Beruflich Dokumente
Kultur Dokumente
Administrator’s Guide
Version 3.0
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are
subject to the terms of a license agreement or a non-disclosure agreement. Except as
expressly set forth in such license agreement or non-disclosure agreement, Centrify
Corporation provides this document and the software described in this document “as is”
without warranty of any kind, either express or implied, including, but not limited to,
the implied warranties of merchantability or fitness for a particular purpose. Some states
do not allow disclaimers of express or implied warranties in certain transactions;
therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or
given away without the prior written permission of Centrify Corporation, except as
otherwise permitted by law. Except as expressly set forth in such license agreement or
non-disclosure agreement, no part of this document or the software described in this
document may be reproduced, stored in a retrieval system, or transmitted in any form or
by any means, electronic, mechanical, or otherwise, without the prior written consent of
Centrify Corporation. Some companies, names, and data in this document are used for
illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein. These changes may be incorporated in new
editions of this document. Centrify Corporation may make improvements in or changes
to the software described in this document at any time.
© 2004-2006 Centrify Corporation. All rights reserved. Portions of Centrify
DirectControl are derived from third party or open source software. Copyright and legal
notices for these sources are listed separately in the Acknowledgements.txt file included
with the software.
U.S. Government Restricted Rights: If the software and documentation are being
acquired by or on behalf of the U.S. Government or by a U.S. Government prime
contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for
Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for
non-DOD acquisitions), the government’s rights in the software and documentation,
including its rights to use, modify, reproduce, release, perform, display or disclose the
software or documentation, will be subject in all respects to the commercial license
rights and restrictions provided in the license agreement.
Centrify and DirectControl are trademarks of Centrify Corporation in the United States
and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and
Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
The names of any other companies and products mentioned in this document may be the
trademarks or registered trademarks of their respective owners. Unless otherwise noted,
all of the names used as examples of companies, organizations, domain names, people
and events herein are fictitious. No association with any real company, organization,
domain name, person, or event is intended or should be inferred.
Contents
Chapter 1 Introduction 17
Understanding identity and access management. . . . . . . . . . . . . . . . . . . 17
Why integrate with Active Directory?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
What is the Centrify DirectControl solution?. . . . . . . . . . . . . . . . . . . . . . . . 19
What can you do after you deploy DirectControl?. . . . . . . . . . . . . . . . . . . 24
3
Planning changes to the Active Directory structure. . . . . . . . . . . . . . . . . 83
Planning to work with multiple forests . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Planning how you will use zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Planning user account migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Planning group membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Planning NIS map migration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4 Administrator’s Guide
Chapter 7 Managing computers 143
Using zones for Linux, Unix, and Mac OS computers . . . . . . . . . . . . . . . 143
Understanding how a computer joins a domain . . . . . . . . . . . . . . . . . . . 145
Deciding who can join computers to the domain . . . . . . . . . . . . . . . . . . 147
Preparing computer accounts before joining . . . . . . . . . . . . . . . . . . . . . 149
Joining a domain interactively or using a script. . . . . . . . . . . . . . . . . . . . 150
Changing computer properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Allowing password resets for computer accounts. . . . . . . . . . . . . . . . . . 154
Changing the domain for a computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Leaving a domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Running reports for computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Customizing configuration settings for a computer . . . . . . . . . . . . . . . . 159
Using computer-based group policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Contents 5
Chapter 9 Managing group policies for Unix users and computers 181
Understanding Group Policy Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Understanding group policy for Unix . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
Adding Unix policies to a Group Policy Object. . . . . . . . . . . . . . . . . . . . . 193
Creating a Centrify DirectControl Group Policy Object . . . . . . . . . . . . . 195
Setting policies for Unix computers and users. . . . . . . . . . . . . . . . . . . . . 196
Linking a Group Policy Object to a container . . . . . . . . . . . . . . . . . . . . . . 203
Reporting group policy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Editing the Centrify DirectControl configuration file . . . . . . . . . . . . . . . 205
Defining custom group policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Chapter 12 Using the DirectControl Information Service for NIS requests 233
Understanding the DirectControl Information Service . . . . . . . . . . . . . 233
Understanding how to deploy the adnisd daemon . . . . . . . . . . . . . . . . 236
Understanding NIS maps in Active Directory . . . . . . . . . . . . . . . . . . . . . . 237
6 Administrator’s Guide
Configuring the DirectControl Information Service . . . . . . . . . . . . . . . . 239
Configuring NIS clients to use Centrify DirectControl. . . . . . . . . . . . . . . 243
Configuring client authentication through adnisd . . . . . . . . . . . . . . . . . 246
Maintaining NIS maps in the Administrator’s Console . . . . . . . . . . . . . . 250
Discontinuing use of legacy NIS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Contents 7
Using adinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Using addebug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Using adrmlocal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Using adfinddomain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Using adsmb. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Using adclient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Using runmappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Using OpenLDAP commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Index 407
8 Administrator’s Guide
About this guide
Intended audience
This Administrator’s Guide provides complete information for
installing, using, and customizing Centrify DirectControl. This
guide is intended for system and network administrators who are
responsible for managing user access to servers, workstations,
enterprise applications, and network resources.
Because Centrify DirectControl requires components to be
installed in both the Windows environment and the Linux, UNIX,
or Mac OS X environment, this guide assumes you have a working
knowledge of performing administrative tasks across these different
environments. If you are unfamiliar with any of the operating
environments you need to support with Centrify DirectControl,
you may need to consult additional, operating system-specific
documentation to perform certain tasks or understand certain
concepts.
This guide also assumes basic, but not expert, knowledge of how to
perform common tasks. If you are an experienced administrator,
9
Getting a preview of what’s in this release
10 Administrator’s Guide
DirectControl and migration to Active Directory, including
information about the permissions required to perform key
Centrify DirectControl tasks and suggestions for planning how
to use zones to suit your organization.
Chapter 4, “Installing Centrify DirectControl on Windows,”
provides step-by-step instructions for installing Centrify
DirectControl Management Tools on a Windows computer and
how to update Active Directory to get started using
DirectControl.
Chapter 5, “Installing the Centrify DirectControl Agent on
Unix,” provides step-by-step instructions for installing the
Centrify DirectControl Agent and the steps to take after
installation to get started.
Chapter 6, “Managing zones,” describes the strategies for
organizing your computers into zones, how to create new
zones, and how to manage zone properties.
Chapter 7, “Managing computers,” describes how to add Unix
computers to an Active Directory domain, how to modify
computer account properties for Unix computers, and how to
change the domain for a Unix computer.
Chapter 8, “Managing users and groups,” describes how to
define Unix-based profiles for Active Directory users and
groups and how to manage access for those accounts.
Chapter 9, “Managing group policies for Unix users and
computers,” provides an overview of group policy and describes
how to apply Centrify DirectControl group policies for Unix
users and computers.
Chapter 10, “Managing licenses,” describes how to view and
update Centrify DirectControl license keys.
Chapter 11, “Importing information from NIS maps or Unix
files,” describes how to import existing users and groups from
12 Administrator’s Guide
Conventions used in this guide
The following conventions are used in this guide:
Fixed-width font is used for sample code, program names,
program output, file names, and commands that you type at the
command line. When italicized, the fixed-width font is used
to indicate variables. In addition, in command line reference
information, square brackets ([ ]) indicate optional arguments.
Bold text is used to emphasize commands, buttons, or user
interface text, and to introduce new terms.
Italics are used for book titles and to emphasize specific words or
terms.
For simplicity, Unix is used generally in this guide to refer to all
supported versions of the UNIX, Linux, and Macintosh OS X
operating systems unless otherwise noted.
The variable release is used in place of the specific release
number in the file names for individual Centrify DirectControl
software packages. For example,
centrifydc-release-sol8-sparc-local.tgz in this guide refers to the
14 Administrator’s Guide
Administrator’s Guide provides installation, administrative, and
reference information to help you install, deploy, customize,
and use Centrify DirectControl to manage Unix computers,
users, and groups through Active Directory.
Centrify DirectControl Authentication Guide for Apache describes
how to use Centrify DirectControl with Apache Web servers
and applications to provide authentication and authorization
services through Active Directory. If you are using Centrify
DirectControl with Apache, you should refer to this
supplemental documentation for details about how to configure
your Apache server to use Centrify DirectControl and Active
Directory.
Centrify DirectControl Authentication Guide for Java Applications
describes how to use Centrify DirectControl with J2EE
applications to provide authentication and authorization services
through Active Directory. If you are using Centrify
DirectControl with Java servlets, such as Tomcat, JBoss,
WebLogic, or WebSphere, you should refer to this
supplemental documentation for details about how to configure
your applications to use Centrify DirectControl and Active
Directory.
Individual Unix man pages for command reference information
for Centrify DirectControl Unix command line programs.
In addition to the Centrify DirectControl documentation, you may
want to consult the documentation for your Windows, Linux,
Unix, or Mac OS X operating system, or the documentation for
Microsoft Active Directory. This information can help you get the
most out of Centrify DirectControl.
Contacting Centrify
If you have questions or comments, we look forward to hearing
from you. For information about contacting Centrify with
questions or suggestions, visit our Web site at
www.centrify.com. From the Web site, you can get the latest
news and information about Centrify products, support, services,
and upcoming events. For information about purchasing or
evaluating Centrify products, send email to info@centrify.com.
16 Administrator’s Guide
Chapter 1
Introduction
17
Why integrate with Active Directory?
Unix and Linux systems, but they are typically isolated from each
other and managed separately.
Local accounts stored in NIS and NIS+ servers Kerberos realms and LDAP authentication for
local files on individual and account maps Key Distribution Center LDAP transactions
Unix servers and provide a central provide authentication
workstations repository for Unix for some users and
accounts services
Unix and Linux
computers
18 Administrator’s Guide
services such as messaging or database transactions. For Windows
2000, Windows XP, and Windows Server 2003, Active Directory
is the core technology for managing users, computers, and other
resources, and, therefore, is a requirement for any organization
that manages Windows resources.
In addition to being a key component of the organization’s
infrastructure, Active Directory provides a complete set of tools
for authentication, authorization, and directory service, making it
an ideal candidate for managing user accounts and access to
computer resources. By extending Active Directory to manage
Linux and Unix computers, Centrify DirectControl provides
administrators with a comprehensive identity and access
management solution while reducing administrative complexity
and overhead.
Chapter 1 • Introduction 19
What is the Centrify DirectControl solution?
20 Administrator’s Guide
complexity and expiration for all users regardless of where they
log in.
Enforce consistent security and configuration policies across
UNIX, Linux, and Mac OS X servers and workstations by
adding Centrify DirectControl group policy templates for
computer- and user-based configuration settings to Windows
Group Policy Objects.
Improve productivity and satisfaction for end-users, who now
have only one password to remember, and fewer Help Desk
calls to reset passwords or update user accounts.
Chapter 1 • Introduction 21
What is the Centrify DirectControl solution?
22 Administrator’s Guide
can access, and which users can access any specific computer or
application.
By extending Active Directory’s password requirements and
Group Policy features to UNIX, Linux, and Mac OS X servers
and workstations, Centrify DirectControl enables IT managers
to enforce consistent, enterprise-wide security policies in a
manner that can be verified by auditors.
Centrify DirectControl ensures activity on UNIX, Linux, and
Mac OS servers and workstations is written to the proper
Active Directory logs, providing an audit trail for verifying
system access.
Chapter 1 • Introduction 23
What can you do after you deploy DirectControl?
24 Administrator’s Guide
When a computer is managed by Centrify DirectControl,
authorized users can perform the following common tasks:
Log on to the Unix shell or desktop program and use Unix
programs and services such as telnet, ssh, and ftp.
Log on to a computer that is disconnected from the network or
unable to access Active Directory, if they have successfully
logged on and been authenticated by Active Directory
previously.
Manage their Active Directory passwords directly from the
Unix command line, provided they can connect to Active
Directory.
Chapter 1 • Introduction 25
What can you do after you deploy DirectControl?
26 Administrator’s Guide
Chapter 2
27
Understanding the integration of Windows and Unix
28 Administrator’s Guide
Use Active Directory and the Centrify DirectControl
Management Tools to enable and manage access and
authorization for users and groups who need to log on to or use
Unix, Linux, and Mac OS X computers.
The next sections provide a more detailed discussion of the
Centrify DirectControl Management Tools and Centrify
DirectControl Agent, including an overview of how Centrify
DirectControl zones are used, and a summary of what happens
when a user logs on to a Unix computer that has joined the Active
Directory domain.
adclient
adclient
adclient
30 Administrator’s Guide
(MMC) snap-in that allows you to centrally manage all of the
Centrify DirectControl information in the enterprise.
32 Administrator’s Guide
Understanding Centrify DirectControl Zones
One of the most important aspects of managing Unix, Linux, and
Mac OS X systems through the Centrify DirectControl
Administrator Console is the ability to organize computers and
user’s access to those computers using zones.
A Centrify DirectControl zone is similar to an Active Directory
domain or an NIS domain. Zones allow you to organize the
computers in your organization in meaningful ways to simplify
system management and the migration of account information
from existing local files, NIS databases, LDAP servers, and other
sources to Active Directory.
How you use zones will depend primarily on the needs of your
organization. In some organizations, a single default zone is
sufficient. In other organizations, using multiple zones may be a
necessity. In general, you use zones in one of two ways:
To group computers with similar properties and
requirements. For example, you may want to create one zone
for all of your Red Hat Linux workstations and another zone for
all of your Sun Solaris Unix servers because the users of the
Linux workstations prefer a different login shell, belong to a
different functional group in the organization, or have different
administrative needs than the users of the Solaris Unix servers.
To separate computers with conflicting properties
and requirements. For example, you may want to create
separate zones when a single user has multiple conflicting
identities on multiple computers.
In large organizations, Centrify DirectControl zones are especially
useful for migrating users and computers from NIS, NIS+, local
files, or LDAP to Active Directory. Using zones, administrators can
migrate existing user accounts to Active Directory users without
having to ensure that all Unix UIDs are unique throughout the
entire enterprise. Because there’s no need to rationalize the UIDs,
zones enable you to migrate the existing users quickly and easily
34 Administrator’s Guide
Extends Active Directory group policies to manage the
configuration of Unix users and computers.
Provides a Kerberos environment so that existing Kerberos
applications automatically work transparently with Active
Directory.
Although the individual agents you install are platform-specific, the
Centrify DirectControl Agent is a tightly integrated a suite of
services that work together to ensure seamless operation between
existing Unix services and applications and Active Directory
authentication and authorization.
The following figure provides a closer look at the services provided
through the Centrify DirectControl Agent:
Unix infrastructure Apache server and Java/J2EE Kerberized
(login, ftp, ssh...) applications applications applications
Centrify DirectControl
daemon
Kerberos cache, keytab
Centrify DirectControl Agent and configuration file
Offline credentials
and search results
36 Administrator’s Guide
Information Service is a separate service that works in
conjunction with the Centrify DirectControl daemon to enable
you to store NIS maps in Active Directory and publish that
information to NIS clients through Centrify DirectControl.
Optional utilities and programs, such as updated Kerberos or
the OpenLDAP commands, that have been optimized to work
with Active Directory.
38 Administrator’s Guide
configuration file, /etc/pam.conf, or, more commonly, in
application-specific files in the /etc/pam.d directory.
Centrify DirectControl includes a customized Pluggable
Authentication Module (pam_centrifydc) that enables any
application that uses PAM, such as ftpd, telnetd, login, and
Apache, to authenticate users through Active Directory. When you
join a domain, the pam_centrifydc module is automatically placed
first in the PAM stack in system-auth, so that it takes precedence
over other authentication modules.
