory domain, you can now use PuTTY as distributed by Centrify (available on the Centrify Resource Center) or any other SSH solution that supports Kerberos. But first you must configure the following setting in PuTTY:

To configure PuTTY for SSH login:

1 Open PuTTY.

2 In the Category window, expand Connection > SSH.

3 In Kerberos flags, select Attempt Kerberos auth (SSH2).

4 Save the settings.

See the Centrify Resource Center for a list of tested clients. Connect using one of the host names the UNIX computer is registered under (short or fully qualified, as described in About SSH and DirectControl) rather than an IP address. As long as the user has a valid UNIX profile and permission to log in to the UNIX computer, the connection completes without a prompt for user ID or password.

182 DirectControl Express Edition Administrator's Guide

Index

A
account mapping
    configuration setting 174
    purpose of 57
Active Directory
    joining the domain 41
    specifying a domain 42
adcache
    command reference 148
    examples 149
    options 149
ADCheck 31
adcheck command reference 105
adclient
    log file 63
    starting and stopping 146
adclient.ntlm.separators 161
addebug
    command reference 138
    examples 139
    options 139
adfinddomain
    command reference 140
    examples 141
    options 141
adfixid
    examples 143
adflush
    command reference 143
    options 143
adid
    command reference 144
    examples 145
    options 145
adinfo
    command reference 127
    displaying help 81
    examples 135
    introduction 67
    options 128
    when to use 81
adjoin
    command reference 84
    displaying help 81
    examples 94
    options 85
    running after installation 41
    when to use 80
adleave
    command reference 99
    displaying help 81
    examples 104
    options 101
    when to use 80
adlicense
    options 106, 108
adlicense command reference 107
adpasswd
    command reference 108
    displaying help 81
    examples 111
    options 109
    when to use 80
adquery
    command reference 113
    examples 123
    group 119
    user 113
    when to use 80
adreload
    examples 152
    options 152
adupdate
    displaying help 81
Auto Zone 20 to 21
    configuration parameters 155 to 161
auto.schema.domain.prefix 159
auto.schema.homedir 157
auto.schema.iterate.cache 160
auto.schema.name.format 158
auto.schema.name.lower 160
auto.schema.primary.gid 156
auto.schema.private.group 156
auto.schema.remote.file.service 158
auto.schema.search.return.max 160
auto.schema.separator 159
auto.schema.shell 156
auto.schema.use.adhomedir 157

C
Centrify DirectControl
    access control summary 15, 60
    command line programs 80
    daemon 146
    diagnostic information 67
    documentation 11
    joining the domain 41
    log files 64
    managed system 15
    package location 31
    password enforcement 54
    removing the software 49
    solution overview 14 to 16
    support for UNIX services 16
    technical support 12
    troubleshooting issues 63
    Unix installation 27
    UNIX requirements 26
Centrify DirectControl Agent
    architecture 17
    key tasks 16
Centrify web site 12
command line programs
    basic usage 80
    displaying help 81
    location 80
    man pages 81
configuration file (centrifydc.conf)
    Auto Zone parameters 155 to 161
    PAM parameters 163 to 178
conventions, documentation 9

D
daemon
    enabling logging 63
    introduction 146
Debian Linux
    removing DirectControl 50
diagnostic information 67, 135
DirectControl
    integration with Samba 61
disconnected operation
    account changes 56
    credential storage 56
documentation
    additional 11
    audience 8
    conventions 9
    summary of contents 8 to 9
domain controllers
    adding DNS server role 71
    setting manually 73
    testing connectivity 70
Domain Name Server (DNS)
    manual setting 70
    nameserver entry 69
    server role 69, 71
    services provided 68
    testing connectivity 70
    Unix configuration 39
    using a forwarder 71

E
etc/ssh 181

F
file sharing
    ownership 61
ftp 60

G
global catalog, defining manually 73
groups
    allowing access 164
    denying access 170

I
installation
    files and directories 38
    prerequisites
        Unix platforms 26
    restarting services 46
    Unix components 27

J
join operation
    command reference 84
    joining a domain 42 to 46

L
Linux
    joining the domain 41
    naming convention 10
log files
    adinfo output 67
    enabling 64
    location 64, 138
    performance impact 65
    purpose 63

M
Mac OS X
    directory on CD 31
    removing DirectControl 50
man pages
    displaying 81
    source of information 11
managed system 15
messages
    confirmation 175
    empty password 176
    mismatch between password 177
    new password 177
    old password 177
    password changes 167, 168
    policy violation 177
    prompt for password 176

N
NSS configuration
    modification 17
    users ignored 173
NTLM
    name format 161

P
PAM configuration
    account mapping 174
    agent component 17
    group filtering 164, 170
    ignore authentication 166
    messages displayed 175 to 176
    parameter settings 163 to 178
    user filtering 168, 172
pam.allow.groups 164, 170
pam.allow.override 166
pam.allow.password.change 167
pam.allow.password.change.mesg 167
pam.allow.password.expired.access 168
pam.allow.password.expired.access.mesg 168
pam.allow.users 168, 172
pam.deny.users 172
pam.ignore.users 173
pam.mapuser.username 174
pam.password.change.mesg 175
pam.password.change.required.mesg 175
pam.password.confirm.mesg 175
pam.password.empty.mesg 176
pam.password.enter.mesg 176
pam.password.expiry.warn 176
pam.password.new.mesg 177
pam.password.new.mismatch.mesg 177
pam.password.old.mesg 177
pam.policy.violation.mesg 177
pam.user.ignore 173
password management
    changing your own 54
    disconnected mode 56
    expired passwords 167 to 168
    messages displayed 175 to 176
    policy definition 54
    policy enforcement 16
    resetting for other users 55

Q
Quick Start 11

R
Red Hat Linux
    removing DirectControl 50
root user
    adinfo options 67
    adleave operation 100
    enabling logging 64
    installation requirement 28
    join operation 84
    local override account 60
    override account 166
    running native installers 35

S
Samba 60
    integration with DirectControl 61
SSH 60, 179 to 182
    about 180
    installing 180
    setting up 181
    testing on UNIX 181
    testing on Windows 182
SuSE Linux
    removing DirectControl 50

T
technical support 12
telnet 60
troubleshooting
    daemon operation 63
    enabling logging 64
    using adinfo 67

U
UNIX
    command line programs 80
    man pages 81
    naming convention 10
Unix
    DNS configuration 39
    files and directories 38
    installing DirectControl 27
    restarting services 46
    system requirements 26
UNIX users
    local account mapping 57
users
    account mapping 57
    allowing access 168
    denying access 172
    disconnected logins 56
    ignoring for lookups 173
    local authentication 166
    mapping local accounts 174
    password policies 54

W
Windows
    knowledge of 8

Z
zones
    understanding the use of 20
