Managing computers
This chapter describes how to add UNIX computers to Active Directory domains, manage computer account properties, and leave the domain.
The following topics are covered:
Understanding the join operation
Deciding who can join computers to the domain
Preparing computer accounts
Joining a domain interactively or using a script
Allowing password resets for computer accounts
Designating a computer as a NIS server
Changing the zone for the computer
Changing the domain for a computer
Leaving a domain
Renaming a server
Customizing configuration settings for a computer
Running reports for computers
Understanding the join operation
To begin authenticating users and authorizing access to UNIX resources through Active Directory, UNIX computers must be added to the appropriate Active Directory domains in the Active Directory forest. You do this by using the adjoin command.
When you run adjoin, the program locates the appropriate domain controller for the domain you specify and contacts Active Directory to add the computer to the domain. By default, the domain controller to contact is determined by the Active Directory site topology or the master domain controller specified for the zone you are joining. If the preferred domain controller is not available, the UNIX agent attempts to connect to the next domain controller. If no domain controller can be contacted or the connection takes too long to complete, the join operation fails.
If the adjoin program can successfully contact Active Directory, it performs a series of key tasks. For example, when you join the domain, the program does the following:
Synchronizes the local computer’s time with Active Directory to ensure the timestamp
Checks whether a computer account already exists for the local computer in Active Directory. It creates a new Active Directory computer account for the local computer, if needed.
Updates the Kerberos service principal names used by the host computer, generating a new Kerberos configuration file and krb5.keytab entries, and generating new service keys for the host and http services.
Sets the password on the Active Directory computer account to a randomly-generated password. The password is encrypted and stored locally on the UNIX host to ensure that only the Centrify agent has control of the account.
Starts the Centrify UNIX agent adclient.
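The list above says that a successful join writes krb5.keytab entries and service keys for the host and http services. The following shell function is an added example, not part of this documentation or of the Centrify product, for checking that outcome after a join: it reads a keytab listing and confirms that the host/ and http/ service principals for this computer exist in the joined domain's realm. It assumes the keytab is /etc/krb5.keytab and that `klist -k` prints one "KVNO Principal" entry per line, as MIT Kerberos does; the host name, realm, and the listings below are constructed sample data.

```shell
#!/bin/sh
# Added example: verify that the keytab written by the join contains the
# host/ and http/ service principals for this computer.
# Assumes MIT-style `klist -k` output (one "KVNO principal" line per key).

# check_keytab_spns FQDN REALM  <  klist-listing
# Returns 0 if every required SPN is present, 1 otherwise; each missing
# principal is reported on stderr.
check_keytab_spns() {
    fqdn="$1"      # constructed example: host01.sales.acme.com
    realm="$2"     # constructed example: SALES.ACME.COM
    listing=$(cat)
    missing=0
    for svc in host http; do
        # Field 2 of a key line is the principal; compare it exactly so that
        # host/host01.sales.acme.com does not satisfy a check for http/.
        if ! printf '%s\n' "$listing" \
            | awk -v p="$svc/$fqdn@$realm" '$2 == p { found = 1 } END { exit found ? 0 : 1 }'; then
            echo "missing service principal: $svc/$fqdn@$realm" >&2
            missing=1
        fi
    done
    return $missing
}

# Live use on a joined host:
#   klist -k /etc/krb5.keytab | check_keytab_spns "$(hostname -f)" SALES.ACME.COM

# Constructed sample listing for a join that produced both service principals.
SAMPLE_KLIST_COMPLETE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/host01.sales.acme.com@SALES.ACME.COM
   2 host/HOST01@SALES.ACME.COM
   2 http/host01.sales.acme.com@SALES.ACME.COM
   2 HOST01$@SALES.ACME.COM'

# Constructed sample listing where the http/ keys are absent.
SAMPLE_KLIST_PARTIAL='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/host01.sales.acme.com@SALES.ACME.COM
   2 host/HOST01@SALES.ACME.COM
   2 HOST01$@SALES.ACME.COM'

printf '%s\n' "$SAMPLE_KLIST_COMPLETE" | check_keytab_spns host01.sales.acme.com SALES.ACME.COM \
    && echo "complete keytab: ok"
printf '%s\n' "$SAMPLE_KLIST_PARTIAL" | check_keytab_spns host01.sales.acme.com SALES.ACME.COM \
    || echo "partial keytab: http/ principal missing, as expected"
```

The exact-match comparison on the principal field matters: a substring check would accept a host/ entry as evidence that the http/ keys exist, which is the case a post-join check most needs to catch.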
Once a computer joins the domain, you can use the Access Manager console or Active Directory Users and Computers to manage its properties. By default, the computer will function exactly as it did before joining the domain, allowing local user accounts to log in and existing programs and applications to work as they did previously, but you will have complete control and flexibility to manage access through Active Directory by adding AD users to the zone the computer joined, and defining and assigning roles that determine the access these users have on the UNIX computer.
By default, the password on the computer account is updated with a new, randomly-generated password every seven days to ensure security. You can customize how frequently the password for the account is changed through the Password change interval group policy or by modifying the configuration file, centrifydc.conf, on any managed system.
For more information about defining access to a managed computer, see Chapter 9, “Managing user profiles,” and Chapter 10, “Authorizing users.”
Deciding who can join computers to the domain
Active Directory provides various mechanisms for controlling who is allowed to join computers to the domain. There are two basic scenarios:
Any user with a valid domain account can add a computer to the domain. This is the default configuration for Windows. It permits any successfully authenticated user to add as many as ten computers to the domain. Many enterprises leave their domains set up this way so that administrative access is not required for a computer to join the domain.
Permission to add a computer to the domain is restricted to a set of privileged users.
When permission to add a computer to the domain is restricted, a user adding the computer must log in with an account that has appropriate administrative rights and provide a password. If your organization restricts who can add computers to the domain, joining the domain might require explicit permission. For example, joining the domain might be restricted to domain administrator accounts or delegated within
Since who can join a domain depends on your organization’s policies and is enforced through Active Directory, Access Manager applies the same rules for UNIX computers joining the domain as have been defined in Active Directory for adding Windows computers to the domain. For example:
If any user with a valid domain account can add a Windows computer, adding a UNIX computer does not require an administrative user account and password.
If only administrative or delegated users are allowed to add computers, the user adding the UNIX computer must supply a valid administrative or delegated user name and password.
Preparing computer accounts
If joining the domain is restricted to privileged users, or if you want to specify computer-level overrides in advance, you may want to prepare (precreate) computer accounts for your UNIX computers before they join the domain. By preparing the computer account before joining the domain, you can:
Specify a particular user or group with permission to join the computer to the domain, so that users can add their own workstations to the domain without any special rights or permissions.
Create the organizational structure you want to use for UNIX computers in Active Directory, minimizing the need to move the computer account after joining the domain.
Set other properties for the computer account, such as the delegation properties for the computer account, so that when the computer joins the domain it is configured appropriately without requiring you to perform additional steps.
Specify a particular user or group with permission to manage computer overrides for the computer, which allows the specified user or group to add user profiles or make role assignments for the computer, ahead of time, that will take effect when the computer joins the domain.
You can use Active Directory Users and Computers, the Access Manager console, or ADEdit to prepare and create computer accounts. If you use Active Directory Users and Computers to create the account, however, you need to modify the permissions for the account as described in “Allowing password resets for computer accounts” on page 80 before joining the domain.
When you prepare a computer account by using the Access Manager console, you are presented options (in Step 3) to specify the following:
Whether to prepare for joining the domain
Whether to delegate permissions for managing machine-level overrides
In general, it makes sense to select both options as it allows administrators, besides the administrator creating the computer account, to manage these two aspects of the computer account. Depending on how you delegate permissions in your organization, you may assign different users or groups to each of these functions.
However, it is possible to create a computer account and not delegate permission for machine overrides. In this case, the administrator who created the computer account is the only one who can make machine-level overrides, that is, add users and make role assignments for the computer. The console will show User and Role Assignment nodes for the computer, but no one other than the computer account creator can add users or make role assignments.
Likewise, it is possible to delegate permissions for machine overrides without preparing the computer to join the domain. In this case, the computer icon appears in the zone, but an AD object and service connection point are not created. The designated administrator may add users and make role assignments for the computer. Who can add this computer to the domain depends on how permissions are set up for your domain (as described in the previous section, Deciding who can join computers to the domain). If any user with a valid domain account can add computers to the domain, then any user can join it; otherwise, only the administrator who created the computer account may join it to Active Directory.
To prepare a computer account using the Access Manager console:
1 In the console tree, select Zones and if necessary, Child Zones, to display the list of zones, then select the specific zone to which you want to add the computer account.
2 Select Computers, right-click, then click Prepare UNIX Computer.
3 Select one or both of the following options to specify the type of preparation to do:
Prepare computer for adjoin to create or select a computer account to add to the selected zone. On a later screen, you may delegate permission to join a zone to a specific user or group.
Delegate permission for machine overrides to delegate permission to manage machine overrides to a different user or group. The specified user or members of the specified group will be able to create user profiles and make role assignments that are specific to this computer.
Click Next.
4 Choose whether to create a new computer object or select an existing one, by selecting one of the following options:
Create new computer object to create a new computer account in the domain, then click Next.
Select existing computer object if the computer account already exists in the same domain or a different domain, but you want to add a zone profile and delegate permission to join the domain and manage computer overrides. Click Browse to search for the existing computer object. After selecting an existing computer account, click Next to continue to Step 7 to select the user or group that should be allowed to join the computer to the domain.
5 If you are creating a new computer object, type the computer name to use for the new computer account and specify a location for the computer account object in Active Directory, then click Next. The fields on this page are described in the table that follows Step 7.
6 Define service principal names for the specified computer. You can click Next to accept the list of default service principal names, or do one of the following (Press F1 to get help with any of the procedures for adding, removing, or modifying service principal names):
Click Add to add a service type or add a new service name to an existing service type.
Select a service principal name and click Edit to change the name.
Select a service principal name and click Remove to delete the name.
Click Default SPN to return the list to the default names. Clicking this button restores any service principal names that you removed and removes any service principal names that you added.
7 Select whether to allow a specific user or group to join the computer to the domain or use the precreated computer account and password to join the domain, then click Next.
Select Allow this user, group, or computer to join the computer to the zone to delegate the permission to join the domain to a specific user, group, or computer account. If you select this option, you can click Next to give the permission to the default Domain Admins group, or click Browse to search for another user or group that you want to give permission to join the computer to the domain.
Select Allow the computer to join itself to the zone to generate an automatic password reset on the computer account that allows the precreated computer’s account and password to be used to perform a “self-service” join. This option is selected by default because it allows you to automate the join operation so that a user name and password are not required to join the domain.
Fields on the new computer object page (Step 5):
Computer name: Type the host name to use for the computer account in Active Directory.
Domain: Verify that the domain name displayed is the appropriate domain for the computer account to join. Click Browse to navigate to a different Active Directory domain.
DNS name: Verify the DNS name for the computer account. You can modify the DNS name for the computer, if needed. For example, if computer names in DNS use a different suffix than the Active Directory domain, you may need to modify the default value displayed.
Create the computer object in the container: Specify the parent container for the new computer account in Active Directory. In most cases, you should use the default parent container object, domain_name/Computers. Click Change to navigate to a different container object for the computer account.
8 You can click Next to give permission to manage computer-level overrides to the default Domain Admins group, or click Browse to search for another user or group.
Note This page only appears if you selected Delegate permission for machine overrides in Step 3.
9 Review your configuration settings, then click Next.
10 Review the confirmation of the operation performed, then click Finish.
The computer account is created in Active Directory and a zone profile for the computer is added to the Access Manager console in the zone’s Computers container. The user or group you have designated as the trustee can now join this computer to the domain using the adjoin --selfserve command line option, and the group you designated for machine-level overrides can add users and role assignments to the computer.
Joining a domain interactively or using a script
As described in “Understanding the join operation” on page 74, you join a computer to the domain by running the adjoin command directly on a computer. You run this command once for each UNIX computer you want to add to a domain in the forest.
In most cases, the administrator or a designated user runs the command interactively at the command line, but the command can be included in a script to automate joining a domain. Whether you join the domain interactively from the command line or using a script, you must specify the zone the computer should be part of (--zone zoneName) — unless you are using the self service option (--selfserve), in which case the computer is made a member of the zone where the precreated object was created. There are several additional arguments that you can use when joining a domain to specify information such as a user name and password for an account with permission to join the domain, or the Organizational Unit you want to place the computer in.
For example, the following command connects to Active Directory as the user shea@acme.com to add the local computer to the LinuxDev zone and the sales.acme.com domain:
adjoin --user shea@acme.com --zone LinuxDev sales.acme.com
The adjoin program then prompts for the Active Directory password for the shea@acme.com account:
Active Directory password: xxx
In this example, the user shea is a member of the acme.com domain rather than the sales.acme.com domain this computer is joining. Therefore, the user account must be specified in the user_name@domain_name format. In addition, this example places the local UNIX computer account in a specific, previously-created zone called LinuxDev. This is the most common format for the adjoin command line.
Although you can specify the password for an account as part of the adjoin command line
reasons. If you are using adjoin in a script, however, you may need to include the --password option or provide another mechanism for inputting a valid password. For more information about using the adjoin command line options, see Appendix A, “Using Centrify UNIX commands.”
If the adclient process is able to connect to Active Directory and the join is successful, a confirmation message is displayed. If the connection to Active Directory fails, a warning message is displayed and the join operation fails.
If you did not pre-configure a computer account for the local computer in another container, the join operation adds a new computer account to Active Directory in the domain_name/Computers container.
If the computer has a precreated computer account in Active Directory, you can run a command similar to the following to join the domain:
adjoin --selfserve domain
For example:
adjoin --selfserve cendura.org
Note that you must specify the domain to join but not the zone — the computer is automatically joined to the domain in which the computer object was pre-created. See “Preparing computer accounts” on page 76 for information about preparing computer accounts.
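The two command lines in this section, the credentialed join with --user and --zone and the self-service join with --selfserve, follow a rule that is easy to get wrong in a script: --zone is required unless --selfserve is used, and --selfserve takes its zone from the precreated object. The wrapper below is an added example, not part of this documentation or of the Centrify product, that builds the adjoin argument list for either form, rejects the invalid combinations, and runs adjoin only if it is installed. It relies only on the adjoin options shown on this page (--user, --zone, --selfserve) followed by the domain name; for a credentialed join it lets adjoin prompt for the password rather than passing --password, because command line arguments are visible to every local user in the process list, and for unattended joins it favours the self-service form, which needs no user credentials at all. The domain, zone and user names are the constructed values used elsewhere on this page.

```shell
#!/bin/sh
# Added example: wrapper for the adjoin command lines shown in this section.
# Uses only the adjoin options the page documents: --user, --zone, --selfserve.

# build_adjoin_args DOMAIN ZONE [USER] [MODE]
#   MODE is "credential" (default) or "selfserve".
# Prints the adjoin argument list on stdout, or prints an error and returns 1.
build_adjoin_args() {
    domain="$1"; zone="$2"; user="$3"; mode="${4:-credential}"
    [ -n "$domain" ] || { echo "domain name is required" >&2; return 1; }
    case "$mode" in
        selfserve)
            # The zone is taken from the precreated computer object, so a
            # --zone argument would be contradictory; refuse it.
            [ -z "$zone" ] || { echo "--zone cannot be combined with --selfserve" >&2; return 1; }
            echo "--selfserve $domain"
            ;;
        credential)
            [ -n "$zone" ] || { echo "--zone is required unless --selfserve is used" >&2; return 1; }
            set -- --zone "$zone" "$domain"
            # --user is optional; adjoin prompts for the password itself, so the
            # password never appears on the command line or in the process list.
            if [ -n "$user" ]; then
                set -- --user "$user" "$@"
            fi
            echo "$@"
            ;;
        *)
            echo "unknown mode: $mode (expected credential or selfserve)" >&2
            return 1
            ;;
    esac
}

# run_join DOMAIN ZONE [USER] [MODE]
# Builds the arguments, runs adjoin, and turns its exit status into a message.
# Return codes: 1 invalid arguments, 2 adjoin not installed, 3 join failed.
run_join() {
    args=$(build_adjoin_args "$@") || return 1
    command -v adjoin >/dev/null 2>&1 || { echo "adjoin is not installed on this host" >&2; return 2; }
    # Word splitting of $args is intended: it holds separate adjoin arguments.
    # shellcheck disable=SC2086
    if adjoin $args; then
        echo "joined $1"
    else
        # The page notes that an unreachable domain controller or a slow
        # connection makes the join fail; surface that as a distinct status.
        echo "join of $1 failed: check domain controller reachability and credentials" >&2
        return 3
    fi
}

# Usage (the credentialed and self-service joins from this section):
#   run_join sales.acme.com LinuxDev shea@acme.com
#   run_join cendura.org "" "" selfserve
```

Keeping the argument construction in its own function makes the validation testable without a domain controller, and means an automation job can log the exact command it is about to run before adjoin prompts.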
Allowing password resets for computer accounts
By default, most computer accounts do not have permission to reset their own account password. This prevents the delegation of administrative rights for the computer to the local computer account. If you want to give a computer account administrative rights in a zone, you need to modify the computer account to allow password resets. In addition, allowing a computer account to update its own properties enables DirectManage Access to display the agent version and maintain operating system information for the computer account.
Note You should use the Prepare UNIX Computer wizard and select the Allow the computer to join itself to the zone option to allow a computer to manage its own account.
Checking for the appropriate permissions
To check whether a computer account allows password resets, you need to view the permission settings for the account.
To check and modify the permissions for a computer account:
1 Open Active Directory Users and Computers, expand the domain, and select Computers to find the computer account to which you want to assign administrative rights.
2 Select the computer account, right-click, then select AD Properties.
3 Click the Security tab, scroll down the list of group or user names and select SELF.
4 In the list of Permissions for SELF, scroll to the Reset Password permission, click Allow, then click OK.
5 Select the computer account, right-click and select Reset Account, then click Yes. When the account is reset, click OK.
Assigning administrative rights to computer accounts
After you have checked the Active Directory permissions for a managed computer account