The pam_centrifydc module is configured to work with adclient
to provide a number of services, such as checking for password
expiration, filtering for users and groups, and creating the local
home directory and default user profile files for new users. The
services provided through the pam_centrifydc module can be
customized locally on a computer, modified through Active
Directory group policy, or configured through a combination of
local and Active Directory settings.
Working in conjunction with the Centrify DirectControl daemon,
the pam_centrifydc module provides the following services for
PAM-enabled programs and applications:
Verifies the current user name and password for a session are a
valid user name and password in Active Directory.
Requests the PAM-enabled application to prompt for a
password when appropriate and verifies whether the
application-provided user name and password are valid in Active
Directory.
Checks whether the user’s password has expired in Active
Directory. If the password has expired, the pam_centrifydc
module prompts the user to change the password, and forwards
the new password to the Centrify DirectControl daemon,
which communicates the change to Active Directory.
Checks policy settings in the
/etc/centrifydc/centrifydc.conf file to determine whether
40 Administrator’s Guide
module accesses network information that’s stored in Active
Directory through LDAP.
When a Unix program or applications needs to look up
information, it checks the nsswitch.conf file and is directed to use
the nss_centrifydc module. The nss_centrifydc module directs
the request to Active Directory through the adclient daemon. The
adclient provides the information retrieved from Active
Directory, then caches responses locally to ensure faster
performance, reduce network traffic, and allow for disconnected
operation. The cache is encrypted to ensure the security of the
responses.
42 Administrator’s Guide
Understanding the log-on process
The Centrify DirectControl Agent components work together to
identify and authenticate the user any time a user logs on to a
computer using any Unix command that requires the user to enter
credentials. The following steps summarize the interaction to help
you understand the process for a typical log on request. The
process is similar, though not identical, for Unix commands that
need to get information about the current user or group.
Note The following steps focus on the operation of the Centrify
DirectControl Agent rather than the interaction between the
Centrify DirectControl Agent and Active Directory. In addition,
these steps are intended to provide a general understanding of the
operations performed through the Centrify DirectControl Agent
and do not provide a detailed analysis of a typical log on session.
When a user starts the Unix computer and is prompted to log in,
the following takes place:
1 The user enters a local Unix user name or an Active Directory
user name.
2 The Unix login process reads the PAM configuration file,
/etc/pam.conf, and determines that it should use the Centrify
DirectControl PAM service, pam_centrifydc, for
identification.
3 The Unix login process passes the login request and the user
name to the Centrify DirectControl PAM service for processing.
4 The pam_centrifydc service checks the pam.allow.override
parameter in the Centrify DirectControl configuration file to see
if the user name entered is an account that should be
authenticated locally.
If the user should be authenticated locally, the
pam_centrifydc service passes the login request to the next
PAM module specified in the PAM configuration file, for
example, to the local configuration file etc/passwd.
44 Administrator’s Guide
daemon notifies the pam_centrifydc service of the potential
conflict.
The pam_centrifydc service checks the Centrify
DirectControl configuration file to determine to issue a
warning, ignore the conflict, or prevent the user from logging
on.
If the login continues, the pam_centrifydc service asks the
Unix login process for a password.
8 The Unix login process prompts the user to provide a password
and returns the password the user enters to the pam_centrifydc
service.
9 The pam_centrifydc service checks the pam.allow.users and
pam.deny.users parameters in the Centrify DirectControl
configuration file to see if any user filtering has been specified to
allow or deny access to specific user accounts. If any user
filtering has been specified, the current user is either allowed to
continue with the login process or denied access.
10 The pam_centrifydc service checks the pam.allow.groups and
pam.deny.groups parameters in the Centrify DirectControl
configuration file to see if any group filtering has been specified
to allow or deny access to members of specific groups. If any
group filtering has been specified, the current user is either
allowed to continue with the login process or denied access
based on group membership.
11 If the current user account is not prevented from logging on by
user or group filtering, the pam_centrifydc service queries the
adclient daemon to see if the user is authorized to log on.
46 Administrator’s Guide
The following figure provides a simplified view of a typical log-on
process when using Centrify DirectControl.
Kerberos
adclient
applications
User starts a Unix log on
process using a command
such as login, telnet, ssh
Unix look-up nss_centrifydc Cached credentials
requests and search results
Check /etc/nsswitch.conf
Now that you are familiar with both the Windows and Unix
components, you are ready to install these components on your
Windows and Unix computers and begin adding Unix, Linux, and
Mac OS computers to the Active Directory domain.
48 Administrator’s Guide
Chapter 3
49
Planning Active Directory permissions
50 Administrator’s Guide
users to successfully complete the configuration of Centrify
DirectControl.
52 Administrator’s Guide
To use the displayspecifier.vbs script to set up the display
specifiers for Centrify DirectControl:
1 Log on using an enterprise administrator account or a domain
administrator for the forest root domain.
2 Open a Command Prompt window and change to the Centrify
DirectControl directory. For example:
cd C:\Program Files\Centrify\Centrify DirectControl
In most cases, you only need to set up the display specifiers once
for the Active Directory forest. If you support multiple languages,
you can manually add the display specifiers to each language you
support. For example, if your organization supports US-English
(CN=409), Standard French (CN=40C), and Japanese (CN=411), you
would add the display specifiers to these three containers. Once
you have updated Active Directory by running the
displayspecifier.vbs script or by manually adding the display
specifiers, you can access the Centrify Profile properties using
Active Directory Users and Computers.
54 Administrator’s Guide
specific permissions and related properties on those containers and
refine who has access to them. You can create the container objects
anywhere in the forest’s directory structure, but you must have at
least one Zone container object and at least one License container
object. If you plan to use private groups for any zone, you also need
to have at least one Private Groups container object.
Normally, you can create these objects when you run the Setup
Wizard, create a new zone, or manage licenses, but you can
manually create them prior to deployment, if desired.
56 Administrator’s Guide
Selecting this task Grants these rights
Delete zone • List Contents on the ZoneName object container.
• Read All Properties on the ZoneName object container.
• Allow Delete on the ZoneName object container.
• Allow Delete Subtree on the ZoneName object container.
Note The user who creates a zone by default has full control over
the zone and can delegate administrative tasks to other users and
groups through the Zone Delegation Wizard. In most cases, users
who create zone have domain administrator privileges and only the
zone owner has the appropriate rights to delegate administrative
tasks to other users.
58 Administrator’s Guide
To open an existing zone, your user account must be set with the
following permissions:
Parent container for the individual Click the Properties tab and select Allow to
zone apply the following properties to this object
For example, a ZoneName container only:
object, such as: • Read allowedAttributes
domain/Program Data/Centrify/ • Read allowedAttributesEffective
Zones/default
• Read canonicalName
• Read Description
• Read displayName
• Read name
• Read objectClass
Parent container for Users in the Click the Properties tab and select Allow to
zone apply the following properties to this object
For example: only:
domain/Program Data/Centrify/ • Read objectClass
Zones/default/Users
Parent container for Groups in the Click the Properties tab and select Allow to
zone apply the following properties to this object
For example,: only:
domain/Program Data/Centrify/ • Read objectClass
Zones/default/Groups
To rename a zone, your user account must be set with the following
permissions:
60 Administrator’s Guide
To delete a Centrify DirectControl zone from Active Directory,
your user account must be set with the following permissions:
Active Directory account used to join the domain must be set with
the following permissions:
Parent OU container object for the On the Object tab, select Allow to apply the
computer account following permission to this object only:
For example: • Create Computer Objects
domain/myOU/UnixComputers
Computer account object in Active On the Object tab, select Allow to apply the
Directory following permission to this object only:
For example, if the computer • Full Control
account is AJAX in the default This permission is required for enabling or
Active Directory Computers disabling a computer account.
container:
domain/Computers/AJAX
62 Administrator’s Guide
To remove a Unix computer from an Active Directory domain,
your Active Directory user account must be set with the following
permissions:
Parent container object for the Click the Properties tab and select Allow to
computer account in the zone apply the following properties to this object
For example, the default only:
ZoneName/Computers container • Read objectClass
object:
domain/Program Data/Centrify/
Zones/default/Computers
64 Administrator’s Guide
Select this target object To apply these permissions
The serviceConnectionPoint Click the Properties tab and select Allow to
object for the computer account apply the following properties to this object
For example, if the computer only:
account name is AJAX, select: • Read allowedAttributes
domain/Program Data/Centrify/ • Read allowedAttributesEffective
Zones/default/Computers/AJAX
then select: • Read displayName
serviceConnectionPoint objects • Read keywords
• Read managedBy
• Read Name
• Read objectClass
• Write keywords
Computer account object in Active Click the Properties tab and select Allow to
Directory apply the following properties to this object
For example, if the computer only:
account is AJAX in the default • Read objectGUID
Active Directory Computers • Read objectSid
container: • Read objectClass
domain/Computers/AJAX
• Read Operating System
• Read Operating System Version
• Read userAccountControl
If you need to change the zone for a computer account, your user
account must have the following additional permissions:
New parent container for the On the Object tab, select Allow to apply the
computer account in the new following permission to this object only:
zone • Create serviceConnectionPoint Objects
For example, if you are moving a Click the Properties tab and select Allow to
computer from the Finance zone apply the following properties to this object
to the Corporate zone, and you only:
use the default Computers • Read objectGUID
container, the target object would
be:
domain/Program Data/Centrify/
Zones/Corporate/Computers
Note You can set the permissions for modifying computer accounts
by clicking the Security tab when you are viewing a computer’s
properties.
66 Administrator’s Guide
Adding a user with a normal Active Directory primary group
In a standard Centrify DirectControl zone when the functional
level of the forest is Windows 2000 Server or Windows Server
2003 or a standard RFC 2307-compliant zone when hen the
functional level of the forest is Windows Server 2003, adding a
user account with a standard Active Directory security group as the
primary group to a zone requires the following permissions:
Private Group container object On the Object tab, select Allow to apply the
For example, if you use the default following permission to this object if a private
container: group does not already exist for the user:
domain/Program Data/Centrify/ • Create Group Objects
Private Groups
68 Administrator’s Guide
Select this target object To apply these permissions
Parent container for groups in On the Object tab, select Allow to apply the
Centrify DirectControl following permission to this object if a private
For example, if you use the default group does not already exist for the user in the
Groups container: current zone:
domain/Program Data/Centrify/ • Create serviceConnectionPoint Objects
Zones/default/Groups
Note You can set the permissions for modifying user accounts by
clicking Permissions when you are viewing the Centrify Profile
for a user.
70 Administrator’s Guide
Modifying user accounts in private groups
In a standard Centrify DirectControl zone, modifying user account
properties for a user with a private group as the primary group
requires the following permission:
72 Administrator’s Guide
Listing user account information
In a standard Centrify DirectControl zone, listing user account
information requires the following permissions:
74 Administrator’s Guide
Select this target object To apply these permissions
Group account object in Active Click the Properties tab and select Allow to
Directory apply the following properties to this object
For example: only:
domain/Users/group_name • Read groupType
• Read objectCategory
• Read objectClass
• Read objectGUID
• Read objectSid
Parent container object for the Click the Properties tab and select Allow to
individual zone apply the following properties to this object
For example, if you are adding a only:
group to the Finance zone: • Read objectGUID
domain/Program Data/Centrify/ • Write Description
Zones/Finance
76 Administrator’s Guide
In a standard RFC 2307-compliant zone, listing group account
information requires the following permissions:
Parent container for license keys On the Object tab, select Allow to apply the
For example, the Licenses following permission to this object only:
container object you created or • List Contents
selected in the Setup Wizard:
domain/Program Data/Centrify/
Licenses
78 Administrator’s Guide
container object, the permissions you set apply to all NIS maps you
add to the zone. If you select the individual NIS map object, the
permissions you set only apply to that individual NIS map.
Note Permissions to perform administrative tasks with NIS maps
must be set through ADSI Edit because these tasks are not included
in the Zone Delegation Wizard.
1 Open the ADSI Edit console snap-in and connect to the Active
Directory domain.
2 In the console tree, navigate to the Centrify DirectControl
folder. For example, if you installed Centrify DirectControl in
the default location and are setting permissions for NIS maps in
the default zone, expand Domain > CN=Program Data >
CN=Centrify > CN=Zones > CN=default.
3 Select CN=NisMaps to set permissions for all NIS Maps in a
zone, right-click, then select Properties. If setting permissions
for an individual map, expand CN=NisMaps, then select the
map object, for example, CN=auto_master, right-click and
select Properties.
4 Click the Security tab, then click Advanced.
5 Click Add to search for the user or group to which you want to
give administrative privileges, select the user or group in the
results, then click OK.
6 Scroll to locate the appropriate permissions for the object and its
properties to allow the selected user or group to perform the
administrative task, check Allow, then click OK.
To delete NIS maps in a zone, the user account must have the
following permissions:
To add entries to any NIS map in a zone, the user account must have
the following permissions:
80 Administrator’s Guide
To delete entries from any NIS map in a zone, the user account
must have the following permissions:
To modify entries in any NIS map in a zone, the user account must
have the following permissions:
To change the map type for any NIS map in a zone, the user account
must have the following permissions:
82 Administrator’s Guide
To change the map type for a specific NIS map in a zone, the user
account must have the following permissions:
84 Administrator’s Guide
DirectControl will be installed and how those systems are used,
and how you will migrate existing user communities and legacy
information to Active Directory. With this information, you can
better plan your deployment strategy before you begin adding Unix
computers to the domain.
To help you get started, you should evaluate your existing
environment to determine how best to use zones to suit the unique
needs of your organization. In evaluating the Unix environment:
Determine whether you are enabling access for computers
that are used as workstations for individual users or small
groups of users or as application servers, or both.
Consider whether you are migrating existing user information
to Active Directory and whether there are overlapping user
and groups IDs or multiple account names for individual
users.
Identify any special system or application accounts that may
have unique requirements and decide whether or not to
manage access to those accounts through Active Directory.
86 Administrator’s Guide
location, or usage pattern. Once you have a basic strategy in place,
you can create new zones whenever you need to.
88 Administrator’s Guide
Using zones to migrate existing identity stores
In many organizations, it is impractical to attempt to rationalize
user accounts across the enterprise to achieve a single global UID
for each individual user and zones are particularly useful for
migrating multiple existing Unix identity stores to Active
Directory. For example, most organizations have multiple identity
stores already in use on their current Unix platforms. These
identity stores may include LDAP directories, NIS or NIS+
domains, and local account configuration files using /etc/passwd.
Often a single user can be a member of more than one identity
store and may have a different user name, UID, or group
memberships in each. Centrify DirectControl zones allow the
organization to import the information from these legacy identity
stores without consolidating the multiple identities that each user
may have. The result might be a structure with three zones in
Active Directory: one with the pre-existing UNIX LDAP directory
information, one with information imported from an existing NIS
domain, and one with information imported from one or more
/etc/passwd files.
90 Administrator’s Guide
server with internal applications, you may want to restrict access to
that computers and the applications hosted there.
92 Administrator’s Guide
With this scenario, you can create as many zones of different types
as you need and migrate computers to different zones over time.
94 Administrator’s Guide
Using private groups for Unix users
In the Unix environment, every user account is associated with one
primary Unix group. This primary group defines the user’s file
ownership and permissions on the Unix computer. Because of this
requirement, any time you create a Unix profile for an Active
Directory user, you must specify the primary group for that user.
The primary group you specify for any user can be either a standard
Active Directory group, for example an existing domain or global
security group, or a private group.
A private group is an Active Directory group that can be reserved
for the exclusive use of an individual user within a specific zone. By
using private groups, you can allow users to manage group
membership and file access permissions outside of Active
Directory. For example, users can modify the membership of their
private group to give another user access to their files.
