Managing user profiles

In document Centrify Server Suite 2014 (Page 107-128)

This chapter describes how to give Active Directory users access to managed computers in Centrify zones and how to manage user profiles and properties using the Access Manager console.

The following topics are covered:

• Understanding user profiles

• Adding Active Directory users to zones

• Using Zone Provisioning Agent to provision zones

• Adding users from another trusted forest

• Adding multiple profiles for a user to a zone

• Modifying zone-specific settings for a user profile

• Modifying the user profile and object properties

• Working with read-only domain controllers

• Applying password policies and changing passwords

• Working in disconnected mode

• Mapping local UNIX accounts to Active Directory

• Setting a local override account

• Customizing other settings for users

• Assigning users to roles

• Setting runtime variables

• Running reports for users

This chapter focuses on adding and managing UNIX user profiles and performing related tasks. For information about planning the migration of an existing user population and setting up user- or group-based access controls, see the Planning and Deployment Guide.

Understanding user profiles

You can create a UNIX profile for any existing Active Directory user by adding the user to a zone, or to a computer account for the zone. The profile determines how the Active Directory user is identified on a UNIX computer and consists of the same NSS data that is defined for users on UNIX computers in the /etc/passwd file. A complete UNIX profile includes the fields listed in the Field/Value table below.

As explained earlier (see “Understanding identity and access in hierarchical zones” on page 35), a user’s identity is determined by the profile tree, not by a profile in a single zone. By default, a user added to a parent zone inherits the same profile in a child zone, so it is not necessary to add users to child zones. However, in a child zone, or in a computer account for the zone, you can add a user and override the definition of any of the profile fields to create a different identity for that user in the child zone or for that computer.

For example, you could set the Shell field for a user to /bin/bash in a zone, but set it to /usr/bin/ksh on an AIX computer that joins the zone; or set the Home directory field to /home in a zone, and set it to /Users on a Mac OS X computer that joins the zone.

It is possible to define a partial profile in a zone by leaving one or more of the NSS fields blank. A complete profile (all profile fields defined) is required to effectively identify a user when a computer joins a zone but a profile in a child zone, or for the joined computer, can complete the missing fields from the parent zone to create a complete profile.

Although a complete profile uniquely identifies a user in a zone, the profile does not give a user access to computers in the zone. To have access to a computer, a user requires at least one role assignment in addition to a complete profile (see Chapter 10, “Authorizing users.”). A user with a complete profile and at least one role is considered an effective user. To see effective user rights:

• Select a zone, right-click and click Show Effective UNIX User Rights.

• Select a computer account, right-click and click Show Effective User Rights.

For more information about effective rights, see “Identifying effective users” on page 113.

Field: Value

Login name: UNIX login name for this user in the current zone.

UID: The user identifier (UID) for this user in the current zone.

Primary group: The UNIX group profile to use as the primary group for this user.

GECOS: General information for the user similar to the UNIX /etc/passwd GECOS field.

Home directory: The default home directory for this user in the current zone.

Adding Active Directory users to zones

You can enable access to Linux and UNIX computers in any zone for existing Active Directory users by doing the following:

• Creating a UNIX profile for the Active Directory user

• Assigning the user a role

There are several different ways you can add Active Directory users directly to a zone. For example, you can add users to a zone from Access Manager or Active Directory Users and Computers. You can also add users by running commands or executing scripts using the Centrify Access Module for PowerShell on Windows computers or the ADEdit application on Linux or UNIX computers.

The steps in this section explain how to create an identity by adding an Active Directory user directly to a zone from Access Manager. This is a simple way you can create the UNIX profile if UNIX users already have an Active Directory account. For information on assigning a role, see Chapter 10, “Authorizing users.”

To add users to a zone using Access Manager:

1 Open the Access Manager console.

2 Expand the Zones node, and if necessary the Child Zones node until the zone of interest is visible.

3 Expand the zone of interest and UNIX Data. Select Users, right-click and click Add User to Zone.

4 Type a search string to locate the user account, then click Find Now. For example, type “qa” to display the qa1, qa2 and qa3 users.

5 Select one or more users in the results, then click OK.

6 Review the UNIX profile settings for the user and make any changes necessary, then click

For example:

If you selected more than one user, repeat Step 6 for each user.

Setting the profile attributes

When you add an existing Active Directory user to a zone, Access Manager displays a default new user profile. You can accept or change the default values for any of the profile attributes, as needed. The UNIX profile consists of the following attributes you can set.

Login name: Set the UNIX login name for this user in the current zone. By default, it shows the login name of the user you are adding.

UID: Set the user identifier (UID) for this user in the current zone.

Primary group: Select the primary group for the user from one of the following options:

• <auto private group> sets the user’s primary group name and GID to be the same as the user’s UNIX login name and UID. Private groups are not stored or managed in Active Directory.

• <...> enables you to select a specific Active Directory group with a UNIX group profile.

• <not defined> enables you to type in a group identifier (GID) not associated with any Active Directory group.

GECOS: Enter general information for the user similar to the UNIX /etc/passwd GECOS field. You can specify variables in this field; for example:

%{u:samaccountname}

Home directory: Set the default home directory for this user in the current zone. You can specify variables in this field; for example:

%{home}/%{user}

to set the home directory to the user’s /home/username directory, where %{home} is set to the default value, /home.

Shell: Select the default login shell for this user from the list of shells available. You can specify variables in this field. For example,

%{shell}

to set the user’s shell to the default shell defined for this computer in this zone.

Defining partial UNIX profiles

Access Manager allows you to create a partial profile by leaving any of the fields blank. However, you must provide a value for at least one of these attributes or the wizard prevents you from going to the next page. If you intend to leave a field blank, leave its check box blank; otherwise, the wizard does not allow you to continue until you provide a value. If a user has an incomplete profile in a zone, any role assignments to that user will not be effective. Keep in mind, however, that a user can have an incomplete profile in a parent zone, and if any missing attributes are defined in a child zone, that user is enabled for role assignments in the child zone.

Defining valid UNIX profile names

User profile names can consist of letters, numbers, hyphens, underscores, periods and dashes. Some operating environments may have additional restrictions. For example, some operating environments do not support user names that are longer than 8 characters or require that the first character of the user name be alphabetic. Because UNIX user names typically use only lowercase characters, the default user profile name displayed follows this convention. If you modify the default profile name and include uppercase characters, keep in mind that the proper case must be used when entering the user name. For compatibility with Samba, the dollar sign ($) can also be used at the end of the user name. In general, other special characters, such as ! and &, are not supported.

If the Windows name includes unsupported special characters, Access Manager replaces them with underscores for the UNIX login name. For example, Access Manager converts a Windows logon name with special characters, such as qa:user2, into a valid UNIX login name of qa_user2.

Using variables in a profile

You can specify variables in several of the profile attributes. In addition, if default values are defined for users in the current zone, the corresponding values are in the default profile. For more information about using variables, see “Setting runtime variables” on page 128.
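The login-name conversion and the %{...} placeholders described in this section, as an added Python example that is not part of the Centrify documentation or product. It assumes a simplified expansion model in which %{name} reads a zone default and %{u:attr} reads an Active Directory attribute of the user; the sample names and attribute values are constructed.

```python
import re

# Placeholders as documented for the profile attributes: %{home}, %{user}
# and %{shell} come from zone defaults; %{u:<attr>} reads an Active
# Directory attribute of the user (for example %{u:samaccountname}).
# This expansion model is a simplifying assumption, not Centrify's code.
VAR_RE = re.compile(r"%\{(u:)?([A-Za-z_][A-Za-z0-9_]*)\}")

def expand_profile_vars(template, zone_defaults, ad_attrs):
    """Expand %{name} from zone defaults and %{u:attr} from AD attributes.
    An undefined variable raises KeyError so that a profile field is never
    silently filled with a literal '%{...}' string."""
    def repl(m):
        source = ad_attrs if m.group(1) else zone_defaults
        key = m.group(2).lower()
        if key not in source:
            raise KeyError(f"undefined profile variable {m.group(0)}")
        return source[key]
    return VAR_RE.sub(repl, template)

ALLOWED_CHAR = re.compile(r"[A-Za-z0-9._-]")

def to_unix_login(windows_name, lowercase=True):
    """Derive a valid UNIX login name from a Windows logon name using the
    rules on the page: letters, digits, '.', '_' and '-' are kept, a trailing
    '$' is kept for Samba, and every other character becomes '_'."""
    trailing_dollar = windows_name.endswith("$")
    body = windows_name[:-1] if trailing_dollar else windows_name
    if lowercase:
        body = body.lower()
    cleaned = "".join(ch if ALLOWED_CHAR.match(ch) else "_" for ch in body)
    return cleaned + ("$" if trailing_dollar else "")

def login_warnings(login):
    """Portability checks for the OS-specific restrictions the page mentions."""
    warnings = []
    if len(login.rstrip("$")) > 8:
        warnings.append("longer than 8 characters; some platforms reject it")
    if not login[:1].isalpha():
        warnings.append("first character is not alphabetic")
    if login != login.lower():
        warnings.append("contains uppercase; must be typed with exact case")
    return warnings

if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    zone = {"home": "/home", "user": "qa_user2", "shell": "/bin/bash"}
    ad = {"samaccountname": "qa:user2", "displayname": "QA User Two"}
    print(to_unix_login("qa:user2"))                          # qa_user2
    print(expand_profile_vars("%{home}/%{user}", zone, ad))   # /home/qa_user2
    print(expand_profile_vars("%{u:samaccountname}", zone, ad))
    print(login_warnings("Administrator$"))
```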

In more complex environments where existing legacy accounts must be migrated, more planning is typically required. If you are migrating existing login and service accounts, see the Planning and Deployment Guide. The Planning and Deployment Guide walks you through the complete process of creating a zone structure, importing users and groups, and creating Active Directory identities for them. You should also refer to the Planning and Deployment Guide if you plan to use the Zone Provisioning Agent to automate the process of creating user and group profiles when you add users to a monitored Active Directory group.

Overriding a user profile definition

When you add a user to a zone and create a profile there, the profile is inherited by any child zones. You can override any of the profile fields to create a new identity for the user in a child zone or for a computer account, by adding the user to a child zone or a computer account.

To override a profile definition:

1 Open the Access Manager console. Expand the Zones node, and the Child Zones node until the zone of interest is visible. Or, if you are overriding the profile for a computer account, expand the Computers node to see the computer of interest.

2 Expand the zone or computer of interest and expand UNIX Data. Select Users, right-click and click Add User to Zone.

3 Type a search string to locate the user account, then click Find Now. For example, type “rd” to display the user rdavis.

4 Select the user and click OK.

5 The UNIX profile settings show that all fields are inherited from the parent zone.

6 Select one of the fields, Shell, for example, and type /usr/bin/ksh to give the user rdavis a different shell in this zone or for this computer. For example, the shell is now

7 Click OK to save the profile for this zone.

Identifying effective users

The Console provides a menu command, Show Effective UNIX User Rights, that allows you to see the effective users for any zone. An effective user is one who has a complete profile in a zone and has at least one role assigned for that zone. You cannot look at any particular nodes in a zone to determine effective users because effective users are determined dynamically, through inheritance and child zone and computer-level overrides. When you run Show Effective UNIX User Rights, Access Manager does the following to determine effective users:

• Traverses the profile tree from the top down to the selected zone to identify users and establish their profiles by determining which profile data is inherited from parent zones, and which data, if any, is overridden in a child zone or at the computer level.

• Traverses the access tree from the top down to the selected zone to determine the accumulated list of role assignments and rights for each user.

• Correlates the profile and access results to identify the users who have a complete profile for the current zone and computer, and determine their accumulated role assignments and rights.
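The three-step determination above, as an added Python model that is not Centrify's code: profile fields resolve top-down with child-zone and computer overrides, role assignments accumulate top-down, and a user is effective only with a complete six-field profile plus at least one role. The Level structure is an assumed representation, and the zone names, users and role names are constructed sample data.

```python
from collections import namedtuple

# The six NSS fields of a complete UNIX profile, as listed on the page.
PROFILE_FIELDS = ("login", "uid", "gid", "gecos", "home", "shell")

# One level of the hierarchy (parent zone, child zone or joined computer):
# profiles maps user -> {field: value}, roles maps user -> set of role names.
# Assumed representation for illustration, not Centrify's data structures.
Level = namedtuple("Level", "name profiles roles")

def resolve_profile(user, chain):
    """Profile tree, top-down: a lower level overrides the fields it defines
    and inherits the rest. Returns {field: (value, level_defined_at)}."""
    resolved = {}
    for level in chain:
        for fld, val in level.profiles.get(user, {}).items():
            if val not in (None, ""):            # blank field = not defined
                resolved[fld] = (val, level.name)
    return resolved

def accumulated_roles(user, chain):
    """Access tree, top-down: role assignments accumulate downwards."""
    roles = set()
    for level in chain:
        roles |= level.roles.get(user, set())
    return roles

def effective_users(chain):
    """Correlate both trees: effective = complete profile AND >= 1 role.
    Returns (effective, omitted); omitted carries the reason, like the
    'Show omitted users' option described on the page."""
    users = set()
    for level in chain:
        users |= set(level.profiles) | set(level.roles)
    effective, omitted = {}, {}
    for user in sorted(users):
        prof = resolve_profile(user, chain)
        roles = accumulated_roles(user, chain)
        missing = [f for f in PROFILE_FIELDS if f not in prof]
        if missing:
            omitted[user] = "incomplete profile, missing " + ", ".join(missing)
        elif not roles:
            omitted[user] = "no role assignment"
        else:
            effective[user] = {"profile": prof, "roles": roles}
    return effective, omitted

# Constructed sample hierarchy: parent zone -> child zone -> AIX computer.
PARENT = Level("corp", {
    "rdavis": dict(login="rdavis", uid=5001, gid=5001, gecos="R Davis",
                   home="/home/rdavis", shell="/bin/bash"),
    "qa1": dict(login="qa1", uid=5002, gid=5002, gecos="QA one")},  # partial
    {"rdavis": {"UNIX Login"}})
CHILD = Level("corp/eng", {"qa1": dict(home="/home/qa1", shell="/bin/sh")},
              {"qa1": {"UNIX Login"}, "nobody": {"UNIX Login"}})
AIX01 = Level("aix01", {"rdavis": dict(shell="/usr/bin/ksh")}, {})
```

Calling effective_users([PARENT, CHILD, AIX01]) reports rdavis (shell overridden at aix01) and qa1 (completed in the child zone) as effective, and omits nobody, who holds a role but has no profile.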

To show effective users for a zone or computer:

1 Open the Access Manager console. Expand the Zones node, and if necessary the Child Zones node until the zone of interest is visible.

2 Select the zone of interest, right-click and click Show Effective UNIX User Rights.

Note Access Manager shows the effective users for the zone in general; it does not take into account role assignments that may have been added for a particular computer, so users in those roles will not be shown. To see effective users for a particular computer in the zone, select it from the drop-down list in Computer.

3 (Optionally) Select Show omitted users to include users who have an incomplete profile or do not have a role assignment. Users with an incomplete profile are shown in red. Select the user and the Zone tab to see which profile fields are missing.

4 Select a user and the following tabs to see information for the user for the selected zone or computer:

Zone Profile lists the values for all UNIX user profile fields and the location in which they are defined.

Role Assignments lists the user’s role assignments for the selected zone or
(user@domain) or from an assignment to a group to which the user belongs (group@domain). Location of Assignment is the zone or computer role in which the assignment was made.

PAM Access lists the PAM access (log on) rights granted by the roles to which the user belongs for the selected zone or computer. It shows the name of the right, the specific PAM applications that are allowed (* indicates all PAM applications), where it is defined, and to which role it belongs.

Commands lists the command rights granted by the roles to which the user belongs for the selected zone or computer. It shows the name of the command, the path to the UNIX command defined for the command right, where it is defined, and to which role it belongs.

SSH Rights lists the SSH rights granted by the roles to which the user belongs for the selected zone or computer. It shows the name of the SSH right, the SSH applications that are allowed, where it is defined, and to which role it belongs.

Viewing audit sessions

If you are running DirectManage Audit, you can audit any zoned users. One way to automate this is to assign the Audit right, Audit if possible, or Audit required, to a role. Audit if possible is applied by default to all roles.

You can view audit sessions in the Access Manager console if you want.

To view audit sessions:

1 On a Windows computer, open the DirectManage Access console.

2 Expand a zone, then expand UNIX Data > Users, then select a user, right-click and select View DirectAuditSessions.

Using Zone Provisioning Agent to provision zones

The Zone Provisioning Agent is a separate tool that enables automated provisioning of user and group accounts into Centrify zones. You configure the Zone Provisioning Agent to monitor specific Active Directory groups that are linked to a zone. When you add or remove users or groups from the monitored groups, the Zone Provisioning Agent adds or removes corresponding users or groups in the zone. You can configure the business rules for adding and removing groups and how the attributes associated with a user profile or a group profile are generated.

See “Provisioning user and group profiles automatically” on page 50 for more information. The Zone Provisioning Agent is also explained in detail in the Planning and Deployment Guide.

Adding users from another trusted forest

In most cases, when you add a user profile to a zone, the Active Directory user already exists in the local Active Directory forest. You can, however, add remote users to a zone without adding them to the local forest. If you have established a one- or two-way trust relationship with a remote or external Active Directory forest, you can add users from that remote forest to Centrify zones. You add remote user accounts to the zone in the same way you add profiles for local Active Directory users except that you must select the remote forest or domain before searching for the user account.

To add users from another trusted forest to a Centrify zone:

1 Open the Access Manager console.

2 In the console tree, click Zones and select the zone name to which you want to add the Active Directory user. If necessary, expand Child Zones until you see the zone of interest.

3 Expand UNIX Data, then select Users, right-click and click Add User to Zone.

4 In the Find Users dialog box, click Browse, then select the remote trusted forest or a specific domain in the trusted forest, then click OK. For example, if there is a one- or two-way forest trust between the local wonder.land forest and the remote w2k3r2.dev forest, you can select the remote forest, then click OK to add users from the w2k3r2.dev forest to a current zone in the local forest:

5 Type a search string to locate the user in the selected forest or domain, then click Find Now.
