Centrify DirectControl Express Edition
Administrator’s Guide
May 2010
Centrify Corporation
Legal notice
This document and the software described in this document are furnished under and are subject to
the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such
license agreement or non-disclosure agreement, Centrify Corporation provides this document and
the software described in this document “as is” without warranty of any kind, either express or
implied, including, but not limited to, the implied warranties of merchantability or fitness for a
particular purpose. Some states do not allow disclaimers of express or implied warranties in certain
transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away
without the prior written permission of Centrify Corporation, except as otherwise permitted by
law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of
this document or the software described in this document may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without
the prior written consent of Centrify Corporation. Some companies, names, and data in this
document are used for illustration purposes and may not represent real companies, individuals, or
data.
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein. These changes may be incorporated in new editions of
this document. Centrify Corporation may make improvements in or changes to the software
described in this document at any time.
© 2004-2010 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl
are derived from third party or open source software. Copyright and legal notices for these sources
are listed separately in the Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on
behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any
tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions)
and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the
software and documentation, including its rights to use, modify, reproduce, release, perform,
display or disclose the software or documentation, will be subject in all respects to the commercial
license rights and restrictions provided in the license agreement.
Centrify, DirectControl, and DirectAudit are registered trademarks and Centrify Suite,
DirectAuthorize, and DirectSecure are trademarks of Centrify Corporation in the United States
and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server
are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
The names of any other companies and products mentioned in this document may be the trademarks
or registered trademarks of their respective owners. Unless otherwise noted, all of the names used
as examples of companies, organizations, domain names, people and events herein are fictitious. No
association with any real company, organization, domain name, person, or event is intended or
should be inferred.
Contents
About this guide 7
Intended audience. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Using this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Conventions used in this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Where to go for more information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Contacting Centrify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 1 Introduction 13
Understanding Centrify DirectControl Express . . . . . . . . . . . . . . . . . . . . . 14
Understanding the Centrify DirectControl Agent . . . . . . . . . . . . . . . . . . . 16
Comparing Centrify Suite 2010 Express Edition to other editions. . . . . 18
Understanding Zones and Auto Zone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Understanding how DirectControl generates consistent UNIX UIDs . . 22
Applying password policies and changing passwords . . . . . . . . . . . . . . 54
Working in disconnected mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Mapping local UNIX accounts to Active Directory. . . . . . . . . . . . . . . . . . . 57
Setting a local override account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Using standard programs such as telnet, ssh, and ftp . . . . . . . . . . . . . . . 59
Using Samba. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Setting Auto Zone configuration parameters . . . . . . . . . . . . . . . . . . . . . . 61
Chapter 4 Troubleshooting 63
Understanding diagnostic tools and log files. . . . . . . . . . . . . . . . . . . . . . . 63
Configuring logging for Centrify DirectControl . . . . . . . . . . . . . . . . . . . . . 64
Collecting diagnostic information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Working with DNS, Active Directory, and DirectControl . . . . . . . . . . . . . 68
pam.ignore.users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
pam.mapuser.username. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
pam.password.change.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
pam.password.change.required.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
pam.password.confirm.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
pam.password.empty.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
pam.password.enter.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
pam.password.expiry.warn.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
pam.password.new.mesg. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
pam.password.new.mismatch.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
pam.password.old.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
pam.policy.violation.mesg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Index 173
Intended audience
This DirectControl Express Edition Administrator’s Guide provides
complete information for installing and configuring Centrify
DirectControl Express and authenticating users and groups with
Centrify DirectControl and Active Directory. This guide is
intended for system and network administrators who are
responsible for managing user access to servers, workstations, and
network resources.
Because Centrify DirectControl Express Edition is installed on the
Linux or Mac OS X computers you intend to manage, and requires
you to work with Windows Active Directory, this guide assumes
you have a working knowledge of performing administrative tasks
across these different environments. If you are unfamiliar with any
of the operating environments you need to support, you may need
to consult additional, operating system-specific documentation to
perform certain tasks or understand certain concepts.
This guide also assumes basic, but not expert, knowledge of how to
perform common tasks. If you are an experienced administrator,
you may be able to simplify or automate some of the tasks described
in this guide using platform-specific scripts or other tools.
Contacting Centrify
If you have questions or comments, we look forward to hearing
from you. For information about contacting Centrify Corporation
with questions or suggestions, visit our Web site at
www.centrify.com. From the Web site, you can get the latest news
and information about Centrify Corporation products, support,
services, and upcoming events. For information about purchasing
or evaluating Centrify Corporation products, send email to
info@centrify.com.
Introduction
This chapter introduces the main features of Centrify DirectControl
Express, including a brief overview of the ways Centrify
DirectControl can help organizations leverage their investment in
Active Directory.
The following topics are covered:
Understanding Centrify DirectControl Express
Understanding the Centrify DirectControl Agent
Comparing Centrify Suite 2010 Express Edition to other editions
Understanding Zones and Auto Zone
Understanding how DirectControl generates consistent UNIX UIDs
Chapter 1 • Introduction 13
6 After reviewing the choices you have made, enter Y and press
Enter.
When the installation is complete, the computer reboots after
15 seconds if you chose to reboot after installation.
If you aren’t sure which file to use for the local operating
environment, see the release-notes text file included in the
package.
If you aren’t sure which command to use for the local operating
environment, see the release-notes text file included in the
package.
Note You are not required to use the specific commands
described in the release-notes to install the software package
manually. If your operating environment has programs such as
the SMIT or YAST programs, you can use those programs to
install the Centrify DirectControl package.
6 Disable licensed features by running the adlicense --express
command:
adlicense --express
Note that licensed features are disabled and that the zone is Auto
Zone, which essentially is a super zone for the entire forest.
Creating actual zones requires a licensed copy of Centrify
DirectControl.
The Linux or Mac OS X computer is now joined to the domain just as
any Windows computer in the domain is. See Chapter 3,
“Using DirectControl Express,” for some of the ways Centrify
Note On the Mac OS, joining the domain and configuring your
environment is slightly different than on other platforms.
Therefore, you should follow the steps in the section “Joining the
domain from Mac OS X computers” on page 42 to join an Active
Directory domain when the Centrify DirectControl Agent is
installed on Mac OS X computers.
2 Type the name of the Active Directory domain you want to join
and select Auto Zone.
You can also type a different computer name if you want to use
a different name for the local host in Active Directory. Check
Overwrite existing joined Computer to overwrite the
information stored in Active Directory for an existing computer
6 Type the user name and password for the local Administrator
account.
adjoin acme.com
created zones, you can specify a zone on the command line; for
example, to connect to the Finance zone:
adjoin -z Finance acme.com
You can also choose to run adcheck, enable auditing (if you
installed DirectAudit), and reboot the computer after
installation.
The computer remains joined to the domain you previously
joined and your existing /etc/centrifydc/centrifydc.conf
file is backed up and any modifications you have made to the file
are migrated to the new version of the file.
3 Restart running services, such as login, sshd, or gdm (if you did
not reboot during installation), or reboot the computer to ensure
all services use the updated configuration. For example, the
following command sends SIGHUP to every sshd process: the listening
daemon re-reads its configuration and re-executes itself, and the
per-session sshd processes terminate, which ends the sessions they
serve, so warn logged-in users first:
pkill -1 sshd
When users are defined in a local forest, you can locate them in
Active Directory with any of the user login formats, that is, by their
UNIX profile name, their userPrincipalName, or their
Note that licensed features are disabled and that the zone is Auto
Zone.
Centrify DirectControl Standard Edition uses its zone technology
to provide secure, granular access control and delegated
administration for UNIX computers joined to a domain.
DirectControl Express, on the other hand, does not provide the
ability to create zones. When a computer joins a domain, it is
automatically joined to Auto Zone. This greatly simplifies the
process of joining a domain but does not provide the same granular
access control as defining and using zones does.
Auto Zone essentially is one super zone for the forest. With Auto
Zone, UNIX attributes that would be defined in the zone to which
the UNIX machine is joined (with Centrify DirectControl Standard
Edition) are derived from user attributes in Active Directory, or
from DirectControl configuration parameters.
3 Type the new password for the user specified. Because you are
changing another user’s password, you are not prompted for an
old password. For example:
New password:
For more information about using adpasswd, see the adpasswd man
page or “Using adpasswd” on page 104.
5 Save the changes to the configuration file, then run the adreload
command to reload the configuration file and have the changes
take effect.
You can change the default root override account or add additional
local users by modifying the computer’s Centrify DirectControl
configuration file.
To configure a local override account across multiple computers by
using group policies, upgrade from Express to Centrify
DirectControl Standard or Enterprise Edition.
Using Samba
DirectControl Express includes a special Samba package,
DirectControl-enabled Samba, that combines DirectControl with
Troubleshooting
This chapter describes how to use diagnostic tools and log files to
retrieve information about the operation of Centrify DirectControl
and to identify and correct problems within your environment.
The following topics are covered:
Understanding diagnostic tools and log files
Configuring logging for Centrify DirectControl
Collecting diagnostic information
Working with DNS, Active Directory, and DirectControl
Chapter 4 • Troubleshooting 63
Configuring logging for Centrify DirectControl
Note You must type the full path to the command because
addebug is not included in the path by default.
With this parameter, the log level works as a filter to define the
type of information you are interested in and ensure that only the
messages that meet the criteria are written to the log. For example,
if you want to see warning and error messages but not
informational messages, you can change the log level from INFO to
WARN. By changing the log level, you can reduce the number of
messages included in the log and record only messages that indicate
a problem. Conversely, if you want to see more detail about system
activity, you can change the log level to INFO or DEBUG to log
information about operations that do not generate any warnings or
errors.
You can use the following keywords to specify the type of
information you want to record in the log file:
# Add the name of the adclient logical log and specify the
# logging level to use for it and its children:
log.com.centrify.adclient: INFO
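The level set on a logical log applies to that log and its children, and the level then acts as a filter on messages. The following resolver, an added example rather than code from Centrify or this guide, parses a constructed fragment in the same key: value syntax and shows which messages survive. Only WARN, INFO and DEBUG appear on this page; the rest of the severity ladder (FATAL, ERROR, TRACE) and the INFO fallback for an unset root are assumptions.

```python
"""Resolve effective log levels from centrifydc.conf-style 'log' entries.

Added example, not Centrify code. The parent-to-child inheritance is what
the guide describes; the full severity ladder (beyond WARN/INFO/DEBUG) and
the INFO fallback are assumptions.
"""
import re

# Assumed severity ladder, most severe first. WARN, INFO, DEBUG come from the page.
LEVELS = ["FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed configuration fragment in the guide's 'key: value' syntax.
SAMPLE_CONF = """
# root logger
log: INFO
# adclient subtree (and its children) at WARN
log.com.centrify.adclient: WARN
# but keep LDAP traffic verbose
log.com.centrify.adclient.ldap: DEBUG
"""

def parse_log_levels(conf_text):
    """Return {logger_name: LEVEL} for every 'log' / 'log.<name>' line.
    The root logger is stored under the empty name."""
    levels = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^log(?:\.([\w.]+))?\s*:\s*(\w+)$", line)
        if not m:
            continue
        name, level = m.group(1) or "", m.group(2).upper()
        if level not in RANK:
            raise ValueError("unknown log level %r for %r" % (level, name))
        levels[name] = level
    return levels

def effective_level(levels, logger):
    """Walk from the logger up through its ancestors; the nearest configured
    level wins, so a child inherits its parent's setting."""
    parts = logger.split(".") if logger else []
    for i in range(len(parts), -1, -1):
        name = ".".join(parts[:i])
        if name in levels:
            return levels[name]
    return "INFO"  # assumed fallback when even the root 'log' is unset

def is_logged(levels, logger, msg_level):
    """A message passes the filter if it is at least as severe as the level."""
    return RANK[msg_level.upper()] <= RANK[effective_level(levels, logger)]

def filter_messages(conf_text, messages):
    levels = parse_log_levels(conf_text)
    return [m for m in messages if is_logged(levels, m[0], m[1])]

# Constructed sample messages: (logical log, level, text)
SAMPLE_MESSAGES = [
    ("com.centrify.adclient", "INFO", "starting"),                   # dropped: adclient is at WARN
    ("com.centrify.adclient", "WARN", "disconnected from AD"),       # kept
    ("com.centrify.adclient.ldap", "DEBUG", "bind to dc1"),          # kept: ldap child at DEBUG
    ("com.centrify.adclient.ldap.socket", "TRACE", "recv 512 bytes"),# dropped: inherits DEBUG
    ("com.centrify.cli", "INFO", "adquery run"),                     # kept: inherits root INFO
]

if __name__ == "__main__":
    for log, lvl, text in filter_messages(SAMPLE_CONF, SAMPLE_MESSAGES):
        print("%-35s %-5s %s" % (log, lvl, text))
```

Raising the root to WARN while leaving a single subtree at DEBUG is the usual way to chase one problem without flooding the log; the resolver makes the resulting effective level for any logical log explicit.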
Working with DNS, Active Directory, and DirectControl
Note You must specify the name of the domain controller, not its IP
address. In addition, the domain controller name must be resolvable
using either DNS or in the local /etc/hosts file. Therefore, you
must add entries to the local /etc/hosts for each domain controller
you want to use if you are not using DNS or if the DNS server
cannot locate your domain controllers.
You can add as many domain and domain controller entries to the
Centrify DirectControl configuration file as you need. Because the
entries manually specified in the configuration file override any site
settings for your domain, you can completely control
DirectControl’s binding to the domains in your forest through this
mechanism.
Note In most cases, you should use DNS whenever possible to
locate your domain controllers. Using DNS ensures that any
changes to the domain topology are handled automatically through
the DNS lookups. The settings in the configuration file provide a
manual alternative to looking up information through DNS for those
For example, if you intend to join the domain mytest.lab and the
domain controller for that domain is dc1.mytest.lab with the
address 172.27.20.1, you would run the following command:
fixdns dc1.mytest.lab 172.27.20.1
The fixdns script then makes the necessary changes to /etc/hosts
and to the DirectControl configuration file.
Note This script does not update the /etc/resolv.conf file. If the
script cannot locate the domain controller using the existing
/etc/resolv.conf settings, it will assume that you want to use
settings from the configuration file.
adleave --help
Using adjoin
The adjoin command adds the local host computer to the specified
Active Directory domain. The basic syntax for the adjoin program
is:
adjoin [options] domain
You are then prompted to provide the password for the user
jeff@acme.com. If the password is correct and the local computer
can successfully connect to Active Directory, a new computer
account is added to Active Directory using the computer name
“orlando” in the “UNIX computers” Organizational Unit.
Note When specifying username@domain to join a domain, you
cannot use an alternative UPN. For example, if your organization
uses an alternate UPN to allow you to log in as garcia@mission.org
but your account is actually defined in the sf.mission.org domain,
you must use that domain when specifying the user account. For
example:
adjoin --workstation --user garcia@sf.mission.org la.mission.org
Solaris /etc/krb5/krb5.conf
Solaris /etc/krb5/krb5.keytab
Name                   Purpose
daemon                 The pipe that clients open to communicate with the agent
dc.cache               Cache of objects from the domain controller
gc.cache               Cache of objects from the global catalog
dcdn.idx               Cache index
extmgr.idx             Cache index
gcdn.idx               Cache index
gid.idx                Cache index
gname.idx              Cache index
search.idx             Cache index
uid.idx                Cache index
uname.idx              Cache index
kset.domain            The domain name
kset.domaincontroller  The domain controller host name
kset.host              The host name used to join
kset.schema            The current schema version
kset.site              The preferred site
Using adleave
The adleave command removes the local host computer from its
current Active Directory domain. Once a computer has become a
member of a domain, you must run the adleave command to leave
that domain before you can move a computer to a new domain.
You are then prompted for the password for the user
raj@acme.com.
Using adcheck
The adcheck command can be used to perform operating system,
network, and Active Directory tests to verify that a machine is
ready to join the specified Active Directory domain. The domain
should be a fully-qualified domain name, for example,
sales.acme.com.
Using adlicense
The adlicense command can be used to enable or disable licensed
features on a local computer.
If you execute adlicense with no options, it displays the current
mode, either licensed or express.
In licensed mode, a computer has access to group policies and may
join any existing zones.
In express mode (licensing is disabled) a computer may not
download or execute group policies and cannot join a zone. The
computer is automatically joined to Auto Zone.
To run adlicense you must be logged in as root.
The basic syntax for the adlicense program is:
adlicense [--licensed] [--express] [--verbose] [--version]
Using adpasswd
The adpasswd command changes the password for an Active
Directory user account. It can be used to change the password of
the current user executing the command or to change the password
of another Active Directory user. If you want to change the
password for any Active Directory account other than your own, you
must also authenticate with an account that is permitted to reset
that user’s password.
For example, if you run adpasswd with no arguments, you are prompted
for the old and new passwords because they aren’t provided in the
command line:
adpasswd
Old password: xxx
New password: xxx
Repeat password: xxx
You are then prompted for the administrator password and the
user’s new password because these values aren’t provided in the
command line.
Administrator password: xxx
New password for jane@acme.com: xxx
Repeat password: xxx
If the user name and password are valid and can be authenticated by
Active Directory, a successful validation message is displayed. If the
user name and password specified cannot be authenticated, the
command displays a message indicating the authentication failure:
Password validate failed for user pablo
Account cannot be accessed at this time
Please contact your system administrator
Using adquery
The adquery command enables you to query Active Directory for
information about users and groups from the command line on a
Centrify DirectControl-managed system. The options you can use
depend on whether you are looking up user information or group
information. You can look up information for a specific user or
group or for all of the users or groups in a zone.
The basic syntax for the adquery program is as follows:
adquery user|group [options] [username|groupname]
You can specify a single option in the command line to have the
information returned as one value per line suitable for use in
scripts. If you specify multiple options in the command line, the
information returned is formatted in a list with field labels
identifying each value.
You can specify the username in any supported format. If the user
name includes any blank spaces, the name should be enclosed by
quotation marks. For example, if you want to specify an Active
Directory account name consisting of a first name and a last name,
you can type a command similar to the following:
adquery user --samname --enabled "Jae Park"
You must use the canonical format for the group name if specifying
the Active Directory group name. For example, to look up the group
whose canonical name is ajax.org/Users/Unix Developers, you can type
a command similar to the following:
adquery group "ajax.org/Users/Unix Developers"
This command returns the results for the group (UNIX name unixdev)
in the following format:
unixname:unixdev
gid:400
required:false
dn:CN=Unix Developers,CN=Users,DC=ajax,DC=org
groupType:global security
samAccountName:Unix Developers
Similarly, if you want to see a complete list of details about the user
jae@ajax.org, you would type:
adquery user --all jae@ajax.org
This command returns the results for the user in the following
format:
unixname:jae
uid:409
gid:400
gecos:Jae Kim
home:/home/jae
shell:/bin/bash
dn:CN=Jae Kim,CN=Users,DC=ajax,DC=org
samAccountName:jae
display:jae
sid:S-1-5-21-3619768212-1024502798-2657341593-1185
userPrincipalName:jae@AJAX.ORG
servicePrincipalName:
canonicalName:ajax.org/Users/Jae Kim
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 12 15:21:04 2007
nextPasswordChange:Fri Mar 2 14:21:04 2007
lastPasswordChange:Thu Mar 1 14:21:04 2007
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:unixdev,testexpe
memberOf:ajax.org/Users/Unix Developers,
ajax.org/Users/Domain Users,ajax.org/Performix/TestExpert
Team
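Output in this one-field-per-line form is meant to be scripted against, and the status fields it carries (accountLocked, accountDisabled, zoneEnabled, accountExpires, passwordExpires) are what an administrator usually wants to act on. The following parser, an added example and not Centrify code, reads the record shown above (embedded here as a constructed sample) and reports whether the account can log in. The decision rules are this example's own reading of those fields, not a Centrify specification; the timestamp format is taken from the sample itself.

```python
"""Parse 'adquery user --all' output and evaluate the account's status.

Added example, not Centrify code. SAMPLE_OUTPUT is the record from the
guide, embedded as a constructed sample. The status rules are this
example's own: locked, disabled, not zone-enabled, or expired means no
login; a past passwordExpires means the password must be changed.
"""
from datetime import datetime

SAMPLE_OUTPUT = """\
unixname:jae
uid:409
gid:400
gecos:Jae Kim
home:/home/jae
shell:/bin/bash
dn:CN=Jae Kim,CN=Users,DC=ajax,DC=org
samAccountName:jae
display:jae
sid:S-1-5-21-3619768212-1024502798-2657341593-1185
userPrincipalName:jae@AJAX.ORG
servicePrincipalName:
canonicalName:ajax.org/Users/Jae Kim
passwordHash:x
accountExpires:Never
passwordExpires:Thu Apr 12 15:21:04 2007
nextPasswordChange:Fri Mar 2 14:21:04 2007
lastPasswordChange:Thu Mar 1 14:21:04 2007
accountLocked:false
accountDisabled:false
zoneEnabled:true
unixGroups:unixdev,testexpe
memberOf:ajax.org/Users/Unix Developers,
ajax.org/Users/Domain Users,ajax.org/Performix/TestExpert Team
"""

TIME_FORMAT = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Apr 12 15:21:04 2007"

def parse_adquery(text):
    """Return {field: value}. Values are split on the first ':' only, since
    timestamps contain colons. A line with no ':' continues the previous
    field, which is how long values such as memberOf are wrapped."""
    record = {}
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            record[last] = value.strip()
        elif last is not None:
            record[last] += line
    return record

def parse_time(value):
    """'Never' or an empty value means no expiry."""
    if not value or value == "Never":
        return None
    return datetime.strptime(value, TIME_FORMAT)

def as_bool(value):
    return value.strip().lower() == "true"

def account_status(record, now):
    """Evaluate the flags adquery reports as of 'now' (a datetime or a
    'YYYY-MM-DD' string)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    reasons = []
    if as_bool(record.get("accountLocked", "false")):
        reasons.append("account is locked")
    if as_bool(record.get("accountDisabled", "false")):
        reasons.append("account is disabled")
    if not as_bool(record.get("zoneEnabled", "false")):
        reasons.append("user is not enabled in the zone")
    expires = parse_time(record.get("accountExpires", ""))
    if expires is not None and expires <= now:
        reasons.append("account expired on %s" % expires)
    pw_expires = parse_time(record.get("passwordExpires", ""))
    return {
        "unixname": record.get("unixname"),
        "uid": int(record["uid"]),
        "groups": [g for g in record.get("unixGroups", "").split(",") if g],
        "member_of": [g.strip() for g in record.get("memberOf", "").split(",") if g.strip()],
        "can_login": not reasons,
        "must_change_password": pw_expires is not None and pw_expires <= now,
        "reasons": reasons,
    }

if __name__ == "__main__":
    rec = parse_adquery(SAMPLE_OUTPUT)
    print(account_status(rec, "2007-03-05"))
    print(account_status(rec, "2007-05-01"))
```

Run over the output of adquery for each user in a list, this gives a quick audit of locked, disabled and password-expired accounts on a managed host without touching the domain controller beyond the queries adquery already makes.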
Similarly, if you want to return only the UID for the user
rae@ajax.org, you would type:
adquery user --uid rae@ajax.org
10003
If you want the results to include the UNIX user name or group
name, you can add the --prefix option to the command line. For
example, to include the UNIX group name with a membership list
for the testexp, performx and unixdev groups, you would type:
adquery group --members --prefix testexp performx unixdev
This command returns the group names and GIDs in the following
format:
unixdev:400
oracle:700
qualtrak:800
performi:401
perform2:402
financeu:403
testexpe:404
integrit:405
Similarly, to return a list of UIDs and display names for all of the
users in the current zone, you would type:
adquery user --uid --display
For example:
rae-old:uid:10003
rae-old:displayName:Rae S. Parker
jay:uid:501
jay:displayName:Jay W. Reynolds
zoe:uid:502
zoe:displayName:Zoe Green
ben:uid:503
ben:displayName:Ben Waters
ashish:uid:504
ashish:displayName:Ashish Menendez
fisher:uid:505
fisher:displayName:Monte Fisher
pierre:uid:506
pierre:displayName:Pierre Leroy
lynn:uid:507
lynn:displayName:Lynn Hogan
tess:uid:508
tess:displayName:Tess Adams
jolie:uid:509
jolie:displayName:Jolie Ames-Anderson
jae:uid:510
jae:displayName:Jae Kim
Using adinfo
The adinfo command displays detailed Active Directory, network,
and diagnostic information for a local UNIX computer. Options
control the type of information and level of detail displayed.
The basic syntax for the adinfo program is:
adinfo [option] [--user username[@domain]]
[--password password]
For example:
ajax.org
IP Diagnostics
Local host name: magnolia
FQDN host name: magnolia (domain missing?)
Local IP Address: 192.168.147.135
Domain Diagnostics:
You are then prompted for the Active Directory password for the
user rae account. If Active Directory can authenticate the user, a
confirmation message similar to the following is displayed:
Password for user “rae” is correct
Using addebug
The addebug command is used to start or stop detailed logging
activity for Centrify DirectControl on a local UNIX computer.
The basic syntax for the addebug program is:
addebug [on | off| clear]
Note You must type the full path to the command because addebug
is not included in the path by default.
To display the host name for the global catalog server, type:
adfinddomain $
zen.ajax.org
or:
adfinddomain $ --port
zen.ajax.org:3268
-f, --force Clear the adclient local cache of all data even if
the Centrify DirectControl Agent is currently
disconnected from Active Directory.
-o, --objects Remove only domain controller and global catalog
objects from the cache.
-V, --verbose Display detailed information about the operation.
-v, --version Display version information for the installed
software.
Using adid
The adid command can be used to display the real and effective
UIDs and GIDs for the current user or a specified user.
The basic syntax for the adid program is:
adid [option] [username|uid]
To display the user ID and group ID for a specific user name, you
can type:
adid alan
uid=505(alan) gid=100(users)
To display the user ID and group ID for a specific user ID, you can
type:
adid 505
uid=505(alan) gid=100(users)
To display only the user ID for a specific user name, you can type:
adid --user sloane
506
Using adclient
Most Centrify DirectControl operations are managed by the
central daemon process adclient. This daemon is automatically
started when the system is first booted. The daemon generally
remains running as long as the computer is powered up so that it
can handle all of the authentication and authorization interaction
between Active Directory and the UNIX shell programs or Web
applications that need this information.
Notes Although you can run adclient directly from the command
line to control the operation of the Centrify DirectControl Agent on
a local computer, it is recommended that you do so only under the
direction of Centrify support. Typically, you should start and stop
adclient from a startup script; see “Using the startup script” on
page 139.
On AIX computers, you cannot start adclient directly from the
command line. On AIX, you should use the centrifydc startup
script or the system resource controller commands, such as
startsrc, stopsrc, and lssrc. For example, to start adclient
with the -d and -F options on AIX, you can use a command such as:
The basic syntax for running adclient at the command line is:
adclient [-x] [-d] [-F]
Using adcache
The adcache command enables you to manually clear the local
Centrify DirectControl cache on a computer. You can use this
command to dump all cache files or a specific cache file. You can
also use the command to check a cache file for a specific key value
and to reclaim disk space. By default, the program dumps all cache
files.
Before running adcache, you should stop the adclient process
using the following command:
/usr/share/centrifydc/bin/centrifydc stop
153,
_PwSync(s):altSecurityIdentities,
_SID(s):S-1-5-21-3619768212-1024502798-2657341593-1153,
_ShellEnabled(s):True,
_Uid(s):504,
_UnixName(s):andre,
_dn(s):CN=Andre Garcia,CN=Users,DC=ajax,DC=org,
_extendedObjUSN(s):127065,
_groupGuidList(s):<GUID=1271604159a73a49b251b156fae5d6fb>,
<GUID=2d7305a27dfc884eb95ed5d4404a9016>,<GUID=d663e7d2088e
6c4d8d89c0919f4a2b6e>,
_hashTimestamp(s):1190416207,
_maxPwdAge(s):-1,
_minPwdAge(s):128323800679025000,
_objectCategory(s):Person,
_pacGroups(s):0105000000000005150000009447c1d70eac103d99d0
639e94040000,0105000000000005150000009447c1d70eac103d99d06
39e00020000,0105000000000005150000009447c1d70eac103d99d063
9e01020000,
_passwordHash(s):b450a7940716ea44d980322df1773b10,
_passwordSalt(s):$1$wJkhxUEB$,
_server(s):ginger.ajax.org,
_userPrincipalName(s):andre@AJAX.ORG,
accountExpires(s):9223372036854775807,
cn(s):Andre Garcia,
displayName(s):Andre Garcia,
msDS-KeyVersionNumber(s):3,
name(s):Andre Garcia,
objectCategory(s):CN=Person,CN=Schema,CN=Configuration,DC=
ajax,DC=org,
objectClass(s):top,person,organizationalPerson,user,
primaryGroupID(s):513,
pwdLastSet(s):-1,
sAMAccountName(s):andre,
uSNChanged(s):1,
userAccountControl(s):512,
userPrincipalName(s):andre@ajax.org,
----------------------------------------------------------
Using adreload
The adreload command enables you to force the Centrify
DirectControl Agent (adclient) to reload configuration properties
in the /etc/centrifydc/centrifydc.conf file and in other files in
the /etc/centrifydc directory. Running this command enables
changes made to the configuration properties to take effect without
restarting the adclient process. Running adreload, however, does
not reload the properties set with the following configuration
parameters:
adclient.ldap.timeout
adclient.ldap.socket.timeout
adclient.udp.timeout
adclient.clients.threads
adclient.clients.threads.max
adclient.use.all.cpus
adclient.clients.listen.backlog
adclient.dumpcore
For the configuration parameters listed above, you must restart the
adclient process for changes to take effect.
auto.schema.primary.gid
This configuration parameter specifies the primary GID for the
user. The auto.schema.private.group parameter must be set to
false (the default) to use this parameter.
Specify the GID for an existing group. To find the GID for a group,
you can use the adquery command. For example, to find the GID
for the group Support, open a terminal session and type:
adquery group --gid Support
1003
If you do not set this parameter, the value defaults to the following:
On Mac OS X: 20.
On Linux: 65534
auto.schema.private.group
This configuration parameter specifies whether to use dynamic
private groups.
Specify true to create dynamic private groups. In this case, the
primary GID is set to the user's UID and a group is automatically
created with a single member.
Specify false (the default) to not create private groups. In this
case, the primary GID is set to the value of
auto.schema.primary.gid, which defaults to 20 on Mac OS X and
65534 on Linux.
auto.schema.shell
This configuration parameter specifies the default shell for the
logged in user. The default value is /bin/bash on Mac OS X and
Linux systems and /bin/sh on all other systems.
auto.schema.use.adhomedir
Note This configuration parameter applies to Mac OS X computers
only.
auto.schema.remote.file.service
Note This configuration parameter applies to Mac OS X computers
only.
auto.schema.name.format
This configuration parameter specifies how the Active Directory
username is transformed into a UNIX name (short name in
Mac OS X). The options are:
SAM (default)
An example SAM name is joe.
SAM@domainName
An example SAM@domainName name is joe@acme.com.
NTLM
An example NTLM name is acme.com-joe.
auto.schema.domain.prefix
This configuration parameter specifies a unique prefix for a trusted
domain. You must specify a whole number in the range of 0 - 511.
Centrify DirectControl combines the prefix with the lower 22 bits
of each user or group RID (relative identifier) to create unique
UNIX user (UID) and group (GID) IDs for each user and group in
the forest and in any two-way trusted forests.
Ordinarily, you do not need to set this parameter because Centrify
DirectControl automatically generates the domain prefix from the
user or group Security Identifier (SID). However, in a forest with a
large number of domains, domain prefix conflicts are possible.
When you join a machine to a domain, if Centrify DirectControl
detects any conflicting domain prefixes, the join fails with a
warning message. You can then set a unique prefix for the
conflicting domains.
To set this parameter, append the domain name and specify a prefix
in the range 0 - 511. For example:
auto.schema.domain.prefix.acme.com:3
auto.schema.domain.prefix.finance.com:4
auto.schema.domain.prefix.corp.com:5
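The following is an added example, not Centrify's code, showing how a 9-bit domain prefix (0-511) and the lower 22 bits of an account RID combine into a UNIX UID or GID, how auto.schema.domain.prefix.<domain> entries override the automatic prefix, and what a prefix conflict between domains looks like. The automatic prefix derivation used here (a hash of the domain SID reduced to 9 bits) is an assumption; the page does not describe the agent's real method, and all SIDs and domains are constructed.

```python
"""Added example (not Centrify's code): prefix + masked RID -> UNIX ID.
The auto_prefix() derivation is an assumption; the real agent's method is
not described on the page.  All SIDs and domain names are constructed."""
import hashlib
import re

PREFIX_BITS = 9                       # prefix range 0-511
RID_BITS = 22                         # only the lower 22 bits of the RID are kept
RID_MASK = (1 << RID_BITS) - 1
CONF_KEY = "auto.schema.domain.prefix."
# Account SID: S-1-5-21-<three sub-authorities>-<RID>
_ACCOUNT_SID = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")


def parse_prefix_config(conf_text):
    """Collect auto.schema.domain.prefix.<domain>:<n> lines into {domain: n}."""
    prefixes = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.startswith(CONF_KEY):
            continue
        prefix = int(value.strip())
        if not 0 <= prefix < (1 << PREFIX_BITS):
            raise ValueError(f"{key}: prefix {prefix} outside 0-511")
        prefixes[key[len(CONF_KEY):].lower()] = prefix
    return prefixes


def split_sid(sid):
    """Return (domain SID, RID) for an account SID string."""
    match = _ACCOUNT_SID.match(sid)
    if not match:
        raise ValueError(f"not an account SID: {sid}")
    return match.group(1), int(match.group(2))


def auto_prefix(domain_sid):
    """Assumed automatic prefix: SHA-256 of the domain SID reduced to 9 bits."""
    digest = hashlib.sha256(domain_sid.encode()).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << PREFIX_BITS) - 1)


def unix_id(sid, domain, prefixes):
    """Prefix in bits 22-30, masked RID in bits 0-21.  9 + 22 = 31 bits, so
    the result always fits a signed 32-bit uid_t (maximum 2**31 - 1).  Note
    that RIDs differing only above bit 21 map to the same ID."""
    domain_sid, rid = split_sid(sid)
    prefix = prefixes.get(domain.lower(), auto_prefix(domain_sid))
    return (prefix << RID_BITS) | (rid & RID_MASK)


def find_prefix_conflicts(effective_prefixes):
    """Group domains that share a prefix; a non-empty result is the condition
    under which the page says the join fails with a warning."""
    by_prefix = {}
    for domain, prefix in sorted(effective_prefixes.items()):
        by_prefix.setdefault(prefix, []).append(domain)
    return {p: d for p, d in by_prefix.items() if len(d) > 1}


# Constructed sample configuration (same form as the lines above).
SAMPLE_CONF = """\
auto.schema.domain.prefix.acme.com:3
auto.schema.domain.prefix.finance.com:4
"""

if __name__ == "__main__":
    prefixes = parse_prefix_config(SAMPLE_CONF)
    print(unix_id("S-1-5-21-1111-2222-3333-1003", "acme.com", prefixes))
    print(find_prefix_conflicts({"acme.com": 3, "corp.com": 3, "finance.com": 4}))
```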
auto.schema.search.return.max
This configuration parameter specifies the number of users that will
be returned for searches by utilities such as dscl and the
Workgroup Manager application. Because Auto Zone enables
access to all users in a domain, a search could potentially return
tens of thousands of users. This parameter causes the search to
truncate after the specified number of users.
The default is 1000 entries.
auto.schema.name.lower
This configuration parameter converts all usernames and home
directory names to lower case in Active Directory.
Set to true to convert usernames and home directory names to
lowercase.
Set to false to leave usernames and home directories in their
original case, upper, lower, or mixed.
The default for a new installation is true. The default for an
upgrade installation is false.
auto.schema.iterate.cache
This configuration parameter specifies that user and group iteration
takes place only over cached users and groups.
Set the value for auto.schema.iterate.cache to true to restrict
iteration to cached users and groups.
adclient.ntlm.separators
This configuration parameter specifies the separators that may be
used between the domain name and the user name when NTLM
format is used. For example:
adclient.ntlm.separators: +/\\
pam.password.old.mesg
Note On AIX, the PAM configuration parameters described in this
section may apply to interfaces in the AIX Loadable Authentication
Module (LAM) or PAM, depending on the configuration of the local
operating environment. If you have configured AIX to use PAM, the
configuration parameters apply to PAM settings. If AIX is
configured to use LAM, parameters in this section configure LAM
settings where applicable.
pam.allow.groups
This configuration parameter specifies the groups allowed to access
PAM-enabled applications. When this parameter is defined, only
the listed groups are allowed access. All other groups are denied
access.
If you want to use this parameter to control which users can log in
based on group membership, the groups you specify should be valid
Active Directory groups, but the groups you specify do not have to
be enabled for UNIX. Local group membership and invalid Active
Directory group names are ignored.
If you use this parameter to control access by group name, Centrify
DirectControl checks the Active Directory group membership for
every user who attempts to use PAM-enabled applications on the
host computer.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks with Active Directory to see
what groups the user belongs to. If the user is a member of any
Active Directory group specified by this parameter, the user is
accepted and authentication proceeds. If the user is not a member
of any group specified by this parameter, authentication fails and
the user is rejected.
The parameter’s value can be one or more group names, separated
by commas, or the file: keyword and a file location. For example,
Note You can use the short format of the group name or the full
canonical name of the group.
To enter group names with spaces, enclose them in double quotes;
for example:
pam.allow.groups: "domain admins",sales,"domain users"
pam.allow.override
This configuration parameter is used to override authentication
through Active Directory to ensure the root user or another local
account has permission to log on when authentication through
Active Directory is not possible, when there are problems running
the Centrify DirectControl daemon, or when there are network
communication issues.
When you specify a user account for this parameter, authentication
is passed on to a legacy authentication mechanism, such as
/etc/passwd. You can use this parameter to specify an account that
you want to ensure always has access, even if communication with
Active Directory or the Centrify DirectControl daemon fails. For
example, to ensure the local root user always has access to a system
even in an environment where you have enabled root mapping, you
can specify:
pam.allow.override: root
To log in locally with the override account, you must specify the
local user name and password. However, because the account is
mapped to an Active Directory account, you must append
@localhost to the user name. For example, if you have specified
root as the override account and are using root mapping, you
would type root@localhost when prompted for the user name.
You can then type the local password for the root account and log
in without being authenticated through Active Directory.
Note If you are mapping the root user to an Active Directory
account and password, you should set this parameter to root or to
a local user account with root-level permissions (UID 0), so that you
always have at least one local account with permission to access
system files and perform privileged tasks on the computer even if
there are problems with the network connection, Active Directory,
or the Centrify DirectControl daemon.
pam.allow.password.change
This configuration parameter specifies whether users who log in
with an expired password should be allowed to change their
password. You can set this parameter to true or false and use it in
conjunction with the pam.allow.password.expired.access
parameter to control access for users who attempt to log on with
an expired password.
If both this parameter and pam.allow.password.expired.access
are set to true, users logging on with an expired password are
allowed to log on and are prompted to change their password.
If the pam.allow.password.expired.access parameter is set to
true, but this parameter is set to false, users logging on with an
expired password are allowed to log on but are not prompted to
pam.allow.password.change.mesg
This configuration parameter specifies the message displayed when
users are not permitted to change their expired password because
the pam.allow.password.change parameter is set to false.
For example:
pam.allow.password.change.mesg: Password change not permitted
pam.allow.password.expired.access
This configuration parameter specifies whether users who log in
with an expired password should be allowed access. You can set this
parameter to true or false and use it in conjunction with the
pam.allow.password.change parameter to control access for users
who attempt to log on with an expired password.
If this parameter is set to true, users logging on with an expired
password are allowed to log on, and either prompted to change
their password if the pam.allow.password.change parameter is set
to true, or notified that they are not allowed to change their
expired password if the pam.allow.password.change parameter is
set to false.
If this parameter is set to false, users logging on with an expired
password are not allowed to log on and the message defined for the
pam.allow.password.expired.access.mesg parameter is
displayed.
For example, to allow users with expired passwords to log on:
pam.allow.password.expired.access: true
pam.allow.password.expired.access.mesg
This configuration parameter specifies the message displayed when
users are not permitted to log on with an expired password because
the pam.allow.password.expired.access parameter is set to
false.
For example:
pam.allow.password.expired.access.mesg: Password expired - access denied
pam.allow.users
This configuration parameter specifies the users who are allowed to
access PAM-enabled applications. When this parameter is defined,
only the listed users are allowed access. All other users are denied
access.
If you want to use this parameter to control which users can log in,
the users you specify should be valid Active Directory users that
have a valid UNIX profile for the local computer’s zone. If you
specify local user accounts or invalid Active Directory user names,
these entries are ignored.
If you specify one or more users with this parameter, user filtering
is performed for all PAM-enabled applications on the host
computer.
When a user attempts to log on or access a PAM-enabled service,
the pam_centrifydc module checks the users specified by this
parameter to see if the user is listed there. If the user is included in
Note You can use the short format of the user name or the full
canonical name of the user.
To enter user names with spaces, enclose them in double quotes; for
example:
pam.allow.users: "sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"
To specify a file that contains a list of the users allowed access, type
the path to the file:
pam.allow.users: file:/etc/centrifydc/users.allow
pam.deny.groups
This configuration parameter specifies the groups that should be
denied access to PAM-enabled applications. When this parameter is
defined, only the listed groups are denied access. All other groups
are allowed access.
If you want to use this parameter to control which users can log in
based on group membership, the groups you specify should be valid
Active Directory groups, but the groups you specify do not need to
Note You can use the short format of the group name or the full
canonical name of the group.
To enter group names with spaces, enclose them in double quotes;
for example:
pam.deny.groups: "domain admins",sales,"domain users"
pam.deny.users
Note You can use the short format of the user name or the full
canonical name of the user.
To enter user names with spaces, enclose them in double quotes; for
example:
pam.deny.users: "sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"
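The following is an added example, not Centrify's code, that parses the pam.allow.groups, pam.allow.users, pam.deny.groups and pam.deny.users values described above (comma-separated names, double quotes around names with spaces, or the file: keyword) and applies them to one PAM login attempt. Two assumptions not stated on the page: a deny match wins over an allow match, and names are compared case-insensitively; the configuration, file contents and user identities are constructed.

```python
"""Added example (not Centrify's code): PAM user/group filter evaluation.
Assumptions: deny wins over allow; names compare case-insensitively.
The configuration, the users.allow file and all identities are constructed."""

FILTER_KEYS = ("pam.deny.users", "pam.deny.groups", "pam.allow.users", "pam.allow.groups")


def split_names(value):
    """Split 'a,"b c",d' into ['a', 'b c', 'd']; commas inside quotes do not split."""
    names, current, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            names.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    names.append("".join(current).strip())
    if quoted:
        raise ValueError(f"unbalanced double quote in: {value}")
    return [n for n in names if n]


def parse_name_list(value, read_lines):
    """Resolve a parameter value to a lower-cased set of names.  read_lines
    returns the lines of a file: path (injected so the example runs offline)."""
    value = value.strip()
    if value.startswith("file:"):
        lines = read_lines(value[len("file:"):])
        names = [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]
    else:
        names = split_names(value)
    return {n.lower() for n in names}


def pam_access_decision(conf, user, ad_groups, read_lines):
    """Return (allowed, reason).  Only Active Directory groups are passed in,
    since the page says local group membership is ignored."""
    lists = {k: parse_name_list(conf[k], read_lines) for k in FILTER_KEYS if k in conf}
    user = user.lower()
    groups = {g.lower() for g in ad_groups}
    if user in lists.get("pam.deny.users", set()):
        return False, "pam.deny.users"
    if groups & lists.get("pam.deny.groups", set()):
        return False, "pam.deny.groups"
    if "pam.allow.users" in lists or "pam.allow.groups" in lists:
        if user in lists.get("pam.allow.users", set()):
            return True, "pam.allow.users"
        if groups & lists.get("pam.allow.groups", set()):
            return True, "pam.allow.groups"
        return False, "not in any allow list"
    return True, "no user or group filtering configured"


# Constructed configuration; the users.allow file is simulated in memory.
SAMPLE_CONF = {
    "pam.allow.groups": '"domain admins",sales,"domain users"',
    "pam.allow.users": "file:/etc/centrifydc/users.allow",
    "pam.deny.users": '"sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"',
}
SAMPLE_FILES = {"/etc/centrifydc/users.allow": "# constructed allow list\nbob@acme.com\n"}


def read_sample_file(path):
    return SAMPLE_FILES[path].splitlines()


if __name__ == "__main__":
    for who, grps in [("joan@acme.com", {"sales"}), ("alice@acme.com", {"Domain Admins"}),
                      ("bob@acme.com", set()), ("carol@acme.com", {"engineering"})]:
        print(who, pam_access_decision(SAMPLE_CONF, who, grps, read_sample_file))
```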
pam.ignore.users
This configuration parameter specifies one or more users that
Centrify DirectControl will ignore for lookup in Active Directory.
Because this parameter allows you to intentionally skip looking up
an account in Active Directory, it allows faster lookup for system
accounts such as tty, root, and bin and local login accounts.
Note This configuration parameter ignores listed users for
authentication and NSS lookups.
If you later decide you want to migrate the local user account to use
Active Directory, you can run the following command for the user
to reset the default authentication:
chuser SYSTEM= username
pam.mapuser.username
This configuration parameter maps a local UNIX user account to an
Active Directory account. Local user mapping allows you to set
password policies in Active Directory even when a local UNIX
account is used to log in. This parameter is most commonly used to
map local system or application service accounts to an Active
Directory account and password, but it can be used for any local
user account. For more information about mapping local accounts
to Active Directory users, see “Mapping local UNIX accounts to
Active Directory” on page 57.
If you are manually setting this parameter, you should note that the
local account name you want to map to Active Directory is
specified as the last portion of the configuration parameter name.
The parameter value is the Active Directory account name for the
specified local user. For example, the following parameter maps the
You can specify the user name in the configuration file with any of
the following valid formats:
Standard Windows format: domain\user_name
Universal Principal Name (UPN): user_name@domain
Alternate UPN: alt_user_name@alt_domain
UNIX user name: user
You must include the domain name in the format if the user
account is not in the local computer’s current Active Directory
domain.
If this parameter is not defined in the configuration file, no local
UNIX user accounts are mapped to Active Directory accounts.
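The following is an added configuration check, not Centrify's code, for the pam.mapuser.<local_user> parameter described above together with the pam.allow.override parameter from earlier in this section. It parses the mapping lines, classifies the Active Directory name format, reports mappings that give no domain (and so resolve in the local computer's domain), and warns when a UID 0 local account is mapped to Active Directory while pam.allow.override names no UID 0 local account. Assumptions: the override value may list several accounts separated by commas, the passwd table is passed in as a dict, and all sample values are constructed.

```python
"""Added example (not Centrify's code): lint for pam.mapuser.* entries and
the pam.allow.override safety net.  Assumptions: override may hold several
comma-separated accounts; passwd is a dict.  All sample values constructed."""

MAPUSER_KEY = "pam.mapuser."
OVERRIDE_KEY = "pam.allow.override"


def classify_ad_name(name):
    """Format of an Active Directory account name as written in centrifydc.conf.
    A UPN and an alternate UPN look the same in text, so both report as 'upn'."""
    if "\\" in name:
        return "windows"            # domain\user_name
    if "@" in name:
        return "upn"                # user_name@domain or alt_user_name@alt_domain
    return "unix"                   # bare name: the local computer's domain applies


def to_upn(name, local_domain):
    """Normalise any accepted format to user@domain."""
    kind = classify_ad_name(name)
    if kind == "windows":
        domain, user = name.split("\\", 1)
        return f"{user}@{domain}"
    if kind == "upn":
        return name
    return f"{name}@{local_domain}"


def parse_pam_config(conf_text):
    """Return ({local_user: ad_name}, [override accounts])."""
    mappings, override = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key.startswith(MAPUSER_KEY):
            mappings[key[len(MAPUSER_KEY):]] = value
        elif key == OVERRIDE_KEY:
            override = [v.strip() for v in value.split(",") if v.strip()]
    return mappings, override


def lint_mappings(conf_text, local_domain, passwd):
    """passwd maps local user name to UID (a stand-in for /etc/passwd)."""
    mappings, override = parse_pam_config(conf_text)
    findings = []
    for local, ad_name in mappings.items():
        if local not in passwd:
            findings.append(f"{local}: mapped but no such local account")
        if classify_ad_name(ad_name) == "unix":
            findings.append(f"{local}: '{ad_name}' names no domain; "
                            f"resolved as {to_upn(ad_name, local_domain)}")
    uid0_mapped = any(passwd.get(u) == 0 for u in mappings)
    uid0_override = any(passwd.get(u) == 0 for u in override)
    if uid0_mapped and not uid0_override:
        findings.append("a UID 0 account is mapped to Active Directory but "
                        "pam.allow.override names no UID 0 local account")
    return findings


# Constructed configuration and passwd table (not a real environment).
SAMPLE_CONF = """\
pam.mapuser.root: ACME\\unixroot
pam.mapuser.oracle: oracle-svc@acme.com
pam.mapuser.backup: backup_svc
pam.allow.override: root
"""
SAMPLE_PASSWD = {"root": 0, "oracle": 1001, "backup": 1002}

if __name__ == "__main__":
    for finding in lint_mappings(SAMPLE_CONF, "acme.com", SAMPLE_PASSWD):
        print(finding)
```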
pam.password.change.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to change a
password.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.change.mesg: Changing Active Directory password for\
pam.password.change.required.mesg
This configuration parameter specifies the message displayed if the
user enters the correct password, but the password must be
changed immediately.
For example:
pam.password.change.required.mesg: \
pam.password.confirm.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to confirm his
new password by entering it again.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.confirm.mesg: Confirm new Active Directory password:\
pam.password.empty.mesg
This configuration parameter specifies the message displayed if the
user attempts to enter an empty password.
For example:
pam.password.empty.mesg: Empty password not allowed
pam.password.enter.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to enter his
password.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.enter.mesg: Active Directory password:\
pam.password.expiry.warn.mesg
This configuration parameter specifies how many days before a
password is due to expire PAM-enabled applications should issue a
warning to the user.
The parameter value must be a positive integer. For example, to
issue a password expiration warning 10 days before a password is
set to expire:
pam.password.expiry.warn: 10
pam.password.new.mesg
This configuration parameter specifies the text displayed by a
PAM-enabled application when it requests a user to enter his new
password during a password change.
The parameter value must be an ASCII string. UNIX special
characters and environment variables are allowed. For example:
pam.password.new.mesg: Enter new Active Directory password:\
pam.password.new.mismatch.mesg
This configuration parameter specifies the message displayed
during password change when the two new passwords do not
match each other.
For example:
pam.password.new.mismatch.mesg: New passwords don't match
pam.policy.violation.mesg
This configuration parameter specifies the message displayed
during password change if the operation fails because of a domain
password policy violation. For example, if the user attempts to
enter a password that doesn’t contain the minimum number of
characters or doesn’t meet complexity requirements, this message
is displayed.
For example:
pam.policy.violation.mesg: \
The password change operation failed due to a policy restriction set
by the\nActive Directory administrator. This may be due to the new
password length,\nlack of complexity or a minimum age for the current
password.
Setting up SSH
All configuration of the SSH server is taken care of for you by the
installation. The only thing left to do is to start the server and test
connectivity to the sshd server process.
The first time the server starts, it tries to find the current set of
host keys in /etc/ssh and import them. If it doesn’t find the keys,
it generates new keys and stores them in /etc/centrifydc/ssh.
To start the server, run the following command (Red Hat Linux
only):
service centrify-sshd start
You can test the server by connecting to the local host to make sure
that SSH is running and accepting connections. The following
command should result in a local connection to the SSH server:
/usr/share/centrifydc/bin/ssh root@localhost