Centrify Server Suite 2014
Administrator’s Guide for Linux and UNIX
June 2014
Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.
© 2004-2014 Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and Centrify Server Suite, Centrify User Suite, DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.
Centrify software is protected by U.S. Patents 7,591,005, 8,024,360, and 8,321,523.
The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.
Contents
About this guide
    Intended audience
    Conventions used in this guide
    Finding information about Centrify products
    Contacting Centrify
    Getting customer support
Chapter 1 Introduction
    Understanding identity and access management
    Why integrate with Active Directory?
    What is the Centrify solution?
    What does authorization provide?
    What can you do after you deploy?
Chapter 2 Architecture and operation
    Understanding the integration of Windows and UNIX
    Understanding what’s installed on Windows
    Understanding Centrify UNIX agents
    Understanding the log-on process
    Understanding “agentless” authentication
Chapter 3 Installing and starting Access Manager
    Preparing for installation
    Installing Centrify software on Windows
    Starting DirectManage for the first time
    Installing the Centrify UNIX agent
Chapter 4 Managing zones
    Understanding Centrify zones
    Using the Access Manager Setup Wizard
    Creating a new parent zone
    Opening and closing zones
    Delegating control of administrative tasks
    Setting zone properties
    Renaming a zone
    Changing the master domain controller
    Adding a computer to a zone
    Changing the location of a zone in Active Directory
    Provisioning user and group profiles automatically
    Running reports for zones
    Searching for profiles in a domain
    Connect to a domain using Auto Zone
Chapter 5 Migrating from classic to hierarchical zones
    Planning migration from classic zones to hierarchical zones
    Upgrading to a 5.x version of Access Manager
    Creating a parent zone
    Delegating zone permissions
    Verifying that UNIX agents are running version 5.0 or newer
    Migrating users and groups, roles and rights, and NIS maps
    Moving joined computers to new hierarchical zones
    Deleting the old classic zones
    Cleaning up after migration
Chapter 6 Managing computers
    Understanding the join operation
    Deciding who can join computers to the domain
    Preparing computer accounts
    Joining a domain interactively or using a script
    Allowing password resets for computer accounts
    Designating a computer as a NIS server
    Changing the zone for the computer
    Changing the domain for a computer
    Leaving a domain
    Renaming a server
    Running reports for computers
Chapter 7 Importing existing users and groups
    Determining the source for existing user information
    Preparing to import users and groups
    Using the Import from UNIX wizard
    Checking for conflicts and matching candidates
    Mapping UNIX profiles to Active Directory accounts
    Resolving conflicts for pending users and groups
    Resolving other issues for pending users and groups
    Making imported information available to NIS clients
Chapter 8 Managing group profiles
    Creating group profiles for Active Directory groups
    Managing Active Directory group membership
    Using Zone Provisioning Agent to provision zones
    Marking a group profile as required
    Adding groups from another trusted forest
    Modifying zone-specific settings for a group profile
    Modifying a group object’s properties
    Customizing additional settings for groups
    Assigning groups to roles
    Running reports for groups
Chapter 9 Managing user profiles
    Understanding user profiles
    Adding Active Directory users to zones
    Using Zone Provisioning Agent to provision zones
    Adding users from another trusted forest
    Adding multiple profiles for a user to a zone
    Modifying zone-specific settings for a user profile
    Modifying the user profile and object properties
    Working with read-only domain controllers
    Applying password policies and changing passwords
    Working in disconnected mode
    Setting a local override account
    Customizing other settings for users
    Assigning users to roles
    Setting runtime variables
    Running reports for users
Chapter 10 Authorizing users
    Understanding authorization
    Defining specific rights
    Creating roles for job functions in a zone
    Creating a computer role
    Assigning users and groups to a role
    Working within assigned roles
    Exporting and importing rights and roles
    Modifying rights, roles, and role assignments
    Viewing rights and roles
    Migrating from sudo to dzdo
    Running reports for roles and rights
Chapter 11 Managing license containers and keys
    Understanding how licensing works
    Adding license containers
    Assigning a specific license container to a zone
    Viewing the license summary
    Adding license keys
    Removing a license key
    Running a report for licenses
Chapter 12 Generating predefined and custom reports
    Understanding the importance of reports
    Understanding the default report definitions
    Understanding current and snapshot results
    Generating a report from current or saved results
    Creating and modifying report definitions
    Exporting and importing report definitions
    Using Centrify Deployment report
    Using the database loader and report command line utilities
Chapter 13 Troubleshooting authentication and authorization
    Understanding diagnostic tools and log files
    Analyzing information in Active Directory
    Configuring logging for agent
    Collecting diagnostic information
    Working with DNS, Active Directory, and Centrify software
    Understanding the Centrify DNS client
    Filtering the objects displayed
Appendix A Using Centrify UNIX commands
    Understanding when to use command-line programs
    Displaying usage information and man pages
    Understanding common result codes
    Using adjoin
    Using adleave
    Using adcheck
    Using adchzone
    Using adlicense
    Using adpasswd
    Using adupdate
    Using adquery
    Using adgpupdate
    Using adinfo
    Using addebug
    Using admigrate
    Using adobfuscate
    Using adrmlocal
    Using adfinddomain
    Using adfixid
    Using adflush
    Using adid
    Using adsmb
    Using adsendaudittrailevent
    Using adsetgroups
    Using adclient
    Using adcache
    Using adreport
    Using adreload
    Using addbloader
    Using addns
    Using dzdo
    Using dzedit
    Using dzinfo
    Using dzsh
    Using nisflush
    Using OpenLDAP commands
Appendix B Running managed computers in FIPS 140-2 mode
    Introduction to Centrify FIPS compliance
    Setting up the Windows environment
    Configuring the agent for FIPS mode
    Recovering from a FIPS-mode error
About this guide
The Centrify Server Suite Administrator’s Guide for Linux and UNIX describes how to use Centrify software to manage user and group profiles, role-based access rights, and delegated administrative activity for Linux and UNIX computers. This guide focuses exclusively on the management of identity attributes, rights, roles, role assignments, and privileges that apply to Linux and UNIX computers. If you manage a heterogeneous environment that includes Linux, UNIX, Mac OS X, and Windows computers, you should check for additional information in the other guides that make up the Centrify documentation set.
Intended audience
The Administrator’s Guide for Linux and UNIX is intended for administrators who are responsible for managing user access to servers, workstations, enterprise applications, and network resources. This guide focuses on using the Centrify DirectManage Access software components to administer Centrify-managed UNIX and Linux computers, and on deploying the same authentication and policy services you use for Windows computers. You can perform the same administrative tasks described in this guide using a variety of other tools, but you should know how to perform common administrative tasks on the operating systems you support.
You should note that this guide does not cover deployment planning or installation details. For complete information about planning and installing Centrify software, see the Planning and Deployment Guide.
Conventions used in this guide
The following conventions are used in this guide:
Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.
Bold text is used to emphasize commands, buttons, or user interface text, and to introduce new terms.
Italics are used for book titles and to emphasize specific words or terms.
For simplicity, UNIX is used generally in this guide to refer to all supported versions of
Finding information about Centrify products
Centrify includes extensive documentation targeted for specific audiences, functional roles, or topics of interest. However, most of the information in the documentation set is intended for administrators, application developers, or security architects after you have purchased the software or licensed specific features. If you want to learn more about Centrify and Centrify products and features, start by visiting the Centrify website. From the Centrify website, you can download data sheets and evaluation software, view video demonstrations and technical presentations about Centrify products, and get the latest news about upcoming events and webinars.
Contacting Centrify
You can contact Centrify by visiting our website, www.centrify.com. On the website, you can find information about Centrify office locations worldwide, email and phone numbers for contacting Centrify sales, and links for following Centrify on social media. If you have questions or comments, we look forward to hearing from you.
Getting customer support
If you have a Centrify account, click Support on the Centrify website to log on and access the Centrify Customer Support Portal. From the support portal, you can search knowledge base articles, open and view support cases, connect with other Centrify users on customer forums, and access additional resources—such as online training, how-to videos, and diagnostic tools.
Chapter 1
Introduction
This chapter provides an introduction to identity, access control, and configuration management and to the main components of Centrify Server Suite, including a brief overview of the ways Centrify software can help organizations leverage their investment in Active Directory.
The following topics are covered:
Understanding identity and access management
Why integrate with Active Directory?
What is the Centrify solution?
What does authorization provide?
What can you do after you deploy?
Understanding identity and access management
For most organizations, it is critical to control access to computer and application resources to prevent disruption of service, data tampering, or security breaches. Managing who has access efficiently and securely is especially difficult in heterogeneous environments that may include a combination of Windows, Linux, UNIX, and Mac OS X servers and workstations. In cross-platform environments, securing access to computers and applications typically involves managing multiple identity stores with multiple authentication mechanisms. As the following figure suggests, there are many authentication mechanisms available for UNIX and Linux systems, but they are typically isolated from each other and managed separately.
Users who have access to more than one application or computer platform often have multiple login accounts with conflicting user name or password policy requirements. In addition, individual applications and services may use any of these standard mechanisms or have their own specialized authentication method.
Because managing user accounts and access using all of these different mechanisms across an enterprise is impractical, Centrify provides a way to centralize and simplify the management of user accounts and access to computers and applications through Active Directory.
Why integrate with Active Directory?
Many organizations already have a significant investment in their Windows infrastructure, with Windows workstations often used as desktop systems and Windows servers handling critical business services such as messaging or database transactions. For Windows workstations and servers, Active Directory is the core technology for managing users, computers, and other resources, and, therefore, is a requirement for any organization that manages Windows resources.
In addition to being a key component of the organization’s infrastructure, Active Directory provides a complete set of tools for authentication, authorization, and directory service, making it an ideal candidate for managing user accounts and access to computer resources. By extending Active Directory to manage Linux, UNIX, and Mac OS X computers, Centrify software provides administrators with a comprehensive identity and access management solution while reducing administrative complexity and overhead.
[Figure: authentication mechanisms on UNIX and Linux computers compared with Windows computers. UNIX and Linux computers: local accounts stored in local files on individual servers and workstations; NIS and NIS+ servers and account maps providing a central repository for UNIX accounts; Kerberos realms and Key Distribution Center providing authentication for some users and services; LDAP authentication for LDAP transactions. Windows computers: Active Directory forests with Kerberos authentication and LDAP directory service.]
What is the Centrify solution?
As the previous section suggests, Centrify delivers secure access control and centralized identity management by integrating UNIX, Linux, and Mac OS X servers and workstations, and SAP, J2EE, and Web platforms with Microsoft Active Directory.
Through the Centrify UNIX agent, UNIX, Linux, and Mac OS X servers and workstations can become part of an Active Directory domain and act as Active Directory clients. Once part of a domain, you can secure those systems using the same authentication, access control, and group policy services you deploy for Windows computers. Additional modules work with the Centrify UNIX agent to provide services such as single sign-on for Web applications and SAP, and Samba integration. The Centrify tools provide an Access Manager console, extensions for Active Directory Users and Computers, out-of-the-box reporting, and account migration tools.
With Centrify software, organizations with diverse IT environments can leverage their investment in Active Directory to:
Move to a central directory with a single point of administration for user accounts and security policy.
Use Centrify zones to provide secure, granular access control and delegated administration.
Extend single sign-on to internal end-users and external business partners and customers.
Simplify compliance with regulatory requirements.
Deploy quickly without intrusive changes to the existing infrastructure.
Moving to a central directory
By consolidating user accounts in Active Directory, organizations can improve IT efficiency and move toward a more secure, connected infrastructure for their heterogeneous environment. Using Centrify software enables an organization to:
Strengthen security by consolidating user accounts into Active Directory, making it easy for IT managers to disable the accounts of departing employees, and locate and eliminate security risks posed by orphan accounts.
Reduce infrastructure costs by eliminating redundant identity stores, including legacy directories, un-secured NIS servers, dedicated application databases and locally managed /etc/passwd files.
Streamline operations by standardizing on a single set of Active Directory-based tools to simplify administrative training and in-house processes for account provisioning, maintenance, and other tasks.
Establish consistent password policies across a heterogeneous environment by enforcing Active Directory’s rules for password complexity and expiration for all users regardless of where they log in.
Enforce consistent security and configuration policies across UNIX, Linux, and Mac OS X servers and workstations by adding Centrify group policy templates for computer- and user-based configuration settings to Windows Group Policy Objects.
Improve productivity and satisfaction for end-users, who now have only one password to remember, and make fewer Help Desk calls to reset passwords or update their account information.
Using Centrify zones for granular control
Centrify’s patented zone technology delivers the granular access control that real-world enterprises need to securely manage heterogeneous environments. With Centrify zones, IT managers can:
Segregate logical collections of UNIX, Linux, or Mac OS X computers into Centrify zones within Active Directory. Computers can be organized by any grouping that makes sense for a particular organization, including department, geography, function, and system type.
Use Active Directory’s role-based access model to allow users and groups to log on only to the systems in the zones for which they are authorized.
Use Centrify authorization features to grant users roles with the exact rights they need to access specific computers and accomplish the tasks associated with their job function.
Grant system administrators the administrative privileges they need only on the zones where there are computers they need to manage without elevating their privileges for other computers or zones.
Enforce consistent security and configuration policies that are specific to the computers within a zone.
A specific, powerful feature of zones is the ability to create a hierarchical structure of parent and child zones that enables rapid and dynamic provisioning of identity and access control. For example, you can define profile and access data at a higher level of the tree that is inherited by child zones at a lower level in the tree. At any level, including an individual computer, you are able to override profile data to fine-tune the identity of users on a joined computer. And at any level you can add access controls specific to that zone or computer that do not apply to computers joined to a zone at a higher level of the tree.
Creating a zone hierarchy provides powerful features, such as the ability to:
Rapidly provision a domain by adding users in a high level zone, then assigning access in
Provide users with different identities for different computers by overriding their profiles in a child zone or at the computer level — for example, by defining different shells or home directories for different types of computers to which they have access.
Create roles in a global zone that can be used by multiple child zones.
Extending single sign-on for web applications and SAP
Centrify software provides Active Directory-based single sign-on for intranet and extranet applications running on SAP, Apache, and popular J2EE servers. These add-on modules for SAP, Apache, or J2EE provide:
Active Directory-based single sign-on (SSO) through Kerberos and LDAP for end-users accessing intranet applications.
Federated identity authentication through Microsoft Active Directory Federation Services (ADFS) for business-to-business and business-to-customer extranet web applications.
Support for popular application servers running on UNIX, Linux, or Windows.
Mapping between Active Directory users and groups and Web application roles to leverage the existing Active Directory infrastructure.
Simplify compliance with regulatory requirements
Centrify software simplifies the administrative, reporting, and auditing tasks brought on by Sarbanes-Oxley, PCI, HIPAA and other government and industry regulations. The combination of Active Directory and Centrify provides the following benefits:
IT managers can reliably manage user accounts, set access controls, and enforce security policies across the enterprise from a single point of administration.
Zone-based access controls enable IT managers to limit administrative rights and end-user access to sensitive systems, and the Access Manager console and Centrify utilities and tools make it easy for IT managers to view and change zone-based access controls.
Out-of-the box reports can be used to satisfy auditing requirements and can identify the computers any specific user can access, and which users can access any specific computer or application.
By extending Active Directory’s password requirements and Group Policy features to UNIX, Linux, and Mac OS X servers and workstations, Centrify software enables IT managers to enforce consistent, enterprise-wide security policies in a manner that can be verified by auditors.
By ensuring activity on UNIX, Linux, and Mac OS servers and workstations is written to the proper Active Directory logs, Centrify enables you to verify who has access to computers.
Deploying without changes to existing infrastructure
Centrify products support open standards and rely on a unified architecture that makes Centrify software easy to deploy without making any changes to your existing Active Directory or network infrastructure. Centrify Server Suite offers the following benefits:
You do not need to install any software on any domain controllers, or make any changes to the Active Directory schema to store UNIX identity data.
You can use any native or custom Active Directory schema, including the Microsoft Services for UNIX (SFU) schema extension, and the RFC 2307 Active Directory schema.
You can map multiple UNIX identities to a given Active Directory account, and access this UNIX data in Active Directory using the tools of your choice, including ADSI or LDAP commands.
You can rely on the core Centrify UNIX agent to deliver a single comprehensive solution for identity management, access control, and policy enforcement, with add-on modules to provide single sign-on services and integration.
Centrify accelerates an organization’s productivity by offering free downloads of open source tools such as OpenSSH and PuTTY, which have been modified to work seamlessly with Active Directory.
What does authorization provide?
The built-in authorization facility, also known as DirectAuthorize, centrally manages and enforces role-based entitlements for fine-grained control of user access and privileges on UNIX and Linux systems. By controlling how users access systems and what they can do on those computers, DirectAuthorize enables organizations to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords.
With DirectAuthorize you can:
Meet regulatory compliance requirements with a centralized, role-based model for fine-grained delegation of administrative rights on UNIX and Linux systems.
Secure your UNIX and Linux infrastructure by eliminating the need to share the passwords of root or super-user accounts with privileged access.
Implement integrated authentication, authorization, and auditing, leveraging the same underlying architecture at a fraction of the cost of alternative solutions.
Leverage your existing Active Directory infrastructure for role-based entitlement management without the need to deploy additional servers or infrastructure.
Replace sudo or other complex, script-driven products with a modern, role-based
Deploy a highly available solution for privilege management that works well in a networked environment and does not require changes to your UNIX systems.
Managed through the Access Manager console, and as part of an integrated suite of tools, DirectAuthorize provides a simple, scalable solution for managing the cross-platform environment.
What can you do after you deploy?
Once the Centrify UNIX agent is deployed on a server or workstation, that computer is considered a managed system.
When a computer is managed by Centrify, an administrator with the proper permissions can perform the following common tasks:
Discover the computers in your UNIX environment, then rapidly migrate existing accounts and access rights into Active Directory.
Specify which Active Directory users and groups can log on to a specific UNIX computer or group of computers, and define the commands that each user is allowed to execute on those computers.
Identify groups of dedicated servers and create computer roles that define the set of roles that apply to those computers and the user groups that execute tasks on them; for example, create a computer role for servers that host a database and apply roles for the DBA group that manages those servers.
Control user access to UNIX computers across one or more Active Directory forests, regardless of the organizational structure you use and where users are defined in that structure.
Map local UNIX accounts, such as service accounts or the root user, to Active Directory accounts for centralized control over the passwords, or set specific local UNIX accounts to be authenticated locally rather than through Active Directory.
Define zones and zone properties and delegate the rights necessary to manage UNIX computer, user, and group accounts in any zones to other users, as needed.
Configure and apply group policies for UNIX computers and users.
When a computer is managed by Centrify, authorized users can perform the following common tasks:
Log on to the UNIX shell or desktop program and use standard programs and services such as telnet, ssh, and ftp.
Log on to a computer that is disconnected from the network or unable to access Active Directory, if they have successfully logged on and been authenticated by Active Directory previously.
Manage their Active Directory passwords directly from the UNIX command line,
Chapter 2
Architecture and operation
This chapter provides an overview of the Centrify software architecture and the basic flow of operation for a typical log-on session. For more detailed information about the architecture and the operations handled by different software components, see the Planning and Deployment Guide.
The following topics are covered:
Understanding the integration of Windows and UNIX
Understanding what’s installed on Windows
Understanding Centrify UNIX agents
Understanding the log-on process
Understanding “agentless” authentication
Understanding the integration of Windows and UNIX
Because Centrify Server Suite provides an integration layer between Windows and other operating environments, it consists of the following primary components:
On Windows, the Centrify DirectManage Access Manager console and property extensions enable you to add and manage UNIX-specific properties in Active Directory.
On Windows, the DirectManage tools enable you to discover the computers in your UNIX environment that are available to be managed by Centrify software, and to rapidly migrate existing accounts and access rights from these computers into Active Directory.
On non-Windows computers, the Centrify UNIX agent enables the local host computer to join an Active Directory domain.
Once the Centrify UNIX agent is deployed on a server or workstation, that computer is considered a managed system and it can join any Active Directory domain you choose. When a managed system joins an Active Directory domain, it essentially becomes an Active Directory client and relies on Active Directory to provide authentication, authorization, policy management, and directory services. The interaction between the Centrify UNIX agent on the local computer and Active Directory is similar to the interaction between a Windows client computer and its Active Directory domain controller, including failover to a backup domain controller if the UNIX computer is unable to connect to its primary domain controller.
The following figure provides a simplified view of the integration between Active Directory and UNIX through Centrify software.
To centrally manage access across different platforms using Microsoft Active Directory, you need to:
- Prepare the Active Directory environment by installing the Centrify DirectManage Access Manager console and the Centrify utilities and tools on at least one Windows computer, and use them to update the Active Directory forest with Centrify properties.
- Ensure each UNIX, Linux, or Mac OS X computer can communicate with an Active Directory domain controller to present valid credentials for authentication. For successful communication, the managed computer must be able to resolve the address of its Active Directory domain controller through DNS.
- Install the Centrify UNIX agent (adclient) on the UNIX, Linux, or Mac OS X computers that will be joining an Active Directory domain.
- Run the join command on each UNIX, Linux, or Mac OS X computer to be managed, specifying the Active Directory domain to join.
- Use Active Directory Users and Computers or the Access Manager console to authorize access to the UNIX, Linux, and Mac OS X computers for specific users and groups.

Now that you are familiar with the basics, the next sections provide a closer look at what’s included with Centrify Server Suite, including the Centrify utilities and tools installed on Windows, and the Centrify UNIX agent installed on other platforms.
Understanding what’s installed on Windows
Figure (integration between Active Directory and UNIX): Windows servers and workstations run the Centrify Utilities and Tools, the Centrify DirectManage Access Manager console and the ADUC property extensions, which manage Active Directory user accounts (the example account in the figure is chris); UNIX, Linux, and Mac OS X servers and workstations are the managed systems.

When you install Centrify DirectManage on a Windows computer, you can choose which components you want to install. After you start the setup program, the Setup Wizard lists the components available. Most of the components are optional and can be installed either together or separately.
Choosing a console for managing Centrify properties
From the main Centrify DirectManage Access setup program, you can choose the method you want to use for managing Centrify properties. You do this by selecting one or both of the following components:
- The ADUC property page extension for Active Directory can be installed on any computer that is joined to an Active Directory domain and has Active Directory Users and Computers installed. The property extension allows you to use Active Directory Users and Computers to store UNIX-specific attributes. You are not required to install the property extension if you do not intend to use Active Directory Users and Computers to view or manage UNIX-specific attributes.
- The Access Manager console must be installed on at least one computer that can access domains in Active Directory. The Access Manager console provides a central location for managing UNIX users, groups, and computers and performing administrative tasks, such as importing accounts, running reports, and analyzing account information. The Access Manager console includes a Setup Wizard that updates the Active Directory forest to include Centrify properties the first time you start the console. The update to the Active Directory forest does not make any changes to the underlying Active Directory schema you have installed.
Note Some optional components require the Access Manager console to be installed on the same computer. For example, the Extension for NIS Maps can only be installed on a computer where you install the Access Manager console. For more information about installing optional components, see “Choosing optional DirectManage Access components” on page 21.
The Access Manager console is a Microsoft Management Console (MMC) snap-in and is the primary tool for managing Centrify-specific information stored in Active Directory. It provides access to a full spectrum of management activities including the ability to manage UNIX, Linux, Mac OS X, and Windows computers, set and modify user and group properties, create and manage zones, and add Active Directory users and groups to zones. In addition, you can install the DirectManage DeploymentManager console, which enables you to find computers in your UNIX environment, evaluate their readiness for management by Centrify, install the Centrify UNIX agent, and rapidly import user accounts into Active Directory.
Choosing optional DirectManage Access components
- The NIS Map extension can be installed on any computer where you install the Access Manager console if you want to import and manage NIS maps for network information, such as netgroup and auto.master, in Active Directory. The extension is not required for importing users and groups.
- The Documentation and DirectManage Help for the Access Manager console can be installed on any Windows computer and are installed by default on the computer where you install the Access Manager console.
- The Group Policy Management Editor Extension can be installed on any computer where the Group Policy Object Editor is available if you want to apply Centrify group policies to a site, domain, or organizational unit that includes Centrify-managed computers or users.
- The DirectManage Access Utilities include the following:
  - DirectManage DeploymentManager console enables you to find computers in your UNIX environment, evaluate their readiness for management, install the Centrify UNIX agent, and rapidly import user accounts into Active Directory.
  - Centrify Zone Provisioning Agent can be installed on any computer where you install the Access Manager console. The Zone Provisioning Agent automates the process of adding users to new zones by linking AD groups to Centrify zones.
  - Password Synchronization extension installs the Password Synchronization service.
  - Centrify (Kerberized) PuTTY installs Centrify PuTTY, a terminal emulator that is optimized to work with Centrify software and Active Directory.

The following figure provides a simplified view of the architecture.

Figure (architecture): in the Windows environment, the Centrify Utilities and Tools (the DirectManage Access Manager console, the DirectManage Access property extensions, and Active Directory Users and Computers) communicate with the Active Directory domain controller; in the UNIX environment, the Centrify UNIX agents (adclient on each managed computer) communicate with the same domain controller.
Understanding Centrify UNIX agents
The Centrify UNIX agent makes a UNIX, Linux, or Mac OS X computer look and behave like a Windows client computer to Active Directory. The Centrify UNIX agent performs the following key tasks:
- Joins the UNIX, Linux, or Mac OS X computer to an Active Directory domain.
- Communicates with Active Directory to authenticate users when they log on and caches credentials for offline access.
- Enforces Active Directory authentication and password policies.
- Extends Active Directory group policies to manage configuration settings for UNIX users and computers.
- Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.
Although the individual agents you install are platform-specific, the Centrify UNIX agent is a tightly integrated suite of services that work together to ensure seamless operation between existing UNIX programs and applications and Active Directory authentication, authorization, and directory service.
The following figure provides a closer look at the services provided through the Centrify UNIX agent:
Figure (Centrify UNIX agent): the Centrify adclient service library, with its cached credentials and search results, communicates with the Active Directory domain controller. Around adclient are the Kerberos environment used by Kerberos-enabled applications and the core services for UNIX shell programs and applications: the PAM module, the NSS module, the command line programs, and other add-on modules (Apache, JAAS realm, SPNEGO, NIS).

As this figure suggests, the Centrify UNIX agent includes the following core components:
- The core Centrify UNIX agent is the adclient process that handles all of the direct communication with Active Directory. The agent contacts Active Directory when there are requests for authentication, authorization, directory assistance, or policy updates, then passes valid credentials or other requested information along to the programs or applications that need this information.
- The Centrify Pluggable Authentication Module (PAM), pam_centrifydc, enables any PAM-enabled program, such as ftpd, telnetd, login, and sshd, to authenticate using Active Directory.
- The Centrify NSS module is added to nsswitch.conf so that system look-up requests use the Centrify UNIX agent to look up and validate information using Active Directory through LDAP.
- The Centrify command line programs (CLI) enable you to perform common administrative tasks, such as joining and leaving the Active Directory domain or changing user passwords for Active Directory accounts, from the UNIX command prompt. These command line programs can be used interactively or in scripts to automate tasks.
- The Centrify Kerberos environment generates a Kerberos configuration file (/etc/krb5.conf) and a default key table (krb5.keytab) to enable your Kerberos-enabled applications to authenticate through Active Directory. These files are maintained by the Centrify UNIX agent and are updated to reflect any changes in the Active Directory forest configuration.
- The Centrify local cache stores user credentials and other information for offline access and network efficiency.
In addition to these core components, the Centrify UNIX agent can also be extended with the following add-on modules:
- The Centrify libraries for Apache, Tomcat, JBoss, WebLogic, or WebSphere plug in to the native authentication mechanisms for each Web server to enable you to configure Web applications to use Active Directory for authentication.
- The Centrify libraries for SAP plug in to the native authentication mechanisms for each SAP server to enable you to configure SAP applications to use Active Directory for authentication.
- The Centrify Network Information Service (adnisd) is a separate service that works in conjunction with the Centrify UNIX agent to enable you to store NIS maps in Active Directory and publish that information to NIS clients through the Centrify agent.
- Optional utilities and programs, such as updated Kerberos, OpenSSH, Samba, or PuTTY utilities, that have been optimized to work with Centrify software and Active Directory.
Understanding the log-on process
The core Centrify UNIX agent components work together to identify and authenticate the user any time a user logs on to a computer using any UNIX command that requires the user to enter credentials. The following steps summarize the interaction to help you understand the process for a typical log on request. The process is similar for UNIX commands that need to get information about the current user or group.
Note The following steps focus on the operation of the Centrify UNIX agent rather than the interaction between the Centrify UNIX agent and Active Directory. In addition, these steps are intended to provide a general understanding of the operations performed through the Centrify UNIX agent and do not provide a detailed analysis of a typical log-on session.

When a user logs on to the UNIX computer, the following takes place:
1 A login process starts and prompts the user to supply a user name.
2 The user responds by entering a valid local or Active Directory user name.
3 The login process, which is a PAM-enabled program, then reads the PAM configuration
file, /etc/pam.conf, and determines that it should use the Centrify PAM service, pam_centrifydc, for identification. The UNIX login process then passes the log-in
request and the user name to the Centrify Pluggable Authentication Module (PAM) service for processing.
4 The PAM service checks parameters in the centrifydc.conf configuration file to see if
the user name entered is an account that should be authenticated locally.
If the user should be authenticated locally, the PAM service passes the log-in request
to the next PAM module in the PAM configuration file, for example, to the local configuration file /etc/passwd.
If the user is not set to be authenticated locally, the PAM service checks to see if the
Centrify UNIX agent process, adclient, is running. If it is, the PAM service passes the
log-in request and user name to adclient for processing.
5 The adclient process connects to Active Directory and queries the Active Directory
domain controller to determine whether the user name included in the request is a Centrify user who has access to computers in the current computer’s zone.
If adclient is unable to connect to Active Directory, it queries the local cache to
determine whether the user name has been successfully authenticated before.
If adclient can connect to Active Directory but the user account does not have access
to computers in the current zone or if the user can’t be found in Active Directory or the local cache, adclient checks the centrifydc.conf configuration file to see if the
user name is mapped to a different Active Directory user account.
If the user name is mapped to another Active Directory account in the configuration
file, adclient queries the Active Directory domain controller or local cache to
determine whether the mapped user name has access to computers in the current computer’s zone.
6 If the user has a UNIX profile for the current zone, adclient receives the zone-specific
information for the user, such as the user’s UID, the user’s local UNIX name, the user’s global Active Directory user name, the groups of which the user is a member, the user’s home directory, and the user’s default shell.
7 The adclient process checks the Centrify zone’s authorization store to determine
whether the system right for password login is enabled. If so, adclient goes to the next
step to query NSS.
8 The adclient process queries through the NSS service to determine whether there are
any users logged in with same UID. If there are no conflicts, the log-in request continues and adclient passes the request to the PAM service to have the UNIX login process
prompt for a password.
9 The UNIX login process prompts the user to provide a password and returns the
password to the PAM service.
10 The PAM service checks the Centrify authorization store to verify that the user has access to the PAM login application.
11 If the current user account is not prevented from logging on by lack of a PAM-access right, the PAM service queries adclient to see if the user is authorized to log on.
12 The adclient process queries the Active Directory domain controller through Kerberos
to determine whether the user is authorized to log on to the current computer at the current time.
13 The adclient process receives the results of its authorization request from Active
Directory and passes the reply to the PAM service.
If the user is not authorized to use the current computer or to log in at the current
time, the PAM service denies the user’s request to log on through the UNIX login
process.
If the user’s password has expired, the PAM service sends a request through the UNIX login process asking the user to change the password. After the user supplies the
password, log-in succeeds.
If the user’s password is about to expire, the PAM service notifies the user of
impending expiration through the UNIX login process.
If the user is authorized to log on and has a current password, the login process
completes successfully. If this is the first time the user has logged on to the computer through the agent, the PAM service creates a new home directory on the computer in the location specified in the centrifydc.conf configuration file by the parameter pam.homeskel.dir.
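The following Python script is an added example and is not part of the Centrify software or its documentation. It audits the three configuration files the log-on steps above rely on: the PAM stack (is pam_centrifydc present, and stacked ahead of pam_unix?), nsswitch.conf (do passwd and group look-ups consult the centrifydc NSS module?), and krb5.conf (is the joined domain the default realm, with a matching [realms] entry?). File contents are passed in as strings so the checks run offline on constructed samples; the sample PAM lines, the realm and domain names, and the assumption that a module name ends in .so are illustrative choices, not taken from this guide.

```python
"""Post-join configuration audit for a Centrify-managed Linux host.

Added example, not part of the Centrify software or documentation. Checks the
PAM stack, nsswitch.conf and krb5.conf that the log-on walk-through relies on.
Contents are passed as strings so the checks run offline on the constructed
samples below; on a real host read /etc/pam.d/<service> (or /etc/pam.conf),
/etc/nsswitch.conf and /etc/krb5.conf.
"""
import re
from typing import List

PAM_TYPES = {"auth", "account", "password", "session"}


def pam_auth_modules(text: str) -> List[str]:
    """Module names of the auth stack in stacking order. Accepts the /etc/pam.d/<service>
    layout (type control module ...) and the /etc/pam.conf layout (service type control
    module ...). The module is taken as the first token ending in .so, so a bracketed
    control such as [success=ok default=die] needs no special handling."""
    modules = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        typ = f[0] if f[0] in PAM_TYPES else (f[1] if len(f) > 1 else "")
        if typ != "auth":
            continue
        module = next((tok for tok in f if tok.endswith(".so")), None)
        if module:
            modules.append(module)
    return modules


def check_pam(text: str) -> List[str]:
    mods = pam_auth_modules(text)
    centrify = [i for i, m in enumerate(mods) if "pam_centrifydc" in m]
    unix = [i for i, m in enumerate(mods) if "pam_unix" in m]
    if not centrify:
        return ["PAM: pam_centrifydc is not in the auth stack; AD users cannot authenticate"]
    if unix and unix[0] < centrify[0]:
        return ["PAM: pam_unix is stacked before pam_centrifydc; AD users reach the local check first"]
    return []


def check_nsswitch(text: str) -> List[str]:
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return [f"nsswitch.conf: {db} does not consult centrifydc (sources: {' '.join(dbs.get(db, [])) or 'none'})"
            for db in ("passwd", "group") if "centrifydc" not in dbs.get(db, [])]


def check_krb5(text: str, domain: str) -> List[str]:
    expected = domain.rstrip(".").upper()  # AD realm name is the DNS domain in upper case
    section, default_realm, realms = None, None, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and line.startswith("default_realm") and "=" in line:
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            m = re.match(r"([\w.\-]+)\s*=\s*\{", line)
            if m:
                realms.add(m.group(1))
    findings = []
    if default_realm != expected:
        findings.append(f"krb5.conf: default_realm is {default_realm!r}, expected {expected!r}")
    if expected not in realms:
        findings.append(f"krb5.conf: no [realms] entry for {expected}")
    return findings


def audit(pam_text: str, nss_text: str, krb5_text: str, domain: str) -> List[str]:
    """All findings; an empty list means the host is wired up as the walk-through assumes."""
    return check_pam(pam_text) + check_nsswitch(nss_text) + check_krb5(krb5_text, domain)


# Constructed samples, not copied from any real host.
GOOD_PAM = """\
auth     sufficient pam_centrifydc.so
auth     requisite  pam_centrifydc.so deny
auth     required   pam_unix.so try_first_pass
account  sufficient pam_centrifydc.so
account  required   pam_unix.so
session  required   pam_centrifydc.so homedir
"""
BAD_PAM = "auth required pam_unix.so\nauth sufficient pam_centrifydc.so\n"
GOOD_NSS = "passwd: files centrifydc\ngroup:  files centrifydc\nhosts:  files dns\n"
BAD_NSS = "passwd: files centrifydc\ngroup:  files\n"
GOOD_KRB5 = "[libdefaults]\n default_realm = EXAMPLE.COM\n[realms]\n EXAMPLE.COM = {\n  kdc = dc1.example.com\n }\n"

if __name__ == "__main__":
    for finding in audit(BAD_PAM, BAD_NSS, GOOD_KRB5, "corp.example.com"):
        print(finding)
```

On a joined host, read the real files (for example /etc/pam.d/system-auth, /etc/nsswitch.conf, and /etc/krb5.conf) and pass their contents to audit() together with the joined domain. An empty result means the path described above is in place; each finding names the file that would make an Active Directory log-on fall back to local authentication or fail outright.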
The following figure provides a simplified view of a typical log-on process when using Centrify software.
Understanding “agentless” authentication
The previous section described a typical log-on session for a Centrify-managed computer where the Centrify UNIX agent is installed. For computers and devices where you cannot install a Centrify UNIX agent, you may still be able to provide Active Directory
authentication by using the Centrify Network Information Service (adnisd). The Centrify
Network Information Service provides “agentless” authentication from Active Directory for computers that have older or unsupported operating systems but that can be, or already are, configured as NIS clients.
The following figure provides a simplified view of this environment.

Figure (typical log-on process, referenced in the previous section): the user starts a UNIX log-on process using a command such as login, telnet, or ssh. PAM-enabled services go through pam_centrifydc and UNIX look-up requests through nss_centrifydc (the agent checks /etc/pam.conf and /etc/nsswitch.conf), Kerberos applications use the Kerberos keytab and configuration file, and adclient checks the /etc/centrifydc.conf settings for override, allow, deny, and password expiration, consults its local cache of credentials and search results, and contacts the Active Directory domain controller for the computer’s zone (ConsumerDivision in the figure).

Figure (“agentless” authentication): computers with older, unsupported operating systems (“agentless” systems) submit NIS client requests to the NIS listening port on a Centrify-managed system, where adnisd serves NIS maps generated from information in Active Directory, which adnisd obtains through adclient from the Active Directory domain controller.
In this scenario, the Centrify zone acts as the NIS domain for a group of computers or devices that are configured as NIS clients. Those clients submit requests to the Centrify Network Information Service, adnisd, listening on the NIS port.
The Centrify Network Information Service periodically contacts the Centrify UNIX agent,
adclient, to get updated information from Active Directory and generates a set of “maps”
that it stores locally. The Centrify Network Information Service can then use the information in these maps to respond to NIS client requests for authentication or other services.
Chapter 3
Installing and starting Access Manager
This chapter provides a brief summary of the steps for installing Centrify software on Windows and UNIX computers and starting Access Manager for the first time. For more information about preparing for deployment and installing Centrify software, see the
Planning and Deployment Guide. The following topics are covered:
Preparing for installation
- Installing Centrify software on Windows
- Starting DirectManage for the first time
- Installing the Centrify UNIX agent
Preparing for installation
Before installing Centrify software:
1 Verify that you have Active Directory installed and have access to at least one Windows computer acting as a domain controller.
2 Verify that the domain controller or another computer you can access is the primary DNS server.
3 Check whether the Windows computer where you intend to install Access Manager has Active Directory Users and Computers installed.
You can perform many administrative tasks for Linux and UNIX computers and users using Active Directory Users and Computers instead of Access Manager, if you choose to do so.
4 Verify that you have root level access for installing the Centrify UNIX agent on non-Windows computers.
5 Verify that you have an Active Directory account with sufficient rights to add containers and objects to the Active Directory domain.
6 Verify that all of the computers where you are planning to install Centrify software meet the basic system requirements.
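As an added example, not taken from the Centrify documentation or software, the following Python script performs the DNS part of this checklist from the UNIX side: it resolves the SRV records that Active Directory publishes for its domain controllers (LDAP), its Kerberos KDCs, and its password-change service, orders the answers the way a client should try them, and reports any service that cannot be located. The Python standard library has no SRV resolver, so the live path shells out to the dig utility; the lookup function is injectable, and the constructed answers for example.com with hosts dc1 and dc2 are assumptions used for the offline run.

```python
"""Pre-installation check: can this host find its domain controllers in DNS?

Added example, not part of the Centrify software or documentation. Active
Directory publishes domain controllers as DNS SRV records and the agent must
resolve them before a join can succeed. The live path shells out to dig; the
lookup is injectable so parsing and ordering can be exercised offline on the
constructed answers at the bottom.
"""
import shutil
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class SrvTarget:
    priority: int
    weight: int
    port: int
    host: str


def srv_names(domain: str) -> Dict[str, str]:
    """SRV names Active Directory registers: LDAP on a domain controller,
    the Kerberos KDC, and the kpasswd password-change service."""
    d = domain.rstrip(".").lower()
    return {
        "ldap": f"_ldap._tcp.dc._msdcs.{d}",
        "kerberos": f"_kerberos._tcp.{d}",
        "kpasswd": f"_kpasswd._tcp.{d}",
    }


def parse_srv_answer(output: str) -> List[SrvTarget]:
    """Parse `dig +noall +answer SRV <name>` lines of the form
    `<name> <ttl> IN SRV <priority> <weight> <port> <target>` and return them
    in client try order (RFC 2782: lowest priority first, higher weight preferred)."""
    targets = []
    for line in output.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3].upper() == "SRV":
            targets.append(SrvTarget(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".")))
    return sorted(targets, key=lambda t: (t.priority, -t.weight, t.host))


def dig_srv(name: str) -> str:
    """Live lookup; requires dig on the path."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    return subprocess.run(["dig", "+noall", "+answer", "SRV", name],
                          check=True, capture_output=True, text=True).stdout


def find_domain_controllers(domain: str,
                            lookup: Callable[[str], str] = dig_srv) -> Dict[str, List[SrvTarget]]:
    return {svc: parse_srv_answer(lookup(name)) for svc, name in srv_names(domain).items()}


def missing_services(found: Dict[str, List[SrvTarget]]) -> List[str]:
    """Services with no SRV record; anything listed here will stop the join
    from locating a domain controller for that service."""
    return [svc for svc, targets in found.items() if not targets]


# Constructed dig answers for example.com (not a real lookup); kpasswd is
# deliberately absent to show how a gap is reported.
SAMPLE_ANSWERS = {
    "_ldap._tcp.dc._msdcs.example.com":
        "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 10 100 389 dc2.example.com.\n"
        "_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.\n",
    "_kerberos._tcp.example.com":
        "_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc1.example.com.\n",
    "_kpasswd._tcp.example.com": "",
}


def sample_lookup(name: str) -> str:
    return SAMPLE_ANSWERS.get(name, "")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = find_domain_controllers(sys.argv[1])           # live: python3 dccheck.py corp.example.com
    else:
        found = find_domain_controllers("example.com", sample_lookup)
    for svc, targets in found.items():
        print(svc, [f"{t.host}:{t.port}" for t in targets] or "NOT FOUND")
    print("missing:", missing_services(found))
```

Run it with the domain you intend to join before running install.sh or adjoin. If the ldap or kerberos entry comes back empty, the host is not using a DNS server that carries the Active Directory zone, which is exactly what step 2 of the checklist is meant to rule out.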
Installing Centrify software on Windows
To install the Centrify Server Suite on Windows:
1 Log in to the Windows computer and locate the Centrify software package for the Windows 32-bit or Windows 64-bit architecture.
2 Open the autorun.exe file to display the suite installer Getting Started page if it is not displayed automatically.
3 On the Getting Started page, click Access to start the setup program for DirectManage Access components.
If any programs must be updated before installing, the setup program displays the updates required and allows you to install them. After updates are complete, you can restart the setup program.
4 At the Welcome page, click Next.
5 Review the terms of the license agreement, click I agree to these terms, then click Next.
6 Type your name and organization, then click Next.
7 Expand and select the DirectManage Access - Administration components you want to install, then click Next.
You can choose to install components separately on different computers or at a later time, if needed. At a minimum, you should install the ADUC property page extensions and Access Manager.
8 Accept the default location for installing DirectManage Access components, or click Browse to select a different location, then click Next.
9 Specify whether you want to disable publisher verification, then click Next. Selecting this option skips the check of the publisher signature on the console assemblies when they are started, which shortens startup time; leave it deselected to keep verifying the signature each time an application starts.
10 Review the components you have selected, then click Next.
11 When setup is complete, click Finish to close the setup program.
Starting DirectManage for the first time
When you start the Access Manager console for the first time, the Setup Wizard is displayed to configure the Active Directory forest and set the default properties for your first Centrify Zone.
1 Log on to the computer where you installed the Access Manager console and click Start > All Programs > Centrify Server Suite version > Access > Access Manager.
2 Verify that the domain controller displayed is a member of the Active Directory forest you want to update, or type the name of a different domain controller if you want to connect to a different forest, then click OK.
3 At the Welcome page, click Next.
4 Select Use currently connected user credentials to use your current log on account, or select Specify alternate user credentials and type a user name and password, then click Next.
5 Select a location for installing license keys in Active Directory, then click Next. The default container for license keys is domain_name/Program Data/Centrify/Licenses. To create or select a container object in a different location, select Change default zone container and click Browse. You can also add other License containers in other locations later using the Manage Licenses dialog box.
6 Review the permission requirements for the container, then click Yes to confirm your selection.
7 Type the license key you received, then click Add or click Import to import the keys directly from a file, then click Next.
8 Select Create default zone container and specify a location for the Zones container, then click Next.
The default container location for zones is domain_name/Program Data/Centrify/ Zones.
Any zones you create are placed in this container location by default. You can create a new container object or select an existing container object.
9 Check the Grant computer accounts in the Computers container permission to update their own account information option to give each UNIX computer account permission to manage its own account password, then click Next.
10 Select Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in if you want to automatically maintain the integrity of the data stored in Centrify UNIX profiles, then click Next.
11 Select Activate Centrify Corporation profile property pages if you want to be able to display the properties in Centrify profiles in any Active Directory context, then click Next.
This setting is not required to display the Centrify property pages when using Active Directory Users and Computers or the Access Manager console. If you only need to access Centrify properties from Active Directory Users and Computers or the Access Manager console, leave this option unchecked and click Next.
12 Review and confirm your configuration settings, click Next, then click Finish. For information about modifying zone properties after configuring the first zone, see
“Setting zone properties” on page 44.
Installing the Centrify UNIX agent
Depending on your environment, you may have several options for installing the Centrify UNIX agent. The instructions summarized here assume you are using the standard agent installation script, install.sh. For information about the other options available or more detailed information about any step, see the Planning and Deployment Guide.
To install the Centrify UNIX agent on a computer
1 Download the Centrify software package for your target platform from the Centrify Customer Support Portal Customer Download Center.
2 Log on or switch to the root user if you are installing on a computer running Linux or UNIX, or log on with a valid user account if you are installing on a computer with the Mac OS X operating system.
Note You are not required to log on as the root user on Mac OS X computers, but you must know the password for the Administrator account to complete the installation.
3 Copy the tgz (or dmg) file to a directory on your UNIX computer and unzip the file and then unpack the archive file.
4 Run the install.sh script to install the Centrify agent package on the computer. For example, on a Red Hat Enterprise Linux computer you would enter the following:
/bin/sh ./install.sh
The script runs the Centrify adcheck command and then prompts you to select the following tasks:
- Run adcheck: At this point in the procedure, adcheck has already run. Run it again if you select to join a domain (see next prompt) to see if your join was successful.
- Join an Active Directory domain: Join the domain if you have the organizational unit, containers, and zone already set up on the domain controller for this computer. Otherwise, do not join at this time.
The script then prompts you to select the services you want to install. In the enterprise edition, the following services are installed by default:
- CentrifyDC: the agent, tools (adinfo, adquery, etc.) and configuration files (for example, centrifydc.conf)
- CentrifyDC-openssh: a Centrify-compiled version of the OpenSSH program
- Centrify DirectAudit
Optionally, you can select the CentrifyDC-nis package.
If you want a different configuration, respond N to the prompt:
Do you want to continue (Y) or re-enter information? (Q|Y|N)
Note These instructions describe use of the install.sh script in interactive mode. The script also offers command line options that let you run it in non-interactive mode. In addition, there are other options available only in non-interactive mode. Enter
/bin/sh ./install.sh -h
to display the options.
Joining an Active Directory domain
If you do not join the domain when you run the installation script, you can do so manually using the adjoin command on any computer where the Centrify UNIX agent is installed, or by selecting Applications > Utilities > Directory Access and configuring the adclient service on Mac OS X computers.
For more information about running adjoin, see “Using adjoin” on page 233 or the adjoin man page. For information about configuring the adclient service on Mac OS X computers, see the Mac-specific information in the Administrator’s Guide for Mac OS X.
Restarting UNIX services after joining the domain
You may need to restart some services on UNIX computers where you have installed the Centrify UNIX agent so that those services reread the name service switch configuration file (nsswitch.conf); a service that keeps the old configuration loaded does not use the Centrify NSS module until it is restarted. As an alternative to restarting individual services, you may want to reboot the system to restart all services.
Note Because the applications and services on different servers may vary, Centrify
Corporation recommends you reboot each system to ensure all of the applications and services on the system read the Centrify configuration changes at your earliest convenience.
Chapter 4
Managing zones
Zones are the key component for organizing identity attributes, access rights and role assignments, and delegated administrative activity for Linux and UNIX computers. This chapter describes how to use Access Manager to create zones and manage zone properties and explains the advantages of using hierarchical zones. It also shows how to manage without zones by using Auto Zone.
The following topics are covered:
- Understanding Centrify zones
- Using the Access Manager Setup Wizard
- Creating a new parent zone
- Creating a child zone
- Opening and closing zones
- Delegating control of administrative tasks
- Setting zone properties
- Renaming a zone
- Changing the master domain controller
- Adding a computer to a zone
- Changing the location of a zone in Active Directory
- Provisioning user and group profiles automatically
- Running reports for zones
- Searching for profiles in a domain
- Connecting to a domain using Auto Zone
For more detailed information about zone types, different strategies for using zones, and planning the migration of existing users and groups to zones, see the Planning and Deployment Guide.
Understanding Centrify zones
A Centrify zone is similar to an Active Directory organizational unit (OU) or Network Information Service (NIS) domain. Zones allow you to organize the computers in your organization in meaningful ways to simplify account and access management and the migration of information from existing sources to Active Directory.
How you use zones depends primarily on the needs of your organization. In some organizations, a single zone is sufficient. In other organizations, using multiple zones might be a necessity.
Although using multiple zones can provide flexibility for managing user accounts and computer access, you are not required to do so. Creating a single zone, or for that matter multiple zones, can be done simply through the Access Manager console or by using ADEdit. You only need to be concerned with planning and populating additional zones if multiple zones would be useful for your organization. You can then create the additional Centrify zones as you need them.
On the other hand, you may choose to define no zones at all by connecting to a domain through Auto Zone. With Auto Zone, every Active Directory user and group defined in the forest, as well as any users defined in a two-way trusted forest are valid users or groups for the joined computer.
Understanding identity and access in hierarchical zones
Centrify supports the creation of a hierarchical zone structure of parent and child zones that allows for the inheritance of data from the top to the bottom of the tree. This section explains how you can use this hierarchical structure to maintain identity and control access to a UNIX environment through Active Directory, but it begins from the perspective of a single, self-contained zone, then expands to include how user management works in a hierarchical structure.
After you create a zone you can add any of your AD users to it and define their identity in UNIX for any computer that joins the zone. To define an AD user’s UNIX identity, you create an NSS profile that contains the same data as the /etc/passwd file on a UNIX computer: login name, UID, primary group, etc.
In addition, you can control access to computers in a zone by assigning roles to AD users, either individually or through AD groups. In fact, you must assign roles to users for them to have access to Centrify-managed computers. A user with both an identity and a role assignment in a zone is considered an effective user for that zone. Users with an identity but without a role have no access to a managed computer.
The ability to define identity separately from access is one of the key features provided by hierarchical zones. Its utility is not immediately obvious in a flat zone structure, but as you will see, it is a powerful feature in a tree structure.
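The following Python model is an added illustration, not Centrify code. It encodes the rule stated above (identity plus a role assignment makes an effective user; identity alone grants nothing) and carries it into a two-level hierarchy in which a child zone inherits its parent’s profiles and role assignments and may override individual profile attributes. The zone names corp and web, the users, the attribute names, and the role name are constructed for the example, as is the requirement that a profile supply every /etc/passwd field before it counts as an identity.

```python
"""Identity and access in Centrify zones, as a small model.

Added example, not Centrify code. A user is effective in a zone only when the
zone gives them both a complete UNIX profile (identity) and at least one role
(access). Profiles and roles in a parent zone are inherited by its children,
and a child may override single profile attributes. Names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set

# The /etc/passwd data a profile must supply before it counts as an identity.
REQUIRED = ("uname", "uid", "gid", "home", "shell")


@dataclass
class Zone:
    name: str
    parent: Optional["Zone"] = None
    # AD user -> (possibly partial) NSS profile attributes defined in this zone
    profiles: Dict[str, Dict[str, object]] = field(default_factory=dict)
    # AD user -> role names assigned in this zone
    roles: Dict[str, Set[str]] = field(default_factory=dict)

    def lineage(self) -> Iterator["Zone"]:
        """This zone, then each ancestor up to the root."""
        z: Optional[Zone] = self
        while z is not None:
            yield z
            z = z.parent

    def effective_profile(self, user: str) -> Dict[str, object]:
        """Attributes merged from the root down, so a child's value wins."""
        merged: Dict[str, object] = {}
        for z in reversed(list(self.lineage())):
            merged.update(z.profiles.get(user, {}))
        return merged

    def effective_roles(self, user: str) -> Set[str]:
        roles: Set[str] = set()
        for z in self.lineage():
            roles |= z.roles.get(user, set())
        return roles

    def is_effective_user(self, user: str) -> bool:
        """Identity (complete profile) and access (a role) are both required."""
        profile = self.effective_profile(user)
        return all(k in profile for k in REQUIRED) and bool(self.effective_roles(user))


def passwd_line(zone: Zone, user: str) -> Optional[str]:
    """What NSS would hand back for this user on a computer in the zone,
    or None when the user is not effective there."""
    if not zone.is_effective_user(user):
        return None
    p = zone.effective_profile(user)
    return f"{p['uname']}:x:{p['uid']}:{p['gid']}::{p['home']}:{p['shell']}"


def build_sample():
    """Parent zone 'corp' with child zone 'web' (constructed data)."""
    corp = Zone("corp")
    web = Zone("web", parent=corp)
    # chris: identity defined once at the top, access granted only in the child
    corp.profiles["chris@example.com"] = {"uname": "chris", "uid": 10001, "gid": 10000,
                                          "home": "/home/chris", "shell": "/bin/bash"}
    web.profiles["chris@example.com"] = {"shell": "/bin/sh"}   # child overrides one attribute
    web.roles["chris@example.com"] = {"UNIX Login"}
    # dana: identity and access both in the parent, so effective in every zone below it
    corp.profiles["dana@example.com"] = {"uname": "dana", "uid": 10002, "gid": 10000,
                                         "home": "/home/dana", "shell": "/bin/bash"}
    corp.roles["dana@example.com"] = {"UNIX Login"}
    return corp, web


if __name__ == "__main__":
    corp, web = build_sample()
    for z in (corp, web):
        for u in ("chris@example.com", "dana@example.com"):
            print(f"{z.name:5} {u:18} {passwd_line(z, u)}")
```

Running it shows the point of the separation: chris has a complete identity in corp but no role there, so computers in corp return nothing for that account, while computers in web return a passwd entry with the overridden shell; dana, defined and assigned in the parent, is effective in both zones without any change to the child.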
Hierarchical zones
In a hierarchical-zone structure, identity and access are determined in much the same way as for a single zone, except the zone tree determines who users are and what access they have. When a computer joins a domain, the profile and access settings (role assignments) in effect for the zone determine who can access the computer and their identities on the computer. In a zone hierarchy, the profiles and access definitions may be defined in the