Depending on the zone properties you set, new Unix users are
assigned either a private group or a normal Active Directory group
by default. If you choose to use a private group, the Unix group
profile is created automatically and assigned the same name and
GID as the user account.
Because private groups can be used on a zone-by-zone basis, you
may find it convenient to use them while you plan your Active
Directory group strategy and zones. For example, if you are
importing account information from an existing identity store, you
may want to use private groups to set up accounts in Active
Directory without impacting any of your existing Active Directory
group management infrastructure. You may also want to use
private groups to allow individual users to maintain control over
their files on the Unix computers they log on to within each zone.
If you already have a well-defined Active Directory group
structure, however, you may simply want to add Unix users to the
appropriate groups within that structure. Whether you choose to
use private groups or your existing Active Directory group
structure, you can change the primary group for any user at any
time by modifying the user’s Unix profile.
Enabling Unix access for Active Directory groups gives you greater
control, consistency, and visibility for managing user accounts. For
example, you can create a nested group hierarchy in Active
Directory to manage Unix users accounts in the same way you
manage Windows accounts. Whether you create new Unix-specific
groups or use existing Active Directory groups access to Unix
computers depends on the needs of your organization and the
structure of your Active Directory forest.
96 Administrator’s Guide
Active Directory, you may notice slow performance when you run
commands that retrieve group information from Active Directory
for the first time.
For example, the id command displays the system identifications,
such as the user’s name, numeric ID, and group membership, for a
specified user. The first time you run this command for any user, it
may take longer than you expect it to because of the time it takes to
determine all of the Active Directory groups the user is a member
of. As an example, if you have nested groups or groups with more
than 1000 members, iterating through a user’s group membership
may take more than one to two minutes. Once the information is
retrieved from Active Directory, however, it is stored in the local
cache and commands that require this information take less time to
execute. Therefore, the first time you run the id command for any
user, it will take longer to execute than subsequent executions
unless you clear the cache or configure objects to expire. The same
is true for other commands that retrieve group information.
In the Unix operating environment, a user’s primary group is
normally defined in the user’s /etc/passwd entry, and, therefore,
does not need to be identified in the /etc/group entry. This is
different from the way groups are defined in Active Directory
where user accounts are defined as members of one or more
groups. By default, when you enable Unix access for an Active
Directory user, Centrify DirectControl adds the Active Directory
user to the Active Directory group associated with the default Unix
group for the zone you are giving the user access to. This
association of the user with an Active Directory group allows for
configuration management using group policies, but the Unix
environment does not require this secondary association.
To avoid a slow-down when retrieving group information using
commands such as id, you can remove Unix-enabled users from
their default group membership list. This will prevent Unix
commands like id from retrieving the complete list of users
associated with the Active Directory group, but allow the
98 Administrator’s Guide
Chapter 4
99
Preparing for installation on Windows
When you configure Centrify DirectControl for the first time, you
will be able to place Centrify DirectControl containers at any point
within your existing structure or create new containers at any
location in the tree you choose. In addition, as you add Unix
computers to the domain, you will be adding new computer
accounts to Active Directory. You may also be adding new group
and user accounts. Therefore, it is a good practice to determine a
general plan for where in Active Directory you want to place Unix
users, groups, and computers and the Centrify DirectControl
containers for licenses and zones.
6 Select the components you want to install, then click Next. For
example:
In most cases, the first time you run the setup program you
should accept the default to install all components, but there is
no requirement to do so.
Note For administrative purposes, you should install either the
Centrify DirectControl property extensions for Active
Directory Users and Computers, or the main Centrify
DirectControl Administrator Console on each computer that
needs access to the Unix attributes in the Centrify Profile. If
Active Directory Users and Computers is available on the local
computer, you can choose to install just the property extensions.
If Active Directory Users and Computers is not installed on the
local computer, you can choose to install only the Centrify
DirectControl Administrator Console.
7 Click Next to install components in the default location, or click
Browse to choose a different location, then click Next.
8 Verify your installation settings, then click Next.
9 Click Finish to complete the installation.
To start the Setup Wizard and update the Active Directory forest:
1 Log onto the computer where you installed the Centrify
DirectControl Administrator Console and start the Centrify
DirectControl Administrator Console.
2 At the Welcome page, click Next.
3 Select Use currently connected user credentials to use
your current log on account or select Specify another user’s
credentials and type a user name and password, then click
Next.
4 Select a location for installing license keys in Active Directory,
then click Next. You can create a new container object for
license keys or select an existing container object.
11 Type the numeric user identifier (UID) you want to start with
for new Unix users in this zone, then click Next.
By default, new Unix users are automatically assigned the next
available UID for the zone. For example, if you set the default
UID for a zone to 500, the first Active Directory account that
you authorize to log on to the Unix shell is assigned a user ID of
500 by default. The next user account that you give this
permission to is assigned a user ID of 501, and so on. You can
override this default value for any user, if desired.
You can also set aside some user IDs to be reserved for special
purposes. For example, if you run an application that requires a
specific user account, you may want to reserve the UID for that
account so no other users can be assigned that ID.
To prevent some UIDs from being assigned, click Add. You can
then specify individual UIDs or a range of UIDs you want to
prevent from being used. To specify both individual values and a
range of range, use a comma to separate the entries. For
example, to reserve the UIDs from 2006 to 2010 and 2025 and
2400, you could click Add, type, 2006-2010,2025,2400, then
click OK.
12 Type the numeric group identifier (GID) you want to start with
for new Unix groups in this zone, then click Next.
By default, new Unix groups are automatically assigned the next
available GID for the zone. For example, if you set the default
GID for a zone to 500, the first Active Directory group that you
authorize to log on to the Unix shell is assigned a group ID of 500
by default. The next group account that you give this permission
to is assigned a group ID of 501, and so on. You can override this
default value for any group, if desired.
You can also set aside some group IDs to be reserved for special
purposes. For example, if you run an application that requires a
specific group account, you may want to reserve the GID for that
account so no other groups can be assigned that ID.
To prevent some GIDs from being assigned, click Add. You can
then specify individual GIDs or a range of GIDs you want to
prevent from being used in the same way you reserve UIDs.
13 Type the default location you want to use when creating new
home directories for new Unix users, then click Next.
The default setting, /home/${user}, uses the special keyword
$user to create a new directory using the user’s Unix login
name. For example, if you are enabling access for the Unix user
account shea, the default home directory created is /home/shea.
You can create a different home directory for any user, if
desired.
Note The ${user} keyword is the only keyword supported. This
keyword substitutes a user’s Unix login name to create the
directory name. Although /home is the typical location of a user’s
home directory in the Unix environment, you can specify a
different directory name, if needed, for example,
/nfshome/${user}. You should be sure, however, that the
parent directory—for example, the /home or/nfshome
directory—already exists in your Unix environment, or the
115
Installing the Centrify DirectControl Agent
mount /mnt/cdrom
Using SMB shares on a Windows server For any Mac OS X users to access
SMB shares on a Windows server, you also need to disable the
Windows group policies that prevent this access.
To check and disable, if necessary, the Windows group policies that
prevent access to SMB shares:
1 Open Active Directory Users and Computers, select the
domain, right-click, then select Properties.
2 Click the Group Policy tab.
If the Default Domain Controller Policy is linked to this
domain, click Edit, then click Computer Configuration >
Windows Settings > Security Settings > Local Policies >
Security Options > Microsoft network server: Digitally
sign communications (always) and disable this policy.
If the Default Domain Policy is linked to this domain, click
Edit, then click Computer Configuration > Windows
Settings > Security Settings > Local Policies > Security
Options > Microsoft network server: Digitally sign
communications (always) and disable this policy.
If these group policies are not currently defined, you can leave
them not configured. If either policy is enabled and linked to the
domain, however, Mac OS X computers will not be able to use
SMB connections to automount the Windows file shares.
3 If you change these policies on the domain controller, run the
gpupdate command to refresh the group policies before logging
on to Mac OS X computers.
If you do not specify a zone to join, the computer will join the
“default” zone, if it exists. If you did not create the “default” zone
when you ran the Centrify DirectControl Setup Wizard, you
must specify a valid zone name to join the domain.
3 Restart running services, such as login, sshd, or gdm, or reboot
the computer to ensure all services use the updated
configuration. For example, you can run the following
command to stop running sessions:
pkill -1 sshd
Managing zones
129
Creating a new zone
you see will depend on the specific steps you took during the initial
configuration of Centrify DirectControl.
6 Select the tasks you want to delegate to the user or group, then
click Next. For example, if you want members of the selected
user or group to be able perform all administrative tasks for a
zone, check the All task.
Each time you run the Zones Report, you generate a new report
about the zones currently defined. For more information about
Managing computers
143
Using zones for Linux, Unix, and Mac OS computers
the computer joins the domain using the Windows NETDOM ADD
command, the dsadd computer command, or Active Directory
Users and Computers. (For information about the syntax for
running the commands, type NETDOM HELP ADD or dsadd computer
/? in a Command Prompt window.)
NoteAlthough you can set other properties, you cannot set any
Centrify Profile properties for the computer account until the
computer joins the domain.
7 Click OK.
You can now join the domain and enable Active Directory groups
and users to work with this Unix computer.
3 Type the Active Directory password for the user account you
specified.
If the adclient daemon is able to connect to Active Directory
and the leave operation is successful, a confirmation message is
displayed.
4 Run adjoin to join a different Active Directory domain. For
example:
adjoin --user gharris operations.acme.com
5 Type the Active Directory password for the user account you
specified.
For more information about using the adjoin and adleave
commands, see Appendix A, “Using Centrify DirectControl Unix
commands.”
3 Type the Active Directory password for the user account you
specified.
If the adclient daemon is able to connect to Active Directory and
the leave operation is successful, a confirmation message is
displayed and the Centrify DirectControl Agent is stopped.
Each time you run the Computers Report, you generate a new
report about the Unix computers currently enabled. For more
information about generating and working with reports, see
“Running reports” on page 257.
161
Using private groups for Unix users
Enabling Unix access for Active Directory groups gives you greater
control, consistency, and visibility for managing user accounts. For
example, you can create a nested group hierarchy in Active
Directory to manage Unix users accounts in the same way you
manage Windows accounts. Whether you create new Unix-specific
groups or use existing Active Directory groups access to Unix
computers depends on the needs of your organization and the
structure of your Active Directory forest.
Once you have identified the Active Directory groups that you
want to use, there are two ways to give an existing Active
Directory group access to Linux, Unix, and Macintosh computers:
You can use Active Directory Users and Computers to open the
Properties for a group, then click the Centrify Profile tab to
specify Unix properties for the group.
You can use the Centrify DirectControl Administrator Console
to add a group to any Centrify DirectControl zone.
For simplicity, the following steps describe how to add groups to a
Centrify DirectControl zone.
To add groups to a Centrify DirectControl zone:
1 Open the Centrify DirectControl Administrator Console.
Local forest
Trusted forest
Note You can only add users from the remote forest to a local
Centrify DirectControl zone. You cannot add groups from the
remote forest.
5 Type a search string to locate the user in the selected forest or
domain, then click Find Now.
6 Select one or more users in the results, then click OK.
7 Review the Unix profile settings for the user and make any
changes necessary, then click OK.
Users from a remote forest are identified in the Centrify
DirectControl Administrator Console with the following icon:
your new password. However, you can also change your own
password at any time using adpasswd.
To change your own password using adpasswd:
1 At the Unix command line, run the following command:
adpasswd
3 Type the new password for the user specified. Because you are
changing another user’s password, you are not prompted for an
old password. For example:
New password:
To map the local root account to the default Active Directory user,
you simply need to create the Active Directory user account using
the root_zonename naming convention.
To map the local root account on a specific computer to an Active
Directory user:
1 Create the Active Directory user account you want to use. For
example, if you want to use a unique Active Directory account
for each root account, you may want use the computer’s host
name in the Active Directory account name.
2 On the Unix computer, open the Centrify DirectControl
configuration file /etc/centrifydc/centrifydc.conf.
3 Modify the local account mapping so that the local root user is
mapped to the Active Directory you created. You can use
environment variables such as $DOMAIN, $ZONE, or $HOSTNAME if
you used the domain, zone, or host name in the Active Directory
account name. For example:
pam.mapuser.root: root_$HOSTNAME
Each time you run the Users Report or Groups Report, you
generate a new report about the users or group currently defined.
For more information about generating and working with reports,
see “Running reports” on page 257.
181
Understanding Group Policy Objects
Chapter 9 • Managing group policies for Unix users and computers 183
Understanding Group Policy Objects
When all of the policies are applied in their default order, the
computer’s resulting set of policies reflect these configuration
settings so that a computer in the Windows QA organizational unit
would be configured with the following policy settings:
Configure Automatic Updates: Enabled with Notify for
download and notify for install
Prevent Desktop Shortcut Creation: Disabled
It is important to consider the impact of these inheritance rules
when you are planning how you will apply Group Policy Objects to
sites, domains, or organizational units that contain Unix users and
computers.
Chapter 9 • Managing group policies for Unix users and computers 185
Understanding Group Policy Objects
Chapter 9 • Managing group policies for Unix users and computers 187
Understanding Group Policy Objects
Chapter 9 • Managing group policies for Unix users and computers 189
Understanding group policy for Unix
Chapter 9 • Managing group policies for Unix users and computers 191
Understanding group policy for Unix
Checks for the Group Policy Objects that are linked to each
organizational unit the user logging in is a member of.
Determines all of the configuration settings that apply to the
user account, and retrieves those settings from the System
Volume (SYSVOL).
Writes all of the configuration settings to a virtual registry on
the Unix computer.
Starts the runmappers program to initiate the mapping of
configuration settings using individual mapping programs for
user policies.
The mapping programs then read the virtual registry for the
appropriate Unix-specific user configuration settings and the
mapping programs locate the appropriate Unix configuration files
to change and modify those files accordingly.
After the user has logged on, the adclient daemon will
periodically check with Active Directory to determine the current
group policy settings for the user unless you explicitly disable
group policy updates.
Chapter 9 • Managing group policies for Unix users and computers 193
Adding Unix policies to a Group Policy Object
Chapter 9 • Managing group policies for Unix users and computers 195
Setting policies for Unix computers and users
The DirectControl
administrative templates
are listed under
Computer Configuration
and User Configuration
Chapter 9 • Managing group policies for Unix users and computers 197
Setting policies for Unix computers and users
SuDo Permissions Control which users can use the sudo command to run
commands as another user on a selected computers. The
policy also specifies the individual commands that the
user run as the sudo user.
Filesystem mounts Specify the file system mount points to be defined in the
/etc/fstab file.
For information about the specific policies available and how to set
them, see the Centrify DirectControl Help.
Chapter 9 • Managing group policies for Unix users and computers 199
Setting policies for Unix computers and users
For information about the specific policies available and how to set
them, see the Centrify DirectControl Help.
For information about the specific policies available and how to set
them, see the Centrify DirectControl Help.
For information about the specific policies available and how to set
them, see the Centrify DirectControl Help.
Chapter 9 • Managing group policies for Unix users and computers 201
Setting policies for Unix computers and users
Chapter 9 • Managing group policies for Unix users and computers 203
Reporting group policy settings
Chapter 9 • Managing group policies for Unix users and computers 205
Defining custom group policies
Chapter 9 • Managing group policies for Unix users and computers 207
Defining custom group policies
Chapter 9 • Managing group policies for Unix users and computers 209
Defining custom group policies
Chapter 9 • Managing group policies for Unix users and computers 211
Defining custom group policies
Managing licenses
213
Understanding how licensing works
enable Unix or Web server access and reduces the total number of
available licenses by one.
click OK, then click OK to close the Browse for container dialog
box.
