Centrify Suite 2012 Express

Administrator’s Guide

November 2011


Legal notice

This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2011 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.

Centrify Suite is protected by U.S. Patents 8,024,360 and 7,591,005.


Contents

About this guide
• Intended audience
• Using this guide
• Conventions used in this guide
• Where to go for more information
• Contacting Centrify

Chapter 1 Introduction
• Understanding Centrify Express
• Understanding user access after you deploy
• Understanding Zones and Auto Zone
• Understanding how Centrify Suite generates profile attributes

Chapter 2 Installing Centrify Suite Express
• Selecting a deployment option
• Installing and using DirectManage Express
• Other options for deploying Centrify Suite packages
• Verifying the installation
• Troubleshooting adcheck errors
• Joining an Active Directory domain after installation
• Upgrading Centrify Suite Express to include licensed features
• Removing Centrify DirectControl

Chapter 3 Using DirectControl Express
• Logging on to your computer
• Getting information about the Active Directory configuration
• Applying password policies and changing passwords
• Working in disconnected mode
• Mapping local accounts to Active Directory
• Setting a local override account
• Using Samba
• Setting Auto Zone configuration parameters

Chapter 4 Troubleshooting Centrify Suite Express
• Addressing log on failures
• Understanding diagnostic tools and log files
• Configuring logging for Centrify Suite
• Collecting diagnostic information
• Resolving Domain Name Service (DNS) problems

Chapter 5 Using command-line programs
• Understanding when to use command-line programs
• Command-line programs available in Centrify Suite Express
• Displaying usage information and man pages

Chapter 6 Customizing Centrify Suite operations using configuration parameters
• Auto Zone configuration parameters
• PAM-related configuration parameters
• DNS-related configuration parameters


About this guide

Centrify Suite 2012 is an integrated suite of products that provide identity and access control for cross-platform data centers using Active Directory. With support for a wide range of operating systems, hypervisors, and applications, Centrify Suite enables organizations to reduce IT expense, improve end-user productivity, strengthen security, and enhance regulatory compliance.

This guide describes the Centrify Express family of products. Centrify Express products provide simplified cross-platform integration with Active Directory, with minimal to no configuration, and are available for free from the Centrify web site.

With Centrify Express, you can easily add computers to Active Directory, authenticate user credentials, and support local and remote cross-platform single sign-on at no cost.

Intended audience

This Centrify Suite Express Administrator’s Guide describes how to install, configure, and use the components in the Centrify Express suite of products. This guide is intended for system and network administrators who are responsible for managing user access to servers, workstations, and network resources.

This guide assumes you have a working knowledge of Microsoft Active Directory and how to perform common administrative tasks on the platforms you support. This guide also assumes basic, but not expert, knowledge of how to perform common tasks. If you are an experienced administrator, you may be able to simplify or automate some tasks described in this guide using platform-specific scripts or other tools.

Using this guide

Depending on your environment and role as an administrator or user, you may want to read portions of this guide selectively. The guide provides the following information:

• Chapter 1, “Introduction,” provides an overview of Centrify Suite Express products, how Express products compare with other product offerings, and how UNIX user and group profiles are automatically generated for Active Directory users and groups.
• Chapter 2, “Installing Centrify Suite Express,” describes the options available for installing Centrify Suite Express on computers to be managed.
• Chapter 3, “Using DirectControl Express,” explains how to take advantage of Active
• Chapter 4, “Troubleshooting Centrify Suite Express,” describes basic troubleshooting steps and how to use diagnostic tools and log files to retrieve information about the operation of Centrify Suite Express.
• Chapter 5, “Using command-line programs,” provides reference information for the command-line programs available for Centrify Suite Express.
• Chapter 6, “Customizing Centrify Suite operations using configuration parameters,” provides a quick reference for the configuration parameters that you can set to control Centrify Suite Express operations.

In addition to these chapters, an index is provided for your reference.

Conventions used in this guide

The following conventions are used in this guide:

• Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.
• Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.
• Italics are used for book titles and to emphasize specific words or terms.
• For simplicity, UNIX is used generally in this guide to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted.
• The variable release is used in place of a specific release number in the file names for individual Centrify DirectControl software packages. For example, the file name centrifydc-release-sol8-sparc-local.tgz can be used to refer to a software package that includes a version number such as centrifydc-5.0.1-sol8-sparc-local.tgz.

Where to go for more information

The documentation for Centrify Express products includes several sources of information. Depending on your interests, you may want to explore some or all of these sources further:

• Release Notes included on the distribution media or in the download package provide the most up-to-date information about the current release, including system requirements and supported platforms, and any additional information, specific to this release, that may not be included in other documentation.
• Quick Start for Express provides a brief summary of the steps for installing Centrify
• Individual UNIX man pages provide command reference information for the Centrify DirectControl UNIX command-line programs.

In addition, you may want to consult documentation for the specific version of Windows, Linux, UNIX, or Mac OS X you are using, or the documentation for Microsoft Active Directory. This information can help you get the most out of Centrify DirectControl.

Contacting Centrify

If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify Corporation with questions or suggestions, visit our Web site at

www.centrify.com. From the Web site, you can get the latest news and information about Centrify Corporation products, support, services, and upcoming events. For information about purchasing or evaluating Centrify Corporation products, send email to


Chapter 1

Introduction

This chapter provides an introduction to Centrify Suite Express Edition, including a brief overview of how Centrify Suite can help you leverage your investment in Active Directory. The following topics are covered:

• Understanding Centrify Express
• Understanding user access after you deploy
• Understanding Zones and Auto Zone
• Understanding how Centrify Suite generates profile attributes

Understanding Centrify Express

Centrify Suite is an integrated suite of products and features that are bundled in several different editions to address different customer requirements. The most basic set of functionality is Centrify Suite Express Edition.

The Centrify Express family of products enables simplified cross-platform integration with Active Directory. The main components of Centrify Suite Express Edition are:

• Centrify DirectManage Express
• Centrify DirectControl Express agents

DirectManage Express provides a centralized console for deploying and managing DirectControl agents from a Windows 32-bit or 64-bit computer. It is optional but provides a convenient way to deploy and manage DirectControl Express agents. DirectControl Express agents are platform-specific software packages that enable non-Windows computers to join the Active Directory domain. After you download and install a DirectControl Express agent and specify an Active Directory domain for the agent to join, the agent manages the authentication of Active Directory users with no further configuration required. Additional Centrify Express offerings provide optimized, Kerberos-enabled OpenSSH, Samba, and PuTTY connections.

Centrify Express enables you to quickly deploy Active Directory authentication and authorizations services on non-Windows computers with minimal configuration. Taken together, Centrify Express products provide a solid foundation of functionality that is suitable on its own for many organizations. If your organization outgrows the basic functionality of Express, you can upgrade to another edition of Centrify Suite to take advantage of additional features. For example, features not available in Centrify Express include:

• Group policies that enable you to manage configuration settings for non-Windows
• Zones that enable you to manage user identity information, group membership, computer-based access control, and delegated administration.
• Centrify DirectAuthorize rights and role definitions that enable you to specify and enforce role-based entitlements for privileged commands and other operations.
• Centrify DirectAudit that enables auditing, logging and real-time monitoring of user activity.
• Centrify DirectSecure that enables dynamic isolation and end-to-end encryption of data in motion.

These more advanced features and products are available in other editions of Centrify Suite, such as Centrify Suite Standard Edition, Centrify Suite Enterprise Edition, and Centrify Suite Platinum Edition.

About DirectControl Express agents

The core component of Centrify Suite Express Edition is the DirectControl Express agent. DirectControl enables non-Windows servers and workstations to participate in an Active Directory domain and function as Active Directory clients. The agent is installed on each computer that you want to make part of the Active Directory domain. After you specify the Active Directory domain to join, the agent manages the connection to Active Directory domain controllers and provides authentication and authorization services to the users and groups who access the computer.

With DirectControl Express, you can:

• Add computers to Active Directory using a predefined Auto Zone and workstation mode that requires no configuration.
• Authenticate all valid Active Directory users without importing or mapping any accounts.
• Use Centrify-compiled versions of OpenSSH, Kerberos libraries, and Samba to connect to additional network resources.

Should you use DirectControl Express?

The primary reason to use DirectControl Express is that it enables Active Directory authentication without requiring any configuration or account management. For example, DirectControl Express automatically creates consistent UIDs across the domain for users with access to the computers it manages. In addition, DirectControl Express eliminates the need to create zones and configure zone properties.


Working with a single zone

DirectControl Express is designed for organizations that don’t require zones to help them manage user profiles, role assignments, or administrative activities. With DirectControl Express, there is only one zone, the Auto Zone for all users, groups, and computers. The Auto Zone requires no configuration or management.

Because DirectControl Express only supports a single predefined zone, however, it is most suitable for organizations:

• that want to add computers to a domain quickly without configuring any zones.
• that do not need to maintain or manage existing UIDs and GIDs.
• that have a limited number of users and domains.
• that have a relatively flat organizational structure.

If your organization grows in size and complexity, you may find that the limited functionality of DirectControl Express no longer meets your needs. You can upgrade Centrify Suite Express Edition to add the features of another edition at any time. For more information about the features of each edition of Centrify Suite, see “Understanding Zones and Auto Zone” on page 14.

What the DirectControl Express agent does

The DirectControl Express agent makes a computer look and behave like a Windows client computer to Active Directory. The agent performs the following key tasks:

• Joins the computer to an Active Directory domain.
• Communicates with Active Directory to authenticate users when they log on.
• Caches user credentials for offline access.
• Enforces Active Directory authentication and password policies.
• Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.

Agents are platform-specific, but provide an integrated suite of services that enable existing programs and applications to use Active Directory. For example, the core agent service is the adclient process. The adclient process handles all of the direct communication with Active Directory and coordinates with other services to process requests for authentication, authorization, directory assistance, or policy updates.

In addition to the core agent services, DirectControl Express also includes Centrify-compiled versions of standard Kerberos utilities, OpenSSH, and Samba, which are optimized to work with Active Directory.

About DirectManage Express

DirectManage Express is a Windows-based console that enables you to discover and analyze computers on your network; download, deploy, and update software packages; and manage UNIX users, groups, and other information on the computers discovered.

Like DirectControl Express agents, you can download DirectManage Express from the Centrify web site, then use the Windows computer where you install it to remotely identify the computers that you want to manage using DirectControl agents.

Once installed, you can use the DirectManage Express Deployment Manager to:

• Check whether remote computers meet the system requirements for installation or have an older version of Centrify Suite software installed.
• Analyze the users and groups defined on discovered computers.
• Fix problems that prevent you from deploying Centrify software or joining the Active Directory domain.
• Add, modify, and delete local UNIX and Linux users and groups.
• Download the latest versions of Centrify Suite packages directly from the Centrify Download Center.
• Deploy operating system-specific Centrify Suite packages and join Active Directory domains.

Should you use Deployment Manager?

Using the DirectManage Express Deployment Manager is optional. You can deploy DirectControl Express agents directly on local computers or using a software delivery program or another file distribution method on remote computers. However, Deployment Manager allows you to perform virtually any administrative task on remote computers from a single Windows console as long as you have account credentials that allow you to log on and perform those administrative tasks on the remote computer. Deployment Manager also enables you to download the latest Centrify Suite packages, install selected Centrify Suite components, periodically check for updated software, and join or leave an Active Directory domain from a single console.

In general, Centrify recommends that you use Deployment Manager if you have a Windows computer with reliable network connectivity between the Windows computer and the computers you want to manage. If you don’t have access to a Windows computer where you can install Deployment Manager or have restricted network connectivity, you can use one of the other options for deploying DirectControl Express agents. For more


About the Deployment Manager repository

The Deployment Manager includes a Microsoft SQL Server Compact Edition database that stores computer and account information. The minimum disk space required depends on the number of computers and accounts discovered. Because the database stores the account credentials for users and service accounts, including the root password for each computer, in its repository, passwords are encrypted with the access token of the Active Directory user who installs Deployment Manager. Therefore, for security purposes:

• You should not install Deployment Manager on a laptop.
• You should not use a shared account for managing access to Deployment Manager.
• You should use a strong password and password enforcement policies for the account used to install Deployment Manager.

Network connectivity requirements

Deployment Manager requires network connectivity between the Windows computer where it is installed and the UNIX computers where you want to deploy the agent. It also requires the ability to make outbound ssh or telnet connections from the Windows computer to the managed UNIX computers. If possible, you should also install Deployment Manager on a computer that allows outbound connections to the Internet. If the computer has Internet access, you can connect directly to the Centrify Download Center to download software for the platforms you support.

If you install Deployment Manager on a computer that does not allow outbound Internet connections, you should identify another computer for connecting to the Centrify

Download Center and a network share for transferring the files between the computer that has Internet access and the computer where Deployment Manager is installed.

Comparing Centrify Suite Express Edition to other editions


advantage of additional features or products. The descriptions below provide a brief summary of what is included in each edition.

Product offering: Centrify Suite Express Edition
Free software that provides basic integration with Active Directory. The main features are:
• DirectControl Express to join computers to the domain and to automatically generate user profiles.
• DirectManage Express Deployment Manager to discover and manage remote computers on the network and deploy software.
• Centrify-compiled versions of OpenSSH, Samba, and standard Kerberos utilities to enable those programs to use Active Directory credentials.

Product offering: Centrify Suite Standard Edition
Commercial offering that provides the full complement of DirectControl features and functionality. The main features are:
• Zones to ease the migration of existing users and groups into Active Directory, manage access to computers, and allow delegated management.
• Policy-based enforcement of computer and user configuration settings.
• Support for NIS map integration and migration.
• Standard out-of-the-box reports and a report creation wizard.
• Deployment Manager to centrally discover computers, check remote computers for potential issues, deploy new or updated software, run scripts, and manage user and group accounts.
• Rights and role-based entitlements for user accounts and privileged commands.
• Centrify-compiled versions of OpenSSH, Samba, and standard Kerberos utilities to enable those programs to use Active Directory credentials.
• Advanced command line programs and configuration parameters for tuning operations.
• For Mac OS X users, the ability to use PIV or CAC smart cards for authentication and single sign-on.

Product offering: Centrify Suite Enterprise Edition
Commercial offering that provides the full complement of features and functionality included in Centrify Suite Standard Edition plus:
• DirectAudit for real-time auditing of user sessions and record and playback features for analyzing and troubleshooting user activity.
• Centrify Suite Network Information Service (adnisd) to enable the servicing of NIS client requests using the information stored in Active Directory and replace legacy NIS servers.

Product offering: Centrify Suite Platinum Edition
Commercial offering that provides the full complement of features and functionality included in Centrify Suite Enterprise Edition plus:
• DirectSecure to secure sensitive information by dynamically isolating cross-platform systems and encrypting data in motion.

Product offering: Centrify Suite Application Edition
Commercial offering that provides the full complement of features and functionality included in Centrify Suite Enterprise Edition plus:
• Authentication and authorization services for Apache and J2EE application servers Tomcat, JBoss, WebSphere, and WebLogic.


Understanding user access after you deploy

When you install Centrify Suite Express on a computer and join an Active Directory domain, all of the users and groups in the Active Directory forest automatically become valid users and groups for the joined computer. In addition, all Active Directory users defined in any forest with a two-way trust relationship with the forest of the joined domain, are valid users for the joined computer.

By default, all valid users can perform the following tasks:

• Log on interactively to the shell or a desktop program and use standard programs such as telnet, ssh, and ftp.
• Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
• Manage their Active Directory passwords directly from the command line, provided they can connect to Active Directory.

You can explicitly configure any computer to deny or allow specific users or groups. For information about using configuration parameters to control access, see pam.deny.users | pam.allow.users and pam.deny.groups | pam.allow.groups.

Understanding Zones and Auto Zone

One of the most important aspects of DirectControl is the ability to organize computers and users’ access to those computers using zones. Zones are similar to Active Directory organizational units or NIS domains. They allow you to organize computers, user profiles, and role assignments to manage access to network resources.

With Centrify Suite Express Edition, however, you cannot create zones or manage zone properties. Instead, Centrify Suite Express uses a single zone, configured automatically, called Auto Zone. When you use Centrify Suite Express, computers always connect to the domain through Auto Zone. Only one Auto Zone is defined for the entire Active Directory forest.

With Centrify Suite Express and Auto Zone, user profile attributes, such as the UID, default shell, and home directory are automatically derived from user attributes in Active Directory or from DirectControl configuration parameters. Local account information is not used or migrated into Active Directory.


Note If a computer joins a domain through Auto Zone, and the domain has a one-way trust relationship with another domain, users and groups in the trusted domain do not become valid users and groups on the computer.

You can selectively control access to computers that are joined to Auto Zone by setting configuration parameters, such as pam.deny.users and pam.deny.groups, in the centrifydc.conf configuration file. For more information about setting these configuration parameters, see “Auto Zone configuration parameters” on page 48.

Understanding how Centrify Suite generates profile attributes

In Centrify Suite Express, when an Active Directory user logs on to a UNIX computer for the first time, DirectControl automatically creates a 31-bit UID for the user and a 31-bit GID for any groups to which the user belongs. To create these GIDs and UIDs, DirectControl creates a prefix from the last 9 bits of the user or group Security Identifier and combines it with the lower 22 bits of the user or group RID (relative identifier). Although DirectControl Express caches these UIDs and GIDs, they are not stored in Active Directory. You cannot edit or change them in any way with Active Directory Users and Computers (ADUC). If the cache expires, DirectControl uses the same algorithm to create the same UID and GID the next time the user logs on so you are guaranteed consistent ownership for files and resources. In addition, users who log on to more than one computer will have the same DirectControl-generated UID on each computer.
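The following is an added example, not Centrify’s own code, that reproduces the ID scheme described above in Python so you can see why the generated UIDs are stable and what the bit budget implies. It takes 9 bits from the SID and the low 22 bits of the RID, exactly as the guide states; because the guide does not say which 9 bits of the SID form the prefix, the example assumes the low 9 bits of the last domain sub-authority (that choice, the `parse_sid`/`derive_unix_id`/`collides` helper names, and all sample SIDs are constructed for illustration). Running it shows that the same SID always yields the same ID, and also the caveat a practitioner should keep in mind: since bits are discarded, two different SIDs (for example from two domains in the same forest, or with RIDs that differ by 2^22) can map to the same UNIX ID, so file ownership across a large forest should be checked rather than assumed.

```python
"""Deriving a 31-bit UNIX UID/GID from a Windows SID, following the scheme
the guide describes (9-bit prefix from the SID + low 22 bits of the RID).

Added example, not Centrify's implementation. ASSUMPTION: the 9-bit prefix
is taken from the low 9 bits of the last domain sub-authority of the SID;
the guide does not specify which SID bits are used.
"""
from typing import List, Tuple

PREFIX_BITS = 9                      # from the guide: a 9-bit prefix from the SID
RID_BITS = 22                        # from the guide: lower 22 bits of the RID
PREFIX_MASK = (1 << PREFIX_BITS) - 1
RID_MASK = (1 << RID_BITS) - 1


def parse_sid(sid: str) -> Tuple[List[int], int]:
    """Split an SID string such as 'S-1-5-21-a-b-c-RID' into
    (domain sub-authorities, RID). Raises ValueError on malformed input."""
    parts = sid.strip().split("-")
    if len(parts) < 5 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a well-formed SID: {sid!r}")
    try:
        numbers = [int(p) for p in parts[2:]]
    except ValueError as exc:
        raise ValueError(f"non-numeric component in SID: {sid!r}") from exc
    # numbers[0] is the identifier authority (5 for NT); the remaining values
    # are sub-authorities, the last of which is the RID of the user or group.
    return numbers[1:-1], numbers[-1]


def derive_unix_id(sid: str) -> int:
    """Return the deterministic 31-bit UID/GID for a user or group SID."""
    subauths, rid = parse_sid(sid)
    if not subauths:
        raise ValueError(f"SID has no domain sub-authority: {sid!r}")
    prefix = subauths[-1] & PREFIX_MASK   # assumption: low 9 bits of last sub-authority
    low_rid = rid & RID_MASK              # lower 22 bits of the RID, per the guide
    unix_id = (prefix << RID_BITS) | low_rid
    assert unix_id < (1 << 31)            # 9 + 22 bits always fits a signed 32-bit uid_t
    return unix_id


def collides(sid_a: str, sid_b: str) -> bool:
    """True when two *different* SIDs map to the same UNIX ID. The mapping
    discards bits, so this happens when the RIDs differ by a multiple of 2**22
    or when two domains' chosen sub-authorities agree in their low 9 bits."""
    return sid_a != sid_b and derive_unix_id(sid_a) == derive_unix_id(sid_b)


if __name__ == "__main__":
    # Constructed sample SIDs; the domain parts are fictitious.
    user = "S-1-5-21-1000-2000-3000-1105"
    other_domain = "S-1-5-21-1000-2000-3512-1105"    # 3512 & 0x1FF == 3000 & 0x1FF
    high_rid = "S-1-5-21-1000-2000-3000-4195409"     # 4195409 == 2**22 + 1105
    print("uid:", derive_unix_id(user))
    print("same SID twice gives same uid:", derive_unix_id(user) == derive_unix_id(user))
    print("collides with other domain:", collides(user, other_domain))
    print("collides with high RID:", collides(user, high_rid))
```

On a joined host the value to compare against is what `id username` reports for the Active Directory user; the example is useful mainly for reasoning about the scheme, for instance when auditing whether two forests that trust each other could hand the same UID to different principals.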

Note In other editions of Centrify Suite, DirectControl stores UIDs and GIDs in Active Directory. In those other editions, you can migrate and manipulate UID and GID properties. You can also map multiple UIDs to a single Active Directory account to allow different UID settings on different computers for the same user account. This is not possible when using Auto Zone and Centrify Suite Express.

In addition to the UID and GID, DirectControl creates a home directory for the user with all the associated profile and configuration files. The location for the home directory is:

• Linux: /home/username
• Mac OS X: /Users/username


Chapter 2

Installing Centrify Suite Express

This chapter provides step-by-step instructions for installing the Centrify Suite Express agent on a computer and joining the computer to the Active Directory domain.

The following topics are covered:

• Selecting a deployment option
• Installing and using DirectManage Express
• Other options for deploying Centrify Suite packages
• Verifying the installation
• Upgrading Centrify Suite Express to include licensed features
• Removing Centrify DirectControl

Selecting a deployment option

The Centrify DirectControl Agent must be installed on each computer you want to manage using Centrify Suite Express and Active Directory. After the agent files are installed or during the installation process, you must also specify an Active Directory domain for the agent to join. Depending on your environment and preferences, you can:

• Use DirectManage Express to centrally manage the complete deployment process from a single console running on a Windows computer (Recommended).
• Install and manage agent packages independently by running an installation script, package management program, or software distribution tool locally or remotely on individual computers.

In most cases, Centrify recommends you download DirectManage Express and use its Deployment Manager to simplify the deployment of the agent on remote computers. If you don’t have access to a Windows computer where you can install Deployment Manager or have restricted network connectivity that does not allow communication between Windows and UNIX computers, use one of the other options for deploying Centrify Suite packages. For more information, see “Other options for deploying Centrify Suite packages” on page 23.

Installing and using DirectManage Express


discovered on the network. After you install, Deployment Manager provides an intuitive four-step process for:

• Discovering non-Windows computers on your network.
• Retrieving the appropriate Centrify Suite packages to install.
• Checking for issues that might prevent a successful deployment.
• Installing DirectControl agents and joining an Active Directory domain.

Check the minimum system requirements

Before you install, you should check that you have a computer that meets the minimum system requirements and all of the appropriate information to ensure a successful deployment.

Computer requirements

Typically, you install DirectManage Express on a single Windows computer with a 32-bit or 64-bit operating system that is Windows XP or higher:

• Windows XP (SP2 and higher)

• Windows Vista

• Windows 7

• Windows Server 2003 or 2008

The Deployment Manager includes a Microsoft SQL Server Compact Edition database that stores computers and account information. The minimum disk space required depends on the number of computers and accounts discovered. In general, Centrify recommends the following minimum hardware configuration:

• 2 GB RAM

• 1 GB free disk space

• 2 GHz processor

Network connectivity requirements


Account credential requirements

To install software on remote computers and join Active Directory domains, you must have access to an account with appropriate permissions:

• To run privileged commands, you should have access to the root account, the local Administrator account, or an account that has been granted escalated privileges using su or sudo and settings in a sudoers configuration file.

• To join a domain, you need an Active Directory account and password that has permission to add computers to the domain.

Depending on your organization, the Active Directory account may be required to be a member of the Domain Admins group. If you are not sure whether you have permission to add computers to the domain using your own Active Directory account, check with the Active Directory administrator for your site.

Download the software and run the setup program

If you have a computer that meets the requirements and the appropriate account information, you can download DirectManage Express to install Deployment Manager. To download DirectManage Express and install Deployment Manager:

1 Go to the Centrify web site and download DirectManage Express for Windows 32-bit or 64-bit operating system.

2 Register an account with Centrify, if you have not previously registered, then click Download Now.

3 Open the downloaded file to start the setup program. For example, double-click CentrifyDM-version-win32.exe or CentrifyDM-version-win64.exe to start the setup program.

4 Follow the prompts displayed to accept the license agreement, select a location for program files, and launch Deployment Manager.

The Deployment Manager Welcome page displays the steps to follow to complete a successful deployment of Centrify Suite software:

• Step 1 Building a computer list

You specify how to find computers, for example, by specifying a subnet or IP-address range, and Deployment Manager gathers information, such as the host name and operating system, about the computers it finds.

• Step 2 Downloading Centrify Suite software


• Step 3 Analyzing your environment

You select the computers discovered, and Deployment Manager analyzes the computers to determine whether they are ready for deployment or have potential issues.

• Step 4 Deploying Centrify Suite software

You select the computers that are ready to have the software installed or upgraded and deploy Centrify Suite to those computers. Optionally, you can join an Active Directory domain during deployment or perform this step later after the files are installed on target computers.

After you complete a step, Deployment Manager displays the results on the Welcome page and adds an appropriate node to the console tree in the left pane. For example, after you add computers, Deployment Manager includes a Computers node.

Step 1 Building a computer list

The first step in the deployment process is to identify the computers on which to deploy Centrify Suite software. You identify the target set of computers by specifying criteria, such as a subnet address or a file name location, in the Add Computers wizard. The Add Computers wizard checks for computers matching the criteria you specify and returns the discovered computers in a list. You can then choose which computers to keep.

To build a list of computers from a network:

1 In Deployment Manager, select the Centrify Deployment Manager node.

2 Click Add Computers.

3 Select the method for discovering the computers to add, then click Next.

• Discover computers from the network

• Discover computers from a cloud service

• Import a computer list from a text file

• Add a single computer

4 Follow the prompts displayed to specify a subnet address and mask, the cloud service provider, the location of the text file to import, or the individual computer name or IP address, then click Next.

5 Check the list of computers displayed, and decide whether any found computers should be removed or inaccessible computers should be added to the repository, then click Next.

6 Type account information that will enable you to log on to each computer, then click Next.


8 Click Finish to exit the wizard and retrieve information for the specified computers. Completing this step adds the Computers and History, and potentially, Open Issues nodes to Deployment Manager’s console tree.

Step 2 Downloading Centrify Suite software

Deployment Manager enables you to download the Centrify Analysis Tools and Centrify Suite agent software directly from the Centrify Download Center. Connecting to the Centrify Download Center directly guarantees that you are getting the latest packages for the computer platforms you manage. However, if you are working within an isolated network, you can copy the packages to a network location beforehand, then download them to Deployment Manager from that location.

To download Centrify Suite software:

1 In Deployment Manager, select the Centrify Deployment Manager node.

2 Click Download Software.

3 Select Download from the Centrify Download Center and specify the email address and password that you used to register for a Centrify account, then click Next.

4 Select Analysis Tools and Centrify Suite for the platforms you support, then click Next.

By default, only the latest packages for the platforms that have been previously discovered are displayed. You can turn these filters off to select additional packages.

5 Confirm the list of packages to be downloaded, then click Finish to begin downloading the packages.

Completing this step adds the Software node and updates the History node in Deployment Manager’s console tree.

Step 3 Analyzing your environment

You can use Deployment Manager to analyze computers before you install, using the Centrify Suite Analysis Tools. The Analysis Tools check that each computer where you plan to install has a supported version of the operating system and meets other requirements such as disk space, DNS resolution, and required libraries.

To analyze the computers in your environment:

1 In Deployment Manager, select the Centrify Deployment Manager node.

2 Select the computers that are in the Identified but Not Analyzed category, then click Analyze.


This is the domain you intend to join for the selected computers. Optionally, you can also change the number of domain controllers to check. The default limit is 10.

4 Click OK to begin analysis.

Deployment Manager displays the results of the analysis by listing computers in different categories. For example, computers that do not have Centrify Suite installed are listed under the Computers with No Centrify Software category as Ready to Install, Ready to Install with Warnings, or Not Ready to Install.

5 Restart computers that are reported as Not Ready to Install or Not Ready to Update to ensure that the operating system boots properly before making any changes to those systems.

Review and resolve open issues

There are many common problems that the Analysis Tools can report that will require you to make changes before installing Centrify Suite software. For example, if the analysis finds there’s not enough disk space available on a particular computer, it reports this information as an open issue for that computer. You can then view the details about that open issue to see more detailed information about how much more disk space is required. The options available for resolving open issues from Deployment Manager depend on the type of issue reported. To resolve the errors and warnings that were found:

1 Expand one of the categories with errors or warnings. For example, click the expansion arrow for computers listed as Ready to Install with Warnings.

2 Click on the warning or error message link to display details about the issue found for the selected computer.

3 Right-click an open issue to select an option for resolving the issue or to open a connection on the remote computer.

For example, if the user name or password provided for a computer is not valid or has not been specified, you can right-click that open issue, and select the Set user name and password option to update the user name and password. If a computer displays the Check clock synchronization issue, the right-click menu allows you to select Synchronize Clock to correct the issue.

Re-analyzing target computers after resolving open issues

You should always re-run the analysis of your environment after resolving issues to verify your changes fixed the problem and that no new issues have been introduced. You can re-run the Analyze command for all or selected computers in selected categories at any time. You can also select individual computers, right-click, then select Analyze


Step 4 Deploying Centrify Suite software

After you have analyzed computers and resolved any open issues, such as installing patches or rebooting computers that were unreachable, you should see computers listed as Ready to Install.

Deployment Manager determines the correct version of the Centrify Suite to install on each computer and records details about the installation and other activities under the History node.

To deploy Centrify Suite on the computers that are ready:

1 In Deployment Manager, select the Centrify Deployment Manager node.

2 Select one or more computers that are in the Ready to Install or Ready to Update category, then click Deploy.

You can click the check box for a category to select all computers in that category, or expand a category to select computers individually.

3 Select Centrify Suite Express Edition, then click Next.

4 Confirm the Centrify Suite edition you have selected and the version available in the Deployment Manager repository, then click Next.

5 Select the components to install, then click Next.

Depending on the Centrify Suite you have selected, some or all components are selected by default. You can deselect any component you do not want to install. If you deselect a component on which other components depend, DirectControl deselects the dependent components.

6 Select Add the computers into Active Directory after install if you want to join the domain automatically after installing the software on selected computers, then click Next.

For Centrify DirectControl Express, you should leave the Add the computers into Active Directory after install option selected because you are not migrating existing user and group accounts with existing profiles.

7 Use the current Active Directory login credentials or specify a different user name and password, then click Next.

8 Check that Auto Zone is selected, then click Next.

For Centrify DirectControl Express, you can typically use the default join options. However, you can change the following options, if needed, then click Next:

Select the Computer name and Computer alias options if you have disjointed


Click Container, then click Change to navigate to and select an organizational unit for the computer account, then click OK to continue selecting join options.

Click Domain controller, then type the fully-qualified domain name for a specific domain controller to ensure that the UNIX computer connects to the domain controller you designate even if Deployment Manager connects to a different domain controller.

Select Trusted for delegation if you want users to be able to forward their Kerberos ticket-granting ticket to other UNIX computers as they move around the network. This is a useful option if users typically use SSH to a gateway UNIX computer, then use SSH to access other UNIX computers from that computer.

9 Specify whether to use the current credentials or another administrative account after joining the domain, then click Next. If group policies lock down the use of the root account, you should specify an alternate account with appropriate permissions to perform administrative functions after the computer has joined Active Directory. If you are not keeping the current credentials, type the user name and password for an Active Directory account. You can also select whether to use the su command or sudo and the sudoers file to run privileged commands that require root permissions. If you select the su command, you must type the password for the local root user on the computer joining the domain.

10 Review your selections, then click Finish to install Centrify Suite on the selected computers and join the domain.

When the deployment of software packages is complete, the Welcome page displays a check mark for each computer on which software was successfully deployed.

Other options for deploying Centrify Suite packages

Using Deployment Manager is optional. If you can’t or don’t want to use Deployment Manager to manage information on your UNIX, Linux, and Mac OS X computers, you can download individual Centrify agent packages for the platforms you support and install the software in one of the following ways:

• Run the Centrify Suite installation script (install.sh) locally on any computer and respond to the prompts displayed.

• Create a configuration file and run the installation script remotely on any computer in silent mode.

• Use the install or update operations in the native package installer for your operating environment.


use the installation script (install-express.sh on any platform or centrifydc-version-mac10.n.dmg on Mac OS X computers).

Install interactively on a computer

You must install a platform-specific agent on each computer you want to manage through Active Directory.

The Centrify Suite installation script automatically checks the operating system, disk space, DNS resolution, network connectivity, and other requirements on a target computer before installing. You can run this script interactively on any supported UNIX, Linux, or Mac OS X computer and respond to the prompts displayed.

To install Centrify Suite packages on a computer interactively:

1 Go to the Centrify web site and download Centrify DirectControl Express Agent Installer for the platforms you want to support.

2 Select the file you downloaded and unzip and extract the contents using the appropriate operating system commands. For example:

gunzip -d centrify-suite-2011-platform-arch.tgz

tar -xf centrify-suite-2011-platform-arch.tar

3 Run the install-express.sh script to start the installation of the Centrify Suite on the local computer. For example:

./install-express.sh

4 Follow the prompts displayed to check the computer for potential issues, install the Centrify Suite Express Edition, and join a domain automatically at the conclusion of the installation.

If the adcheck program finds potential issues, you may see warning or error messages. Depending on the issue reported, you may have to make changes to the computer before continuing or after installation.

For most prompts, you can accept the default by pressing Enter. When prompted for the Active Directory domain, type the fully qualified name of the Active Directory domain to join.

You must also type the user name and password for an Active Directory user with permission to add computers to the domain.

5 After you have responded to all of the prompts displayed, review your selections, then enter Y to continue with the installation and reboot the computer.

To install interactively on a Mac OS X computer:

1 Close the Apple Directory Access utility.


3 Double-click ADCheck to open the ADCheck utility to check the operating system, network connections, and other system requirements.

4 Enter the domain you intend to join with the Mac OS X computer and click AD Check.

5 Review the results of the checks performed. If the target computer, DNS environment, and Active Directory configuration pass all checks with no warnings or errors, you should be able to perform a successful installation and join.

6 Double-click CentrifyDC.pkg to open the Centrify Express Installer.

7 Follow the prompts displayed to review and agree to the terms of the license agreement and select a volume for installing the agent, then click Install to begin the installation.

8 If prompted, enter the administrator name and password.

9 Type the domain name, then click Join Domain.

Note You can click Show Advanced Options if you want to specify additional options when joining a domain.

10 Click Join Domain and enter the Active Directory user (defaults to Administrator) and password for the domain when prompted. The ADjoin dialog is configured to join in Express Mode.

11 Click Close to close the installer.

12 (Optionally) Reboot the computer to stop and restart all services.

Using other programs to install

If you want to manually install a software package using a native installation program instead of the installation script, you can follow the instructions in the release-notes text file for the package or use another native installation mechanism appropriate for the local operating environment. For example, if your operating environment supports another mechanism for installing and managing software packages, such as Red Hat Package Manager (rpm), SMIT or YAST programs, you can use those programs to install Centrify Express Agent packages.

Note Centrify highly recommends that you use the installation script to install Centrify Suite Express because the installation automatically joins the computer to a domain, sets the agent to Express Mode, and runs operating system, network, and Active Directory tests to verify your environment.

To install Centrify DirectControl using a native installation program:

1 Log on as or switch to the root user.

2 If the software package is a compressed file, unzip and extract the contents. For example, on Red Hat Linux:


3 Run the appropriate command for installing the package based on the local computer’s operating system or package manager you want to use. For example, on Red Hat Linux:

rpm -Uvh centrifydc-release-rhel3-i386.rpm

4 Disable licensed features by running the adlicense --express command:

adlicense --express

Note You must run the adlicense command to change to Express Mode.

5 Join the domain by running the adjoin --workstation command, which connects you to Auto Zone:

adjoin --workstation domainName

Note If you do not specify the --workstation option, the join will fail because adjoin will attempt to connect you to a specific zone rather than Auto Zone.

Verifying the installation

When a computer is joined to Active Directory, all Active Directory users and groups defined for the forest, as well as any users defined in a two-way trusted forest are valid users or groups for the joined computer. Therefore, after running the agent and joining the computer to a domain, you can log on as any Active Directory user.

1 Log on using an Active Directory user account.

When a user logs in for the first time, the system creates a /home/userName directory.

2 Run the adinfo command to see information about the Active Directory configuration for the local computer. You should see output similar to the following:

Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled

Note that licensed features are disabled and that the zone is Auto Zone. Creating actual zones requires a licensed copy of Centrify DirectControl.
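As an added example (not part of this guide or the Centrify product), the following POSIX shell script checks adinfo output for the Express Mode state described above: connected, in Auto Zone, with licensed features disabled. The embedded sample is constructed from the listing above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Centrify's own code): confirm from adinfo output that
# a computer is joined in Express Mode, i.e. connected, in Auto Zone, with
# licensed features disabled.
# Usage:  adinfo | verify_express_join
#         verify_express_join < saved_adinfo_output.txt

# Constructed sample, modelled on the adinfo listing shown in this guide.
ADINFO_SAMPLE_EXPRESS='Local host name: QA1
Joined to domain: sales.acme.com
Joined as: QA1.sales.acme.com
Pre-win2K name: QA1
Current DC: acme-dc1.sales.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Disabled'

# Print the value of the first "Label: value" line on stdin whose label is $1.
adinfo_field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Read adinfo output on stdin. Returns 0 for a healthy Express join;
# otherwise reports each mismatch on stderr and returns 1.
verify_express_join() {
    out=$(cat)
    domain=$(printf '%s\n' "$out" | adinfo_field "Joined to domain")
    mode=$(printf '%s\n' "$out" | adinfo_field "CentrifyDC mode")
    zone=$(printf '%s\n' "$out" | adinfo_field "Zone")
    lic=$(printf '%s\n' "$out" | adinfo_field "Licensed Features")
    status=0

    # adinfo prints no "Joined to domain" line when the computer is not joined.
    if [ -z "$domain" ]; then
        echo "FAIL: computer is not joined to a domain (run adjoin --workstation)" >&2
        return 1
    fi
    if [ "$mode" != "connected" ]; then
        echo "FAIL: CentrifyDC mode is '$mode', expected 'connected'" >&2
        status=1
    fi
    if [ "$zone" != "Auto Zone" ]; then
        echo "FAIL: zone is '$zone'; Express joins must use Auto Zone" >&2
        status=1
    fi
    if [ "$lic" != "Disabled" ]; then
        echo "FAIL: licensed features are '$lic'; run adlicense --express" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $domain, Auto Zone, Express Mode"
    return "$status"
}
```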

Troubleshooting adcheck errors

You can run adcheck before, during, or after installation to verify that your system is configured properly for Centrify Suite. This utility performs three sets of checks that are controlled by the following options:


• -t net checks DNS to verify that the local system is configured correctly and that the DNS server is available and healthy.

• -t ad includes the -t net checks and verifies that the domain has a valid domain controller.

Correcting errors for the operating system check

The -t os option performs a series of checks that verify operating-system basics for the computer on which you are installing Centrify DirectControl. This option performs the following specific checks:

OSCHK : Verify that this is a supported OS Pass
PATCH : Linux patch check Pass
PERL : Verify perl is present and is a good version Pass
SAMBA : Inspecting samba installation
SPACECHK : Check if has enough disk space in /var /usr /tmp

The operating system checks are self-explanatory. If your computer fails one of these checks, you need to upgrade the computer with a new operating system version or patch, a new Perl or Samba version, or free up sufficient disk space.

Note If you get a warning about your Samba installation, you can install Centrify-enabled Samba as part of the DirectControl Express installation.

Correcting warnings and errors for the net check

The -t net option performs a series of checks that verify DNS is correctly configured on your local computer and that the DNS server is running properly. There is also a check to verify that you are running a supported version of OpenSSH.

Note A supported version of OpenSSH is automatically installed by the installation script. If you get a warning about your OpenSSH version before installation, you can ignore it.

This option performs the following specific checks:

NSHOSTS : Check hosts line in /etc/nsswitch.conf
DNSPROBE : Probe DNS server 192.168.43.130
DNSCHECK : Analyze basic health of DNS servers
WHATSSH : Is this an SSH that DirectControl works well with
SSH : SSHD version and configuration

Because Centrify DirectControl uses DNS to locate the domain controllers for the Active Directory forest, the appropriate DNS nameservers need to be specified in the local /etc/resolv.conf file on each UNIX computer before the computer can join the domain. If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.

Correcting errors for the ad check


clock and domain synchronization. The specific checks performed by this option are as follows:

Note The -t ad option runs the -t net checks as well as the -t ad checks.

DOMNAME : Check that the domain name is reasonable
ADDC : Find domain controllers in DNS
ADDNS : DNS lookup of DC centrify-mkdaze.mkline.local
ADPORT : Port scan of DC centrify-mkdaze.mkline.local
ADDNS : DNS lookup of DC centrify-mkdaze.mkline.local
GCPORT : Port scan of GC centrify-mkdaze.mkline.local
DCUP : Check DCs in mkline.local
SITEUP : Check DCs for mkline.local in our site
DNSSYM : Check DNS server symmetry
ADSITE : Check that this machine's subnet is in a site known by AD
GSITE : See if we think this is the correct site
TIME : Check clock synchronization
ADSYNC : Check domains all synchronized

If you receive errors or warnings from these checks, you need to correct them before joining a domain. Each warning or error message provides some help to resolve the problem.

Joining an Active Directory domain after installation

When you install the Centrify DirectControl Agent using the installation script, install-express.sh, you can automatically join that computer to an Active Directory domain. If you don’t join the domain when you run the installation script, or if you leave a domain and want to rejoin, you can manually join a domain by using the adjoin command. To manually join a domain when you are using Centrify Suite Express, you must use the adjoin --workstation option to connect to Auto Zone.

To join an Active Directory domain manually on a Linux or UNIX computer:

1 Log in as or switch to the root user.

2 Run adjoin to join an existing Active Directory domain. You should join the domain using a fully-qualified domain name. You must specify the --workstation option. For example, to join the sales.acme.com domain with the user account dylan:

adjoin --user dylan --workstation sales.acme.com

The user account you specify must have permission to add computers to the specified domain. In some organizations, this account must be a member of the Domain Admins group. In other organizations, the account simply needs to be a valid domain user account. If you don’t specify a user with the --user option, the Administrator account is used by default.

3 Type the password for the specified user account.
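As an added example that is not part of this guide, the following POSIX shell script gates the manual adjoin above on the result of adcheck -t ad, summarising the per-check lines described under "Troubleshooting adcheck errors". The line layout, the Pass/Warning/Failed status words, and passing the domain name to adcheck are assumptions; the sample outputs and function names are this example's own.

```shell
#!/bin/sh
# Added example (not Centrify's own code): run adcheck against the target
# domain and proceed to adjoin --workstation only when every check passes.
# Assumed adcheck output format (one check per line):
#   CODE     : description                         : Status
# with Status one of Pass, Warning or Failed.

# Constructed sample outputs for the stand-alone demonstration.
ADCHECK_SAMPLE_CLEAN='OSCHK    : Verify that this is a supported OS                  : Pass
DOMNAME  : Check that the domain name is reasonable              : Pass
TIME     : Check clock synchronization                           : Pass'

ADCHECK_SAMPLE_BAD='OSCHK    : Verify that this is a supported OS                  : Pass
SAMBA    : Inspecting samba installation                         : Warning
TIME     : Check clock synchronization                           : Failed'

# Read adcheck output on stdin; print "<Status> <CODE>" for every check
# whose status is not Pass. Lines that are not check results are ignored.
adcheck_problems() {
    awk -F' *: *' 'NF >= 3 {
        code = $1; status = $NF
        sub(/[ \t]+$/, "", status)
        if (status != "Pass") print status, code
    }'
}

# Read adcheck output on stdin. Returns 0 when all checks pass,
# 2 when there are only warnings, 1 when at least one check failed.
adcheck_verdict() {
    problems=$(adcheck_problems)
    if [ -z "$problems" ]; then
        return 0
    fi
    printf '%s\n' "$problems" >&2
    if printf '%s\n' "$problems" | grep -q '^Failed '; then
        return 1
    fi
    return 2
}

# Gate the manual join on the checks. The adjoin form follows this guide;
# giving the domain name to adcheck as its argument is an assumption.
express_join_if_ready() {
    domain=$1
    user=${2:-Administrator}
    adcheck -t ad "$domain" | adcheck_verdict
    case $? in
        0) adjoin --user "$user" --workstation "$domain" ;;
        2) echo "adcheck reported warnings for $domain; review them before joining" >&2
           return 2 ;;
        *) echo "adcheck failed for $domain; fix the reported checks first" >&2
           return 1 ;;
    esac
}
```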


forest, as well as any users defined in a two-way trusted forest are valid users or groups for the joined computer.

To join or leave a domain manually on Mac OS X computers:

1 Click Applications > Utilities > Centrify > Adjoin.

2 Double-click Adjoin to open it.

3 Type the name of the Active Directory domain you want to join and select Auto Zone. You can also type a different computer name if you want to use a different name for the local host in Active Directory. Check Overwrite existing joined Computer to overwrite the information stored in Active Directory for an existing computer account with the same name as the local computer. This is the same as running the adjoin command with the --force option.

If you want to use the default settings for joining the domain, you can continue to the next step. If you want to specify additional options, click Show advanced options to display the additional options:

4 Click Disable Licensed Features.

5 Click Join Domain.

6 Type the Active Directory user name and password for a user with permission to join the local computer to the Active Directory domain, then click OK.

7 Type the user name and password for the local Administrator account.

Restarting services after installing or joining the domain

You may need to restart some services on UNIX computers where you have installed the Centrify DirectControl Agent so that those services will reread the name switch configuration file. For example, if you typically log on to the UNIX computer through a graphical desktop manager such as gdm, you need to either restart the gdm service or reboot the workstation to force the service to read the updated configuration before Active Directory users can log on. The most common services that need to be restarted are sshd and gdm. If you are using these services, you should restart them. For example, to restart sshd:

/etc/init.d/sshd restart

As an alternative to restarting individual services, you may want to reboot the system to restart all services.

Note Because the applications and services on different servers may vary, Centrify


Upgrading Centrify Suite Express to include licensed features

To take full advantage of all Centrify Suite features, including the ability to create zones and apply group policies, you must upgrade from Centrify Suite Express to a licensed copy of Centrify Suite Standard Edition, Centrify Suite Enterprise Edition, or Centrify Suite Platinum Edition. Upgrading to a licensed version of the product is a three-stage process that involves:

• Installing and upgrading components on Windows.

• Licensing additional features on UNIX computers.

• Adding optional packages that are not included in Centrify Suite Express.

Upgrading on Windows

The licensed version of Centrify Suite on Windows includes several DirectManage components that are not part of Centrify Suite Express. In addition to Deployment Manager, which is available in the Express product family, other editions of Centrify Suite provide an Administrator Console, Group Policy Editor Extension, NIS Map Extension, and other optional components.

To install and upgrade licensed components on Windows:

1 Obtain a license key and media for the Centrify Suite of your choice from Centrify. You can also download an evaluation copy directly from the Centrify web site, but you must have a license key to use the software for more than a limited period of time.

2 On the Windows computer where you installed Deployment Manager or another Windows computer that is joined to the Active Directory domain, run the Centrify Suite setup program to install Centrify DirectManage for Windows 32-bit or Windows 64-bit.

If you received the software on a CD, the Getting Started page is displayed automatically or when you double-click the autorun.exe program. On the Getting Started page, click Centrify DirectManage to start the appropriate setup.exe program for the Windows 32-bit or Windows 64-bit operating system.

3 Follow the prompts displayed to accept the license agreement, select the components to install, and a location for files.

4 When setup is complete for the selected packages, click Finish to close the Centrify Suite setup program.

Upgrading on UNIX, Linux, and Mac OS X


To enable licensed features on UNIX, Linux, and Mac OS X computers:

1 Log on to the computer that is running Centrify Suite Express.

2 Run the following command to enable licensed features:

adlicense --licensed

3 Verify the command displays a message indicating that group policies will be initialized:

Group policies will be initialized on background

4 Run the following command to verify that licensing has been enabled:

adinfo

Local host name: qa1
Joined to domain: acme.com
Joined as: qa1.acme.com
Pre-win2K name: qa1
Current DC: acme-dc1.acme.com
Preferred site: Default-First-Site
Zone: Auto Zone
Last password set: 2009-11-12 12:01:31 PST
CentrifyDC mode: connected
Licensed Features: Enabled

Note After enabling licensed features, the computer is still connected to Auto Zone. If you are not using zones to migrate existing user populations or define role-based access controls, you can leave the computer in Auto Zone. If you want to take advantage of zones, you must:

• Create at least one zone using the Centrify DirectControl Administrator Console, adedit, or another tool.

• Run adleave to leave the Active Directory domain and Auto Zone.

• Run adjoin to rejoin the Active Directory domain and a specified zone.

For information about creating and managing zones, using group policy, and other Centrify DirectControl features, see the Centrify DirectControl Administrator’s Guide and the Planning and Deployment Guide.

Adding optional Centrify Suite packages after installation

Depending on the edition of Centrify Suite you choose, there are several optional packages that may be available for you to use but are not installed when you run the Centrify Express installation. To add these packages, you must rerun the installation script for Centrify Suite Standard Edition or Centrify Suite Enterprise Edition and select which packages to install. To add optional packages on computers where the agent is installed:

1 Change to the appropriate directory on the CD or to the directory where you have copied or downloaded the Centrify DirectControl Agent package.

2 Run the standard installation script for the agent and follow the prompts displayed:


3 When you are prompted whether to keep, erase, or reinstall the currently installed packages:

 Accept the default (K, keep) for the currently installed packages.

 Type Y (Y, yes) for each package you want to add.

4 When prompted to enable licensed features, type Y and press Enter.

The script will also prompt you with other choices, such as the option to run adcheck and reboot the computer after installation.

The computer remains joined to the domain you previously joined. Your existing /etc/centrifydc/centrifydc.conf file is backed up, and any modifications you have made to the file are migrated to the new version of the file.

5 Restart running services, such as login, sshd, or gdm, or reboot the computer to ensure all services use the updated configuration.

Removing Centrify DirectControl

On most Centrify DirectControl-managed systems, you can remove the Centrify DirectControl Agent and related files by running the uninstall.sh script. The uninstall.sh script is installed by default in the /usr/share/centrifydc/bin directory on each managed computer.

To remove Centrify DirectControl on a Linux, UNIX, or Mac OS X computer:

1 Log on to the computer where the Centrify DirectControl Agent is installed.

2 Run the uninstall.sh script. For example:

/bin/sh /usr/share/centrifydc/bin/uninstall.sh

The uninstall.sh script will detect whether the Centrify DirectControl Agent is currently installed on the local computer and will ask you whether you want to uninstall your current Centrify DirectControl installation.

3 To uninstall Centrify DirectControl, enter Y when prompted.

If you cannot locate or are unable to run the uninstall.sh script, you can use the


Chapter 3

Using DirectControl Express

This chapter explains how to perform basic administrative tasks with DirectControl Express.

The following topics are covered:

 Logging on to your computer

 Getting information about the Active Directory configuration

 Applying password policies and changing passwords

 Working in disconnected mode

 Mapping local accounts to Active Directory

 Setting a local override account

 Using standard programs such as telnet, ssh, and ftp

 Using Samba

 Setting Auto Zone configuration parameters

Logging on to your computer

You log on to a joined computer in the same way you log on locally. For example, you type a user name and password to start a console session, remote shell session, or a desktop manager. In most cases, you do not have to specify the domain name when you log on. However, you do need to type the Active Directory password for your account and the password must conform to the password policies defined for the domain.

You can use any of the following formats for the user name when you log on:

 Active Directory samAccountName or Mac OS X short name (jcool)

 Active Directory userPrincipalName (jcool@acme.com)

 Windows NTLM format for domain and user name (acme.com\jcool)

You can also use any of these formats to locate users in Active Directory.
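The three name formats above differ only in where the domain part sits, and the agent fills in the joined domain when a bare name is given. The script below is an added example, not part of the guide or of Centrify's code: it splits a logon name of any of the three forms into its user and domain parts, rejects malformed names instead of guessing, and builds the canonical user@domain form using a supplied default domain when the name carries none. The function names are assumptions; the sample names (jcool, acme.com) are the guide's own.

```shell
#!/bin/sh
# Added example (not Centrify's own code): parse the three logon name formats
# listed in the guide. Function names are assumed; jcool/acme.com come from
# the guide's examples.

# split_logon_name NAME : prints "USER DOMAIN" ("-" for DOMAIN when the name
# carries none); returns 1 for an empty or malformed name.
split_logon_name() {
    name=$1
    case $name in
        *\\*)                       # NTLM style: acme.com\jcool
            domain=${name%%\\*}
            user=${name#*\\}
            ;;
        *@*)                        # userPrincipalName: jcool@acme.com
            user=${name%%@*}
            domain=${name#*@}
            ;;
        *)                          # samAccountName / Mac OS X short name: jcool
            user=$name
            domain=-
            ;;
    esac
    # Reject leftovers that would mean two separators or embedded whitespace
    # (for example "acme.com\jcool@other.com"), and reject empty parts.
    case "$user$domain" in
        *@*|*\\*|*' '*|*'	'*) return 1 ;;
    esac
    [ -n "$user" ] && [ -n "$domain" ] || return 1
    printf '%s %s\n' "$user" "$domain"
}

# to_upn NAME DEFAULT_DOMAIN : canonical user@domain form; the default domain
# (normally the domain the computer is joined to) is used when NAME has none.
to_upn() {
    default=$2
    pair=$(split_logon_name "$1") || return 1
    set -- $pair                    # $1 = user, $2 = domain or "-"
    if [ "$2" = "-" ]; then
        printf '%s@%s\n' "$1" "$default"
    else
        printf '%s@%s\n' "$1" "$2"
    fi
}

# Stand-alone demonstration with the guide's sample names.
for n in jcool jcool@acme.com 'acme.com\jcool'; do
    printf '%-20s -> ' "$n"
    to_upn "$n" acme.com
done
```

Splitting on the first backslash and the first "@" is enough here because a valid name contains exactly one of them; anything that still holds a separator after the split is rejected rather than silently mapped to a different account.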

By default, Centrify Suite Express uses the Active Directory samAccountName attribute or the Mac OS X short name for the UNIX profile user name. You can specify a different form for the UNIX name by setting the value of the auto.schema.name.format parameter in the
