Administrator's Guide
February 2011
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time. 2004-2011 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software. U.S. 
Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Centrify, DirectControl, and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, and DirectSecure are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.
Contents
About this guide ..... 7
  Intended audience ..... 8
  Using this guide ..... 8
  Conventions used in this guide ..... 9
  Where to go for more information ..... 11
  Contacting Centrify ..... 12
Chapter 1  Introduction ..... 13
  Understanding Centrify DirectControl Express ..... 14
  Understanding the Centrify DirectControl Agent ..... 16
  Comparing Centrify Suite 2011 Express Edition to other editions ..... 18
  Understanding Zones and Auto Zone ..... 20
  Understanding how DirectControl generates consistent UNIX UIDs ..... 22
Chapter 2  Installing Centrify DirectControl Express ..... 25
  Preparing for installation ..... 26
  Installing the Centrify DirectControl Agent ..... 27
  Verifying the installation ..... 36
  Troubleshooting adcheck errors ..... 38
  Joining an Active Directory domain ..... 40
  Adding generally-licensed features ..... 46
  Updating the Express installation ..... 48
  Removing Centrify DirectControl ..... 49
Chapter 3  Using DirectControl Express ..... 51
  Applying password policies and changing passwords ..... 54
  Working in disconnected mode ..... 56
  Mapping local UNIX accounts to Active Directory ..... 57
  Setting a local override account ..... 60
  Using standard programs such as telnet, ssh, and ftp ..... 60
  Using Samba ..... 60
  Setting Auto Zone configuration parameters ..... 61
Chapter 4  Troubleshooting Centrify DirectControl ..... 63
  Understanding diagnostic tools and log files ..... 63
  Configuring logging for Centrify DirectControl ..... 64
  Collecting diagnostic information ..... 67
  Working with DNS, Active Directory, and DirectControl ..... 68
  Understanding the DirectControl DNS client ..... 75
Appendix A  Using Centrify DirectControl UNIX commands ..... 79
  Understanding when to use command-line programs ..... 80
  Displaying usage information and man pages ..... 81
  Understanding common result codes ..... 81
  Using adjoin ..... 84
  Using adleave ..... 99
  Using adcheck ..... 105
  Using adlicense ..... 107
  Using adpasswd ..... 108
  Using adquery ..... 113
  Using adinfo ..... 127
  Using addebug ..... 138
  Using adfinddomain ..... 140
  Using adflush ..... 143
  Using adid ..... 144
  Using adclient ..... 146
  Using adcache ..... 148
  Using adreload ..... 151
Appendix B  Customizing Auto Zone configuration parameters ..... 155
  auto.schema.primary.gid ..... 156
  auto.schema.private.group ..... 156
  auto.schema.shell ..... 156
  auto.schema.homedir ..... 157
  auto.schema.use.adhomedir ..... 157
  auto.schema.remote.file.service ..... 158
  auto.schema.name.format ..... 158
  auto.schema.separator ..... 159
  auto.schema.domain.prefix ..... 159
  auto.schema.search.return.max ..... 160
  auto.schema.name.lower ..... 160
  auto.schema.iterate.cache ..... 160
  adclient.ntlm.separators ..... 161
Appendix C  Customizing PAM-related configuration parameters ..... 163
  pam.allow.groups ..... 164
  pam.allow.override ..... 166
  pam.allow.password.change ..... 167
  pam.allow.password.change.mesg ..... 167
  pam.allow.password.expired.access ..... 168
  pam.allow.password.expired.access.mesg ..... 168
  pam.allow.users ..... 168
  pam.deny.groups ..... 170
  pam.deny.users ..... 172
  pam.ignore.users ..... 173
  pam.mapuser.username ..... 174
  pam.password.change.mesg ..... 175
  pam.password.change.required.mesg ..... 175
  pam.password.confirm.mesg ..... 175
  pam.password.empty.mesg ..... 176
  pam.password.enter.mesg ..... 176
  pam.password.expiry.warn.mesg ..... 176
  pam.password.new.mesg ..... 177
  pam.password.new.mismatch.mesg ..... 177
  pam.password.old.mesg ..... 177
  pam.policy.violation.mesg ..... 177
Appendix D  Using DirectControl with SSH ..... 179
  About SSH and DirectControl ..... 180
  Setting up SSH ..... 181
  Testing SSH on UNIX ..... 181
  Testing SSH from a Windows machine ..... 182
Index ..... 183
Centrify DirectManage to centralize the discovery, management and user administration of UNIX and Linux systems through integration into Active Directory-based tools and processes.
Intended audience
This DirectControl Express Edition Administrator's Guide provides complete information for installing and configuring Centrify DirectControl Express and for authenticating users and groups with Centrify DirectControl and Active Directory. This guide is intended for system and network administrators who are responsible for managing user access to servers, workstations, and network resources. Because Centrify DirectControl Express Edition is installed on the Linux or Mac OS X computers you intend to manage, and requires you to work with Windows Active Directory, this guide assumes you have a working knowledge of performing administrative tasks across these different environments. If you are unfamiliar with any of the operating environments you need to support, you may need to consult additional, operating system-specific documentation to perform certain tasks or understand certain concepts. This guide also assumes basic, but not expert, knowledge of how to perform common tasks. If you are an experienced administrator, you may be able to simplify or automate some tasks described in this guide using platform-specific scripts or other tools.
Chapter 2, Installing Centrify DirectControl Express, summarizes the steps for installing DirectControl Express on computers to be managed by Centrify DirectControl. Chapter 3, Using DirectControl Express, explains how to take advantage of Active Directory when joined to a domain through DirectControl Express. Chapter 4, Troubleshooting Centrify DirectControl, describes how to use diagnostic tools and log files to retrieve information about the operation of DirectControl. Appendix A, Using Centrify DirectControl UNIX commands, provides reference information for the DirectControl command-line programs. Appendix B, Customizing Auto Zone configuration parameters, provides reference information for the Centrify DirectControl configuration parameters that affect the operation of a computer joined to Auto Zone. In Express Mode, a computer is automatically connected to Auto Zone. Appendix C, Customizing PAM-related configuration parameters, describes the DirectControl configuration parameters that affect the operation of PAM-related activity on the local host computer. Appendix D, Using DirectControl with SSH, explains how to install and use the Centrify release of OpenSSH. In addition to these chapters, an index is provided for your reference.
to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments. Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms. Italics are used for book titles and to emphasize specific words or terms. For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted. The variable release is used in place of a specific release number in the file names for individual Centrify DirectControl software packages. For example, centrifydc-release-sol8-sparc-local.tgz in this guide refers to the specific release of the Centrify DirectControl Agent for Solaris on SPARC available on the Centrify DirectControl CD or in a Centrify DirectControl download package. On the CD or in the download package, the file name indicates the Centrify DirectControl version number. For example, if the software package installs Centrify DirectControl version number 4.2.0 for the Sun Solaris operating system on a SPARC server, the full file name is centrifydc-4.2.0-sol8-sparc-local.tgz.
Contacting Centrify
If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify Corporation with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify Corporation products, support, services, and upcoming events. For information about purchasing or evaluating Centrify Corporation products, send email to info@centrify.com.
Chapter 1
Introduction
This chapter provides an introduction to the main features of Centrify DirectControl Express, including a brief overview of the ways Centrify DirectControl can help organizations leverage their investment in Active Directory. The following topics are covered:
- Understanding Centrify DirectControl Express
- Understanding the Centrify DirectControl Agent
- Comparing Centrify Suite 2011 Express Edition to other editions
- Understanding Zones and Auto Zone
- Understanding how DirectControl generates consistent UNIX UIDs
The Centrify Suite 2011 Express Edition includes an Express Edition of DirectManage that enables you to centrally discover computers and deploy software to them. DirectControl Express requires minimal configuration to join a UNIX machine to a domain and authenticate users through Active Directory. For example, DirectControl automatically creates consistent UIDs across the domain for users on the computers it manages; see Understanding how DirectControl generates consistent UNIX UIDs on page 22 for information on this topic. Also, when using DirectControl Express, you do not need to configure group policies and compliance reports, nor create zones to model your organization and control access to a domain. Therefore, DirectControl Express is ideal for an environment in which:
- You have a limited number of users and domains.
- You do not need to maintain your current UNIX UIDs.
- The organizational structure is relatively flat.
- You want to configure computers quickly to join a domain.
If your organization grows in size and complexity, you can easily upgrade Centrify DirectControl Express to one of the generally-featured versions; see Comparing Centrify Suite 2011 Express Edition to other editions on page 18 for more information.
Manage their Active Directory passwords directly from the UNIX command line, provided they can connect to Active Directory.
The following figure provides a closer look at the services provided through the Centrify DirectControl Agent:
[Figure: architecture of the Centrify DirectControl Agent. Components shown: core services for UNIX shell programs and applications; Kerberos-enabled applications; other add-on modules (Apache, JAAS realm, SPNEGO, NIS); PAM module; NSS module; Kerberos environment; Centrify DirectControl Service Library; Centrify DirectControl adclient; command line programs; Active Directory Domain Controller.]
As this figure suggests, the Centrify DirectControl Agent includes the following core components:
- The core Centrify DirectControl Agent is the adclient process that handles all of the direct communication with Active Directory. The agent contacts Active Directory when there are requests for authentication, authorization, directory assistance, or policy updates, then passes valid credentials or other requested information along to the programs or applications that need this information.
- The Centrify DirectControl Pluggable Authentication Module, pam_centrifydc, enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory.
- The Centrify DirectControl NSS module is added to nsswitch.conf so that system look-up requests use the Centrify DirectControl agent to look up and validate information using Active Directory through LDAP.
- The Centrify DirectControl command line programs (CLI) enable you to perform common administrative tasks, such as joining and leaving the Active Directory domain or changing user passwords for Active Directory accounts from the UNIX command prompt. These command line programs can be used interactively or in scripts to automate tasks.
- The Centrify DirectControl Kerberos environment generates a Kerberos configuration file (/etc/krb5.conf) and a default key table (krb5.keytab) to enable your Kerberos-enabled applications to authenticate through Active Directory. These files are maintained by the Centrify DirectControl Agent and are updated to reflect any changes in the Active Directory forest configuration.
- The Centrify DirectControl local cache stores user credentials and other information for offline access and network efficiency.
In addition to these core components, the Centrify DirectControl Agent can also be extended with optional utilities and programs, such as updated Kerberos, OpenSSH, or OpenLDAP utilities, that have been optimized to work with Centrify DirectControl and Active Directory.
- The ability to join a domain and authenticate users
- Centrify-enabled OpenSSH, Kerberos, and Samba
- DirectManage Express (a limited version of DirectManage) with the ability to discover computers and deploy software
Standard Edition is the first-level commercial offering and combines the base product, DirectControl, with additional products, as follows:
- A fully-featured DirectControl with these features:
  - The ability to join a domain and authenticate users
  - Centrify-enabled OpenSSH, Kerberos, and Samba
  - Advanced Active Directory support; for example, DirectControl is site-aware, supports trusts, and requires no modifications to the AD schema
  - Centralized UNIX identity management; that is, the ability to map multiple UIDs to one Active Directory account
  - Zone-based access control and separation of duties
  - Group Policy enforcement
  - Legacy NIS integration and migration
  - Out-of-the-box reporting
  - For Mac OS X users, the ability to use their PIV/CAC smart cards for authentication and single sign-on
- A fully-featured DirectManage to centrally discover systems and deploy software, migrate existing accounts and access rights to Active Directory, and provision and manage access, rights, and roles.
- DirectAuthorize to centrally manage and enforce role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems.
Enterprise Edition provides:
- All the features of Standard Edition
- DirectAudit for real-time auditing of user sessions on UNIX and Linux-based systems.
Platinum Edition provides:
- All the features of Enterprise Edition
- DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and encrypting data in motion.
Application Edition provides:
- All the features of Enterprise Edition
- Single sign-on for SAP, Web servers (Tomcat, Apache, JBoss, Websphere, and Weblogic), and IBM DB2
In addition to the UID and GID, DirectControl creates a home directory for the user with all the associated profile and configuration files. The location for the home directory is:
- Linux: /home/username
- Mac OS X: /Users/username
When you join multiple Linux or Mac OS X computers to a domain, any Active Directory user who logs on to more than one computer will have the same DirectControl-generated UID on each machine. Although local users (such as those defined in /etc/passwd) may still log in to any local computer, if you want to control access through Active Directory, you should create Active Directory accounts for each user. You can then either delete the local account, or, to preserve access to current home directories and files, map the local users on each computer to an AD account; see Mapping local UNIX accounts to Active Directory on page 57.
Chapter 2
Installing Centrify DirectControl Express
For the most complete and up-to-date information about supported platforms and version information, check the Centrify Web site or the Release Notes included with the software package. Some operating environments may require patches, updates, or bundles to work correctly, so check the Release Notes for any environment-specific requirements before installing. Also, you can check the Web site of your operating system vendor to identify the most recent patches and updates available.
To join a domain, you need an Active Directory account (and password) with permission to add computers to the domain. Depending on your organization, this requirement might be more stringent; for example, in some organizations, an account with permission to add computers to the domain might need to be a member of the Domain Admins group. If you are not sure about the requirements of your organization, or do not know the name and password for an Active Directory account, check with your AD administrator.
Centrify highly recommends that you use the installation script to install Centrify DirectControl Express because the installation script does the following:
- Automatically joins the computer to a domain.
- Sets the Agent to Express Mode.
- Runs operating system, network, and Active Directory tests to verify your environment.
If you manually install the Agent, you must manually join a domain, manually turn off licensing to enable Express Mode after joining a domain, and manually run tests if you wish to verify your environment.
computer running Linux UNIX or log on with a valid user account if you are installing on a computer with the Mac OS X operating system.
Note
Although you are not required to log on as the root user on the Macintosh computer, you must know the password for the Administrator account to complete the installation. In addition, joining the domain and configuring your environment is slightly different on Macintosh computers than on other platforms. Therefore, you should follow the steps in the section Joining the domain from Mac OS X computers on page 42 to join an Active Directory domain on computers running the Mac OS X operating system.
2 Mount the cdrom device using the appropriate command for the local computer's operating environment, if necessary. If you have copied the package to another location or downloaded the package from an FTP server or Web site and are not using the CD, verify the location and go on to the next step.
3 Change to the directory where you have copied or downloaded the Centrify DirectControl package. For example, to install on a Linux computer from the Centrify DirectControl CD, change to the Unix directory:
cd Unix
Similarly, if you are installing on a Mac OS X computer, change to the MacOS directory.
4 Run the install-express.sh script to start the installation of
The installation script runs a utility, adcheck, to verify that your environment is configured properly to work with Centrify DirectControl. You may see warning or error messages that may require immediate attention or may be something that you can fix after running the installation. For example, you will see a warning message if your machine has a version of OpenSSH that is not configured to work with Centrify DirectControl. However, by default, the installation script installs the DirectControl build of OpenSSH, which corrects this problem, so in this case you do not need to correct anything. See Troubleshooting adcheck errors on page 38 for more information about adcheck and how to fix any issues it uncovers.
5 Respond to the installation prompts as follows:
How do you want to proceed? (E|S|X|C|Q) [X]:
Enter the fully qualified name of your AD domain; for example, sales.acme.com.
Join an Active Directory domain? (Q|Y|N) [Y]
Accept the default answer, Y to join a domain. Enter an authorized Active Directory user (one with permission to add computers to the domain) and password at the following prompts (see Verifying account permissions on page 26 for information about the accounts required for installing DirectControl and joining a domain); the default account, if you do not enter one, is administrator:
Enter the Active Directory authorized user [administrator]:
Enter the password for the Active Directory user:
6 After reviewing the choices you have made, enter Y and press Enter. When the installation is complete, the computer prepares to reboot in 15 seconds if you specified to reboot after installation.
Before launching the installer, be certain that the Apple Directory Utility is closed. If it is open while running the installer, it causes the Centrify DirectControl Directory Access plug-in to show the incorrect status, that is, it shows that the plug-in is disabled when in fact it is enabled.
1 Log on with the Administrator or root user account.
2 Navigate to the directory on the CD or your local network where the Centrify DirectControl Agent package is located. For example, if you are installing from the Centrify DirectControl CD, open the MacOS directory.
3 Double-click the DMG file, for example:
centrifydc-release-mac10.4.dmg
performs a set of operating system, network, and Active Directory checks to verify that the Mac OS X computer meets the system requirements necessary to install the Centrify DirectControl Agent and join an Active Directory domain.
ADCheck
The ADCheck utility has a set of options; see the adcheck man page for details. You can specify options in the AD Domain window along with the domain name. For example, to run the network options only, and provide verbose output, enter the following, then click AD Check:
-t net myDomain.com --verbose
Note
computer, DNS environment, and Active Directory configuration pass all checks with no warnings or errors, you should be able to perform a successful installation and join. If you receive errors or warnings, correct them before proceeding with the installation. See Troubleshooting adcheck errors on page 38 for more information about adcheck and how to fix any issues it uncovers.
7 Double-click CentrifyDC.pkg to open the Centrify
Continue; review or print the terms of the license agreement and click Continue; then click Agree to agree to the terms of the license agreement.
9 Select a volume for installing the Centrify DirectControl Agent,
Agent. If you see the following warning box, click OK. If you did not have Directory Utility running during the installation, you can ignore the warning. If Directory Utility was open, you can quit and restart it to show the correct status of the Centrify DirectControl plug-in.
you can choose to join the domain now or manually after completing installation. To join now, enter a domain name.
services. Go to Verifying the installation on page 36 to see how to verify the installation.
Centrify highly recommends that you use the installation script to install Centrify DirectControl Express because the installation script automatically joins the computer to a domain, sets the Agent to Express Mode, runs operating system, network, and Active Directory tests to verify your environment, and installs the Centrify OpenSSH package, all of which you have to do manually if you use a native installer. To install Centrify DirectControl using a native installation program:
1 Log on as or switch to the root user.
2 If you are installing from a CD and the CD drive is not mounted automatically, use the appropriate command for the local computer's operating environment to mount the cdrom device.
3 Copy the appropriate package for the local computer's operating environment to a local directory. For example, if installing from the CD and the operating environment is Enterprise Linux:
cp /cdrom/cdrom0/Unix/centrify-suite-2011-rhel3-i386.tgz .
If you aren't sure which file to use for the local operating environment, see the release-notes text file included in the package.
4 If the software package is a compressed file, unzip and extract
on the local computers operating environment. For example, on Red Hat Linux:
rpm -Uvh centrifydc-release-rhel3-i386.rpm
If you arent sure which command to use for the local operating environment, see the release-notes text file included in the package.
Note
Chapter 2 Installing Centrify DirectControl Express 35
You are not required to use the specific commands described in the release-notes to install the software package manually. If your operating environment has programs such as the SMIT or YAST programs, you can use those programs to install the Centrify DirectControl package.
6 Disable licensed features by running the adlicense --express command:
adlicense --express
The native installer installs Centrify DirectControl in full-featured mode; you must run the adlicense command to change to Express Mode.
Note
--workstation command, which connects you to Auto Zone; see Joining an Active Directory domain on page 40:
adjoin --workstation domainName
If you do not specify the --workstation option, the join will fail because adjoin will attempt to connect you to a specific zone, which is not allowed in Express Mode; you must connect to Auto Zone. See Understanding Zones and Auto Zone on page 20.
Note
example:
rpm -Uvh centrifydc-openssh-release-rhel3-i386.rpm
When a user logs in for the first time, the system creates a /home/userName directory.
2 Run the adinfo command to see information about the Active Directory configuration for the local computer. You should see output similar to the following:
Local host name:   QA1
Joined to domain:  sales.acme.com
Joined as:         QA1.sales.acme.com
Pre-win2K name:    QA1
Current DC:        acme-dc1.sales.acme.com
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode:   connected
Licensed Features: Disabled
Note that licensed features are disabled and that the zone is Auto Zone, which essentially is a super zone for the entire forest. Creating actual zones requires a licensed copy of Centrify DirectControl. The Linux or Mac OS X computer is now joined to a domain exactly as any Windows machines in the domain. See Chapter 3, Using DirectControl Express, for some of the ways Centrify DirectControl Express simplifies administration of your Linux and Mac OS X computers.
/var/centrifydc
-t ad   Includes the -t net checks and verifies that the domain has a valid domain controller.
The operating system checks are self-explanatory. If your computer fails one of these checks, you need to upgrade the machine with a new operating system version or patch, a new Perl or Samba version, or free up sufficient disk space. If you get a warning about your Samba installation, you can install Centrify-enabled Samba as part of the DirectControl Express installation.
Note
A supported version of OpenSSH is automatically installed by the installation script. If you get a warning about your OpenSSH version before installation, you can ignore it. This option performs the following specific checks:
Check hosts line in /etc/nsswitch.conf
Probe DNS server 192.168.43.130
Analyze basic health of DNS servers
Is this an SSH that DirectControl works well with
SSHD version and configuration
Because Centrify DirectControl uses DNS to locate the domain controllers for the Active Directory forest, the appropriate DNS nameservers need to be specified in the local /etc/resolv.conf file on each UNIX computer before the computer can join the domain. If you receive errors or warnings from these checks, you
need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.
net
ad
DOMNAME : Check that the domain name is reasonable
ADDC    : Find domain controllers in DNS
ADDNS   : DNS lookup of DC centrify-mkdaze.mkline.local
ADPORT  : Port scan of DC centrify-mkdaze.mkline.local
ADDNS   : DNS lookup of DC centrify-mkdaze.mkline.local
GCPORT  : Port scan of GC centrify-mkdaze.mkline.local
DCUP    : Check DCs in mkline.local
SITEUP  : Check DCs for mkline.local in our site
DNSSYM  : Check DNS server symmetry
ADSITE  : Check that this machine's subnet is in a site known by AD
GSITE   : See if we think this is the correct site
TIME    : Check clock synchronization
ADSYNC  : Check domains all synchronized
If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.
When using Centrify DirectControl Express, you can only connect to a domain through Auto Zone, not by connecting to a specific zone. Connecting to a zone requires Centrify DirectControl licensed features. To connect to Auto Zone, you use the adjoin --workstation option. On the Mac OS, joining the domain and configuring your environment is slightly different than on other platforms. Therefore, you should follow the steps in the section Joining the domain from Mac OS X computers on page 42 to join an Active Directory domain when the Centrify DirectControl Agent is installed on Mac OS X computers.
Note
should join the domain using a fully-qualified domain name. You must specify the --workstation option. For example, to join the sales.acme.com domain with the user account dylan:
adjoin --user dylan --workstation sales.acme.com
The user account you specify must have permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account simply needs to be a valid domain user account. If you don't specify a user with the --user option, the Administrator account is used by default.
3 Type the password for the specified user account.
If Centrify DirectControl can connect to Active Directory and join the domain, a confirmation message is displayed. All Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest are valid users or groups for the joined machine.
2 Type the name of the Active Directory domain you want to join
and select Auto Zone. You can also type a different computer name if you want to use a different name for the local host in Active Directory. Check Overwrite existing joined Computer to overwrite the information stored in Active Directory for an existing computer account with the same name as the local computer. This is the same as running the adjoin command with the --force option.
If you want to use the default settings for joining the domain, you can continue to the next step. If you want to specify additional options, click Show advanced options to display the additional options:
To do this: Specify the distinguished name (DN) of the container or Organizational Unit in which you want to place this computer account. By default, computer accounts are created in the domain's default Computers container. If you want to specify a container, check this option, then type the DN without its domain suffix. For example, if the domain suffix is acme.com and you want to place this computer in the
paris.regional.sales.acme.com
Checking this option is the same as running the adjoin command with the --container option.
Preferred Domain Server: Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information. Checking this option is the same as running the adjoin command with the --server option.
Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias and the computer may be referred to by this alias. Checking this option is the same as running the adjoin command with the --alias option.
To do this: Indicate that you do not want to update the local system's PAM and DirectoryService configuration. If you don't want to have the PAM files and DirectoryService configuration updated automatically, check this option. Checking this option is the same as running the adjoin command with the --noconf option.
For more information about these options, see Using adjoin on page 84.
3 The Disable Licensed Features button turns off licensing
for DirectControl on the local computer, making it an Express installation. For a Standard Centrify Suite 2011 installation, you can ignore this button. See the Centrify Suite Express Edition Administrators Guide for complete information on installing and configuring Centrify DirectControl Express.
4 Click Join Domain.
5 Type the Active Directory user name and password for a user
with permission to join the local computer to the Active Directory domain, then click OK.
6 Type the user name and password for the local Administrator
account.
As an alternative to restarting individual services, you may want to reboot the system to restart all services. Because the applications and services on different servers may vary, Centrify recommends you reboot each system to ensure all of the applications and services on the system read the Centrify DirectControl configuration changes at your earliest convenience.
Note
centrify.com Website.
2 On a Windows machine that is joined to the domain, run the
Centrify Suite 2011 setup program to install the Centrify DirectControl Management Tools.
3 On the UNIX machine that is running Centrify DirectControl
Express, run the following command to enable licensed features, and if successful, you will see a message about group policies:
adlicense --licensed
Group policies will be initialized on background
to Auto Zone. To connect to a specific zone, you must leave, then rejoin the domain:
adleave
Active Directory password:***
...
Left Active Directory domain
Centrify DirectControl stopped.
adjoin acme.com
If you do not specify a zone, as in this example, you are automatically connected to the default zone. If you have already
created zones, you can specify a zone on the command line; for example, to connect to the Finance zone:
adjoin -z Finance acme.com
You may also move a computer to a different zone by using the DirectControl Console. See the Administrators Guide for details. See the Centrify DirectControl Administrators Guide and the Planning and Deployment Guide for information about creating and managing zones, using group policy, and other Centrify DirectControl features. Although enabling licensing gives you access to all DirectControl features, the Express installation does not install all optional packages, such as CentrifyDC NIS or DirectAudit. To install additional DirectControl packages, rerun the installation script as described in the next section, Updating the Express installation.
directory where you have copied or downloaded the Centrify DirectControl package. Then run the installation script that you used originally to install Centrify DirectControl:
install.sh
Alternately, you can download and unzip a new DirectControl package and run its installation script.
2 You are prompted whether to keep, erase, or reinstall the currently installed packages (CentrifyDC and Centrify openSSH) and whether to install specific new packages. Accept the
48 DirectControl Express Edition Administrators Guide
default (K, keep) for the currently installed packages, and specify yes (Y) for the packages you want to add; for example, Centrify DirectControl NIS and DirectAudit. For the following prompt, type Y and press Enter to enable licensed features. Be certain that you have installed the Centrify DirectControl Console on a Windows machine and have an available license.
Enable licensed features? (Q|Y|N) [Y]:
You can also choose to run adcheck, enable auditing (if you installed DirectAudit), and reboot the computer after installation. The computer remains joined to the domain you previously joined and your existing /etc/centrifydc/centrifydc.conf file is backed up and any modifications you have made to the file are migrated to the new version of the file.
3 Restart running services, such as login, sshd, or gdm (if you did not reboot during installation), or reboot the computer to ensure all services use the updated configuration. For example, you can run the following command to stop running sessions:
pkill -1 sshd
Agent is installed.
The uninstall.sh script will detect whether the Centrify DirectControl Agent is currently installed on the local computer and will ask you whether you want to uninstall your current Centrify DirectControl installation.
3 To uninstall Centrify DirectControl, enter Y when prompted.
If you cannot locate or are unable to run the uninstall.sh script, you can use the appropriate command for the local operating environment to remove the Centrify DirectControl Agent and related files. The following table summarizes the commands to use in different environments:
To remove from    Do this
Red Hat Linux     Run the following command:
                  rpm -e centrifydc
SuSE Linux
Debian Linux
Mac OS X          You must use the uninstall.sh script to remove Centrify DirectControl files on Macintosh computers.
Chapter 3
You log in to a computer exactly as you do locally by entering a username and password. You do not have to specify the domain name when you log in. DirectControl accepts the following login formats: AD username (samAccountName or Mac OS X short name) and password
jcool
When users are defined in a local forest, you can locate them in Active Directory with any of the user login formats, that is, by their UNIX profile name, their userPrincipalName, or their
samAccountName in the form of their user logon name alone or in its full pre-Windows 2000 format of domainname\username.
Note that licensed features are disabled and that the zone is Auto Zone. Centrify DirectControl Standard Edition uses its zone technology to provide secure, granular access control and delegated administration for UNIX computers joined to a domain. DirectControl Express, on the other hand, does not provide the ability to create zones. When a computer joins a domain, it is automatically joined to Auto Zone. This greatly simplifies the process of joining a domain but does not provide the same granular access control as defining and using zones does. Auto Zone essentially is one super zone for the forest. With Auto Zone, UNIX attributes that would be defined in the zone to which the UNIX machine is joined (with Centrify DirectControl Standard Edition) are derived from user attributes in Active Directory, or from DirectControl configuration parameters.
For more information about using adpasswd, see the adpasswd man page or Using adpasswd on page 108.
specify an Active Directory administrative account name with the authority to change the password for users in the domain. For example, to use the admin user account to change the password for the user jane in the sales.acme.com domain:
adpasswd --adminuser admin@acme.com jane@sales.acme.com
3 Type the new password for the user specified. Because you are
changing another users password, you are not prompted for an old password. For example:
New password:
For more information about using adpasswd, see the adpasswd man page or Using adpasswd on page 108.
You can configure many aspects of how credentials are handled, including how frequently they are updated or discarded, through Centrify DirectControl parameter settings in the Centrify DirectControl configuration file. To configure how credentials are handled across multiple computers by using group policies, upgrade from Express to Centrify DirectControl Standard or Enterprise Edition.
If a local user has the same profile (user name, UID, and GID) as an Active Directory user but a different password, the local user account is used for authentication when logging on using the Mac login window. If you are logging on remotely (for example, using telnet or ssh), you must use the Active Directory user's password for authentication. Mapping a local account to Active Directory is especially useful if you want to migrate an existing local user to an Active Directory account but preserve access to their current Linux home directory
and files. For example, if you create an Active Directory account for an existing local user but specify a different name, when the user logs in, they will have a new home directory and will not be able to access their former home directory and files. To map a local account to an Active Directory account, you can set the pam.mapuser.username configuration parameter on any individual local computer. To configure account mapping across multiple computers by using group policies, upgrade from Express to a generally-featured version of Centrify DirectControl.
On your Windows Active Directory computer, open Active Directory Users and Computers (ADUC). Navigate to the Users node, right click and select New > User. Enter the information for the user. You can create any name you want for the user, but if you want the AD user to have access to the same home directory and files as the local user, create a user logon name with the same name as the local user; for example, for local user joe.cool on the qa2 computer, in the acme.com domain:
[joe.cool@qa2 ~]$
Note
The information in this section applies primarily to Linux machines. Although you can map local Mac OS user accounts to Active Directory accounts, Mac OS users can still log on using their local account password, so you cannot effectively use Active Directory to enforce your password policies for local Mac OS user accounts.
account you want mapped to the Active Directory user you created; for example:
pam.mapuser.joe.cool: joe.cool
5 Save the changes to the configuration file, then run the adreload
command to reload the configuration file and have the changes take effect.
Using Samba
DirectControl Express includes a special Samba package, DirectControl-enabled Samba, that combines DirectControl with Samba file server technology to enable DirectControl and Active Directory to handle identity management and user credentials, such that Active Directory users on Windows or UNIX computers can access Samba shares across the enterprise. See the Samba Integration Guide for details on integrating Samba and DirectControl.
On the other hand, if you upgrade to a generally-featured version of DirectControl, Centrify-enabled Samba provides a PERL configuration script that helps migrate existing UIDs and GIDs to DirectControl zones.
Auto Zone, which is how all computers with DirectControl Express are connected to a domain. Because Auto Zone is essentially one large zone for the forest, you can encounter problems such as UID and GID conflicts, slow searches because of the number of users, and so on in a forest with a large number of domains. In general, the default values should work, but if you encounter problems, such as slow searches or UID conflicts, see Appendix B, Customizing Auto Zone configuration parameters, for information on how to set specific parameters to resolve the issue.
Chapter 4
In most cases, you should only enable logging when you need to troubleshoot unexpected behavior, authentication failure, or problems with connecting to Active Directory or when requested to do so by Centrify Technical Support. Other troubleshooting tools, such as command line programs, can be used at any time to collect or display information about your environment.
Note
addebug
You must type the full path to the command because it is not included in the path by default.
Once you run this command, all of the Centrify DirectControl activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging on, the addebug program records messages from PAM and NSS requests in the /var/centrifydc/centrify_client.log file. Therefore, you should also check that file location if you enable logging.
For performance and security reasons, you should only enable Centrify DirectControl logging when necessary, for example, when requested to do so by Centrify Technical Support, and for short periods of time to diagnose a problem. Keep in mind that sensitive information may be written to this file and you should evaluate the contents of the file before giving others access to it. When you are ready to stop logging activity, run the addebug off command.
With this parameter, the log level works as a filter to define the type of information you are interested in and ensure that only the messages that meet the criteria are written to the log. For example, if you want to see warning and error messages but not informational messages, you can change the log level from INFO to WARN. By changing the log level, you can reduce the number of messages included in the log and record only messages that indicate a problem. Conversely, if you want to see more detail about system activity, you can change the log level to INFO or DEBUG to log information about operations that do not generate any warnings or errors.
You can use the following keywords to specify the type of information you want to record in the log file:
Specify this level   To log this type of information
FATAL                Fatal error messages that indicate a system failure or other severe, critical event. In addition to being recorded in the system log, this type of message is typically written to the user's console. With this setting, only the most severe problems generate log file messages.
ERROR                System error messages for problems that may require operator intervention or from which system recovery is not likely. With this setting, both fatal and less-severe error events generate log file messages.
WARN                 Warning messages that indicate an undesirable condition or describe a problem from which system recovery is likely. With this setting, warnings, errors, and fatal events generate log file messages.
INFO                 Informational messages that describe operational status or provide event notification.
For more information about the options available and the information returned with each option, see Using adinfo on page 127. To display the basic configuration information for the local UNIX computer, you can type:
adinfo
If the computer has joined a domain, this command displays information similar to the following:
Local host name:   magnolia
Joined to domain:  ajax.org
Joined as:         magnolia.ajax.org
Current DC:        ginger.ajax.org
Preferred site:    Default-First-Site-Name
Zone:              Auto Zone
Last password set: 2006-12-28 14:47:57 PST
CentrifyDC mode:   connected
Licensed Features: Disabled
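The adinfo output above (and the one shown earlier under verifying the installation) is what an administrator reads to confirm an Express join: joined, connected, Auto Zone, licensed features disabled. The following script is an added example, not part of the Centrify guide or its tooling; it assumes only the "Label: value" line layout shown in the guide and parses that output into the checks an Express Mode computer must pass.

```python
"""Check an adinfo report for a healthy DirectControl Express join.

Added example, not part of the Centrify guide or its tooling. It assumes only
the "Label: value" line layout of the adinfo output shown in the guide.
"""
import subprocess
from typing import Dict, List

# Constructed sample in the layout of the guide's adinfo output.
SAMPLE_ADINFO = """\
Local host name:   QA1
Joined to domain:  sales.acme.com
Joined as:         QA1.sales.acme.com
Pre-win2K name:    QA1
Current DC:        acme-dc1.sales.acme.com
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode:   connected
Licensed Features: Disabled
"""


def parse_adinfo(text: str) -> Dict[str, str]:
    """Turn "Label: value" lines into a dict.

    The split is on the first colon only, so values that themselves contain
    colons (the "Last password set" timestamp) survive intact. Lines without
    a colon, such as a not-joined message, are ignored.
    """
    info: Dict[str, str] = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip():
            info[label.strip()] = value.strip()
    return info


def express_join_problems(info: Dict[str, str]) -> List[str]:
    """Return findings for an Express join; an empty list means it looks healthy.

    Express Mode can only connect through Auto Zone and runs with licensed
    features disabled, so any other Zone or Licensed Features value is reported.
    """
    problems: List[str] = []
    if not info.get("Joined to domain"):
        problems.append("computer is not joined to a domain")
    if not info.get("Current DC"):
        problems.append("no domain controller is currently selected")
    mode = info.get("CentrifyDC mode", "unknown")
    if mode != "connected":
        problems.append(f"adclient mode is {mode!r}, expected 'connected'")
    zone = info.get("Zone", "")
    if zone != "Auto Zone":
        problems.append(f"zone is {zone!r}; Express Mode must use Auto Zone")
    licensed = info.get("Licensed Features", "")
    if licensed != "Disabled":
        problems.append(f"licensed features are {licensed!r}; Express Mode expects 'Disabled'")
    return problems


def check_live_system() -> List[str]:
    """Run the real adinfo command (requires the Agent to be installed)."""
    out = subprocess.run(["adinfo"], capture_output=True, text=True, check=True).stdout
    return express_join_problems(parse_adinfo(out))


if __name__ == "__main__":
    for line in check_live_system() or ["Express join looks healthy"]:
        print(line)
```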
that cannot locate your Active Directory domain controllers. The next sections describe how you can adjust DNS or DirectControl to ensure they work together properly in your environment.
In most cases, you can verify whether a UNIX computer can locate the domain controller and related services by running the ping command and verifying connectivity to the correct Active Directory domain controller or by checking the nameserver entry in the /etc/resolv.conf file. This nameserver entry should be the IP address of one of the domain controllers in the domain you want to join. If the ping command is successful, it indicates the DNS server is aware of the Active Directory domain you want to join and no further changes are needed. If the ping command is not successful, you will need to take further action to resolve the issue.
Resolving issues in locating Active Directory domain controllers
If the UNIX computer cannot find the Active Directory domain controller, there are several ways you can resolve the issue. Depending on your environment and specific situation, you should consider doing one of the following:
Set up DNS on the target Active Directory domain controller and then manually configure the nameserver entry in the /etc/resolv.conf file to use that domain controller, as described in Setting up DNS service on a target domain controller on page 70.
Set the Centrify DirectControl configuration file to manually identify the domain controllers you want to use, as described in Setting the domain controller in the configuration file on page 73.
Directory domain controller, then specifying that domain controller in the UNIX computer's /etc/resolv.conf file. You can then add a forwarder to the local DNS on the domain controller that will pass on all lookups that it cannot satisfy to an enterprise DNS server. This configuration does not require any changes to the enterprise DNS servers. Any lookup request from the domain controller is simply a query from another computer in the enterprise. However, the UNIX computers configured to use this slave DNS service will receive the appropriate Service Location (SRV) records and Global Catalog updates for the Active Directory domain controller. In addition, the DNS service on the domain controller can be configured to forward requests to the enterprise DNS servers so those requests can be answered when the local DNS service cannot respond.
Adding a DNS server role to an Active Directory domain controller
To configure the DNS service on a Windows Server 2003 domain controller: The specific steps for configuring the DNS server vary depending on whether you are configuring a Windows 2000 Server or a Windows Server 2003 computer. The following steps describe how to configure DNS on Windows Server 2003. If you are configuring DNS on Windows 2000, you may want to consult your Windows documentation for differences that are specific to your environment.
Note
1 Open the Start Menu and click Manage Your Server.
2 Click Add or remove a role, review the preliminary steps,
Note
If this server role is already configured on this computer, you can skip the next steps and go on to Configuring UNIX to use DNS service on the target domain controller on page 72.
Configure a DNS Server Wizard. Click Next to configure the DNS server lookup zones.
5 Select the Create a forward lookup zone (recommended
domain controllers name, then click Next. In most cases, you should specify a sub-domain of the top-level domain name. For example, if the forest root domain for the organization is acme.com, you might have a sub-domain of labs.acme.com.
8 Select the Allow both nonsecure and secure dynamic
servers, then click Next. Setting at least one valid IP address ensures that any request the local DNS server cannot answer will be forwarded to a valid enterprise DNS server.
10 Click Finish to complete the configuration of the DNS server.
Once you have configured DNS on the local computer, the local computer uses the local DNS server as its primary DNS server.
Configuring UNIX to use DNS service on the target domain controller
Once you have configured the DNS service to contain the required Active Directory entries, you simply need to modify the UNIX computer to send all DNS lookup requests to the newly configured DNS server. To configure the UNIX computer to use the new DNS server:
1 Open the /etc/resolv.conf file.
the DNS server on the Active Directory domain controller you just configured.
For example, if you want to use Centrify DirectControl in a domain called mylab.test and the domain controller for this domain is dc1.mylab.test, you would add the following line to the /etc/centrifydc/centrifydc.conf file:
dns.dc.mylab.test: dc1.mylab.test
You must specify the name of the domain controller, not its IP address. In addition, the domain controller name must be resolvable using either DNS or in the local /etc/hosts file. Therefore, you must add entries to the local /etc/hosts for each domain controller you want to use if you are not using DNS or if the DNS server cannot locate your domain controllers.
Note
To specify multiple servers for a domain, use a space to separate the domain controller server names. For example:
dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test
Centrify DirectControl will attempt to connect to the domain controllers in the order specified. For example, if the domain controller dc1.mylab.test cannot be reached, Centrify DirectControl will then attempt to connect to dc2.mylab.test. If the Global Catalog for a given domain is on a different domain controller, you can add a separate dns.gc.domain_name entry to
the configuration file to specify the location of the Global Catalog. For example:
dns.gc.mylab.test: dc3.mylab.test
You can add as many domain and domain controller entries to the Centrify DirectControl configuration file as you need. Because the entries manually specified in the configuration file override any site settings for your domain, you can completely control DirectControl's binding to the domains in your forest through this mechanism. In most cases, you should use DNS whenever possible to locate your domain controllers. Using DNS ensures that any changes to the domain topology are handled automatically through the DNS lookups. The settings in the configuration file provide a manual alternative to looking up information through DNS for those cases when using DNS is not possible. If you use the manually-defined entries in the configuration file and the domain topology is changed by an Active Directory administrator, you must manually update the location of the domains in each configuration file.
Note
Centrify DirectControl includes a fixdns script that you can use to inspect your environment and make the necessary configuration file changes for you. To run this script, you need to specify the domain controller name and IP address:
fixdns domain_controller_name IP_address
For example if you intend to join the domain mytest.lab and the domain controller for that domain is dc1.mytest.lab and its address is 172.27.20.1, you would run the following command:
fixdns dc1.mytest.lab 172.27.20.1
The fixdns script will then make the necessary changes to the /etc/hosts and the DirectControl configuration file.
Note
This script does not update the /etc/resolv.conf file. If the script cannot locate the domain controller using the existing
settings, it will assume that you want to use settings from the configuration file.
/etc/resolv.conf
When attempting to resolve a host name or IP address, the DNS subsystem first checks to see if the /etc/hosts file contains an entry to resolve the specified host name or IP address.
Chapter 4 Troubleshooting Centrify DirectControl 75
where:
IPv4_address hostname
hostname is a fully-qualified domain name and must be in the second position. aliases are optional and follow the address and hostname entries. For example:
192.169.147.135 ginger.acme.com ginger
Note
/etc/hosts
If resolution by /etc/hosts is unsuccessful, the DNS subsystem attempts to select a DNS server that can be used to resolve the host name or IP address (as described in the next section, Selecting a DNS server).
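The dns.dc and dns.gc entries described in the configuration-file section only work if each domain controller name can be resolved, and when DNS cannot do that, /etc/hosts must carry the name in the second (fully-qualified) field, as this section describes. The following script is an added example, not Centrify's fixdns or any other Centrify tool; it assumes the "dns.dc.<domain>: dc1 dc2" / "dns.gc.<domain>: dc3" syntax and the /etc/hosts layout shown in the guide, and reports the entries DirectControl could not use without working DNS.

```python
"""Cross-check manual domain-controller entries in centrifydc.conf against /etc/hosts.

Added example, not Centrify's fixdns or any other Centrify tool. It assumes the
"dns.dc.<domain>: dc1 dc2" / "dns.gc.<domain>: dc3" parameter syntax and the
/etc/hosts layout (address, fully-qualified hostname second, optional aliases)
shown in the guide.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample files modelled on the guide's examples.
SAMPLE_CONF = """\
# /etc/centrifydc/centrifydc.conf excerpt (constructed)
dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test
dns.gc.mylab.test: dc3.mylab.test
dns.dc.other.test: 10.0.0.5
dns.dc.lab2.test: dc4.lab2.test
"""

SAMPLE_HOSTS = """\
127.0.0.1 localhost
172.27.20.1 dc1.mylab.test dc1
172.27.20.2 dc2.mylab.test
# dc3.mylab.test is deliberately absent
172.27.21.1 dc4 dc4.lab2.test
"""


def parse_dc_entries(conf_text: str) -> Dict[str, List[str]]:
    """Collect dns.dc.* and dns.gc.* parameters as {parameter: [server, ...]}.

    Servers are space-separated and tried in the order listed, so order is kept.
    """
    entries: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key.startswith(("dns.dc.", "dns.gc.")):
            entries[key] = value.split()
    return entries


def parse_hosts(hosts_text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return (canonical hostname -> address, set of alias names).

    Only the second field of a line counts as the canonical hostname; anything
    after it is an alias.
    """
    canonical: Dict[str, str] = {}
    aliases: Set[str] = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        canonical.setdefault(fields[1].lower(), fields[0])
        aliases.update(name.lower() for name in fields[2:])
    return canonical, aliases


def is_ip_literal(value: str) -> bool:
    """True for an IPv4/IPv6 literal, which the guide says must not be used here."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def check_dc_entries(conf_text: str, hosts_text: str) -> List[str]:
    """Report DC entries that would fail without DNS: IP literals, names that
    /etc/hosts lists only as an alias rather than as the FQDN in the second
    field, and names with no /etc/hosts entry at all."""
    canonical, aliases = parse_hosts(hosts_text)
    findings: List[str] = []
    for key, servers in parse_dc_entries(conf_text).items():
        for server in servers:
            name = server.lower()
            if is_ip_literal(server):
                findings.append(f"{key}: {server} is an IP address; use the domain controller's name")
            elif name in canonical:
                continue
            elif name in aliases:
                findings.append(f"{key}: {server} appears in /etc/hosts only as an alias; "
                                "the fully-qualified name must be the second field")
            else:
                findings.append(f"{key}: {server} has no /etc/hosts entry; add one if DNS "
                                "cannot resolve it")
    return findings


if __name__ == "__main__":
    # On a real system, read the live files instead of the constructed samples.
    with open("/etc/centrifydc/centrifydc.conf") as conf, open("/etc/hosts") as hosts:
        for finding in check_dc_entries(conf.read(), hosts.read()) or ["no problems found"]:
            print(finding)
```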
Selecting a DNS server
If unable to resolve a hostname or IP address by finding an entry in the /etc/hosts file (as described in the previous section, Resolving a DNS request in /etc/hosts), the DirectControl DNS subsystem attempts to find a DNS server to resolve the host name or IP address, as follows:
It checks for a working DNS server that has already been selected (cached in memory and stored in /var/centrify/kset.dns.server), and if available, uses it.
If a working DNS server is not already selected, it checks /etc/resolv.conf for configured DNS servers, and if populated, selects the fastest one from the list.
If no working DNS servers are found, the request fails. At this point, DNS is considered down, and the DirectControl DNS subsystem waits for the interval specified by the
period, it is considered down and DirectControl looks for a different server. If it cannot find a live server, DNS is considered down, and DirectControl waits for the period of the dns.dead.resweep.interval parameter, 60 seconds by default, before performing a sweep to find a new server.
Appendix A Using Centrify DirectControl UNIX commands
Use adinfo to collect and display detailed diagnostic and configuration information for a UNIX computer and its Active Directory domain.
The usage information includes a list of options and arguments, and a brief description of each option. For more complete information about any command, you can review the information in the command's manual (man) page. For example, to see the manual page for the adleave command, type:
man adleave
Result  Error name                 Indicates
        ERR_SUCCESS                Successful completion of the operation.
        ERR_OTHERS                 Miscellaneous errors occurred during the operation.
        ERR_USAGES                 Usage error occurred during the operation.
        ERR_OP_ABORTED             Operation aborted by user.
9       ERR_ROOT_PRIV              Root privilege is required for the operation.
10      ERR_NOT_JOINED             Computer is not currently joined to any Active Directory domain.
11      ERR_ALREADY_JOINED         Computer is already joined to the current Active Directory domain.
12                                 Computer is already joined to another Active Directory domain.
13
14
15                                 The adclient process failed to start.
16      ERR_DNS_TIMEOUT            The DNS server is not responding and may be down.
17      ERR_DNS_GENERIC            A generic DNS problem occurred during the operation.
18      ERR_INVALID_DOMAIN_NAME    The Active Directory domain name is incorrect or not found in DNS.
19      ERR_INVALID_LOGON          User name or password provided is not correct.
20      ERR_ACCOUNT_DISABLED       The account specified has been disabled.
21      ERR_ACCOUNT_EXPIRED        The account specified has expired.
22      ERR_ACCOUNT_EXISTS         The account specified already exists.
23      ERR_ACCOUNT_NOTFOUND       The account specified was not found in Active Directory.
24                                 The account password has expired.
25                                 The zone cannot be found.
26                                 Invalid Active Directory container object.
27      ERR_INSUFFICIENT_PERM      The account specified does not have permission to perform the operation.
28      ERR_CLOCK_SKEW             The time difference between system clocks is beyond the acceptable range.
29                                 Invalid computer account.
30                                 Invalid credentials.
31                                 Invalid service ticket.
32                                 Policy not matched.
33                                 Password change rejected.
34                                 Workstation denied.
35                                 No matching user found.
36                                 No matching group found.
37                                 An attempt to open a connection to the adclient process failed.
38      ERR_ADLCIENT_STOP          Unable to stop the adclient process.
39      ERR_QUOTA_EXCEEDED         The user has exceeded the number of join operations allowed.
40                                 The attempt to open a file failed.
41                                 The attempt to read a file failed.
42                                 The attempt to copy a file failed.
Command-specific result codes are listed in the reference section for individual command-line programs.
Using adjoin
The adjoin command adds the local host computer to the specified Active Directory domain. The basic syntax for the adjoin program is:
adjoin [options] domain_name
The domain_name should be a fully-qualified domain name; for example, sales.acme.com. If the computer is already a member of another domain, you must remove the computer account from the old domain by running adleave. Once the computer has left the old domain, you can run adjoin to join the new domain.

By default, adjoin performs the following tasks:

- Locates the domain controller for the specified domain and contacts Active Directory.
- Synchronizes the local computer's time with Active Directory time so the timestamp of Kerberos tickets is within an acceptable time difference for authentication.
- Checks whether a computer account already exists for the local computer in Active Directory, and if necessary creates a new Active Directory computer account.
- Updates the Kerberos principal service names used by the host computer, generating new /etc/krb5.conf and krb5.keytab files and new service keys for the host and http services.
- Sets the password on the Active Directory computer account to a randomly-generated password. The password is encrypted and stored locally to ensure Centrify DirectControl alone has control of the account.
- Starts the Centrify DirectControl daemon (adclient) on the local computer.
You have the option to join a specific zone. If you do not specify a zone, Centrify DirectControl automatically creates a default zone. If you are running Centrify DirectControl Express you can only join a domain through Auto Zone, not by connecting to a specific zone. See Understanding Zones and Auto Zone on page 20 for more information.
--user username
Specify an Active Directory username with sufficient rights to add a computer to the specified domain and create new computer accounts. For example, depending on the security delegation policies in place, you may need to specify a user account with Domain Administrator privileges. By default, however, any authenticated Active Directory user can join a computer to the domain. You must use the username@domain format to specify the user account if the username is not a member of the domain being joined. Note: When specifying username@domain, you cannot use an alternative UPN. You must use the domain defined for your account.

If you do not specify the --user option, the default is the Administrator user account. Because this account has special rights that can represent a security risk, many organizations disable or restrict access to it. Therefore, in most cases, you should specify the --user option when joining a domain.

userpassword
Specify the account password. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running, or from command history after the command has completed execution.
--container containerDN
Specify the distinguished name (DN) of the container or Organizational Unit in which to place this computer account. You can specify the containerDN by:

- Canonical name (ajax.org/unix/services). You cannot specify a partial name for the canonical name.
- Fully distinguished name (cn=services,cn=unix,dc=ajax,dc=org)
- Relative distinguished name without the domain suffix (cn=services,cn=unix)

For example, to place the computer in the UNIX/Services container within the ajax.org domain using the canonical name, you could specify:

--container ajax.org/UNIX/Services

The DN you specify can refer to any container within the directory but does not need to include the domain suffix. The domain suffix is appended to the containerDN programmatically to provide the complete distinguished name for the object. For example, if the domain suffix is acme.com, to place this computer in the paris.regional.sales.acme.com organizational unit within the acme.com domain, you would specify:

ou=paris, ou=regional, ou=sales

If you do not specify a container, the computer account is created in the domain's default Computers container. Note: The container you specify must already exist in Active Directory or the join operation will fail. In addition, you must have permission to add entries to the specified container.
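The three container forms and the programmatic domain-suffix append just described, as an added shell example that is not Centrify's code: it classifies a --container value as canonical, fully distinguished, or relative, and for a relative DN appends the dc= components derived from the domain, which is what the guide says adjoin does for you. The function names are my own; the sample inputs are the guide's. Whether a canonical path component maps to an ou= or a cn= object is not derivable from the name, so canonical names are passed through unchanged.

```shell
#!/bin/sh
# Added example, not Centrify's code: how a relative containerDN becomes a
# complete distinguished name once the domain suffix is appended.

# domain_to_dc DOMAIN -> the dc= components for a DNS domain
#   acme.com -> dc=acme,dc=com
domain_to_dc() {
    printf '%s\n' "$1" | awk -F. '{
        out = ""
        for (i = 1; i <= NF; i++)
            if ($i != "") out = out (out == "" ? "" : ",") "dc=" $i
        print out
    }'
}

# normalize_dn DN -> trims whitespace around commas and equals signs and at
# both ends, so "ou=paris, ou=regional" and "ou=paris,ou=regional" compare equal
normalize_dn() {
    printf '%s\n' "$1" | sed 's/[[:space:]]*,[[:space:]]*/,/g; s/[[:space:]]*=[[:space:]]*/=/g; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# container_form CONTAINER -> canonical | distinguished | relative
#   canonical      ajax.org/UNIX/Services              (slash-separated, domain first)
#   distinguished  cn=services,cn=unix,dc=ajax,dc=org  (already carries dc= parts)
#   relative       ou=paris,ou=regional,ou=sales       (no domain suffix)
container_form() {
    case $1 in
        */*)         echo canonical ;;
        *[Dd][Cc]=*) echo distinguished ;;
        *)           echo relative ;;
    esac
}

# full_container_dn CONTAINER DOMAIN -> CONTAINER with the domain suffix
# appended, unless it already ends with that suffix (compared case-insensitively)
full_container_dn() {
    dn=$(normalize_dn "$1")
    suffix=$(domain_to_dc "$2")
    dn_lc=$(printf '%s' "$dn" | tr 'A-Z' 'a-z')
    suffix_lc=$(printf '%s' "$suffix" | tr 'A-Z' 'a-z')
    case $dn_lc in
        "$suffix_lc" | *",$suffix_lc") printf '%s\n' "$dn" ;;
        *)                             printf '%s,%s\n' "$dn" "$suffix" ;;
    esac
}

# container_for_join CONTAINER DOMAIN -> the object the account will land in.
# Canonical names pass through untouched (a partial canonical name is not
# valid, so none is synthesised); distinguished and relative names are completed.
container_for_join() {
    case $(container_form "$1") in
        canonical) printf '%s\n' "$1" ;;
        *)         full_container_dn "$1" "$2" ;;
    esac
}
```

Use `container_for_join 'ou=paris, ou=regional, ou=sales' acme.com` to preview the full DN that the relative form expands to before running adjoin.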
-n, --name computername
Specify the host name you want to use for this computer in Active Directory. If you do not specify a computername, the computer account name in Active Directory is the same as the local host name. This option is most commonly used if you have a disjointed DNS namespace. For example, if the local UNIX host is a member of the DNS zone ajax.org, but is joining the Active Directory domain emea.ajax.org, you can use this option to join the domain with a computer name that is different from the name of the computer in DNS:

-n finserv.emea.ajax.org

This option can also be used in conjunction with the --alias option if the computer has multiple IP addresses and there are DNS records for those addresses. The maximum length for computer account names in Active Directory is 64 characters (the limit on AD common names); however, it is recommended that you limit names to 15 or fewer characters because this limit conforms to the maximum length allowed by the NetLogon service, which is the preferred service for adclient to use for NTLM pass-through authentication. NetLogon is fast and automatically returns a user's group membership. If you specify more than 15 characters adclient uses LDAP methods to fetch the user's group membership and create the computer account. Because LDAP methods are subject to the permissions on the AD container for the computer account, you may need administrative permissions to execute this command when specifying a computer name longer than 15 characters.
accountname
Specify the pre-Windows 2000 name for this computer in Active Directory. The pre-Windows 2000 name is the name stored in the samAccountName attribute. The maximum length for the samAccountName attribute is 19 characters. Note: Although the actual limit is 19 characters, it is recommended that you limit the name to 15 characters because some Windows functions use this attribute as a NetBIOS name, which has a 15-character limit. If the name is larger than 15 characters, DirectControl must use less efficient NTLM authentication methods. If you do not specify this option, the default pre-Windows 2000 name is the computer account name truncated at 15 characters. This option enables you to manually specify the pre-Windows 2000 name you want to use. This option is most commonly used if the naming conventions for computer account names result in names that are longer than the 15 character limit.

-f, --force
Overwrite the information stored in Active Directory for an existing computer account. This option allows you to replace the information for a computer previously joined to the domain. If there is already a computer account with the same name stored in Active Directory, you must use this option if you want to replace the stored information. You should only use this option when you know it is safe to force information from the local computer to overwrite existing information.
--alias computeralias
Specify an alias name you want to use for this computer in Active Directory. This option creates a Kerberos service principal name for the alias and the computer may be referred to by this alias. This option would normally be used if a computer has more than one Ethernet port and each port is known by a different DNS name. You can specify more than one --alias option if you need to specify multiple aliases for a single computer.

--zone
Specify the name of the zone in which to place this computer account. If you do not specify a zone, the computer joins the domain in the default zone (a zone named default can be created when you run the Setup Wizard for the first time). Note: If you are using the Express mode of DirectControl, you cannot use this option. You must join a domain through Auto Zone by using the --workstation option. If individual zone names are not unique across the Active Directory forest, you can use the canonical name of the zone to uniquely identify the zone you want to join. For example, if you have more than one default zone, you can use the full canonical name of the zone to specify which default zone to join. If you specify a zone name and the named zone does not exist, the join operation fails. Note: If users and groups are unique across the forest and not required to be segregated into zones, you can join the Active Directory domain by using the --workstation option to connect to Auto Zone instead of specifying a zone. The --workstation and --zone options are mutually exclusive.
Indicate that you do not want to update the local system's PAM and NSS configuration. If you set this option, you will need to modify the PAM and NSS configuration files manually to work with the adclient daemon.

-s, --server domaincontroller
Specify the name of the domain controller to which you prefer to connect. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

-Z, --zoneserver domaincontroller
Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the one you are joining. Note: You cannot use this option when using the Express deployment mode of DirectControl.

-g, --gc domaincontroller
Specify the name of the domain controller to use for global catalog operations. You can use this option if the default domain controller is not writable or does not support global catalog operations.

-T, --trust
Set the Trust for delegation option in Active Directory for the computer account. Trusting an account for delegation allows the account to perform operations on behalf of other accounts on the network. If you want to use this option, you should clear the local cache on the client before joining the domain.

-k, --des
Set the computer account to use the Data Encryption Standard (DES) for keys.
--precreate
Precreate a computer account in Active Directory without joining the domain. If you use this option, you must also specify the name of the computer account you want to precreate using the --name option. The --precreate option does the following:

- Creates a computer object in Active Directory in the organizational unit you specify or the Computers container.
- Resets the computer account password to the computer's host name (in lower case).
- Creates an Extension object in the zone.

The following permissions are granted to the computer object:

- Read and Write to: operatingSystemServicePack, operatingSystem, and operatingVersion attributes in the Computer object.
- Reset the computer's password.
- Read userAccountControl attributes of the Computer object.
- Validate write to: servicePrincipalName and dNSHostName attributes.

By precreating the computer account and its serviceConnectionPoint, you can allow any user to join the computer to a domain without granting any special rights or performing any zone delegation. This option also enables you to create all the computer accounts you want in a batch job and automate how computers join the domain.

-m, --compat
Precreate a computer object that is compatible with DirectControl version 2.x and later. You must specify this option if you want the precreated computer object to be compatible with DirectControl version 2.x and later.
--selfserve
Use the computer object's account credentials to join the domain. Note: You cannot use this option when using the Express deployment mode of DirectControl. To use this option, you must have done one of the following:

- Precreated the computer account in Active Directory using the Pre-Create Computer wizard.
- Previously joined the computer to a domain, then left using the adleave --reset option, which resets the computer account to a precreated, pre-joined state, such that you can rejoin the domain using the --selfserve option.

Note: If you use the --selfserve option, you don't need to specify a zone for the computer. The computer is automatically made a member of the zone where the precreated object was created. You must, however, specify the Active Directory domain to successfully add the computer to the domain.

-V, --verbose
Display information about each step in the join process as it occurs. This option can be useful in diagnosing join problems. This option also writes log messages to the centrifydc.log file for troubleshooting purposes.

-v, --version
Display version information for the installed software.
--workstation
Join the computer to an Active Directory domain by connecting to Auto Zone rather than by making the computer a member of any specific zone. When joined to Auto Zone, every Active Directory user and group defined in the forest and any users defined in a two-way trusted forest are valid UNIX users or groups. You can use this option when:

- Active Directory identities are unique for the forest and trusted external forest.
- Active Directory users and groups only require one set of properties for all computers and do not need to be segregated into zones for any reason.

For the join to be successful, all of the domains in the forest and the trusted external forest must be unique. If domains are not unique across the forest trust, you must manually configure a unique prefix for each trusted domain using parameters in the centrifydc.conf configuration file. Note: The --workstation and --zone options are mutually exclusive.

domain
Specify the fully-qualified domain name you want the local computer to join. There is no default setting, so this argument is required.
If you want to join the sales.acme.com domain using a user account that is not in that domain, using a specified host name and Organizational Unit, you could type a command line similar to the following:
adjoin --workstation --user jeff@acme.com --name orlando --container "ou=UNIX computers" sales.acme.com
You are then prompted to provide the password for the user jeff@acme.com. If the password is correct and the local computer can successfully connect to Active Directory, a new computer account is added to Active Directory using the computer name orlando in the UNIX computers Organizational Unit.

Note: When specifying username@domain to join a domain, you cannot use an alternative UPN. For example, if your organization uses an alternate UPN to allow you to log in as garcia@mission.org but your account is actually defined in the sf.mission.org domain, you must use that domain when specifying the user account. For example:

adjoin --workstation --user garcia@sf.mission.org la.mission.org
File                          Platform         File location
Kerberos configuration file   Most platforms   /etc/krb5.conf
Kerberos configuration file   Solaris
Kerberos keytab file          Most platforms   /etc/krb5.keytab
Kerberos keytab file          Solaris
NSS configuration file        Most platforms
PAM configuration files                        /etc/pam.d/system-auth /etc/pam.d/*
In addition, the following files are created in the /var/centrifydc directory by running adjoin or by starting the Centrify DirectControl Agent for the first time:

Name                     Purpose
daemon                   This is the pipe which clients open to communicate to the agent.
dc.cache                 Cache of objects from the Domain Controller
gc.cache                 Cache of objects from the Global Catalog
dcdn.idx                 Cache index
extmgr.idx               Cache index
gcdn.idx                 Cache index
gid.idx                  Cache index
gname.idx                Cache index
search.idx               Cache index
uid.idx                  Cache index
uname.idx                Cache index
kset.domain              The domain name
kset.domaincontroller    The domain controller host name
kset.host                The host name used to join
kset.schema              The current schema version
kset.site                The preferred site
kset.zone                The Zone GUID
kset.zonename            Readable zone name
reg/*/*/*
ERR_JOIN_ATTRMAP
    The mapping of computer account properties to Active Directory attributes failed. If you encounter this problem, you may need to map all attributes, then rerun the adjoin command.

157 ERR_JOIN_UPDATE
    The computer failed to join the domain. If you encounter this problem, you may need to take corrective action:
    - Check whether the computer's hostname exceeds 15 characters. If the hostname exceeds 15 characters, shorten it or use the --name option to specify a name that is 15 characters or less, then rerun the adjoin command.
    - Check whether the computer's primary DNS suffix matches the Active Directory domain DNS name or another allowed primary DNS suffix. If the DNS suffix does not match the Active Directory domain or is not an allowed primary DNS suffix, you may need to change the DNS or domain configuration, then rerun the adjoin command.

158 ERR_STRONGER_AUTH_NEEDED
    A stronger authentication method is required by Active Directory. If you encounter this problem, you should set the LDAP traffic encryption parameter, adclient.ldap.packet.encrypt, to Allowed or Required in the Centrify DirectControl configuration file, then rerun the adjoin command.

159 ERR_UNEXPECTED_LDAP_REFERRAL
    There was an unexpected referral response. This is usually caused by an erroneous replication object in Active Directory. If you encounter this problem, you should check the zone container for replication errors, then rerun the adjoin command.

160 ERR_SPN_NOT_UNIQUE
    The servicePrincipalName (SPN) was not unique. Each SPN must be unique across the Active Directory forest. If you encounter this problem, you should use a servicePrincipalName that is unique across the forest, then rerun the adjoin command. You can search for duplicate service principal names using the Analyze wizard.

161 ERR_SERVERNAME_INVALID
    The domain server was specified using an IP address. If you encounter this problem, you should specify the domain controller name using a fully-qualified DNS name.

162 ERR_CHANGE_DIR
    The attempt to change to the data directory failed.

163 ERR_DOMAIN_NOT_TRUSTED
    The domain specified is not in the same forest or is not a trusted domain. If you encounter this problem, you should check the trust relationship for the domain or use a different domain, then rerun the adjoin command.

164 ERR_MULTIPLE_ZONES_FOUND
    Multiple zones were detected. If you encounter this problem, you should check the zones defined, then rerun the adjoin command and specify only one zone.
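A pre-join check, added here as a shell example that is not Centrify's code, which applies the name-length limits from the --name and pre-Windows 2000 name options together with the two ERR_JOIN_UPDATE checks above: it derives the default pre-Windows 2000 name (the account name cut at 15 characters), classifies a name against the 15-character NetLogon, 19-character samAccountName and 64-character common-name limits, and tests whether the host's DNS suffix matches the domain being joined or an allowed suffix. The limits are the guide's; the function names and the status words they return are my own.

```shell
#!/bin/sh
# Added example, not Centrify's code: pre-join sanity checks built from the
# name-length and DNS-suffix advice in this guide. Limits used:
#   15  NetBIOS / NetLogon name length (preferred path for NTLM pass-through)
#   19  maximum samAccountName length
#   64  maximum Active Directory common-name length for computer accounts

# short_name FQDN -> label before the first dot
short_name() { printf '%s\n' "${1%%.*}"; }

# dns_suffix FQDN -> everything after the first dot (empty if there is none)
dns_suffix() {
    case $1 in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# default_pre2k_name NAME -> the default pre-Windows 2000 name: NAME cut at 15 chars
default_pre2k_name() { printf '%s\n' "$1" | cut -c1-15; }

# computer_name_status NAME -> ok | ldap-path | too-long
#   ok         fits the 15-character NetLogon limit
#   ldap-path  16..64 chars: the join can succeed, but adclient falls back to
#              LDAP and may need extra permissions on the container
#   too-long   exceeds the 64-character common-name limit
computer_name_status() {
    n=${#1}
    if [ "$n" -le 15 ]; then echo ok
    elif [ "$n" -le 64 ]; then echo ldap-path
    else echo too-long
    fi
}

# pre2k_name_status NAME -> ok | netbios-overflow | too-long
#   netbios-overflow  16..19 chars: valid samAccountName, but over the NetBIOS limit
#   too-long          exceeds the 19-character samAccountName limit
pre2k_name_status() {
    n=${#1}
    if [ "$n" -le 15 ]; then echo ok
    elif [ "$n" -le 19 ]; then echo netbios-overflow
    else echo too-long
    fi
}

# suffix_matches FQDN DOMAIN [ALLOWED_SUFFIX...] -> status 0 when the host's DNS
# suffix equals the AD domain or one of the allowed suffixes (case-insensitive)
suffix_matches() {
    have=$(dns_suffix "$1" | tr 'A-Z' 'a-z')
    shift
    for want in "$@"; do
        [ "$have" = "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ] && return 0
    done
    return 1
}

# prejoin_report FQDN DOMAIN -> one key=value line per check
prejoin_report() {
    host=$(short_name "$1")
    printf 'name=%s\n' "$host"
    printf 'name_status=%s\n' "$(computer_name_status "$host")"
    printf 'pre2k_default=%s\n' "$(default_pre2k_name "$host")"
    if suffix_matches "$1" "$2"; then
        printf 'suffix=match\n'
    else
        printf 'suffix=mismatch\n'
    fi
}
```

On a real host, `prejoin_report "$(hostname -f)" sales.acme.com` gives the four lines to look at before running adjoin; a mismatch is the disjoint-namespace case where the --name option is used, and ldap-path is the case where a shorter --name avoids the LDAP fallback.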
Using adleave
The adleave command removes the local host computer from its current Active Directory domain. Once a computer has become a member of a domain, you must run the adleave command to leave that domain before you can move a computer to a new domain.
By default, when you run adleave, the program performs the following tasks:

- Contacts Active Directory and deactivates the computer account associated with the local UNIX host. The program does not remove the computer account from Active Directory. To remove the computer account entirely, you must delete it from Active Directory manually with Active Directory Users and Computers.
- Reverts any computer settings that were changed by the adjoin command to their pre-adjoin condition. This includes reverting PAM, NSS, and Kerberos configuration files to their pre-join states, deleting the /var/centrifydc/* files, and deleting /etc/krb5.keytab.
- Stops the Centrify DirectControl daemon (adclient).

Note: When you join a domain, the Kerberos configuration file, /etc/krb5.conf, and keytab file, /etc/krb5.keytab, are automatically generated for you. Because the /etc/krb5.conf file can contain entries used by other applications, it is not removed automatically when you leave a domain. If you leave the domain, you should check whether this file is used by any other applications or if it has been manually edited. If it is not used by other applications, you can safely delete the file after leaving the domain.
--user username
Identify an Active Directory user account with sufficient rights to remove a computer from the domain. You must use the username@domain format to specify the user account if the username is not a member of the computer's current domain. If you do not specify the --user option, the default is the Administrator user account.

Specify the password for the Active Directory user account performing the leave operation. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

Specify the name of the domain controller that you prefer to use to disconnect from the domain. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information.

-Z, --zoneserver domaincontroller
Specify the name of the domain controller to use for zone operations. You can use this option, for example, if the zone is defined in a different domain than the domain you are leaving. Note: You cannot use this option when using the Express deployment mode of DirectControl.
--noconf
Indicate that you do not want to revert the local system's PAM and NSS configuration files to their original state. Normally, if you leave a domain, any changes that have been made to the PAM and NSS configuration files to work with the adclient daemon during the join operation are removed. If you set this option to leave the file changes in place, you should review the PAM and NSS configuration files for potential changes. Note: Be sure to review and, if necessary, edit the PAM and NSS configuration files before you use this option. If you don't take precautions before using this option, the computer may become inoperable and require a reboot in single user mode to fix the problem.

-f, --force
Indicate that you want to force the local computer's settings to their pre-join conditions even if the adleave command cannot connect to Active Directory or is not successful in deactivating the Active Directory computer account. You must use this option if the Active Directory computer account has been modified or deleted so that the host computer can no longer work with it.
Indicate that you do not want to revert any group policies applied to the computer to their original state. Note: This option has no effect when using the Express deployment mode of DirectControl as group policies are not supported by Centrify DirectControl Express. Normally, if you leave a domain, any group policy changes that have been applied to UNIX configuration files are reverted to restore the files to their pre-join state.

-r, --remove
Remove the computer account from Active Directory.

-R, --restore
Restore system configuration files to their pre-join state without leaving the domain.

-t, --reset
Reset the computer account to its precreated, pre-joined state. This option resets the computer account password to the hostname (in lowercase) and disables the computer zone object. Specifying --reset allows you to leave a domain, then rejoin using the adjoin --selfserve option, which allows you to specify machine credentials when joining a domain. This option is valuable for virtual, cloud-computing environments that require the ability to dynamically join and leave a domain.

-v, --version
Display version information for the installed software.

-V, --verbose
Display detailed information for each operation.
You are then prompted for the Active Directory Administrator password. To remove a computer from its current domain using a specific user account and without reverting the PAM and NSS configuration files to their pre-join state, you could type a command line similar to the following:
adleave --user raj@acme.com --noconf
You are then prompted for the password for the user raj@acme.com. To revert all computer settings to their pre-join state even if unable to deactivate the host computer's account in Active Directory, you could type a command line similar to the following:
adleave --force
ERR_STOP_NIS_ADCLIENT
    The adleave command was unable to stop the adnisd or adclient process. If you encounter this problem, you may need to manually stop the processes, then rerun the adleave command.

157 ERR_DELETE_CONTENT
    The adleave command was unable to delete all content.

158 ERR_LEAVE_FAILED
    The attempt to leave the domain failed. If you encounter this problem, you may need to rerun the adleave command with the --force option.

159 ERR_CONNECT_DC
    The adleave command was unable to connect to the domain controller. If you encounter this problem, you may need to rerun the adleave command with the --force option.

160 ERR_SYNC_TIME
    Time is not synchronized between the local system clock and the domain controller.
Using adcheck
The adcheck command can be used to perform operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The domain should be a fully-qualified domain name, for example, sales.acme.com. The output from adcheck includes notes, warnings, and fatal errors, including suggestions on how to fix them. By default, adcheck performs the following tests:

- Operating system check to verify that the operating system is supported and at the correct patch levels, and that there is sufficient disk space.
- Network check to verify DNS and SSH.
- Active Directory check to verify various aspects of the Active Directory configuration, including the domain name, time and domain synchronization, and checking up to 10 domain controllers (which can be extended by an adcheck parameter for large domains).

You must specify a domain unless you are running the operating system check only (-t os). The adcheck program is run automatically when you install the Centrify DirectControl Agent by running the install.sh program or the graphical-user-interface installer on a Mac OS X platform.

Note: To run adcheck you must be logged in as root.

The basic syntax for the adcheck program is:

adcheck [domainName] [--alldc] [--siteonly] [--bigdomain number] [--xml filename] [--test os|net|ad] [--servername domainController] [--verbose] [--version]
--alldc
Check all domain controllers. This option overrides the --siteonly and --bigdomain options. The --servername option overrides this option. If you do not specify --alldc, --siteonly, or --servername, adcheck checks the number of domain controllers specified by the --bigdomain option (default is 10).

-s, --siteonly
Check all domain controllers for the first detected site. This option overrides the --bigdomain option. The --alldc and --servername options override this option.

--bigdomain number
Specify the number of domain controllers to check. The default is 10. The --alldc, --siteonly, and --servername options override this option.

--xml filename
Specify the filename in which to generate XML output.

-t, --test os|net|ad
Run a subset of the tests, as follows:

- os: Operating system check only; does not require that you specify a domain.
- net: Network check only; requires that you specify a domain.
- ad: Active Directory check, which also runs the network check; requires that you specify a domain.

You can enter multiple -t options to specify multiple sub-tests, for example:

adcheck ajax.com -t os -t net

-s, --servername domainController
Specify the domain controller to connect to when performing the network checks. You can use this option to override the automatic selection of a domain controller based on the Active Directory site information. This option overrides the --alldc, --siteonly, and --bigdomain options.

-V, --verbose
Display diagnostic information about the host, the domain, and the domain controller.

-v, --version
Display version information for the installed software.
Using adlicense
The adlicense command can be used to enable or disable licensed features on a local computer. If you execute adlicense with no options, it displays the current mode, either licensed or express. In licensed mode, a computer has access to group policies and may join any existing zones. In express mode (licensing is disabled) a computer may not download or execute group policies and cannot join a zone. The computer is automatically joined to Auto Zone. To run adlicense you must be logged in as root.
Enable licensed features, including the ability to use group policies and join a specific zone. After you enable licensed features, the computer is still joined to Auto Zone. You may keep the computer joined to Auto Zone or join a specific zone, in which case, you must first leave the zone with adleave, then rejoin the domain with the adjoin --zone command. To enable licensing, you must have installed a valid license key. Enabling licensing consumes a license.

-e, --express
Disable licensed features. This option unmaps group policies and prevents the machine from joining any specific zones. The computer is automatically joined to Auto Zone. If you are running in licensed mode, and execute adlicense --express to switch to Express mode, a license is restored. Note: You cannot use this option if the machine is currently joined to a zone. You must first leave the domain, then connect to Auto Zone when rejoining the domain.

-V, --verbose
Display detailed information about the operation performed.

-v, --version
Display version information for the installed software.
Using adpasswd
The adpasswd command changes the password for an Active Directory user account. It can be used to change the password of the current user executing the command or to change the password of another Active Directory user. If you want to change the password for any Active Directory account other than your own, you must provide the user name and password of an administrative account with the authority to change that user's password. The basic syntax for the adpasswd program is:
adpasswd [options] [user[@domain]]
If a user@domain is specified in the command line, you must provide an administrative user name and password for an Active Directory account with the authority to set passwords for other Active Directory users. If a user@domain is not specified in the command line, this command can only be used to change the password for the current user account. Because adpasswd allows a user to change his or her own password, you do not need to be logged in as root to run this command.
Note
Changing a user's password with this command updates the user's Active Directory account. Once changed, the new password must be used for all activities that are authenticated through Active Directory, including logging on to the UNIX shell, logging on to Windows computers, and accessing applications on both UNIX and Windows.
Use this option / To do this

--adminuser adminuser[@domain]
    Identify an Active Directory user account with sufficient rights to modify another Active Directory user account. You must use the adminuser@domain format to specify the account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the default is the Administrator user account.
[administrator password option; its name is not on this page]
    Specify the password for the Active Directory administrative account when changing another user's Active Directory password. If you do not provide the password at the command line, you are prompted to enter the password before the command executes. However, if adpasswd detects Kerberos credentials, it uses those for the command, and if these credentials are not sufficient, you receive an error message rather than a prompt for a password.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-V, --validate
    Check the validity of a user's password. This option is used to verify whether a specified user can log on with the specified password.
[old password option; its name is not on this page]
    Specify the current password for the Active Directory user account. This option is only used when the user executing the command is trying to change the password for his own account. This option is ignored if the administrator is trying to change the password for another user account. If you are trying to change your own password and do not provide the current password at the command line, you are prompted to enter the old password before the command executes.
[new password option; its name is not on this page]
    Specify the new password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the new password and confirm the new password by retyping it before the command executes. The new password must meet the Active Directory domain password policy requirements for length and complexity.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-v, --version
    Display version information for the installed software.
user[@domain]
    Specify the Active Directory user account for the password change. You must use this option if you are changing another Active Directory user's account password. You should not use this option when changing your own account password. If a user name is not specified, the default is always the current user's account. You must use the user@domain format to specify the account if the user is not a member of the host computer's current domain.
the old and new passwords because they aren't provided in the command line:
adpasswd
Old password: xxx
New password: xxx
Repeat password: xxx
The following command illustrates changing the password for another user account, jane@acme.com, which is in a domain outside the host computer's own Active Directory domain. Because this example changes the password for another user, the command specifies an Active Directory administrative account, admin@acme.com, with the authority to change the password for Jane's account:
adpasswd --adminuser admin@acme.com jane@acme.com
You are then prompted for the administrator password and the user's new password because these values aren't provided in the command line.
Administrator password: xxx
New password for jane@acme.com: xxx
Repeat password: xxx
To check whether a user can log on with a specific password, you can use the --validate option. For example:
adpasswd --validate pablo@acme.com
Password: xxx
If the user name and password are valid and can be authenticated by Active Directory, a successful validation message is displayed. If the user name and password specified cannot be authenticated, the command displays a message indicating the authentication failure:
Password validate failed for user pablo
Account cannot be accessed at this time
Please contact your system administrator
are encountered. The following table lists these command-specific result codes.

Result  Error name           Indicates
156     ERR_PASSWDFILE_MISS  The password could not be updated because the passwd file could not be found.
157     ERR_PASSWDFILE_BUSY  The password could not be updated because the passwd file was being used by another program.
Using adquery
The adquery command enables you to query Active Directory for information about users and groups from the command line on a Centrify DirectControl-managed system. The options you can use depend on whether you are looking up user information or group information. You can look up information for a specific user or group or for all of the users or groups in a zone. The basic syntax for the adquery program is as follows:
adquery user|group [options] [username|groupname]
You can specify a single option in the command line to have the information returned as one value per line, suitable for use in scripts. If you specify multiple options in the command line, the information returned is formatted in a list with field labels identifying each value.
You can specify the username in any supported format. If the user name includes any blank spaces, the name should be enclosed by quotation marks. For example, if you want to specify an Active Directory account name consisting of a first name and a last name, you can type a command similar to the following:
adquery user --samname --enabled "Jae Park"
All options, including --all, return formatted attributes and values, with the exception of --dump, which returns raw attributes and values, and --attribute, which allows you to specify individual raw attributes. Raw attributes are the form in which attributes are stored internally in Active Directory or DirectControl, that is, without regard to readability. For example, the raw attribute for the account expiration date is a numeric string:
#adquery user -j |grep -i expires
accountExpires:129389472000000000
You can use the following options with the adquery user command:

Use this option / To do this

-U, --admin user@domain
    Specify an Active Directory user account with sufficient rights to query Active Directory and retrieve zone information. You must use the user@domain format to specify the user account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available, the default value is the Administrator user account.
[administrator password option; its name is not on this page]
    Specify the password for the Active Directory user account with administrative rights. If you are using the current Kerberos credentials, you don't need to specify the password at the command line. If you are not using the current Kerberos credentials and do not specify the password at the command line, you are prompted to enter the password before the command executes. You can pipe the password into standard input for scripting purposes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-b, --attribute attributename
    Display the value of the specified Active Directory or DirectControl raw attribute. Use the -j (--dump) option to see a list of raw attributes. The -A (--all) option returns formatted attributes and values.
    Note: Attribute names are case-sensitive. Internal DirectControl attributes begin with an underscore character.
    You can specify multiple --attribute (-b) options, in which case the name of the attribute is returned along with the value. For example:
    #-b cn
    rajai davis
    #-b cn -b sAMAccountName
    cn:rajai davis
    sAMAccountName:rdavis
-h, --home
    Display the specified user's home directory or the home directory for all users in the zone.
-g, --gid
    Display the specified user's primary group identifier (GID) or the primary group identifier (GID) for all users in the zone.
-G, --groups
    List the UNIX-enabled groups the user is a member of.
-a, --adgroups
    List all of the Active Directory groups the user is a member of. Active Directory groups are listed by canonical name.
[shell option; its name is not on this page]
    Display the user's default shell.
--uid
    Display the user identifier (UID) for the specified user or for all users in the zone.
-p, --display
    Display the displayName attribute for the user or for all users in the zone.
-o, --gecos
    Display the contents of the GECOS field for the user or for all users in the zone.
-n, --unixname
    Display the UNIX login name for the specified user or for all users in the zone.
-M, --samname
    Display the Active Directory logon name for the specified user or for all users in the zone.
-i, --sid
    Display the Active Directory security identifier (SID) for the specified user or for all users in the zone.
-P, --principal
    Display the Kerberos user principal name (UPN) for the specified user or for all users in the zone.
-S, --service
    Display the Kerberos service principal name (SPN) for the specified user or for all users in the zone.
-C, --canonical
    Display the Active Directory canonical name for the specified user or for all users in the zone.
[password hash option; its name is not on this page]
    Display the UNIX password hash for the specified user if you are using password synchronization between Active Directory and DirectControl-managed computers. You must be logged on as the root user or querying Active Directory for your own account information to retrieve the password hash.
-x, --acct-expire
    Display the date the user account expires. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-w, --pwd-expire
    Display the date the current password for the user account expires. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-c, --pwd-nextchange
    Display the date after which the user may change their password. You must be either logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-l, --pwd-lastchange
    Display the date of the last password change for the user. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-k, --locked
    Determine whether the Active Directory account for the user is locked because of failed attempts to log on. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
[disabled option; its name is not on this page]
    Determine whether the Active Directory account for the user has been disabled. You must be logged on as the root user or querying Active Directory for your own account information to retrieve this information.
-e, --enabled
    Determine whether the Active Directory account for the user has been enabled for UNIX access in the current zone.
-D, --dn
    Display the distinguished name (dn) for the specified user or for all users in the zone.
-W, --userWorkstations
    List the value of the user's Active Directory userWorkstations attribute, which specifies the machines from which the user may log into the domain. If the output is blank, the user is not restricted to a particular machine.
-A, --all
    List all of the information returned by the other command line options for the user.
-j, --dump
    List all the user's raw attributes and values.
-F, --cache-first
    Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.
[field separator option; its name is not on this page]
    Specify the separator character or string (char) to use between fields. The default separator between fields is a colon (:). For example:
    jae:uid:525
-R, --list-separator char
    Specify the separator character or string (char) to use between the values in a list. The default separator between values in a list is a comma (,). For example:
    jae:unixGroups:testlab,dev2
--prefix
    Add the user's UNIX user name as a prefix when returning single values. This option formats the information returned to include the user's UNIX name when you are querying for a specific attribute, such as the user's UID or displayName. This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the user's UNIX name and a label identifying each attribute by default.
-v, --version
    Display version information for the installed software.
You must use the canonical format for the group name if specifying the Active Directory group name. For example, if you want to specify the Active Directory group name, you can type a command similar to the following:
adquery group ajax.org/Users/TestExpert Team
All options, including --all, return formatted attributes and values, with the exception of --dump, which returns raw attributes and values, and --attribute, which allows you to specify individual raw attributes. Raw attributes are the form in which attributes are stored internally in Active Directory or DirectControl, that is, without regard to readability. For example, the raw attribute for the group type is a numeric string:
#adquery group -j |grep -i type
dnsadmin:groupType:-2147483644
You can use the following options with the adquery group command:

Use this option / To do this

-U, --admin user@domain
    Specify an Active Directory user account with sufficient rights to query Active Directory and retrieve zone information. You must use the user@domain format to specify the user account if the administrative user is not a member of the host computer's current domain. If you do not specify this option, the current Kerberos credentials are used. If there are no Kerberos credentials available, the default value is the Administrator user account.
[administrator password option; its name is not on this page]
    Specify the password for the Active Directory user account with administrative rights. If you are using the current Kerberos credentials, you don't need to specify the password at the command line. If you are not using the current Kerberos credentials and do not specify the password at the command line, you are prompted to enter the password before the command executes. You can pipe the password into standard input for scripting purposes.
    Note: Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.
-b, --attribute attributename
    Display the value of the specified Active Directory or DirectControl raw attribute. Use the -j (--dump) option to see a list of raw attributes. The -A (--all) option returns formatted attributes and values.
    Note: Attribute names are case-sensitive. Internal DirectControl attributes begin with an underscore character.
    You can specify multiple --attribute (-b) options, in which case the name of the attribute is returned along with the value. For example:
    #-b cn
    DnsAdmins
    #-b cn -b sAMAccountName
    cn:DnsAdmins
    sAMAccountName:DnsAdmins
-m, --members
    List the UNIX members of the specified group or of all groups in the zone.
-a, --admembers
    List the Active Directory members of the specified group or of all groups in the zone.
-s, --sammembers
    List the Active Directory members of the specified group or of all groups in the form name@domain; for example:
    jsmith@AJAX.COM
-g, --gid
    Display the group identifier (GID) for the specified group or of all groups in the zone.
-q, --required
    Display whether membership in the specified group is required or not. For more information about required groups, see adsetgroups.
-n, --unixname
    Display the UNIX group name for the group.
-M, --samname
    Display the Active Directory name for the group.
-i, --sid
    Display the Active Directory security identifier (SID) for the group.
-C, --canonical
    Display the Active Directory canonical name for the group.
-D, --dn
    Display the distinguished name (dn) for the group.
-A, --all
    List all of the information returned by the other command line options for the group. If you use this option without specifying a group name, the command lists details for all of the groups in the zone.
-j, --dump
    List all the group's raw attributes and values.
-F, --cache-first
    Read data from the cache rather than from Active Directory. Only read from Active Directory if an object has expired.
[field separator option; its name is not on this page]
    Specify the character or string (char) to use as the separator between an attribute name and its value. The default separator between attributes and values is a colon (:). For example:
    unixname:qa-euro
-R, --list-separator char
    Specify the character or string (char) to use as the separator between the values in a list. The default separator between values in a list is a comma (,). For example:
    unixGroups:unixdev,testexpe
--prefix
    Add the UNIX group name as a prefix when returning single values. This option formats the information returned to include the UNIX group name when you are querying for a specific attribute, such as the group GID or membership list. This option is not necessary if you query for multiple attributes in the command line. If you query for multiple attributes, the information returned is formatted with the UNIX group name and a label identifying each attribute by default.
-t, --type
    Display the scope and group type for a specified group. The valid group types are:
    local security
    global security
    universal security
-v, --version
    Display version information for the installed software.
This command returns the results for the unixdev group in the following format:
unixname:unixdev
gid:400
required:false
dn:CN=Unix Developers,CN=Users,DC=ajax,DC=org
groupType:global security
samAccountName:Unix Developers
sid:S-1-5-21-3619768212-1024502798-2657341593-1106
canonicalName:ajax.org/Users/Unix Developers
members:ajax.org/Users/Ashish Menendez,ajax.org/Users/Ben Waters,ajax.org/Users/Monte Fisher,ajax.org/Users/Jae Kim,ajax.org/Users/Jay W. Reynolds,ajax.org/Users/Pierre Leroy,ajax.org/Users/Rae Parker,ajax.org/Users/Zoe Green
unixMembers:ashish,ben,fisher,jae,jay,pierre,rae,zoe
Similarly, to see a complete list of details about the user jae@ajax.org, type:
adquery user --all jae@ajax.org
This command returns the results for the user in the following format:
unixname:jae
uid:409
gid:400
gecos:Jae Kim
home:/home/jae
shell:/bin/bash
dn:CN=Jae Kim,CN=Users,DC=ajax,DC=org
samAccountName:jae
display:jae
sid:S-1-5-21-3619768212-1024502798-2657341593-1185
userPrincipalName:jae@AJAX.ORG
servicePrincipalName:
canonicalName:ajax.org/Users/Jae Kim
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 12 15:21:04 2007
nextPasswordChange:Fri Mar 2 14:21:04 2007
lastPasswordChange:Thu Mar 1 14:21:04 2007
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:unixdev,testexpe
memberOf:ajax.org/Users/Unix Developers,ajax.org/Users/Domain Users,ajax.org/Performix/TestExpert Team
When you specify a single attribute in the command line, the information is displayed as one value per line without any attribute label or identifier. For example, if you want to return the canonical name for the qa-euro group as an unlabeled value, you would type:
adquery group --canonical qa-euro
This command displays the canonical name without any prefix or label:
ajax.org/Users/QA Europe
Similarly, if you want to return only the UID for the user rae@ajax.org, you would type:
adquery user --uid rae@ajax.org
10003
To list a single attribute about multiple groups or users, you can specify the additional groups or users in the command line. For example, to see a list of the UNIX user names of Active Directory members for the testexp, performx and unixdev groups, you would type:
adquery group --members testexp performx unixdev
This command returns the UNIX user names of the members in each group in the following format:
ben,fisher,jae,jolie,rae
zoe
ashish,ben,fisher,jae,jay,pierre,rae,zoe
If you want the results to include the UNIX user name or group name, you can add the --prefix option to the command line. For example, to include the UNIX group name with a membership list for the testexp, performx and unixdev groups, you would type:
adquery group --members --prefix testexp performx unixdev
This command returns the members in each group in the following format:
testexp:ben,fisher,jae,jolie,rae
performx:zoe
unixdev:ashish,ben,fisher,jae,jay,pierre,rae,zoe
When you query multiple attributes for a user or group, the results display the UNIX user or group name, followed by an attribute label to identify the attribute values displayed. For example, to return the samAccountName and unixGroups for the users rae, ben, ashish, and jae, you would type:
adquery user --samname --groups rae ben ashish jae
This command returns the requested information for each user in the following format:
rae:samAccountName:rae-old
rae:unixGroups:unixdev,testexpe,perform2
ben:samAccountName:ben
ben:unixGroups:qualtrak,unixdev,testexpe
ashish:samAccountName:ashish
ashish:unixGroups:qualtrak,unixdev
jae:samAccountName:jae
jae:unixGroups:unixdev,testexpe,perform2
If you don't specify a username or groupname in the command line, the adquery command returns information for all users or all groups in the current zone. The format of the output depends on whether you specify a single attribute or multiple attributes and any other options you set. For example, to list the UNIX group names and GIDs for all of the groups in the current zone, you would type:
adquery group --gid --prefix
This command returns the group names and GIDs in the following format:
unixdev:400
oracle:700
qualtrak:800
performi:401
perform2:402
financeu:403
testexpe:404
integrit:405
Similarly, to return a list of UIDs and display names for all of the users in the current zone, you would type:
adquery user --uid --display
For example:
rae-old:uid:10003
rae-old:displayName:Rae S. Parker
jay:uid:501
jay:displayName:Jay W. Reynolds
zoe:uid:502
zoe:displayName:Zoe Green
ben:uid:503
ben:displayName:Ben Waters
ashish:uid:504
ashish:displayName:Ashish Menendez
fisher:uid:505
fisher:displayName:Monte Fisher
pierre:uid:506
pierre:displayName:Pierre Leroy
lynn:uid:507
lynn:displayName:Lynn Hogan
tess:uid:508
tess:displayName:Tess Adams
jolie:uid:509
jolie:displayName:Jolie Ames-Anderson
jae:uid:510
jae:displayName:Jae Kim
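The multi-attribute and --prefix output shown above is what a script consumes, and the --separator and --list-separator options decide how that script has to split each line. The following parser and account audit are an added example written for this guide, not code from Centrify or from the adquery tool itself. It assumes only the line layout documented above (unixname, attribute, value, joined by the field separator, with list values joined by the list separator); the sample lines are constructed from the guide's own examples and are embedded in the script, so nothing is queried from Active Directory when it runs.

```python
"""Parse adquery multi-attribute output and flag risky accounts.

Added example (not Centrify's code). Assumes the output layout the guide
documents for multi-attribute or --prefix queries: one line per value,
formatted as  unixname<sep>attribute<sep>value  where <sep> is ':' unless
--separator was given, and list values joined by ',' unless --list-separator
was given. The sample below is constructed from the guide's own examples.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample: what a query such as
#   adquery user --samname --groups --locked --disabled --pwd-expire rae ben
# might print. The values are illustrative, not real directory data.
SAMPLE_OUTPUT = """\
rae:samAccountName:rae-old
rae:unixGroups:unixdev,testexpe,perform2
rae:accountLocked:true
rae:accountDisabled:false
rae:passwordExpires:Thu Apr 12 15:21:04 2007
ben:samAccountName:ben
ben:unixGroups:qualtrak,unixdev,testexpe
ben:accountLocked:false
ben:accountDisabled:true
ben:passwordExpires:Never
"""

# Attributes whose value is a list. Everything else is kept as one string,
# because values such as a DN ("CN=Jae Kim,CN=Users,DC=ajax,DC=org") contain
# commas that are not list separators.
LIST_ATTRIBUTES = {"unixGroups", "memberOf", "members", "unixMembers"}

Value = Union[str, List[str]]
Records = Dict[str, Dict[str, Value]]


def parse_adquery(text: str, field_sep: str = ":", list_sep: str = ",") -> Records:
    """Return {unixname: {attribute: value}} from adquery output."""
    records: Records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split at most twice: the value itself may contain the field
        # separator (a timestamp such as 15:21:04, or a DN).
        parts = line.split(field_sep, 2)
        if len(parts) != 3:
            raise ValueError(f"unexpected adquery line: {line!r}")
        name, attribute, value = parts
        record = records.setdefault(name, {})
        if attribute in LIST_ATTRIBUTES:
            record[attribute] = [v for v in value.split(list_sep) if v]
        else:
            record[attribute] = value
    return records


def audit_accounts(records: Records, now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """Flag locked, disabled and password-expired accounts, sorted by name."""
    now = now or datetime.now()
    findings: List[Tuple[str, str]] = []
    for name in sorted(records):
        attrs = records[name]
        if attrs.get("accountLocked") == "true":
            findings.append((name, "locked"))
        if attrs.get("accountDisabled") == "true":
            findings.append((name, "disabled"))
        expires = attrs.get("passwordExpires")
        if expires and expires != "Never":
            # adquery prints dates in ctime-like form: Thu Apr 12 15:21:04 2007
            if datetime.strptime(expires, "%a %b %d %H:%M:%S %Y") < now:
                findings.append((name, "password expired"))
    return findings


if __name__ == "__main__":
    parsed = parse_adquery(SAMPLE_OUTPUT)
    for user, problem in audit_accounts(parsed):
        print(f"{user}: {problem}")
```

Splitting each line at most twice is the detail that matters: a naive split on every colon breaks on timestamps and distinguished names, and splitting every value on commas breaks DNs, which is why only the attributes known to be lists are treated as lists. If you run adquery with a non-default --separator or --list-separator, pass the same characters as field_sep and list_sep.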
Using adinfo
The adinfo command displays detailed Active Directory, network, and diagnostic information for a local UNIX computer. Options control the type of information and level of detail displayed. The basic syntax for the adinfo program is:
adinfo [option] [--user username[@domain]] [--password password]
The --domain, --gc, --zone, --zonedn, --site, --server, and --name options are intended for use in scripts to return the current Active Directory domain, global catalog domain controller, zone, site, domain controller, and computer account name, respectively. The other options provide more detailed or operation-specific information. You can use the --user and --password options in conjunction with the --all, --support, --diag, or --auth option to specify the user name and password of an Active Directory account with permission to read the computer account information in the Active Directory domain controller you are accessing. If you run adinfo while logged in as root, you do not need to specify the --user or --password option because the command uses the Active Directory account associated with the local host. If you run the adinfo command with a user account that doesn't have permission to read the computer account information in Active Directory, some information may not be available in the command output. To run the adinfo --support command, you must be logged in as root. You are not required to log in as root for any of the other adinfo options.
Note
If you do not specify an option, adinfo returns the basic set of configuration details for the local computer, which is equivalent to specifying adinfo --all.
Note
The last line returned by adinfo on Mac OS X and Linux machines shows Licensed Features: Enabled | Disabled to indicate whether the standard or express version of DirectControl is running. This information is only relevant to Mac OS X and Linux machines, so it does not appear when you run adinfo on other platforms.
Use this option / To do this

--domain
    Return the name of the local computer's Active Directory domain. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 10.
-G, --gc
    Return the name of the local computer's Active Directory domain controller used for global catalog operations. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 10.
--zone
    Return the name of the local computer's Active Directory zone, or Auto Zone if the computer is joined to Auto Zone and not a member of any specific zone. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 10.
-Z, --zonedn
    Return the distinguished name (DN) of the local computer's Active Directory zone, or the distinguished name (DN) of the computer's Active Directory domain if the computer is joined to Auto Zone. The distinguished name is the name that uniquely identifies an entry in the directory, beginning with the most specific attribute and continuing with progressively broader attributes. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 10.
-s, --site
    Return the name of the local computer's Active Directory site. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 10.
-r, --server
    Return the fully-qualified name of the local computer's Active Directory domain controller. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 10.
-n, --name
    Return the fully-qualified name of the local computer's computer account in Active Directory. If the computer isn't currently joined to an Active Directory domain, the command exits and returns an exit status of 10.
--all
    Return the following information:
    - Local host name
    - Domain the computer is joined to
    - Computer account name in Active Directory
    - Local preferred site
    - Centrify DirectControl zone
    - The date and time that the password was last reset for the computer's Active Directory computer account
    - Current operational mode, indicating whether the computer is connected to Active Directory or running in disconnected mode
    - Whether licensed features are enabled (Mac OS X and Linux only)
    Note: If you use this option but the user account doesn't have permission to read the computer account information in Active Directory, the command output does not indicate whether shell access has been enabled or information about the last password set.
--support
    Return all of the information supplied by the --all option and the following additional information:
    - The current configuration parameters set in /etc/centrifydc/centrifydc.conf
    - The key list from /etc/krb5.keytab
    This option is typically used to send complete diagnostic information to a file, which can then be sent to Centrify Technical Support for analysis. By default, the output for the command is written to the file /tmp/adinfo_support.txt. You can save the output in a different location or under a different file name by using the optional --output argument. To send --support output to stdout, use a hyphen (-) in the command line in place of the filename.
    Note: The root account is required if you want to retrieve the Kerberos key version stored in Active Directory for comparison with the local Kerberos key.
--diag [domain]
    Return the diagnostic information for the host computer and a specific Active Directory domain. If you don't specify the domain, the command returns information for the computer's current domain. Specifying a domain is useful when an attempt to join the computer to an Active Directory domain fails. By specifying adinfo --diag and the domain you tried to join, you can better diagnose why an attempt to join failed. This option returns the following information:
    - Local host name
    - Local IP address
    - List of the DNS servers for the specified domain
    - Host name or IP address of the DNS server supplied by the domain controller
    - Whether the domain controller has up-to-date global catalog data so that it can become the global catalog, if necessary
    - Functional level of the specified Active Directory domain
    - Functional level of the domain's Active Directory forest
    - Functional level of the domain controller
    - Name of the Active Directory forest to which the specified domain belongs
    - Name of the computer account in Active Directory for this computer
    - Kerberos key version for this computer
    - List of Kerberos service principal names this computer has registered with Active Directory
    Note: You should use the root user account when you use this option. If you don't use the root account, the command will not be able to bind to the domain controller or locate the computer account. The root account is also required to compare the local key version with the key version stored in Active Directory.
[configuration option; its name is not on this page]
    Return the parsed contents of the Centrify DirectControl configuration file.
-m, --mode
    Display whether the computer is currently connected to Active Directory or running in disconnected mode. If the adclient process is not currently running at all, this option returns the agent status as down.
    Note: You should use the root user account when you use this option to display the appropriate status. If you don't use the root account, the command will not be able to check the adclient lock file to confirm whether adclient is running or not.
--sysinfo
    Display system information for the current domain. You can specify one or more options in a comma-separated list, or specify all to show all available information:
    all       Display all available system information; specifying this option is the same as specifying all the following options.
    dns       Display the address, state, and cache contents of the current DNS server.
    domain    Display the domain info map for the current domain.
    netstate  Display network state.
    adagent   Display adagent information.
    config    Display adclient in-memory configuration parameter values.
    For example, to show DNS, domain, and configuration information, type the following command:
    adinfo --sysinfo dns,domain,config
-T, --test
    Test the availability of the ports Centrify DirectControl requires for authentication through Active Directory.
-V, --verbose
    Display detailed information about each operation as it is performed. You can use this option in combination with other options.
Display version information for the installed software.

-u, --user username[@domain]
Identify an Active Directory user account with sufficient rights to read the computer account information. You must use the username@domain format to specify the user account if the user is not a member of the computer's current domain. If you do not specify the --user option, the default is the Administrator user account.

-p, --password userpassword
Specify the password for the Active Directory user account. If you do not provide the password at the command line, you are prompted to enter the password before the command executes.
Note
Specifying a password at the command line represents a security risk because the password can be retrieved while the command is running or from command history after the command has completed its execution.

-A, --auth [domain]
Authenticate the user name and password for the user specified with the --user option against the specified domain. If you don't specify a domain, the user is validated against the currently joined domain. This option only validates that the user name and password you enter can be authenticated by Active Directory. You cannot use this option in combination with other options to display other types of information.

-S, --servername domain_controller
Connect to a specific domain controller to perform network diagnostics. You can use this option in combination with any of the other options.

-C, --computer
Display the service principal names (SPNs) associated with the computer account.
If the computer has joined a domain, this command displays information similar to the following:
Local host name:   magnolia
Joined to domain:  ajax.org
Joined as:         magnolia.ajax.org
Pre-win2k name:    magnolia
Current DC:        ginger.ajax.org
Preferred site:    Default-First-Site-Name
Zone:              ajax.org/Program Data/Centrify/Zones/default
Last password set: 2006-12-21 11:37:22 PST
CentrifyDC mode:   connected
Licensed Features: Enabled
Note
Whether licensed features are enabled or disabled is only relevant for Linux and Mac computers and is not shown for Solaris and other UNIX systems.
You can also use adinfo in shell scripts to return specific information, such as the domain a computer has joined. For example, the following command returns the host computer's current domain and no other information:
adinfo --domain
For example:
ajax.org
The adinfo --diag command can also be useful in diagnosing Active Directory configuration issues and Kerberos problems. For example, in addition to other information, the --diag option returns the Kerberos key version for the UNIX computer. The key version is stored both locally and in the computer's Active Directory account. It is incremented when a service principal's password key changes. If the local key version differs from the Active Directory account key version, the local key is no longer in sync with the Active Directory key, and this may cause authentication to fail.
Appendix A Using Centrify DirectControl UNIX commands
By running adinfo --diag and checking the Key Version: field, you can determine whether the key versions are the same or out of sync. If the versions are different, the Key Version field shows both keys and indicates which is local and which comes from Active Directory. If the computer isn't joined to a domain, it has no local key and the following is displayed:
Key Version: local key version unavailable
If the computer is joined to a domain other than the specified domain, the Active Directory key is shown as:
<unavailable>
If the computer has joined a domain, the adinfo --diag command displays information similar to the following truncated example:
Host Diagnostics
  uname: Linux magnolia 2.4.21-15.EL #1 Thu Apr 22 00:27:41 EDT 2004 i686
  OS: Red Hat Enterprise Linux ES
  Version: 3 (Taroon Update 2)
  Number of CPUs: 1
IP Diagnostics
  Local host name: magnolia
  FQDN host name: magnolia (domain missing?)
  Local IP Address: 192.168.147.135
Domain Diagnostics:
  Domain: ajax.org
  Subnet site: Default-First-Site-Name
  DNS query for: _ldap._tcp.ajax.org
  Found SRV records: ginger.ajax.org:389
  Testing Active Directory connectivity:
    Domain Controller: ginger.ajax.org
      ldap: 389/udp - good
      ldap: 389/tcp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
  Domain Controller: ginger.ajax.org:389
    Domain controller type: Windows 2003
    Domain Name: AJAX.ORG
    isGlobalCatalogReady: TRUE
    domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AJAX.ORG
  DNS query for: _gc._tcp.AJAX.ORG
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
  Domain Controller: ginger.ajax.org:3268
    Domain controller type: Windows 2003
    Domain Name: AJAX.ORG
    isGlobalCatalogReady: TRUE
    domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AJAX.ORG
Retrieving zone data from ajax.org
  Centrify DirectControl 2.x zones:
    ConsumerDiv - ajax.org/Program Data/Centrify/Zones/ConsumerDiv
    Manufacturing - ajax.org/Program Data/Centrify/Zones/Manufacturing
    London - ajax.org/Program Data/Centrify/Zones/London
  Centrify Microsoft SFU zones:
    default - ajax.org/Program Data/Centrify/Zones/default
Computer Account Diagnostics
  Joined as: magnolia
  Key Version: 5
  Service Principal Names: nfs/magnolia.ajax.org
                           nfs/magnolia
                           host/magnolia.ajax.org
                           host/magnolia
                           ftp/magnolia.ajax.org
                           ftp/magnolia
                           cifs/magnolia.ajax.org
                           cifs/magnolia
                           HTTP/magnolia.ajax.org
                           HTTP/magnolia
Centrify DirectControl Status
  Running in connected mode
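The key-version and port-test checks described above are easy to automate once adinfo --diag output is captured. The following is an added example, not code from the guide or from Centrify: it parses a constructed sample modelled on the diagnostics output above and reports any port test that is not "good" and whether the Key Version field is in sync, unavailable, or out of sync. The exact wording adinfo uses when it shows both the local and Active Directory key versions is not given here, so the out-of-sync case relies only on finding two different numbers on that line (an assumption).

```python
import re

# Constructed sample, modelled on the truncated adinfo --diag output shown above;
# only the connectivity tests and the Key Version: line matter to this check.
SAMPLE_DIAG = """\
Domain Diagnostics:
  Domain: ajax.org
  Testing Active Directory connectivity:
    Domain Controller: ginger.ajax.org
      ldap: 389/udp - good
      ldap: 389/tcp - good
      smb: 445/tcp - good
      kdc: 88/tcp - good
      kpasswd: 464/tcp - good
Computer Account Diagnostics
  Joined as: magnolia
  Key Version: 5
Centrify DirectControl Status
  Running in connected mode
"""

# "<service>: <port>/<proto> - <result>" lines from the connectivity tests
PORT_TEST = re.compile(r"^\s*(\w+):\s+(\d+)/(tcp|udp)\s+-\s+(\S+)", re.MULTILINE)
KEY_VERSION = re.compile(r"^\s*Key Version:\s*(.*?)\s*$", re.MULTILINE)


def failed_ports(diag_text):
    """Every port test whose result is not 'good', as (service, port/proto, result)."""
    return [(svc, f"{port}/{proto}", result)
            for svc, port, proto, result in PORT_TEST.findall(diag_text)
            if result.lower() != "good"]


def key_version_state(diag_text):
    """Classify the Key Version: field as (state, versions).

    in_sync      a single version number: local and Active Directory agree
    out_of_sync  two different numbers on the line (assumption: the wording
                 adinfo uses when showing both keys is not relied on, only the numbers)
    unavailable  the local key (not joined) or the AD key is reported unavailable
    missing      no Key Version: line at all
    """
    match = KEY_VERSION.search(diag_text)
    if not match:
        return "missing", []
    field = match.group(1)
    if "unavailable" in field.lower():
        return "unavailable", []
    versions = sorted({int(v) for v in re.findall(r"\d+", field)})
    return ("in_sync" if len(versions) == 1 else "out_of_sync"), versions


def diag_report(diag_text):
    """One-line summary suitable for a monitoring check's output."""
    bad = failed_ports(diag_text)
    state, versions = key_version_state(diag_text)
    problems = [f"{svc} {port} {result}" for svc, port, result in bad]
    if state != "in_sync":
        problems.append(f"key version {state} {versions}")
    return "OK" if not problems else "WARN: " + "; ".join(problems)


if __name__ == "__main__":
    print(diag_report(SAMPLE_DIAG))
```

To run it against a real host, feed the captured output of adinfo --diag (run as root, as the option requires) into diag_report; a WARN line for the key version is the signal to compare the local and Active Directory key versions before authentication starts failing.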
To test whether a specific user can be authenticated by a specific Active Directory domain controller, you could type a command similar to the following:
adinfo --auth --user rae --servername ginger.ajax.org
You are then prompted for the Active Directory password for the user rae account. If Active Directory can authenticate the user, a confirmation message similar to the following is displayed:
Password for user rae is correct
To test connectivity and the availability of required ports on the Active Directory domain controller, you could type a command similar to the following:
adinfo --test
If the computer is joined to a domain and the connection to Active Directory succeeds, the command displays information similar to the following:
Domain Diagnostics:
  Domain: ajax.org
  DNS query for: _ldap._tcp.ajax.org
  DNS query for: _gc._tcp.ajax.org
  Testing Active Directory connectivity:
    Global Catalog: ginger.ajax.org
      gc: 3268/tcp - good
    Domain Controller: ginger.ajax.org
      ldap: 389/tcp - good
      ldap: 389/udp - good
The adinfo command can return the following errors:
The computer account password has been changed. If you encounter this error, you may need to manually reset the computer account password in Active Directory, then rerun the adinfo command.
ERR_KRB_READ_FORMAT (157): A Kerberos format error occurred when reading the Kerberos configuration file. You should rename or remove the configuration file, then rerun the adinfo command.
ERR_NOT_FQDN_NAME (158): The server name must be a fully-qualified domain name.
Using addebug
The addebug command is used to start or stop detailed logging activity for Centrify DirectControl on a local UNIX computer. The basic syntax for the addebug program is:
addebug [on | off | clear]
If you run the addebug on command, all of the Centrify DirectControl activity is written to the /systemLog/centrifydc.log file.
Note
If the adclient process stops running while logging is on, the addebug program records messages from PAM and NSS requests in the /systemLog/centrify_client.log file. Therefore, you should also check that file location if you enable logging.
If you do not specify an option, addebug displays its current status, indicating whether logging is active or disabled.
on
Start logging all Centrify DirectControl daemon activity.
off
Stop logging Centrify DirectControl daemon activity.
clear
Clear the existing log file, then continue logging activity to the cleared log file.
Note
You must type the full path to the command because addebug is not included in the path by default.
This command records information in the /systemLog/centrifydc.log file similar to the following:
...
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Joining domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Getting the KDC List for garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.base: Updating config file with domain garfield.com
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.join: Created user LDAP connection
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Destroying binding to 'garfield.com'
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Attempting connection to server
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connecting to odie.garfield.com:389
Dec 14 00:31:59 jon adjoin[11198]: com.centrify.daemon.ADBinding: Connected
...
For performance and security reasons, you should only enable Centrify DirectControl logging when necessary, for example, when requested to do so by Centrify Technical Support, and for short periods of time. To discontinue logging, type:
addebug off
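Because detailed logging should stay on only for a bounded period, a wrapper that cannot leave it enabled is worth having. The following is an added example, not code from the guide or from Centrify. It clears the log, turns logging on, waits for the reproduction window, and turns logging off in a finally block so that an interrupted session still ends with addebug off. The guide says addebug is not on the PATH but does not state its directory; /usr/share/centrifydc/bin is assumed here because that is where the guide locates the centrifydc startup script. The run and sleep callables are injectable so the sequencing can be checked on a machine without the agent.

```python
import subprocess
import time

# Assumed install path (the guide only gives this directory for the centrifydc script).
ADDEBUG = "/usr/share/centrifydc/bin/addebug"


def run_addebug(args):
    """Invoke addebug with the given argument list and return its stdout."""
    return subprocess.run([ADDEBUG, *args], check=True,
                          capture_output=True, text=True).stdout


def capture_debug_window(seconds, run=run_addebug, sleep=time.sleep):
    """Enable detailed logging for a bounded window and guarantee it is disabled again.

    Returns the addebug arguments issued, in order, so a caller (or a test) can
    confirm that 'off' was sent even when the wait was interrupted.
    """
    issued = []

    def step(*args):
        issued.append(args[0])
        run(list(args))

    step("clear")           # start the window from an empty centrifydc.log
    step("on")
    try:
        sleep(seconds)      # reproduce the problem here, or wait out support's window
    finally:
        step("off")         # runs even if the wait is interrupted (Ctrl-C, exception)
    return issued


if __name__ == "__main__":
    print(capture_debug_window(60))
```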
By default, the sanitized log file is written to obfuscate.txt in the directory in which you run adobfuscate. You can use the --outputfile option to specify a different filename or directory.
Using adfinddomain
The adfinddomain command displays the domain controller associated with the Active Directory domain you specify. The basic syntax for the adfinddomain program is:
adfinddomain [--format name|ldap|ip] [--port] [--verify] [--version] [domain | $]
If you don't specify a domain, the command returns information for the domain the local computer is joined to. If you specify a dollar sign ($) instead of a domain, the command returns the host name and, optionally, the port number for the Global Catalog server.
-f, --format name|ldap|ip
Control the format of the information displayed for the domain controller. For example, if you set the format to name, the command displays the host name of the domain controller. Similarly, you can specify the format to be the format used for LDAP requests or to be the fully-qualified host name of the domain controller. For example:
adfinddomain -f ldap
ldap:://fire.arcade.org
--port
Include the port number in the output.
--verify
Check whether the specified domain controller is currently operational.
-v, --version
Display version information for the installed software.
[domain | $]
Specify the domain name or the global catalog for which you want to display information.
To display the host name for the global catalog server, type:
adfinddomain $
zen.ajax.org
To include the port number for the domain controller or global catalog, type:
adfinddomain --format name --port ajax.org
ginger.ajax.org:389
or:
adfinddomain $ --port
zen.ajax.org:3268
The adfinddomain command can return the following errors:
The command is unable to obtain the IP address for the server.
ERR_UNDETECT_SERVICE (157): The command is unable to find the domain controller for the domain specified. You should verify the domain name, then try rerunning the adfinddomain command.
Using adflush
The adflush command can be used to clear the Centrify DirectControl cache on a local computer. The basic syntax for the adflush program is:
adflush [option]
Remove DirectAuthorize information from the adclient authorization store cache.
-d, --dns
Remove stored DNS information from the adclient local cache.
-f, --force
Clear the adclient local cache of all data even if the Centrify DirectControl Agent is currently disconnected from Active Directory.
-o, --objects
Remove only domain controller and global catalog objects from the cache.
--verbose
Display detailed information about the operation.
Display version information for the installed software.
To display verbose output and force the local cache to be cleared when the Centrify DirectControl Agent (adclient) is running in disconnected mode without access to Active Directory, you would type:
adflush --verbose --force
Using adid
The adid command can be used to display the real and effective UIDs and GIDs for the current user or a specified user. The basic syntax for the adid program is:
adid [option] [username|uid]
The adid command is intended as a replacement for the standard id program to look up user and group information for a specified user. For Active Directory users, the adid command is more efficient than the standard id program because it can request the user's group membership list directly through the Centrify DirectControl Agent, resulting in better performance. For the standard id program, requesting a user's group membership requires the program to search through all the groups on the system to find which groups include the user as a member. If you run the adid command and specify a user who is not an Active Directory user, the adid command transfers the request to the local id program with the same arguments you have specified.
-a
-n, --name
-u, --user
--help
To display the user ID and group ID for a specific user name, you can type:
adid alan
uid=505(alan) gid=100(users)
To display the user ID and group ID for a specific user ID, you can type:
adid 505
uid=505(alan) gid=100(users)
To display only the user ID for a specific user name, you can type:
adid --user sloane
506
Using adclient
Most Centrify DirectControl operations are managed by the central daemon process adclient. This daemon is automatically started when the system is first booted. The daemon generally remains running as long as the computer is powered up so that it can handle all of the authentication and authorization interaction between Active Directory and the UNIX shell programs or Web applications that need this information. Although you can run adclient directly from the command line to control the operation of the Centrify DirectControl Agent on a local computer, it is recommended that you do so only under the direction of Centrify support. Typically, you should start and stop adclient from a startup script; see Using the startup script on page 147.
Notes
On Solaris, Mac OS X, and certain Red Hat computers, such as computers running RHEL 5.2, you cannot use the -x option to stop adclient. When running computers with any of these operating systems, you should use the centrifydc startup script or system resource controller commands, such as startsrc, stopsrc, and lssrc. For example, to stop the agent use:
/usr/share/centrifydc/bin/centrifydc stop
The basic syntax for running adclient at the command line is:
adclient [-x] [-d] [-F]
-x
Stop the Centrify DirectControl Agent if it is currently running. Note: On computers running Solaris, Mac OS X, or RHEL 5.2, this option is not available.
-d
Set the Centrify DirectControl Agent to run in debug mode when it is restarted.
-F
Flush the Active Directory cache when the Centrify DirectControl Agent is restarted.
-M
Enable in-memory logging of Centrify DirectControl Agent operations.
For example, to flush the cache when the Centrify DirectControl Agent starts:
adclient -F
for startup scripts, see the documentation for the operating environment.
Starting the daemon
To manually start the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc start
To manually stop the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc stop
To manually stop then restart the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc restart
You can also check whether the daemon is currently running or stopped. To view the current status of the daemon when the startup script is located in the /usr/share/centrifydc/bin directory, you run this command:
/usr/share/centrifydc/bin/centrifydc status
Using adcache
The adcache command enables you to manually clear the local Centrify DirectControl cache on a computer. You can use this command to dump all cache files or a specific cache file. You can also use the command to check a cache file for a specific key value and to reclaim disk space. By default, the program dumps all cache files.
Before running adcache, you should stop the adclient process using the following command:
/usr/share/centrifydc/bin/centrifydc stop
Specify the full path to the cache file you want to check or clear.
-q, --quiet
Run the command without displaying any output. This option is useful for running the command as a scheduled maintenance job.
Check the Centrify DirectControl cache for a specific key value.
-r, --reorg
Reorganize the Centrify DirectControl cache and index files and recover disk space used by negative items. To use this option, you must run the adcache command as root. If you use this option, adcache stops and restarts the adclient process.
_HomeDirectory(s):/home/andre,
_LoginShell(s):/bin/bash,
_ObjectExtended(s):a30d50f5ef182e42b7687fa1ae07b776,
_ParentLink(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
_PwSync(s):altSecurityIdentities,
_SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
_ShellEnabled(s):True,
_Uid(s):504,
_UnixName(s):andre,
_dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org,
_extendedObjUSN(s):127065,
_groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>,<GUID=2d7305a27dfc884eb95ed5d4404a9016>,<GUID=d663e7d2088e6c4d8d89c0919f4a2b6e>,
_hashTimestamp(s):1190416207,
_maxPwdAge(s):-1,
_minPwdAge(s):128323800679025000,
_objectCategory(s):Person,
_pacGroups(s):0105000000000005150000009447c1d70eac103d99d0639e94040000,0105000000000005150000009447c1d70eac103d99d0639e00020000,0105000000000005150000009447c1d70eac103d99d0639e01020000,
_passwordHash(s):b450a7940716ea44d980322df1773b10,
_passwordSalt(s):$1$wJkhxUEB$,
_server(s):ginger.ajax.org,
_userPrincipalName(s):andre@AJAX.ORG,
accountExpires(s):9223372036854775807,
cn(s):Andre Garcia,
displayName(s):Andre Garcia,
msDS-KeyVersionNumber(s):3,
name(s):Andre Garcia,
objectCategory(s):CN=Person,CN=Schema,CN=Configuration,DC=ajax,DC=org,
objectClass(s):top,person,organizationalPerson,user,
primaryGroupID(s):513,
pwdLastSet(s):-1,
sAMAccountName(s):andre,
uSNChanged(s):1,
userAccountControl(s):512,
userPrincipalName(s):andre@ajax.org,
----------------------------------------------------------
To reorganize the Centrify DirectControl cache and index files and recover disk space used by negative items, you would run the following command:
adcache --reorg
You should run the adcache --reorg command on a regular basis in a cron job to remove negative results and to prevent the cache from consuming too much disk space. Depending on how quickly the size of the Centrify DirectControl cache tends to increase in your environment, you may want to schedule this command to run approximately once a week.
The adcache command can return the following errors:
The Centrify DirectControl Agent is currently running. You should stop the adclient process, then attempt to rerun the command.
ERR_CACHE_CORRUPT (157): The cache may be corrupt.
Using adreload
The adreload command enables you to force the Centrify DirectControl Agent (adclient) to reload configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory. Running this command enables changes made to the configuration properties to take effect without restarting the adclient process. Running adreload, however, does not reload the properties set with the following configuration parameters:
adclient.ldap.timeout
adclient.ldap.socket.timeout
adclient.udp.timeout
adclient.clients.threads
adclient.clients.threads.max
For the configuration parameters listed above, you must restart the adclient process for changes to take effect. The basic syntax for running the adreload program is:
adreload
Appendix B
auto.schema.primary.gid
This configuration parameter specifies the primary GID for the user. The auto.schema.private.group parameter must be set to false (the default) to use this parameter. Specify the GID for an existing group. To find the GID for a group, you can use the adquery command. For example, to find the GID for the group Support, open a terminal session and type:
>adquery group --gid Support
1003
If you do not set this parameter, the value defaults to the following: On Mac OS X: 20. On Linux: 65534
auto.schema.private.group
This configuration parameter specifies whether to use dynamic private groups. Specify true to create dynamic private groups. In this case, the primary GID is set to the user's UID and a group is automatically created with a single member. Specify false (the default) to not create private groups. In this case, the primary GID is set to the value of auto.schema.primary.gid, which defaults to 20.
auto.schema.shell
This configuration parameter specifies the default shell for the logged in user. The default value is /bin/bash on Mac OS X and Linux systems and /bin/sh on all other systems.
auto.schema.homedir
This configuration parameter specifies the home directory for logged in users. The default, if you do not specify this parameter, is /Users/%{user} on Mac OS X and /home/%{user} on UNIX. The syntax %{user} specifies the logon name of the user. For example, in the Centrify DirectControl configuration file, if you add:
auto.schema.homedir:/Users/%{user}
and jsmith logs on to a Mac OS X machine, the home directory is set to /Users/jsmith. If the auto.schema.use.adhomedir parameter is true, the home directory is set to the value in Active Directory for the user, if one is defined. If auto.schema.use.adhomedir is false, or if a home directory is not specified for the user in Active Directory, the home directory is set to the value defined for this parameter, auto.schema.homedir.
auto.schema.use.adhomedir
Note
only. This configuration parameter specifies whether to use the Active Directory value for the home directory, if one is defined. Set to true to use the Active Directory value (the default), or false to not use the Active Directory value. If you set the value to false, or if you set the value to true but a home directory is not specified in Active Directory, the value for auto.schema.homedir is used.
auto.schema.remote.file.service
Note
only. This configuration parameter specifies the type of remote file service to use for the network home directory. The options are: SMB (default) and AFP. When you type a path for the network home directory in Active Directory, it requires a specific format: /server/share/path, but on Mac OS X, the format for mounting a network directory requires the remote file service type: /type/server/share/path. By identifying the remote file-service type, you can type the network path in the format required by Active Directory, and Centrify DirectControl translates the path into the format required by Mac OS X. For example:
auto.schema.remote.file.service:SMB
auto.schema.name.format
This configuration parameter specifies how the Active Directory username is transformed into a UNIX name (short name in Mac OS X). The options are:
SAM (default)   An example SAM name is joe
SAM@domainName  An example SAM@domainName name is joe@acme.com
NTLM            An example NTLM name is acme.com-joe
auto.schema.separator
Note
This configuration parameter has been deprecated in favor of adclient.ntlm.separators, which applies whenever NTLM format is used. The auto.schema.separator parameter only applies when the computer is connected to Auto Zone.
This configuration parameter specifies the separator to be used between the domain name and the user name if NTLM format is used. The default is +; for example:
auto.schema.separator:+
auto.schema.domain.prefix
This configuration parameter specifies a unique prefix for a trusted domain. You must specify a whole number in the range of 0 - 511. Centrify DirectControl combines the prefix with the lower 22 bits of each user or group RID (relative identifier) to create unique UNIX user (UID) and group (GID) IDs for each user and group in the forest and in any two-way trusted forests. Ordinarily, you do not need to set this parameter because Centrify DirectControl automatically generates the domain prefix from the user or group Security Identifier (SID). However, in a forest with a large number of domains, domain prefix conflicts are possible. When you join a machine to a domain, if Centrify DirectControl detects any conflicting domain prefixes, the join fails with a warning message. You can then set a unique prefix for the conflicting domains. To set this parameter, append the domain name and specify a prefix in the range 0 - 511. For example:
auto.schema.domain.prefix.acme.com:3
auto.schema.domain.prefix.finance.com:4
auto.schema.domain.prefix.corp.com:5
The default behavior, if you do not set this parameter, is for Centrify DirectControl to automatically generate the domain prefix from the user or group Security Identifier (SID).
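The prefix scheme described above is worth working through with real numbers, because it determines how many bits of the RID survive and whether two domains can ever produce the same UID. The following is an added example, not code from the guide or from Centrify. It reads explicit auto.schema.domain.prefix lines from configuration text, extracts the RID from a SID (using the SID shown in the adcache dump earlier in this appendix), combines prefix and RID, and reports the prefix conflicts that cause adjoin to fail. The guide states the inputs (a 0-511 prefix and the low 22 bits of the RID) but not the bit layout; placing the prefix directly above the 22 RID bits is this example's assumption, chosen because the result then fits in a signed 32-bit ID. How Centrify derives a prefix automatically from the SID is not stated in the guide and is not attempted here.

```python
import re

RID_BITS = 22                         # the guide: low 22 bits of the RID are used
RID_MASK = (1 << RID_BITS) - 1
PREFIX_MAX = 511                      # the guide: prefix range 0 - 511

# auto.schema.domain.prefix.<domain>:<prefix> lines in centrifydc.conf
PREFIX_LINE = re.compile(
    r"^\s*auto\.schema\.domain\.prefix\.([^:\s]+)\s*:\s*(\d+)\s*$", re.MULTILINE)

# Constructed configuration text using the guide's three example lines.
SAMPLE_CONFIG = """\
auto.schema.domain.prefix.acme.com:3
auto.schema.domain.prefix.finance.com:4
auto.schema.domain.prefix.corp.com:5
"""


def parse_domain_prefixes(config_text):
    """Explicit per-domain prefixes found in configuration text, as {domain: prefix}."""
    return {domain: int(prefix) for domain, prefix in PREFIX_LINE.findall(config_text)}


def rid_from_sid(sid):
    """The RID is the last sub-authority of an S-1-5-21-... SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def derive_unix_id(prefix, rid):
    """Combine a domain prefix with the low 22 bits of a RID into a UID or GID.

    Layout (assumption, see lead-in): prefix occupies the 9 bits above the RID bits.
    """
    if not 0 <= prefix <= PREFIX_MAX:
        raise ValueError(f"prefix {prefix} outside 0-{PREFIX_MAX}")
    return (prefix << RID_BITS) | (rid & RID_MASK)


def split_unix_id(unix_id):
    """Inverse of derive_unix_id under the same assumed layout: (prefix, rid)."""
    return unix_id >> RID_BITS, unix_id & RID_MASK


def prefix_conflicts(prefix_map):
    """Domains that share a prefix: the condition under which the join fails."""
    by_prefix = {}
    for domain, prefix in prefix_map.items():
        by_prefix.setdefault(prefix, []).append(domain)
    return {p: domains for p, domains in by_prefix.items() if len(domains) > 1}


if __name__ == "__main__":
    prefixes = parse_domain_prefixes(SAMPLE_CONFIG)
    rid = rid_from_sid("S-1-5-21-3619768212-1024502798-2657341593-1153")
    for domain, prefix in prefixes.items():
        print(domain, prefix, rid, derive_unix_id(prefix, rid))
    print("conflicts:", prefix_conflicts(prefixes))
```

With prefix 3 and RID 1153 the assumed layout yields 12584065; a RID larger than 22 bits would be truncated, which is why distinct prefixes, not RIDs alone, keep IDs unique across domains.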
auto.schema.search.return.max
This configuration parameter specifies the number of users that will be returned for searches by utilities such as dscl and the Workgroup Manager application. Because Auto Zone enables access to all users in a domain, a search could potentially return tens of thousands of users. This parameter causes the search to truncate after the specified number of users. The default is 1000 entries.
auto.schema.name.lower
This configuration parameter converts all usernames and home directory names to lower case in Active Directory. Set to true to convert usernames and home directory names to lowercase. Set to false to leave usernames and home directories in their original case, upper, lower, or mixed. The default for a new installation is true. The default for an upgrade installation is false.
auto.schema.iterate.cache
This parameter specifies that user and group iteration take place only over cached users and groups. Set the value for auto.schema.iterate.cache to true to restrict iteration to cached users and groups. Set the value for auto.schema.iterate.cache to false to iterate over all users and groups. The default value is false.
adclient.ntlm.separators
This configuration parameter specifies the separators that may be used between the domain name and the user name when NTLM format is used. For example, the following setting:
adclient.ntlm.separators: +/\\
allows any of the following formats (assuming a user joe in the acme.com domain):
acme.com+joe
acme.com/joe
acme.com\joe
The backslash character (\) can be problematic on some UNIX shells, in which case you may need to specify domain\\user.
Note
The first character in the list is the one that adclient uses when generating NTLM names. The default values are +/\\, with + being the adclient default.
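The name transformation described under auto.schema.name.format, the case folding of auto.schema.name.lower, and the separator handling described here fit together in a few lines. The following is an added example, not code from the guide or from Centrify: unix_name builds the UNIX name for an account in each documented format (using the first configured separator for NTLM, as the note above states), and split_ntlm accepts any of the configured separators when taking a domain<separator>user name apart. The Python string "+/\\" is the three characters + / \, the documented default.

```python
DEFAULT_SEPARATORS = "+/\\"      # documented default for adclient.ntlm.separators: + / \


def unix_name(sam, domain, name_format="SAM", separators=DEFAULT_SEPARATORS, lower=False):
    """Build the UNIX name for an Active Directory account.

    name_format follows auto.schema.name.format (SAM, SAM@domainName, NTLM); for
    NTLM the first character of the separator list is used, as the guide states;
    lower mirrors auto.schema.name.lower.
    """
    if name_format == "SAM":
        name = sam
    elif name_format == "SAM@domainName":
        name = f"{sam}@{domain}"
    elif name_format == "NTLM":
        if not separators:
            raise ValueError("NTLM format needs at least one separator")
        name = f"{domain}{separators[0]}{sam}"
    else:
        raise ValueError(f"unknown auto.schema.name.format {name_format!r}")
    return name.lower() if lower else name


def split_ntlm(name, separators=DEFAULT_SEPARATORS):
    """Split domain<separator>user at the first configured separator.

    Any listed separator is accepted, so acme.com+joe, acme.com/joe and
    acme.com\\joe all resolve to ('acme.com', 'joe').
    """
    for index, ch in enumerate(name):
        if ch in separators:
            domain, user = name[:index], name[index + 1:]
            if domain and user:
                return domain, user
            break
    raise ValueError(f"{name!r} is not domain<separator>user with separators {separators!r}")


if __name__ == "__main__":
    for fmt in ("SAM", "SAM@domainName", "NTLM"):
        print(fmt, unix_name("joe", "acme.com", fmt))
    for candidate in ("acme.com+joe", "acme.com/joe", "acme.com\\joe"):
        print(candidate, "->", split_ntlm(candidate))
```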
Appendix C
pam.password.old.mesg
user1 10001 #AD User
user1 10002 #local user
user2 10001 #local user
user1 10001 #local user
user1 10002 #AD user
user2 10001 #AD user
pam.allow.groups
This configuration parameter specifies the groups allowed to access PAM-enabled applications. When this parameter is defined, only the listed groups are allowed access. All other groups are denied access. If you want to use this parameter to control which users can log in based on group membership, the groups you specify should be valid Active Directory groups, but the groups you specify do not have to be enabled for UNIX. Local group membership and invalid Active Directory group names are ignored. If you use this parameter to control access by group name, Centrify DirectControl checks the Active Directory group membership for every user who attempts to use PAM-enabled applications on the host computer. When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks with Active Directory to see what groups the user belongs to. If the user is a member of any Active Directory group specified by this parameter, the user is accepted and authentication proceeds. If the user is not a member of any group specified by this parameter, authentication fails and the user is rejected. The parameter's value can be one or more group names, separated by commas, or the file: keyword and a file location. For example, to allow only members of the administrators, sales, and engineering groups in Active Directory to log in:
pam.allow.groups: administrators,sales,engineering
You can use the short format of the group name or the full canonical name of the group. To enter group names with spaces, enclose them in double quotes; for example:
pam.allow.groups: "domain admins",sales,"domain users"
To specify a file that contains a list of the groups allowed access, type the path to the file:
pam.allow.groups: file:/etc/centrifydc/groups.allow
Notes
If a computer is configured to use Auto Zone without a zone, enter group names in the format specified by the auto.schema.name.format parameter:
SAM (samAccountName; this is the default); for example: finance_admins
samAccountName@domain_name; for example: finance_admins@acme.com
NTLM
You can look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery group -n to see the UNIX name for any group. For example, to see the UNIX name for the Finance_Admins group (and SAM, the default, is set for auto.schema.name.format), execute the following command, which returns the UNIX name as shown:
[root]#adquery group -n Finance_Admins
finance_admins
If you make changes to this parameter, you should run to clear the Centrify DirectControl cache to ensure your changes take effect.
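The two value forms of pam.allow.groups (a comma-separated list in which quoted names may contain spaces, or file: followed by a path) and the membership rule the module applies can be checked offline before the setting goes live. The following is an added example, not code from the guide or from Centrify and not the pam_centrifydc module's own logic. The layout of the groups file is not specified by the guide; one group name per line with blank lines and # comments ignored is this example's assumption, and group-name comparison is done case-insensitively here, which is also an assumption. The read_file callable is injectable so the file: form can be exercised without touching the filesystem.

```python
from pathlib import Path


def _read_disk(path):
    return Path(path).read_text()


def parse_allow_groups(value, read_file=_read_disk):
    """Parse a pam.allow.groups value into a list of group names.

    Accepts the two documented forms: a comma-separated list where a name
    containing spaces is enclosed in double quotes, or file:<path>. File layout
    (one group per line, # comments and blank lines ignored) is an assumption.
    """
    value = value.strip()
    if value.startswith("file:"):
        text = read_file(value[len("file:"):].strip())
        return [line.strip() for line in text.splitlines()
                if line.strip() and not line.lstrip().startswith("#")]
    groups, current, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes          # quotes delimit names with spaces
        elif ch == "," and not in_quotes:
            groups.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    groups.append("".join(current).strip())
    return [g for g in groups if g]


def pam_group_check(user_ad_groups, allowed_groups):
    """Apply the documented rule: with the parameter defined, a user passes only if
    a member of at least one listed Active Directory group. Comparison is
    case-insensitive here (assumption)."""
    if not allowed_groups:                     # parameter not defined: no restriction
        return True
    wanted = {g.lower() for g in allowed_groups}
    return any(g.lower() in wanted for g in user_ad_groups)


if __name__ == "__main__":
    # Constructed group memberships for two hypothetical users.
    allowed = parse_allow_groups('"domain admins",sales,"domain users"')
    print("rae:", pam_group_check(["Domain Users", "sales"], allowed))
    print("guest:", pam_group_check(["Guests"], allowed))
```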
pam.allow.override
This configuration parameter is used to override authentication through Active Directory to ensure the root user or another local account has permission to log on when authentication through Active Directory is not possible, when there are problems running the Centrify DirectControl daemon, or when there are network communication issues. When you specify a user account for this parameter, authentication is passed on to a legacy authentication mechanism, such as /etc/passwd. You can use this parameter to specify an account that you want to ensure always has access, even if communication with Active Directory or the Centrify DirectControl daemon fails. For example, to ensure the local root user always has access to a system even in an environment where you have enabled root mapping, you can specify:
pam.allow.override: root
To log in locally with the override account, you must specify the local user name and password. However, because the account is mapped to an Active Directory account, you must append @localhost to the user name. For example, if you have specified root as the override account and are using root mapping, you would type root@localhost when prompted for the user name. You can then type the local password for the root account and log in without being authenticated through Active Directory. If you are mapping the root user to an Active Directory account and password, you should set this parameter to root or to a local user account with root-level permissions (UID 0), so that you always have at least one local account with permission to access system files and perform privileged tasks on the computer even if there are problems with the network connection, Active Directory, or the Centrify DirectControl daemon.
pam.allow.password.change
This configuration parameter specifies whether users who log in with an expired password should be allowed to change their password. You can set this parameter to true or false and use it in conjunction with the pam.allow.password.expired.access parameter to control access for users who attempt to log on with an expired password. If both this parameter and pam.allow.password.expired.access are set to true, users logging on with an expired password are allowed to log on and are prompted to change their password. If the pam.allow.password.expired.access parameter is set to true, but this parameter is set to false, users logging on with an expired password are allowed to log on but are not prompted to change their password and the message defined for the pam.allow.password.change.mesg parameter is displayed. If both this parameter and pam.allow.password.expired.access are set to false, users who attempt to log on with an expired password are not allowed to log on or change their password and the message defined for the pam.allow.password.change.mesg parameter is displayed. For example, to allow users with expired passwords to change their password:
pam.allow.password.change: true
pam.allow.password.change.mesg
This configuration parameter specifies the message displayed when users are not permitted to change their expired password because the pam.allow.password.change parameter is set to false. For example:
pam.allow.password.change.mesg: Password change not permitted
pam.allow.password.expired.access
This configuration parameter specifies whether users who log in with an expired password should be allowed access. You can set this parameter to true or false and use it in conjunction with the pam.allow.password.change parameter to control access for users who attempt to log on with an expired password. If this parameter is set to true, users logging on with an expired password are allowed to log on, and either prompted to change their password if the pam.allow.password.change parameter is set to true, or notified that they are not allowed to change their expired password if the pam.allow.password.change parameter is set to false. If this parameter is set to false, users logging on with an expired password are not allowed to log on and the message defined for the pam.allow.password.expired.access.mesg parameter is displayed. For example, to allow users with expired passwords to log on:
pam.allow.password.expired.access: true
pam.allow.password.expired.access.mesg
This configuration parameter specifies the message displayed when users are not permitted to log on with an expired password because the pam.allow.password.expired.access parameter is set to false. For example:
pam.allow.password.expired.access.mesg: Password expired - access denied
pam.allow.users
This configuration parameter specifies the users who are allowed to access PAM-enabled applications. When this parameter is defined, only the listed users are allowed access. All other users are denied access. If you want to use this parameter to control which users can log in, the users you specify should be valid Active Directory users that have a valid UNIX profile for the local computer's zone. If you specify local user accounts or invalid Active Directory user names, these entries are ignored. If you specify one or more users with this parameter, user filtering is performed for all PAM-enabled applications on the host computer. When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks the users specified by this parameter to see if the user is listed there. If the user is included in the list, the user is accepted and authentication proceeds. If the user is not listed, the user is rejected. The parameter value can be one or more user names, separated by commas, or the file: keyword and a file location. For example:
pam.allow.users: root,joan7,bbenton
pam.allow.groups: administrators,sales,engineering
You can use the short format of the user name or the full canonical name of the user. To enter user names with spaces, enclose them in double quotes; for example:
pam.allow.users: "sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"
To specify a file that contains a list of the users allowed access, type the path to the file:
pam.allow.users: file:/etc/centrifydc/users.allow
If a computer is configured to use Auto Zone without a zone, enter user names in the format specified by the auto.schema.name.format parameter:
SAM (samAccountName; this is the default), for example: jcool
samAccountName@domain_name
NTLM
You can look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery user -n to see the UNIX name for any user. For example, to see the UNIX name for jcool (with auto.schema.name.format set to SAM, the default), execute the following command, which returns the UNIX name as shown:
[root]#adquery user -n jcool
jcool
If no user names are specified, then no user filtering is performed. If you make changes to this parameter, you should run adflush to clear the Centrify DirectControl cache to ensure your changes take effect.
pam.deny.groups
This configuration parameter specifies the groups that should be denied access to PAM-enabled applications. When this parameter is defined, only the listed groups are denied access. All other groups are allowed access. If you want to use this parameter to control which users can log in based on group membership, the groups you specify should be valid Active Directory groups, but the groups you specify do not need to be enabled for UNIX. Local group membership and invalid Active Directory group names are ignored. When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks with Active Directory to see which groups the user belongs to. If the user is a member of any Active Directory group specified by this parameter, the user is denied access and authentication fails. If the user is not a member of any group specified by this parameter, authentication succeeds and the user is logged on. The parameter's value can be one or more group names, separated by commas or spaces, or the file: keyword and a file location. For example, to prevent all members of the vendors and azul groups in Active Directory from logging on:
pam.deny.groups: vendors,azul
You can use the short format of the group name or the full canonical name of the group. To enter group names with spaces, enclose them in double quotes; for example:
pam.deny.groups: "domain admins",sales,"domain users"
To specify a file that contains a list of the groups that should be denied access:
pam.deny.groups: file:/etc/centrifydc/groups.deny
If a computer is configured to use Auto Zone without a zone, enter group names in the format specified by the auto.schema.name.format parameter:
SAM (samAccountName; this is the default), for example: finance_admins
samAccountName@domain_name, for example: finance_admins@acme.com
NTLM
You can look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery group -n to see the UNIX name for any group. For example, to see the UNIX name for the Finance_Admins group (with auto.schema.name.format set to SAM, the default), execute the following command, which returns the UNIX name as shown:
[root]#adquery group -n Finance_Admins
finance_admins
If this parameter is not defined in the configuration file, no group filtering is performed. If you make changes to this parameter, you should run adflush to clear the Centrify DirectControl cache to ensure your changes take effect.
pam.deny.users
This configuration parameter specifies the users that should be denied access to PAM-enabled applications. When this parameter is defined, only the listed users are denied access. All other users are allowed access. If you want to use this parameter to control which users can log in, the users you specify should be valid Active Directory users that have been enabled for UNIX. If you specify local user accounts or invalid Active Directory user names, these entries are ignored. When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks the users specified by this parameter to see if the user is listed there. If the user is included in the list, the user is rejected and authentication fails. If the user is not listed, the user is accepted and authentication proceeds. The parameter value can be one or more user names, separated by commas or spaces, or the file: keyword and a file location. For example, to prevent the user accounts starr and guestuser from logging on:
pam.deny.users: starr,guestuser
You can use the short format of the user name or the full canonical name of the user. To enter user names with spaces, enclose them in double quotes; for example:
pam.deny.users: "sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"
To specify a file that contains a list of the users that should be denied access:
pam.deny.users: file:/etc/centrifydc/users.deny
If a computer is configured to use Auto Zone without a zone, enter user names in the format specified by the auto.schema.name.format parameter:
SAM (samAccountName; this is the default), for example: jcool
samAccountName@domain_name
NTLM
You can look in the DirectControl configuration file for the value of auto.schema.name.format, or run adquery user -n to see the UNIX name for any user. For example, to see the UNIX name for jcool (with auto.schema.name.format set to SAM, the default), execute the following command, which returns the UNIX name as shown:
[root]#adquery user -n jcool
jcool
If this parameter is not defined in the configuration file, no user filtering is performed. If you make changes to this parameter, you should run adflush to clear the Centrify DirectControl cache to ensure your changes take effect.
pam.ignore.users
This configuration parameter specifies one or more users that Centrify DirectControl will ignore for lookup in Active Directory. Because this parameter allows you to intentionally skip looking up an account in Active Directory, it allows faster lookup for system accounts such as tty, root, and bin and local login accounts. This configuration parameter ignores listed users for authentication and NSS lookups.
If you are manually setting this parameter, the parameter value should be one or more user names, separated by a space, or the file: keyword and a file location. For example, to specify a list of users to authenticate locally:
pam.ignore.users: root sys tty
If this parameter is not defined in the configuration file, no users are specified.
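The filters described above (pam.allow.override, pam.ignore.users, pam.allow.users, pam.deny.users, pam.deny.groups) and the expired-password parameters pam.allow.password.expired.access and pam.allow.password.change can be checked against a configuration before it is deployed. The following Python model is an added example, not Centrify code: it parses the value syntax shown in this chapter (comma- or space-separated names, double-quoted names containing spaces, the file: keyword, backslash continuation lines) and reports what the pam_centrifydc module would decide for a login attempt. The combination rule (a user must pass every filter that is defined), case-insensitive name matching, treating an unset pam.allow.password.* parameter as false, and the sample configuration and list-file contents are assumptions.

```python
"""Model of the login checks this page describes for pam.allow.override,
pam.ignore.users, pam.allow.users, pam.deny.users, pam.deny.groups and the
expired-password parameters. Added example, not Centrify code; assumptions:
case-insensitive names, a user must pass every defined filter, and an unset
pam.allow.password.* parameter counts as false (the page states no default)."""
import shlex
from typing import Dict, List, Optional, Set, Tuple

# Constructed centrifydc.conf fragment using the value syntax shown on the page:
# comma/space-separated names, "quoted names", file: lists and '\' continuation.
SAMPLE_CONF = """\
pam.allow.override: root
pam.ignore.users: root sys tty
pam.allow.users: root,joan7,bbenton "sp1 user@acme.com"
pam.deny.users: file:/etc/centrifydc/users.deny
pam.deny.groups: vendors,"domain users"
pam.allow.password.expired.access: true
pam.allow.password.change: false
pam.allow.password.change.mesg: \\
Password change not permitted
"""
# Constructed contents of the list file named above (the path is the page's example).
SAMPLE_FILES = {"/etc/centrifydc/users.deny": "starr\n# shared vendor login\nguestuser\n"}

def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'name: value' lines; a value ending in a backslash continues on the next line."""
    params: Dict[str, str] = {}
    carried = ""
    for raw in text.splitlines():
        line = (carried + " " + raw.strip()).strip() if carried else raw.strip()
        carried = ""
        if line.endswith("\\"):
            carried = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        params[name.strip()] = value.strip()
    return params

def parse_name_list(value: str, files: Optional[Dict[str, str]] = None) -> List[str]:
    """Split a user or group list value into names, or read them from a 'file:' path."""
    if value.startswith("file:"):
        body = (files or {}).get(value[len("file:"):], "")
        return [l.strip() for l in body.splitlines() if l.strip() and not l.startswith("#")]
    lex = shlex.shlex(value, posix=True)  # posix mode honours the double quotes
    lex.whitespace += ","                 # commas separate names just as spaces do
    lex.whitespace_split = True
    return list(lex)

def check_access(params: Dict[str, str], user: str, groups: List[str],
                 password_expired: bool = False,
                 files: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Return ('local' | 'allow' | 'deny', reason) for one login attempt."""
    files = SAMPLE_FILES if files is None else files
    def names(key: str) -> Set[str]:
        return {n.lower() for n in parse_name_list(params.get(key, ""), files)}

    u = user.lower()
    # user@localhost with that user in pam.allow.override bypasses Active Directory.
    if u.endswith("@localhost") and u[: -len("@localhost")] in names("pam.allow.override"):
        return "local", "pam.allow.override: authenticated against the local password file"
    if u in names("pam.ignore.users"):
        return "local", "pam.ignore.users: no Active Directory lookup"
    allowed = names("pam.allow.users")
    if allowed and u not in allowed:  # an allow list, once defined, admits only its members
        return "deny", "not listed in pam.allow.users"
    if u in names("pam.deny.users"):
        return "deny", "listed in pam.deny.users"
    denied = {g.lower() for g in groups} & names("pam.deny.groups")
    if denied:
        return "deny", "member of denied group " + sorted(denied)[0]
    if password_expired:
        if params.get("pam.allow.password.expired.access", "false").lower() != "true":
            return "deny", params.get("pam.allow.password.expired.access.mesg", "")
        if params.get("pam.allow.password.change", "false").lower() == "true":
            return "allow", "logged on and prompted to change the expired password"
        return "allow", params.get("pam.allow.password.change.mesg", "")
    return "allow", "authentication proceeds"
```

Feed it the real centrifydc.conf text and the contents of any file: lists to see which accounts still get in after a change, before running adflush on the host.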
pam.mapuser.username
This configuration parameter maps a local UNIX user account to an Active Directory account. Local user mapping allows you to set password policies in Active Directory even when a local UNIX account is used to log in. This parameter is most commonly used to map local system or application service accounts to an Active Directory account and password, but it can be used for any local user account. For more information about mapping local accounts to Active Directory users, see Mapping local UNIX accounts to Active Directory on page 57. If you are manually setting this parameter, you should note that the local account name you want to map to Active Directory is specified as the last portion of the configuration parameter name. The parameter value is the Active Directory account name for the specified local user. For example, the following parameter maps the local UNIX account oracle to the Active Directory account oracle_storm@acme.com if the host computer's name is storm:
pam.mapuser.oracle: oracle_$HOSTNAME@acme.com
You can specify the user name in the configuration file with any of the following valid formats:
Standard Windows format: domain\user_name
Universal Principal Name (UPN): user_name@domain
Alternate UPN: alt_user_name@alt_domain
UNIX user name: user
You must include the domain name in the format if the user account is not in the local computer's current Active Directory domain. If this parameter is not defined in the configuration file, no local UNIX user accounts are mapped to Active Directory accounts.
pam.password.change.mesg
This configuration parameter specifies the text displayed by a PAM-enabled application when it requests a user to change a password. The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:
pam.password.change.mesg: Changing Active Directory password for\
If this parameter is not present, its default value is Change password for.
pam.password.change.required.mesg
This configuration parameter specifies the message displayed if the user enters the correct password, but the password must be changed immediately. For example:
pam.password.change.required.mesg: \ You are required to change your password immediately
pam.password.confirm.mesg
This configuration parameter specifies the text displayed by a PAM-enabled application when it requests a user to confirm his new password by entering it again. The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:
pam.password.confirm.mesg: Confirm new Active Directory password:\
If this parameter is not present, its default value is Confirm new password:.
pam.password.empty.mesg
This configuration parameter specifies the message displayed if the user enters an empty password. For example:
pam.password.empty.mesg: Empty password not allowed
pam.password.enter.mesg
This configuration parameter specifies the text displayed by a PAM-enabled application when it requests a user to enter his password. The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:
pam.password.enter.mesg: Active Directory password:\
pam.password.expiry.warn
This configuration parameter specifies how many days before a password is due to expire PAM-enabled applications should issue a warning to the user. The parameter value must be a positive integer. For example, to issue a password expiration warning 10 days before a password is set to expire:
pam.password.expiry.warn: 10
pam.password.new.mesg
This configuration parameter specifies the text displayed by a PAM-enabled application when it requests a user to enter his new password during a password change. The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:
pam.password.new.mesg: Enter new Active Directory password:\
If this parameter is not present, its default value is Enter new password:.
pam.password.new.mismatch.mesg
This configuration parameter specifies the message displayed during password change when the two new passwords do not match each other. For example:
pam.password.new.mismatch.mesg: New passwords don't match
pam.password.old.mesg
This configuration parameter specifies the message displayed by a PAM-enabled application when it requests a user to enter his old password during a password change. The parameter value must be an ASCII string. UNIX special characters and environment variables are allowed. For example:
pam.password.old.mesg: (current) Active Directory password:\
pam.policy.violation.mesg
This configuration parameter specifies the message displayed during password change if the operation fails because of a domain password policy violation. For example, if the user attempts to enter a password that doesn't contain the minimum number of characters or doesn't meet complexity requirements, this message is displayed. For example:
pam.policy.violation.mesg: \ The password change operation failed due to a policy restriction set by the\nActive Directory administrator. This may be due to the new password length,\nlack of complexity or a minimum age for the current password.
Appendix D
Confirm with yes when prompted, then use the following command to stop sshd:
pkill sshd
To install DirectControl and join the AD domain, see Installing the Centrify DirectControl Agent. The installation installs OpenSSH into the /usr/share/centrifydc/ directory structure, where the server daemon is in the sbin directory, the client applications are in the bin directory, and the man pages are in the man directory. The installation process also configures the OpenSSH server to start automatically on computer startup.
Setting up SSH
All configuration of the SSH server is taken care of for you by the installation. The only thing left to do is to start the server and test connectivity to the sshd server process. The first time the server starts, it tries to find the current set of host keys in /etc/ssh and import them. If it doesn't find the keys, it generates new keys and stores them in /etc/centrifydc/ssh. To start the server, run the following command (Red Hat Linux only):
service centrify-sshd start
For Sun Solaris, or as an alternative method on Red Hat Linux, run the following command:
/etc/init.d/centrify-sshd start
You can test the server by connecting to the local host to make sure that SSH is running and accepting connections. The following command should result in a local connection to the SSH server:
/usr/share/centrifydc/bin/ssh root@localhost
You can now see the Centrify Resource Center for a list of tested clients, and connect to the UNIX computer without being prompted for user ID or password as long as the user has a valid UNIX profile and permissions to log in to the UNIX computer.
Index
A
account mapping: configuration setting 174; purpose of 57
Active Directory: joining the domain 41; specifying a domain 42
adcache command: reference 148; examples 149; options 149
ADCheck 31
adcheck command: reference 105
adclient: log file 63; starting and stopping 146
adclient.ntlm.separators 161
addebug command: reference 138; examples 139; options 139
adfinddomain command: reference 140; examples 141; options 141
adfixid: examples 143
adflush command: reference 143; options 143
adid command: reference 144; examples 145; options 145
adinfo command: reference 127; displaying help 81; examples 135; introduction 67; options 128; when to use 81
adjoin command: reference 84; displaying help 81; examples 94; options 85; running after installation 41; when to use 80
adleave command: reference 99; displaying help 81; examples 104; options 101; when to use 80
adlicense: options 106, 108
adlicense command: reference 107
adpasswd command: reference 108; displaying help 81; examples 111; options 109; when to use 80
adquery command: reference 113; examples 123; group 119; user 113; when to use 80
adreload: examples 152; options 152
adupdate: displaying help 81
Auto Zone 20 to 21: configuration parameters 155 to 161
auto.schema.domain.prefix 159
auto.schema.homedir 157
auto.schema.iterate.cache 160
auto.schema.name.format 158
auto.schema.name.lower 160
auto.schema.primary.gid 156
auto.schema.private.group 156
auto.schema.remote.file.service 158
auto.schema.search.return.max 160
auto.schema.separator 159
auto.schema.shell 156
auto.schema.use.adhomedir 157
C
Centrify DirectControl: access control summary 15, 60; command line programs 80; daemon 146; diagnostic information 67; documentation 11; joining the domain 41; log files 64; managed system 15; package location 31; password enforcement 54; removing the software 49; solution overview 14 to 16; support for UNIX services 16; technical support 12; troubleshooting issues 63; Unix installation 27; UNIX requirements 26
Centrify DirectControl Agent: architecture 17; key tasks 16
Centrify web site 12
command line programs: basic usage 80; displaying help 81; location 80; man pages 81
configuration file (centrifydc.conf): Auto Zone parameters 155 to 161; PAM parameters 163 to 178
conventions, documentation 9
D
daemon: enabling logging 63; introduction 146
Debian Linux: removing DirectControl 50
diagnostic information 67, 135
DirectControl: integration with Samba 61
disconnected operation: account changes 56; credential storage 56
documentation: additional 11; audience 8; conventions 9; summary of contents 8 to 9
domain controllers: adding DNS server role 71; setting manually 73; testing connectivity 70
Domain Name Server (DNS): manual setting 70; nameserver entry 69; server role 69, 71; services provided 68; testing connectivity 70; Unix configuration 39; using a forwarder 71
purpose 63
E
etc/ssh 181
F
file sharing: ownership 61
ftp 60
G
global catalog, defining manually 73
groups: allowing access 164; denying access 170
I
installation: files and directories 38; prerequisites, Unix platforms 26; restarting services 46; Unix components 27
J
join operation: command reference 84; joining a domain 42 to 46
L
Linux: joining the domain 41; naming convention 10
log files: adinfo output 67; enabling 64; location 64, 138; performance impact 65
M
Mac OS X: directory on CD 31; removing DirectControl 50
man pages: displaying 81; source of information 11
managed system 15
messages: confirmation 175; empty password 176; mismatch between password 177; new password 177; old password 177; password changes 167, 168; policy violation 177; prompt for password 176
N
NSS configuration: modification 17; users ignored 173
NTLM name format 161
P
PAM configuration: account mapping 174; agent component 17; group filtering 164, 170; ignore authentication 166; messages displayed 175 to 176; parameter settings 163 to 178; user filtering 168, 172
pam.allow.groups 164, 170
pam.allow.override 166
pam.allow.password.change 167
pam.allow.users 168, 172
pam.deny.users 172
pam.ignore.users 173
pam.mapuser.username 174
pam.password.change.mesg 175
pam.password.change.required.mesg 175
pam.password.confirm.mesg 175
pam.password.empty.mesg 176
pam.password.enter.mesg 176
pam.password.expiry.warn 176
pam.password.new.mesg 177
pam.password.new.mismatch.mesg 177
pam.password.old.mesg 177
pam.policy.violation.mesg 177
pam.user.ignore 173
password management: changing your own 54; disconnected mode 56; expired passwords 167 to 168; messages displayed 175 to 176; policy definition 54; policy enforcement 16; resetting for other users 55
Q
Quick Start 11
R
Red Hat Linux: removing DirectControl 50
root user: adinfo options 67; adleave operation 100; enabling logging 64; installation requirement 28; join operation 84; local override account 60; override account 166; running native installers 35
S
Samba 60: integration with DirectControl 61
SSH 60, 179 to 182: about 180; installing 180; setting up 181; testing on UNIX 181; testing on Windows 182
SuSE Linux: removing DirectControl 50
T
technical support 12
telnet 60
troubleshooting: daemon operation 63; enabling logging 64; using adinfo 67
U
UNIX: command line programs 80; man pages 81; naming convention 10
Unix: DNS configuration 39; files and directories 38; installing DirectControl 27; restarting services 46; system requirements 26
UNIX users: local account mapping 57
users: account mapping 57; allowing access 168; denying access 172; disconnected logins 56; ignoring for lookups 173; local authentication 166; mapping local accounts 174; password policies 54
W
Windows: knowledge of 8
Z
zones: understanding the use of 20