5 Click Yes to add the license container to Active Directory.
6 Click Permissions to assign Read License and Modify License
permissions to specific users or groups. The users or groups that
you give the Modify License permission to can then add license
keys to the new license container.
4 Click Add.
5 Type the new license key, then click OK.
6 Click the Summary tab to view the installed licenses. Note that
license keys are Licensed, that is, available to be used, until you
begin adding computers to the domain.
7 Click OK.
Each time you run a license report, you generate a new report
about the licenses currently installed. For more information about
generating and working with reports, see “Running reports” on
page 257.
223
Importing from NIS
3 Select the zone into which you want to import users and groups,
right-click, then click Import from Unix.
4 Select Unix configuration files, then click Browse to locate
the passwd and group files on the Windows network.
Note These files must be accessible on the Windows network.
You can make them available using FTP, by copying them to a
network share, or by navigating to them directly if your Unix
computers are configured to be accessible over the Windows
network using Samba or a similar program.
When you have identified both the /etc/passwd and
/etc/group files you want to import, click Next. Although the
files can be imported independently, group information must be
available before you can import user information. Therefore,
Centrify recommends you import both files at the same time.
5 Check that both Users and Groups are selected for import,
then click Next.
6 Review the summary of information to be imported, then click
Finish.
When you click Finish, all of the user and group information is
placed in a Pending Import state to allow you to decide how
exactly in should be imported into your existing Active Directory
structure. For example, for each group you need to decide whether
it should be ignored, mapped to an existing Active Directory group
you have already created, or used to create a new Active Directory
group of its own in the Active Directory structure.
Note If you have existing NIS servers that are handling client
requests, those servers can continue to run until you have imported
sufficient data into Active Directory to transfer the client requests
to Centrify DirectControl. Although you can the leave standard NIS
servers in place indefinitely, you should plan to migrate all of your
data and NIS clients to use the DirectControl Network Information
Service if you want you to centralize all directory service in Active
Directory. Once you have imported all of the data you need into
Active Directory and configured your existing NIS clients to use the
appropriate Centrify DirectControl Network Information Service,
you can decommission any legacy NIS servers and stop any related
services.
233
Understanding the DirectControl Information Service
Although you can leave standard NIS servers in place on the Unix
network, using the DirectControl Network Information Service
allows you to centralize all directory service in Active Directory.
Once you have imported all relevant data into Active Directory and
configured the NIS clients to use the Centrify DirectControl
Network Information Service, you can discontinue using your
legacy NIS servers.
The following figure provides a simplified view of operation.
Computers that are not managed by Centrify DirectControl but
send NIS lookup requests to the NIS port on a Centrify
DirectControl-managed computer
NIS Map
xxxxxx
xxxxxx DirectControl-managed
xxxxxx adnisd
computer
adclient
Finance Zone
Active Directory
Chapter 12 • Using the DirectControl Information Service for NIS requests 235
Understanding how to deploy the adnisd daemon
Chapter 12 • Using the DirectControl Information Service for NIS requests 237
Understanding NIS maps in Active Directory
Chapter 12 • Using the DirectControl Information Service for NIS requests 239
Configuring the DirectControl Information Service
rather than use the default zone. For example, to join the
troilus.com domain and add the computer to the sales zone:
adjoin --user steph --zone sales troilus.com
To accept NIS client requests from any computer, you can set the
nisd.securenets configuration parameter as follows:
nisd.securenets: 0/0
Chapter 12 • Using the DirectControl Information Service for NIS requests 241
Configuring the DirectControl Information Service
client requests using the data in its local NIS data store. Because this
information is available in the local data store, the adnisd daemon
can respond to NIS requests even when it is unable to contact
Active Directory for map refreshes.
NoteKeep in mind that if you don’t add the adnisd daemon to a
computer’s startup script, you must manually restart the adnisd
daemon whenever the computer is rebooted.
Chapter 12 • Using the DirectControl Information Service for NIS requests 243
Configuring NIS clients to use Centrify DirectControl
3 Start the ypbind service. On Linux, you can start the service by
running the following command:
/sbin/service ypbind start
If you are using the broadcast option to locate the server, you
must start the service with the broadcast option. For example:
/usr/lib/netsvc/yp/ypbind -broadcast
Note This step is not required if you want to use the broadcast
option to locate the server when you run the ypbind command.
3 Set the NIS domain name for the client to the zone name of the
computer where the adnisd daemon is running.
domainname zone_name
4 Start the ypbind service. On HP-UX, you can start the service
by running:
/sbin/init.d/nis.client start
Chapter 12 • Using the DirectControl Information Service for NIS requests 245
Configuring client authentication through adnisd
Chapter 12 • Using the DirectControl Information Service for NIS requests 247
Configuring client authentication through adnisd
In this example, the user paul has a password hash, but the users
mlopez and jsmith do not have password hashes.
Chapter 12 • Using the DirectControl Information Service for NIS requests 249
Maintaining NIS maps in the Administrator’s Console
Chapter 12 • Using the DirectControl Information Service for NIS requests 251
Maintaining NIS maps in the Administrator’s Console
Chapter 12 • Using the DirectControl Information Service for NIS requests 253
Maintaining NIS maps in the Administrator’s Console
Once you have added map entries, you can edit or remove
information for any entry by selecting the map row to work
with, right-clicking, then selecting Properties to modify the
entry or Delete to remove the entry.
For this type of map You can edit these fields for each record
autoMaster Mountpoint to use. This field is required.
Map file to be consulted for the specified mountpoint.
This field is required.
Options to be applied. This field is optional.
Comments that describe the mountpoint or provide
additional information. This field is optional.
autoMount Name to use. This field is required.
Network path specifies from where the file system is to
be mounted. This field is required.
Options to be applied to the entry. This field is optional.
Comments that describe the mountpoint or provide
additional information. This field is optional.
Chapter 12 • Using the DirectControl Information Service for NIS requests 255
Discontinuing use of legacy NIS servers
For this type of map You can edit these fields for each record
netgroup Name of member groups. This field is required.
Comments that describe the member group or provide
additional information. This field is optional.
Each group listed in the netgroup map can then have
member entries. Member entries can be selected from
existing netgroup entries or specify an individual
machine name, user name, and domain name.
Generic Key to use in looking up the entry in the map.
Value to be returned when looking up the entry in the
map.
Comments that describe the key-value pair or provide
additional information. This field is optional.
When you are satisfied that you have all of the appropriate NIS
information stored in Active Directory and have deployed the
adnisd daemon across the enterprise, as needed, you can then stop
any remaining legacy NIS servers and complete the migration to
Active Directory for secure, centralized directory service.
Running reports
257
Understanding the information each report provides
user access and provide the information you require for business
planning and regulatory compliance.
By default, reports include information for all Unix users, groups,
computers, or zones depending on the type of report you select.
You can, however, filter report information to include only specific
zones, specific user accounts, or other attributes.
Printing reports
You can print reports either directly from the Main Report window
or by exporting to another format, then printing the exported
report.
267
Analyzing zone information in Active Directory
Note You must type the full path to the command because
addebug is not included in the path by default.
Once you run this command, all of the Centrify DirectControl
daemon activity is written to the /var/log/centrifydc.log
file.
For performance and security reasons, you should only enable
Centrify DirectControl logging when necessary, for example,
when requested to do so by Centrify Technical Support, and for
short periods of time to diagnose a problem. Keep in mind that
sensitive information may be written to this file and you should
evaluate the contents of the file before giving others access to it.
When you are ready to stop logging activity, run the addebug off
command.
With this parameter, the log level works as a filter to define the
type of information you are interested in and ensure that only the
messages that meet the criteria are written to the log. For example,
if you want to see warning and error messages but not
informational messages, you can change the log level from INFO to
WARN. By changing the log level, you can reduce the number of
messages included in the log and record only messages that indicate
a problem. Conversely, if you want to see more detail about system
activity, you can change the log level to INFO or DEBUG to log
information about operations that do not generate any warnings or
errors.
You can use the following keywords to specify the type of
information you want to record in the log file:
# Add the name of the adclient logical log and specify the
# logging level to use for it and its children:
log.com.centrify.adclient: INFO
3 Select DNS Server from the list of Server Roles. If the DNS
Server role is not currently configured, click Next.
Note If this server role is already configured on this computer,
you can skip the next steps and go on to “Configuring Unix to use
DNS service on the target domain controller” on page 278.
4 Review the summary of steps, then click Next to display the
Configure a DNS Server Wizard. Click Next to configure
the DNS server lookup zones.
5 Select the Create a forward lookup zone (recommended
for small networks) option, then click Next.
6 Select This server maintains the zone, then click Next.
7 Type the domain name (dn) component of the Active Directory
domain controller’s name, then click Next. In most cases, you
should specify a sub-domain of the top-level domain name. For
example, if the forest root domain for the organization is
acme.com, you might have a sub-domain of labs.acme.com.
Note You must specify the name of the domain controller, not its IP
address. In addition, the domain controller name must be resolvable
using either DNS or in the local /etc/hosts file. Therefore, you
must add entries to the local /etc/hosts for each domain controller
you want to use if you are not using DNS or if the DNS server
cannot locate your domain controllers.
You can add as many domain and domain controller entries to the
Centrify DirectControl configuration file as you need. Because the
entries manually specified in the configuration file override any site
settings for your domain, you can completely control
DirectControl’s binding to the domains in your forest through this
mechanism.
Note In most cases, you should use DNS whenever possible to
locate your domain controllers. Using DNS ensures that any
changes to the domain topology are handled automatically through
the DNS lookups. The settings in the configuration file provide a
manual alternative to looking up information through DNS for those
cases when using DNS is not possible. If you use the
manually-defined entries in the configuration file and the domain
topology is changed by an Active Directory administrator, you must
manually update the location of the domains in each configuration
file.
For example if you intend to join the domain mytest.lab and the
domain controller for that domain is dc1.mytest.lab and its
address is 172.27.20.1, you would run the following command:
fixdns dc1.mytest.lab 127.27.20.1
The fixdns script will then make the necessary changes to the
/etc/hosts and the DirectControl configuration file.
283
Understanding when to use command line programs
Using adjoin
The adjoin command adds the local host computer to the specified
Active Directory domain. The basic syntax for the adjoin program
is:
adjoin [options] domain
You are then prompted to provide the password for the user
jeff@acme.com.
Solaris /etc/krb5/krb5.conf
Solaris /etc/krb5/krb5.keytab
Name Purpose
daemon This is the pipe which clients open to
communicate to the agent.
dc.cache Cache of objects from the Domain
Controller
gc.cache Cache of objects from the Global Catalog
Using adleave
The adleave command removes the local host computer from its
current Active Directory domain. Once a computer has become a
member of a domain, you must run the adleave command to leave
that domain before you can move a computer to a new domain.
The basic syntax for the adleave program is:
adleave [options]
You are then prompted for the password for the user
raj@acme.com.
Using adpasswd
The adpasswd command changes the password for an Active
Directory user account. It can be used to change the password of
the current user executing the command or to change the password
of another Active Directory user. If you want to change the
password for any Active Directory account other than your own,
you must provide the user name and password of an administrative
account with the authority to change that user’s password.
The basic syntax for the adpasswd program is:
adpasswd [options] [user[@domain]]
Using adgpupdate
The adgpupdate command retrieves group policies from the Active
Directory domain controller and applies the policy settings to the
local computer and current user immediately. Under normal
conditions, without running this command, group policies are
updated automatically every 90 to 120 minutes by default. If you
want a policy change to take effect immediately, however, you can
force the group policy to be refreshed by running the adgpupdate
command. Upon updating the group policy, the adgpupdate
command then resets the timer for the next automatic update to
occur in the next 90 to 120 minutes.
Note Automatic group policy updates occur at a random interval
between 90 and 120 minutes to prevent multiple computers from
connecting to and requesting updates from the Active Directory
domain controllers at the same time. However, both the default
interval of 90 minutes and the default offset period of 30 minutes
can be configured to other values using group policy settings.
Therefore, the automatic group policy update may occur more or
less frequently in your environment. For information about setting
computer and user group policies, see Chapter 9, “Managing group
policies for Unix users and computers.” For information about
customizing the group policy update, see Appendix B,
“Customizing Centrify DirectControl configuration options.”
for the user who is currently logged in and running the adgpupdate
command. With a command line setting, you can restrict the group
policies updated to be only computer group policies or only the
current user’s group policies, if needed.
For example:
arcade.com
IP Diagnostics
Local host name: mission-sf-04
Full local host name: localhost.localdomain
Local IP Address: 192.168.147.134
Domain Diagnostics:
Domain: arcade.com
DNS query for: _gc._tcp.arcade.com
DNS query for: _ldap._tcp.arcade.com
Locating global catalogs for arcade.com from DNS
Found SRV records:
fire.arcade.com:3268
Locating domain controllers for arcade.com from DNS
Found SRV records:
fire.arcade.com:389
Testing Active Directory TCP connectivity:
Global Catalog: fire.arcade.com
gc: 3268 - good
Domain Controller: fire.arcade.com
ldap: 389 - good
smb: 445 - good
kdc: 88 - good
kpasswd: 464 - good
Anonymous LDAP bind to fire.arcade.com:3268
Retrieve DC root object
Domain Controller: fire.arcade.com:3268
Domain controller type: Windows 2003
Domain Name: ARCADE.COM
isGlobalCatalogReady: TRUE
domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Anonymous LDAP bind to fire.arcade.com:389
Retrieve DC root object
Domain Controller: fire.arcade.com:389
Domain controller type: Windows 2003
Domain Name: ARCADE.COM
isGlobalCatalogReady: TRUE
domainFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Forest Name: ARCADE.COM
Retrieving site data from arcade.com
Using machine credentials
Using principal name 'mission-sf-04$@ARCADE.COM'
Binding to arcade.com, cache=MEMORY:0x862e5e0
Retrieving subnet objects from
CN=Subnets,CN=Sites,CN=Configuration,DC=arcade,DC=com
Retrieving zone data from arcade.com
Centrify DirectControl 2.x zones:
default - arcade.com/Program Data/Centrify/Zones/default
Computer Account Diagnostics
Joined as: mission-sf-04
Searching for
(&(samAccountName=mission-sf-04$)(objectClass=computer))
in dc=ARCADE,dc=COM
Found computer account:
CN=mission-sf-04,CN=Computers,DC=arcade,DC=com
Kerberos key number from computer account: 2
Examining local keys
Keys in /etc/krb5.keytab for arcade.com
version - timestamp - principal - encryption
2 02/22/06 09:20:31 cifs/mission-sf-04@ARCADE.COM ...
2 02/22/06 09:20:31 ftp/mission-sf-04@ARCADE.COM ...
2 02/22/06 09:20:31 HTTP/mission-sf-04@ARCADE.COM ...
Using addebug
The addebug command is used to start or stop detailed logging
activity for the Centrify DirectControl daemon on a local Unix
computer.
The basic syntax for the addebug program is:
addebug [on | off]
Note You must type the full path to the command because addebug
is not included in the path by default.
Using adrmlocal
The adrmlocal command reports and removes local user names
that duplicate Active Directory user names.
The basic syntax for the adrmlocal program is:
adrmlocal [--interactive] [--commit] [--force] [--version]
Using adfinddomain
The adfinddomain command displays the domain controller
associated with the Active Directory domain you specify.
