SOLUTION GUIDE | CENTRIFY CORP. | SEPTEMBER 2005
Windows Security and Directory Services for UNIX using Centrify DirectControl
With Centrify, you can now fully leverage your investment in Active Directory to significantly strengthen security, reduce infrastructure costs, streamline IT operations, and better comply with regulatory requirements.
ABSTRACT
Most IT environments include a significant number of Windows desktops and servers and typically use Active Directory to manage their Windows infrastructure. An ideal solution would be to leverage Active Directory for identity, access and policy management beyond Windows and include UNIX, Linux and Mac – the next largest base of systems in most large enterprises.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Centrify Corporation.
Centrify may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Centrify, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2005 Centrify Corporation, Microsoft Corporation. All rights reserved.
Centrify and DirectControl are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction
Introducing the Final End State
Real World Example
Introducing the Centrify DirectControl Solution
Intended Audience
Knowledge Prerequisites
Software Prerequisites
Overview of Centrify DirectControl Technology
Overview of Software Components for Windows
Overview of Software Components for UNIX
Storing UNIX User Attributes in Active Directory
Designing the Centrify DirectControl Solution
Conceptual Design of Centrify DirectControl Solution
Logical Design of Centrify DirectControl Solution
Physical Design of Centrify DirectControl Solution
Developing the Centrify DirectControl Solution
Introduction and Goals
Major Tasks and Deliverables
Preparing Your Environment
Installing and Configuring Active Directory Domain Controllers
Configuring the DNS Server
Creating Test Users and Groups
Verifying Time Synchronization
Developing the Components of the Solution
Choosing DirectControl Zones or Active Directory Schema Extensions
Installing Centrify DirectControl on Windows
Configuring Active Directory with the First DirectControl Zone
Enabling Active Directory Groups and Users for UNIX
Installing the Centrify DirectControl Agent on UNIX or Linux
Logging On to a UNIX Computer with an Active Directory User Account
Major Milestone: Solution Development Complete
Testing and Stabilizing the Centrify DirectControl Solution
Introduction and Goals
Major Tasks and Deliverables
Testing the DirectControl Solution
Testing Joining a UNIX Computer to Active Directory
Testing Active Directory Authentication
Testing Workstation Authorization Policies
Testing Account Lockout Policies
Testing Password Management Policies
Testing Offline Authentication
Testing Additional Administrative Tasks
Conducting a Pilot
Major Milestone: Testing and Stabilization Complete
Deploying the Centrify DirectControl Solution
Introduction and Goals
Major Tasks and Deliverables
Completing Deployment Preparations
Importing Existing UNIX Accounts into Active Directory
Using Zones to Manage Role-based Access Control Mapping
Using Group Policy with DirectControl to Manage GPOs
Applying Security Controls
Choosing a Phased Deployment Option
Preparing the IT Support Staff and Users
Deploying the Solution
Deploying the Infrastructure
Joining UNIX Computers to Active Directory
Stabilizing the Deployment
Major Milestone: Deployment Complete
Operating the Centrify DirectControl Solution
Introduction and Goals
Intended Audience
Knowledge Prerequisites
Managing System Administration
Administering Directory Services
Administering DirectControl Zones
Administering Security
Delegation of Zone Administration
Security Policy Administration
Simplifying Service Desk Operations
Assessing Capacity
Reporting and Auditing
Major Milestone: Operations Readiness Complete
Evolving the Centrify DirectControl Solution
Introduction and Goals
Intended Audience
Knowledge Prerequisites
Determining What the Next Steps are for Your Security and Directory Services Solution
Expanding Single Sign-On Capabilities to Applications
Using Kerberized Applications
Using PAM-aware Applications
Using DirectControl for Web-based Single Sign-On
Supporting Legacy NIS Applications
Enabling Configuration and Access Control with Active Directory and Group Policy
Applying Domain-wide Policy through Active Directory
Applying Policy for UNIX Users and Computers with Group Policy
Introduction
This solution guide is designed to be used by the project team within an end user organization tasked with extending Microsoft® Active Directory® identity, access control and policy management services to UNIX, Linux and Apple Macintosh systems.
Introducing the Final End State
The goal of the guide is to assist the user in building an End State where Active Directory is used to authenticate UNIX clients via Kerberos and where authorization and identity information is accessible via LDAP.
This solution makes use of Active Directory to store both authentication data and authorization data. The centralization of authentication and authorization data storage allows users to log in securely to both UNIX and Windows hosts with a single user name and password. Users may then access applications configured for Kerberized single sign-on without providing a user name or password. Additionally, the centralization of authentication and authorization data storage allows for consolidation of administration functions, eliminating all need for separate administration of authentication and authorization data on the UNIX side. Systems previously used for authentication and authorization data storage in the UNIX environment can be retired following the centralization of data storage to Active Directory.
This solution is most appropriate for an organization with an existing UNIX infrastructure wanting to provide users with single sign-on to both Windows and UNIX hosts, as well as any Kerberized application, and centralize administration of user data in Active Directory. This solution is a good choice both for organizations that have already implemented Kerberos authentication and for those just starting down the Kerberos path.
Real World Example
An organization uses NIS to store authentication and authorization data for UNIX users. They are looking for ways to centralize administration of user data and retire the existing user data storage systems. They are also interested in providing users with a single user name and password to access both the UNIX and Windows sides of the organization. The added security of Kerberized authentication and the potential for single sign-on to applications using Kerberos credentials also interests them.
Introducing the Centrify DirectControl Solution
The Centrify DirectControl suite uses the Microsoft Windows® Server 2003 Active Directory service to provide secure, centralized management of identities, access control, and policy for computers running UNIX, Linux, or Macintosh operating systems.
Deploying the Centrify DirectControl solution enables you to consolidate all computer, user, and group accounts in Active Directory and use Active Directory for all authentication, authorization, and directory services.
DirectControl also includes features that extend identity management to include
DirectControl provides a complete, integrated commercial solution that enables a rapid implementation of the End State, letting you use Active Directory to authenticate UNIX clients with Kerberos and to access UNIX authorization and identity information with Lightweight Directory Access Protocol (LDAP). This guide describes how to prepare, develop, deploy, operate, and evolve the DirectControl technical solution to reach this End State goal in an environment that includes Windows and UNIX or Linux computers. This section introduces you to the DirectControl solution and does not cover all aspects of configuring or using this product. Although DirectControl supports multiple UNIX and Linux platforms and Apple Mac OS X, the information and steps in this guide are specific to Red Hat Linux version 9. For more information about Centrify DirectControl, including specific information and steps for other supported operating systems, review the Centrify DirectControl Administrator’s Guide that is included with the product and other information available on the Centrify Web site at http://www.centrify.com.
Intended Audience
All project team leads should read each section of this guide. Specific sections of this guide should be read by all team members who share a specific role:
• Introduction. All members of the project team should read this section as it provides background information on the Centrify DirectControl solution components.
• Design. The primary audience for the Design section is solution architects and the Development team.
• Development. The primary audience for the Development section is the Development team, but members of the User Experience (documentation and usability) and Test teams are also responsible for specific tasks. For example, some team members set up the environment; others create rollout and site preparation checklists, and updated pilot and rollout plans; and others perform verification testing.
• Test. The primary audience for the Test section is the Test, Development, and Release Management teams.
• Deployment. The primary audience for the Deployment section is the Release Management team.
• Operations. The audience for the Operations section is systems administrators, computer security personnel, and operators responsible for both UNIX or Linux computers and the Windows environment.
• Evolving. The audience for the Evolving section includes all teams. It is especially appropriate for developers who want to take advantage of Kerberos authentication and directory capabilities in their applications.
Knowledge Prerequisites
Team members should review the following documentation:
• Centrify DirectControl Administrator’s Guide
• Centrify DirectControl Evaluation Guide
• Centrify’s technical white paper: “Centrify's Solution for Migrating UNIX Directories to Active Directory: Leveraging Centrify’s DirectControl and Zone Technology to Simplify Migration,” which is available from Centrify Corporation.
Software Prerequisites
To deploy the Centrify DirectControl solution for the End State, you need access to the DirectControl software. The DirectControl software is available on a single CD-ROM. This CD-ROM includes all of the software and documentation components referred to in this document for both Windows and the various supported UNIX and Linux platforms. You can either request an evaluation copy or purchase Centrify DirectControl licenses directly from Centrify Corporation. The DirectControl evaluation license enables unlimited use of the software for any number of computers and users for a 30-day period.
To contact Centrify, you can:
• Visit the Centrify Web site: http://www.centrify.com.
• Send e-mail to Centrify: [email protected].
• Call Centrify: 1-650-961-1100.
In addition to obtaining the DirectControl software, you must have Active Directory configured and deployed to effectively implement this solution. For more information about these prerequisites, see “Preparing Your Environment” later in this guide. For an overview of the DirectControl solution and its components, see the next section, “Overview of Centrify DirectControl Technology.”
Overview of Centrify DirectControl Technology
The Centrify DirectControl solution integrates Windows and UNIX environments in a unique way, giving Active Directory users and groups access to UNIX and Linux resources and allowing UNIX users, groups, and computers to be imported into and managed through Active Directory.
When you use DirectControl to achieve the End State, you can:
• Specify which Active Directory users and groups can log on to a specific UNIX computer or group of computers.
• Control user access to UNIX computers across the entire Active Directory forest, regardless of the organizational structure you use or where users are defined in that structure.
• Map local UNIX accounts, such as the root user, to Active Directory accounts for centralized control over access and passwords.
• Identify specific local UNIX accounts to be authenticated locally rather than through Active Directory.
• Migrate multiple existing UNIX account information stores into Active Directory, as needed.
• Enable authenticated users to connect to Web applications without being prompted to log on again with their Active Directory credentials (single sign-on).
• Take advantage of Microsoft’s Group Policy to apply settings and controls for UNIX users and computers.
Overview of Software Components for Windows
When you run the Centrify DirectControl setup program on a Windows computer, you can choose which components to install. You can choose from both required and optional components, as follows:
• Required:
• You must install Active Directory property extensions on at least one computer that is joined to an Active Directory domain and has the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in installed. Active Directory Users and Computers is installed in Administrative Tools by default on a Windows domain controller. You can install this snap-in on other computers running Windows Server (see "To add a snap-in to a new MMC console for a local computer" in Help and Support Center for Windows Server 2003). It is also available for Windows XP by installing the Windows Server 2003 Administration Tools Pack, which you can download from the following location: http://www.microsoft.com/downloads/details.aspx?familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
• The property extensions update the Active Directory forest to store additional attributes for each user account that uses the native Active Directory schema.
• You must install the Centrify DirectControl Administrator Console on at least one computer that can access Active Directory domains. The Centrify DirectControl Administrator Console provides a central location for managing UNIX users, groups, and computers and for performing administrative tasks, such as importing accounts, running reports, and analyzing account information.
• Optional:
• Documentation, release notes, and online help for the Centrify DirectControl Administrator Console are optional. You can install one or more of them on any Windows computer.
• The DirectControl Network Information Service (NIS) Map Extensions component is optional. You can install it on at least one computer if you want to import and manage NIS maps, such as netgroup or auto.master, in Active Directory.
• The DirectControl Administrative Template for Group Policy is optional. You can install it on at least one computer on which the Group Policy Object Editor console is installed.
Overview of Software Components for UNIX
When you run the Centrify DirectControl installation script on a UNIX computer, a core Agent package of services that handles communications between programs on the UNIX platform and Active Directory is installed. You can also install optional components that require additional steps to activate, such as the DirectControl authentication and
The following figure depicts the components of the DirectControl software that runs on a UNIX computer.
Figure 1.1. Simplified view of the Centrify DirectControl architecture
The following table briefly defines each component shown in the figure.
Table 1.1. Centrify DirectControl Architecture Components
• Centrify DirectControl daemon (adclient). The DirectControl Active Directory client daemon (program), adclient, manages all direct communications with Active Directory as well as all operations provided through the other DirectControl services.
• DirectControl Service Library. Service libraries are included with DirectControl to handle Kerberos, LDAP, and Active Directory–specific calls. These libraries are used by the various DirectControl modules.
• CLI Tools. The DirectControl command-line interface (CLI) programs enable you to perform common administrative tasks, such as joining or leaving the Active Directory domain, changing user passwords, or collecting diagnostic information. You can use these command-line programs interactively or in scripts to automate tasks.
• Kerberos Cache, Keytab and Configuration. DirectControl automatically sets up and maintains Kerberos system files and services on the UNIX computer.
• Offline Cache. When a user logs on to the UNIX computer, the user's credentials are cached locally so that the user can continue to log on to the computer for future sessions, even when a domain controller is not available or the network is offline.
• Kerberized Apps (ssh, nfs, …).
• UNIX Login Apps (login, ftp, ssh, …). Standard UNIX applications that use NSS or PAM to locate a name service or an authentication mechanism can use Active Directory for these services through DirectControl.
• NSS Module. The DirectControl Name Server Switch (NSS) module enables standard operating system services that do not use PAM or Kerberos to look up information in Active Directory. NSS updates the /etc/nsswitch.conf file to use the DirectControl daemon to access information that is stored in Active Directory through LDAP.
• PAM Module. The DirectControl Pluggable Authentication Module (PAM) module, pam_centrifydc, works with the adclient daemon to provide a number of services, such as checking for password expiration, filtering for users and groups, and creating the local home directory and default user profile files for new users. The pam_centrifydc module is automatically placed first in the PAM stack in the /etc/pam.d/system-auth file to ensure that it takes precedence over other authentication modules.
• Apache. The Apache Web server can be configured to use Active Directory for backend directory and authentication services.
• Apache SPNEGO Module. The DirectControl Apache SPNEGO Module provides silent authentication services for Apache Web applications using Active Directory as the authentication authority.
• SDK. The DirectControl Software Development Kit (SDK) can be used to create custom applications and scripts that integrate with Active Directory for authentication and directory services.
• J2EE Apps (WebLogic, WebSphere, Tomcat, JBoss). J2EE application platforms such as BEA’s WebLogic, IBM’s WebSphere, Tomcat, and JBoss (and the applications that run on these platforms) can be configured to use Active Directory for backend directory and authentication services.
• J2EE JAAS Module. Java Authentication and Authorization Service (JAAS) is a standard Java package that provides interfaces to allow applications to perform silent or prompted authentication of user credentials. Centrify DirectControl includes a customized JAAS realm for J2EE applications that supports using Active Directory for authentication.
• J2EE SPNEGO Module. The DirectControl J2EE SPNEGO Module uses Active Directory as the authentication authority to provide silent authentication services for J2EE Web applications.
• Group Policy Service. The DirectControl Group Policy service interfaces with the Group Policy system on the Windows server and ensures that applicable policies are correctly executed on the UNIX computer.
• System Config Files. System configuration files can be used to control Group Policy objects that run on the UNIX platform.
• NIS Service (adnisd). The optional DirectControl Network Information Service (NIS) daemon, adnisd, can be installed on at least one computer if you want to store NIS maps in Active Directory and publish the information through DirectControl.
• NIS Client Apps. Local and remote NIS client systems and applications can use DirectControl NIS to access directory information stored in Active Directory.
• NIS Cache. NIS information is cached locally on a system that runs the DirectControl NIS daemon. This reduces network traffic and load on Active Directory domain controllers.
The following subsections provide more detail about the most important components of the Centrify DirectControl architecture.
Centrify DirectControl Daemon (adclient)
The core component of the Centrify DirectControl Agent is the adclient daemon. The DirectControl adclient daemon handles all direct communications with Active Directory and works in conjunction with all other DirectControl Agent modules to perform the following key activities:
• Locates domain controllers
Locates the appropriate domain controllers for the UNIX or Linux computer based on Active Directory forest and site topology.
• Verifies domain membership
Provides Active Directory with credentials that verify that the computer is a valid member of the domain.
• Manages user credentials
Delivers and stores user credentials so that users can be authenticated by Active Directory and can sign on even when the computer is disconnected from the network.
• Caches information to improve performance
Caches query responses and other information to reduce network traffic and the number of connections to Active Directory. The cache contents and all communications with Active Directory are encrypted to ensure security. The daemon caches positive and negative query results for better performance.
• Manages Kerberos
Creates and maintains the Kerberos configuration and service ticket files so that all existing Kerberized (Kerberos-enabled) applications work with Active Directory without any additional manual configuration.
• Synchronizes clock
Synchronizes the local computer’s time with the clock maintained by Active Directory to ensure the timestamp on Kerberos tickets issued by the Windows Key Distribution Center (KDC) are within a valid range.
• Resets computer password
Resets the password for the local computer account in Active Directory at regular intervals to maintain security for the account’s credentials.
• Provides services to other modules
Provides authentication, authorization, and directory look-up services to the other DirectControl modules, for example, to the PAM or Java modules.
Centrify DirectControl for PAM-Enabled Services (pam_centrifydc)
The Centrify DirectControl PAM module, pam_centrifydc, provides the interface between the standard UNIX authentication libraries used by most system applications and the DirectControl adclient daemon that manages direct communications between a UNIX or Linux host and Active Directory. The pam_centrifydc module provides the following services:
• Kerberos-based user authentication for PAM-enabled services
Services such as login, sshd, telnetd, and ftpd, that are typically configured to use PAM, can authenticate users that use Kerberos tickets and Active Directory. After the user is authenticated, the DirectControl daemon stores the Kerberos credentials locally in an encrypted cache so that the credentials are available for other applications to use.
• Disconnected authentication
When users log on and are authenticated successfully through Active Directory, the pam_centrifydc module caches their credentials so that they can log on and be authenticated when the computer is disconnected from the network or when the Active Directory domain controller is not available.
• Automatic home directory creation
When a new user logs on and is authenticated through Active Directory, the pam_centrifydc module automatically creates a home directory for the user if the home directory for the user does not already exist. The path to the home directory corresponds to the home directory attribute for the user stored in Active Directory.
• Account conflict checking
When users log on, the pam_centrifydc module checks for user name and user ID (UID) conflicts between users enabled for UNIX or Linux access in Active Directory and local user accounts defined in the /etc/passwd file. If a conflict exists, a warning is displayed to the user upon logon and an event is written to the local UNIX system log.
• User and group filtering for fine-tuned access control
You can use group policy to grant or deny users or groups access to any computer or group of computers managed by DirectControl. Your group policy settings are enforced through the pam_centrifydc module.
• Local override flexibility
DirectControl allows you to enable one or more user accounts that are always authenticated locally by using the /etc/passwd file instead of Active Directory.
• Password administration
DirectControl provides a command-line program, adpasswd, that lets UNIX or Linux users change their Active Directory password from the UNIX or Linux computer. The pam_centrifydc module enforces your Active Directory password policies for length, complexity, expiration, and history.
Centrify DirectControl Name Server Switch (nss_centrifydc)
The Centrify DirectControl NSS module, nss_centrifydc, performs user and group name lookups and file-based authorization for program and application requests through LDAP. The adclient daemon stores the responses locally in an encrypted cache to provide faster performance, reduced network traffic, secure caching, and disconnected operation. In addition, the DirectControl NSS module provides the following features:
you might not want to use Active Directory for special system accounts, for groups, or for a specific set of UIDs.
• User and group override controls for fine-tuned access control
Through configuration options or group policy, you can handle override entries in the /etc/passwd file or /etc/group file to provide custom access to local accounts or groups.
• Program filtering to prevent account conflicts with Active Directory
Through configuration options or group policy, you can specify programs that you do not want to look up account information in Active Directory. You can use this feature to ensure that local programs that create, manage, or use local user and group information do not attempt to look up conflicting information in Active Directory.
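The two integration points described in the PAM and NSS sections above can be verified after installation. The following is an added example, not Centrify's code or the product's own tooling: it checks that pam_centrifydc is the first module in each stack of /etc/pam.d/system-auth and that the DirectControl NSS source appears on the passwd and group lines of /etc/nsswitch.conf. The nsswitch source name "centrifydc" is an assumption derived from the module name nss_centrifydc (glibc maps libnss_<name>.so to source <name>); the sample file contents are constructed.

```python
# Added example (not Centrify's code): post-install sanity checks for the PAM
# and NSS wiring the guide describes. pam_centrifydc should be first in every
# management group of /etc/pam.d/system-auth, and the DirectControl source
# should be listed for passwd and group in /etc/nsswitch.conf.
PAM_MODULE = "pam_centrifydc"
NSS_SOURCE = "centrifydc"   # assumed nsswitch source name for nss_centrifydc


def parse_pam(lines):
    """Return (type, control, module) for each non-comment line of a PAM file.
    Bracketed control fields containing spaces are not handled here."""
    entries = []
    for raw in lines:
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2]))
    return entries


def pam_module_is_first(lines, module=PAM_MODULE):
    """For each management group present (auth, account, password, session),
    report whether `module` is the first module consulted in that group."""
    first = {}
    for ptype, _control, mod in parse_pam(lines):
        first.setdefault(ptype, mod)
    return {group: module in mod for group, mod in first.items()}


def nsswitch_sources(lines):
    """Return {database: [source, ...]}, ignoring comments and action clauses
    such as [NOTFOUND=return]."""
    sources = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        sources[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return sources


def nsswitch_uses_source(lines, source=NSS_SOURCE, databases=("passwd", "group")):
    """Report, per database, whether `source` is consulted at all."""
    sources = nsswitch_sources(lines)
    return {db: source in sources.get(db, []) for db in databases}


def findings(pam_lines, nss_lines):
    """Human-readable list of problems; an empty list means both files look right."""
    problems = []
    for group, ok in pam_module_is_first(pam_lines).items():
        if not ok:
            problems.append(f"{PAM_MODULE} is not first in the {group} stack")
    for db, ok in nsswitch_uses_source(nss_lines).items():
        if not ok:
            problems.append(f"{NSS_SOURCE} missing from nsswitch {db} line")
    return problems


# Constructed sample: the agent module placed first in every stack.
SYSTEM_AUTH_OK = """\
#%PAM-1.0
auth        sufficient    pam_centrifydc.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so likeauth nullok
auth        required      pam_deny.so
account     sufficient    pam_centrifydc.so
account     required      pam_unix.so
password    sufficient    pam_centrifydc.so try_first_pass
password    required      pam_deny.so
session     required      pam_centrifydc.so
session     required      pam_unix.so
""".splitlines()

# Constructed sample: a later edit put pam_unix ahead of the agent in auth,
# so local password checks run before Active Directory is consulted.
SYSTEM_AUTH_BAD = """\
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_centrifydc.so
account     sufficient    pam_centrifydc.so
""".splitlines()

NSSWITCH_OK = ["passwd:   files centrifydc", "group:    files centrifydc", "hosts:    files dns"]
NSSWITCH_BAD = ["passwd:   files", "group:    files [NOTFOUND=return] nis", "hosts: files dns"]

if __name__ == "__main__":
    for label, pam, nss in (("ok", SYSTEM_AUTH_OK, NSSWITCH_OK),
                            ("bad", SYSTEM_AUTH_BAD, NSSWITCH_BAD)):
        print(label, findings(pam, nss) or ["no problems"])
```

On a real host, feed the functions the contents of the two files instead of the constructed samples; the ordering check matters because a module placed ahead of pam_centrifydc in the auth stack can satisfy a logon from local credentials before Active Directory is ever consulted.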
Storing UNIX User Attributes in Active Directory
UNIX computers use a traditional set of information fields that are associated with a user in the account information store. Regardless of whether the store is local (that is, /etc/passwd) or in a central directory (for example, NIS or LDAP), these fields must be present in order for a normal UNIX user experience to occur. Some of these information fields have a similar field in Active Directory. For example, the Active Directory Display Name field is similar to what is typically stored in the Gecos field in an /etc/passwd file – that is, the full name of the user.
However, a UNIX computer must look up certain fields that do not have an equivalent in the Active Directory system. Some of these fields include User ID (specifies the user's unique numeric ID), Principal Group (specifies the user's principal or primary group ID), Home Directory (specifies the full path name of the user's home directory), and Shell (specifies the initial program or shell that is executed after a user invokes the login command or su command). In order to use Active Directory as a directory store for UNIX accounts, some mechanism must be put in place to allow for the storage of these extra information attributes and to tie those attributes to each user account.
Many solutions use the approach of extending the Active Directory schema to accommodate the storage of additional attributes. For example, Microsoft Services for UNIX (SFU) includes a mechanism to extend the default schema. After the default schema is extended, every user in the domain has extra fields available for storing information associated with accessing UNIX computers. These fields include NIS Domain, UID, Login Shell, Home Directory, and Primary group name.
DirectControl supports two methods for storing UNIX user attributes in Active Directory – using DirectControl Zones or implementing the Microsoft SFU schema extensions.
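To make the attribute mapping concrete, and to show the user-name/UID conflict check that the PAM section above attributes to pam_centrifydc, here is an added example that is not Centrify's code. It turns an Active Directory user entry (attribute name to list of values, as an LDAP search returns it) into an /etc/passwd-style record using the UNIX fields the guide lists, with Display Name filling the gecos field, and then compares the UNIX-enabled entries against local /etc/passwd lines. The LDAP attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell) are an assumption taken from the Windows Server 2003 R2 / SFU UNIX schema; the page names the fields but not the attributes. All directory entries and passwd lines are constructed.

```python
# Added example, not Centrify's code: map AD UNIX attributes onto a passwd
# record and detect name/UID conflicts with local accounts.
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    def to_line(self):
        """Render as a classic seven-field /etc/passwd line."""
        return f"{self.name}:x:{self.uid}:{self.gid}:{self.gecos}:{self.home}:{self.shell}"


# Attribute names assumed from the R2 / SFU UNIX schema (RFC 2307 style).
REQUIRED_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def ad_entry_to_passwd(entry):
    """Build a PasswdEntry from an AD entry; raises KeyError when a required
    UNIX attribute is absent, which is how a Windows-only account shows up."""
    account = entry["sAMAccountName"][0]
    for attr in REQUIRED_ATTRS:
        if not entry.get(attr):
            raise KeyError(f"{account}: not UNIX-enabled, missing {attr}")
    gecos = (entry.get("gecos") or entry.get("displayName") or [""])[0]
    return PasswdEntry(
        name=(entry.get("uid") or [account])[0],   # UNIX login may differ from AD name
        uid=int(entry["uidNumber"][0]),
        gid=int(entry["gidNumber"][0]),
        gecos=gecos,
        home=entry["unixHomeDirectory"][0],
        shell=entry["loginShell"][0],
    )


def unix_enabled(entries):
    """PasswdEntry for every AD entry that carries a complete UNIX profile."""
    result = []
    for entry in entries:
        try:
            result.append(ad_entry_to_passwd(entry))
        except KeyError:
            continue
    return result


def parse_passwd(lines):
    """Parse /etc/passwd text into PasswdEntry objects, skipping malformed lines."""
    out = []
    for raw in lines:
        fields = raw.strip().split(":")
        if len(fields) == 7 and not raw.startswith("#"):
            out.append(PasswdEntry(fields[0], int(fields[2]), int(fields[3]),
                                   fields[4], fields[5], fields[6]))
    return out


def find_conflicts(ad_entries, local_entries):
    """Conflicts between UNIX-enabled AD users and local accounts:
    ("name", login, ad_uid, local_uid) when one login exists in both stores,
    ("uid", uid, ad_login, local_login) when one UID is used by different names.
    A same-name hit may be an intended local override (see the guide); the
    check only reports it so an administrator can confirm."""
    by_name = {e.name: e for e in local_entries}
    by_uid = {e.uid: e for e in local_entries}
    conflicts = []
    for e in ad_entries:
        if e.name in by_name:
            conflicts.append(("name", e.name, e.uid, by_name[e.name].uid))
        elif e.uid in by_uid:
            conflicts.append(("uid", e.uid, e.name, by_uid[e.uid].name))
    return conflicts


# Constructed sample directory entries and local passwd file.
AD_USERS = [
    {"sAMAccountName": ["jhay"], "displayName": ["Jeff Hay"],
     "uidNumber": ["10001"], "gidNumber": ["10000"],
     "unixHomeDirectory": ["/home/jhay"], "loginShell": ["/bin/bash"]},
    {"sAMAccountName": ["mysql"], "uidNumber": ["27"], "gidNumber": ["27"],
     "unixHomeDirectory": ["/var/lib/mysql"], "loginShell": ["/sbin/nologin"]},
    {"sAMAccountName": ["winonly"], "displayName": ["Windows Only"]},
]
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
ops:x:10001:10001:Ops Account:/home/ops:/bin/bash
""".splitlines()

if __name__ == "__main__":
    for entry in unix_enabled(AD_USERS):
        print(entry.to_line())
    for conflict in find_conflicts(unix_enabled(AD_USERS), parse_passwd(LOCAL_PASSWD)):
        print("conflict:", conflict)
```

In the sample, jhay's UID 10001 collides with the local ops account and the AD mysql account shares its name with a local one; both are the kind of condition the guide says produces a logon warning and a syslog event, and both are worth resolving before importing accounts rather than at first logon.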
DirectControl Zones
As described in the sections about conceptual and logical designs for DirectControl solutions, Centrify DirectControl introduces a new mechanism for storing UNIX user attributes. DirectControl takes advantage of a standard facility within Active Directory that allows applications to store data in Active Directory under the Program Data container hierarchy. In this container, DirectControl can store information in Zones. Each Zone can include information about related computers, users, and groups that are joined to Active Directory.
Zones are also useful for organizations that want to establish strict role-based access controls for UNIX computers, groups, and users. For example, you can add Active Directory users or groups as members of a Zone if the users or groups have a requirement to access computers in that Zone. Other users or groups who are not members of the Zone cannot access the computers in that Zone.
Microsoft Services for UNIX Schema Extensions
As mentioned earlier, the Microsoft Services for UNIX (SFU) product includes a method for extending the Active Directory schema by adding storage fields for UNIX attributes. DirectControl fully supports using these Microsoft-supported schema extensions. If your organization has deployed the SFU schema extensions, DirectControl can treat them as a separate Zone. Other Zones can be used side-by-side with the SFU Zone, which gives your organization a considerable degree of flexibility for establishing a consolidated identity solution that best meets your needs.
Centrify DirectControl supports the SFU schema extensions because these are the UNIX schema extensions that Microsoft officially supports. Microsoft implemented a new UNIX schema for the 2005 release of Windows Server 2003. Centrify fully supports this new schema and plans to continue to track and support any UNIX schema extensions that Microsoft supports in the future.
Important: Extending the Active Directory schema requires care. To reduce the chance that
The example in the following screenshot displays SFU schema attributes as a DirectControl Zone on the Centrify Profile tab for Jeff Hay. The Centrify Profile tab appears on the user properties page in Active Directory Users and Computers after you run the DirectControl Setup Wizard. You can also view or modify SFU settings by using the UNIX Attributes tab.
Figure 1.2. SFU schema attributes appear as a Centrify Zone on the user properties page in Active Directory Users and Computers
For more information about DirectControl Zones and about how to accommodate legacy UNIX identity stores, see the white paper, “Centrify's Solution for Migrating UNIX Directories to Active Directory”.
Designing the Centrify DirectControl Solution
Before beginning development of the solution, it is essential to understand the underlying design of the Centrify DirectControl product and how it can be applied to extend Active Directory services to UNIX systems and applications. This section reviews the conceptual and logical design of a solution using DirectControl, and gives an example physical design that shows how DirectControl would be deployed in a real-world scenario.
Conceptual Design of Centrify DirectControl Solution
Centrify’s DirectControl solution combines the necessary authentication, authorization and directory services required for the End State into a single integrated solution. Rather than treating each component service as a separate concept that requires individual designs, the design for the single DirectControl service will more than cover the requirements for the End State. In concept, a UNIX or Linux machine with the DirectControl agent installed is very similar to a Windows XP client from the standpoint of services provided between the Active Directory server and the client system.
Centrify DirectControl introduces a new concept that must be understood and taken into consideration when planning this solution: DirectControl Zones. A Zone is a facility that allows a group of UNIX machines, groups and users to be treated as a distinct identity cluster, partitioning off systems that share common identity attributes. Users can be members of more than one Zone and can have different user attributes (for example, a different username) in each Zone. For example, all machines in the finance department could be grouped into a single Zone called “finance”, and membership of that Zone could be restricted to finance employees and all senior managers. This gives the organization better control over access to systems based on well-defined roles. Additionally, DirectControl Zones can be used to restrict access to certain types of applications running on the UNIX systems.
Zones also become important when dealing with multiple existing UNIX identity systems that are being migrated to Active Directory. For example, most organizations have multiple identity stores in use on their current UNIX platforms, including LDAP directories, NIS/NIS+ and local account stores using /etc/passwd. Often a single user is a member of more than one identity store and may even have a different username, UID or group memberships in each. DirectControl Zones allow the organization to import the information from its legacy UNIX identity stores into separate Zones without forcing the organization to consolidate the multiple identities that each user might have. The result might be a structure with three Zones in Active Directory – one with the pre-existing UNIX LDAP directory information, one with the imported information from an existing NIS directory and one with the imported contents of an /etc/passwd file from a single UNIX system. If a user has an account in all three systems, these can now be mapped back to a single Active Directory identity, even if the user’s identity attributes were different in each of the legacy directories. This means that the user can now access all of these systems using either their Active Directory credentials or their old credentials from the previous system. Regardless of which credentials they use, the user has only one password across all systems – their existing Active Directory password. More information on DirectControl Zones can be found at: http://www.centrify.com.
Figure (caption not extracted). Diagram: a single Active Directory account (User Name: Fred Thomas; Windows account userid fred.thomas, homedir \\server1\users\fred.thomas, used from a Windows XP laptop) maps to a different UNIX identity in each Zone: Engineering Zone (Linux Workstation): userid fred, UID 94582, shell /bin/bash, homedir /home/fred; Finance Zone (Solaris Host): userid fthomas, UID 2387, shell /bin/csh, homedir /nfshome/fthomas; HR Zone (HR App Server): userid fredt, UID 5381. The Windows domain controller and Active Directory, managed by the domain administrator, hold all of these mappings.
If you choose to use Centrify DirectControl as part of an integrated solution for security and directory services, your conceptual design should address how you want to use Zones, how you will migrate user identities to Active Directory, and how legacy identity stores such as /etc/passwd files and NIS servers fit into your solution.
To develop your conceptual design with Centrify DirectControl in mind, you should consider the following:
• Whether you have multiple UNIX identity stores or a single identity store for all UNIX users.
• Which UNIX computers users log on to locally or remotely and which UNIX computers are used as application servers that only require infrequent administrative logins.
• The nature of the user community and how and when different users access UNIX resources.
As an example, if you have multiple identity stores, your conceptual design should define how those identity stores map to Centrify DirectControl Zones. If you already group users in NIS domains, you can keep this structure by mapping each NIS domain to a Zone. If you have a more ad hoc environment, you should identify the computers that form a natural administrative set. For example, you may want to use Zones to group computers based on specific criteria, such as computers managed by the same security group, located in the same area, or used by the same department. In your conceptual design, you should also determine how various computers are used. For example, you should determine which computers users log on to directly and which computers are used as application servers that only require administrative access for housekeeping purposes. You should consider how many users log on to different computers and the tasks different sets of users perform on those computers.
If all of your UNIX user identities (UIDs) and group identities (GIDs) are unique for all of the computers you want to bring into the Active Directory forest, you can use a single Zone.
For simplicity, or to migrate in phases, you can start with a single Zone and add Zones over time, but your conceptual design should take this migration strategy and Zone design into account.
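As an added example (not from the Centrify guide), the following Python script applies the single-Zone test above to constructed passwd-style extracts from two hypothetical legacy stores: it finds UID and username conflicts across the stores, recommends one Zone or one Zone per store, and builds the per-Zone UNIX profile for an Active Directory account in the style of the Fred Thomas example. The store names, the AD logon names and the sample entries are all assumptions.

```python
"""Zone design check: can several legacy UNIX identity stores share one
DirectControl Zone, or does each store need its own Zone?

Added example, not part of the Centrify guide. Store names, entries and
AD logon names are constructed sample data.
"""
from collections import defaultdict

# Constructed passwd(5)-style extracts from two hypothetical legacy stores.
# UID 2387 is used by different people in the two stores, and "alice" has a
# different UID in each store, so the two cannot share a single Zone.
LEGACY_STORES = {
    "solaris-nis": (
        "fthomas:x:2387:100:Fred Thomas:/nfshome/fthomas:/bin/csh\n"
        "alice:x:2388:100:Alice Adams:/nfshome/alice:/bin/sh\n"
    ),
    "linux-passwd": (
        "fred:x:94582:500:Fred Thomas:/home/fred:/bin/bash\n"
        "bob:x:2387:500:Bob Brown:/home/bob:/bin/bash\n"
        "alice:x:7000:500:Alice Adams:/home/alice:/bin/bash\n"
    ),
}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def find_conflicts(stores):
    """Return (uid_conflicts, name_conflicts) across all stores.

    uid_conflicts:  {uid: {store: username}} where one UID names different users
    name_conflicts: {username: {store: uid}} where one username has different UIDs
    """
    by_uid = defaultdict(dict)
    by_name = defaultdict(dict)
    for store, text in stores.items():
        for entry in parse_passwd(text):
            by_uid[entry["uid"]][store] = entry["name"]
            by_name[entry["name"]][store] = entry["uid"]
    uid_conflicts = {u: m for u, m in by_uid.items() if len(set(m.values())) > 1}
    name_conflicts = {n: m for n, m in by_name.items() if len(set(m.values())) > 1}
    return uid_conflicts, name_conflicts


def recommend_zones(stores):
    """Map Zone name -> list of stores it holds.

    With no conflicts, every store can be imported into one Zone ("default");
    otherwise each store gets its own Zone so legacy UIDs and names survive.
    """
    uid_conflicts, name_conflicts = find_conflicts(stores)
    if not uid_conflicts and not name_conflicts:
        return {"default": sorted(stores)}
    return {store: [store] for store in stores}


def zone_profiles(stores, ad_mapping):
    """Build the per-Zone UNIX profile of each AD account.

    ad_mapping: {ad_logon_name: {store: legacy_username}} - the mapping of
    legacy usernames back to a single Active Directory identity.
    Returns {ad_logon_name: {zone: {name, uid, home, shell}}}.
    """
    zones = recommend_zones(stores)
    parsed = {s: {e["name"]: e for e in parse_passwd(t)} for s, t in stores.items()}
    profiles = {}
    for ad_user, legacy in ad_mapping.items():
        profiles[ad_user] = {}
        for zone, members in zones.items():
            for store in members:
                if store in legacy:
                    e = parsed[store][legacy[store]]
                    profiles[ad_user][zone] = {"name": e["name"], "uid": e["uid"],
                                               "home": e["home"], "shell": e["shell"]}
    return profiles


if __name__ == "__main__":
    uid_c, name_c = find_conflicts(LEGACY_STORES)
    print("UID conflicts:", uid_c)
    print("username conflicts:", name_c)
    print("recommended Zones:", recommend_zones(LEGACY_STORES))
    # Constructed AD account with a different legacy identity in each store.
    print(zone_profiles(LEGACY_STORES,
                        {"fred.thomas": {"solaris-nis": "fthomas", "linux-passwd": "fred"}}))
```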
Logical Design of Centrify DirectControl Solution
With Centrify DirectControl, many of the logical design considerations that were required for a pure Kerberos / LDAP solution are no longer applicable. This is because DirectControl automatically handles the configuration of many of the supporting services that are required to reach the End State. For example, when DirectControl is installed, the time service and time synchronization elements that are required for proper Kerberos operation are automatically set up correctly without the need for user intervention.
Likewise, UNIX components such as PAM and NSS are also configured automatically when DirectControl is installed.
Another logical design consideration highlighted in other solutions is the strategy for handling Active Directory schema extensions for storing UNIX user attributes such as a UID or home directory. DirectControl simplifies the schema extension issue by eliminating the need for any schema extensions. Instead, DirectControl
Figure 1.5. An example of the internal Active Directory storage hierarchy for a DirectControl Zone
Since DirectControl Zones add numerous possibilities for dealing with better role-based access control and enabling the easy migration from existing UNIX directories, the organization should evaluate and create a logical design and plan for how Zones are used. This of course only applies if DirectControl is selected as the method for reaching the End State. Some of the considerations for how to apply Zones in the logical design include:
• Using Zones to address multiple legacy UIDs and enable rapid migration to Active Directory
For existing UNIX systems that have LDAP, NIS or /etc/passwd based directories, the user information in these directories can be directly imported into multiple DirectControl Zones. Typically the design would call for one Zone for each substantially distinct legacy directory store. Usernames in each Zone are then mapped to existing Active Directory user accounts. This allows the UNIX identity system to be immediately moved to Active Directory without forcing a change of UIDs on the legacy UNIX system. Having the option to retain legacy usernames and UIDs is a major design consideration since the alternative of manually changing UID ownerships and name-associated files on the UNIX system, for every user, could be an enormous task and an obstacle to a successful migration.
• Using Zones and Services for UNIX to address other UNIX services tied to Active Directory
For organizations that have deployed Services for UNIX and are using the SFU NIS Server or NFS services, it is likely that they have extended the Active Directory schema using SFU. If this is the case, the logical design should include reserving a Zone for the SFU-enabled user accounts, since the UNIX attributes stored with each account will continue to be used once this new project is completed. DirectControl fully supports mapping the SFU user attributes into a DirectControl Zone.
• Using Zones, Group Policy and other methods for enabling true role-based access control
organization's disposal as they create their logical plan for mapping user and group identities to intended resource use and data access.
• Multi-phase migrations of UNIX identities and UNIX identity consolidation using Zones
Migrations are rarely completed in a single step. Due to schedules, system retirements, complexity and identity conflicts, an organization may choose to move some or all of the UNIX identity systems to Active Directory in phases. For example, the logical design may call for moving a NIS directory user account store into Active Directory without any modifications to the existing UNIX user attributes. This requirement may arise if the UNIX systems have a large number of files with complex user and group ownership relationships and there is a desire to move quickly to Active Directory with no disruption for users during the migration. Once the former NIS services have been transparently migrated to Active Directory, the IT organization may want to create a plan to eventually consolidate the multiple UNIX UIDs that each end user has. With DirectControl, this can be done in a number of ways based on the requirements and complexity of the organization.
• Complex designs incorporating some or all of the above elements
When migrating from one system to another, there is seldom a single method or process that can be applied to all cases. The logical design of the identity
Figure 1.6 is a representation of a potential logical design for achieving the End State using Centrify’s DirectControl solution.
Figure 1.6 (diagram content): Windows Server 2003 Active Directory (LDAP, Kerberos KDC services, time service, DNS service; existing schema or SFU schema) in the domains example.com and dept.example.com, linked by a domain trust; Active Directory user accounts; a Windows client and UNIX/Linux clients in ZoneA, ZoneB and ZoneC, each running PAM / NSS with the DirectControl Agent and exchanging AuthZ, AuthN and account info with Active Directory; Kerberized and directory-aware logins and applications; the DirectControl Admin Console and AD Users & Computers MMC; Centrify ZoneA, ZoneB and ZoneC maps & stores.
Figure 1.6. Overview of a logical design for authentication, authorization and directory services using Centrify DirectControl
For more information on how to use Zones to enable rapid migration to Active Directory, see the White Paper, “Centrify's Solution for Migrating UNIX Directories to Active Directory”.
Physical Design of Centrify DirectControl Solution
The physical design for authentication and authorization using Centrify DirectControl involves selecting the physical computers where you will install the Centrify DirectControl Windows components, the physical UNIX and Linux computers where you will install Centrify DirectControl Agents, and how you will monitor connectivity and bandwidth usage to verify performance, availability and access control goals.
If you have a large UNIX environment, you should consider the number and locations of your Active Directory domain controllers. Your physical design should address which domain controllers different sets of UNIX computers should use and whether additional domain controllers should be added to handle the increased demand from UNIX computers and users. Plans should address network bandwidth and latency as well as provisions for uninterrupted service in the event of the unplanned failure of a local domain controller. Since DirectControl supports the caching of user credentials, users will be able to continue to securely access systems that they have previously accessed even if the domain controller is not available. This is consistent with the behavior of a Windows XP system that has been joined to the domain and accessed by a domain user at least once. This capability should be taken into consideration when deciding the physical design and location of domain controllers.
DirectControl supports the secure exchange of Active Directory credentials across cross-domain trusts and forests with multiple domains. This capability, for example, enables planners to securely share application servers across multiple domains in the organization, potentially reducing the number of physical servers. Finally, the DirectControl credential caching capability enables some new potential scenarios for the physical design of the network. It is now possible to have roaming Linux or UNIX users who can securely log in to the domain accounts on their systems even when they are not on the same network as the domain controller. Figure 1.7 is an example of a physical design that leverages DirectControl for providing security and directory services to UNIX and Linux systems in a multi-domain environment.
Figure 1.7 (diagram content): the domains dept.example.com and example.com with a cross-domain trust, connected over a WAN / VPN. The Corporate LAN holds Windows Server 2003 domain controllers (one with DirectControl), Windows app servers, a Sun Solaris server and a J2EE app server with DirectControl, with Active Directory replication between domain controllers. The Branch LAN holds a Windows client and a UNIX/Linux client with the DirectControl Agent, giving a single username and password for Windows, UNIX and Linux clients and transparent single sign-on access to Windows, UNIX and Linux apps. A roaming UNIX/Linux client with the DirectControl Agent uses a single username and password with cached AuthZ and AuthN while disconnected. A Windows client with the DirectControl Admin Console and ADUC MMC performs administration.
Developing the Centrify DirectControl Solution
This section describes the tasks that are required to use the Centrify DirectControl suite to implement the End State—that is, using Active Directory to authenticate UNIX clients with Kerberos and to access UNIX authorization and identity information with LDAP. Although authentication and authorization services are treated separately in many parts of this guide, the DirectControl solution delivers a user experience for UNIX users that works seamlessly – much like the user experience on Windows clients. After you install DirectControl, when a user attempts to log on to a UNIX computer, the user enters a username and password that is then validated by Active Directory through the underlying Kerberos authentication system. After the user is authenticated, Active Directory determines how the user can use the UNIX computer based on authorization properties associated with that user's account, the computer the user is logging on to, and the groups to which the user belongs. For example, a setting might be configured in Active Directory to prevent access to the computer at the time of day when the user attempts to log on. Even though the user is authenticated, the logon session fails because the user is not authorized to use the computer at that time.
In addition, other properties associated with the user account are now stored in Active Directory and can be used to establish the user’s session on the UNIX computer or used by applications on the UNIX computer. For example, the user’s UNIX home directory is stored in Active Directory. After the user is successfully authenticated and authorized, this attribute is used to establish the user’s home directory, which is then used during the log on session on the UNIX computer.
DirectControl includes capabilities well beyond the scope of the End State solution described in this guide. For example, DirectControl includes a component for using Microsoft Group Policy to manage computer and user policies on UNIX and Linux computers. DirectControl also provides capabilities for seamless file sharing, a NIS pass-through server, and authentication modules for Web and application platforms. For more information related to capabilities in DirectControl that go beyond the End State, see “Evolving the Centrify DirectControl Solution” later in this guide, and see the Centrify Web site at http://www.centrify.com.
Introduction and Goals
The development information provided here focuses only on the aspects of DirectControl that directly support achieving the End State.
Major Tasks and Deliverables
This section describes the installation and configuration of DirectControl that you need to perform in order to develop the End State solution. The following list summarizes the major tasks required to install and configure DirectControl for this solution:
• Preparing your environment
Install a domain controller, configure DNS, create test users and groups, and verify time synchronization.
• Choose DirectControl Zones or Active Directory schema extensions
Decide whether to use DirectControl Zones, Active Directory schema extensions for SFU, or both, for storing UNIX user data.
• Install Centrify DirectControl on a Windows Server 2003 computer
• Configure Active Directory with the first DirectControl Zone
Use the Centrify DirectControl Setup Wizard to update Active Directory and to configure the default Zone.
• Enable Active Directory groups and users for UNIX
• Install the Centrify DirectControl Agent on UNIX or Linux
Run the installation script and select the tasks to perform for the specific UNIX or Linux computer on which you want to install DirectControl.
• Join the Active Directory Domain
Run the adjoin command to add a selected UNIX or Linux computer to the Active Directory domain.
• Restart running services
Restart specific services on UNIX computers, or reboot to restart all services.
Preparing Your Environment
The following sections describe how to prepare your environment for this security and directory services solution for the End State. This development environment serves as a proof-of-concept for this solution.
Preparing your environment requires the following tasks:
• Install and Configure Active Directory Domain Controllers
• Configure the DNS Server
• Create Test Users and Groups
• Verify time synchronization
Installing and Configuring Active Directory Domain Controllers
An Active Directory domain controller provides authentication and authorization data, serving as both the Kerberos Key Distribution Center (KDC) and as the authorization data store. These instructions call for installation and configuration of two domain controllers to allow for testing of UNIX authentication and authorization under failover conditions. Optionally, you can skip installation of the second domain controller for the initial configuration and install it at a later time.
To install and configure Active Directory and DNS
1. Install the Windows Server 2003 Standard Edition operating system on a computer.
2. Use the Active Directory Installation Wizard (dcpromo) to install and configure the server as an Active Directory domain controller. Use the default values supplied by the installation wizard.
3. Configure a Domain Name System (DNS) server role on the domain controller:
• Create both forward and reverse lookup zones.
• Select the option Allow both nonsecure and secure dynamic updates. Make sure that both the forward and reverse lookup zones use Active Directory-integrated DNS.
• Configure DNS for the server’s local network connection.
4. Install the Support Tools from the Windows Server 2003 CD.
• Select the option Allow both nonsecure and secure dynamic updates. With this configuration, the DNS data from the first DNS server automatically replicates to the second DNS server.
For information about installing, configuring, and securing Active Directory, see the documentation that comes with Microsoft Windows Server 2003.
For information about installing and configuring DNS, see "Deploying Domain Name System (DNS)" in the Windows Server 2003 Deployment Guide at:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/7f6df44c-06c3-4b92-ba32-63d895a7924b.mspx.
Configuring the DNS Server
The preceding section describes how to configure the DNS server role on the Active Directory domain controllers for your test environment.
If you do not use the Windows Server 2003 Active Directory domain controller as the DNS server or if you do not allow dynamic updates, additional configuration steps are necessary. This guide assumes that you use the same Windows 2003 DNS server that your Active Directory server uses. For information about other configuration options, see the Centrify DirectControl Administrator’s Guide.
Creating Test Users and Groups
It is recommended that you add all UNIX users, computers, and groups under a separate Active Directory organizational unit (OU). Using a separate container lets you apply unique group policies to the objects used by UNIX.
To create OUs, users, and groups for UNIX objects
1. Log on to a Windows computer on which Active Directory Users and Computers is installed with an account that has privileges for adding new users and groups.
2. Open Active Directory Users and Computers.
3. Create a new OU for testing UNIX users and groups. For example, create a new OU under the domain called MyUNIXTest:
a. In the console tree, right-click the domain name, point to New, and then click Organizational Unit.
b. In New Object – Organizational Unit, type MyUNIXTest under Name, and then click OK.
4. Create OUs for testing UNIX users, groups, and computers. For example, create OUs named UNIXUsers, UNIXGroups, and UNIXComputers under MyUNIXTest:
a. Right-click MyUNIXTest, point to New, and then click Organizational Unit.
b. In New Object – Organizational Unit, type UNIXUsers under Name, and then click OK.
c. Repeat steps a and b to create OUs for UNIXGroups and UNIXComputers.
5. Create two test user accounts under the UNIXUsers OU. For example, create testuser and testadmin:
a. Right-click UNIXUsers, point to New, and then click User.
b. In New Object - User, in Full name type testuser, in User logon name, type testuser, and then click Next.
c. Type and confirm a password, clear User must change password at next logon, select Password never expires, and then click Next.
CAUTION In a test environment, you might want to choose these options. In a production environment, choose more secure options.
d. Click Finish.
6. Create two test group accounts under the UNIXGroups OU. For example, create FinanceUsers and FinanceAdmins:
a. Right-click UNIXGroups, point to New, and then click Group.
b. In New Object - Group, in Group name, type FinanceUsers, and then click OK.
c. Repeat steps a and b to create another test group account called FinanceAdmins.
You can use these user and group accounts to perform a quick validation of the DirectControl solution and to verify authentication and authorization during the testing and stabilization phase. For more information, see “Performing Quick Validation Tests” later in this section, and see “Testing and Stabilizing Authentication and Authorization” later in this guide.
Verifying Time Synchronization
Check that the system clocks on all of the computers that you use in the test environment are synchronized, and that they use the Network Time Protocol or another mechanism to stay closely synchronized. This is a Kerberos requirement: all Kerberos tickets are time-stamped, and the Kerberos protocol has a narrow tolerance for discrepancies between system clocks. By default, the join Active Directory (adjoin) command (described later) performs this synchronization between the UNIX host and Active Directory when you join the domain.
Developing the Components of the Solution
The following subsections provide detailed instructions for performing the major development tasks. You can find additional information about installing and configuring DirectControl in the documentation that accompanies the product, including the Centrify DirectControl Administrator’s Guide.
Choosing DirectControl Zones or Active Directory Schema Extensions
As mentioned earlier, DirectControl supports both the use of DirectControl Zones and the use of SFU schema extensions for storing UNIX user attributes in Active Directory. Before installing DirectControl, you should evaluate whether to use SFU extensions, DirectControl Zones, or both mechanisms for storing UNIX user data.
For example, if SFU is already in use in your organization and UNIX user information is already stored in Active Directory by using the SFU extensions, it might be appropriate to use the SFU Active Directory extensions and the existing user account information. If your organization has no plans to use SFU, the most appropriate choice might be to use DirectControl Zones. If you currently use SFU but also need to migrate other UNIX directory stores to Active Directory, the best approach might be to implement a solution that uses both SFU extensions and DirectControl Zones.
Important Extending the Active Directory schema requires care. To reduce the chance that problems might arise during the schema extension process, the recommended practice is to select extension mechanisms that Microsoft supports. Before you extend the schema, see "Extending the schema" in the Windows Server 2003 Help and Support Center.
Installing Centrify DirectControl on Windows
Managing DirectControl Licenses
Centrify DirectControl is commercially licensed software. A valid license key is required for extended use of the software. If you want to evaluate the software, you can choose a 30-day trial license at the time that you install the software on a Windows computer. If, after the evaluation, you choose to purchase a license key, you can easily upgrade the product to a full commercial license through the Centrify DirectControl Administrator Console that you install in “Configuring Active Directory with the First DirectControl Zone” later in this section.
You can find information about licensing, prices and evaluation copies of DirectControl through the Centrify Web site at http://www.centrify.com or by calling the Centrify sales line at 1-650-961-1100.
Installing Centrify DirectControl Management Tools on Windows
Before you can add UNIX computers to Active Directory, you must use the setup program to install the Centrify DirectControl Management Tools on a Windows computer in the Active Directory forest. The setup program copies the necessary DirectControl files to the local Windows computer. You do not need any special permissions to run the setup program other than permission to install files on the local computer.
To install the Centrify DirectControl Management Tools on Windows
1. On a Windows-based computer onto which you want to install the DirectControl Management Tools, locate the Windows folder on the Centrify DirectControl CD or in the folders extracted from a Centrify DirectControl zip file.
2. Double-click Setup.exe to start the setup program.
3. At the Welcome page, click Next.
4. Review the terms of the license agreement. If you accept the license agreement, select I agree to these terms, and then click Next.
5. Type your name and company name, select who can use this application on the computer, and then click Next.
6. Select the components that you want to install, and then click Next.
Note Typically, the first time you run the setup program, you accept the default option to install all components. However, you can choose a custom installation if you prefer to do so.
7. Click Next to install components in the default location, or click Browse to choose a different location, and then click Next.
8. Verify your installation settings, and then click Next.
9. Click Finish to complete the installation.
When you run the setup program the first time with the default components selected, the setup program installs the Centrify DirectControl Management Tools, which include:
• The Centrify DirectControl property extensions for Active Directory Users and Computers.
• The Centrify DirectControl Administrator Console and extensions for managing NIS maps in Active Directory.
• The Centrify DirectControl Administrative Templates for configuring UNIX group policies.
• The Centrify DirectControl Administrator Console Help and other documentation.
• The Centrify DirectControl API packaged in a dynamic link library (DLL). The Centrify DirectControl API provides the Component Object Model (COM) objects that convert Active Directory application objects into Centrify-enabled UNIX user, group,
Configuring Active Directory with the First DirectControl Zone
When you start the Centrify DirectControl Administrator Console for the first time on the Windows computer onto which you installed the DirectControl Management Tools, a Setup Wizard is displayed. The wizard helps you configure the default properties for your first Centrify DirectControl Zone.
In addition, the Setup Wizard makes it easier for you to control where Centrify DirectControl container objects are placed and who has permission to modify the objects within those containers. Because the Centrify DirectControl Zone Setup Wizard creates container objects, however, you might need to log on with an account that has Enterprise Administrator privileges. This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization permits accounts with membership in the Domain Admins group, or other types of accounts, to create parent objects in Active Directory, membership in the Enterprise Admins group is not required.
You must complete all of the configuration steps, including those that set up the default Zone, before you begin adding computers to the domain. For more information about any configuration step, see the Centrify DirectControl Administrator’s Guide.
To start the Setup Wizard and update the Active Directory forest
1. On a Windows-based computer onto which you installed the DirectControl Management Tools, open the Centrify DirectControl Administrator Console.
2. At the Welcome page, click Next.
3. Select Use currently connected user credentials to use your current logon account, or select Specify another user’s credentials and type a user name and password, and then click Next.
4. Click Next to accept the default container location for license keys.
5. Select Install the 30 day evaluation license keys, and then click Next.
6. Select Create private group container, and then click Next.
7. Click Next to accept the default container location for private groups.
8. Select Create default Zone container, and then click Next.
9. Click Next to accept the default container location for Zones.
10. Select Create default Zone, and then click Next to configure the default Zone.
11. Click Next to accept the default location for the default Zone.
12. Click Next to accept the default numeric user identifier (UID) to start with for new UNIX users in the default Zone.
13. Click Next to accept the default numeric group identifier (GID) to start with for new UNIX groups in the default Zone.
14. Click Next to accept the default home directory path for creating new UNIX home directories in the default Zone.
15. Select the type of UNIX shell to use by default for users in the default Zone (for example, select /bin/sh or /bin/bash), click Set as default, and then click Next.
16. Select Private group as the default primary group for users in the default Zone, and then click Next.
Note This option allows each UNIX user to have a private Active Directory group as the primary group. If you select this option, private Active Directory groups are created automatically when you add UNIX users.
17. Select Set up property pages to allow the Centrify Profile properties to be displayed in Active Directory Users and Computers, and then click Next.
Zones UNIX Attribute Storage in Active Directory
After you run the DirectControl Setup Wizard, Centrify DirectControl information is stored in Active Directory and is visible in the Program Data folder in the Active Directory Users and Computers console tree. This structured area, which is the standard area used to store application-related information, includes centralized Centrify license information and structures for each Zone that is created. Each Zone area contains information about the UNIX computers that are members of the Zone as well as information about users and groups that have access to the Zone. Optionally, you can also store data under each Zone structure that describes the NIS maps that apply to the Zone.
Typically, you do not view or modify any of the Zone information in the Program Data folder in Active Directory Users and Computers directly. Instead, use the Centrify DirectControl Administrator Console or the Active Directory Users and Computers user, group, or computer property pages to make additions or changes to DirectControl data. The following screenshot shows Centrify information stored in Active Directory Users and Computers under the Program Data folder. To display the Program Data folder, you must select Advanced Features from the View menu in Active Directory Users and Computers. This example shows a typical Zone structure.
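Because the Zone, license and private-group containers live under Program Data and should only be changed through the Console or the property pages, it is worth reviewing which identities can actually write to them. The following PowerShell is an added example, not part of the Centrify guide; it assumes the RSAT ActiveDirectory module and its AD: drive are available, and the optional name filter is only an assumption about how you named the containers in the Setup Wizard.

```powershell
# Added example (not from the Centrify guide): list the containers under
# CN=Program Data and the identities holding write-type rights on each one.
# Assumes the RSAT ActiveDirectory module (Get-ADDomain, Get-ADObject, AD: drive).
Import-Module ActiveDirectory

function Get-ProgramDataContainerWriters {
    param(
        # Optional wildcard on the container DN, e.g. '*Centrify*' (assumed name).
        [string]$NameFilter = '*'
    )

    $domainDN    = (Get-ADDomain).DistinguishedName
    $programData = "CN=Program Data,$domainDN"

    # Every container object beneath Program Data, including the ones the
    # DirectControl Setup Wizard created for license keys, private groups and Zones.
    $containers = Get-ADObject -SearchBase $programData -SearchScope Subtree `
        -LDAPFilter '(objectClass=container)' |
        Where-Object { $_.DistinguishedName -like $NameFilter }

    # Rights that let a principal add, delete or rewrite objects in the container.
    $writeRights = 'GenericAll|GenericWrite|WriteProperty|CreateChild|DeleteChild|Delete|WriteDacl|WriteOwner'

    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        $writers = $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.ActiveDirectoryRights.ToString() -match $writeRights) } |
            Select-Object -ExpandProperty IdentityReference -Unique |
            ForEach-Object { $_.Value }

        [pscustomobject]@{
            Container = $c.DistinguishedName
            CanModify = ($writers -join '; ')
        }
    }
}

# Review the result: anything beyond the Enterprise/Domain Admins and the
# delegated DirectControl operators deserves a second look.
Get-ProgramDataContainerWriters -NameFilter '*Centrify*' | Format-Table -AutoSize -Wrap
```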
Centrify DirectControl Administrator Console Includes MMC interface
The Centrify DirectControl Administrator Console is the main tool for managing all aspects of the DirectControl product. This tool uses the same interface that is used by Microsoft MMC tools and therefore can run side-by-side with Microsoft tools that you use to manage the Active Directory environment, such as Active Directory Users and Computers. The following screenshot shows the top-level task screen for the DirectControl Administrator Console.
Figure 1.9. The Centrify DirectControl Administrator Console
You can install the Centrify DirectControl Administrator Console on any Windows-based computer that is joined to the Active Directory forest. The Console includes a comprehensive online help system that is installed with the Console. Multiple consoles can be installed on computers across the forest. Because the information used by the Console is stored centrally in Active Directory, a consistent view of the data is provided across multiple running instances of the Console.
Modifications to Active Directory Users and Computers