Administrators Guide
November 2011
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time. 2004-2011 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software. U.S. 
Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S. Patents 8,024,360 and 7,591,005. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.
Contents

About this guide ... 5
    Intended audience ... 5
    Using this guide ... 5
    Conventions used in this guide ... 6
    Where to go for more information ... 6
    Contacting Centrify ... 7

Chapter 1  Introduction ... 8
    Understanding Centrify Express ... 8
    Understanding user access after you deploy ... 14
    Understanding Zones and Auto Zone ... 14
    Understanding how Centrify Suite generates profile attributes ... 15

Chapter 2  Installing Centrify Suite Express ... 16
    Selecting a deployment option ... 16
    Installing and using DirectManage Express ... 16
    Other options for deploying Centrify Suite packages ... 23
    Verifying the installation ... 26
    Troubleshooting adcheck errors ... 26
    Joining an Active Directory domain after installation ... 28
    Upgrading Centrify Suite Express to include licensed features ... 30
    Removing Centrify DirectControl ... 32

Chapter 3  Using DirectControl Express ... 33
    Logging on to your computer ... 33
    Getting information about the Active Directory configuration ... 34
    Applying password policies and changing passwords ... 34
    Working in disconnected mode ... 35
    Mapping local accounts to Active Directory ... 36
    Setting a local override account ... 37
    Using standard programs such as telnet, ssh, and ftp ... 37

Chapter 4  Troubleshooting Centrify Suite Express ... 39
    Addressing log on failures ... 39
    Understanding diagnostic tools and log files ... 40
    Configuring logging for Centrify Suite ... 41
    Collecting diagnostic information ... 43
    Resolving Domain Name Service (DNS) problems ... 43

Chapter 5  Using command-line programs ... 45
    Understanding when to use command-line programs ... 45
    Command-line programs available in Centrify Suite Express ... 45
    Displaying usage information and man pages ... 46

Chapter 6  Customizing Centrify Suite operations using configuration parameters ... 48
    Auto Zone configuration parameters ... 48
    PAM-related configuration parameters ... 52
    DNS-related configuration parameters ... 57

Index ... 59
Intended audience
This Centrify Suite Express Administrator's Guide describes how to install, configure, and use the components in the Centrify Express suite of products. This guide is intended for system and network administrators who are responsible for managing user access to servers, workstations, and network resources. This guide assumes you have a working knowledge of Microsoft Active Directory and how to perform common administrative tasks on the platforms you support. This guide also assumes basic, but not expert, knowledge of how to perform common tasks. If you are an experienced administrator, you may be able to simplify or automate some tasks described in this guide using platform-specific scripts or other tools.
Chapter 2, Installing Centrify Suite Express, describes the options available for installing Centrify Suite Express on computers to be managed. Chapter 3, Using DirectControl Express, explains how to take advantage of Active Directory when joined to a domain through Centrify Suite Express.
Chapter 4, Troubleshooting Centrify Suite Express, describes basic troubleshooting steps and how to use diagnostic tools and log files to retrieve information about the operation of Centrify Suite Express. Chapter 5, Using command-line programs, provides reference information for the command-line programs available for Centrify Suite Express. Chapter 6, Customizing Centrify Suite operations using configuration parameters, provides a quick reference for the configuration parameters that you can set to control Centrify Suite Express operations.
Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms. Italics are used for book titles and to emphasize specific words or terms. For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted. The variable release is used in place of a specific release number in the file names for individual Centrify DirectControl software packages. For example, the file name centrifydc-release-sol8-sparc-local.tgz can be used to refer to a software package that includes a version number such as centrifydc-5.0.1-sol8-sparc-local.tgz.
Quick Start for Express provides a brief summary of the steps for installing Centrify DirectControl Express agents so you can begin working with the product right away.
Individual UNIX man pages provide command reference information for Centrify DirectControl UNIX command-line programs.
In addition, you may want to consult documentation for the specific version of Windows, Linux, UNIX, or Mac OS X you are using, or the documentation for Microsoft Active Directory. This information can help you get the most out of Centrify DirectControl.
Contacting Centrify
If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify Corporation with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify Corporation products, support, services, and upcoming events. For information about purchasing or evaluating Centrify Corporation products, send email to info@centrify.com.
Chapter 1
Introduction
This chapter provides an introduction to Centrify Suite Express Edition, including a brief overview of how Centrify Suite can help you leverage your investment in Active Directory. The following topics are covered:
- Understanding Centrify Express
- Understanding user access after you deploy
- Understanding Zones and Auto Zone
- Understanding how Centrify Suite generates profile attributes
DirectManage Express provides a centralized console for deploying and managing DirectControl agents from a Windows 32-bit or 64-bit computer. It is optional but provides a convenient way to deploy and manage DirectControl Express agents. DirectControl Express agents are platform-specific software packages that enable non-Windows computers to join the Active Directory domain. After you download and install a DirectControl Express agent and specify an Active Directory domain for the agent to join, the agent manages the authentication of Active Directory users with no further configuration required. Additional Centrify Express offerings provide optimized, Kerberos-enabled OpenSSH, Samba, and PuTTY connections.

Centrify Express enables you to quickly deploy Active Directory authentication and authorization services on non-Windows computers with minimal configuration. Taken together, Centrify Express products provide a solid foundation of functionality that is suitable on its own for many organizations. If your organization outgrows the basic functionality of Express, you can upgrade to another edition of Centrify Suite to take advantage of additional features. For example, features not available in Centrify Express include:
- Group policies that enable you to manage configuration settings for non-Windows computers and users.
- Zones that enable you to manage user identity information, group membership, computer-based access control, and delegated administration.
- Centrify DirectAuthorize rights and role definitions that enable you to specify and enforce role-based entitlements for privileged commands and other operations.
- Centrify DirectAudit that enables auditing, logging, and real-time monitoring of user activity.
- Centrify DirectSecure that enables dynamic isolation and end-to-end encryption of data in motion.
These more advanced features and products are available in other editions of Centrify Suite, such as Centrify Suite Standard Edition, Centrify Suite Enterprise Edition, and Centrify Suite Platinum Edition.
- Authenticate all valid Active Directory users without importing or mapping any accounts.
- Use Centrify-compiled versions of OpenSSH, Kerberos libraries, and Samba to connect to additional network resources.
The primary reason to use DirectControl Express is that it enables Active Directory authentication without requiring any configuration or account management. For example, DirectControl Express automatically creates consistent UIDs across the domain for users with access to the computers it manages. In addition, DirectControl Express eliminates the need to create zones and configure zone properties. Zones provide a powerful and flexible structure for managing user identities, role-based access controls, and delegated administrative authority. The ability to create and manage zones is a key element of Centrify Suite Standard Edition and beyond. However, using zones effectively requires some planning and design. For some organizations, determining how best to use zones is unnecessary because they don't require more than one zone.
DirectControl Express is designed for organizations that don't require zones to help them manage user profiles, role assignments, or administrative activities. With DirectControl Express, there is only one zone, the Auto Zone, for all users, groups, and computers. The Auto Zone requires no configuration or management. Because DirectControl Express only supports a single predefined zone, however, it is most suitable for organizations:
- that want to add computers to a domain quickly without configuring any zones.
- that do not need to maintain or manage existing UIDs and GIDs.
- that have a limited number of users and domains.
- that have a relatively flat organizational structure.
If your organization grows in size and complexity, you may find that the limited functionality of DirectControl Express no longer meets your needs. You can upgrade Centrify Suite Express Edition to add the features of another edition at any time. For more information about the features of each edition of Centrify Suite, see Understanding Zones and Auto Zone on page 14.
What the DirectControl Express agent does
The DirectControl Express agent makes a computer look and behave like a Windows client computer to Active Directory. The agent performs the following key tasks:
- Joins the computer to an Active Directory domain.
- Communicates with Active Directory to authenticate users when they log on.
- Caches users' credentials for offline access.
- Enforces Active Directory authentication and password policies.
- Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.
Agents are platform-specific, but provide an integrated suite of services that enable existing programs and applications to use Active Directory. For example, the core agent service is the adclient process. The adclient process handles all of the direct communication with Active Directory and coordinates with other services to process requests for authentication, authorization, directory assistance, or policy updates. Other services handle specific types of operations. For example, the pam_centrifydc module enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory. A custom NSS module modifies the nsswitch.conf configuration file so that system look-up requests use the information in Active Directory. A configurable local cache stores user credentials and other information for offline access and network efficiency.
In addition to the core agent services, DirectControl Express also includes Centrify-compiled versions of standard Kerberos utilities, OpenSSH, and Samba, which are optimized to work with Active Directory.
- Analyze the users and groups defined on discovered computers.
- Fix problems that prevent you from deploying Centrify software or joining the Active Directory domain.
- Add, modify, and delete local UNIX and Linux users and groups.
- Download the latest versions of Centrify Suite packages directly from the Centrify Download Center.
- Deploy operating system-specific Centrify Suite packages and join Active Directory domains.

Using the DirectManage Express Deployment Manager is optional. You can deploy DirectControl Express agents directly on local computers or using a software delivery program or another file distribution method on remote computers. However, Deployment Manager allows you to perform virtually any administrative task on remote computers from a single Windows console as long as you have account credentials that allow you to log on and perform those administrative tasks on the remote computer. Deployment Manager also enables you to download the latest Centrify Suite packages, install selected Centrify Suite components, periodically check for updated software, and join or leave an Active Directory domain from a single console. In general, Centrify recommends that you use Deployment Manager if you have a Windows computer with reliable network connectivity between the Windows computer and the computers you want to manage. If you don't have access to a Windows computer where you can install Deployment Manager or have restricted network connectivity, you can use one of the other options for deploying DirectControl Express agents. For more information, see Other options for deploying Centrify Suite packages on page 23.
The Deployment Manager includes a Microsoft SQL Server Compact Edition database that stores computer and account information. The minimum disk space required depends on the number of computers and accounts discovered. Because the database stores the account credentials for users and service accounts, including the root password for each computer, in its repository, passwords are encrypted with the access token of the Active Directory user who installs Deployment Manager. Therefore, for security purposes:
- You should not install Deployment Manager on a laptop.
- You should not use a shared account for managing access to Deployment Manager.
- You should use a strong password and password enforcement policies for the account used to install Deployment Manager.

Deployment Manager requires network connectivity between the Windows computer where it is installed and the UNIX computers where you want to deploy the agent. It also requires the ability to use outbound ssh or telnet connections from the Windows computer to the managed UNIX computers, or an Internet connection. If possible, you should install Deployment Manager on a computer that allows outbound connections to the Internet. If the computer has Internet access, you can connect directly to the Centrify Download Center to download software for the platforms you support. If you install Deployment Manager on a computer that does not allow outbound Internet connections, you should identify another computer for connecting to the Centrify Download Center and a network share for transferring the files between the computer that has Internet access and the computer where Deployment Manager is installed.
advantage of additional features or products. The descriptions below provide a brief summary of what is included in each edition.
Product offering: Centrify Suite Express Edition
Description: Free software that provides basic integration with Active Directory. The main features are:
- DirectControl Express to join computers to the domain and to automatically generate user profiles.
- DirectManage Express Deployment Manager to discover and manage remote computers on the network and deploy software.
- Centrify-compiled versions of OpenSSH, Samba, and standard Kerberos utilities to enable those programs to use Active Directory credentials.

Product offering: Centrify Suite Standard Edition
Description: Commercial offering that provides the full complement of DirectControl features and functionality. The main features are:
- Zones to ease the migration of existing users and groups into Active Directory, manage access to computers, and allow delegated management.
- Policy-based enforcement of computer and user configuration settings.
- Support for NIS map integration and migration.
- Standard out-of-the-box reports and a report creation wizard.
- Deployment Manager to centrally discover computers, check remote computers for potential issues, deploy new or updated software, run scripts, and manage user and group accounts.
- Rights and role-based entitlements for user accounts and privileged commands.
- Centrify-compiled versions of OpenSSH, Samba, and standard Kerberos utilities to enable those programs to use Active Directory credentials.
- Advanced command line programs and configuration parameters for tuning operations.
- For Mac OS X users, the ability to use PIV or CAC smart cards for authentication and single sign-on.

Product offering: Centrify Suite Enterprise Edition
Description: Commercial offering that provides the full complement of features and functionality included in Centrify Suite Standard Edition plus:
- DirectAudit for real-time auditing of user sessions and record and playback features for analyzing and troubleshooting user activity.
- Centrify Suite Network Information Service (adnisd) to enable the servicing of NIS client requests using the information stored in Active Directory and replace legacy NIS servers.

Product offering: Centrify Suite Platinum Edition
Description: Commercial offering that provides the full complement of features and functionality included in Centrify Suite Enterprise Edition plus:
- DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and encrypting data in motion.

Product offering: Centrify Suite Application Edition
Description: Commercial offering that provides the full complement of features and functionality included in Centrify Suite Enterprise Edition plus:
- Authentication and authorization services for Apache and J2EE application servers Tomcat, JBoss, WebSphere, and WebLogic.
- Single sign-on support for SAP and IBM DB2.
- Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
- Manage their Active Directory passwords directly from the command line, provided they can connect to Active Directory.

You can explicitly configure any computer to deny or allow specific users or groups. For information about using configuration parameters to control access, see pam.deny.users | pam.allow.users and pam.deny.groups | pam.allow.groups.
If a computer joins a domain through Auto Zone, and the domain has a one-way trust relationship with another domain, users and groups in the trusted domain do not become valid users and groups on the computer.
Note: You can selectively control access to computers that are joined to Auto Zone by setting configuration parameters, such as pam.deny.users and pam.deny.groups, in the centrifydc.conf configuration file. For more information about setting these configuration parameters, see Auto Zone configuration parameters on page 48.
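Because every valid Active Directory user becomes a valid user on an Auto Zone computer unless one of these parameters restricts logon, it is worth checking what a deployed centrifydc.conf actually sets. The following POSIX shell script is an added example, not part of this guide or of Centrify's software: it reads the pam.allow.users, pam.allow.groups, pam.deny.users and pam.deny.groups lines from a configuration file and classifies the logon policy, assuming the "name: value" line format, that a leading "#" comments a line out, and that the last occurrence of a parameter wins; the sample files it reads are constructed here.

```shell
#!/bin/sh
# Added example (not Centrify's code): report which pam.allow/pam.deny
# parameters a centrifydc.conf sets, so an administrator can see whether an
# Auto Zone computer is open to every valid Active Directory user.
# Assumptions: parameters use the "name: value" line form, a leading "#"
# comments a line out, and the last occurrence of a parameter wins.

# Print the value of one parameter (empty if unset or commented out).
# Usage: cdc_param <conf-file> <parameter-name>
cdc_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# Classify the logon policy a conf file expresses:
#   open       no allow or deny parameter set: any valid AD user can log on
#   allowlist  pam.allow.users and/or pam.allow.groups restrict logon
#   denylist   only deny parameters set: everyone except the listed entries
# Reporting an allow list as the stronger restriction is this script's
# convention, not a statement about the order in which adclient evaluates them.
cdc_access_policy() {
    allow=$(cdc_param "$1" pam.allow.users)$(cdc_param "$1" pam.allow.groups)
    deny=$(cdc_param "$1" pam.deny.users)$(cdc_param "$1" pam.deny.groups)
    if [ -n "$allow" ]; then
        echo allowlist
    elif [ -n "$deny" ]; then
        echo denylist
    else
        echo open
    fi
}

# Constructed sample configuration files (not real Centrify defaults).
CDC_SAMPLES=$(mktemp -d)

cat > "$CDC_SAMPLES/open.conf" <<'EOF'
# constructed sample: nothing restricts logon; the allow line is commented out
adclient.cache.encrypt: true
# pam.allow.users: user1, user2
EOF

cat > "$CDC_SAMPLES/deny.conf" <<'EOF'
# constructed sample: everyone except these accounts may log on
pam.deny.users: guest, svc_backup
EOF

cat > "$CDC_SAMPLES/allow.conf" <<'EOF'
# constructed sample: only members of one group may log on
pam.deny.users: guest
pam.allow.groups: unix_admins
EOF

# Walk the samples and print one line per file, e.g. "open.conf: open".
for f in "$CDC_SAMPLES"/*.conf; do
    printf '%s: %s\n' "$(basename "$f")" "$(cdc_access_policy "$f")"
done
```

Pointing cdc_access_policy at the real /etc/centrifydc/centrifydc.conf (path assumed) on each joined computer gives a quick inventory of which hosts are still open to the whole domain.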
In addition to the UID and GID, DirectControl creates a home directory for the user with all the associated profile and configuration files. The location for the home directory is:
- Linux: /home/username
- Mac OS X: /Users/username
Deploying Centrify Suite Express does not affect local users. User accounts that are defined in /etc/passwd can still log on locally to any local computer. If you want to control access through Active Directory, however, you should create Active Directory accounts for each user. After you verify user access for the Active Directory user, you can then either delete the local account, or map the local users on each computer to an Active Directory account to preserve access to current home directories and files. For more information about mapping accounts, see Mapping local accounts to Active Directory on page 36.
Chapter 2
- Installing and using DirectManage Express
- Other options for deploying Centrify Suite packages
- Verifying the installation
- Upgrading Centrify Suite Express to include licensed features
- Removing Centrify DirectControl

- Install and manage agent packages independently by running an installation script, package management program, or software distribution tool locally or remotely on individual computers.
In most cases, Centrify recommends you download DirectManage Express and use its Deployment Manager to simplify the deployment of the agent on remote computers. If you don't have access to a Windows computer where you can install Deployment Manager or have restricted network connectivity that does not allow communication between Windows and UNIX computers, use one of the other options for deploying Centrify Suite packages. For more information, see Other options for deploying Centrify Suite packages on page 23.
discovered on the network. After you install, Deployment Manager provides an intuitive four-step process for:
- Discovering non-Windows computers on your network.
- Retrieving the appropriate Centrify Suite packages to install.
- Checking for issues that might prevent a successful deployment.
- Installing DirectControl agents and joining an Active Directory domain.

Typically, you install DirectManage Express on a single Windows computer with a 32-bit or 64-bit operating system that is Windows XP or higher:
- Windows XP (SP2 and higher)

The Deployment Manager includes a Microsoft SQL Server Compact Edition database that stores computer and account information. The minimum disk space required depends on the number of computers and accounts discovered. In general, Centrify recommends the following minimum hardware configuration:
- 2 GB RAM

To download and deploy software, the computer where you install DirectManage Express must have network connectivity or an Internet connection between the Windows computer where it is installed and the UNIX computers where you want to deploy the agent. Centrify recommends that you install on a computer that allows outbound Internet connections and connectivity between the Windows computer and each of the UNIX, Linux, and Mac OS X computers you want to manage.
To install software on remote computers and join Active Directory domains, you must have access to an account with appropriate permissions:
- To run privileged commands, you should have access to the root account, the local Administrator account, or an account that has been granted escalated privileges using su or sudo and settings in a sudoers configuration file.
- To join a domain, you need an Active Directory account and password that has permission to add computers to the domain. Depending on your organization, the Active Directory account may be required to be a member of the Domain Admins group. If you are not sure whether you have permission to add computers to the domain using your own Active Directory account, check with the Active Directory administrator for your site.
Download Now.
3 Open the downloaded file to start the setup program. For example, double-click the CentrifyDM-version-win32.exe program.
4 Follow the prompts displayed to accept the license agreement, select a location for program files, and launch Deployment Manager.

The Deployment Manager Welcome page displays the steps to follow to complete the successful deployment of Centrify Suite software:

Step 1, Building a computer list: You specify how to find computers, for example, by specifying a subnet or IP-address range, and Deployment Manager gathers information, such as the host name and operating system, about the computers it finds.
Step 2, Downloading Centrify Suite software: You specify account credentials or a folder location, and Deployment Manager downloads Centrify Suite software from the Centrify Download Center or from a network drive to make it available for deployment.
Step 3, Analyzing your environment: You select the computers discovered, and Deployment Manager analyzes the computers to determine whether they are ready for deployment or have potential issues.
Step 4, Deploying Centrify Suite software: You select the computers that are ready to have the software installed or upgraded and deploy Centrify Suite to those computers. Optionally, you can join an Active Directory domain during deployment or perform this step later after the files are installed on target computers.
After you complete a step, Deployment Manager displays the results on the Welcome page and adds an appropriate node to the console tree in the left pane. For example, after you add computers, Deployment Manager includes a Computers node.
- Discover computers from the network
- Discover computers from a cloud service
- Import a computer list from a text file
- Add a single computer

4 Follow the prompts displayed to specify a subnet address and mask, the cloud service provider, the location of the text file to import, or the individual computer name or IP address, then click Next.
5 Check the list of computers displayed, and decide whether any found computers should be removed or inaccessible computers should be added to the repository, then click Next.
6 Type account information that will enable you to log on to each computer, then click Next.
7 Select the authentication method and provide the password or private key information
8 Click Finish to exit the wizard and retrieve information for the specified computers. Completing this step adds the Computers and History, and potentially, Open Issues nodes to Deployment Manager's console tree.
address and password that you used to register for a Centrify account, then click Next.
4 Select Analysis Tools and Centrify Suite for the platforms you support, then click Next. By default, only the latest packages for the platforms that have been previously discovered are displayed. You can turn these filters off to select additional packages.
5 Confirm the list of packages to be downloaded, then click Finish to begin downloading the packages. Completing this step adds the Software node and updates the History node in Deployment Manager's console tree.
Analyze.
3 Type or accept the name of the Active Directory domain to analyze. This is the domain you intend to join for the selected computers. Optionally, you can also change the number of domain controllers to check. The default limit is 10.
4 Click OK to begin analysis.
Deployment Manager displays the results of the analysis by listing computers in different categories. For example, computers that do not have Centrify Suite installed are listed under the Computers with No Centrify Software category as Ready to Install, Ready to Install with Warnings, or Not Ready to Install.
5 Restart computers that are reported as Not Ready to Install or Not Ready to Update to ensure that the operating system boots properly before making any changes to those systems.
Review and resolve open issues
There are many common problems that the Analysis Tools can report that will require you to make changes before installing Centrify Suite software. For example, if the analysis finds there's not enough disk space available on a particular computer, it reports this information as an open issue for that computer. You can then view the details about that open issue to see more detailed information, such as how much more disk space is required. The options available for resolving open issues from Deployment Manager depend on the type of issue reported.
To resolve the errors and warnings that were found:
1 Expand one of the categories with errors or warnings. For example, click the expansion
selected computer.
3 Right-click an open issue to select an option for resolving the issue or to open a connection on the remote computer. For example, if the user name or password provided for a computer is not valid or has not been specified, you can right-click that open issue, and select the Set user name and password option to update the user name and password. If a computer displays the Check clock synchronization issue, the right-click menu allows you to select Synchronize Clock to correct the issue.
Re-analyzing target computers after resolving open issues
You should always re-run the analysis of your environment after resolving issues to verify your changes fixed the problem and that no new issues have been introduced. You can re-run the Analyze command for all or selected computers in selected categories at any time. You can also select individual computers, right-click, then select Analyze Environment to re-run the analysis on a specific computer.
category, then click Deploy. You can click the check box for a category to select all computers in that category, or expand a category to select computers individually.
3 Select Centrify Suite Express Edition, then click Next.
4 Confirm the Centrify Suite edition you have selected and the version available in the
Depending on the Centrify Suite you have selected, some or all components are selected by default. You can deselect any component you do not want to install. If you deselect a component on which other components depend, DirectControl deselects the dependent components.
6 Select Add the computers into Active Directory after install if you want to join the domain automatically after installing the software on selected computers, then click Next. For Centrify DirectControl Express, you should leave the Add the computers into Active Directory after install option selected because you are not migrating existing user and group accounts with existing profiles.
7 Use the current Active Directory login credentials or specify a different user name and
For Centrify DirectControl Express, you can typically use the default join options. However, you can change the following options, if needed, then click Next:
Select the Computer name and Computer alias options if you have disjointed DNS. For example, if the Active Directory DNS uses ocean.local but the UNIX computer is registered in DNS with ocean.net, you should specify the computer name as computer.ocean.local and the computer alias as computer.ocean.net.
Click Container, then click Change to navigate to and select an organizational unit for the computer account, then click OK to continue selecting join options.
Click Domain controller, then type the fully-qualified domain name for a specific domain controller to ensure that the UNIX computer connects to the domain controller you designate even if Deployment Manager connects to a different domain controller.
Select Trusted for delegation if you want users to be able to forward their Kerberos ticket-granting ticket to other UNIX computers as they move around the network. This is a useful option if users typically use SSH to a gateway UNIX computer, then use SSH to access other UNIX computers from that computer.
9 Specify whether to use the current credentials or another administrative account after joining the domain, then click Next. If group policies lock down the use of the root account, you should specify an alternate account with appropriate permissions to perform administrative functions after the computer has joined Active Directory. If you are not keeping the current credentials, type the user name and password for an Active Directory account. You can also select whether to use the su command or sudo and the sudoers file to run privileged commands that require root permissions. If you select the su command, you must type the password for the local root user on the computer joining the domain.
10 Review your selections, then click Finish to install Centrify Suite on the selected computers and join the domain. When the deployment of software packages is complete, the Welcome page displays a check mark for each computer on which software was successfully deployed.
Create a configuration file and run the installation script remotely on any computer in silent mode.
Use the install or update operations in the native package installer for your operating environment.
If you want to use one of these installation options and need more information, see the appropriate section. If you can't use Deployment Manager, Centrify recommends that you use the installation script (install-express.sh on any platform or centrifydc-version-mac10.n.dmg on Mac OS X computers).
3 Run the install-express.sh script to start the installation of the Centrify Suite on the
4 Follow the prompts displayed to check the computer for potential issues, install the Centrify Suite Express Edition, and join a domain automatically at the conclusion of the installation. If the adcheck program finds potential issues, you may see warning or error messages. Depending on the issue reported, you may have to make changes to the computer before continuing or after installation. For most prompts, you can accept the default by pressing Enter. When prompted for the Active Directory domain, type the fully qualified name of the Active Directory domain to join. You must also type the user name and password for an Active Directory user with permission to add computers to the domain.
5 After you have responded to all of the prompts displayed, review your selections, then
3 Double-click ADCheck to open the ADCheck utility to check the operating system,
and Active Directory configuration pass all checks with no warnings or errors, you should be able to perform a successful installation and join.
6 Double-click CentrifyDC.pkg to open the Centrify Express Installer.
7 Follow the prompts displayed to review and agree to the terms of the license agreement and select a volume for installing the agent, then click Install to begin the installation.
8 If prompted, enter the administrator name and password.
9 Type the domain name, then click Join Domain.
Note
You can click Show Advanced Options if you want to specify additional options when joining a domain.
10 Click Join Domain and enter the Active Directory user (defaults to Administrator) and password for the domain when prompted. The ADjoin dialog is configured to join in Express Mode.
11 Click Close to close the installer.
12 (Optionally) Reboot the computer to stop and restart all services.
Centrify highly recommends that you use the installation script to install Centrify Suite Express because the installation automatically joins the computer to a domain, sets the agent to Express Mode, and runs operating system, network, and Active Directory tests to verify your environment.
To install Centrify DirectControl using a native installation program:
1 Log on as or switch to the root user.
2 If the software package is a compressed file, unzip and extract the contents. For example,
3 Run the appropriate command for installing the package based on the local computer's operating system or package manager you want to use. For example, on Red Hat Linux:
rpm -Uvh centrifydc-release-rhel3-i386.rpm
--express
command:
Note
to Auto Zone:
adjoin --workstation domainName
Note
If you do not specify the --workstation option, the join will fail because adjoin will attempt to connect you to a specific zone rather than Auto Zone.
When a user logs in for the first time, the system creates a /home/userName directory.
2 Run the adinfo command to see information about the Active Directory configuration for the local computer. You should see output similar to the following:
Local host name:   QA1
Joined to domain:  sales.acme.com
Joined as:         QA1.sales.acme.com
Pre-win2K name:    QA1
Current DC:        acme-dc1.sales.acme.com
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode:   connected
Licensed Features: Disabled
Note that licensed features are disabled and that the zone is Auto Zone. Creating actual zones requires a licensed copy of Centrify DirectControl.
The -t net option checks DNS to verify that the local system is configured correctly and that the DNS server is available and healthy.
The operating system checks are self-explanatory. If your computer fails one of these checks, you need to upgrade the computer with a new operating system version or patch, a new Perl or Samba version, or free up sufficient disk space.
Note
If you get a warning about your Samba installation, you can install Centrify-enabled Samba as part of the DirectControl Express installation.
Because Centrify DirectControl uses DNS to locate the domain controllers for the Active Directory forest, the appropriate DNS nameservers need to be specified in the local /etc/resolv.conf file on each UNIX computer before the computer can join the domain. If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.
clock and domain synchronization. The specific checks performed by this option are as follows:
Note
The -t ad option also runs the net checks in addition to the ad checks.
DOMNAME: Check that the domain name is reasonable
ADDC:    Find domain controllers in DNS
ADDNS:   DNS lookup of DC centrify-mkdaze.mkline.local
ADPORT:  Port scan of DC centrify-mkdaze.mkline.local
ADDNS:   DNS lookup of DC centrify-mkdaze.mkline.local
GCPORT:  Port scan of GC centrify-mkdaze.mkline.local
DCUP:    Check DCs in mkline.local
SITEUP:  Check DCs for mkline.local in our site
DNSSYM:  Check DNS server symmetry
ADSITE:  Check that this machine's subnet is in a site known by AD
GSITE:   See if we think this is the correct site
TIME:    Check clock synchronization
ADSYNC:  Check domains all synchronized
If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.
using a fully-qualified domain name. You must specify the --workstation option. For example, to join the sales.acme.com domain with the user account dylan:
adjoin --user dylan --workstation sales.acme.com
The user account you specify must have permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account simply needs to be a valid domain user account. If you don't specify a user with the --user option, the Administrator account is used by default.
3 Type the password for the specified user account.
If Centrify DirectControl can connect to Active Directory and join the domain, a confirmation message is displayed. All Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest, are valid users or groups for the joined computer.
To join or leave a domain manually on Mac OS X computers:
1 Click Applications > Utilities > Centrify > Adjoin.
2 Double-click Adjoin to open it.
3 Type the name of the Active Directory domain you want to join and select Auto Zone. You can also type a different computer name if you want to use a different name for the local host in Active Directory. Check Overwrite existing joined Computer to overwrite the information stored in Active Directory for an existing computer account with the same name as the local computer. This is the same as running the adjoin command with the --force option. If you want to use the default settings for joining the domain, you can continue to the next step. If you want to specify additional options, click Show advanced options to display the additional options:
4 Click Disable Licensed Features.
5 Click Join Domain.
6 Type the Active Directory user name and password for a user with permission to join the
As an alternative to restarting individual services, you may want to reboot the system to restart all services. Because the applications and services on different servers may vary, Centrify recommends you reboot each system to ensure all of the applications and services on the system read the Centrify DirectControl configuration changes at your earliest convenience.
Note
Licensing additional features on UNIX computers.
Adding optional packages that are not included in Centrify Suite Express.
Upgrading on Windows
The licensed version of Centrify Suite on Windows includes several DirectManage components that are not part of Centrify Suite Express. In addition to Deployment Manager, which is available in the Express product family, other editions of Centrify Suite provide an Administrator Console, Group Policy Editor Extension, NIS Map Extension, and other optional components.
To install and upgrade licensed components on Windows:
1 Obtain a license key and media for the Centrify Suite of your choice from Centrify.
You can also download an evaluation copy directly from the Centrify web site, but you must have a license key to use the software for more than a limited period of time.
2 On the Windows computer where you installed Deployment Manager or another Windows computer that is joined to the Active Directory domain, run the Centrify Suite setup program to install the Centrify DirectManage for Windows 32-bit or Windows 64-bit. If you received the software on a CD, the Getting Started page is displayed automatically or when you double-click the autorun.exe program. On the Getting Started page, click Centrify DirectManage to start the appropriate setup.exe program for the Windows 32-bit or Windows 64-bit operating system.
3 Follow the prompts displayed to accept the license agreement, select the components to
To enable licensed features on UNIX, Linux, and Mac OS X computers:
1 Log on to the computer that is running Centrify Suite Express.
2 Run the following command to enable licensed features:
adlicense --licensed
3 Verify the command displays a message indicating that group policies will be initialized:
Group policies will be initialized on background
4 Run the following command to verify that licensing has been enabled:
adinfo
Local host name:   qa1
Joined to domain:  acme.com
Joined as:         qa1.acme.com
Pre-win2K name:    qa1
Current DC:        acme-dc1.acme.com
Preferred site:    Default-First-Site
Zone:              Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode:   connected
Licensed Features: Enabled
After enabling licensed features, the computer is still connected to Auto Zone. If you are not using zones to migrate existing user populations or define role-based access controls, you can leave the computer in Auto Zone. If you want to take advantage of zones, you must:
Create at least one zone using the Centrify DirectControl Administrator Console, adedit, or another tool.
Run adleave to leave the Active Directory domain and Auto Zone.
Run adjoin to rejoin the Active Directory domain and a specified zone.
Note
For information about creating and managing zones, using group policy, and other Centrify DirectControl features, see the Centrify DirectControl Administrators Guide and the Planning and Deployment Guide.
3 When you are prompted whether to keep, erase, or reinstall the currently installed packages:
Accept the default (K, keep) for the currently installed packages.
Type Y (Y, yes) for each package you want to add.
4 When prompted to enable licensed features, type Y and press Enter.
The script will also prompt you with other choices, such as the option to run adcheck and reboot the computer after installation. The computer remains joined to the domain you previously joined and your existing /etc/centrifydc/centrifydc.conf file is backed up and any modifications you have made to the file are migrated to the new version of the file.
5 Restart running services, such as login, sshd, or gdm, or reboot the computer to ensure
The uninstall.sh script will detect whether the Centrify DirectControl Agent is currently installed on the local computer and will ask you whether you want to uninstall your current Centrify DirectControl installation.
3 To uninstall Centrify DirectControl, enter Y when prompted.
If you cannot locate or are unable to run the uninstall.sh script, you can use the appropriate command for the local package manager or operating environment to remove the Centrify DirectControl Agent and related files.
Chapter 3
Getting information about the Active Directory configuration
Applying password policies and changing passwords
Working in disconnected mode
Mapping local accounts to Active Directory
Setting a local override account
Using standard programs such as telnet, ssh, and ftp
Using Samba
Setting Auto Zone configuration parameters
Active Directory userPrincipalName (jcool@acme.com)
Windows NTLM format for domain and user name (acme.com\jcool)
You can also use any of these formats to locate users in Active Directory. By default, Centrify Suite Express uses the Active Directory samAccountName attribute or the Mac OS X short name for the UNIX profile user name. You can specify a different form for the UNIX name by setting the value of the auto.schema.name.format parameter in the centrifydc.conf configuration file.
For Centrify Suite Express, licensed features are disabled until you upgrade to a different edition and the only zone supported is Auto Zone. If you upgrade at a later time, the licensed features will be enabled, and you will be able to use zones to provide secure, granular access control and delegated administration for computers joined to a domain.
2 Type your old password. When changing your own password, you must always provide
policies.
4 Retype the new password.
For more information about using adpasswd, see the adpasswd man page.
administrative account name with the authority to change the password for users in the domain. For example, to use the admin user account to change the password for the user jane in the sales.acme.com domain:
adpasswd --adminuser admin@acme.com jane@sales.acme.com
3 Type the new password for the user specified. Because you are changing another user's password, you are not prompted for an old password. For example:
New password:
For more information about using adpasswd, see the adpasswd man page.
or access a new service. For example, if a user account is disabled or has its password changed in Active Directory while the user is disconnected from the network, the user can still log on and use the old password until reconnected to the network. Once the user reconnects to Active Directory, the changes take effect and the user is denied access or prompted to provide an updated password. Because changing the password for an Active Directory account requires a connection to an Active Directory domain controller, users cannot change their own Active Directory password when working in disconnected mode. If users log out of a session while disconnected from Active Directory, they can be authenticated using the information in the cache when they log back on because they have been successfully authenticated in a previous session. They cannot, however, be authenticated automatically to any additional services after logging back on. To enable automatic authentication for additional services, the user's credentials must be presented to the Key Distribution Center (KDC), which then issues a ticket that can be presented to other services for unprompted, single sign-on authentication. Because the KDC is unavailable when disconnected from Active Directory, single sign-on authentication is also unavailable.
Note
You can configure many aspects of how credentials are handled, including how frequently they are updated or discarded, through parameter settings in the centrifydc.conf configuration file. To configure how credentials are handled using group policies, you must upgrade to Centrify Suite Standard Edition or beyond.
Mapping local accounts to Active Directory is especially useful if you want to preserve access to a user's current home directory and files. For example, if a local user has a UID of 518 but Centrify Suite Express generates a different UID for the user's profile, that user will not have file ownership permissions for his home directory and files. To map a local account to an Active Directory account, you can set the pam.mapuser.username configuration parameter on any individual local computer. To configure account mapping using group policies, you must upgrade to Centrify Suite Standard Edition or beyond.
1 On your Windows Active Directory computer, open Active Directory Users and Computers (ADUC). Navigate to the Users node, right-click and select New > User. You should create a user logon name with the same name as the local user.
2 On the computer with the local account, open the centrifydc.conf configuration file. 3 Locate the pam.mapuser.username configuration parameter and un-comment the line to
5 Save the changes to the configuration file, then run the adreload command to reload the
Using Samba
Centrify Suite Express includes a Centrify-compiled version of the Samba package that enables the Samba file server to use DirectControl and Active Directory to handle identity management and user credentials. For more information, see the Centrify Suite Samba Integration Guide.
Conflicting UIDs and GIDs will be assigned to the same Active Directory users and groups because the algorithms for generating these values differ between Samba and DirectControl, leading to file ownership confusion and access control problems.
To address these issues, you can install the Samba package compiled by Centrify to ensure DirectControl and Samba can co-exist on the same UNIX computer.
Notes
Because Centrify Suite Express only supports Auto Zone, the only way to migrate existing Samba generated UIDs and GIDs is to manually convert those values to the same UIDs and GIDs generated by Centrify.
If you upgrade to a Centrify Suite Standard Edition or beyond, Centrify provides a Perl configuration script that helps migrate Samba-generated UIDs and GIDs into DirectControl zones.
Chapter 4
Configuring logging for Centrify Suite
Collecting diagnostic information
Resolving Domain Name Service (DNS) problems
Users do not have a valid Active Directory user account in the appropriate forest.
Users have typed their non-Active Directory password or typed the wrong password more times than allowed.
If users report that they cannot access computer resources they think they should have access to, take the following steps to troubleshoot the problem:
1 Verify the user has an Active Directory user account in the forest or in a forest with a
is unable to log on to can connect to it and open a communication channel. For example, log on to the UNIX computer using a locally authenticated user, and run the ping command with the name of a domain controller in the forest. If the command receives a reply from the domain controller, the DNS service is functioning and the local computer is able to locate the domain controller on the network. If the ping command does not generate a reply, check your DNS configuration and check whether the local computer or the domain controller is disconnected from the network.
4 Use adinfo or Active Directory Users and Computers to check that the computer is
disconnected. If the adinfo command reports the mode is disconnected, try restarting adclient and testing network response time. On a slow network, adclient may drop the connection to Active Directory if there is a long delay in response time. If adinfo displays an <unavailable> error, try running adleave to leave Active Directory, then re-run the adjoin command to re-join the domain. If a problem still exists, check the DNS host name of the local computer and the domain controller, the user name joining the domain, and the domain name you are using.
6 Check the clock synchronization between the local UNIX computer and the Active Directory domain controller. If the clocks are not synchronized, reset the system clock on the UNIX computer using the date command.
7 Check for user and group filters set in the /etc/centrifydc/centrifydc.conf file. For example, check the pam.deny.users parameter to verify that the user who is trying to log on is not listed or a member of a group listed for the pam.deny.groups parameter.
8 Check the contents of the system log files or the centrifydc.log file after the user attempts to log on. You can use information in this file to help determine whether the issue is with the configuration of the software or with the user's account.
9 Check for conflicts between local user accounts and the user profile generated by DirectControl Express.
If none of these steps reveal the problem, you can enable detailed logging of adclient activity using the addebug command. You can use the information in the /var/log/centrifydc.log file to further diagnose the problem or to provide information to Centrify Support.
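To make step 7 of this checklist concrete, here is an added shell example (it is not part of the Centrify documentation) that reads the pam.deny.users and pam.deny.groups parameters from a constructed centrifydc.conf fragment and reports why a given user would be refused. The group membership table in the script is constructed sample data standing in for the user's real group list.

```shell
#!/bin/sh
# Added example, not Centrify code: explain a login denial caused by the
# pam.deny.users / pam.deny.groups filters in centrifydc.conf.

# Constructed sample configuration, written to a temporary file for the demo.
CONF_FILE="${TMPDIR:-/tmp}/centrifydc.conf.sample.$$"
trap 'rm -f "$CONF_FILE"' EXIT
cat > "$CONF_FILE" <<'EOF'
# constructed centrifydc.conf fragment
#pam.deny.users: commented-out lines like this one must be ignored
pam.deny.users: guest, oldcontractor
pam.deny.groups: terminated, vendors
EOF

# Constructed group membership table ("group:member,member"). On a joined
# computer you would use the real group list, for example `id -Gn user`.
GROUPS_TABLE='terminated:bob,alice
vendors:carol
staff:dave,alice'

# Print the value of <parameter> from <file>. Comment lines are skipped because
# the pattern is anchored at the start of the line; prints nothing if unset.
conf_value() {   # conf_value <parameter> <file>
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" | head -n 1
}

# Succeed (exit 0) if <name> is one of the comma-separated entries in <list>.
in_list() {      # in_list <name> <list>
    printf '%s\n' "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qx -- "$1"
}

# Print the groups that <user> belongs to, one per line.
user_groups() {  # user_groups <user>
    printf '%s\n' "$GROUPS_TABLE" | while IFS=: read -r grp members; do
        if in_list "$1" "$members"; then printf '%s\n' "$grp"; fi
    done
}

# Print why <user> would be refused: allowed, denied-user, or denied-group:<g>.
deny_reason() {  # deny_reason <user> <conf file>
    deny_users=$(conf_value pam.deny.users "$2")
    deny_groups=$(conf_value pam.deny.groups "$2")
    if in_list "$1" "$deny_users"; then
        echo "denied-user"
        return 0
    fi
    for grp in $(user_groups "$1"); do
        if in_list "$grp" "$deny_groups"; then
            echo "denied-group:$grp"
            return 0
        fi
    done
    echo "allowed"
}

# Walk the sample users and show the verdict for each one.
for u in guest bob carol dave; do
    printf '%-6s %s\n' "$u" "$(deny_reason "$u" "$CONF_FILE")"
done
```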
locate points of failure. However, log files and other diagnostic tools provide an internal view of operation and can be difficult to interpret. The log files are primarily intended for Centrify Suite experts and technical staff. In most cases, you should only enable logging when you need to troubleshoot unexpected behavior, authentication failures, or problems with connecting to Active Directory or when requested to do so by Centrify Support. Other troubleshooting tools, such as command line programs, can be used at any time to collect or display information about your environment.
You must type the full path to the command because addebug is not included in the path by default.
Note
After you run this command, all of the Centrify Suite activity is written to the /var/log/centrifydc.log file. If the adclient process stops running while you have logging on, the addebug program records messages from PAM and NSS requests in the /var/centrifydc/centrify_client.log file. Therefore, you should also check that file location if you enable logging. For performance and security reasons, you should only enable logging when necessary. For example, if you open a case with Centrify Support, the Support representative may request that you enable logging and submit log files to investigate your case. You should also limit logging to short periods of time while you or Centrify Support attempt to diagnose a problem. You should keep in mind that sensitive information may be written to this file and you should evaluate the contents of the file before giving others access to it. When you are ready to stop logging activity, run the addebug off command.
With this parameter, the log level works as a filter to define the type of information you are interested in and ensure that only the messages that meet the criteria are written to the log. For example, if you want to see warning and error messages but not informational messages, you can change the log level from INFO to WARN. By changing the log level, you can reduce the number of messages included in the log and record only messages that indicate a problem. Conversely, if you want to see more detail about system activity, you can change the log level to INFO or DEBUG to log information about operations that do not generate any warnings or errors. You can use the following keywords to specify the type of information you want to record in the log file:
Specify this level, to log this type of information:
FATAL: Fatal error messages that indicate a system failure or other severe, critical event. In addition to being recorded in the system log, this type of message is typically written to the user's console. With this setting, only the most severe problems generate log file messages.
ERROR: System error messages for problems that may require operator intervention or from which system recovery is not likely. With this setting, both fatal and less-severe error events generate log file messages.
WARN: Warning messages that indicate an undesirable condition or describe a problem from which system recovery is likely. With this setting, warnings, errors, and fatal events generate log file messages.
INFO: Informational messages that describe operational status or provide event notification.
If the computer has joined a domain, this command displays information similar to the following:
Local host name:   magnolia
Joined to domain:  ajax.org
Joined as:         magnolia.ajax.org
Current DC:        ginger.ajax.org
Preferred site:    Default-First-Site-Name
Zone:              Auto Zone
Last password set: 2010-12-28 14:47:57 PST
CentrifyDC mode:   connected
Licensed Features: Disabled
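As an added example (not from the Centrify documentation), the following shell functions parse adinfo output like the listing above and apply the rules from the troubleshooting checklist earlier in this chapter: a disconnected mode calls for restarting adclient and testing the network, and an <unavailable> field calls for adleave followed by a fresh adjoin. The sample listing is constructed from the examples in this guide, and the field labels are assumed to match exactly what adinfo prints.

```shell
#!/bin/sh
# Added example, not Centrify code: classify `adinfo` output and map it to
# the action this guide recommends. Sample output is constructed.

SAMPLE_CONNECTED='Local host name:   magnolia
Joined to domain:  ajax.org
Joined as:         magnolia.ajax.org
Current DC:        ginger.ajax.org
Preferred site:    Default-First-Site-Name
Zone:              Auto Zone
Last password set: 2010-12-28 14:47:57 PST
CentrifyDC mode:   connected
Licensed Features: Disabled'

# Two constructed variants: the agent lost its connection, and a field that
# adinfo reports as <unavailable>.
SAMPLE_DISCONNECTED=$(printf '%s\n' "$SAMPLE_CONNECTED" \
    | sed 's/^CentrifyDC mode:.*/CentrifyDC mode:   disconnected/')
SAMPLE_UNAVAILABLE=$(printf '%s\n' "$SAMPLE_CONNECTED" \
    | sed 's/^Current DC:.*/Current DC:        <unavailable>/')

# Print the value of one adinfo field (text after the label and colon).
adinfo_field() {  # adinfo_field "<field label>" "<adinfo output>"
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Classify the output. Prints exactly one of:
#   unavailable | disconnected | connected-autozone | connected-zone
adinfo_state() {  # adinfo_state "<adinfo output>"
    if printf '%s\n' "$1" | grep -q '<unavailable>'; then
        echo unavailable
        return 0
    fi
    mode=$(adinfo_field 'CentrifyDC mode' "$1")
    zone=$(adinfo_field 'Zone' "$1")
    case "$mode" in
        connected)
            if [ "$zone" = "Auto Zone" ]; then
                echo connected-autozone
            else
                echo connected-zone
            fi ;;
        disconnected) echo disconnected ;;
        *) echo unavailable ;;   # no mode line at all: treat as not joined
    esac
}

# Map the state to the action recommended in the troubleshooting steps.
adinfo_advice() {  # adinfo_advice "<adinfo output>"
    case "$(adinfo_state "$1")" in
        disconnected) echo "restart adclient and test network response time" ;;
        unavailable)  echo "run adleave, then adjoin to rejoin the domain" ;;
        connected-autozone)
            echo "joined to Auto Zone; licensed features: $(adinfo_field 'Licensed Features' "$1")" ;;
        connected-zone)
            echo "joined to zone '$(adinfo_field Zone "$1")'" ;;
    esac
}

# Show the verdict for each constructed sample.
for sample in "$SAMPLE_CONNECTED" "$SAMPLE_DISCONNECTED" "$SAMPLE_UNAVAILABLE"; do
    printf '%-20s %s\n' "$(adinfo_state "$sample")" "$(adinfo_advice "$sample")"
done
```

On a joined computer you would feed the live output instead, for example adinfo_advice "$(adinfo)".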
The Windows DNS server role is not configured to dynamically update service locator (SRV) records. These records enable Active Directory to find the nearest domain controller, Key Distribution Center (KDC), and Global Catalog (GC) for the site.
The DNS servers do not publish the SRV records for the domain controllers that provide Active Directory service to the enterprise. These records must be available for computers to connect to Active Directory and locate required services.
The DNS servers for the enterprise run on UNIX servers that are not configured to locate Active Directory domain controllers. In many cases, DNS servers for an enterprise are configured with a different domain namespace than Active Directory or Active Directory domain controllers are considered internal servers and not registered in the enterprise DNS.
If you encounter problems, you should contact your Active Directory administrator to determine whether the DNS server role is being used and if it is configured to allow dynamic updates. If the Active Directory DNS server role is not being used to provide DNS to the enterprise, you should contact the DNS administrator to resolve the issue. There are several possible scenarios:
If the enterprise uses UNIX-based DNS servers instead of Active Directory-based DNS servers and DHCP, computers should have a nameserver entry in the /etc/resolv.conf file that points to a valid DNS server.
Forward and reverse lookup zones should be configured to allow enterprise DNS servers to locate Active Directory domain controllers.
If the Active Directory domain namespace is different from the namespace registered in enterprise DNS servers, you should use the --name and --alias join options to resolve the namespace differences.
If the enterprise DNS servers do not include records for Active Directory domain controllers, you can manually set the location of the Active Directory domain controller using parameters in the centrifydc.conf configuration file.
Chapter 5
Command-line programs available in Centrify Suite Express

Displaying usage information and man pages
In general, you should only use command-line programs when you must take action directly on a local computer. For example, if you want to join or leave a domain or set a new password while logged on to a shell, you may want to run a command interactively from that shell. You can also use command-line programs in scripts to perform administrative tasks programmatically.
Note: You can also use Deployment Manager Express to perform the most common administrative tasks. For more information about using Deployment Manager, see Deployment Manager online help.
adjoin
    Adds a computer to an Active Directory domain. This command configures a local computer to use Active Directory. No changes are made to authentication services or configuration files on a computer until you run the adjoin command. This command requires you to be logged on as root.

adleave
    Enables you to remove a computer from its current Active Directory domain or

adpasswd
    Changes the Active Directory account password for a user from within a UNIX shell.

adinfo
    Displays summary or detailed diagnostic and configuration information for a computer and its Active Directory domain.

addebug
    Starts or stops logging activity for Centrify operations.

adfinddomain
    Displays the domain controller associated with the Active Directory domain you specify.

adid
    Displays the real and effective UIDs and GIDs for the current user or a specified user.

adflush, adcache
    Enable you to manually clear the local cache on a computer or check a cache file for a specific key value.

adreload
    Forces the adclient process to reload configuration properties in the /etc/centrifydc.conf file and in other files in the /etc/centrifydc directory.

adlicense
    Enables or disables licensed features on a local computer. This command requires you to be logged on as root.

adclient
    Manages most Centrify Suite operations, and is normally started automatically when a computer starts up. In most cases, you should only run adclient directly from the command line if Centrify Support recommends you do so.

Other commands that support Centrify Suite operations are also installed in the directory with the commands listed, but are not applicable for Centrify Suite Express.
Displaying usage information and man pages

The usage information includes a list of options and arguments, and a brief description of each option.
For more complete information about any command, you can review the information in the command's manual (man) page. For example, to see the manual page for the adleave command, type:
man adleave
Chapter 6
auto.schema.private.group
auto.schema.shell
auto.schema.homedir
    Specifies the home directory for logged in users. The default value is /Users/%{user} on Mac OS X and /home/%{user} on other platforms. The variable %{user} is substituted at runtime and replaced with the logon name of the user who is logging on. For example, if the user jsmith logs on to a Mac OS X computer, the default home directory is set to:

        /Users/jsmith

    For example:

        auto.schema.homedir:/allusers/home/%{user}

    This parameter is not used if the parameter auto.schema.use.adhomedir is set to true and a home directory is defined in Active Directory for the user. If auto.schema.use.adhomedir is false or no home directory is defined for the user in Active Directory, the home directory is set to the value defined for this parameter.

auto.schema.use.adhomedir
    Specifies whether or not to use the Active Directory value for the home directory on Mac OS X computers. Set this parameter value to true to use the home directory defined in Active Directory. If you set this parameter to true but do not define a home directory in Active Directory, the value for auto.schema.homedir is used. Set this parameter to false if you do not want to use the home directory defined in Active Directory.

auto.schema.remote.file.service
    Specifies the type of remote file service to use for mounting a network home directory on Mac OS X computers. The valid options are:

        SMB
        AFP

    For example:

        auto.schema.remote.file.service: SMB

    On Mac OS X computers, mounting a network directory requires that you specify the remote file service type. By identifying the remote file-service type using this parameter, you can type the network path in the format required by Active Directory:

        /server/share/path

    Centrify Suite then converts the Active Directory path into the format required by Mac OS X.

auto.schema.name.format
    Specifies how Active Directory user names are transformed into UNIX login names. The valid options are:

        Active Directory samAccountName or Mac OS X short name (jcool)
        Active Directory userPrincipalName (jcool@acme.com)
        Windows NTLM format for domain and user name (acme.com\jcool)

auto.schema.separator
    Specifies the separator to be used between the domain name and the user name if NTLM format is used. The default separator is a plus (+) sign. For example:

        auto.schema.separator: +
auto.schema.domain.prefix.domain_name
    Specifies a unique prefix for a trusted domain. You must specify a whole number in the range of 0 - 511. Centrify Suite combines the prefix with the lower 22 bits of each user or group RID (relative identifier) to create a unique UNIX user identifier (UID) or group identifier (GID) for each user and group. In most cases, this parameter is not necessary because Centrify Suite automatically generates the domain prefix from the user or group Security Identifier (SID). However, in a forest with a large number of domains or with cross-forest trusts, domain prefix conflicts are possible. If you attempt to join a computer to a domain and Centrify Suite detects conflicting domain prefixes, the join fails with a warning message. You can then set a unique prefix for the conflicting domains. To set this parameter, append the domain name and specify a prefix in the range 0 - 511. For example:

        auto.schema.domain.prefix.acme.com: 3
        auto.schema.domain.prefix.finance.com: 4
        auto.schema.domain.prefix.corp.com: 5
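To make the prefix-plus-RID scheme and the conflict it guards against concrete, here is an added example (not Centrify's code): it reads auto.schema.domain.prefix entries, extracts the RID from a SID, combines a 9-bit prefix with the low 22 bits of the RID, and flags domains that share a prefix. The guide does not state how the two parts are packed, so placing the prefix in the high bits is an assumption, and the SIDs are constructed.

```python
"""Added example (not Centrify's code): UID/GID generation from a per-domain
prefix (0-511) and the lower 22 bits of a RID, plus prefix-conflict detection.
Packing the prefix into the high bits is an assumed layout for illustration."""
from typing import Dict, List

PREFIX_MAX = 511          # whole number in the range 0 - 511 (9 bits)
RID_MASK = (1 << 22) - 1  # lower 22 bits of the RID
PARAM = "auto.schema.domain.prefix."

# Constructed configuration in the form shown in the guide.
SAMPLE_CONF = """\
auto.schema.domain.prefix.acme.com: 3
auto.schema.domain.prefix.finance.com: 4
auto.schema.domain.prefix.corp.com: 5
"""


def parse_domain_prefixes(conf_text: str) -> Dict[str, int]:
    """Read auto.schema.domain.prefix.<domain> entries, validating the range."""
    prefixes: Dict[str, int] = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith(PARAM):
            continue
        key, _, value = line.partition(":")
        domain = key[len(PARAM):]
        prefix = int(value.strip())
        if not 0 <= prefix <= PREFIX_MAX:
            raise ValueError(f"{domain}: prefix {prefix} is outside 0-{PREFIX_MAX}")
        prefixes[domain] = prefix
    return prefixes


def rid_from_sid(sid: str) -> int:
    """The RID is the last sub-authority of a SID such as S-1-5-21-...-1105."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[-1])


def unix_id(prefix: int, rid: int) -> int:
    """Combine the 9-bit prefix with the low 22 bits of the RID (assumed layout).
    Two RIDs that differ only above bit 22 therefore map to the same ID."""
    if not 0 <= prefix <= PREFIX_MAX:
        raise ValueError("prefix out of range")
    return (prefix << 22) | (rid & RID_MASK)


def uid_for(prefixes: Dict[str, int], domain: str, sid: str) -> int:
    """UID for a user of `domain` with SID `sid`, using the configured prefix."""
    return unix_id(prefixes[domain], rid_from_sid(sid))


def find_prefix_conflicts(prefixes: Dict[str, int]) -> Dict[int, List[str]]:
    """Return {prefix: [domains]} for prefixes shared by more than one domain;
    this is the condition under which the join fails with a warning."""
    by_prefix: Dict[int, List[str]] = {}
    for domain, prefix in prefixes.items():
        by_prefix.setdefault(prefix, []).append(domain)
    return {p: ds for p, ds in by_prefix.items() if len(ds) > 1}
```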
auto.schema.search.return.max
    Specifies the maximum number of users to return in search results. Because Auto Zone enables access to all users in a domain, a search could potentially return tens of thousands of users. This parameter causes the search to truncate after the specified number of users. The default is 1000 entries.

auto.schema.name.lower
    Converts all user names and home directory names to lower case in Active Directory. Set to true to convert user names and home directory names to lowercase. Set to false to leave user names and home directories in their original upper, lower, or mixed case. The default for a new installation is true. The default for an upgrade installation is false.
auto.schema.iterate.cache
    Specifies that user and group iteration take place only over cached users and groups. The valid options are:

        true   restricts iteration to cached users and groups.
        false  iterates over all users and groups.

    The default value is false.

adclient.ntlm.separators
    Specifies the separators that can be used between the domain name and the user name when NTLM format is used. For example:

        adclient.ntlm.separators: +/\\

    The default allows the following formats for the user joe in the acme.com domain:

        acme.com+joe
        acme.com/joe
        acme.com\joe

    Note: The backslash character (\) can be problematic on some UNIX shells, in which case you may need to specify domain\\user. The first character in the list is the one that adclient uses when generating NTLM names.
pam.allow.groups
    To enter group names with spaces, enclose them in double quotes. For example:

        pam.allow.groups: "domain admins","domain users"

    To specify a file that contains a list of groups, type the path to the file:

        pam.allow.groups: file:/tmp/cdc/groups.allow

    Note: Be sure to use the format specified by the auto.schema.name.format parameter. For example, if the auto.schema.name.format parameter is set to SAM, use the samAccountName (finance_admins). If you change this parameter, you should run adflush to clear the Centrify Suite cache to ensure your changes take effect.
pam.allow.override
    Enables local authentication to ensure the root user or another local account has permission to log on if authentication through Active Directory is not possible, there are problems running Centrify Suite, or there are network communication issues. For the user accounts you specify, authentication is passed on to a legacy authentication mechanism, such as /etc/passwd. For example:

        pam.allow.override: root

    To log in locally with the override account, you must specify the local user name and password. If the account is mapped to an Active Directory account, you must append @localhost to the user name. For example, to log on with the root override account when root is mapped to an Active Directory account, you type:

        root@localhost

    You can then type the local password for the root account and log in without being authenticated through Active Directory.

    Note: You should set this parameter to root or to a local user account with root-level permissions (UID 0), so that you always have at least one local account with permission to access system files and perform privileged tasks on the computer even if there are problems with the network connection, Active Directory, or Centrify Suite.

pam.allow.password.change
    Specifies whether users who log in with an expired password should be allowed to change their password. The valid options are:

        true   allows users to change their password.
        false  notifies users that a password change is not allowed.

    You can use this parameter in conjunction with the pam.allow.password.expired.access parameter to control access for users who attempt to log on with an expired password. If both parameters are set to true, users are prompted to change their password.

pam.allow.password.change.mesg
    Specifies the message displayed when users are not permitted to change their expired password because the pam.allow.password.change parameter is set to false.

pam.allow.password.expired.access
    Specifies whether users who log in with an expired password should be allowed access. The valid options are:

        true   allows users with expired passwords to log on.
        false  denies access to users with expired passwords.

    You can use this parameter in conjunction with the pam.allow.password.change parameter. If both parameters are true, users logging on with an expired password are allowed to log on, and prompted to change their password.

pam.allow.password.expired.access.mesg
    Specifies the message displayed when users are not permitted to log on with an expired password because the pam.allow.password.expired.access parameter is set to false.
pam.allow.users
    Specifies the users who are allowed to access PAM-enabled applications. If this parameter is defined, only the listed users are allowed access. The users you specify should be valid Active Directory users. Local user accounts or invalid Active Directory user names are ignored. The parameter value can be a list of user names, separated by commas, or the file: keyword and a file location. For example:

        pam.allow.users: root,joan7,bbenton

    To enter user names with spaces, enclose them in double quotes. For example:

        pam.allow.users: "sui chen","alberto cruz"

    To specify a file that contains a list of the users allowed access, type the path to the file:

        pam.allow.users: file:/tmp/cdc/users.allow

    Note: Be sure to use the format specified by the auto.schema.name.format parameter. For example, if the auto.schema.name.format parameter is set to SAM, use the samAccountName (jcool). If you change this parameter, you should run adflush to clear the Centrify Suite cache to ensure your changes take effect.

pam.deny.groups
    Specifies the groups that should be denied access to PAM-enabled applications. If this parameter is defined, only the listed groups are denied access. The groups you specify should be valid Active Directory groups. Local group membership and invalid Active Directory group names are ignored. The parameter value can be a list of group names, separated by commas or spaces, or the file: keyword and a file location. For example, to prevent all members of the vendors and azul groups from logging on:

        pam.deny.groups: vendors,azul

    To enter group names with spaces, enclose them in double quotes. For example:

        pam.deny.groups: "domain admins","denali team"

    To specify a file that contains a list of the groups that should be denied access:

        pam.deny.groups: file:/etc/centrifydc/groups.deny

    Note: Be sure to use the format specified by the auto.schema.name.format parameter. For example, if the auto.schema.name.format parameter is set to SAM, use the samAccountName (finance_admins). If you change this parameter, you should run adflush to clear the Centrify Suite cache to ensure your changes take effect.
pam.deny.users
    Specifies the users that should be denied access to PAM-enabled applications. If this parameter is defined, only the listed users are denied access. The users you specify should be valid Active Directory users. Local user accounts or invalid Active Directory user names are ignored. The parameter value can be a list of user names, separated by commas or spaces, or the file: keyword and a file location. For example, to prevent the user accounts starr and guestuser from logging on:

        pam.deny.users: starr,guestuser

    To enter user names with spaces, enclose them in double quotes. For example:

        pam.deny.users: "tia jones@acme.com"

    To specify a file that contains a list of the users that should be denied access:

        pam.deny.users: file:/etc/centrifydc/users.deny

    Note: Be sure to use the format specified by the auto.schema.name.format parameter. For example, if the auto.schema.name.format parameter is set to SAM, use the samAccountName (jcool). If you change this parameter, you should run adflush to clear the Centrify Suite cache to ensure your changes take effect.

pam.ignore.users
    Specifies the users that you want Centrify Suite to ignore. This parameter enables faster lookup requests for system accounts such as tty, root, and bin and local accounts that don't require Active Directory authentication. The parameter value should be a list of user names, separated by a space, or the file: keyword and a file location. For example, to specify a list of users to authenticate locally:

        pam.ignore.users: root sys tty
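The pam.allow.users, pam.allow.groups, pam.deny.users, pam.deny.groups and pam.ignore.users entries above share one value syntax. The following added example (not from the Centrify guide) parses that syntax, including quoted names with spaces and the file: keyword, and evaluates a login against the resulting lists. The guide does not say in which order the agent consults the lists, so the ignore-then-deny-then-allow order here, and treating either allow list as sufficient, are assumptions; the configuration and allow file are constructed.

```python
"""Added example (not Centrify code): parse pam.allow/deny/ignore list values
from centrifydc.conf-style text and decide whether a user may log on.
Evaluation order (ignore, deny, allow) is an assumption for illustration."""
import shlex
import tempfile
from typing import Dict, List, Set

PAM_LIST_PARAMS = ("pam.allow.users", "pam.allow.groups", "pam.deny.users",
                   "pam.deny.groups", "pam.ignore.users")


def parse_name_list(value: str) -> List[str]:
    """Split a parameter value into names. Quoted names keep their spaces;
    bare names may be separated by commas or whitespace; file:<path> reads
    one name per line (blank lines and # comments skipped)."""
    value = value.strip()
    if value.startswith("file:"):
        with open(value[len("file:"):], encoding="utf-8") as fh:
            return [ln.strip() for ln in fh
                    if ln.strip() and not ln.lstrip().startswith("#")]
    lexer = shlex.shlex(value, posix=True)
    lexer.whitespace = " \t,"   # commas and spaces both separate names
    lexer.whitespace_split = True
    lexer.commenters = ""       # '#' is not a comment inside a name
    lexer.escape = ""           # keep the backslash in acme.com\jcool
    return list(lexer)


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Read the pam.* list parameters from centrifydc.conf-style text."""
    params: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in PAM_LIST_PARAMS:
            params[key.strip()] = parse_name_list(value)
    return params


def access_decision(params: Dict[str, List[str]], user: str,
                    groups: Set[str]) -> str:
    """Return 'local' (not looked up in Active Directory), 'deny' or 'allow'
    for an Active Directory user who belongs to the given groups."""
    if user in params.get("pam.ignore.users", []):
        return "local"
    if user in params.get("pam.deny.users", []):
        return "deny"
    if groups & set(params.get("pam.deny.groups", [])):
        return "deny"
    allow_users = params.get("pam.allow.users")
    allow_groups = params.get("pam.allow.groups")
    if allow_users is None and allow_groups is None:
        return "allow"   # no allow list defined: any valid AD user may log on
    if allow_users and user in allow_users:
        return "allow"
    if allow_groups and groups & set(allow_groups):
        return "allow"
    return "deny"        # an allow list exists and the user is not on it


def demo() -> Dict[str, str]:
    """Constructed configuration exercising every value form, including file:."""
    with tempfile.NamedTemporaryFile("w", suffix=".allow", delete=False) as fh:
        fh.write("# constructed allow file\njoan7\nbbenton\n")
        allow_file = fh.name
    conf = "\n".join([
        "pam.ignore.users: root sys tty",
        "pam.allow.users: file:" + allow_file,
        'pam.allow.groups: "domain admins",finance_admins',
        "pam.deny.users: starr,guestuser",
        "pam.deny.groups: vendors azul",
    ])
    params = parse_conf(conf)
    return {
        "root": access_decision(params, "root", set()),                # local
        "joan7": access_decision(params, "joan7", set()),              # via file
        "starr": access_decision(params, "starr", {"domain admins"}),  # deny wins
        "tia": access_decision(params, "tia", {"domain admins"}),      # via group
        "bob": access_decision(params, "bob", {"vendors"}),            # denied group
        "eve": access_decision(params, "eve", set()),                  # not listed
    }
```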
pam.mapuser.local_account
    Maps a local UNIX user account to an Active Directory account. This parameter is most commonly used to map local system or application service accounts to an Active Directory account and password, but it can be used for any local user account. For more information about mapping local accounts to Active Directory users, see Mapping local accounts to Active Directory on page 36. To use this parameter, set the last part of the parameter name to the local account name, and the parameter value to the Active Directory account name. For example, to map the local oracle account to the Active Directory account oracle_storm@acme.com if the host computer's name is storm:

        pam.mapuser.oracle: oracle_$HOSTNAME@acme.com

    You can specify the user name in any of the following valid formats:

        Standard Windows format: domain\user_name
        Universal Principal Name (UPN): user_name@domain
        Alternate UPN: alt_user_name@alt_domain
        UNIX user name: user

    You must include the domain name in the format if the user account is not in the local computer's current Active Directory domain.

pam.password.change.mesg
    Specifies the text displayed by a PAM-enabled application when it requests a user to change a password. The parameter value must be an ASCII string. Special characters and environment variables are allowed.

pam.password.change.required.mesg
    Specifies the message displayed if the user enters the correct password, but the password must be changed immediately.

pam.password.confirm.mesg
    Specifies the text displayed by a PAM-enabled application when it requests a user to confirm his new password by entering it again. The parameter value must be an ASCII string. Special characters and environment variables are allowed.

pam.password.empty.mesg
    Specifies the message displayed if the user enters an empty password.

pam.password.enter.mesg
    Specifies the text displayed by a PAM-enabled application when it requests a user to enter his password. The parameter value must be an ASCII string. Special characters and environment variables are allowed.

pam.password.expiry.warn.mesg
    Specifies how many days before a password is due to expire PAM-enabled applications should issue a warning to the user. The parameter value must be a positive integer. The default value is 14 days.

pam.password.new.mesg
    Specifies the text displayed by a PAM-enabled application when it requests a user to enter his new password during a password change. The parameter value must be an ASCII string. Special characters and environment variables are allowed.

pam.password.new.mismatch.mesg
    Specifies the message displayed during a password change when the two new passwords do not match each other.
    Specifies the message displayed by a PAM-enabled application when it requests a user to enter his old password during a password change. The parameter value must be an ASCII string. Special characters and environment variables are allowed.

pam.policy.violation.mesg
    Specifies the message displayed during a password change if the operation fails because of a domain password policy violation. For example, if the user attempts to enter a password that doesn't contain the minimum number of characters or doesn't meet complexity requirements, this message is displayed.
dns.dc.domain_name
    To specify multiple servers for a domain, use a space to separate the domain controller server names. For example:

        dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test

    Centrify Suite will attempt to connect to the domain controllers in the order specified.

dns.gc.domain_name
    Specifies the domain controller that hosts the Global Catalog for a domain. If the Global Catalog is on a different domain controller than the domain controllers you specify with the dns.dc.domain_name parameter, you can use this parameter to specify the location of the Global Catalog. For example:

        dns.gc.mylab.test: dc3.mylab.test

dns.alive.resweep.interval
    Controls how frequently the Centrify Suite DNS client checks whether there is a faster DNS server available. The default interval for this check is one hour.
    Specifies the protocol and response time to use when the DNS client scans the network for available DNS servers. The dns.tcp.timeout and dns.udp.timeout parameters determine the amount of time to wait if the current server does not respond to a request. If the current server does not respond to a request within the specified timeout period, it is considered down and Centrify Suite looks for a different server. If the DNS subsystem cannot find a live server, DNS is considered down, and Centrify Suite waits for the period of the dns.dead.resweep.interval parameter before performing a sweep to find a new server.

dns.tcp.timeout
    Specifies the amount of time to wait if the current server does not respond to a TCP request. If the current server does not respond to a request within the specified timeout period, it is considered down and Centrify Suite looks for a different server.

dns.udp.timeout
    Specifies the amount of time to wait if the current server does not respond to a UDP request. If the current server does not respond to a request within the specified timeout period, it is considered down and Centrify Suite looks for a different server.

dns.dead.resweep.interval
    Specifies the amount of time to wait if DNS is down before performing a sweep to find a new DNS server to use.