The basic syntax for the adfinddomain program is:
adfinddomain [--format name|ldap|ip] [--verify] [--version]
[domain]
Using adsmb
The adsmb command allows you to perform various file operations,
such as get a file, write a file, or display the contents of a directory
using the Centrify DirectControl smb stack. You can run this
command using your log-on credentials or using the credentials for
the local computer account. To use the local computer’s credential,
you must have root-level permission. You can specify the domain
controller to use or use the nearest domain controller for the
joined domain.
Note You can use this command in conjunction with group policies
to copy files and directories to and from Windows file shares.
Using adclient
Most Centrify DirectControl operations are managed by the
central daemon process adclient. This daemon is automatically
started when the system is first booted. The daemon generally
remains running as long as the computer is powered up so that it
can handle all of the authentication and authorization interaction
between Active Directory and the Unix shell programs or Web
applications that need this information.
Although you typically start and stop adclient from a startup
script, you can run adclient directly from the command line to
control the operation of the Centrify DirectControl Agent on a
local computer.
The basic syntax for running adclient at the command line is:
adclient [-x] [-c] [-d] [-F]
Using runmappers
The runmappers command allows you to manually run the mapper
programs that configure group policies for Unix users or
computers. As discussed in “Understanding group policy for Unix”
on page 189, individual mapper programs located in the
/usr/share/centrifydc/mappers/machine and
/usr/share/centrifydc/mappers/user/user_name directories
read settings from the Unix “virtual registry” and translate them
into the appropriate settings in application-specific configuration
files. By default, the Centrify DirectControl Agent is normally
323
Understanding the syntax in the configuration file
lrpc.connect.timeout
lrpc.session.timeout
lrpc.timeout
adclient.autoedit
This configuration parameter specifies whether or not the Centrify
DirectControl daemon is allowed to automatically edit the NSS and
PAM configuration files on the local computer.
The parameter value is set to true to allow the files to be edited, or
false to prevent the files from being edited. The following
example allows the NSS and PAM configuration files to be edited:
adclient.autoedit: true
On Solaris, you need to add the following lines to the top of the
/etc/pam.conf file:
rlogin auth sufficient pam_centrifydc.so debug
rlogin auth requisite pam_centrifydc.so deny debug
login auth sufficient pam_centrifydc.so debug
login auth requisite pam_centrifydc.so deny debug
passwd auth sufficient pam_centrifydc.so try_first_pass debug
passwd auth requisite pam_centrifydc.so deny debug
other auth sufficient pam_centrifydc.so debug
other auth requisite pam_centrifydc.so deny debug
cron account sufficient pam_centrifydc.so debug
other account sufficient pam_centrifydc.so debug
other password sufficient pam_centrifydc.so debug
other session sufficient pam_centrifydc.so debug
adclient.binding.refresh.interval
This configuration parameter specifies how often to refresh the
LDAP bindings to the preferred Active Directory site if a computer
is connected to a domain controller in another site.
If the Centrify DirectControl daemon is unable to communicate
with a local domain controller, it automatically connects to an
available domain controller in another site until a domain
controller in its preferred site becomes available. To determine
when a domain controller in the preferred site is available, the
daemon periodically attempts to re-connect to domain controllers
in its preferred site whenever it is connected to a backup domain
controller in another site. This parameter controls how frequently
the daemon performs the attempt to re-connect to the preferred
site.
The parameter value specifies the number of seconds between
refresh attempts. It must be an integer greater than zero. The
following example sets the interval time to 60 minutes:
adclient.binding.refresh.interval: 60
adclient.cache.encrypt
This configuration parameter specifies whether you want to
encrypt the local cache of Active Directory data. If you set this
parameter to true, all of the Active Directory data stored in the
cache is encrypted and the cache is flushed each time the Centrify
DirectControl daemon starts up. If you set this parameter to false,
the cache is not encrypted and is not flushed when the Centrify
DirectControl daemon starts up.
For example, to encrypt all data in the cache:
adclient.cache.encrypt: true
adclient.cache.encryption.type
This configuration parameter specifies the type of encryption to use
when encrypting the local cache. The encryption type you specify
must be a type supported in the Kerberos environment. For
example, Windows Server 2003 Kerberos supports the following
cryptographic algorithms: RC4-HMAC, DES-CBC-CRC and
DES-CBC-MD5.
For example:
adclient.cache.encryption.type: des-cbc-md5
adclient.cache.expires
This configuration parameter specifies the number of seconds
before an object in the Centrify DirectControl domain controller
cache expires.
Every object retrieved from Active Directory is stamped with the
system time when it enters the domain controller cache. The
object can then be retrieved from the local cache until it expires.
Once an object expires, if it is needed again, the Centrify
DirectControl daemon will contact Active Directory to determine
whether to retrieve an updated object (because the object has
changed) or renew the expired object (because no changes have
been made). To make this determination, the Centrify
DirectControl daemon checks the highestUSN for the expired
object. If the value has changed, the daemon retrieves the updated
object. If the highestUSN has not changed, the daemon resets the
object’s timestamp to the new system time and retrieves the object
from the cache.
Note This configuration parameter applies to generic objects in the
domain controller cache and becomes the default expiration period
for all object types. You can set separate expiration periods for
specific objects types using the object-specific configuration
parameters. For example, you can set different expiration times for
computer objects and user objects using the
adclient.cache.expires.computer, and
adclient.cache.expires.user configuration parameters. This
generic object expiration setting applies to any object for which you
do not set an object-specific expiration period.
adclient.cache.expires.computer
This configuration parameter specifies the number of seconds
before a computer object in the Centrify DirectControl domain
controller cache expires. If this parameter is not specified, the
generic object cache expiration value is used.
Every computer object retrieved from Active Directory is stamped
with the system time when it enters the domain controller cache.
The object can then be retrieved from the local cache until it
expires.
Once an object expires, if it is needed again, the Centrify
DirectControl daemon will contact Active Directory to determine
whether to retrieve an updated object (because the object has
changed) or renew the expired object (because no changes have
been made). To make this determination, the Centrify
DirectControl daemon checks the highestUSN for the expired
object. If the value has changed, the daemon retrieves the updated
object. If the highestUSN has not changed, the daemon resets the
object’s timestamp to the new system time and retrieves the object
from the cache.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Timeout Settings > Computer Object
adclient.cache.expires.extension
This configuration parameter specifies the number of seconds
before an extension object in the Centrify DirectControl domain
controller cache expires. If this parameter is not specified, the
generic object cache expiration value is used.
Every object retrieved from Active Directory is stamped with the
system time when it enters the domain controller cache. The
object can then be retrieved from the local cache until it expires.
Once an object expires, if it is needed again, the Centrify
DirectControl daemon will contact Active Directory to determine
whether to retrieve an updated object (because the object has
changed) or renew the expired object (because no changes have
been made). To make this determination, the Centrify
DirectControl daemon checks the highestUSN for the expired
object. If the value has changed, the daemon retrieves the updated
object. If the highestUSN has not changed, the daemon resets the
object’s timestamp to the new system time and retrieves the object
from the cache.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Timeout Settings > Extension Object
adclient.cache.expires.gc
This configuration parameter specifies the number of seconds
before information in the Centrify DirectControl Global Catalog
cache expires. The Global Catalog cache contains the distinguished
name (DN) for each object that has been looked up in Active
Directory. The primary purpose of the Global Catalog cache is to
store the results from paged object searches. Object attributes are
stored in the Centrify DirectControl domain controller cache.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Timeout Settings > Global Catalog Object
Expiration Time group policy by selecting Enabled and
specifying the maximum number of seconds for a computer object
to be kept in the local cache. You can, however, set it manually in
the configuration file if you aren’t using group policy or want to
temporarily override group policy.
If you are manually setting this parameter, the parameter value
must be a positive integer. The following example sets the cache
expiration time for Global Catalog objects to 1800 seconds (30
minutes):
adclient.cache.expires.gc: 1800
adclient.cache.expires.group
This configuration parameter specifies the number of seconds
before a group object in the Centrify DirectControl domain
controller cache expires. If this parameter is not specified, the
generic object cache expiration value is used.
Every group object retrieved from Active Directory is stamped
with the system time when it enters the domain controller cache.
The object can then be retrieved from the local cache until it
expires.
Once an object expires, if it is needed again, the Centrify
DirectControl daemon will contact Active Directory to determine
whether to retrieve an updated object (because the object has
changed) or renew the expired object (because no changes have
been made). To make this determination, the Centrify
DirectControl daemon checks the highestUSN for the expired
object. If the value has changed, the daemon retrieves the updated
object. If the highestUSN has not changed, the daemon resets the
object’s timestamp to the new system time and retrieves the object
from the cache.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Timeout Settings > Group Object
Expiration Time group policy by selecting Enabled and
specifying the maximum number of seconds for a group object to
be kept in the local cache. You can, however, set it manually in the
configuration file if you aren’t using group policy or want to
temporarily override group policy.
If you are manually setting this parameter, the parameter value
must be a positive integer. The following example sets the cache
expiration time for group objects to 1800 seconds (30 minutes):
adclient.cache.expires.group: 1800
adclient.cache.expires.search
This configuration parameter specifies the number of seconds
before the results of an Active Directory search expire.
Search expiration is handled separately from object expiration
because a search result may include objects that have been deleted
or be missing objects that have been added that meet the search
criteria.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Timeout Settings > Search Expiration Time
group policy by selecting Enabled and specifying the maximum
number of seconds for a search result to be kept in the local cache.
You can, however, set it manually in the configuration file if you
aren’t using group policy or want to temporarily override group
policy.
If you are manually setting this parameter, the parameter value
must be a positive integer. The following example sets the cache
expiration time for search to 1800 seconds (30 minutes):
adclient.cache.expires.search: 1800
adclient.cache.expires.user
This configuration parameter specifies the number of seconds
before a user object in the Centrify DirectControl domain
controller cache expires. If this parameter is not specified, the
generic object cache expiration value is used.
Every user object retrieved from Active Directory is stamped with
the system time when it enters the domain controller cache. The
object can then be retrieved from the local cache until it expires.
adclient.cache.negative.lifetime
This configuration parameter specifies how long, in minutes, a
negative object should remain in the cache. A negative object is
returned when an object is not found in a search result. This
configuration parameter determines how long that negative result
should remain in the cache, regardless of the object type or object
expiration time. By storing this negative result in the cache, the
Centrify DirectControl daemon does not need to connect to Active
Directory to look for an object that was previously not found.
adclient.cache.object.lifetime
This configuration parameter specifies how long, in hours, an
Active Directory object should remain in the local cache. Setting
the parameter value to 0 keeps objects in the cache indefinitely.
When you set this parameter to 0, objects remain in the cache until
they are deleted from Active Directory or the cache is manually
flushed with the adflush command. If you don’t want objects to
remain in the cache indefinitely, you can use this parameter to set
the maximum amount of time an object should be available in the
cache.
For example, if you want to set the maximum time for an object to
be held in the cache to 12 hours, you can set this configuration
parameters as follows:
adclient.cache.object.lifetime: 12
With this setting, object values can be retrieved from the local
domain controller cache for 12 hours. At the end of the 12 hour
period, however, the object is removed from the local cache and
must be retrieved from Active Directory if it is needed again.
If this parameter is not defined in the configuration file, its default
value is 0.
adclient.client.idle.timeout
This configuration parameter specifies the number of seconds
before the Centrify DirectControl daemon will drop a socket
connection to an inactive client.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
adclient.clients.socket
This configuration parameter specifies the named socket through
which clients communicate with the Centrify DirectControl
daemon.
The parameter value must be the name of the socket. For example:
adclient.clients.socket: /var/centrifydc/daemon
adclient.clients.threads
This configuration parameter specifies the number of threads the
Centrify DirectControl daemon pre-allocates for processing client
requests.
The parameter value must be an integer zero or greater. If you set
this parameter to zero, the Centrify DirectControl daemon
processes requests sequentially. For example:
adclient.clients.threads: 4
adclient.clients.threads.poll
This configuration parameter specifies the number of milliseconds
the Centrify DirectControl daemon waits between checks to see if
a client's request has been completed.
Request completion polling is necessary to eliminate race
conditions in operating environments such as Linux that don't have
pselect implemented in the kernel. This polling mechanism
should be disabled if the operating system has an atomic pselect.
The parameter value must be an integer zero or greater. A value of
zero turns off polling. For example:
adclient.clients.threads.poll: 100
adclient.fetch.object.count
This configuration parameter specifies the number of objects to
obtain in a single LDAP request. You can use this parameter to
optimize the number of objects to suit your environment.
The parameter value must be a positive integer. For example:
adclient.fetch.object.count: 5
adclient.hash.allow
This configuration parameter specifies the list of users you want to
allow to have their password hash stored. By default, Centrify
DirectControl stores a Unix-style MD5 hash of each user’s
password in the cache when the user is authenticated during login.
Storing the password hash allows previously authenticated users to
log on when the computer is disconnected from the network or
Active Directory is unavailable.
Although the default behavior is to store the password hash for all
users, you can use this parameter to explicitly list the users whose
hashed passwords are stored in the cache. If you use this parameter,
only the users you specify can log on when the computer is
disconnected from the network or Active Directory is unavailable.
The parameter value can be one or more user names. If more than
one name, the names can be separated by commas or spaces. For
example:
adclient.hash.allow: jdoe bsmith
adclient.hash.expires
This configuration parameter specifies the number of days the
password hash for any user can be stored in the cache before it
expires.
The parameter value must be a positive integer. A value of zero (0)
specifies that the password hash should never expire. For example,
to set this parameter so that the password hash expires after 7 days:
adclient.hash.expires: 7
adclient.ldap.packet.encrypt
This configuration parameter specifies the LDAP encryption policy
you use. This configuration parameter is equivalent to the
encryption policy setting on the Windows Server 2003. For
example, if your organization has a security policy that does not
allow unencrypted LDAP traffic, you can use this parameter to
specify that all connections to Active Directory are encrypted. If
your organization isn’t concerned with the encryption of LDAP
data and you want better performance, you can force all
connections to be unencrypted.
The parameter value must be one of the following valid options:
Allowed to allow both encrypted and unencrypted LDAP
traffic.
Disabled to prevent encrypted LDAP traffic.
Required to require all LDAP traffic to be encrypted.
For example:
adclient.ldap.packet.encrypt: Allowed
adclient.ldap.socket.timeout
This configuration parameter specifies the time, in seconds, the
Centrify DirectControl daemon will wait for a socket connection
timeout during LDAP binding.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Timeout Settings > LDAP Connect Timeout
group policy by selecting Enabled and specifying the maximum
number of seconds to wait for a connection. You can, however, set
it manually in the configuration file if you aren’t using group policy
or want to temporarily override group policy.
If you are manually setting this parameter, the parameter value
must be a positive integer greater than zero. For example:
adclient.ldap.timeout
This configuration parameter specifies the time, in seconds, the
Centrify DirectControl daemon will wait for a response from
Active Directory before it gives up on the LDAP connection.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Timeout Settings > LDAP Response
Timeout group policy by selecting Enabled and specifying the
maximum number of seconds to wait for a response from the
LDAP server. You can, however, set it manually in the
configuration file if you aren’t using group policy or want to
temporarily override group policy.
If you are manually setting this parameter, the parameter value
must be a positive integer. For example:
adclient.ldap.timeout: 60
adclient.paged.search.max
This configuration parameter specifies the maximum number of
items included in each page of a paged LDAP search.
The parameter value must be a positive integer. For example:
adclient.paged.search.max: 100
increased traffic places on the server, but you decrease the RAM
used by the Centrify DirectControl daemon. If you increase the
number of items included in each LDAP page, you decrease the
number of connections to Active Directory and reduce the overall
demand on the server, but you increase the RAM used by the
Centrify DirectControl daemon.
adclient.sntp.enabled
This configuration parameter specifies whether you want to use the
Windows Time Service to keep the local system clock in sync with
the domain the computer has joined.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
System > Windows Time Service > Time Providers >
Enable Windows NTP Client group policy by selecting
Enabled. You can, however, set it manually in the configuration
file if you aren’t using group policy or want to temporarily override
group policy.
If you are manually setting this parameter, the parameter value
must be true or false. For example:
adclient.sntp.enabled: true
adclient.sntp.poll
This configuration parameter specifies whether the interval, in
seconds, between SNTP clock updates when you are using the
Windows Time Service to keep the local system clock in sync with
the domain the computer has joined.
For example, to set the interval to every 300 seconds:
adclient.sntp.poll: 300
adjoin.adclient.wait.seconds
This configuration parameter specifies the number of seconds the
adjoin command should wait before exiting to ensure the Centrify
DirectControl Agent is available to complete the join operation.
dns.dc.domain_name
This configuration parameter can be used to specify the domain
controller host names if your DNS is not configured to use Active
Directory. In most cases, you should not use this configuration
parameter in a production environment because Active Directory
automatically updates DNS with failover and replica servers
optimized for the Active Directory site configuration. This
configuration parameter is used primarily for configuring an
evaluation environment when the DNS server is on a Unix
computer and can’t provide the _ldap service records.
To set this parameter, the Active Directory domain name must be
specified as the last portion of the configuration parameter name,
and the parameter value is the host name of the domain controller.
For example, if the Active Directory domain is acme.com and the
domain controller for that domain is coyote.acme.com:
dns.dc.acme.com: coyote.acme.com
Note You must specify the name of the domain controller, not its IP
address. In addition, the domain controller name must be resolvable
using either DNS or in the local /etc/hosts file. Therefore, you
must add entries to the local /etc/hosts for each domain controller
you want to use if you are not using DNS or if the DNS server
cannot locate your domain controllers.
dns.forcetcp
This configuration parameter can be used to force all DNS queries
to use TCP rather than UDP. The parameter value can be true or
false. For example:
dns.forcetcp: false
dns.gc.domain_name
This configuration parameter can be used to specify the domain
controller used as the global catalog if your DNS is not configured
to use Active Directory. In most cases, you do not use this
configuration parameter in a production environment. This
configuration parameter is used primarily for configuring an
evaluation environment when the DNS server is on a Unix
computer and can’t provide the _gc service records.
To set this parameter, the Active Directory domain name must be
specified as the last portion of the configuration parameter name,
and the parameter value is the host name of the domain controller.
For example, if the Active Directory domain is arcade.com and the
domain controller for that domain is fire.arcade.com:
dns.gc.arcade.com: fire.arcade.com
Note You must specify the name of the domain controller, not its IP
address. In addition, the domain controller name must be resolvable
using either DNS or in the local /etc/hosts file. Therefore, you
must add entries to the local /etc/hosts for each domain controller
you want to use if you are not using DNS or if the DNS server
cannot locate your domain controllers.
log
This configuration parameter defines the level of detail written to
the Centrify DirectControl log file. The log level works as a filter
to define the type of information you are interested in and ensure
that only the messages that meet the criteria are written to the log.
For example, if you want to see warning and error messages but
not informational messages, you can change the log level from INFO
to WARN.
For more information about logging and setting the log level, see
“Configuring logging for Centrify DirectControl” on page 270.
lrpc.connect.timeout
This configuration parameter specifies the number of seconds the
Centrify DirectControl NSS or PAM service should wait for a
response from the Centrify DirectControl daemon during an initial
connection attempt. If the initial connection to adclient takes
longer than specified by this parameter, the service will time out
and terminate the attempt to connect. In most cases, there’s no
need to modify this parameter.
The parameter value must be a positive integer. For example:
lrpc.connect.timeout: 5
lrpc.session.timeout
This configuration parameter specifies the maximum number of
seconds to keep the adclient connection open to respond to
context-dependent requests, such as pwgetent or lsgroup
requests. Lowering this value reduces the chance of a
multi-threaded program being affected by an adclient restart, but
may cause slow context-dependent commands to fail to return
results because the session times out before the command
completes its operation. Increasing the value of this parameter
reduces the overhead of re-establishing a connection for multiple
requests.
For example:
ldap.session.timeout: 30
lrpc.timeout
This configuration parameter specifies the number of seconds the
local client should wait for a response from the Centrify
DirectControl daemon before ending a requested operation.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Timeout Settings > LRPC Response
Timeout group policy by selecting Enabled and specifying the
maximum number of seconds to wait for a response. You can,
however, set it manually in the configuration file if you aren’t using
group policy or want to temporarily override group policy.
If you are manually setting this parameter, the parameter value
must be an integer greater than zero. The following example sets
the inactive client timeout to 5 minutes:
lrpc.timeout: 300
adclient.krb5.autoedit
This configuration parameter specifies whether or not the Centrify
DirectControl daemon should automatically update the Kerberos
configuration file with new information, such as domains and IP
addresses, as the daemon discovers this information.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Kerberos Settings > Manage Kerberos
Configuration group policy by selecting Enabled and selecting
the Manage Kerberos Configuration option. You can,
however, set it manually in the configuration file if you aren’t using
group policy or want to temporarily override group policy.
If you are manually setting this parameter, the parameter value
must be true or false. In most cases, this parameter should be set
adclient.krb5.conf.file
This configuration parameter specifies the location and file name of
the Kerberos configuration file on the local computer.
The parameter value must be an absolute path to a file. For
example:
adclient.krb5.conf.file: /etc/krb5/krb5.conf
adclient.krb5.keytab
This configuration parameter specifies the location and file name of
the Kerberos key table file.
The parameter value must be a path name. For example:
adclient.krb5.keytab: /etc/krb5/krb5.keytab
adclient.krb5.keytab.entries
This configuration parameter specifies the number of entries that
the Centrify DirectControl daemon maintains in the Kerberos key
table for a service principal.
This value determines the number of key versions that are kept per
service principal. Its value must be a positive integer. For example:
adclient.krb5.keytab.entries: 3
adclient.krb5.passwd_check_s_address
This configuration parameter specifies whether Kerberos should
ignore the source address on private messages. This setting is useful
when Active Directory uses NAT.
The parameter value can be true or false. The default value for
this parameter is true. For example:
adclient.krb5.passwd_check_s_address: false
adclient.krb5.permitted.encryption.types
This configuration parameter specifies the types of encryption that
can be used in Kerberos client credentials.
The parameter value must be one or more encryption types,
separated by a space. For example:
adclient.krb5.permitted.encryption.types: rc4-hmac
des-cbc-md5
adclient.krb5.service.principals
This configuration parameter specifies additional service principals
for entries in the Kerberos key table. The key table is populated by
default with the service principals host and http.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Kerberos Settings > Service Principals
group policy by selecting Enabled and listing the service
principals to add. You can, however, set it manually in the
configuration file if you aren’t using group policy or want to
temporarily override group policy.
This parameter’s value must be one or more principal service
names, separated by a space or by a comma. For example:
adclient.krb5.service.principals: ldap nfs
adclient.krb5.tkt.encryption.types
This configuration parameter specifies the types of encryption that
can be presented to the server in the TGT when the computer is
requesting service tickets.
adjoin.krb5.conf.file
This configuration parameter specifies the path to a customized
Kerberos configuration file you want to use to join a domain.
The parameter value must be a path name. For example:
adjoin.krb5.conf.file: /etc/centrifydc/krb5_join.conf
krb5.cache.clean
This configuration parameter specifies whether Kerberos
credentials in the cache should be deleted when a user logs out. By
default, credentials stored in the Kerberos cache that belong to
users who are not logged in are periodically deleted. This
configuration parameter allows you to control this operation
specifically for Centrify DirectControl users or for all users.
The parameter value must be one of the following valid settings:
off to turn off the deletion of the credentials cache for all users.
For example, to remove the credentials cache for all users when
they log out:
krb5.cache.clean: all
krb5.cache.clean.interval
This configuration parameter specifies how frequently in minutes
to check the Kerberos cache for credentials that belong to users
who are not logged on that need to be deleted.
The parameter value should be a positive integer. Setting this
parameter to zero disables periodic clean-up of the cache. For
example, to set the clean-up interval to 5 minutes:
krb5.cache.clean.interval: 5
The default value for this parameter deletes the credential cache for
users who have logged off every one minute.
krb5.cache.renew.interval
This configuration parameter specifies, in hours, how often to
renew the Kerberos credentials stored in the cache for users who
have logged on successfully. Because Kerberos tickets expire after a
set period of time, you can use this configuration parameter to
periodically renew the existing Kerberos ticket to keep existing
credentials valid.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Kerberos Settings > Credential Renewal
Interval group policy by selecting Enabled and setting the
interval for renewing Kerberos credentials. You can, however, set it
manually in the configuration file if you aren’t using group policy or
want to temporarily override group policy.
If you are manually setting this parameter, the parameter value
must be a positive integer. A value of zero disables renewal. For
example, to set the renewal interval to 8 hours:
krb5.config.update
This configuration parameter specifies, in hours, how frequently
the Centrify DirectControl daemon updates the Kerberos
configuration file.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Kerberos Settings > Configuration Update
Interval group policy by selecting Enabled and setting the
interval for automatically updating the Kerberos configuration file.
You can, however, set it manually in the configuration file if you
aren’t using group policy or want to temporarily override group
policy.
If adclient.krb5.autoedit is set to false, this parameter has no
effect. If adclient.krb5.autoedit is set to true, this parameter
value must be a positive integer. For example, to set the update
interval to 8 hours:
krb5.config.update: 8
krb5.forwardable.user.tickets
This configuration parameter specifies whether you want Centrify
DirectControl to create forwardable Kerberos user tickets.
Creating a forwardable ticket allows a user’s logon ticket to be sent
to another computer and used to access to additional systems and
resources. For example, if a user logs on and is authenticated on
one computer, then uses a Kerberized telnet session to connect to
a second computer, a forwarded ticket allows the user to access to
additional Kerberized resources from that second computer
without separate authentication.
krb5.permit.dns.spn.lookups
This configuration parameter specifies whether you want to permit
Centrify DirectControl to look up service principal names (SPN)
using DNS. In most cases, you should set this parameter to false
to ensure the security of the system. You should only set this
configuration parameter to true if you can safely rely on DNS for
security and want to use programs that use the Centrify
DirectControl Kerberos libraries to access a computer using an IP
address or localhost.
For example:
krb5.permit.dns.spn.lookups: false
pam.account.locked.mesg
This configuration parameter specifies the message displayed if a
user account is locked because of too many failed login attempts.
For example:
pam.account.locked.mesg: Account locked
pam.allow.groups
This configuration parameter specifies the groups allowed to access
PAM-enabled applications. When this parameter is defined, only
the listed groups are allowed access. All other groups are denied
access.
If you want to use this parameter to control which users can log in
based on group membership, the groups you specify should be valid
Active Directory groups, but the groups you specify do not have to
be enabled for Unix. Local group membership and invalid Active
Directory group names are ignored.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Login Settings > Login Controls group policy
by selecting the allow option and specifying one or more group
names. You can, however, set it manually in the configuration file if
you aren’t using group policy or want to temporarily override
group policy.
If you use this parameter to control access by group name, Centrify
DirectControl checks the Active Directory group membership for
every user who attempts to use PAM-enabled applications on the
host computer.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks with Active Directory to see
what groups the user belongs to. If the user is a member of any
Active Directory group specified by this parameter, the user is
accepted and authentication proceeds. If the user is not a member
Note If you are specifying an Active Directory group that has been
Unix-enabled, you can use the short format of the group name as in
the previous example. If you are specifying an Active Directory
group that has not been enabled for Unix access, you must use the
full canonical name of the group. For example, if the domain is
arcade.com and the group is HelpDesk:
pam.allow.groups: arcade.com/Users/HelpDesk
pam.allow.override
This configuration parameter is used to override authentication
through Active Directory to ensure the root user or another local
account has permission to log on when authentication through
Active Directory is not possible, when there are problems running
the Centrify DirectControl daemon, or when there are network
communication issues.
When you specify a user account for this parameter, authentication
is passed on to a legacy authentication mechanism, such as
/etc/passwd. You can use this parameter to specify an account that
you want to ensure always has access, even if communication with
Active Directory or the Centrify DirectControl daemon fails. For
example, to ensure the local root user always has access to a system
even in an environment where you have enabled root mapping, you
can specify:
pam.allow.override: root
To log in locally with the override account, you must specify the
local user name and password. However, because the account is
mapped to an Active Directory account, you must append
@localhost to the user name. For example, if you have specified
root as the override account and are using root mapping, you
would type root@localhost when prompted for the user name.
You can then type the local password for the root account and log
in without being authenticated through Active Directory.
Note If you are mapping the root user to an Active Directory
account and password, you should set this parameter to root or to
a local user account with root-level permissions (UID 0), so that you
always have at least one local account with permission to access
system files and perform privileged tasks on the computer even if
there are problems with the network connection, Active Directory,
or the Centrify DirectControl daemon.
pam.allow.password.change
This configuration parameter specifies whether users who log in
with an expired password should be allowed to change their
password. You can set this parameter to true or false and use it in
conjunction with the pam.allow.password.expired.access
parameter to control access for users who attempt to log on with
an expired password.
If both this parameter and pam.allow.password.expired.access
are set to true, users logging on with an expired password are
allowed to log on and are prompted to change their password.
pam.allow.password.change.mesg
This configuration parameter specifies the message displayed when
users are not permitted to change their expired password because
the pam.allow.password.change parameter is set to false.
For example:
pam.allow.password.change.mesg: Password change not
permitted
pam.allow.password.expired.access
This configuration parameter specifies whether users who log in
with an expired password should be allowed access. You can set this
parameter to true or false and use it in conjunction with the
pam.allow.password.change parameter to control access for users
who attempt to log on with an expired password.
If this parameter is set to true, users logging on with an expired
password are allowed to log on, and either prompted to change
their password if the pam.allow.password.change parameter is set
to true, or notified that they are not allowed to change their
expired password if the pam.allow.password.change parameter is
set to false.
pam.allow.password.expired.access.mesg
This configuration parameter specifies the message displayed when
users are not permitted to log on with an expired password because
the pam.allow.password.expired.access parameter is set to
false.
For example:
pam.allow.password.expired.access.mesg: Password expired -
access denied
pam.allow.users
This configuration parameter specifies the users who are allowed to
access PAM-enabled applications. When this parameter is defined,
only the listed users are allowed access. All other users are denied
access.
If you want to use this parameter to control which users can log in,
the users you specify should be valid Active Directory users that
have a valid Unix profile for the local computer’s zone. If you
specify local user accounts or invalid Active Directory user names,
these entries are ignored.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Login Settings > Login Controls group policy
by selecting the allow option and specifying one or more user
names. You can, however, set it manually in the configuration file if
you aren’t using group policy or want to temporarily override
group policy.
To specify a file that contains a list of the users allowed access, type
the path to the file:
pam.allow.users: file:/etc/centrifydc/users.allow
pam.create.k5login
This configuration parameter specifies whether the .k5login file
should be created automatically in the user’s home directory. This
file is used to enable Kerberos authentication and single sign-on in
PAM-aware applications.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > PAM Settings > Create .5login group policy
by selecting Enabled. You can, however, set it manually in the
configuration file if you aren’t using group policy or want to
temporarily override group policy.
The parameter value can be true or false. If set to true, Centrify
DirectControl will create the .k5login file in the user’s home
directory.
For example:
pam.create.k5login: true
pam.deny.groups
This configuration parameter specifies the groups that should be
denied access to PAM-enabled applications. When this parameter is
defined, only the listed groups are denied access. All other groups
are allowed access.
If you want to use this parameter to control which users can log in
based on group membership, the groups you specify should be valid
Active Directory groups, but the groups you specify do not need to
be enabled for Unix. Local group membership and invalid Active
Directory group names are ignored.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Login Settings > Login Controls group policy
by selecting the deny option and specifying one or more group
names. You can, however, set it manually in the configuration file if
you aren’t using group policy or want to temporarily override
group policy.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks with Active Directory to see
which groups the user belongs to. If the user is a member of any
Active Directory group specified by this parameter, the user is
denied access and authentication fails. If the user is not a member of
any group specified by this parameter, authentication succeeds and
the user is logged on.
The parameter’s value can be one or more group names, separated
by commas or spaces, or the file: keyword and a file location. For
example, to prevent all members of the vendors and azul groups
in Active Directory from logging on:
pam.deny.groups: vendors,azul
Note If you are specifying an Active Directory group that has been
Unix-enabled, you can use the short format of the group name as in
the previous example. If you are specifying an Active Directory
group that has not been enabled for Unix access, however, you must
pam.deny.users
This configuration parameter specifies the users that should be
denied access to PAM-enabled applications. When this parameter is
defined, only the listed users are denied access. All other users are
allowed access.
If you want to use this parameter to control which users can log in,
the users you specify should be valid Active Directory users that
have been enabled for Unix. If you specify local user accounts or
invalid Active Directory user names, these entries are ignored.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Login Settings > Login Controls group policy
by selecting the deny option and specifying one or more user
names. You can, however, set it manually in the configuration file if
you aren’t using group policy or want to temporarily override
group policy.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks the users specified by this
parameter to see if the user is listed there. If the user is included in
the list, the user is rejected and authentication fails. If the user is
not listed, the user is accepted and authentication proceeds.
The parameter value can be one or more user names, separated by
commas or spaces, or the file: keyword and a file location. For
pam.homedir.perms
This configuration parameter specifies the permissions for a user’s
home directory if a new home directory is created for the user on
the local computer.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > PAM Settings > Home Directory
Permissions group policy by selecting Enabled and typing the
permission value.
For example, to give read, write, and execute permissions on the
directory to the user and no other permissions:
pam.homedir.perms: 0700
pam.homeskel.dir
This configuration parameter specifies where the PAM skeleton
directory is located. The skeleton directory to used to
automatically create a new home directory and Unix profile for a
new user, if needed.
The parameter value must be a path name. For example:
pam.homeskel.dir: /etc/skel
pam.mapuser.username
This configuration parameter maps a local Unix user account to an
Active Directory account. Local user mapping allows you to set
password policies in Active Directory even when a local Unix
account is used to log in. This parameter is most commonly used to
map the root user on each computer or in each zone to a different
Active Directory account and password, but it can be used for any
local user account. For more information about mapping local
Unix accounts to Active Directory accounts, see “Mapping local
Unix accounts to Active Directory” on page 172.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > User Map group policy. You can, however, set it
manually in the configuration file if you aren’t using group policy or
want to temporarily override group policy.
If you are manually setting this parameter, you should note that the
local account name you want to map to Active Directory is
specified as the last portion of the configuration parameter name.
The parameter value is the Active Directory account name for the
specified local user. For example, the following maps the local Unix
account root to the Active Directory account
root_storm@acme.com if the host computer’s name is storm:
pam.mapuser.root: root_$HOSTNAME@acme.com
You can specify the user name in the configuration file with any of
the following valid formats:
Standard Windows format: domain\user_name
Universal Principal Name (UPN): user_name@domain
Alternate UPN: alt_user_name@alt_domain
Unix user name: user
You must include the domain name in the format if the user
account is not in the local computer’s current Active Directory
domain.
If this parameter is not defined in the configuration file, no local
Unix user accounts are mapped to Active Directory accounts.
pam.password.change.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to change a
password.
pam.password.confirm.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to confirm his
new password by entering it again.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC >Password Prompts > Change Password
Prompt to Confirm New Password group policy by selecting
Enabled and typing the text you want displayed for Active
Directory users. You can, however, set it manually in the
configuration file if you aren’t using group policy or want to
temporarily override group policy.
The parameter value must be an ASCII string. Unix special
characters and environment variables are allowed. For example:
pam.password.confirm.mesg: Confirm new Active Directory
password:\
pam.password.enter.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to enter his
password.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC >Password Prompts > Login Password
Prompt group policy by selecting Enabled and typing the text
you want displayed for Active Directory users. You can, however,
set it manually in the configuration file if you aren’t using group
policy or want to temporarily override group policy.
The parameter value must be an ASCII string. Unix special
characters and environment variables are allowed. For example:
pam.password.enter.mesg: Active Directory password:\
pam.password.expiry.warn
This configuration parameter specifies how many days before a
password is due to expire PAM-enabled applications should issue a
warning to the user.
The parameter value must be a positive integer. For example, to
issue a password expiration warning 10 days before a password is
set to expire:
pam.password.expiry.warn: 10
pam.password.new.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to enter his new
password during a password change.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC >Password Prompts > Change Password
pam.password.old.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to enter his old
password during a password change.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC >Password Prompts > Change Password
Prompt for Old Password group policy by selecting Enabled
and typing the text you want displayed for Active Directory users.
You can, however, set it manually in the configuration file if you
aren’t using group policy or want to temporarily override group
policy.
The parameter value must be an ASCII string. Unix special
characters and environment variables are allowed. For example:
pam.password.old.mesg: (current) Active Directory
password:\
pam.uid.conflict
This configuration parameter specifies how you want Centrify
DirectControl to respond if a user logs on with an Active Directory
For example:
pam.uid.conflict: warn
Note If both the Active Directory user name and Active Directory
UID are the same as a local user name and UID, the accounts do not
conflict and the user can log on regardless of how you set this
parameter. Although this situation is rare, you should avoid using
Active Directory user names and UIDs that duplicate local user
names and UIDs but apply to different individual users.
lam.max.group.count
This configuration parameter applies to the AIX Loadable
Authentication Module (LAM) and specifies the maximum number
of Active Directory groups that the lsgroup ALL command will
return.
lam.max.user.count
This configuration parameter applies to the AIX Loadable
Authentication Module (LAM) and specifies the maximum number
of Active Directory users that the lsuser ALL command will
return. This value also limit the results returned by the getpwent()
and nextuser() functions.
The parameter value must be an integer. The default value for this
parameter is 1000 users. If you specify 0 or a negative value (for
example, -1), there is no limit on the number of users returned.
For example:
lam.max.user.count: 100
nss.group.override
This configuration parameter allows you to override entries in the
/etc/group file. By defining override filters, you can use this
parameter to give you fine-grain control over the groups that can
access a local computer. You can also use the override controls to
modify the information for specific fields in each group entry on
the local computer. For example, you can override the group ID or
member list for a specific group on the local computer without
modifying the group entry itself.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Login Settings > NSS Group Overrides
group policy by selecting Enabled and typing the appropriate
For example:
+users::::
+admins::::jdoe,bsmith,frank
+ftpusers:ftp::300:
-webusers
+::::
nss.mingid
This configuration parameter specifies the minimum group ID
(GID) that the Centrify DirectControl NSS module will look up in
Active Directory. By setting this parameter, you allow the NSS
module to ignore the GIDs for special system or application
accounts that are not stored in Active Directory. Because this
parameter allows you to intentionally skip looking up account
nss.minuid
This configuration parameter specifies the minimum user ID (UID)
value that the Centrify DirectControl NSS module will look up in
Active Directory. By setting this parameter, you can allow the NSS
module to ignore the UIDs for special system or application
accounts that are not stored in Active Directory. Because this
parameter allows you to intentionally skip looking up account
information in Active Directory, it results in faster name lookup
service for system accounts such as tty, root, and bin.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Login Settings > Minimum User ID group
policy by selecting Enabled and setting the minimum user ID
value. You can, however, set it manually in the configuration file if
you aren’t using group policy or want to temporarily override
group policy.
The parameter value must be a positive integer. For example, to
only check Active Directory for account information when the
UID for an account is more than 200:
nss.minuid: 200
Setting this parameter value to 0 disables the feature and may cause
delays in responding to lookup service requests. If this parameter is
not defined in the configuration file, its default value is 100.
nss.passwd.override
This configuration parameter allows you to override entries in the
/etc/passwd file. By defining override filters, you can use this
parameter to give you fine-grain control over the user accounts that
can access a local computer. You can also use the override controls
to modify the information for specific fields in each /etc/passwd
entry on the local computer. For example, you can override the
user ID, primary group ID, default shell, or home directory for
specific login accounts on the local computer without modifying
the account entry itself.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Login Settings > NSS User Overrides group
policy by selecting Enabled and typing the appropriate passwd file
override entries. These entries are then stored in the
/etc/centrifydc/passwd.ovr file and used to filter user access to
a local computer.You can, however, set it manually in the
configuration file if you aren’t using group policy or want to
temporarily override group policy.
The syntax for overriding passwd entries is similar to the syntax
used for overriding NIS. You use + and – entries to allow or deny
access for specific users on the local system. Additional fields
correspond to the standard /etc/passwd fields separated by colons
(:).
In most cases, the nss.passwd.override parameter is used to
identify a file location of an override file that contains all of passwd
override entries you want to use on the local computer. For
example:
nss.group.override: file:/etc/centrifydc/passwd.ovr
Within the override file, you use the following format for entries:
+zone_username:username:password:uid:gid:GECOS:home_directory:shell
For example:
+mike:::::::/usr/local/ultrabash
+kris:kdavis:x:6:6:Kris Davis:/home/kdavis:/bin/bash
+janedoe@centrify.test:jdoe::300:300:::
+@sysadmins:::::::
-ftp
+@staff:::::::
+@rejected-users:::32767:32767:::/bin/false
+:::::::/sbin/nologin
+:::::::
Note If you manually create the passwd.ovr file, you must include
the following as the last line in the file:
+:::::::
nss.program.ignore
This configuration parameter specifies one or more programs that
should not look up account information in Active Directory. The
programs you specify for this parameter do not use the Centrify
DirectControl daemon to contact Active Directory.
Setting this parameter helps to ensure that local programs that
create, manage, or use local user and group information do not
attempt to look up conflicting information in Active Directory. For
example, you can specify programs such as adduser and addgroup
to ensure those programs can still be used to create and update
local accounts independent of Active Directory:
nss.program.ignore: addgroup,adduser
nss.shell.login
This configuration parameter specifies the default login shell to use
when a user or group attempting to access the computer is not
allowed to log on. The default no-login shell and its location is
nss.user.ignore
This configuration parameter specifies one or more users that the
Centrify DirectControl NSS module will ignore for lookup in
Active Directory. Because this parameter allows you to
intentionally skip looking up specific accounts in Active Directory,
it allows faster lookup for system accounts such as tty, root, and
bin.
Note This configuration parameter only ignores the listed users for
NSS lookups. To ignore users for authentication and NSS lookups,
use the pam.ignore.user configuration parameter.
If you later decide you want to migrate the local user account to use
Active Directory, you can run the following command for the user
to reset the default authentication:
chuser SYSTEM= username
nisd.maps
This configuration parameter specifies the name of the NIS maps
currently available for NIS service. When the adnisd daemon
connects to Active Directory, it retrieves the list of NIS maps
available for the local computer’s zone, creates a local map data
store, and updates this configuration parameter, if necessary, to
indicate the maps retrieved. If any NIS client requests a map that is
not in the list specified by this parameter, the daemon refuses the
request.
The parameter value must be a list of NIS map names. If the
parameter is included in the configuration file but no value is set,
no maps are retrieved from Active Directory or available for
service. For example, to specify that you want to make the
netgroup maps available but no other maps, you can set this
parameter as follows:
nisd.maps: netgroup,netgroup.byhost,netgroup.byuser
nisd.securenets
This configuration parameter specifies a list of one or more subnets
from which the daemon will accept NIS requests. You use this
parameter to restrict access to the Centrify DirectControl
Network Information Service by IP address. NIS requests that do
not come from the IP addresses specified in this configuration
parameters are refused by the asnisd daemon.
Note You do not need to specify the local IP address for this
parameter. The Centrify DirectControl Network Information
Service will always accept local NIS client requests.
nisd.server.switch.delay
This configuration parameter specifies how long, in seconds, to
wait before loading maps from a backup domain controller when
the connection to the primary domain controller is lost. If the
Centrify DirectControl Network Information Service is unable to
connect to its primary Active Directory domain controller, it will
respond to NIS client requests using information in the local cache
until the switch to the backup domain controller is complete.
The parameter value must be an integer equal to or greater than
zero. If the value is zero, then the delay is disabled. For example, to
delay period to 2 hours:
nisd.server.switch.delay: 7200
nisd.threads
This configuration parameter specifies the number of threads to use
for processing NIS requests.
nisd.update.interval
This configuration parameter specifies the interval, in seconds, that
the adnisd daemon waits between connections to Active
Directory. At each interval, the adnisd daemon connects to Active
Directory, gets the latest NIS maps for the local computer’s zone,
and updates its local NIS map data store.
The parameter value must be an integer equal to or greater than
zero. If the value is zero, then the update interval is disabled and the
local NIS map data store is not updated. For example, to set the
interval for getting NIS maps to 1 hour:
nisd.update.rate: 3600
nisd.maps.max
This configuration parameter specifies the number of alternate sets
of NIS maps to retain. A new set of NIS maps is normally created
when adnisd switches to an alternate domain controller. Keeping
these alternate sets of maps allows Centrify DirectControl
Network Information Service to more efficiently switch between
domain controllers.
The parameter value must be an integer greater than zero. The
default is 2 map sets. For example:
nisd.maps.max: 2
log.adnisd
This configuration parameter specifies the logging level for the
Centrify DirectControl Network Information Service. The default
logging level is the logging level set for the log configuration
parameter or INFO if neither parameter is defined in the
gp.disable.all
This configuration parameter can be used to disable both computer
and user group policies on a local computer. If set to true, all
gp.disable.machine
This configuration parameter can be used to disable
computer-based group policies on a local computer. If set to true,
all computer-based group policy settings are ignored. If this
parameter is not defined in the configuration file, its default value is
false.
gp.disable.user
This configuration parameter can be used to disable user-based
group policies on a local computer. If set to true, all user-based
group policy settings are ignored. If this parameter is not defined in
the configuration file, its default value is false.
gp.mappers.directory.machine
This configuration parameter specifies the root directory that
contains the all of the mapping programs for computer-based
group policy settings. Individual mapping programs translate
entries from the virtual registry into configuration settings in the
appropriate files on the local computer.
The parameter value must be a path name. For example:
gp.mappers.directory.machine: /usr/share/centrifydc/mappers/machine
gp.mappers.directory.user
This configuration parameter specifies the root directory that
contains the all of the mapping programs for user-based group
policy settings. Individual mapping programs translate entries from
the virtual registry into configuration settings in the appropriate
files on the local computer.
gp.mappers.machine
This configuration parameter specifies the list of mapping programs
to run to configure computer-based policies. The mapping
programs are executed in the order in which they are specified.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Group Policy Settings > Group Policy
Machine Mapper List group policy by selecting Enabled and
specifying the list of mapping programs to run. You can, however,
set it manually in the configuration file if you want to temporarily
override group policy.
In defining the list of mapping programs to run, you can use an
asterisk (*) as a wild card to match a set of program names. For
example, you can specify a* to match all programs with names that
start with the letter a. You can use square brackets ([ ]) to match
any character within the brackets. For example, you can specify
mapprogram[123] to match the program names of mapprogram1,
mapprogram2, and mapprogram3. You can also use an exclamation
point (!) with a program name to prevent a mapping program from
running. For example, you can specify !mysample to prevent the
mapping program mysample from running. These rules can be
combined to give you precise control over which mapping
programs run.
To run all of the mapping programs for computer-based policy
settings, you can specify:
gp.mappers.machine: *
gp.mappers.runmappers
This configuration parameter specifies the location of the
runmappers program. The runmappers program is started by the
Centrify DirectControl daemon and invokes individual mapping
programs for computers, users or both.
The parameter value must be a path name. For example:
gp.mappers.runmappers: /usr/share/centrifydc/mappers/runmappers
gp.mappers.timeout
This configuration parameter specifies the maximum time, in
seconds, to allow for a mapping program to complete execution. If
a mapping program takes longer than this period to successfully
complete its execution, the process is stopped and the next
mapping program is started.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Group Policy Settings > Group Policy
Mapper Execution Timeout group policy by selecting
Enabled and specifying the maximum amount of time to allow for
a group policy mapper program to run before the process is
stopped. You can, however, set it manually in the configuration file
if you want to temporarily override group policy.
If you are manually setting this parameter, the parameter value
must be a positive integer. For example, to set the timeout interval
to 60 seconds:
gp.mappers.timeout: 60
gp.mappers.user
This configuration parameter specifies the mapping programs that
map user-based policy settings to run. The mapping programs are
executed in the order in which they are specified.
In most cases, you set this configuration parameter using the
Computer Configuration > Administrative Templates >
CentrifyDC > Group Policy Settings > Group Policy User
Mapper List group policy by selecting Enabled and specifying
the list of mapping programs to run. You can, however, set it
manually in the configuration file if you want to temporarily
override group policy.
In defining the list of mapping programs to run, you can use an
asterisk (*) as a wild card to match a set of program names. For
example, you can specify a* to match all programs with names that
start with the letter a. You can use square brackets ([ ]) to match
any character within the brackets. For example, you can specify
mapprogram[123] to match the program names of mapprogram1,
mapprogram2, and mapprogram3. You can also use an exclamation
point (!) with a program name to exclude a program from the list.
For example, you can specify !mysample to prevent the mapping
program mysample from running.
To run all of the mapping programs for user-based policy settings,
you can specify:
gp.mappers.user: *
gp.refresh.disable
This configuration parameter specifies whether to disable the
background processing of group policy updates. This configuration
parameter applies to both computer- and user-based policies.
gp.refresh.frequency.machine
This configuration parameter specifies the base refresh interval, in
minutes, between updates for computer-based group policies on
the local computer. At each update interval, the Centrify
DirectControl daemon adclient connects to Active Directory to
get the computer group policies that apply to the local computer.
The base refresh interval is supplemented by an offset value so that
group policy updates occur at a random interval to prevent
multiple computers from connecting to and requesting updates
from the Active Directory domain controllers at the same time.
The offset value specifies the maximum number of minutes to add
to the base interval, and thereby defines the maximum period of
time between group policy updates. For example, if the
gp.refresh.frequency.machine parameter is set to 90 minutes
and the offset value specified for the gp.refresh.offset.machine
configuration parameter is 30 minutes, computer group policies
are updated at a random interval between 90 and 120 minutes.
The parameter value must be an integer equal to or greater than
zero. For example, to set the base interval for updating computer
group policies to 20 minutes:
gp.refresh.frequency.machine: 20
increased traffic places on the server, but you ensure that policy
changes are implemented more quickly and you decrease the RAM
used by the Centrify DirectControl daemon. If you set this
parameter to update group policies less frequently, you decrease
the number of connections to Active Directory and reduce the
overall demand on the server, but policy changes take longer to
take effect and you increase the RAM used by the Centrify
DirectControl daemon.
If your computer group policies rarely change, you may want to
have the policies updated less frequently. If you have a large number
of computers or a widely distributed network, you may want to
increase the offset period to allow for a longer period of time for
updates to be completed.
gp.refresh.offset.machine
This configuration parameter specifies the maximum number of
minutes that are added to the base refresh interval specified by the
gp.refresh.frequency.machine configuration parameter. This
offset value defines a period of time during which group policy
updates can occur at random. Using a random rather than a fixed
interval prevents multiple computers from connecting to and
requesting updates from the Active Directory domain controllers
at the same time. For example, if you boot up several computers at
the same time and they all attempt to get policy updates
simultaneously, the demand might overload the domain controller.
To prevent this, the offset value specifies the maximum number of
minutes to add to the base refresh interval—thereby defining the
maximum period of time between group policy updates—but the
actual policy update can occur at any point within the offset period.
If the gp.refresh.frequency.machine parameter is set to 90
minutes and the offset value specified for the
gp.refresh.offset.machine configuration parameter is 30
minutes, computer group policies are updated at a random interval
between 90 and 120 minutes.
gp.refresh.frequency.user
This configuration parameter specifies the base refresh interval, in
minutes, between updates for user-based group policies on the
local computer. At each update interval, the Centrify
DirectControl daemon adclient connects to Active Directory to
get the user group policies that apply to the currently logged-in
user.
The base refresh interval is supplemented by an offset value so that
group policy updates occur at a random interval to prevent
multiple computers from connecting to and requesting updates
from the Active Directory domain controllers at the same time.
The offset value specifies the maximum number of minutes to add
to the base interval, and thereby defines the maximum period of
time between group policy updates. For example, if the
gp.refresh.frequency.user parameter is set to 90 minutes and
the offset value specified for the gp.refresh.offset.user
configuration parameter is 30 minutes, user group policies are
updated at a random interval between 90 and 120 minutes.
The parameter value must be an integer equal to or greater than
zero. For example, to set the base interval for updating user group
policies to 20 minutes:
gp.refresh.frequency.user: 20
gp.refresh.offset.user
This configuration parameter specifies the maximum number of
minutes that are added to the base refresh interval specified by the
gp.refresh.frequency.user configuration parameter. This offset
value defines a period of time during which group policy updates
can occur at random. Using a random rather than a fixed interval
prevents multiple computers from connecting to and requesting
updates from the Active Directory domain controllers at the same
time. For example, if multiple users log on and attempt to get
policy updates simultaneously, the demand might overload the
domain controller. To prevent this, the offset value specifies the
maximum number of minutes to add to the base refresh interval—
thereby defining the maximum period of time between group
policy updates—but the actual policy update can occur at any point
within the offset period. If the gp.refresh.frequency.user
parameter is set to 90 minutes and the offset value specified for the
gp.refresh.offset.user parameter is 30 minutes, user group
policies are updated at a random interval between 90 and 120
minutes.
gp.reg.directory.machine
This configuration parameter specifies the root directory of the
virtual registry for computer-based group policies. The parameter
value must be a path name. For example:
gp.reg.directory.machine: /var/centrifydc/reg/machine
gp.reg.directory.user
This configuration parameter specifies the root directory of the
virtual registry for user-based group policies.
The parameter value must be a path name. For example:
gp.reg.directory.user: /var/centrifydc/reg/users
399
Installing DirectControl on Red Hat, SuSE, or VMware
After you insert the CD in the drive, run a command similar to the
following to display the long file names:
mount -F cdfs -o rr /dev/dsk/c0t0d0 /mnt/cdrom
You can then change to the Unix directory and determine the
proper agent package to install for the local HP-UX operating
environment.
To install the package on HP-UX, follow these steps:
1 On the HP-UX computer, log in as or switch to the root user.
2 Copy the package from the CD to a local directory, replacing
release with the version of the Centrify DirectControl package
you are installing. For example, if your operating environment
is HP-UX B.11.11:
cp /cdrom/Unix/centrifydc-release-hp11.11-pa.depot.gz .
You need to mark the Centrify files for installation, select Actions
and Install, then click OK to complete the installation.
4 Once you have unzipped the file, create the .toc file by running
the following command:
inutoc .
You may also need to open the following ports depending on the
requirements of your organization:
If you want to allow non-administrative users to join the Active
Directory domain, you should open port 135 for TCP
connections to handle RPC communication. The traffic on this
port is initiated by the Unix computer attempting to contact the
Active Directory server.
405
To maintain time synchronization between the local computer
and the domain controller, you should open port 123 for UDP
connections to handle Simple Network Time Protocol (SNTP)
operations. You can close this port if your external servers can
get accurate time updates and stay synchronized with the Active
Directory domain controller.
A adclient
account mapping configuration parameters 326 to 350
configuration setting 369 log file 267
default behavior 173 NSS operation 41
groups pending import 228 operations performed 37 to 38
other local users 175, 176 PAM operation 39
purpose of 172 starting and stopping 317
strategies for root 173 web modules 42
users pending import 230 adclient.autoedit 328
Active Directory adclient.binding.refresh.interval 330
DNS configuration 100 adclient.cache.expires 332
domain controller selection 37 adclient.cache.expires.group 333, 334,
enabling existing users 165 335, 336
forest integrity for zones 268 adclient.cache.expires.user 337
group definition 138 adclient.client.idle.timeout 339
importing Unix information 223 adclient.clients.socket 340
joining the domain 121 adclient.clients.threads 340
local file import 225 adclient.clients.threads.poll 341
mapping Unix fields 226 adclient.fetch.object.count 341
migrating user accounts 33 adclient.hash.allow 342
NIS import 224 adclient.hash.deny 343
planning deployment 85 adclient.hash.expires 343
planning the structure 101 adclient.krb5.autoedit 351
preferred site connection 330 adclient.krb5.conf.file 352
updating first 102 adclient.krb5.encryption.types 354
users pending import 229 to 231 adclient.krb5.keytab 352
Windows infrastructure 18 adclient.krb5.keytab.entries 352
Active Directory Users and Computers adclient.krb5.password.change.interval
creating computer accounts 148, 149 353
managing computer properties 146 adclient.krb5.service.principals 354
setting permissions 57 adclient.ldap.packet.encrypt 344
Unix properties 32 adclient.ldap.socket.timeout 344
407
adclient.ldap.timeout 345 adpasswd
adclient.paged.search.max 345 command reference 297
addebug displaying help 285
command reference 311 examples 300
examples 311, 314 options 298, 302
options 311, 313, 315, 316 when to use 284
adgpupdate applications
examples 302 authentication issues 18
adinfo licenses 214
command reference 303 reporting 259
displaying help 285 authentication
examples 308 mechanisms available 17
introduction 274
options 304 C
when to use 285 Centrify DirectControl
adjoin access control summary 24, 25
command reference 285 Administrator Console 30
displaying help 285 architectural components 47
examples 291 cached information 38
operations performed 145 command line programs 284
options 287 configuration file 323
running after installation 121 daemon 317
when to use 284 diagnostic information 273
adleave documentation 14
changing a computer’s domain 156 evaluation license 107
command reference 294 joining the domain 121
displaying help 285 log files 270
examples 296 managed system 24
options 295 Management Tools 29
when to use 284 Name Service Switch (NSS) 40
Administrator Console password enforcement 169
installation requirements 101 platform-dependent components 27
introduction 30 Pluggable Authentication Module 39
key tasks 31 prerequisites 99
updating license keys 215 release information 10
viewing users 32 removing 114
Index 409
diagnostic information 273, 309 groups
disconnected operation available GIDs 140
account changes 171 customizing access 360, 366, 377
credential storage 37, 171 default GID setting 110, 132
display specifiers 52 defining scope 96, 163
documentation ignoring for import 228
additional 14 importing 177, 223
audience 9 local file import 225 to 226
conventions 13 NIS import 224 to 225
latest information 10 pending import 227 to 229
online help 14 planning access 162
summary of contents 10 to 12 planning to import 223
domain controller private by default 138
selection of 37 reporting 177, 258
domain local groups 96, 163 reserved GID values 140
Domain Name Server (DNS) using private 95, 162
forwarding requests 120
Unix configuration 119 H
Windows requirement 100 heterogeneous environments
duplicate Unix users 269 challenges 17
dynamic provisioning 90 HP-UX
installing DirectControl manually 402
E removing DirectControl 127
Evaluation Guide 14 system requirements 116
evaluation license key 107, 214
I
G IBM AIX
GID installing DirectControl manually 402
new zone creation 132 removing DirectControl 127
next available 140 system requirements 116
reserved values 110, 140 identity management
starting value 110 importance 17
global groups 96, 164 integrated solution 48
group policy multiple mechanisms 18
configuration parameters 388 to 397 simplifying 19
Index 411
log files NSS configuration
adinfo output 274 automatic editing 328
enabling 270 groups ignored 377
location 271 introduction 40
performance impact 271 manual editing 328
purpose 267 minimum group identifier 378
lrpc.timeout 350 minimum user identifier 379
parameter settings 376 to 383
M reverting to pre-join state 157
Mac OS X users ignored 369, 382, 383
installing DirectControl manually 403 nss.group.ignore 377
joining the domain 122 nss.mingid 378
removing DirectControl 127 nss.minuid 379
system requirements 116 nss.user.ignore 369, 383
Macintosh
configuring WINS 122 O
man pages online help 14
displaying 285
source of information 15 P
managed system 24 PAM configuration
Microsoft Management Console (MMC) account mapping 369
DirectControl snap-in 30 automatic editing 328
Microsoft Services for Unix (SFU) group filtering 360, 366
zone creation 131 home directory skeleton 368
ignore authentication 361
N local computer policies 159
Name Service Switch (NSS) manual editing 329
DirectControl module 40 messages displayed 370 to 372
nested groups 96, 164 parameter settings 358 to 374
Network Information Service (NIS) reverting to pre-join state 157
configuration parameters 384 to 387 user filtering 364, 367
default mapping 226 user identifier conflicts 374
described 224 pam.allow.groups 360, 366
groups pending import 227 to 229 pam.allow.users 364, 367
importing maps 224 to 225 pam.homeskel.dir 368
planning to import 223 pam.mapuser.username 369
server accessibility 224 pam.password.change.mesg 370
users pending import 229 to 231 pam.password.confirm.mesg 371
pam.password.enter.mesg 372
Index 413
S Unix
Setup Wizard authentication mechanisms 18
creating the Licenses container 107 available shells 111, 138
creating the Zones container 108 clock maintenance 38
permission requirements 50 credentials for basic services 35, 317
starting after install 105 DNS configuration 119
Single Sign-On domain controller selection 37
web applications 42 files and directories 119
Sun Solaris groups pending import 227 to 229
installing DirectControl manually 401 importing from common sources 223
removing DirectControl 127 installing DirectControl 116
system requirements 116 knowledge of 9
SuSE Linux local configuration files 225
installing DirectControl manually 400 man pages 285
removing DirectControl 127 managing from Windows 30
system requirements 116 manually importing accounts 226
naming convention 13
T new users 40
technical support 16 NIS servers and domains 224
troubleshooting restarting services 124
daemon operation 267 server licenses 214
enabling logging 270 system requirements 115
forest integrity 268 users pending import 229 to 231
using adinfo 273 Unix command line programs 284
Unix computers
U changing the zone 153
UID domain changes 156
minimum setting 379 joining a domain 145
new zone creation 109, 132 local configuration 159
next available 139 organizing in zones 144
preventing conflicts 88 reporting 158, 258
reserved values 109, 139 restricting who can join 147
response to conflicts 374 server and workstation licenses 214
starting value 109 web application access 152
universal groups 96, 164 web application hosting 214
Unix groups
duplicate information 269
Index 415
zones continued
opening 134
organizing principles 33
parent container 108
permission requirements 58
permissions assigned by delegation 55
policy management by 91 to 92
private groups 138
reports 141, 258
strategies for 85 to 92
understanding the use of 33