
Centrify Suite 2012

Evaluation Guide
November 2011

Centrify Corporation

Legal notice
This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time. © 2004-2011 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectAudit, DirectControl and DirectSecure are registered trademarks and DirectAuthorize and DirectManage are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify Suite is protected by U.S. Patents 8,024,360 and 7,591,005. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.

Contents

About this guide  5
    Intended audience  5
    Conventions used in this guide  6
    Using this guide  6
    Where to go for more information  8
    Contacting Centrify  9

Chapter 1  Start Here  11
    What is Centrify Suite?  11
    How Centrify Suite Works  20
    How to deploy Centrify Suite  26
    Next Steps  26

Chapter 2  Setting up the evaluation environment  29
    Windows requirements  30
    UNIX requirements  30
    Site Preparation  31
    Software installation overview  33
    Stage 1: Windows system software installation  35
    Stage 2: UNIX system(s) software installation  38
    Reboot UNIX computer(s)  54

Chapter 3  A&A: Basic Authentication and Authorization  55
    Create and delegate OU for UNIX  56
    First time setup with the Administrator Console  57
    Add UNIX users and create Zones  61
    Create groups, add users, assign role  69
    Join UNIX computer to a Zone  73
    Log in to the UNIX computer  77
    Make machine-level adjustments  79
    Show Users  80
    Summary  81

Chapter 4  A&A: Just in time provisioning  83
    Create admin groups and add users  83
    Create new privileges, roles and assignments  84
    Create computer role and assign group  88
    Delegating Control  92
    Making Changes  94
    Where to next  95

Chapter 5  A&A: Administrator Console reports  97
    Understanding DirectControl Administrator Console reporting  97
    Running DirectControl Administrator Console reports  98
    Creating and modifying report definitions  100

Chapter 6  A&A: DirectManage UNIX adtools  103
    Centrify Suite UNIX adtools  103
    ADEdit overview  104
    Script Example  107
    Inside the script  111

Chapter 7  A&A: Active Directory Group Policy Controls  113
    Using AD group policies for UNIX users and computers  113
    Understanding Group Policy  113
    Adding Centrify Suite group policies for UNIX  114
    Group Policy Examples  116

Chapter 8  Audit: Set up the evaluation environment  123
    Evaluation System Configuration  123
    Installing the DirectAudit components  124
    Replay example  130

Chapter 9  Audit: Session replay and management  133
    Enable audit on the UNIX systems  133
    Auditor Console  134
    Queries  137
    Direct Audit UNIX Utilities  139
    Windows Start-menu utilities  141
    Administrator Console  141
    Close sessions  142
    Where to next  143

Chapter 10  Completing the evaluation  145
    Using the evaluation checklist  145

Appendix A  Using Centrify Suite with SSH  151
    Configuring SSH  152
    Testing SSH  152

Appendix B  DirectControl Network Information Service  155
    Creating and importing NIS maps in the default zone  155
    Starting the adnisd daemon  156
    Testing adnisd  157

Appendix C  Remove Centrify Suite components  159
    Remove agents, NIS and OpenSSH from UNIX computer(s)  159
    Remove DirectAudit from Windows systems  161
    Remove DirectManage components  162

Index  165

About this guide


The Centrify Suite 2012 enables centralized, secure management of a heterogeneous network through Microsoft Active Directory. The software extends the Active Directory authentication, authorization, directory service, and Group Policy capabilities to enable a single identity store for managing authentication and authorization to:

    UNIX, Linux, and Mac OS X computer resources
    Web applications and application servers, such as Apache, Tomcat, JBoss, and WebLogic
    Databases such as DB2
    Enterprise applications such as SAP

Centrify Suite is composed of an integrated set of software components you install on a Windows workstation and on each UNIX/Mac OS/Linux/AIX/HP UX/... computer. The services and tools automatically route login attempts to the UNIX computers through the Active Directory domain controller and give administrators the ability to create escalated privileges, define roles and provision rights to the UNIX systems. The Centrify Suite provisioning model uses a simple, natural method that simplifies the on-going administration and maintenance and assures highly granular delegated administration. The broad business benefits include:

    One management framework: Centralizes the administration of complex environments into a well-organized management framework built on Active Directory.
    Simplified day-to-day access and privilege administration: Natural integration of the UNIX systems into existing support processes and work flows.
    Fine security granularity: Enforces a Least Access policy, granting limited access based on business requirements only, to protect sensitive systems and information.
    Separation of duties: Granular delegation based on Active Directory access control policies and security boundaries.
    Rapid deployment/integration: Integrated tools that automate UNIX system discovery and analysis, software installation and joining to the Active Directory domain.

Intended audience
This book is intended for system and network administrators tasked with assessing the suitability of the Centrify Suite to their environment. The guide assumes you have a working knowledge of Windows Server and Active Directory and are familiar with Active Directory features, functionality, and terminology. This guide also assumes you are familiar with your UNIX-based systems and how to perform common administrative tasks.

Conventions used in this guide


The following conventions are used in this guide:

    UNIX is used as a generic term to refer to all variants of UNIX. Centrify supports a wide variety of UNIX platforms including Mac OS X, AIX, HP UX, and many Linux implementations.
    Fixed-width font is used for sample code, program names, program output, file names, and commands that you type at the command line. When italicized, the fixed-width font is used to indicate variables. In addition, in command line reference information, square brackets ([ ]) indicate optional arguments.
    Bold text is used to emphasize commands, buttons, or user interface text.
    The variable release is used in place of the specific release number in the file names for individual Centrify Suite software packages. For example, centrifydc-release-sol8sparc-local.tgz in this guide refers to the specific release of the Centrify Suite Agent for Solaris on SPARC available on the Centrify Suite CD or in the Centrify Suite download package. On the CD or in the download package, the file name indicates the Centrify Suite version number. For example, for a 3.0.0 package, the file is centrifydc-3.0.0-sol8sparc-local.tgz.

Using this guide


The purpose of this book is to give you a hands-on experience with Centrify Suite. The exercises highlight the features designed to simplify the integration of your UNIX systems and user identities into Active Directory, centralize access and privilege management and provide full user session auditing. The chapters cover the complete installation and configuration of the software either in a physical or virtual environment. Step-by-step exercises follow that introduce the key features of the DirectControl, DirectAuthorize and DirectAudit products. This book does NOT take you through every option, nuance and feature. However, by the end, you will have a configuration in place and sufficient understanding to try out scenarios that would more closely mimic your own needs. The chapters are organized as follows:

Chapter 1, Start Here: Start with this chapter to learn about the components and the Centrify model for managing UNIX machines and users in an Active Directory environment.

Chapter 2, Setting up the evaluation environment: Continue with this chapter to install the Centrify Suite software on your Windows workstation and UNIX computer(s).

Chapter 3, A&A: Basic Authentication and Authorization: This chapter begins the configuration of the evaluation system. In this chapter, the instructions guide you through several exercises that end with users logging on to the UNIX computer(s) in your network using Active Directory accounts.

Chapter 4, A&A: Just in time provisioning: This chapter continues the configuration. The exercises in this chapter demonstrate how to use Active Directory groups and Centrify Suite tools and features to generalize user and group rights and roles where you can and apply them with fine, granular precision where you need to.

Chapter 5, A&A: Administrator Console reports: This chapter describes the Administrator Console reports available to display and generate hardcopy on your system configuration.

Chapter 6, A&A: DirectManage UNIX adtools: Thus far, the exercises used the Windows workstation's Active Directory and Centrify Suite console interfaces. This chapter describes the UNIX tools, including a powerful command-line utility, included in the suite.

Chapter 7, A&A: Active Directory Group Policy Controls: Centrify Suite supports the use of Active Directory Group Policy objects for the UNIX computers. This chapter shows how to use the Microsoft Management Console Group Policy Object Editor to enable several Centrify Suite policies.

Chapter 8, Audit: Set up the evaluation environment: The Centrify Suite Enterprise Edition includes the DirectAudit auditing tool. This chapter introduces the DirectAudit architecture and features and describes how to install the software on the Windows and UNIX nodes you want to monitor.

Chapter 9, Audit: Session replay and management: This chapter describes the DirectAudit console's interfaces and session management tools.

Chapter 10, Completing the evaluation: There's a lot to consider for your evaluation and a lot is offered in Centrify Suite. This chapter helps you approach the analysis systematically.

Appendix A, Using Centrify Suite with SSH: Although many UNIX systems have an sshd server installed, many are older implementations that do not support Kerberos. Centrify Suite includes a compiled version of the latest OpenSSH distribution with Kerberos support. This appendix explains how to use it.

Appendix B, DirectControl Network Information Service: For computers and applications that submit lookup requests directly to a NIS server listening on the NIS port, Centrify Suite includes its own DirectControl Network Information Service. This appendix tells you how to install and test it.

Appendix C, Remove Centrify Suite components: This appendix describes how to remove the Centrify Suite components from the Windows and UNIX computers.

Where to go for more information


All the information you need to set up the evaluation system is provided in this book. We expect, though, that some of the exercises will spark your curiosity about specific tools and services. The following books provide the full description of the Centrify Suite software components. Go to the Documentation directory in the DirectManage package for the latest version of these books.

Centrify Suite Planning and Deployment Guide (DeploymentGuide.pdf): Provides guidelines, strategies, and best practices to help you plan for and deploy Centrify Suite 2012 in a production environment. This guide covers issues you should consider in planning a Centrify Suite deployment project.

Centrify Suite Administrator's Guide (AdminGuide.pdf): Provides information on how to perform administrative tasks using the Centrify Suite Administrator Console and UNIX command line programs. The Administrator's Guide focuses on managing your environment after deployment.

Centrify Suite ADEdit Programmer's Guide (ADEditGuide.pdf): This Evaluation Guide introduces the adedit UNIX command-line tool. Scan through this book to learn about all of adedit's features and functions.

Centrify DirectAudit Administrator Guide (DA_AdminGuide.pdf): DirectAudit helps you comply with regulatory requirements by collecting detailed audit and log records of user activity on UNIX and Windows systems. This book explains in detail how to install, configure and use DirectAudit. For more information about DirectAudit, you should also visit the Centrify DirectAudit web page: www.Centrify.com/DirectAudit

We also recommend the following books in the Centrify Suite if you have questions or need a more comprehensive view:

Centrify Suite Group Policy Guide (GroupPolicy.pdf): Contains instructions on the use of the Centrify Suite group policies to customize user-based and computer-based configuration settings.

Centrify Suite Configuration Parameters Reference Guide (ConfigParameters.pdf): Provides the reference information about the Centrify DirectControl configuration parameters that enable you to customize your environment. Many of these settings can also be controlled through group policies.

DirectControl for Web Applications Authentication Guide for Apache (Web_Apache.pdf): Describes how to use the Centrify Suite with Apache Web servers and applications to provide single sign on authentication and authorization services through Active Directory.

DirectControl for Web Applications Authentication Guide for Java Applications (Web_Java.pdf): Describes how to use Centrify Suite with J2EE applications to provide single sign on authentication and authorization services through Active Directory. If you are using Centrify Suite with Java servlets, such as Tomcat, JBoss, WebLogic, or WebSphere, you should refer to this supplemental documentation for details about how to configure your applications to use Centrify Suite and Active Directory.

A number of other manuals are also provided in the Documentation directory, including release notes and the documentation for the Centrify versions of the Samba and PuTTY programs and Network Information Service (NIS). The UNIX utilities also include comprehensive man pages. In addition, check out the Centrify Resource Center at http://www.centrify.com/resources/overview.asp for helpful technical videos, application notes, white papers and other materials to help you become more familiar with the Centrify Suite solutions.

Contacting Centrify
If you have a problem during Centrify Suite software installation or configuration, need help with Active Directory configuration, or want clarification on best practices, contact your Centrify System Engineer or Technical Support. Go to www.centrify.com/support and log in for the Technical Support contact information.


Chapter 1

Start Here
This chapter introduces the Centrify Suite components and methods for managing the UNIX users, tools and machines via Active Directory. The following topics are covered:

    What is Centrify Suite?
    How Centrify Suite Works
    How to deploy Centrify Suite
    Next Steps

What is Centrify Suite?


Centrify Suite enables enterprise IT organizations to centralize the identity, access and privilege management of UNIX, Linux and Mac systems by leveraging Active Directory. All of the unique aspects of UNIX users, authentication protocols and access privileges, including UIDs and GIDs, escalated privileges and limited roles, are implemented within the standard Active Directory object classes and attributes. The following figure illustrates the scope of control provided by the Centrify Suite components. UNIX user and group administration is centralized entirely within Active Directory. This enables you to use existing Active Directory management tools or more sophisticated identity management solutions that leverage your existing Active Directory investment.

Centrify Suite includes a Windows-based Administrator Console to create UNIX user, group and computer privileges and roles. UNIX command line tools are also included so that you can create and manage the UNIX users and groups in Active Directory entirely from a UNIX terminal. Centrify Suite uses standard Active Directory objects and their attributes to store UNIX user and group profile data; there are no supplementary ID repositories on any Windows systems or UNIX computers. In addition, Centrify Suite includes comprehensive policy templates that let you use the Microsoft Management Console to set up Group Policy Objects with policies for the UNIX computers.


Centrify Suite software is available for a wide variety of platforms and supports Active Directory authentication via PAM for user ID and password as well as GSSAPI for Kerberos. In addition, it offers options that support single sign on for Web applications, Java and popular databases, and access to file shares on a UNIX server using Samba for native Windows SMB protocol support.

The Centrify Suite also pays particular attention to managing the administration complexities that accrete over time on UNIX systems. For example, many of our customers have users with a different user ID on each UNIX computer. It is also common for some users, for example a DBA, to have escalated privileges because it was inconvenient to define just the rights required to do the job.


Once in place, the Centrify Suite provides the following benefits:

Simplicity: You have one ID repository for Windows and UNIX users. Using Active Directory for everyone has several big advantages: UNIX users can have a single, globally unique user ID; you adjust UNIX user and group attributes centrally; and you use the same everyday tools and user and group objects to manage the UNIX and Windows users, groups and machines.

Security: The Centrify Suite approach to UNIX user privileges supports granularity, delegation and inheritance so that you can assign access rights broadly as appropriate and finely to enforce a least access policy.

Flexibility: The Centrify Suite hierarchical approach to users, computers, groups and roles lets you construct a security model that aligns with your current practices. You will find that your model is easily updated as users change roles, servers are added or repurposed, and re-organizations shift people into new departments and roles.

Protection and compliance: The Centrify Suite DirectAudit option captures and stores UNIX user sessions and GUI activity from Windows sessions. Auditors and network administrators can view or replay session activities to spot suspicious behaviors or troubleshoot problems.

Centrify Suite Components


This section introduces the Centrify Suite components and how they work. The Centrify Suite components are installed on a Windows workstation and each UNIX computer in the domain. Broadly, the software on the Windows workstation is used for administration, and the agent on the UNIX computers redirects the login requests to the Active Directory domain controller. The Centrify Suite of solutions helps you improve IT efficiency, strengthen regulatory compliance initiatives, and centrally secure your heterogeneous computing environment. The Centrify Suite is composed of the following products:

DirectControl: Centralized authentication and access control
Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating your UNIX and Mac systems and applications with Microsoft Active Directory. In addition, DirectControl enables you to secure those systems using the same authentication and Group Policy services you use for your Windows systems.

DirectAuthorize: Role-based authorization and privilege management
Centrify DirectAuthorize provides centralized, role-based privilege management features that help you manage and enforce fine-grained control over user access and privileges on UNIX and Linux systems. In many organizations, UNIX systems inherently lack a scalable and simple model for administrative delegation. As a result, administrators tend to give too many users root permission, run unnecessary security risks, and invariably fail audits. By controlling how users access systems and what they can do, DirectAuthorize enables you to lock down sensitive systems and eliminate uncontrolled use of root accounts and passwords.

DirectManage: Centralized management
Centrify DirectManage is an integrated set of tools that centralize the discovery, management and user administration of UNIX and Mac systems through integration into Active Directory-based tools and processes. The tools address both sets of global tasks for managing UNIX users in Active Directory:
    Migrating identities into Active Directory, managing policies, and generating reports.
    Deploying, configuring and managing the Centrify Suite solutions.
The DirectManage tools also include several utilities you can run from a UNIX computer for querying status and managing Active Directory accounts directly.

DirectAudit: Detailed auditing of user activity
Centrify DirectAudit helps you comply with regulatory requirements, perform in-depth troubleshooting, and protect against insider threats. DirectAudit's detailed logging strengthens your compliance reporting and helps you spot suspicious activity by showing which users accessed what systems, what commands they executed, and what changes they made to key files and data. With DirectAudit you can also perform immediate, in-depth troubleshooting by replaying and reporting on user activity that may have contributed to system failures. In addition, its real-time monitoring of user sessions enables you to spot suspicious activity. See User session auditing on page 17 for an introduction to DirectAudit.

DirectSecure: Secure sensitive information
Centrify DirectSecure is a policy-based software solution that secures sensitive information by dynamically isolating and protecting cross-platform systems and enabling optional end-to-end encryption of data in motion. DirectSecure leverages your existing Active Directory infrastructure and the native IPsec support to block untrusted systems from communicating with trusted systems without changing the network or applications.

In this book you install the DirectControl, DirectAuthorize, DirectManage and DirectAudit products. For more information about DirectSecure contact your sales representative. The following figure illustrates where and how the Centrify Suite components fit in your enterprise network.


On the UNIX computers, the DirectControl Agent redirects login attempts for validation against Active Directory accounts. The DirectManage UNIX tools enable a UNIX user with the appropriate permissions to query status and make changes to Active Directory user accounts, Centrify Zones, access rights, roles, and so on. The DirectAudit Agent gathers comprehensive user session activity.

On the Windows system, administrators use the Active Directory tools to manage users and groups on a day-to-day basis. When they need to update the configuration, they use:
- the Administrator Console to manage users' UNIX properties, Centrify Zones, access rights, user roles and user/group assignments, and to generate reports;
- Deployment Manager to manage Centrify Suite software;
- the DirectManage tools to modify group policies.

As needed, auditors use DirectAudit to replay Windows or UNIX user sessions, monitor sessions, troubleshoot, and extract sessions that meet certain criteria.

DirectManage Components
The DirectManage tools for Windows centralize the discovery, management and user administration of the UNIX systems. Once the configuration is complete, however, you perform your day-to-day user and group administrative tasks using Active Directory Users and Computers and MMC for account and group policy management. The DirectManage tools for Windows include the following:

Administrator Console: Use to create the Centrify global and child Zones and computer roles, and the individual rights and logical roles (for example, backup operator, application developer, QA tester) you assign to Active Directory users and groups. You also use the Administrator Console to configure a user's UNIX profile and manage computer properties. You make extensive use of the Administrator Console in Chapter 3, A&A: Basic Authentication and Authorization and Chapter 4, A&A: Just in time provisioning. The Administrator Console is the Windows interface to the services provided by DirectControl and DirectAuthorize.

Deployment Manager: Use to discover the UNIX systems on the network, and download and deploy the Centrify Suite packages. You can also use Deployment Manager to join computers to the Active Directory domain and manage local accounts and groups. You use the Deployment Manager in Chapter 2, Setting up the evaluation environment.

Zone Provisioning Agent: Use to automatically provision users with their Zone privileges. The Zone Provisioning Agent is a service you install on the Windows system that lets you set up Active Directory groups corresponding to the set of access rights you want users to have within a Centrify Zone. As you add a user to such an Active Directory group, the Zone Provisioning Agent automatically provisions that user's rights. You use the Zone Provisioning Agent in Chapter 3, A&A: Basic Authentication and Authorization.

Audit Center: Use to replay, review and query user sessions. The DirectAudit Agent collects detailed logs of user activities on UNIX and Windows systems. The Audit Center provides an interface for auditors to replay individual sessions, catalog sessions for review and analysis, develop queries to filter sessions, and so on. The Audit Center also provides an administrator interface for delegating auditor privileges and turning audit sessions on and off. You use the Auditor interface to replay and manage sessions in Chapter 9, Audit: Session replay and management.

Group Policy Object Editor: Adds policies you can enable in Group Policy objects to manage the UNIX users and computers. DirectManage also gives you the ability to create your own policies through standard administrative templates for policy definition and Perl scripts. You add the DirectManage group policies and enable several policies in Chapter 7, A&A: Active Directory Group Policy Controls.

Report Center: Use to generate pre-defined reports that answer the most common questions asked by compliance auditors, and to create custom reports. The Report Center is implemented inside the Administrator Console. It provides detailed, global visibility into access rights, privileges, and security policies. You use the Report Center in Chapter 5, A&A: Administrator Console reports.

UNIX command-line tools: A set of tools UNIX administrators can use to view status, join the computer to an Active Directory domain, query Active Directory for UNIX user and group attributes, update records, and make changes to Active Directory accounts. See Chapter 6, A&A: DirectManage UNIX adtools, for the description of the command-line tools.

Centrify-enabled PuTTY: A popular, open-source SSH client for Windows systems that provides access to remote UNIX machines. Centrify has added robust Kerberos authentication support to PuTTY to provide single sign-on to UNIX and Linux systems even in complex environments where fully qualified DNS host names may not match the Active Directory computer name. Additionally, Centrify enables GSSAPI key exchange, which authenticates the server through Kerberos and so eliminates the need to manage SSH host keys across your server population. PuTTY use is demonstrated in Chapter 3, A&A: Basic Authentication and Authorization.

User session auditing


DirectAudit captures privileged user session activity, including a full-motion video of the user's activity and all of the events that occurred: applications launched, text entered and results displayed. The recorded user sessions can be searched to discover policy violations and user errors and to monitor third-party access to systems. User sessions of interest can be replayed in high fidelity to discover detailed activity that may have led to a service degradation or outage. The information is collected in real time and then digested and stored in a SQL Server database for query and playback. The data indicates what systems were accessed, what commands were executed, what processes were launched, and what changes were made to key files and data. On UNIX computers you can set up sessions that capture input from all shells on a node or from selected shells, that filter for the use of specific commands, or that capture the activity of a single user.

On Windows servers, the DirectAudit Agent captures all user input, activity and output, including the resulting GUI display updates and changes. The following figure illustrates the DirectAudit components you would find in a medium-sized installation.


DirectAudit Components

Audited systems: Any UNIX platform supported by Centrify Suite, or Windows-based system, that has the DirectAudit Agent installed. All audited systems must be joined to an Active Directory domain in the same forest or a trusted forest.

Collectors: Intermediate services that receive, compress and index the data in real time. Multiple collectors per audit store are supported so that auditing is always active and session capture cannot be interrupted by the loss of one collector. If all collectors are down, data is cached on the audited system until a collector is back on line.

Audit Store: Repository for the compressed and indexed session data. Designed for scalability and efficient use of network resources, Audit Stores let session databases scale to multiple instances on separate hosts.

Audit Server: Service that provides central management and enforcement of Audit Roles and execution of distributed queries across the Audit Stores. Audit Servers also centrally control, monitor and report on audit stores, audit collectors and audited systems.

DirectAudit Console: User interface for searching and replaying captured user sessions and generating reports. Users access the data in the Audit Stores indirectly through the Audit Server. There are two DirectAudit consoles:
- Auditor: Enables auditors to search and replay user sessions, retrieve data from captured sessions and generate reports. The administrator can create different auditor roles to limit any one auditor's access rights and privileges.
- Administrator: Enables a user to view and administer the configuration of the audited systems, collectors and audit stores, and to assign audit roles.

Both consoles (which can be on the same or separate machines) connect to the other installation components through an audit server. Chapter 8, Audit: Set up the evaluation environment describes how to install and configure the DirectAudit Agent. Go to Chapter 9, Audit: Session replay and management to see what you can do once the system is in place.

Centrify Suite Packaging


Centrify Suite components are available in several packages. The following table lists the options:

Package options

Component        Description                                         Express  Standard  Enterprise  Platinum
DirectManage     Centralized management and administration           X*       X         X           X
DirectControl    Centralized authentication and access control       X*       X         X           X
DirectAuthorize  Role-based authorization and privilege management                      X           X
DirectAudit      Detailed auditing of user activity                                     X           X
DirectSecure     Server isolation and protection of data in motion                                  X

* The Express versions of DirectManage and DirectControl do not support centralized management, Zones, or group policy. Contact your sales representative for more information.


How Centrify Suite Works


The Centrify Suite standards-based architecture extends your existing Active Directory infrastructure without disrupting existing systems. The DirectManage tools install on a Windows workstation and let you administer all aspects of the UNIX computers user access controls through a single interface. The DirectControl Agent integrates seamlessly with the UNIX authentication processes to redirect login requests to the Active Directory Domain controller.

Administration on Windows and UNIX


The DirectManage Administrator Console is the user interface system administrators use to create and manage the UNIX computers, user identities, and escalated privileges. The graphical interface combines the entire hierarchy of parent and child Zones and their UNIX data (user and group identities) and authorizations (right and role definitions and assignments) into a familiar tree-structured view.

This view, for example, shows the UNIX user identities in the global Zone. In each Zone's tree you can also see the computers joined to it and the Zone's Authorization rights, roles and assignments that control user access. You use the same window to create Zones, define custom rights, build new roles from the rights you have created and assign those roles to groups or individual users.

Alternatively, Centrify Suite also provides a comprehensive set of UNIX command-line tools for managing Active Directory accounts and groups. These tools support different output options so that they can be integrated with in-house automation or provisioning scripts. For example, you can run the ADEdit Active Directory editing tool from a UNIX computer in the network. ADEdit is designed for administrators who have traditionally administered their systems from UNIX scripts or the UNIX command line, and includes a scripting language so administrators can build their own sets of commands.


UNIX Agent

The DirectControl Agent package is composed of a daemon, a library of dynamically loaded code modules, and Kerberos services. After the computer is joined to the domain, the Agent handles the following tasks:
- Communicates with Active Directory to authenticate users logging on to the UNIX computer and caches credentials for offline access.
- Enforces Active Directory authentication and password policies.
- Enforces Active Directory Group Policy to manage UNIX system configuration and security settings.
- Provides a Kerberos environment so that existing Kerberos applications work transparently with Active Directory.
- Maintains time synchronization with Active Directory.
- Supports single sign-on through the Active Directory account for Java- and Web-based applications.

Note: The Agent package also includes DirectManage tools you run from a UNIX console. See Chapter 6, A&A: DirectManage UNIX adtools for the description.

DirectAuthorize is tightly integrated into DirectControl and Active Directory; no additional servers or infrastructure is required. DirectAuthorize stores its role and rights data securely in Active Directory using the rights-based logical model and data storage schema of Authorization Manager, which is found in Windows Server 2003 and later. The Active Directory property extensions are displayed in a separate tab when you view user and group properties. No Active Directory schema extensions are made when you install and use DirectAuthorize. DirectAuthorize meets compliance-driven requirements for "least access" management by allowing organizations to centrally define logical roles (backup operator, DBA, web developer, application administrator, and so on) that carry with them a specific set of rights. You use DirectAuthorize to create the rights, define roles and define the rights available for each role.

Rights describe both the access method and the privileges granted, specifically:
- PAM (Pluggable Authentication Module) rights identify specific PAM-enabled interfaces and applications the user can access, such as FTP, Telnet, SSH, or Informix.
- Privileged command rights identify specific commands the user can run and whether those commands run under the user's own account or as another user account.
- Restricted environments provide strictly controlled access to a defined subset of commands in a DirectAuthorize shell (dzsh). In effect, this grants users access to whitelisted applications only, and automatically grants privileged execution where authorized.


Active Directory users or groups can be assigned to one or more roles. A role assignment can apply to all computers in a Centrify Zone or to just a specific computer. For example, in the Engineering Zone the user Chris could be assigned the system administrator role for all computers, and also be assigned a DBA role for a single database server. Thus, roles are a flexible and scalable method for defining users' access methods and privileges for a specific set of systems.

Administrator Console Elements


This section describes the DirectManage Administrator Console tree structure and explains how you use the elements to manage the Active Directory users UNIX identity and control their access to the UNIX computers.
Hierarchical Zones

Zones enable migration and management of the most complex UNIX environments into a centralized directory. For example, centralizing the management of the multiple UNIX identities a user may have across an environment with many UNIX and Linux systems into a common directory is one of the most pressing problems facing organizations. The support for inheritance in Centrify hierarchical Zones simplifies the migration process and enables you to set up a sustainable identity and access management framework within Active Directory that supports different user identities, rights and roles on the UNIX computers. This approach enables an enterprise to:
- Define a new, rationalized identity namespace for new hires and new systems in a global Zone.
- Integrate and centrally manage existing systems supporting legacy, disjointed namespaces through Zone- or computer-level attribute overrides.
- Delegate administration with finer granularity, leveraging native Active Directory object and group ACLs.
- Enforce a least-access rights model in which a role assignment via DirectAuthorize is required to grant access or privileges.

Zone inheritance lets you define a set of user rights once and make them available for role assignment in the parent and all child Zones. Separately, you assemble different sets of rights into logical roles (for example, DBA, backup operator, or system administrator) that are inherited down the Zone structure; roles defined higher in the tree can be used within the child Zones. Users and groups do not get access until a role assignment is made. Assignments made in the parent give the users the access privileges to all the computers in the parent and child Zones.


The following figure illustrates a Zone tree structure in the Administrator Console. The Zone hierarchy is composed of a single global (parent) Zone and two child Zones: FIN (Finance department) and MKTG (Marketing department). Each Zone has its own set of branches for Computers, UNIX Data (Users, Groups, and NIS maps) and Authorization (Role Assignments, Computer Roles, Role Definitions, and Right Definitions). The right-hand pane in this figure also shows some Commands (right definitions) that have been created. These rights are only available within the FIN Zone.

Computers

The Computers branch shows all the computers joined to that Zone. The Zone's UNIX data and authorizations apply only to the computers listed here. For example, users in the MKTG Zone do not have access to the redhat computer. If you wanted users in both the FIN and MKTG Zones to have access to redhat, it would have to be joined to the global Zone.

UNIX Data

This branch shows all of the users and groups in the Zone. Each user has a full UNIX identity: UID, GID, home directory, GECOS, and default shell. Similarly, each group has a unique GID.

Note: For practical purposes, users are seldom members of a child Zone. Instead, all users are in the global Zone. This makes it easier to view and manage all of the UNIX users. The exercises in the next section illustrate this best practice.

The UNIX Data branch also includes NIS maps. See Appendix B, DirectControl Network Information Service for more information.


Authorization: Right and Role Definitions and Role Assignments

In this branch you define the granular access rights, the user roles, the role assignments and the computer roles, which give you another level of precision for assigning rights.

You use a right definition to specify an escalated privilege, in the same way you define rights in a sudoers file on a UNIX computer. This feature lets you centralize escalated rights and limit their application to a specific set of computers. For example, rights defined in the FIN Zone are not available in the MKTG Zone.

You use roles to assemble a set of rights to support a group's specific access requirements. For example, the picture above has four roles:
- FinDSA, a role created just for the Finance Zone's department system administrators
- FinWSA, a role created just for the Finance Zone's web system administrators
- listed, a default role in all Zones that grants no privileges but lets a user account remain visible on the system, for example after the user has been terminated
- login, a default role that provides login privilege

You make the role assignment at the level to which it applies, to grant the rights with very granular precision. The following figure illustrates how role assignments limit the user's rights.


Users do not get access to a computer in the Zone until they have their rights assigned. This can be done individually; however, the most common practice is to assign a role to a group. The exercises in the next chapters show you how to define the rights, create roles and assign roles to groups.

Computer Roles

Often, administrators want the ability to create a set of computers within a Zone to which they can apply a unique set of access rights. For example, consider a department running an Oracle database: the system administrator wants to grant the Oracle DBAs escalated privileges on just those computers, but does not want to grant them the same privileges on other computers in the Zone. Computer roles let you assign user and group rights to just the computers in a defined role. You define the computer role, put the member machines in the computer role and then assign the users and groups to the user role within it. For example, in the following figure the FIN child Zone has the FinApache computer role defined. In that computer role, only members of the FinWeb@Demo group can use the rights defined in the FinWSA role. How to define rights and roles and assign them in Zones and computer roles is described in Chapter 4, A&A: Just in time provisioning.

Machine Zone

A Machine Zone is a set of user, group and role assignments for a specific computer. The main reason for Machine Zones is a frequent management problem in organizations that have multiple legacy UNIX computers on which the same user has different UNIX properties (UID, GID, shell, home directory, GECOS) on each computer. Less often, you may have a computer, or a small set of computers, that you cannot assemble into a Computer Role and on which you need a unique set of rights and roles. You use a Machine Zone to set user attributes and apply access rights at the machine level. For example, in Make machine-level adjustments on page 79 the instructions show you how to define a new UID for a user that applies to a specific computer; on all other computers the user has the UID assigned at the global level.
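The Zone rules described in the sections from Hierarchical Zones through Machine Zone above, as an added Python model that is not Centrify code and does not talk to Active Directory. It assumes a made-up tree (a global Zone with FIN and MKTG children, hosts fin-web1, fin-db1 and mktg-01, the groups FinWeb@Demo and FinUsers@Demo, and the right names shown) and shows that a right defined in FIN cannot be used in MKTG, that an assignment scoped to the FinApache computer role grants the FinWSA rights on fin-web1 but not on fin-db1, that a user with no assignment gets nothing, and that a machine-level UID override applies to one host only.

```python
"""Added example (not Centrify code): a Python model of the Zone rules described
above. Rights and roles defined in a Zone are visible in that Zone and its children;
an assignment grants a role's rights on every computer in the Zone, on the members
of a computer role, or on one computer; nothing is granted without an assignment;
a Machine Zone overrides a user's UNIX profile on one computer. All names are made up."""
from dataclasses import dataclass, field

LOGIN_RIGHT = "pam:login-all"   # the PAM right carried by the default login role

@dataclass
class Zone:
    name: str
    parent: "Zone | None" = None
    computers: set = field(default_factory=set)          # hosts joined to this Zone
    rights: set = field(default_factory=set)             # right definitions
    roles: dict = field(default_factory=dict)            # role name -> set of rights
    computer_roles: dict = field(default_factory=dict)   # computer role -> hosts
    assignments: list = field(default_factory=list)      # (principal, role, scope)
    profiles: dict = field(default_factory=dict)         # (user, host or None) -> attrs

    def ancestry(self):
        """This Zone, its parent, and so on up to the global Zone."""
        zone = self
        while zone is not None:
            yield zone
            zone = zone.parent

    def visible_rights(self):
        return set().union(*(z.rights for z in self.ancestry()))

    def visible_roles(self):
        roles = {}
        for z in reversed(list(self.ancestry())):   # global first; a child may redefine
            roles.update(z.roles)
        return roles

    def define_role(self, name, rights):
        missing = set(rights) - self.visible_rights()   # only rights from here or above
        if missing:
            raise ValueError(f"{self.name}: rights not available here: {sorted(missing)}")
        self.roles[name] = set(rights)

    def assign(self, principal, role, scope=("zone",)):
        """scope is ("zone",), ("computer_role", name) or ("computer", host)."""
        if role not in self.visible_roles():
            raise ValueError(f"{self.name}: role {role!r} is not visible in this Zone")
        self.assignments.append((principal, role, scope))

    def covers(self, scope, host):
        if scope[0] == "zone":          # every host in this Zone and its child Zones
            return True
        if scope[0] == "computer_role":
            return host in self.computer_roles.get(scope[1], set())
        return host == scope[1]

def zone_of(host, zones):
    """The Zone the host is joined to."""
    for zone in zones:
        if host in zone.computers:
            return zone
    raise LookupError(f"{host} is not joined to any Zone")

def effective_rights(principals, host, zones):
    """Rights on host for a user identified by the names in principals (user name plus
    AD group names). Assignments in the host's Zone and every parent Zone apply, but
    only where their scope covers this host."""
    zone = zone_of(host, zones)
    rights = set()
    for z in zone.ancestry():
        roles = z.visible_roles()
        for principal, role, scope in z.assignments:
            if principal in principals and z.covers(scope, host):
                rights |= roles[role]
    return rights

def resolve_profile(user, host, zones):
    """UNIX identity on host: global values, refined by each child Zone down to the
    host's Zone, then by a machine-level override stored for that host."""
    zone = zone_of(host, zones)
    attrs = {}
    for z in reversed(list(zone.ancestry())):
        attrs.update(z.profiles.get((user, None), {}))
    attrs.update(zone.profiles.get((user, host), {}))
    return attrs

def build_demo():
    """Constructed tree: a global Zone with FIN and MKTG child Zones."""
    root = Zone("global", rights={LOGIN_RIGHT})
    root.roles["listed"] = set()                   # account visible, no login, no privileges
    root.define_role("login", {LOGIN_RIGHT})
    fin = Zone("FIN", parent=root, computers={"fin-web1", "fin-db1"})
    mktg = Zone("MKTG", parent=root, computers={"mktg-01"})
    fin.rights |= {"cmd:apachectl as root", "cmd:service httpd as root"}
    fin.define_role("FinWSA", {LOGIN_RIGHT} | fin.rights)
    fin.computer_roles["FinApache"] = {"fin-web1"}
    fin.assign("FinWeb@Demo", "FinWSA", ("computer_role", "FinApache"))
    fin.assign("FinUsers@Demo", "login")           # every FIN computer
    mktg.assign("maria", "login", ("computer", "mktg-01"))
    root.assign("chris", "login")                  # every computer in every Zone
    root.profiles[("chris", None)] = {"uid": 10001, "gid": 10001, "shell": "/bin/bash"}
    fin.profiles[("chris", "fin-db1")] = {"uid": 501}   # Machine Zone adjustment
    return [root, fin, mktg]
```

Import the module and call build_demo(). Then effective_rights({"alice", "FinWeb@Demo", "FinUsers@Demo"}, "fin-web1", zones) returns the login right plus the two FIN command rights, the same call for "fin-db1" returns only the login right (the computer role does not cover it), and for "mktg-01" it returns an empty set; mktg.define_role("x", {"cmd:apachectl as root"}) raises ValueError because that right is defined in FIN, not in MKTG or the global Zone; resolve_profile("chris", "fin-db1", zones) gives UID 501 while every other host gives the global UID 10001.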

How to deploy Centrify Suite


Software deployment is simple and straightforward; you conduct the entire deployment from a single Windows system. First you install the DirectManage tools on a Windows system. To get started, go to Stage 1: Windows system software installation on page 35.

Second, you install the DirectControl Agent on the UNIX computers. The DirectManage package includes the Deployment Manager to automate and manage Agent deployment across your entire network. This tool is useful to deploy the agent in complex environments with many UNIX computers based on multiple operating systems. Go to page 38 to use Deployment Manager. For simple environments with just a few UNIX computers, all with the same operating system, many experienced UNIX administrators find it more convenient to just download the Agent package and install it using UNIX commands. Go to page 51 to install the Agent manually.

After the DirectManage and Agent software are installed, deployment is complete. You can then begin creating Zones, adding UNIX user identities and centralizing the UNIX users' access control in Active Directory. The remainder of this section expands on the Centrify Suite component descriptions and introduces DirectAudit. If you are eager to get started, confirm that your physical or virtual systems meet the configuration requirements (see page 30) and proceed to the pages shown above.

Next Steps
The purpose of this book is to install the Centrify Suite software in your evaluation environment and guide you through a series of configuration steps that demonstrate its major features and advantages. There are two parts to this book:

Authentication and authorization: The chapter titles in this part are preceded by A&A. These chapters cover the following topics:
- Software installation on your evaluation system
- Adding accounts, groups and UNIX computers to Active Directory, and basic authentication
- Creating rights and roles and assigning roles to groups
- Generating configuration queries and reports
- Centrify Suite command-line tools and scripting language
- Centrify Suite group policy templates and creating Group Policy Objects

Audit: The chapter titles in this part are preceded by Audit. There are two chapters in this part:
- Software installation on your evaluation system and component configuration
- Replaying and managing sessions

Proceed to the next chapter to install the Centrify Suite software on your Windows systems and UNIX computers.


Chapter 2

Setting up the evaluation environment


In this chapter you install the Centrify Suite software on the computers in your evaluation environment. The following figure illustrates the minimum components required for the evaluation and the location of the Centrify Suite software.

The following platforms were used to create the screen captures that illustrate the exercises:
- Windows computer: Windows 7 and Windows XP
- Windows Server: Windows Server 2008
- UNIX computer: Red Hat Enterprise Linux

The chapter is organized as follows:
- Windows requirements
- UNIX requirements
- Site Preparation
- Software installation overview
- Stage 1: Windows system software installation
- Stage 2: UNIX system(s) software installation


Windows requirements
Before installing Centrify Suite in the Windows environment, check the following basic requirements for your Windows workstation and Active Directory server:

Windows Server (Active Directory domain controller): Windows Server 2003 R2 or later, or Windows Server 2008. Active Directory must support IETF RFC 2307; that support was introduced in Windows Server 2003 R2. Separate versions of the Centrify Suite software are provided for 32- and 64-bit systems.

Windows system: Windows XP Professional, Windows Vista or Windows 7. Separate versions of the Centrify Suite software are provided for 32- and 64-bit systems. The .NET Framework must be installed on the workstation; if it is not, the Centrify Suite setup program installs it for you.

The Windows workstation should have the following minimum configuration:
- CPU speed: 550 MHz
- RAM: 25 MB
- Disk space: 1.5 GB

UNIX requirements
The Centrify Suite DirectControl Agent needs to be installed on each UNIX computer you want to manage through Active Directory. Centrify Suite is supported on a wide variety of platforms, including the following:
- AIX
- Debian, Intel architecture 32- and 64-bit
- HP-UX, Itanium
- Mac OS
- Red Hat Enterprise Linux, Intel architecture 32- and 64-bit, and PowerPC
- Solaris, SPARC and Intel architecture 32-bit
- SuSE, Intel architecture 32- and 64-bit, and PowerPC
- Ubuntu, Intel architecture 32- and 64-bit


For the full list, go to the Centrify Download Center and click the Choose System link at the bottom of the Centrify Suite 2012 options.

Note: You must have an account and password to access the Centrify Download Center. If you do not already have an account, ask your support representative for one. The Download Center has the most up-to-date Agent packages available for immediate download and an Evaluation Center to help with installation and assessment.

Site Preparation
Are you going to install the Centrify Suite software in a physical lab or a virtual environment? For the purpose of site preparation it doesn't matter: the requirements for the virtual machines are the same as for physical machines. There are, however, some additional considerations for virtual environments. In addition to the following site preparation instructions, see Using a virtual environment to evaluate Centrify Suite on page 32. To prepare for the evaluation, you need the following:

A Windows Server computer that is an Active Directory domain controller and has been assigned the DNS Server role.

At least one Windows workstation that is already joined to the Active Directory domain. The workstation must also have the following console snap-ins:
- Active Directory Users and Computers (dsa.msc): You use this to add the UNIX users to Active Directory and to create the UNIX groups. If dsa.msc is not already installed, it is available free from Microsoft. Download and install it at this time.
- Microsoft Management Console (mmc): You use this to add the Group Policy Object Editor console snap-in, add and remove Centrify Settings, and enable group policies.

Confirm that the target domain functional level is at least Windows Server 2003. To determine a domain's functional level, launch dsa.msc and select the domain. In the Action menu, click Raise domain functional level... to see the current level; if it is below Windows Server 2003, select Windows Server 2003 or higher. Raising the functional level is a one-way change that affects every domain controller in the domain, so do it only in an environment set up for this evaluation or after the owners of a shared forest have agreed.

An Administrator account and password for the Active Directory forest root domain. The forest root Administrator account is the account created when you installed the first Windows server in a new Active Directory forest. If you are setting up a separate Active Directory environment for testing purposes, you should have this account information. If you are using an existing Active Directory forest that was not expressly created for this evaluation, identify the forest root domain and ensure you have an account on the Windows workstation that is a member of the Domain Admins group, so that you have all the permissions you need to perform the tests in this evaluation.

At least one UNIX or Linux computer connected to the same network as the domain controller.

All of the computers must be able to ping each other.

Checking the DNS environment


Centrify Suite is designed to perform the same set of DNS lookups that a typical Windows workstation performs to find the nearest domain controller for the local site. Like a Windows computer, the DirectControl Agent on the UNIX computer looks for service locator (SRV) records in DNS to find the appropriate domain controller for the domain it has joined. In most cases, when you configure the DNS Server role on a Windows computer, you configure it to allow dynamic updates for Active Directory services. This ensures that the SRV records published when a domain controller comes online are available in DNS. If your DNS server is configured to prevent dynamic updates, however, or if you are not using the Windows computer as the DNS server, the DirectControl Agent may not be able to locate the domain controller. Do the following to ensure the UNIX computer can look up the SRV records in the DNS server for the evaluation environment:
- Configure the DNS Server role on the Windows computer to allow secure dynamic updates.
- Make sure that each UNIX or Linux computer you are testing with lists the Windows DNS server as a nameserver in its /etc/resolv.conf file.
- Configure the DNS server to perform both forward and reverse lookups as well as to allow secure dynamic updates.
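One way to verify both points from the UNIX side, as an added example that is not Centrify code: the script reads the nameservers out of a resolv.conf, builds the SRV query for the standard Active Directory domain controller locator record (_ldap._tcp.dc._msdcs.<domain>) and the Kerberos KDC record (_kerberos._tcp.<domain>), and decodes the answers, using only the Python standard library so it runs on a bare evaluation host. Those are the records a Windows client queries; the page does not say which records the DirectControl Agent itself uses beyond "the same as a Windows workstation". The resolv.conf text, the demo.example domain, the 192.0.2.x addresses and the reply packet decoded in the self-test are all constructed.

```python
"""Added example (not Centrify code): the SRV lookup an Active Directory client
performs to locate a domain controller, done by hand with the standard library so
the DNS check above can be run from any UNIX host. Record names are the standard
AD ones; the resolv.conf text, the demo.example domain and the reply packet used
by sample_response() are constructed."""
import socket
import struct

SRV_TYPE, IN_CLASS = 33, 1

def parse_resolv_conf(text):
    """Nameserver addresses listed in /etc/resolv.conf contents, in order."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def dc_srv_names(domain):
    """SRV names a domain member queries: the DC locator record and the KDC record."""
    return [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.{domain}"]

def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_srv_query(name, txid=0x1234):
    """One-question DNS query (recursion desired) for an SRV record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV_TYPE, IN_CLASS)

def decode_name(pkt, off):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                         # pointer into the packet
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_srv_response(pkt, txid=0x1234):
    """SRV answers as (priority, weight, port, target), preferred first."""
    rid, flags, qd, an = struct.unpack("!HHHH", pkt[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"DNS error, rcode {flags & 0xF} (3 = no such record)")
    off = 12
    for _ in range(qd):                                   # skip the question section
        _, off = decode_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", pkt[off:off + 6])
            target, _ = decode_name(pkt, off + 6)
            answers.append((prio, weight, port, target))
        off += rdlen
    return sorted(answers, key=lambda a: (a[0], -a[1]))   # low priority, high weight first

def lookup_dcs(domain, nameserver, timeout=3.0):
    """Ask one nameserver for each record; {name: answers}. Needs network access."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for name in dc_srv_names(domain):
            sock.sendto(build_srv_query(name), (nameserver, 53))
            results[name] = parse_srv_response(sock.recv(4096))
    return results

SAMPLE_RESOLV_CONF = """# constructed sample for demo.example
search demo.example
nameserver 192.0.2.10    # the Windows DNS server (domain controller)
nameserver 192.0.2.53
"""

def sample_response():
    """Constructed reply to the DC locator query: two DCs; dc1's target uses a
    compression pointer into the question name, as Windows DNS replies do."""
    qname = "_ldap._tcp.dc._msdcs.demo.example"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    demo_ptr = struct.pack("!H", 0xC000 | 33)            # "demo.example" starts at offset 33
    rr1 = b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, 12)
    rr1 += struct.pack("!HHH", 0, 100, 389) + b"\x03dc1" + demo_ptr
    target2 = encode_name("dc2.demo.example")
    rr2 = b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, IN_CLASS, 600, 6 + len(target2))
    rr2 += struct.pack("!HHH", 10, 100, 389) + target2
    return header + question + rr1 + rr2
```

On a real evaluation host, lookup_dcs("demo.example", parse_resolv_conf(open("/etc/resolv.conf").read())[0]) should return at least one (priority, weight, port, target) tuple for each name. An empty list for the _ldap._tcp.dc._msdcs record means the domain controller's SRV records are not in the DNS the UNIX host is using, which is exactly the condition the text warns about; an rcode 3 error means the zone is served by that nameserver but the record was never registered, typically because dynamic updates are disabled.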

Using a virtual environment to evaluate Centrify Suite


To simplify the hardware requirements for testing Centrify Suite, you may find it useful to set up your own evaluation environment using either Microsoft Virtual PC or VMware Workstation. By using Virtual PC or VMware, you can create a virtual environment to simulate three physical computers running different operating systems. To set up a virtual environment for evaluating Centrify Suite, you need a computer with enough CPU, RAM, and available disk space to run three virtual machines simultaneously. Centrify recommends the following minimum configuration for the host:
- CPU: at least 1.70 GHz
- RAM: at least 4 GB
- Available disk space: 15 GB

The virtual environment should also be configured to run as an isolated evaluation environment using Local/Host-only or Shared/NAT networking.


For example, this book was tested using the following virtual environment, which would be a good minimum configuration:
- One Windows Server 2008 (or Windows Server 2003) virtual machine image with 256-384 MB RAM, a 4 GB disk image, and a network address translation (NAT) network connection.
- One Windows 7 virtual machine with 1 GB RAM, a 60 GB disk image, and a NAT network connection.
- One Red Hat Enterprise Linux virtual machine image with 256-384 MB RAM, a 4 GB disk image, and a NAT network connection.

In addition, because the virtual environment runs as an isolated network, each virtual machine should be manually assigned its own static TCP/IP address and host name. After you create the Windows Server virtual machine, you need to configure the server roles for the computer. To evaluate Centrify Suite, the Windows Server virtual machine needs to be configured as:

An Active Directory Domain Controller

A DNS master server

When you configure the DNS Server role for the Windows Server virtual machine, you should configure it to perform both forward and reverse lookups and to allow secure dynamic updates.

Software installation overview


You run the installation process from the Windows workstation. Installation is conducted in two stages:

Windows system software installation: In this stage, you install the DirectManage components on the Windows system.

UNIX system(s) software installation: You can use the Deployment Manager to automatically select the appropriate Agent package and install it on your UNIX computer(s), or you can download the Agent package from the Centrify Customer Download Center, extract the package yourself, and run the install.sh script from the UNIX console. Both methods are described below.

Note: This chapter describes installing the DirectManage components only. The DirectAudit installation steps are done separately in Chapter 8, Audit: Set up the evaluation environment.

The process begins from the Centrify Suite DVD or iso image. If you do not have the Centrify DVD, go to the Centrify Customer Download Center. You reach the Customer Download Center from the Centrify home page: click the Support tab and select Customer Support Portal.

Chapter 2 Setting up the evaluation environment

33

You are immediately prompted to enter the email address and password for your account. After your credentials are validated you get to the portal page. Select the Customer Download Center link.

The following figure illustrates the Customer Download Center page.

Two areas on this page are for people building an evaluation system:

Evaluating Centrify Solutions: This page offers step-by-step download and installation instructions that parallel this book. (Use one or the other; do not try to use both.) If you need to download the Centrify Suite DirectManage package, start here. Go to Step 2. Download Centrify Suite 2012 and select the iso or zip file for your 32- or 64-bit Windows platform. This page does not, however, offer the Agent packages you install on your UNIX computer(s).

Centrify Suite 2012: This page offers for download the same Centrify Suite DirectManage packages available from the Evaluating Centrify Solutions page. For the evaluation system be sure to download the DirectManage Enterprise Edition, rather than the Standard Edition. As above, click on the link corresponding to your Windows platform processor architecture. In addition, use the links at the bottom of the box to get the Agent package. Choose Agents Disk to download a zip file/iso image that contains all of the Agent packages. Alternatively, click Choose System to just download the package for a single UNIX platform. You will need to install the package manually on each UNIX computer if you choose this option.

Notes

If you are installing on a Windows workstation running in a virtual machine, it is handy to download the iso image file and then use it as a virtual CD/DVD drive. For example, in VMware go to the Virtual Machine Settings. In the Hardware tab select the CD/DVD (IDE) device, select the Use ISO image file radio button and browse for the iso file you downloaded. Be sure to check the Device status boxes too.

During the installation, you are prompted to enter your license key. A 30-day license option is available free as a part of the installation program. Alternatively, a Centrify representative may have emailed a license key separately. When prompted, cut and paste the license key from the email into the form.

Stage 1: Windows system software installation


In this step you install the DirectManage software on the Windows system from the DVD or the file you downloaded from the Centrify Customer Download Center. The file name is one of the following:

Centrify-Suite-2012-mgmt-ent-win32

Centrify-Suite-2012-mgmt-ent-win64

If you have not already done so, extract the files from the .zip version, burn a DVD from the iso image, or mount the iso image file as a virtual disk on your virtual machine.

1 To begin, launch autorun from the DVD/iso.

2 Click the Centrify DirectManage (nn-bit) icon.

3 Centrify DirectManage: Click Next to proceed.

4 Review License Agreement: Click the I agree to these terms radio button and Next to accept the licensing terms.

5 User Registration: Enter your User Name (note that it defaults to the current account name) and Company Name and click Next.

6 Select Components: For the evaluation configuration select all of the components. Click Next.

7 Choose Destination Folder: For the evaluation system, use the default. Click Next.

8 Disable Publisher Evidence Verification: For convenience, leave the default setting (disable verification). Click Next.

9 Confirm Installation Settings: Click Next.

10 Click Finish to end the setup.

The installation takes a couple of minutes and adds two icons to your desktop:

Centrify DirectControl: The DirectManage Administrator Console

Deployment Manager: The program you use to manage the Centrify Suite software on the UNIX systems on the network.

11 Click Exit to close the DirectManage installation. You will install the DirectAudit software in Chapter 8, Audit: Set up the evaluation environment.

This completes the Windows system DirectManage components installation stage. Do not start up the Administrator Console right now. Instead, proceed to Stage 2.

Stage 2: UNIX system(s) software installation


In this section, you install the Centrify Suite DirectControl Agent, DirectAudit Agent and DirectManage UNIX tools on the UNIX computer(s). There are two alternative paths to complete this stage:

Use the Deployment Manager to automatically find your UNIX computers on the network, determine which Agent to install, download the software and install the Agents and tools. The instructions follow immediately below.

Manually download the Agent package from the Centrify Customer Download Center, copy the file to your UNIX computer(s) and run the install.sh script. Go to page 51 for the instructions.

If you are installing the Agent software on a single UNIX computer, the manual method can be more expeditious, especially for UNIX administrators. The result is the same for both procedures.

Deployment Manager path


The just-installed Deployment Manager does the complete installation, from identifying the UNIX computers on the network and the platform and processor in each one to installing the appropriate Agent. Deployment Manager can also join each computer to the Active Directory domain; however, you should skip that step at this time. Before you run Deployment Manager, confirm that all of the UNIX computers you want to use in the evaluation can be pinged. In addition, if you are running the installation from the Internet (rather than a DVD), be sure your computer is on-line. This stage is composed of several phases, all performed by Deployment Manager:

Build computer list: During this step you specify upon which computers to load the software. You can either specify the computers directly or let Deployment Manager discover and build a list of prospective targets. From that list, you then select which UNIX computers to use in the evaluation.

Download Centrify Software: In this step you either download the platform packages from the Internet or specify the DVD source on your system.

Analyze Your Environment: In this step, Deployment Manager analyzes your target computer environment(s) to confirm that they are Centrify Suite-ready and determine which package to use.

Deploy Centrify Software: In this step, Deployment Manager installs the Centrify Suite package on your selected platforms.

To load Deployment Manager, double-click on the icon. The Deployment Manager Welcome window displays the four deployment phases.

Note: The Deployment Manager is designed as a production system tool to help administrators with the ongoing maintenance and update of their Centrify-enabled UNIX systems. This eliminates the complexity for large scale systems but adds a few more steps to the evaluation system deployment process.

Step 1. Build computer list

In this phase, you select the target UNIX computers.


1 In Build Computer List, click the Add Computers ... button.

2 The program asks you to specify a list or have Deployment Manager find them for you. Click the Discover computers from the network radio button and Next to have DirectManage identify all of the prospective UNIX computers in your environment. Alternatively, click the Add a single computer radio button to enter each computer individually.

3 The next screen lets you define the scope of the search. By default, the program selects the subnet based on the Windows workstation's IP address for the search. Click the other radio buttons to use different criteria.

4 It takes a couple of minutes (depending upon the size of your network) to discover the computers. The program lists the UNIX computers it found (those it could ping) within the range of addresses you selected. (In my case, I have just one.) Check the box for each UNIX computer upon which you want to install the Centrify Suite software.

5 The next window lists any other computers it found in the subnet. Scan the list to see if there were any other UNIX computers found. (Disregard any Windows computers it found; the sole purpose of the Deployment Manager is to identify and service the UNIX computers.) If other UNIX computers were found and you want to include them in the evaluation system, check the corresponding box. This window also lists all of the IP addresses in the subnet. If you know of any UNIX computers in the subnet that were not found (most often the cause is that the machine is offline or turned off) AND you want to install the Centrify Suite package, check the corresponding IP address box to register each one in Deployment Manager.

Note: Deployment Manager only services the registered UNIX computers. You can run Deployment Manager at any time to find UNIX computers and deploy the Centrify Suite package. You do not need to install them all at this time.

Click Next to proceed.

6 The program prompts you to specify the name of an account on the target computer(s) that has sufficient privilege to make system changes. If that account does not have root privileges, check the box to specify a privilege command (see figure for an example), select su from the drop down menu, and enter the root password. In the next window, enter the password for the user name you specified. Click Next to finish each window.

If you specify multiple computers, Deployment Manager prompts you for the user name, privilege command, root password and user password separately for each computer. Deployment Manager then finishes its interrogation of the machine and updates the home page with the list of computers found. It takes a couple of minutes to finish. During the operation, Deployment Manager covers the affected icon with an hourglass; this is your indication that the procedure has not finished. For example, in this instance the hourglass is imposed upon the Computer icon (see the following figure). Deployment Manager uses the same icon during the other phases. Click Finish when prompted.

Deployment Manager updates the Computer Statistics pane with an icon representing each UNIX computer and its operating system. Double-click on the icon to get the full information found. Deployment Manager also updates the All Computers branch with the host name (Redhat in my case). If you have more than one UNIX computer, double-click All Computers for the full list along with their information.

Deployment Manager also looks in Active Directory for the users and groups in the computer and other UNIX properties. There are none at this point, but as you go through the exercises, open Deployment Manager to see how the tree is filled out. In a production system, Deployment Manager is a convenient tool to get a configuration summary from a variety of perspectives. This concludes the Build Computer List phase.

Step 2. Download Centrify software

In this phase, you load the following Centrify Suite components into Deployment Manager.

The DirectControl Agent: There is a separate Agent package for each combination of platform (for example, Red Hat Enterprise Linux, AIX, HP-UX, etc.) and processor architecture (x86 32-bit, x86 64-bit, PPC, SPARC, etc.).

The Analysis Tool (adcheck): You use adcheck from a UNIX console to perform operating system, network, and Active Directory tests to verify that a machine is ready to join the specified Active Directory domain. The output from adcheck includes notes, warnings, and fatal errors, including suggestions on how to fix them.

Note: This book does not illustrate use of adcheck. See the Administrator's Guide for the description or just try it out after you have installed the software on the UNIX computer.

The Agent packages are not included in the Centrify-Suite-2012-mgmt-ent-Win... file you installed earlier. They are provided separately. The Deployment Manager gives you two options for loading the packages:

Customer Download Center: The Deployment Manager prompts you to enter your account and password. Then it looks at the UNIX computers found in Step 1 and automatically downloads the corresponding Agent and Analysis Tool. If you plan to use this option, go right to step 1 below.

Agents DVD: Deployment Manager prompts you to enter the location (directory or drive) that has the full catalog of the Agent and Analysis Tool packages for every combination of UNIX platform and processor. If you plan to use the Agents DVD option AND you do not have the physical disk, download the iso image or a zip file from the Centrify Customer Download Center before you begin Step 2. Use the following procedure to download the file and import the catalog.

a Go to the Customer Download Center (from the Centrify home page click on the Support tab, select Customer Support Portal and then click the Customer Download Center link) and select Agents Disk.

b Click the blue download button to select either the zip or iso package.

c Copy the zip file to the Windows system on which you are running Deployment Manager and extract the files, or map the iso file to a logical disk accessible by the Deployment Manager.

d Import the catalog of files into Deployment Manager. In the Deployment Manager window, right-click the Centrify Deployment Manager node in the left hand pane and select Import Centrify Product Catalog ... from the menu. Change directories to the drive (logical or physical) or directory that has the unzipped files or virtual drive with the iso file, select the file centrify-productcatalog-offline and click Open. The import process begins immediately. It takes several minutes. When it is complete, a window pops up indicating Centrify Product Catalog imported. Click OK.

Use the following instructions to load the Agent package(s) and Analysis Tool(s) into Deployment Manager.

1 In the Deployment Manager home screen, click the Step 2: Download Software ... button.

2 The first window gives you the following options:

Download from the Centrify Download Center: To use this option, enter the email address and password for your support center account. Then click Next. The rest is automatic. Deployment Manager downloads just the Agent package and Analysis Tool corresponding to your UNIX computer(s) platform and processor.

Copy from network or local drive: To use this option click the radio button and browse to the DVD drive (physical or logical) or directory with the unzipped files and click Next. The next window displays all the files that will be copied. Click Finish. Deployment Manager loads the Analysis Tools and Centrify Suite software for all of the options in the catalog onto your Windows system and updates the Download Centrify Software pane to show the software downloaded and platforms supported.

This concludes the software download. You can see a list of the files downloaded by expanding the Software node in the left hand pane.

Step 3: Analyze your environment

In this phase, Deployment Manager analyzes the selected UNIX computers to ensure it has the privileges to install software and determine if there is already any Centrify software installed. The following figure illustrates the state of my machine at this point. My Redhat computer is listed in Computers Not Analyzed. Unless you have Centrify software already installed (for example, you are upgrading from a previous version), your UNIX computers should be listed in this category.

Note: Recall that Deployment Manager is a system administrator tool. In a production environment, the categories, fields and messages become quite useful for understanding and managing the state of systems.

Click the Analyze ... button to proceed. Enter the Active Directory domain name and click OK. (You can ignore the Number of domain controllers to analyze when setting up the evaluation system; it will not affect performance.)

This takes a minute or two. The hourglasses covering All Computers and RedHat in the Computers branch tell you that Deployment Manager is analyzing.

When Deployment Manager is done it updates the home page with the results of the analysis. Your results should look similar to the following figure, except that your computers are more likely listed under Ready to Install rather than Ready to Install with Warnings.

You can continue to install the software on computers that are Ready to Install with Warnings. If you are curious about the warnings, click the chevron to list the candidate computer's warning issue(s) and double-click the issues to find out what's wrong.

Note: If the Analysis does NOT update the display, click on the History node in the tree for a list of the analysis sessions and right-click on the most recent. Click the Trace tab for the details.

This completes the Analysis phase.
Step 4: Deploy Centrify Software

In this phase, Deployment Manager deploys the Centrify Suite packages to the selected UNIX computers and installs the DirectControl Agent.
1 Check the UNIX computers listed under Ready to Install that you want to use in the evaluation system.

2 Deployment Manager displays a series of windows to refine which software to deploy. In the first window, select the Centrify Suite Enterprise Edition. Take the defaults in the next two. HOWEVER, when prompted to Join Computer to Zone After Install, UNCHECK the box. You join the UNIX computers in another exercise.

3 Click Next to proceed through the Select Edition and Select Suite windows.

4 In the Select Components window, you want Centrify DirectControl and Centrify DirectAudit checked. The other boxes are optional:

OpenSSH: The package includes a compiled version of the latest OpenSSH distribution to make it easy for you to install and use SSH with Centrify Suite for secured authentication to Active Directory using Kerberos. This option is selected by default. It is, however, optional. If you do select it, the installation process configures the computer to use the Centrify OpenSSH in place of any existing OpenSSH already installed on the computer. See Appendix A, Using Centrify Suite with SSH for the configuration and testing instructions. If you do NOT want to install the Centrify OpenSSH, uncheck the box.

Centrify NIS: The DirectControl Network Information Service is an optional addition to the DirectControl Agent. Once installed and running, it functions just like a standard NIS server; however, it responds to NIS client lookup requests using the information stored in Active Directory. This option is NOT checked by default. If you want to evaluate the NIS support, check this box and see the instructions in Appendix B, DirectControl Network Information Service.

Click Next after you have made your selections to proceed.

5 In the Join Computer to Zone After Install window, UNCHECK Add the computers into Active Directory after install. You add the computer(s) later in the exercises.

During deployment, Deployment Manager updates the window to show activity. Notice that the hour glass covers the Computers branch and affected nodes.

When it's done, Deployment Manager shows a check mark next to the host name.

At this point the DirectControl Agent and UNIX command line tools have been installed on each UNIX computer selected. In addition, since you selected the Enterprise Administrator suite option, the DirectAudit Agent and its UNIX command line tools are also installed. However, the UNIX computer is not joined to Active Directory.

Manual deployment path


In this path, you download the Agent package for your platform from the Centrify Customer Download Center, copy it to the UNIX system, unpack it and run the installation script. This installs both the Agent and the Analysis Tool on the UNIX system.

Download Agent package

Go to the download center (from the Centrify home page, click on the Support tab and select Customer Support Portal. From that page click the Customer Download Center link and enter your account and password).

1 To download your agent, select the Choose System link at the bottom of the Centrify Suite 2012 options.

2 In the next window, scroll down to your platform and select the option corresponding to your processor. Notice that there are separate versions for Intel 32- and 64-bit processors. For example, the following picture shows the Red Hat Enterprise Linux options. The option for 32-bit Intel processors has x86 at the end of the file name; for 64-bit processors the file name ends with x86_64.

3 In the next window, scroll down to the Centrify Agent Installer and click on the tgz file listed in the Download column. This file contains both the Agent and the Analysis Tool for this platform. Save the file.

4 Copy the file to the UNIX computer.

5 Unzip and untar the file. For example, the following picture illustrates the use of gunzip and tar on a Red Hat Enterprise Linux-based computer. The tgz file was copied to a directory named cs2012agent.

Run install script


1 Enter the following command to run the install script. You need to be logged in with an account that has root privileges to run this command.

/bin/sh ./install.sh

Note: If the computer already has an Agent installed (for example, a previous version), use the script to remove it. After the script completes the Agent removal, reboot the computer and run the same install.sh script again to install the new version.

2 The script runs the adcheck command to confirm that the Agent can be installed. For your evaluation system, you can ignore warnings. Failures need to be fixed before the script can complete the installation. To proceed with the installation, enter E to install the Enterprise Edition.

3 Enter Y to run adcheck to verify your AD environment. Then enter the domain name of the Active Directory domain controller.

4 Enter N when prompted, Join the Active Directory domain (Q|Y|N) [Y]: Do NOT join the domain at this time. Be careful too, the default is Y.

5 The script displays the list of components that will be installed. The following figure illustrates the prompts and the default selections. For most cases, enter Y to proceed.

Note: The ONLY exception is if you plan to test the Centrify Network Information Service (NIS). See Appendix B, DirectControl Network Information Service for the description of the NIS option. If you want to install the NIS option, enter N and then select each option individually.
Note

The script proceeds to run adcheck again, this time adding an analysis of the connection to the Active Directory domain controller, and then installs the components selected. This concludes the manual installation process on this UNIX computer. If your evaluation system has other UNIX computers, repeat this procedure on each one.

Reboot UNIX computer(s)


Before you proceed with the authentication chapters, reboot each UNIX computer on which you installed the Agent. This concludes installing the Centrify Suite on the UNIX computers. Proceed to the next chapter to integrate it and the UNIX users into Active Directory.

Chapter 3

A&A: Basic Authentication and Authorization


In this chapter and the next you create your environment of UNIX users and groups in Active Directory and set up some basic roles for group authorization. When you are done the environment will look like this:

In the process, all of the UNIX users will have standard Active Directory accounts and the security groups will be standard Active Directory groups. In the exercises that follow, the UNIX computer is based on Red Hat Enterprise Linux and named redhat, and the Active Directory domain is named demo. It doesn't matter what brand of UNIX you are using or the domain name; just substitute your system's properties. IMPORTANT: The purpose of this exercise is to quickly illustrate the concepts and features you use to manage and provision your UNIX users. There are many more features and best practices that decrease your effort and simplify on-going maintenance that are not covered here. Please set aside some time to explore after you have completed the exercises in this chapter and the next. In this chapter you build the basic infrastructure: create an Organizational Unit for the UNIX users, groups and computers, create Zones, add users and assign rights for a subset of those users. In addition, you join the UNIX node to the Active Directory domain controller and log in.

At this point you should have at least deployed the DirectControl Agent to your UNIX computer(s) and have the DirectControl Administrator Console installed on the Windows workstation. You do not need to have created any Zones or joined the UNIX computer to the Active Directory domain controller yet. The exercises are broken down into the following sections:

Create and delegate OU for UNIX

First time setup with the Administrator Console

Add UNIX users and create Zones

Create groups, add users, assign role

Join UNIX computer to a Zone

Log in to the UNIX computer

Make machine-level adjustments

Show Users

Note: Whenever the instructions refer to Active Directory Users and Computers, this refers to the dsa.msc command on the Windows workstation. If you are running the exercise from the Windows Server rather than a workstation, this utility is available in the Administrative Tools menu.

Create and delegate OU for UNIX


The goal is to set up a container that can be delegated to give the set of UNIX system administrators the access and rights they need to perform their duties. At the same time, you want to limit their capabilities to just the UNIX computers. To set up this environment you begin by creating a separate organizational unit for the UNIX computers, groups and service accounts (for example, for root, Oracle and other application and batch job accounts) in Active Directory Users and Computers. You must have administrator rights to perform these steps.

1 Launch Active Directory Users and Computers (dsa.msc on the Windows workstation).

2 Right click the domain, expand New and select Organizational Unit.

3 Enter UNIX and, because this is an evaluation environment, uncheck Protect container from accidental deletion and click OK.

In the next steps, you create the organizational units for the service accounts, UNIX groups and UNIX servers. (The UNIX user accounts are in the domain Users container.)

4 Right click the UNIX organizational unit you just created (see picture), expand New and select Organizational Unit. Enter UNIX Service Accounts, uncheck Protect container from accidental deletion and click OK.

5 Right click the UNIX organizational unit again, expand New and select Organizational Unit. Enter UNIX Groups, uncheck Protect container from accidental deletion and click OK.

6 Right click the UNIX organizational unit again, expand New and select Organizational Unit. Enter UNIX Servers, uncheck Protect container from accidental deletion and click OK.

Your domain tree should appear similar to the following:

First time setup with the Administrator Console


Every time you launch the DirectControl Administrator Console you are prompted to specify the domain controller and, if necessary, the user name and password for an account with administrator privileges on the domain controller. (This is necessary when the logged in account on the Windows workstation does not have an administrator level account in Active Directory.) For example, double-click on the DirectControl Administrator Console. The program displays the prompt on the left. When you specify the domain controller, precede the domain name with the computer name. For example, in the image on the right the Windows Server computer name is win08 and the domain name is demo.com. In this case, the user is logging on using the Windows Server administrator account.

The first time you connect to the Active Directory domain controller the DirectControl Administrator Console prompts you to perform some housekeeping chores, for example, set up the license repository and define some global Active Directory properties. This procedure is run just once: the next time you launch the Administrator Console you will not be prompted again; nor will you be prompted if you install the Administrator Console on additional workstations. In this series of steps you perform the one-time configuration setup.
1 If you have not already done so, double click on the DirectControl Administrator Console and specify the Active Directory domain controller and the user account/password as illustrated above.

2 Welcome to the Centrify DirectControl Setup Wizard: Click Next.

3 User Credentials: Click the Specify alternate user credentials radio button only if the Active Directory account you used to connect to the forest does NOT have enhanced rights. Then enter the user name and password for an account with root domain administrator or enterprise administrator privileges. Click Next to proceed.
4 Install Licenses: This window prompts you to specify the location for the license keys. In this step you create the container in the UNIX organizational unit for easy reference. Do not use the default. Instead, click Browse, select the UNIX organizational unit and click the Create... button.

Note: To see the Licenses container after you create it, check the Advanced Features option in the Active Directory Users and Computers View menu.

Evaluation Guide

58

In the next window, keep the container as the Type and enter Licenses for the Name. Click OK.

When the program returns the Browse for Container window, expand the UNIX node and select Licenses and click OK.

Click Next to proceed. Click Yes to acknowledge the notification, All the user accounts in this AD forest will be granted ....
5 Install License Keys: If you did not receive either a license key or file by email from Centrify, select the Install 30-day evaluation license key radio button. Otherwise, copy and paste the license key from the email or import the license file.

Click Next to proceed.

6 Default Container for Zones: This window selects the location for the default container for the Zone data. Do NOT select the default. Instead, create a container in the UNIX organizational unit. This makes it much more convenient to manage the Zone information. Just as you did for the License container, click the Browse button to start. Next, select UNIX and then click the Create... button. In Create New Object, keep the Type as container and enter Zones as the Name. Click OK.

When the program returns the Browse for Container window, expand the UNIX node and select Zones and click OK.

Click Next to proceed.


7 Delegate Permission: For the evaluation system, take the default. Click Next to proceed.

8 Register the AD Administrative Notification Handler: As a convenience during the evaluation check the box. Click Next to proceed.

9 Setup Property Pages: As a convenience during the evaluation check the box. Click Next to proceed.

10 Summary: Click Next to proceed.

11 Completing the Centrify DirectControl Setup Wizard: Click Finish to proceed.

This concludes the one-time setup of the Zone data in Active Directory. Subsequently, when you launch the DirectControl Administrator Console, you will only be prompted to enter the domain controller and account information. Leave the DirectControl Administrator Console open for the time being. In the next steps you use Active Directory Users and Computers; after that you return to the Administrator Console.

Add UNIX users and create Zones


To begin, you need to be logged in on the Windows workstation with an Active Directory account that has administrator privileges on the Windows Server, or logged in as an administrator to the Windows Server. In these steps you add the sample users to Active Directory.

1 Launch dsa.msc from the Windows workstation or open Active Directory Users and Computers from the Start > Administrative Tools menu on Windows Server.
2 Add sample users: Right click the demo > Users organizational unit, select New and User and add the following users. (In a production environment, you would likely already have Active Directory accounts for your UNIX users.) For this exercise, enter them individually using the following names:

Adam Avery
Brenda Butler
Chris Carter
Fred Thomas
George Griffin
Nina Norris
Simon Schuster

This process is more hands-on than you would use in your production environment. When you are ready to deploy, tools are available to import user and group information from your UNIX systems. You are prompted to enter the Full name and logon name. Use the following model:

For each user, enter the User logon name in the form first.last. In the next window, enter a password for the user. IMPORTANT: For convenience, uncheck the User must change password at next logon box and check the Password never expires box.
3 Create an AD group for the UNIX users. To simplify immediate and ongoing user provisioning, you should create a separate AD group for the UNIX users in the UNIX Groups organizational unit you created earlier.

If it's not open, launch Active Directory Users and Computers. Expand the UNIX organizational unit and right click UNIX Groups. Select New and Group. Enter UNIX Users for the Group name and click OK.

4 Select all of the users you added above, go to the Action menu and select Add to a group.... Enter UN and click Check Names to select the UNIX Users group and click OK. Open the UNIX Groups organizational unit, right click UNIX Users and select Properties. All of the UNIX users should be listed in the Members tab.

In the next set of steps you create the Global parent and a child Zone and give the sample Active Directory users you created their UNIX identities.

1 If you closed the DirectControl Administrator Console after the forest configuration, launch it again.

The program prompts you to specify a domain controller in the Active Directory forest. How you respond depends upon whether you are logged in to the Windows workstation using a local account or a domain (Active Directory) account.

Local account: Specify the domain controller using the form computer.domain, where computer is the domain controller's computer name and domain is the domain name. After you enter the domain controller, check the Connect as another user box and enter the administrator (or equally privileged account name) and password.

Domain account: Specify just the domain name (the computer name is not required). If this domain account has administrator privileges on the Active Directory server click OK. Otherwise, check the Connect as another user box and enter the administrator (or equally privileged account name) and password.

2 Create the Global Zone. Fill in the Zone name (Global) and Description (Parent used in this example). Leave the Container radio button selected and click Next.

In the following windows select the defaults: I want a hierarchical zone and Standard Zone. Click Finish to complete the process.
3 Create the FIN child Zone. In the DirectControl Administrator Console right click Zones > Global. Select Create Child Zone... and enter FIN for the Zone name and Finance Department for the Description. That's all you need for the evaluation. Click Next and then Finish in the next window. Expand the FIN Zone. Notice that, except for NIS Maps (see Appendix B, DirectControl Network Information Service, for the description of NIS Maps), child Zones have the same Computer, UNIX Data and Authorization categories as the Global Zone.

4 Add the UNIX users to the Global Zone. In this step, you use the Centrify Zone Provisioning Agent (ZPA) to create the UNIX identities for the UNIX users in the Active Directory accounts. ZPA automates provisioning and makes it easier on a day-to-day basis to incorporate new employees with UNIX identities using your existing Active Directory management tools and provisioning process. To begin, you need to set up the default UNIX properties ZPA uses to provision each user. The default properties are set in the Zone properties. In the Centrify DirectControl Administrator Console right click on Zones > Global and select Properties.

Select the Provisioning Tab and check the Enable auto-provisioning for user profiles box. For the evaluation system, set the values as shown in the following figure.

Click OK to set the defaults. The following table explains each property (Label: Value, followed by the Description):

Source group: UNIX Users@centrify.demo
    This property tells ZPA where to look for the accounts to provision. Going forward, you just need to add new employees to this group to automate provisioning. To select the group, click the find icon. Enter UN and click Find Now to list the objects. Select UNIX Users from the list.

UID: <Generate from user SID>
    ZPA defines a unique identity number for each user based on the factor you select (see menu). Use the default value for the evaluation system.

Login name: <SamAccountName attribute>
    ZPA uses the option selected to define the UNIX account name. Note that users can log in with the AD login name too. Use the default value.

Shell: %{shell}
    Replace the default property with this entry. In this case the entry lets the DirectControl Agent define the default shell. (Since the default shell can be defined differently for each UNIX host, it's inconvenient to have to define it at the user properties level. When you use this entry the DirectControl Agent defines the default shell corresponding to the local host. You can modify this value if necessary in the DirectControl Agent configuration file.)

Home directory: %{home}/%{user}
    Replace the default property with this entry. In this case the entry lets the DirectControl Agent define the default home directory. (The reasoning behind this is the same as for the shell: the home directory is platform dependent, and it's easier to let the DirectControl Agent set it.)

Primary group: <Private group>
    Use the default value. ZPA assigns the user's group ID based on the UID.

GECOS: %{u:displayname},%{u:department},%{u:telephonenumber}
    Replace the default with this entry. In many cases the GECOS field is simply a comment field used to provide more information about the user. In this case, the entry illustrates another, common use: setting account values so that the UNIX finger command displays the user's full name, department and office phone number in the Office field.

You can override any user's property if you need to. To conclude, you configure the ZPA and start the services. Once started, ZPA automatically provisions users in the Global Zone upon periodic inspection.
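As an added illustration (not Centrify's code or algorithm), the following Python models the two stages the table describes: ZPA fills the %{u:...} attributes from Active Directory when it provisions a profile, and the DirectControl Agent fills %{home}, %{shell} and %{user} from each joined host's own defaults at login time. The AD user objects, the host defaults and the UIDs are constructed sample data.

```python
"""Added model of the ZPA profile templates from the table above (not Centrify code).
Stage 1 (ZPA): %{u:attr} placeholders are resolved from the user's Active Directory
attributes. Stage 2 (DirectControl Agent): %{home}, %{shell} and %{user} are resolved
on each joined host from its own configuration, so the same profile yields a
platform-appropriate home directory and shell everywhere."""
import re
from typing import Dict

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")

# Zone provisioning defaults as entered in the Global Zone's Provisioning tab above
ZONE_DEFAULTS = {
    "shell": "%{shell}",
    "home": "%{home}/%{user}",
    "gecos": "%{u:displayname},%{u:department},%{u:telephonenumber}",
}

# Constructed AD user objects; keys are the LDAP attribute names the templates reference
AD_USERS: Dict[str, Dict[str, str]] = {
    "fred.thomas": {"samaccountname": "fred.thomas", "displayname": "Fred Thomas",
                    "department": "Enterprise IT", "telephonenumber": "555-0100"},
    "adam.avery": {"samaccountname": "adam.avery", "displayname": "Adam Avery",
                   "telephonenumber": "555-0101"},        # department not set in AD
}

# Constructed per-host defaults, standing in for what the Agent reads from its own config
HOSTS: Dict[str, Dict[str, str]] = {
    "redhat": {"home": "/home", "shell": "/bin/bash"},
    "solaris": {"home": "/export/home", "shell": "/bin/sh"},
}


def provision(template: str, ad_user: Dict[str, str]) -> str:
    """ZPA stage: substitute %{u:attr} from AD; leave host placeholders untouched.
    An attribute the user lacks becomes an empty field, not a literal placeholder."""
    def repl(m):
        key = m.group(1)
        if key.startswith("u:"):
            return ad_user.get(key[2:].lower(), "")
        return m.group(0)                      # %{home}, %{shell}, %{user}: agent's job
    return PLACEHOLDER.sub(repl, template)


def agent_resolve(value: str, host: Dict[str, str], login: str) -> str:
    """Agent stage: fill %{home}, %{shell} and %{user} from the local host at login."""
    host_vars = {"home": host["home"], "shell": host["shell"], "user": login}
    return PLACEHOLDER.sub(lambda m: host_vars.get(m.group(1), m.group(0)), value)


def passwd_entry(login: str, uid: int, gid: int, host: Dict[str, str]) -> str:
    """passwd(5)-style line a given host would see for one provisioned user."""
    ad_user = AD_USERS[login]
    login_name = ad_user["samaccountname"]     # the <SamAccountName attribute> option
    # passwd fields are colon-delimited, so a colon inside an AD value must not leak in
    gecos = provision(ZONE_DEFAULTS["gecos"], ad_user).replace(":", " ")
    home = agent_resolve(provision(ZONE_DEFAULTS["home"], ad_user), host, login_name)
    shell = agent_resolve(provision(ZONE_DEFAULTS["shell"], ad_user), host, login_name)
    return f"{login_name}:x:{uid}:{gid}:{gecos}:{home}:{shell}"


def finger_fields(gecos: str) -> Dict[str, str]:
    """How finger reads a comma-separated GECOS field: name, office, office phone, home phone."""
    parts = (gecos.split(",") + [""] * 4)[:4]
    return dict(zip(("name", "office", "office_phone", "home_phone"), parts))


if __name__ == "__main__":
    for host_name, host in HOSTS.items():
        for n, login in enumerate(AD_USERS):
            print(f"{host_name:8} {passwd_entry(login, 1100 + n, 1100 + n, host)}")
    print(finger_fields(provision(ZONE_DEFAULTS["gecos"], AD_USERS["fred.thomas"])))
```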

Click on Start > All Programs > Centrify > Zone Provisioning Agent > Zone Provisioning Agent Configuration Panel to begin.

For the evaluation system set the values as follows:

Settings:
Domain: Confirm that the proper domain is displayed.
Polling interval: Set to 10.
Event log: Click the Write the UNIX profiles for the provisioned... radio button.
Troubleshooting: Do not check.
Service account: Enter Administrator and the administrator's password. (In a production environment, you would set this to a service account which has delegated permissions to run as a service and has appropriate permissions to create and delete UNIX profiles in the Global Zone.)

Click the Apply and then the Start button.

Note: The account you choose may not have Log on as a service rights. If you get the following error message, follow the instructions to add the Administrator account to the Log on as a service properties.

To see the results, in the DirectControl Administrator Console open Zones > Global > UNIX Data > Users. The right-hand pane should have all the members of the UNIX Users group listed. If it does not, reopen the ZPA and click the Restart button. (The members may not have appeared because the polling period had not ended. Restart forces a polling cycle.) In addition, right click in the pane and select Refresh.

Create groups, add users, assign role


At this point you have a Global Zone, all of the UNIX users in the Global Zone and a FIN child Zone. Users do not have roles yet so they cannot log in to the UNIX computer. Nor has the UNIX computer joined the network. In this section, you create groups, add the users to the groups and assign the roles that give the group members access to the UNIX computer.

Note: UNIX users should have an account in the Global Zone only. There are exceptions, but they are few. You would not, for example, add a UNIX user at the child Zone level. This would make account management more complicated than it needs to be. There are reasons to have additional account information in child and machine Zones, however. See Make machine-level adjustments on page 79 for an example.

1 Create the EntSA (enterprise system admins) and FinUser (Finance department users) groups. Open Active Directory Users and Computers. Expand to demo > UNIX > UNIX Groups and right click. Select New and then Group.

Enter EntSA as the Group name. There's no need to change the pre-Windows 2000 Group name. Use the default Global Group Scope and Security Group type radio button settings.

2 Create the FinUser group. Repeat the previous step, this time creating the FinUser group.

3 Add users to groups. Right click on EntSA and select Properties. Click the Members tab and then the Add button at the bottom of the page. For EntSA there's just one member: Fred Thomas. Enter Fred as the object name and click Check Names. Select Fred Thomas from the list and click OK and then OK again. Fred Thomas is now in the EntSA group. Click OK to exit. Right click on the FinUser group and repeat the process to add Brenda Butler, Chris Carter, and George Griffin to the group.

Both groups are now staffed but the users have no rights yet.
4 Add UNIX properties to Active Directory groups. This step serves two purposes: first you select the Zone in which that group's privileges apply, and second you give the group its UNIX properties. Open the Centrify DirectControl Administrator Console. First, put the EntSA group in the Global Zone. Right click Global > UNIX Data > Groups and click Create UNIX Group. Enter E and click Find Now. EntSA should appear in the list. Select it and click OK. You are prompted to enter the group ID: enter 80000 and click OK.

For FinUser, the process is the same except that you want to define the identity of the group in the FIN Zone, limiting the group's access controls to the UNIX systems joined to the FIN Zone only. Therefore, right click Global > Child Zones > FIN > UNIX Data > Groups and repeat the process to find the FinUser group and assign it GID 50000.

5 Assign roles to UNIX groups. The groups are staffed and in their Zones but the members still do not have any access rights. In this step, you grant access rights for the first time by assigning a role to a group. Begin with the EntSA group: In the Centrify DirectControl Administrator Console, expand Global > Authorization, right click on Role Assignments and select Add Group....

As above, enter E in the Name field and click Find Now. Select EntSA from the list and click OK. Click Browse to get the list of available roles. There are two default roles:

login: gives the group members login rights to the computers in the Zone
listed: gives users no rights; however, it lets the user remain in the Zone for historical records

The next chapter illustrates how you create additional roles. Select login.

Notice in the next window that the role includes the scope of the access rights - Global in this case - and allows you to set a Start time and End time and other properties to customize the privileges. Use the defaults for the evaluation and click OK. This completes the role assignment for the EntSA group. Repeat to assign the FinUser group the login role. The process is the same except you start the process in Global > Child Zones > FIN > Authorization > Role Assignments. The following figure shows you the result. Notice that the Role scope is limited to FIN. Click OK.

Join UNIX computer to a Zone


The EntSA and FinUser group members can now log in. However, the UNIX computer has not joined the Active Directory domain yet. In this section, you join the UNIX computer to the Active Directory domain and then the EntSA and FinUser group members log in. There are two ways to join a UNIX computer to the Active Directory domain:

Use the Deployment Manager: You run this option from your Windows system.

Run the adjoin command: You run this option from a console on the UNIX computer. See Run adjoin from the UNIX computer on page 76 for the instructions.

Use Deployment Manager


Once you have the container and Zone defined, you can use Deployment Manager to join any UNIX computer listed in Deployment Manager to the Active Directory domain. When you join, Deployment Manager lets you specify the Zone and container.

Notes: This procedure only works if you used Deployment Manager to deploy the Agent and Analysis Tools to the UNIX computer in Chapter 2, Setting up the evaluation environment (see Deployment Manager path on page 38). (If you manually installed the software on the UNIX computer, Deployment Manager does not yet know about that computer.) If you did not use Deployment Manager to install the Agent and Analysis software on the UNIX computer, skip to Run adjoin from the UNIX computer below.

Use the following steps to join your UNIX computer using Deployment Manager. You must be logged in with administrator privileges to use this command. Alternatively, you can specify another Active Directory account.

1 Start Deployment Manager.

2 In the left pane, expand the Computers node and select the computer you want to join to Active Directory.

3 Right click and select Manage Zone....

4 In the Manage Zones window select Join Computers to Zone.

5 In the Active Directory Administrative Account window, if you are not logged in with an account with administrator privileges, click the Use another user radio button and enter the account name and password. Click Next>.

6 The Provide Join Options window lets you specify the Zone to join (a computer can join only one Zone at a time) and the container for the information. For the eval system, you want to join the UNIX computer to the FIN Zone and list it in the UNIX Servers container.

First, select the Zone: Click the Zoned Mode radio button. Click the Browse button and, in the next window, the Find Now button. This lists all of the Zones you have created so far: only Global and FIN in our case. Select FIN and click OK.

Next, select the Container:

Check the Container: box and click the Change... button. Expand the UNIX container you created and select UNIX Servers. Click OK. Your Provide Join Options window should look similar to the following, where demo is the name of your domain. Click Next>.

The next window prompts you again to enter another Active Directory account name and password. This time, however, it is only pertinent to those cases where the Group Policy set in Active Directory locks down use of the UNIX computer root account. This policy has not been set in the evaluation system so you can ignore this window. (See Set user mapping on page 116 for more about locking down a root user.) Click Next>. The last window summarizes your selections. Click Finish.

Deployment Manager attempts to join the computer. An hourglass is displayed over the Computers, All Computers, and selected computer while the join is in progress. When it's done, you can confirm the join by selecting the Computers node to see the list of UNIX computers. Scroll to the right; the Domain and Zone data is now filled in. Repeat for all of the other UNIX computers you want to join.

Run adjoin from the UNIX computer


To join with adjoin, you must know the Windows Server Administrator password. Before you join, ping the Windows Server to confirm that the UNIX computer can find it on the network.

Note: When the UNIX computers join, they must specify the Zone. In this demo the Zone is FIN.

1 Join the UNIX computer. Log in to the UNIX computer using the root account, or a named account and then switch to the root account. You use the Centrify Suite adjoin command to join. It's in /usr/sbin on the UNIX node. The adjoin command format to join a Zone is:
adjoin windowsdomain -z zonename -c container -u accountname

where

windowsdomain is the name of the Active Directory domain on the Windows server
zonename is the name of the Centrify Zone
container is the fully qualified name of the AD container in which you want the computer listed (recall that you created a separate organizational unit, UNIX Servers, for the UNIX computers)
accountname is the AD account with root privileges

For example, in this book, the domain is named demo, so the adjoin command would be as follows:
adjoin demo -z FIN -c "demo/UNIX/UNIX Servers" -u Administrator

adjoin prompts you to enter the Windows Server Administrator password. adjoin displays the success message that indicates the Active Directory domain and the Zone. For our purposes, you can disregard the restart other services message. Open the DirectControl Administrator Console. Notice that your UNIX computer is now listed in the FIN child Zone. For example, in this figure the computer is named redhat.

Log in to the UNIX computer


Four people can log in to the joined computer: Fred Thomas (EntSA member) and the FinUser members (Brenda et al.). There are two ways to log in:

Login from the joined UNIX computer console: The DirectControl Agent routes login requests entered from the prompt to the Active Directory domain controller (the installation modifies the nsswitch configuration file). This approach is sometimes easier when you are working in a virtual machine where you have an open UNIX console right next to the Windows console. This interface is described immediately below.

PuTTY remote session: PuTTY is a utility included in the Centrify Suite DirectManage package. (It's in C:\Program Files\Centrify\Centrify PuTTY.) You can use PuTTY to log in to any joined UNIX computer from a joined Windows computer. Go to Login from Windows computer with PuTTY on page 78 for the PuTTY instructions.

Login from UNIX system console


When EntSA and FinUser group members log in from the UNIX console, the DirectControl Agent uses their Active Directory account to authenticate them. Open a session on the UNIX computer and respond to the login prompt with any of the EntSA or FinUser members' full Active Directory name; for example, log in as Fred.Thomas (Fred's full Active Directory name).

Enter the password. This demonstrates that the account authentication was in fact done on the Active Directory account rather than the local host. Subsequently the user can use either the full Active Directory name or the UNIX name. (Try it out: log out and then log in using the UNIX name you created for Fred.) All of the members of the EntSA and FinUser groups (Fred Thomas, Brenda Butler, Chris Carter and George Griffin) can log in because, as members of the group, they have login rights. However, the other UNIX users cannot log in because they do not have login rights assigned yet. For example, log out from fredt and try to log in as Adam Avery.

Login from Windows computer with PuTTY


Double-click on C:\Program Files\Centrify\Centrify PuTTY\putty to start a session. The following window is displayed.

Enter the full Host Name for your UNIX computer beginning with the Active Directory domain; for example, Demo.redhat in this exercise. (For convenience, enter a name for this node in Saved Sessions and click Save so you can just double click on the name to begin subsequent sessions on this computer.) PuTTY opens a session and displays the login prompt. To start, log in as brenda.butler using her full Active Directory name. Then enter her password. Notice that you entered the full Active Directory name. This demonstrates that the account authentication was in fact done on the Active Directory account rather than the local host. Subsequently the user can use either the full Active Directory name or the UNIX name. (Try it out: log out and then log in using the UNIX name you created for Brenda.)

Make machine-level adjustments


In Active Directory Users and Computers, display Brenda Butler's account properties. From the General tab, select the DirectControl Profile tab. Your display should look similar to the following (although your UID is likely different):

For our example, let's say that Brenda already has an account on the UNIX computer under the user ID 33445. This means that when she logs on using her Active Directory account (which has her new UID), all of the files associated with her old ID will not be accessible. In this section, you modify Brenda's account at the machine level to accommodate local requirements.

1 From the Centrify DirectControl Administrator Console, right click Global > Child Zones > FIN > Computers > computername > UNIX Data > Users and select Add User to Zone....

2 Enter b and click Find Now to retrieve Brenda's account info and click OK.

3 The program prompts you with Brenda's UNIX attributes. Click all of the boxes.

4 Enter 33445 as the replacement UID. The following figure illustrates the form after you update the UID (notice that Primary group is automatically updated).

After this change is made, when Brenda logs in to this computer she has the UID and Primary Group 33445; but only on this computer. On all other computers in the Zone, Brenda has her Global Active Directory UNIX attributes. If you did not check the other boxes (GECOS, Home directory, etc.) the account inherits the properties from the parent Zone.

Show Users
Use the Centrify DirectControl Administrator Console to display the effective users in a Zone or for a computer. For example, right click on your UNIX computer (redhat in the exercise) and select Show Effective Users. The Centrify DirectControl Administrator Console searches Active Directory for the users with permission to log in to the selected computer or Zone. The tabs in the lower window show you the selected user's UNIX profile, role assignment and rights.

You can display the effective users for Zones and computers.
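To make the scoping rules of this chapter concrete, here is an added Python model (written for this guide, not Centrify's code) of the Global and FIN Zones, the EntSA and FinUser GIDs and login role assignments, the joined computer redhat and Brenda's machine-level UID override; the second FIN computer fin2 and the 1100-range UIDs are constructed. Running it reproduces what Show Effective Users reports for each Zone and computer, and why Adam Avery is still refused.

```python
"""Toy model of the hierarchical Zones built in this chapter (added illustration, not
Centrify code). Role assignments made in a Zone apply to that Zone and every Zone below
it; UNIX profiles are looked up from the most specific Zone (the computer) upward."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# AD groups and members as created in Active Directory Users and Computers above
AD_GROUPS: Dict[str, Set[str]] = {
    "EntSA": {"fred.thomas"},
    "FinUser": {"brenda.butler", "chris.carter", "george.griffin"},
    "UNIX Users": {"adam.avery", "brenda.butler", "chris.carter", "fred.thomas",
                   "george.griffin", "nina.norris", "simon.schuster"},
}


@dataclass(frozen=True)
class Profile:
    uid: int
    gid: int


@dataclass
class Zone:
    name: str
    parent: Optional[Zone] = None
    groups: Dict[str, int] = field(default_factory=dict)                 # UNIX group -> GID
    role_assignments: Dict[str, Set[str]] = field(default_factory=dict)  # role -> AD groups
    profiles: Dict[str, Profile] = field(default_factory=dict)           # user -> UNIX profile

    def chain(self) -> List[Zone]:
        """This Zone, then its parent, and so on up to Global."""
        out, z = [], self
        while z is not None:
            out.append(z)
            z = z.parent
        return out


def build_demo() -> Dict[str, Zone]:
    global_zone = Zone("Global")
    fin = Zone("FIN", parent=global_zone)
    # A joined computer is modelled as a leaf Zone under the Zone it joined
    redhat = Zone("redhat", parent=fin)   # joined with adjoin demo -z FIN ... above
    fin2 = Zone("fin2", parent=fin)       # constructed: a second computer joined to FIN
    # ZPA provisions every UNIX Users member into Global (these UIDs are constructed)
    for i, user in enumerate(sorted(AD_GROUPS["UNIX Users"])):
        global_zone.profiles[user] = Profile(uid=1100 + i, gid=1100 + i)
    global_zone.groups["EntSA"] = 80000           # GID given in the Global Zone
    fin.groups["FinUser"] = 50000                 # GID given in the FIN Zone only
    global_zone.role_assignments["login"] = {"EntSA"}
    fin.role_assignments["login"] = {"FinUser"}
    # Machine-level adjustment: Brenda keeps her pre-existing UID on redhat only
    redhat.profiles["brenda.butler"] = Profile(uid=33445, gid=33445)
    return {"Global": global_zone, "FIN": fin, "redhat": redhat, "fin2": fin2}


def has_role(zone: Zone, user: str, role: str) -> bool:
    """A role assigned to one of the user's AD groups in this Zone or any ancestor
    applies here; the built-in 'listed' role carries no rights, so only 'login' matters."""
    return any(user in AD_GROUPS.get(g, set())
               for z in zone.chain() for g in z.role_assignments.get(role, set()))


def effective_profile(zone: Zone, user: str) -> Optional[Tuple[str, Profile]]:
    """Nearest definition wins: computer, then child Zone, then Global."""
    for z in zone.chain():
        if user in z.profiles:
            return z.name, z.profiles[user]
    return None


def effective_groups(zone: Zone) -> Dict[str, int]:
    """UNIX groups visible on a computer: every ancestor's plus its own Zone's."""
    groups: Dict[str, int] = {}
    for z in reversed(zone.chain()):       # Global first, so nearer Zones can shadow
        groups.update(z.groups)
    return groups


def effective_users(zone: Zone) -> Dict[str, Tuple[str, Profile]]:
    """What Show Effective Users reports: users holding a profile AND the login role."""
    result: Dict[str, Tuple[str, Profile]] = {}
    for user in sorted(AD_GROUPS["UNIX Users"]):
        prof = effective_profile(zone, user)
        if prof is not None and has_role(zone, user, "login"):
            result[user] = prof
    return result


if __name__ == "__main__":
    zones = build_demo()
    for name in ("Global", "FIN", "redhat", "fin2"):
        print(f"== {name}: groups {effective_groups(zones[name])}")
        for user, (src, p) in effective_users(zones[name]).items():
            print(f"   {user:16} uid={p.uid:<6} gid={p.gid:<6} profile from {src}")
```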

Summary
In this chapter you created users and groups in Active Directory and then added UNIX properties, roles and rights using the Centrify DirectControl Administrator Console. In addition, you saw how to adjust a user's UNIX attributes to accommodate machine-level differences. All in all, though, the rights granted here are broad and wouldn't work in a production environment. In the next chapter, you learn how to create new rights and roles and assign them to groups to give you the access rights precision you need.

Chapter 4

A&A: Just in time provisioning


In this chapter, you expand upon the configuration started in the previous chapter to add more groups, define new rights, create roles from those rights, and assign roles to a group so that the members have special privileges but only within a clearly defined scope. The procedure is composed of the following sections:

1 Create admin groups and add users
2 Create new privileges, roles and assignments
3 Create computer role and assign group
4 Delegating Control
5 Making Changes

Note: Whenever the instructions refer to Active Directory Users and Computers, this refers to the dsa.msc command on the Windows workstation. If you are running the exercise from the Windows Server instead, this utility is available in the Administrative Tools menu.

Create admin groups and add users


In a complex network of UNIX and Windows systems, there are different kinds of admins who need different kinds of privileges. For example, many of our customers have database administrators who need access to databases and applications running on the UNIX computers and department system admins responsible for the maintenance of those computers. However, you don't want the dba and the department sysadmin to have more rights than they need nor access to computers outside their responsibilities. This chapter illustrates how you can create rights and roles for groups and limit the group members' administrative reach.
1 Create admin groups in Active Directory. In Active Directory Users and Computers, create two groups in the UNIX Groups organizational unit:

FinWeb: Finance department administrators for an Apache Web server running on our redhat server.
FinSA: Finance department administrators for the UNIX computers running Red Hat Enterprise Linux.

You use the same procedure to create these groups as you did to create EntSA and FinUser (see page 69).


2 Add the following users to the groups. You use the same procedure to add these users to these groups as you did to add users to EntSA and FinUser (see page 70):

FinWeb: Add Nina Norris
FinSA: Add Adam Avery

This completes the Active Directory portion of the configuration.


3 Open the DirectControl Administrator Console and add UNIX properties to the FinWeb and FinSA groups (see page 71). For FinWeb use GID 40000 and for FinSA use GID 60000.

Create new privileges, roles and assignments


These groups are going to require special rights to do their job; but these are rights you don't want to give to other admins. In this section you create a new right and define a new role for the FinSA group. You create new rights using the Centrify DirectControl Administrator Console Commands option. Each Zone has its own category for creating commands so you can limit the scope to just the Zone and its children. In this example, the rights will apply in the FIN Zone only.

Note: Recall that you can use these command definitions to replace the sudo commands you have in your sudoers files. Building the collection of privileged commands in the Zone centralizes command management and makes it easier to manage user rights.

Expand Global > Child Zones > FIN > Authorization > Right Definitions and right click on Commands. Select the New Command ... option.

Note: See Script Example in Chapter 6, A&A: DirectManage UNIX adtools, for more examples of rights and how they are used in roles.

1 Create new right.

Occasionally the department sysadmin needs to update configuration files on the UNIX machines, for example, the Centrify Suite configuration file - centrifydc.conf. Another example: an Apache server web administrator occasionally needs to modify the httpd daemon configuration file. In this step, you create commands that give users very specific privileges. In subsequent steps you see how to control where those privileges are exercised. To give, for example a sysadmin the ability to edit centrifydc.conf use the New Command form to specify the command name, description, form and other attributes. The following figure illustrates the first form.

Fill in the fields as shown above. Take a look at the Run As, Environment and Attributes tabs; these give you further control over the use of the command. For this example, take the defaults and click OK. Right click Commands to create two more rights (these two will be used in later steps to create the web administrator role):

Name: httpd stop-start
Description: stop and restart the httpd daemon
Command: /sbin/service httpd*

Name: vi httpd
Description: Edit httpd conf file
Command: vi /etc/httpd/conf/*

Once you have your set of rights defined, you assemble them into roles.

Chapter 4 A&A: Just in time provisioning

85


In the next steps, you create a new role, FinDSA, and then define the rights available to users in that role. In this example, you assign the login right (which gives you access through the PAM interface) and vi httpd (one of the rights you just created).
2 Create new role.

You start by creating the role. In this example you create the new role in the FIN Zone. This means the role is only available for assignment to users and groups in FIN and its child Zones. To create a role in FIN, expand Global > Child Zones > FIN > Authorization and right click Role Definitions. Select Add Role.

Enter FinDSA for the name and Finance Department system administrator for the description. Notice that you can set available times to limit the role's access to, for example, working hours only. Click the System Rights tab and, for convenience in the evaluation system, check all the boxes and click OK. In this step, you just created the role. The rights are attached in the next step.
3 Assign rights to role.

To assign the set of rights to a role, right click on the role under Role Definitions and select Add Right ... .


All of the rights available in this Zone are listed. For the evaluation system, select the login/FIN and the new commands you just created.

4 You now have a role with rights that you can assign to a user or group. In this step you assign the role to the FinSA group (Finance department system administrators). Select Child Zones > FIN > Authorization > Role Assignments and right click. Select Add Group .... In Name, enter f and click Find Now to list just the users and groups that begin with F. Select FinSA from the list and click OK.

The program prompts you to enter the Role. Click the Browse button to display the roles available and select FinDSA, the role you just created. Click OK to select FinDSA and OK to finish. The members of the FinSA group now have the rights defined in FinDSA. To see the change, click Show Effective Users in the FIN Zone. The FinSA member (Adam Avery) now appears in the list. Select Adam Avery and click the Role Assignment and Rights tabs for more detail.

Create computer role and assign group


Computer roles are the efficient way to assign a group role to a set of computers. They give you fine-grained control over access-right provisioning without administrative overhead. You can define the set of computers in the role by any parameters, and they can span Zones or exist in a single Zone. This example shows how you create the computer role, add member computers to the role and assign the group privileges. In these steps, you create a new Active Directory group for the computer role and then create the role and repeat the rights/role/group assignment you did for the FinDSA role to give the FinWSA group custom rights across all of the machines in the computer role.
1 Create FinApache group.

In Active Directory Users and Computers right click UNIX Groups and create a new group called FinApache.
2 Create computer role.

Computer roles are created out of the Authorization category. In Centrify DirectControl Administrator Console expand Global > Child Zones > FIN > Authorization and right click on Computer Roles. Select Create Computer Role ....

Enter the name FinApache and the Description as shown in the following figure. Click the down arrow and select <...> to pick the Active Directory group for this computer role. Enter f and click Find Now to filter the object search and select FinApache from the list. Click OK to select FinApache and OK again to finish.

Now you have the computer role. However, within the role you do not yet have any group role assignments or member computers.
3 Make FinWSA role definition.

In this step, you define a new user role and system rights to assign to the FinWeb group you created in the beginning of this chapter. In the DirectControl Administrator Console, select Global > Child Zones > FIN > Authorization > Role Definitions. Right click and select the Add Role... option. Enter FinWSA and add the description Finance department web system administrator. In the System Rights tab, check all of the boxes. Back in the General tab, click the Available Times button. This is how you would limit the hours in which the role is available. Try setting some times or click Cancel. Click OK and you are done with this step.
4 Add rights to FinWSA role.

You just created a new user role; in this step you assign the rights to the role. Select the new FinWSA Role Definition. Right click and select Add Right ... . In the Add Rights window use Ctrl-click to select the three commands illustrated in the following figure. (Recall that you added two of those commands earlier.) These rights let group members log on to UNIX machines in the FIN Zone only, stop and start the httpd daemon and edit the httpd configuration file.


Click OK and you are done defining the rights for this user role.

5 Make Role Assignment.

In this step you select the FinWeb group and assign the FinWSA role to define a set of users and a precise set of rights for all member computers in the FinApache computer role. Select the Role Assignments option in the FinApache computer role. Right click and select Add Group ....

Click Find Now and select FinWeb and click OK. In the Add Access Group window, click Browse and select FinWSA.


6 Add Member Computers.

The only thing missing from the computer role is the member computers. In this exercise, you only add one. But in production, this is where you would add, for example, all of the computers that have an Apache server. This time, click Members under the FinApache role. Right click and select Add Computer ....

Enter the first letter of your UNIX computer's name (for example, r for redhat) and click Find Now. Select your computer from the list and click OK. This concludes defining a computer role and a set of users and rights that apply just to the computers in that role. To demonstrate just in time provisioning, take a look at the FIN Zone effective users. First, select Global > Child Zones > FIN, right click and select Show Effective Users. Your window should look similar to the following:


This shows the users with rights across all computers in the Zone. What you see are the members of the FinUser (Brenda, Chris, and George), EntSA (Fred) and FinSA (Adam) groups. Now, click the Computer drop down menu and select your UNIX computer (in this case redhat).

Notice a couple of differences. Another user is listed: Nina Norris. That's because when you show the effective users for this machine only, it includes everyone in the Zone PLUS members of groups in the machine Zone. These users do NOT, however, have any access privileges outside the machine Zone.

Brenda has a different UID. That's because you changed it in the machine Zone. This means that on all computers in the Zone other than this machine she is known as UID 10002. But on this machine she's 33445.

You have now provisioned two groups to perform very different administration roles on the same computer: FinSA, who can log in and do the UNIX maintenance chores, and FinWeb, who can do the Apache server maintenance chores. That's all their privileges allow. Try it out. For example, log on to your UNIX computer as Nina Norris and edit the centrifydc.conf file. Go back to Step 1 on page 85 to create a new right and add it to the FINSA role. Log Nina out, log in again and try the command.
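To make the scoping rules of this chapter concrete, the following Python script is an added example; it is not Centrify code and is not part of the original guide. It models the objects you created (the Global/FIN/machine Zone chain, the command rights, the FinDSA and FinWSA roles, the FinSA and FinWeb groups, the FinApache computer role and the two role assignments) as plain data structures and computes which commands a user may run on a given computer. The right name vi centrifydc, the second FIN computer solaris, the FormerEmployees group with its empty NoAccess role (after the idea in Making Changes), and the use of shell-style glob matching for command patterns are all assumptions; the real product evaluates these objects in Active Directory through the DirectControl Agent.

```python
"""
Toy model of Zone- and computer-role-scoped rights for the FIN Zone scenario.
Constructed for illustration; it does not talk to Active Directory and the
names below are assumptions that mirror the objects created in the exercises.
"""
import fnmatch

# Zone hierarchy (child -> parent). The machine Zone for the evaluation host
# "redhat" sits under FIN, which sits under Global, as in the exercises.
ZONE_PARENT = {"FIN": "Global", "redhat": "FIN"}

# Which Zone each computer lives in. "solaris" is a constructed second FIN
# computer that is NOT a member of the FinApache computer role.
COMPUTER_ZONE = {"redhat": "redhat", "solaris": "FIN"}

# Command rights: right name -> command pattern, as entered in the New Command
# form. "vi centrifydc" is an assumed name; the other two are from step 1.
COMMAND_RIGHTS = {
    "vi centrifydc": "vi /etc/centrifydc/centrifydc.conf",
    "httpd stop-start": "/sbin/service httpd*",
    "vi httpd": "vi /etc/httpd/conf/*",
}

# Roles: role name -> set of rights. "login/FIN" is the PAM login right.
ROLES = {
    "FinDSA": {"login/FIN", "vi centrifydc"},
    "FinWSA": {"login/FIN", "httpd stop-start", "vi httpd"},
    "NoAccess": set(),  # assumed role with no rights, for former employees
}

# Active Directory group membership (constructed sample accounts).
GROUPS = {
    "FinSA": {"adam"},
    "FinWeb": {"nina"},
    "FormerEmployees": {"george"},
}

# Computer roles: role name -> member computers.
COMPUTER_ROLES = {"FinApache": {"redhat"}}

# Role assignments: (scope kind, scope name, group, role).
# A Zone-scoped assignment covers every computer in that Zone and its children;
# a computer-role-scoped assignment covers only the role's member computers.
ROLE_ASSIGNMENTS = [
    ("zone", "FIN", "FinSA", "FinDSA"),
    ("computer_role", "FinApache", "FinWeb", "FinWSA"),
    ("zone", "Global", "FormerEmployees", "NoAccess"),
]


def zone_chain(zone):
    """Return a Zone and all of its ancestors, nearest first."""
    chain = []
    while zone is not None:
        chain.append(zone)
        zone = ZONE_PARENT.get(zone)
    return chain


def effective_rights(user, computer):
    """Union of the rights the user holds on this computer via all assignments."""
    zones = zone_chain(COMPUTER_ZONE[computer])
    rights = set()
    for kind, scope, group, role in ROLE_ASSIGNMENTS:
        if user not in GROUPS.get(group, set()):
            continue
        in_scope = (kind == "zone" and scope in zones) or (
            kind == "computer_role" and computer in COMPUTER_ROLES.get(scope, set())
        )
        if in_scope:
            rights |= ROLES[role]
    return rights


def can_login(user, computer):
    """True if some effective role grants the PAM login right."""
    return "login/FIN" in effective_rights(user, computer)


def is_permitted(user, computer, command):
    """True if the command matches a command right the user holds on the computer.

    A user who cannot log in gets nothing (modelled here as an assumption).
    Glob matching via fnmatch is likewise an assumption about how patterns such
    as '/sbin/service httpd*' are evaluated; the product's exact matching rules
    are in the Administrator's Guide, not here.
    """
    if not can_login(user, computer):
        return False
    for right in effective_rights(user, computer):
        pattern = COMMAND_RIGHTS.get(right)
        if pattern and fnmatch.fnmatchcase(command, pattern):
            return True
    return False


if __name__ == "__main__":
    for user, computer, cmd in [
        ("adam", "redhat", "vi /etc/centrifydc/centrifydc.conf"),
        ("nina", "redhat", "vi /etc/centrifydc/centrifydc.conf"),
        ("nina", "redhat", "/sbin/service httpd restart"),
        ("nina", "solaris", "/sbin/service httpd restart"),
        ("george", "redhat", "/sbin/service httpd restart"),
    ]:
        print(f"{user:7} {computer:8} {cmd!r:45} -> {is_permitted(user, computer, cmd)}")
```

Running the script shows the behaviour the chapter describes: Adam (FinSA) may edit centrifydc.conf on any FIN computer but not restart httpd, Nina (FinWeb) may manage httpd only on computers that are members of FinApache, and a member of FormerEmployees holds no rights anywhere even though the account still exists.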

Delegating Control
So far you have been the person creating Zones, groups, commands, roles, etc. However, in production you would want to delegate the functions to a group. You can delegate control at the global, child and machine levels. For example, select Global, right click and select Delegate Zone Control ....


In the Zone Delegation Wizard, click the Add... button. In the next window, instead of User, select Group from the Find: drop down menu.

Enter e in the Name: field and click Find Now. Select EntSA, the enterprise sysadmin group, and click OK. Click Next> and the wizard displays the set of tasks that control who can do what in the Global Zone. (You can do the same to delegate tasks separately in a child Zone.) Take a look at the list. You can give one set of tasks to one group and a different set to another. For example, the EntSA members can join a computer to a Zone, and add and remove users; however, the FinSA (finance department sysadmin) members can only add and remove users.

Click Cancel to proceed. You can also delegate control at the machine level. For example, right click on the computer in the FIN Zone and follow the forms to select a group (for example FinSA). After you click Next> notice that you have fewer tasks to delegate. Again, you can delegate different sets of tasks to different groups at this level.


Making Changes
You make account, access rights, and computer changes at the Active Directory administration level, not on the computers themselves.

Accounts
Adding and deleting users and placing users in groups can all be done within Active Directory. These are the sort of tasks more efficiently done by a helpdesk clerk using a commercial GUI than by your UNIX sysadmins. For example, to add a new administrator to the FinSA group with Active Directory Users and Computers, the clerk just selects the FinSA group, clicks Properties and clicks the Members tab. Similarly, it is easy to change a user's privileges when they change jobs: when the authorization ticket reaches the helpdesk, the clerk just removes that person from one group and puts him in the new one. At no time in either step does the clerk need to modify or assign that user's rights. When you delete a user, it is often desirable to keep the account around but remove all privileges. In this case, you would create a group, FormerEmployees, and give it a role assignment that carries no rights. This way, the user account properties are preserved and available for reports, but the user cannot do anything.

Rights
Rights are changed at the role level in DirectControl Administrator Console. After you create the new right, you select the role under Role Definitions and simply Add Right.... As soon as the right has been added, it is available to all users who are members of groups with that role assignment. There's no need to make any changes at the account level.

Computer
Centrify Suite Zones and computer roles dramatically simplify the configuration and repurposing of UNIX computers. For example, when a new computer with the DirectControl Agent is joined to a Zone, group members with privileges in that Zone can access it without the tedium and potential mistakes of creating new accounts and assigning rights on the machine itself. If you need to constrain the rights of some users when they access the machine (for example, the FinSA admins described earlier), add the computer as a member to a Computer Role. Now, those group members with access assignments in that role can access it too. Repurposing a machine is similarly straightforward.
To change Zones: adleave and then adjoin the other Zone.

To change computer roles: remove it as a member from one and add it as a member of the other.

You do not need to change the user accounts or access rights on the machine.

Where to next
You should proceed to the next chapter for the description of the DirectManage Report Center. However, if you use any of the following for authentication and authorization, there is additional information in the appendixes. Do you use Kerberized OpenSSH for authentication? If so, Centrify Suite includes a compiled version of the latest OpenSSH distribution to make it easy for you to install and continue to use SSH for secured authentication to Active Directory using Kerberos. See Appendix A, Using Centrify Suite with SSH.

Do your UNIX computers and applications submit lookup requests directly to a NIS server listening on the NIS port? Centrify Suite includes its own Network Information Service and daemon process to receive and respond to NIS client requests. See Appendix B, DirectControl Network Information Service, to set up the daemon on a managed computer to enable the local UNIX operating system to access NIS maps that are managed and securely distributed from Active Directory.


Chapter 5

A&A: Administrator Console reports


In this chapter, we highlight the reports available from the DirectControl Administrator Console Report Center.

The following topics are covered:
Understanding DirectControl Administrator Console reporting
Running DirectControl Administrator Console reports
Creating and modifying report definitions

Understanding DirectControl Administrator Console reporting


Reports provide you with information about the users, groups, computers, and Zones you are managing and the properties associated with them. They can be useful for auditing who has access to different systems, the availability of licenses, and the current status of accounts. Reports can also be used as a way to periodically check the integrity of Zones across the Active Directory forest and to verify which users have permission to perform specific tasks. Pre-built reports are provided for Users, Groups, Computers, Zones, and Centrify licenses for two Centrify Suite architectures:
Classic Zone: These reports are for Zones created under Centrify Suite 2011 and earlier.
Hierarchical Zone: These reports are for Zones created using Centrify Suite 2012. Use this series for all examples below.

You can customize the stock reports by filtering, grouping, sorting, and formatting the information included for the objects being reported on. You can also use the New Report Wizard to create your own custom reports. The results from any report can be exported in a variety of popular formats such as PDF, HTML, XML, and Excel.

Running DirectControl Administrator Console reports


Each report definition can be used to retrieve a current report of live data at any point in time. You can also use the report definition to take a snapshot of the live data and save the result in a dated report for later use. For example, you may want to take a weekly or monthly snapshot of data to compare the results of a specific report over time. Centrify Suite retrieves the current results the first time you click the Current node for any report definition. When you click Current the first time, Centrify Suite retrieves the appropriate information from Active Directory as it exists at that moment. The results are not updated continuously, however. You can refresh the current results at any time by selecting Current, right-clicking, then clicking Refresh. To retrieve the current results for an existing report definition:
1 Open the DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Expand the report definition name for which you want to retrieve results, then click Current. For example, to retrieve the current information for the Group Report, expand the Groups Report report definition, then click Current.

The first time you open a report the data is not fleshed out. Instead, the folders are listed. Double click on each result to load the item, in this case groups, in the Zone. After you have opened each item, it is added to the tree on the left.


The results data is live, allowing you to perform actions on it. For example, you can select an individual group in the results pane and right click to get the Zone properties.

Take a snapshot of the current values


The current data changes as you add or delete accounts or change account properties. You can take and save snapshots for archiving. To take a snapshot for a report definition:
1 From the DirectControl Administrator Console Report Center, select the report definition you want to snapshot. For example, right-click on Groups Report and select Take a Snapshot. The report is saved under the tree and in the results pane. Double click on it to see the report.

Generating a static report


You can also generate a static report of the results in a more formal format, suitable for printing. For example, right click Current and select Display Report ... . The following figure illustrates the results.


This figure shows the default report format. Click the Report menu and then select Format ... to reformat the display. The following figure illustrates your formatting options. You can print from this window.

Creating and modifying report definitions


Report definitions define the content and format of reports. The report definition describes the information (the objects and their properties and relationships) to retrieve, and how the retrieved information should be grouped and sorted in report output. You can delete, modify, or rename any existing report definition, including the default report definitions, using the Report Wizard. You can also create your own custom report definitions. The following procedure steps you through the process of creating a report definition to report on users for the Finance Zone. The report is modeled on the Users Report but will return data for the Finance Zone only. To create a new report definition:
1 From the DirectControl Administrator Console console tree, select then right-click the Report Center.
2 Click New Report Wizard.

3 Enter a name and optional description for the report. For example, User Report Finance Zone. Then click Next.


4 The drop down menu lets you select, at the highest level, the basis for the report. For our example, scroll down and select Zones.

Note: Typically, reports retrieve data for opened Zones because reporting on all Zones can drastically impact performance. However, later on in the wizard you will filter the report to retrieve data for a single Zone only, so you do not need to worry about performance. By selecting Zones rather than Opened Zones, you can report on the Finance Zone whether it's open in the console or not.

Click Next.
5 Select Yes to relate the Zone to other objects. In the drop down menu scroll down and select (Yes, Zones that:) contain Zone Users from the pull-down menu. Then click Next.

6 Select No, then click Next.

7 Select the properties to display:

Select Zones in the Objects box, then select Name in the Properties box (it should already be selected). Select Zone Users, then select AD User, Name, and UID. Then click Next.

8 You can create a filter in the next window. However, since you don't have many users in the Zones, just click Next.


9 Review the report definition you have created, then click Finish.

The program adds the new report to the Report Center tree. In the Console tree, expand User Report Finance Zone, then right click Current and select Display Report.
Notes: If you see a report with headings but no data, it means there are no users in the Zone. (Recall, for example, that all of the users are in the global Zone.)

If you need to add a user to a Zone, you can do it from the Report Center. Right click the object in the results pane and follow the by now familiar procedure to select the domain, filter for a particular user and select the user. This option also gives you the opportunity to define or modify the user's UNIX profile and assign them a role.

If you make changes, click Report Center, right-click User Report Finance Zone, and select Refresh. Then double-click the Finance object to see the report with the newly added users.


Chapter 6

A&A: DirectManage UNIX adtools


Centrify Suite includes a set of DirectManage tools that are installed on the UNIX computer along with the DirectControl Agent. You have already used one of the tools, adjoin, to join the UNIX computer to a Zone. In addition, there are some other commands you can invoke from the UNIX computer to query and modify Active Directory (rather than using Active Directory Users and Computers or the DirectControl Administrator Console).

Centrify Suite UNIX adtools


The adtools are in /usr/bin and /usr/sbin. Some of the more useful commands are as follows:

adjoin: Join the UNIX computer to an Active Directory domain, organizational unit and Zone.

adquery user: List the UNIX users in the Active Directory Zone.

adquery group: List all of the UNIX groups in the Zone.

adinfo: Display join attributes.

adupdate: Change Active Directory accounts; for example, delete a user or group.

adleave: Unjoin the computer.

adgpupdate: Deploy immediately any changes you have made to a Group Policy Object (see Chapter 7, A&A: Active Directory Group Policy Controls to learn how to change Active Directory group policies).

adpasswd: Change the account password.

In addition, the Centrify Suite installation package includes two other useful commands:

dzinfo: Use this command to display the current logged-in user's attributes:
user name
role name and effective rights
PAM application
any privileged commands
whether she is forced into a restricted environment

dzdo: Use this instead of sudo when you enter the privileged commands.

See the Centrify Suite, Standard Administration Guide for the full explanation of the ad commands.


In addition, Centrify Suite includes ADEdit, an Active Directory editing tool you run from a UNIX computer in the network. ADEdit is designed for administrators who have traditionally administered their systems from UNIX scripts or the UNIX CLI, and includes a scripting language so administrators can build their own sets of commands. The rest of this chapter introduces ADEdit and describes its major features. We also include an ADEdit script that replicates and expands upon the configuration of UNIX users, groups, roles, etc. you created in the earlier chapters. For the full description of the ADEdit commands and library, see the Centrify Suite ADEdit Programmer's Guide provided in the distribution package Document folder.

ADEdit overview
ADEdit provides a command-line interface from a UNIX computer that gives you complete control of Active Directory objects, based on the Active Directory rights of the user account running the ADEdit command. You can modify every aspect of operation that the DirectControl console offers and build scripts that automate the maintenance functions. A knowledgeable UNIX administrator can use ADEdit alone for complete DC administration. ADEdit has two basic components:
the ADEdit application
the ade_lib Tcl library

ADEdit accepts and executes Tcl script files that include the ADEdit commands (see the ade_lib library description). You can run the script from the adedit command interface or as an executable file on the UNIX platform. ADEdit binds to one or more Active Directory domain controllers. ADEdit can query AD for data within bound domains, retrieve AD objects, modify those objects, create new objects, and delete existing objects. Those objects include all DirectControl-specific objects such as Zone objects, Zone user objects, role objects, and more.


The following figure illustrates the components:

ADEdit application
ADEdit uses Tcl as its scripting language. Tcl is a long-established extensible scripting language that offers standard programming features and an extension named Tk that creates GUIs simply and quickly. The Tcl scripting language includes full programming logic with variables, logical operators, branching, functions (called procedures in Tcl), and other useful program-flow features. ADEdit includes a Tcl interpreter and the Tcl core commands, which allow it to execute standard Tcl scripts. ADEdit also includes a comprehensive set of its own commands designed to manage DirectControl, DirectAuthorize, and Active Directory. ADEdit will execute individual commands in a CLI (in interactive mode) or sets of commands as an ADEdit script.

ade_lib Tcl library


The ade_lib Tcl library is a collection of Tcl procedures that provide helper functions for common DirectControl management tasks such as listing Zone information for a domain or creating an Active Directory user. You can include ade_lib in other ADEdit scripts to use its commands.

ADEdit commands
ADEdit offers a comprehensive set of commands, grouped into the following categories:


General-purpose commands

ADEdit's general-purpose commands control ADEdit's overall operation and provide information about ADEdit: they provide help text for commands, set the LDAP query time-out interval and quit ADEdit.
Context commands

Context commands set up and control the ADEdit domain context. You bind to a domain to set the context for subsequent object management commands. The other context commands report current bindings, show current bindings and selected objects, and push and pop contexts off the ADEdit context stack.
Object-management commands

Object management commands are the core of ADEdit. They let you do all of the operations performed in Active Directory Users and Computers and the DirectControl Administrator Console via command entries from the ADEdit prompt. The following list summarizes the commands by object:

Zones: Create, select and delete Zones. Additional commands in this category let you list child Zones, display and set Zone field values and assign Zone rights to a user or group.

Computer roles: Create, select and delete computer roles in the selected Zone. Additional commands in this category let you examine and modify computer roles and associate computer roles with role assignments.

Zone users, groups and computers: Create, select, and delete user(s), group(s) and computer(s) in the selected Zone. Additional commands in this category let you examine and modify the user, group or computer attributes.

Commands, User Roles and Role Assignments: Create, select and delete rights (commands), roles and role assignments. Additional commands in these categories let you assemble a set of commands into a role and assign a role to a user or group. Use these commands to list rights, roles and assignments and to modify existing definitions too.

PAM applications: Create, select and delete PAM application objects. Additional commands in this category list the PAM applications in the Zone and let you view and set PAM application fields.

NIS maps: Create, select and delete NIS map objects in the selected Zone. Use other commands in the category to list and examine map entries.

Generic Active Directory objects: Create, select or delete Active Directory containers, users and groups. Use the other commands in this group to view and modify object attributes.


Utility commands

Utility commands perform useful data retrieval and data conversion tasks. They convert domain names and security principal names from format to format and they manipulate distinguished names. They check with Active Directory to convert between user principal names (UPNs) and distinguished names. They query Active Directory for local users, look up users by UNIX name, look up security principals by security IDs (SIDs), and convert SIDs to escaped strings. They also return information about users, groups, and group membership and set user passwords.
Security descriptor commands

Security descriptor commands modify security descriptors and make them readable by humans.

Script Example
You could have used an ADEdit script to create the environment described in the A&A chapters. The Centrify forum has an ADEdit script you can download that shows how to create the Zones, users, groups, roles, rights, etc. you created earlier. In addition, the sample expands upon the elements to give you a richer environment to continue your evaluation. To get the script, go to the following URL:
http://www.centrify.com/evalsetup

and download the tgz file. Copy the file to any UNIX node that has the DirectControl UNIX tools and use the host's commands to unpack it. For example, if the UNIX host is running Red Hat you would use the following commands:
# gunzip Centrify-Suite-Eval-Script.tgz
# tar xvf Centrify-Suite-Eval-Script.tar

This extracts the file adsetup-evalguide.sh from the tar file. The remainder of this section describes how to run this script. We strongly recommend using this script as a part of your evaluation. See Inside the script on page 111 for a description of the script's elements.
Note: The script is updated often. Some elements, such as users or groups, may not match exactly the description that follows.

Run script

Note: If you have any open instances of Active Directory Users and Computers and the DirectControl Administrator Console, you do not need to close them. However, be sure to refresh after running the script to update the display.


To run the script, change to the directory in which you unpacked the file and enter the following command. You will need the Windows Server Administrator's password to complete the operation.

./adsetup-evalguide.sh -d [your domain] -o [ou=baseOU] -u [Administrator or privileged account]

where
-d is the domain name
-o is the base organizational unit; enter the base name in the form ou=name
-u is the account name

For example, the following picture shows the command you enter based on the exercises so far (domain = demo, base ou = UNIX, and user = the Windows Server Administrator). The picture also shows the messages displayed by the script. (These messages may change with new releases of the script.)

The following figure illustrates the Zones, users, and groups created by the script. It's an expansion upon the users and groups created in the exercises. To see the additions, open Active Directory Users and Computers: the new groups are in domain > UNIX > UNIX Groups and the new users are in domain > Users and domain > UNIX > UNIX Groups > UNIX Users.
Note: Since the script adds the users to the UNIX Users group, the Zone Provisioning Agent automatically assigns the UNIX properties to each account.

Now, open the DirectControl Administrator Console. Notice that the new Marketing groups (for example, MktgSA, MktgUser and MktgWA) do not appear in the mktg child Zone Groups, only in Role Assignments. This is because you need to add the UNIX attributes to Active Directory groups ONLY if you are going to use the UNIX group ID for access controls on the UNIX file system. If you are not using the UNIX GID for access controls on the UNIX file system, you do not need to add the UNIX properties to an Active Directory group. Instead, all you need to do to define group members' access rights is make the Role Assignment in the DirectControl Administrator Console directly to the Active Directory group. In addition, notice that there is an EntApache computer role in the Global Zone. This was added to demonstrate how the hierarchical model applies to computer roles. For example, the EntApache computer role would include as its members all of the computers in the FinApache and MktgApache roles. This grants the EntSA group members access rights to all computers in both of the roles. However, FinWeb members can only access the computers in FinApache. This also makes adding a machine to a computer role easy: after it has joined the finance Zone, just add it as a member to the FinApache group. Instantly, all members of the EntWA and FinWA have their group access rights.

The example script expands on the foundation created in the earlier chapters in two basic areas:

Adds the mktg Zone.

Expands on the rights and roles in the Global Zone.


For example, expand Global > Authorization > Right Definitions > Commands. These commands were created in the script in the Global Zone so that they would be available for role definitions in the Global and any child Zones.

Alternatively, if you wanted commands that were just available within a specific Zone, you would define them in that Zone alone. Similarly, the script added several PAM access applications to the Global Zone. The users in each Zone may need only one of them, but it is convenient to have them all in one place.

This Zone also demonstrates how precisely you can define a role. For example, click on the WebAdmin role.


The purpose of a role is to define very precisely what users can do; in this case, users and groups with the WebAdmin role can only do the commands listed in this figure. The script makes the role assignment to the MktgSA group in the MktgApache computer role.

This limits the computers on which the group members have the authorization to use these commands to just the MktgApache role member computers. You can use the same rights and roles for other groups too. For example, you could assign the WebAdmin role to the FinWeb group in the FinApache computer role. This would give FinWeb group members the same privileges; however, they would only be able to exercise those privileges on the computers in the FinApache computer role.

Inside the script


Open the script adsetup-evalguide.sh file to see how the script is organized. See the Centrify Suite ADEdit Programmer's Guide for a thorough explanation of the command syntax and available commands. The rest of this chapter provides a broad overview of the script's contents. The picture at the beginning of this chapter illustrates the Zone elements created.
Note

The script anticipates that you have already created the UNIX, UNIX Groups and Service Accounts organization units and the UNIX User group.

The script has the following segments. The number in parentheses is the approximate line number.

Create Zone structure (76): Creates the Global, FIN and mktg Zones. In this example, however, the create commands for Global and FIN are commented out since they already exist.

Create AD users (91): Creates the Active Directory accounts for all of the users. In the DirectControl Administrator Console, see Global > UNIX Data > Users for the full list of users. If you want to try logging in as one of these users, all accounts are assigned the same password, testTEST1234.

Add all users to our Global Zone (123): Adds each user to the Active Directory UNIX User group. Because the Zone Provisioning Agent service is running, the names are automatically provisioned and added to the Global Zone.

Creating Groups for the users (150): Creates the Active Directory Groups and adds the user(s) to the group. Notice in the commands that the groups are added to the UNIX Groups organization unit.

Create Computer roles (201): Creates a new Active Directory group (in this case in the UNIX Groups OU) and then creates the computer role in the target Zones.

Create command rights in the Global Zone (232): Creates each of the command rights in the Global Zone. You can create rights in any Zone; however, they are only available to roles in that Zone or lower.

Create PAM rights (289): Creates each of the PAM application rights.

Create user roles (314): Creates the WebAdmin and SysAdmin roles and adds the rights associated with each role.

Perform the Role Assignments (349): Assigns the roles just created to the groups created earlier.

For more information on the commands and syntax, see the Centrify Suite ADEdit Programmer's Guide.


Chapter 7

A&A: Active Directory Group Policy Controls


Using AD group policies for UNIX users and computers
Centrify Suite 2012 secures your UNIX platforms using the same authentication and group policy services used for your Windows environment. In this chapter, you modify the Active Directory Group Policies for the UNIX groups in Centrify Zones. The following topics are covered:

Understanding Group Policy

Adding Centrify Suite group policies for UNIX

Group Policy Examples

The examples demonstrate the following:

Set user mapping

SSH settings

Firewall rules

Understanding Group Policy


Group policies allow you to specify a variety of configuration options in Active Directory and apply those settings to specific groups of computers and users. In a standard Windows environment, these configuration settings control many aspects of computer operation and the user experience, including the user's desktop environment, startup and shutdown scripts, local security enforcement, user- and computer-based registry settings, and software installation and maintenance services. When you define policy settings, they are stored in a Group Policy Object (GPO). Each Group Policy Object can consist of configuration information that applies to computers, configuration information that applies to users, or sections of policy specifically devoted to each. Because configuration details on Windows computers are primarily controlled through registry settings, group policies are designed to enable an administrator to centrally define those registry settings and propagate them to specific sets of computers on the network through Active Directory. The scope of any policy is defined by the specific site, domain, or organizational unit to which the Group Policy Object is applied. Centrify Suite 2012 provides a group policy framework that integrates UNIX systems into the Active Directory group policy management environment. This enables you to centrally define configuration settings that can then be applied to specific groups on the UNIX computers. These group policies are then enforced any time a computer with a policy applied starts up, at a policy-defined periodic interval, on demand when you run an update command, and when users log on. Centrify DirectControl provides its own administrative template for UNIX-specific group policies to complement the limited number of Windows group policies that can be applied to UNIX users and computers.

Adding Centrify Suite group policies for UNIX


Group policies for UNIX are managed using the same tools you use to manage Windows group policies. With Windows Server 2003 and Windows Server 2008, there are two snap-ins for managing group policies:

The Group Policy Object Editor allows you to enable, disable, and edit the configuration settings within any Group Policy Object. You use the Group Policy Object Editor to set the configuration options you want to use and to assign values to configuration settings.

The Group Policy Management Console allows you to create new Group Policy Objects, link Group Policy Objects to sites, domains, and organizational units, delegate group policy permissions to specific users and groups, and perform other tasks.

Make sure you have the Microsoft Standard Suite console or at least the Group Policy Object Editor snap-in installed on the Windows workstation. The examples below illustrate use of the Group Policy Object Editor. To use the Centrify Suite group policies for UNIX, you must add the Centrify Suite Administrative Templates to the Group Policy Object you want to work with. To add the Centrify Suite Administrative Templates to the Default Domain Policy:
1 Log in as an administrator on a Windows computer where you can perform administrative functions.

2 Start the Group Policy Object Editor by clicking Start > Run and typing gpmc.msc.

In this step you create a new Group Policy Object to link to the demo domain. Expand Domains and right click the domain you are using for your evaluation system (demo if you have used our domain name). Select the Create a GPO in this domain ... option. Enter Eval system and click OK.

3 Right click the Eval system policy you just created and click the Edit... option.

4 In the Group Policy Management Editor window, expand the Policies node and right click Centrify Settings. Select the Add/Remove Templates... option.

5 In the Add/Remove Templates window, click Add.

The Open window lists a set of templates. First, select centrifydc_settings and click Open.

6 Repeat Step 5 and this time select centrify_unix_settings and click Open.

7 Repeat Step 5 and this time select centrify_linux_settings and click Open.

These are the only templates used in this exercise. If you would like to see the other policies (for example, there are extensive settings for Mac OS) click Add again to select more templates for review.

8 Click OK.

These steps added a comprehensive set of DirectControl policy settings you can apply with the Group Policy Management Editor. The following figure illustrates the window with the DirectControl options. The remainder of this chapter illustrates how to set several common policies.

Group Policy Examples


The following illustrate some of the Centrify policies popular with many of our customers. To set these examples you must be logged in as an administrator.

Set user mapping


In this example, you set a policy to map the UNIX user root to the Active Directory user Administrator. Subsequently, root on the UNIX computer is controlled from within Active Directory.
1 Click on DirectControl Settings and double click Set User Mapping.

2 Check the Enabled radio button and then the Add button.

3 Enter root (or whatever account you want to map) as the UNIX User and click Browse ... to select the Active Directory user.

4 In the Find Objects window, enter a for the Name: and click Find Now to get the Administrator in the current domain.

5 Select the Administrator and click OK. (You can leave In zone: blank in this exercise.)

6 Click OK to complete the mapping.

The Set user mapping policy is now enabled, and the root account for the UNIX nodes is mapped to the Active Directory domain controller's Administrator account. Double-click on Set user mapping to view the new properties or add more user mappings.

Set the login password prompt


You can customize the text displayed when an Active Directory user logs in. Select Password Prompt under DirectControl Settings, double click Set login password prompt, click Enabled and enter the password prompt you want to display.

Prevalidate users or groups


You can specify users and groups who are prevalidated to access the local UNIX computer using their Active Directory credentials when the computer is offline.


SSH settings
The Centrify Settings node is also a convenient way to enable SSH settings. For example, expand the SSH Settings tab and click on the following policies to enable or disable them. Click the Explain tab for more details on each option.

Prevent root login: This policy lets you prevent the UNIX computer's root user from logging in. The following figure illustrates how to enable the Permit root login policy to prevent root login. When you enable the Permit root login policy, you can control root's access method, including preventing access entirely. However, enabling this option may complicate your evaluation. Leave it for another time.

Enable PAM authentication: Set this policy to enable PAM authentication, account processing and session processing.

Allow GSSAPI authentication: Specifies whether authentication based on GSSAPI may be used, either using the result of a successful key exchange, or using GSSAPI user authentication.

Allow GSSAPI key exchange: Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key exchange does not rely on ssh keys to verify host identity.

Specify client alive interval: Sets a timeout interval in seconds after which, if no data has been received from the client, sshd sends a message through the encrypted channel to request a response from the client (see figure).

Specify maximum client alive count: Sets the number of client alive messages which may be sent without a response. If that count is reached and no response has been received, sshd terminates the session (see figure).

Note

Use the Specify client alive interval and Specify maximum client alive count policies together to set the inactivity timer. For example, in this illustration the inactivity time is set to 15 minutes.

Firewall rules
Another useful policy is Linux Settings > Specify basic firewall settings. Enable this policy to define a set of rules for a simple exclusionary firewall.

When you enable the policy you are prompted to enter rules that control input and output. The rule format is
Name:Type:Protocol:Port:Action

where

Name is just an identifying string.

Type is either INPUT or OUTPUT. Use INPUT to block the incoming port and OUTPUT to block the computer from sending on that port.

Protocol should be one of tcp, udp, icmp, or all.

Port is the port number.

Action is either ACCEPT or DROP.

If you just enable but do not specify a rule, the firewall default allows all outgoing traffic but blocks all inbound traffic except ssh and ping. The following figure illustrates the firewall settings with the default set and a rule that allows web server connections to the machine.
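To check rule lines in the Name:Type:Protocol:Port:Action format before they go into the policy, here is an added example (not Centrify's code) that parses and validates them and renders them as iptables commands together with the default set described above. The iptables rendering, the ordering of explicit rules ahead of the defaults, port 0 for icmp and all rules, and the sample rules are assumptions of this example.

```python
"""Parse and validate rules in the Name:Type:Protocol:Port:Action format used by the
'Specify basic firewall settings' policy and render them as iptables commands.
Added example: the rule syntax and the default behaviour (outgoing allowed, inbound
blocked except ssh and ping) come from the guide; the iptables rendering, the rule
ordering, the port-0 convention for icmp/all and the sample rules are assumptions."""
import shlex
from dataclasses import dataclass

TYPES = ("INPUT", "OUTPUT")
PROTOCOLS = ("tcp", "udp", "icmp", "all")
ACTIONS = ("ACCEPT", "DROP")


@dataclass(frozen=True)
class FirewallRule:
    name: str        # identifying string only
    chain: str       # INPUT (incoming) or OUTPUT (outgoing)
    protocol: str    # tcp, udp, icmp or all
    port: int        # port number; 0 (ignored) for icmp and all, by assumption
    action: str      # ACCEPT or DROP


def parse_rule(line: str) -> FirewallRule:
    """Parse one rule line; ValueError names the offending field on bad input."""
    fields = [f.strip() for f in line.strip().split(":")]
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields Name:Type:Protocol:Port:Action, got {len(fields)}: {line!r}")
    name, chain, proto, port, action = fields
    if not name:
        raise ValueError("Name must not be empty")
    if chain not in TYPES:
        raise ValueError(f"Type must be INPUT or OUTPUT, got {chain!r}")
    proto = proto.lower()
    if proto not in PROTOCOLS:
        raise ValueError(f"Protocol must be one of {PROTOCOLS}, got {proto!r}")
    if not port.isdigit() or int(port) > 65535:
        raise ValueError(f"Port must be a number 0-65535, got {port!r}")
    if proto in ("tcp", "udp") and int(port) == 0:
        raise ValueError("Port must be 1-65535 for tcp and udp rules")
    if action not in ACTIONS:
        raise ValueError(f"Action must be ACCEPT or DROP, got {action!r}")
    return FirewallRule(name, chain, proto, int(port), action)


def is_valid_rule(line: str) -> bool:
    """True when the line parses; handy for validating a policy before applying it."""
    try:
        parse_rule(line)
        return True
    except ValueError:
        return False


def parse_rules(text: str) -> list:
    """Parse a block of rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            rules.append(parse_rule(raw))
        except ValueError as exc:
            raise ValueError(f"line {number}: {exc}") from None
    return rules


def render_iptables(rules, with_default: bool = True) -> list:
    """Render rules as iptables command strings (nothing is executed here).
    Assumption: explicit rules are emitted before the default accepts so that an
    explicit DROP always takes precedence over the default ssh/ping allowance."""
    cmds = []
    if with_default:
        cmds += ["iptables -P OUTPUT ACCEPT", "iptables -P INPUT DROP"]
    for r in rules:
        cmd = f"iptables -A {r.chain}"
        if r.protocol != "all":
            cmd += f" -p {r.protocol}"
        if r.protocol in ("tcp", "udp"):          # --dport only makes sense for tcp/udp
            cmd += f" --dport {r.port}"
        cmds.append(f"{cmd} -j {r.action} -m comment --comment {shlex.quote(r.name)}")
    if with_default:
        cmds += ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
                 "iptables -A INPUT -p tcp --dport 22 -j ACCEPT",
                 "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"]
    return cmds


# Constructed sample: allow web server connections in, stop outbound telnet.
SAMPLE_RULES = """# constructed sample policy text
Web:INPUT:tcp:80:ACCEPT
NoTelnetOut:OUTPUT:tcp:23:DROP
"""

if __name__ == "__main__":
    for command in render_iptables(parse_rules(SAMPLE_RULES)):
        print(command)
```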

This concludes the introduction to the Centrify Suite authentication and authorization components and services. Continue your introduction with the DirectAudit installation and introduction in the next chapter.


Chapter 8

Audit: Set up the evaluation environment


This chapter explains how to install the remainder of the DirectAudit software and configure the components on your evaluation system. Recall that the DirectAudit Agent and UNIX command line tools were already installed in Chapter 2, Setting up the evaluation environment because you selected the Enterprise Administrator suite type.

Evaluation System Configuration


The following figure illustrates the DirectAudit components.

These components are introduced in Chapter 1, Start Here (see DirectAudit Components on page 18). For expediency, the installation process described below installs all of these components on the Windows system. This includes a copy of SQL Server Express used for the Audit Store and Audit Server. In a production environment, these would be distributed across different nodes and have redundant elements. For more in-depth descriptions of the components and your configuration options, see the Centrify DirectAudit Administrator's Guide.

Note The DirectAudit package includes SQL Server Express and, for convenience only, the instructions tell you to install it. If you already have SQL Server installed on one of your systems you can specify that instead. Alternatively, the installation process includes a link to the Centrify website from which you can download other SQL Server options.

Installing the DirectAudit components


In this section, you run the DirectAudit setup option in the Centrify-Suite-2012-mgmtent-win DVD/iso (the Centrify Suite Enterprise Edition). The following setup instructions install all of the DirectAudit components on the Windows system to which you are logged in. More precisely, the setup wizard:

Installs and starts the DirectAudit Agent.

Installs SQL Server Express and creates the DirectAudit Audit Server and Audit Store databases.

Installs and configures the Collector.

Installs the Auditor and Administrator consoles.

In a production system, you would install each component on a different computer.


Notes

Part of the DirectAudit installation is already complete. When you selected the DirectAudit components in the Suite installer, the Deployment Manager installed the DirectAudit Agent and UNIX command line tools on the UNIX computer(s) selected.

This procedure automatically installs SQL Server Express and creates new Audit Server and Audit Store databases as a convenience to those who do not already have a SQL Server on their network. If you want to use an existing SQL Server, see the DirectAudit Administrator Guide for the instructions. Also note that if you use an existing SQL Server for the Audit Server and Audit Store databases, DirectAudit uses TCP port 1433 (the SQL Server default) for communications. If your existing SQL Server uses a different port, see the DirectAudit Administrator Guide for the configuration instructions.

Before you begin the installation, make sure your Windows system and UNIX computer(s) are joined to the Active Directory domain controller and you are logged on to a domain account.

Install Windows system components


In this section, you install the Centrify Common Component, DirectAudit Auditor and Administrator consoles, Collector, and Agent on the Windows system.
1 Go back to your Centrify Suite DVD/iso and launch autorun again.

2 This time click Centrify DirectAudit.

3 Click Next from the Centrify DirectAudit Setup window and accept the terms.

4 In the Select Components window, select all of the components (the default).

5 Choose Destination Folder: Use the default. Click Next. Then click Next to confirm the Installation Settings.

6 Setup takes a couple of minutes to install the software. The final window in the process looks like this. Scroll through the summary to see the results. Make sure the box Launch Configuration Wizard (circled in figure) is checked. Click Finish.


Then click Exit in the Getting Started window to close it. You are done with that part of the installation. This concludes the installation; however, configuration is not yet complete.

Configuration
The Welcome ... reminds you about the privileges you will need to have. Click Next in the Welcome window.

The following steps complete DirectAudit configuration.


1 Enter Installation Name: This has no significance in the evaluation scenario. It becomes important when you have multiple installations (separate sets of audited systems, collectors, audit servers, etc.). For this exercise, enter Evaluation (case sensitive).

2 Specify database: Unless you have a database already installed and want to use it as a part of the evaluation, click Next to use the default, Install a new SQL Server Express .... If you want to use an existing database, check the other button and browse for it.

3 Select SQL Server package: The default Setup package is the SQL Server Express included in the distribution. Click Next to accept the default. If you have another package you would prefer, browse for it. For a production system, you can also download SQL servers from the link shown.

4 Open port in firewall: The Collectors use TCP port 5063 to get the data from the audited terminals. Normally, this port is not open. Click Yes to open it. The program proceeds to set up the configuration. This can take a few minutes, especially if you are installing the database.

Click Finish when prompted to exit the installation. The installation creates a service connection point in Active Directory. (In Active Directory Users and Computers, select View > Advanced Settings and expand Program Data.) It displays a Summary window that lists the properties. This concludes the DirectAudit installation and configuration on the host Windows workstation(s). Proceed to the next section if you want to audit more Windows workstations. Otherwise, skip to Replay example for an audit session example.

Audit more Windows systems


Do you have any additional Windows computers you want to audit? Each Windows computer you want to audit requires just the DirectAudit Agent. (It does not require the DirectControl Agent.) You must be logged in to the computer with a domain account that has local administrator privileges to install and configure the DirectAudit Agent. The DirectAudit Agent installation program is on the Centrify-Suite Enterprise Edition distribution CD in the DirectAudit > Centrify DirectAudit Agent Msi directory.
Note

The DirectAudit Agent is different for 32- and 64-bit systems. If your target Windows DirectAudit Agent computer has a different processor architecture, download the other Enterprise edition from the Centrify Download Center and use the DirectAudit Agent from that package.

To install the DirectAudit Agent go to Centrify-Suite > DirectAudit > Centrify DirectAudit Agent Msi and launch Centrify DirectAudit Agent.msi. Or copy the file to the target Windows system and launch it. When prompted, accept the terms and enter another directory if the default does not work for you. The wizard installs the DirectAudit Agent software and, by default, launches the Agent Configuration Wizard (see the Run Agent Configuration Wizard checkbox in the Wizard's Finish window). The Configuration Wizard prompts you for three properties:

Color quality: Choose a lower color quality to use less space per session.

Offline location: The folder the Agent uses to store session data when the Collector is offline.

Setup DirectAudit Installation: The Wizard queries the Audit Server for all existing DirectAudit Installations. At this juncture, you have just the one you created above; select it.

When it's done, the Wizard starts capturing the session activity immediately. Repeat the DirectAudit Agent installation on all of the Windows systems you want to audit.


Replay example
The DirectAudit Agent on the Windows computer(s) captures session activity from the time of installation. You can replay your session activity to see how DirectAudit works on Windows computers. Double-click on the DirectAudit Auditor 2012 Console on the desktop. The sessions are organized by when the session occurred (for example, Today, Yesterday, This Week or This Month) and other properties. The next chapter describes the different categories. The Windows workstation session is in two places: Today and Active. Click on Today. Your display should look similar to the following (you have different Today sessions).


Double click on the session. It takes a couple of seconds for the session to be retrieved from the database. Your display will be similar to the following:

The play bar along the bottom shows the progress through the events. You can also click on the events to jump to that sequence. The next chapter explains more about the replay controls. This concludes the installation chapter. The next chapter describes how to set up sessions, the replay controls, and managing the sessions.


Chapter 9

Audit: Session replay and management


At this point, the evaluation system is set up with at least one audited Windows workstation and UNIX computer. You have more audited Windows workstations if you ran the Agent installation software (see Audit more Windows systems on page 129) and more UNIX workstations if they were found and targeted during the deployment described in Chapter 2, Setting up the evaluation environment. This chapter describes how to view audited sessions, define review status and other criteria to organize the sessions, develop queries for building your own lists of sessions, and the session commands you use on the Windows and UNIX computers. The following topics are covered:

Enable audit on the UNIX systems

Auditor Console

Direct Audit UNIX Utilities

Queries

Windows Start-menu utilities

Administrator Console

Close sessions

Where to next

Enable audit on the UNIX systems


In this sequence of steps, you start tracing on the UNIX system(s). The root user must manually enable auditing on each audited UNIX system.
1 Log on to the UNIX computer as root. (You can use PuTTY or log on from the console directly.)

2 Configure computer for the installation: Enter the following command to configure the Centrify Suite installation:

# dacontrol -i Evaluation

where Evaluation is the installation name you entered during set up in the previous chapter. If you entered a different installation name, enter that instead.

3 Start session: Run the following command to enable (-e) auditing on all shells (-a) on this machine:

# dacontrol -e -a

This command captures the input and output for all shells available on the machine. There are other commands that, for example, set the trace on specific commands only or on specific users. See Direct Audit UNIX Utilities on page 139 below for an introduction to these commands.

4 Run the dacontrol command to verify that auditing is enabled for all shells. You should see output similar to the following:

Note When you enable auditing, Centrify Suite links each audited shell to the cdash shell, which is a wrapper that enables Centrify Suite to record activity on the shell.

5 Log off and then log in to the computer. The session does not start until the user logs in.

Auditor Console
You use the Auditor console to view and manage recording sessions.

At this point, DirectAudit is monitoring at least two systems: the Windows workstation (win7.test.co) and the UNIX computer (redhat.test.co above). Your display likely has different computers and sessions. In this figure, the Today search is selected - a list of all the sessions that were initiated and continue or ended since midnight. The Yesterday, This Week, and This Month searches accumulate the sessions as time goes by. IMPORTANT: Right click in the view and choose Refresh every time you change views. This forces a query to the database to update the data displayed. Click the Active Sessions to see the current, on-going sessions. (This view eliminates the Today sessions that have closed.)

Mark Sessions for Review or Action


You use the Sessions to be Reviewed and Sessions Pending for Action lists to distinguish those sessions from other sessions. You control which list a session appears in by updating the session's review status. For example, to mark a session in Today for review, select a Windows workstation session in your Today view, right click and in Update Review Status select To be reviewed.

You are prompted to enter a comment and click OK. Now, click Sessions to be Reviewed, right click inside the pane and choose Refresh. Select the session and right click. Your options are as follows:

Replay: Opens a new window that shows the event list and reproduces the corresponding display.

Indexed event list...: Opens a window with just the session events. Use this window to start the replay at a specific event.

Properties: Opens a window with the session's properties: General, Review Status and Comments. The Review Status tab shows the most recent status change. The Comments tab shows you all comments already entered and lets you make additional entries.

Update Review Status: Displays a menu (the same one as in the above figure) of the Status options.

None: The session is not review- or action-worthy.

Pending for Action: Route this session to the Sessions Pending for Action list rather than the Sessions to be Reviewed list.

Reviewed: The session has been reviewed.

To be Reviewed: The session is open for review.

The status you select is shown in the Review Status field in the line item display. (Scroll to the right to see the Review Status field. You can re-arrange the columns to make them more convenient too; just click then drag to the preferred location.)

Help: Displays help for the current session.

To complete this exercise, select the session in Sessions to be Reviewed, click Update Review Status and this time select Pending for Action. Right click in the pane and select Refresh. The session is no longer listed in this set. Select Sessions Pending for Action, right click in the pane and select Refresh. The session now appears in this list. Subsequently, if you changed the session's Review Status to Reviewed to indicate that the action had been completed, the session would be removed from this list and listed solely in Today, This Week, or This Month. Where the session resides depends only upon the Review Status you assign.
Note

Use Refresh often to make sure the information is up to date.

Replay options
This section describes how you control the playback. The following figure illustrates a Windows replay session with the magnifier on. The basic controls described next are the same for a UNIX session, however, the information above the controls in the left pane is different. The Play button changes to a Pause button when the session is playing, and vice versa.

Click the Speed button to fast forward at different rates. The dark blue time bar across the bottom of the window represents the total session time line. The Timepoint needle shows you the current location in the session. You can drag the needle to any point in the session. The light blue shading in the time bar indicates the segment of the session that is currently in memory.


The Real-time icon to the right of the time bar indicates that the session plays in a smooth time sequence. If you want to play back the session moving swiftly from one user action to the next, click the icon to gray it out. The Session point indicates the date and time of the Timepoint needle.

The magnifier appears as a magnifying-glass pointer in the replay pane. You click to magnify and click again to revert to the pointer.

Queries
Today, Yesterday, This Week, UNIX Password Access, Windows MMC tools, etc. are just a set of predefined queries. Each query searches the Auditor database for sessions that meet its criteria. Right click on any query and select Properties. To see the search criteria, open the Definition tab. You can write your own queries to specify the criteria that sessions must meet to be returned by the Auditor console. This section takes you through the steps to create some custom queries.

Find sessions based on current status


In this example, you build a query to find all sessions with a status of None (which in a typical situation means no one has looked at it yet).
1 On the Centrify Suite Auditor node right click All Shared Queries and select New Query.

2 In the query builder, type Unclassified sessions for the name and enter a description for the query (for example, All sessions marked as None).

3 Keep the default for type of session (both UNIX and Windows).

4 Since you do not have many sessions yet leave the Group by: and Order by: boxes unchecked.

5 Click Add to add criteria. Select review from the Attribute drop-down menu, highlight None, and click OK. Notice that review = None appears in the Criteria field of the New Query dialog box.

6 Click Add again. This time select time, select the bottom radio button, Is in, and in the drop down menu select this week.

7 The Criteria pane should show both rules. Click OK to complete the query build.

In a moment or two, your query appears as a node under the All Shared Queries node.Click the Unclassified sessions to get the results.

Creating a quick query


You can perform quick searches by selecting Quick Query from the context menu of the Auditor console node and typing keywords like in a Google search. Click Find. The query is added in-line with the predefined queries in the left pane, with the query string acting as the name of the query. The query results appear in the right pane (give it a couple of seconds to search the database). Some examples for the user criterion are:

jean: return any data fields that contain the string jean
jean john: return any data fields that contain the string jean and the string john
jean OR john: return any data fields that contain the string jean or the string john
"jean john": return any data fields that contain the exact string jean john


DirectAudit examines user, machine, time, module, and text for a match with the quick query string you typed. You can later edit a quick query by highlighting its node in the left pane and selecting Properties from the context menu. You can change the name and add a description on the General tab. The Definition tab already includes the query type, group, order and criteria you defined in your query text. You can edit these using check boxes and lists, just as you do with private and shared queries.
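The following Python block is an added illustration of the quick-query rules just described (implicit AND between keywords, OR as the alternative operator, and a double-quoted exact phrase) applied to the five fields DirectAudit examines. It is not Centrify's implementation; the session records are constructed sample data, and case-insensitive matching is an assumption of the example.

```python
"""Quick-query matching as described in the text (added illustration, not
Centrify's implementation).  Keywords separated by spaces must all match
(AND), a bare OR separates alternatives, and a double-quoted phrase must
match exactly.  Every term is checked against the user, machine, time,
module and text fields.  Case-insensitive matching is an assumption here.
"""
import re
from typing import Dict, List

FIELDS = ("user", "machine", "time", "module", "text")

# Constructed sample sessions (not real audit data).
SESSIONS: List[Dict[str, str]] = [
    {"user": "jean", "machine": "redhat", "time": "2011-11-01 09:00",
     "module": "bash", "text": "ls -la /etc"},
    {"user": "john", "machine": "win7pro64", "time": "2011-11-01 10:30",
     "module": "mmc", "text": "opened dsa.msc"},
    {"user": "fred", "machine": "redhat", "time": "2011-11-02 08:15",
     "module": "bash", "text": "su - jean john"},
    {"user": "admin", "machine": "solaris10", "time": "2011-11-03 12:00",
     "module": "ksh", "text": "dacontrol -e"},
]

# A token is either a double-quoted phrase or a run of non-space characters.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def parse_quick_query(query: str) -> List[List[str]]:
    """Split a quick-query string into OR-groups of AND-terms.

    'jean john'    -> [['jean', 'john']]   both must match
    'jean OR john' -> [['jean'], ['john']] either may match
    '"jean john"'  -> [['jean john']]      exact phrase
    """
    groups: List[List[str]] = [[]]
    for quoted, bare in TOKEN_RE.findall(query):
        if bare == "OR":            # an unquoted OR is the operator
            groups.append([])
            continue
        term = quoted or bare
        if term:
            groups[-1].append(term)
    return [g for g in groups if g]


def session_matches(session: Dict[str, str], query: str) -> bool:
    """True if some OR-group has all of its terms somewhere in the session's fields."""
    haystack = " ".join(session.get(f, "") for f in FIELDS).lower()
    groups = parse_quick_query(query)
    return any(all(term.lower() in haystack for term in group) for group in groups)


def quick_query(query: str, sessions=SESSIONS) -> List[str]:
    """Return 'user@machine' labels of the matching sessions, in stored order."""
    return [f"{s['user']}@{s['machine']}" for s in sessions if session_matches(s, query)]


if __name__ == "__main__":
    for q in ("jean", "jean john", "jean OR john", '"jean john"'):
        print(f"{q!r:16} -> {quick_query(q)}")
```

Note that the third sample session matches "jean john" and "jean john" in quotes only because its text field happens to contain the two names side by side; the first session, whose user is jean, matches only the single keyword and the OR form.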

Direct Audit UNIX Utilities


You used dacontrol on the UNIX computer earlier in this chapter to start the audit session on the UNIX computer. DirectAudit includes several other command line utilities you run from the UNIX console for monitoring the connection and managing the DirectAudit Agent. Log in as root on the UNIX computer and try them out.

dacontrol: enable and disable shell sessions and configure sessions to audit specific commands or users.
dad: start or stop the DirectAudit daemon (dad) directly.
dadebug: enables/disables debug logging for dad.
dareload: forces dad to reload configuration properties from the DirectAudit configuration file on the UNIX computer and apply changes without restarting dad.
dadiag: displays detailed information about the configuration and current auditing status.
dainfo: also displays detailed information about the configuration and current auditing status.

For example, to get in-depth information about the session, enter dainfo -d. Your display will have similar contents to the following. The significant lines are marked with numbers and explained below.

# dainfo -d
Establishing connection with dad: Success (1)
Dad's online status: Running (2)
Dad's current Installation: 'DefaultInstallation213' (configured locally)
Dad's current Audit Store: Default-First-Site-Name@jeff.domain.test3-AuditStore
Dad's current Collector: WIN7PRO64.jeff.domain.test3:5063:HOST/win7pro64.jeff.domain.test3@JEFF.DOMAIN.TEST3
Dad's offline db size: 86.00 Bytes
Getting offline database information:
  Size on disk: 8.00 KB
  Database filesystem usage: 4.16 GB used, 7.34 GB total, 3.17 GB free
Machine IP address: 172.27.14.228
Machine is joined to jeff.domain.test3
Machine is in site 'Default-First-Site-Name'


Pinging adclient: Available (3)
Installations:
  DefaultInstallation213
    Active Directory Object: jeff.domain.test3/Program Data/Centrify/DirectAudit/Vegas-Installation-85adf0a1-6b88-4f3f-8796-e34d165d96d5
    Object GUID: 3526c3a2-c565-4923-ab0c-1d0c73cc8254
    Installation Id: 4b779baa-cea8-4dee-8fb1-cc5291d26691
    Audit Stores:
      Default-First-Site-Name@jeff.domain.test3-AuditStore
        Site(s): Default-First-Site-Name@jeff.domain.test3
        Subnet(s): None configured
        Trusted Agents: All
        Trusted Collectors: All
        Audit Store Active Database:
          Data Source=win2k3-dc1.jeff.domain.test3 Initial Catalog=Default-First-Site-Name@jeff.domain.test3-AuditStore-2011-05-17
Machine's Installation: 'DefaultInstallation213' (configured via Group Policy)
Machine's Audit Store is 'Default-First-Site-Name@jeff.domain.test3-AuditStore' because it services site 'Default-First-Site-Name'
Collectors servicing Audit Store 'Default-First-Site-Name@jeff.domain.test3-AuditStore':
  win2k3-dc1.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win2k3-dc1.jeff.domain.test3@JEFF.DOMAIN.TEST3
  WIN7PRO64.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win7pro64.jeff.domain.test3@JEFF.DOMAIN.TEST3
  WIN7X86.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win7x86.jeff.domain.test3@JEFF.DOMAIN.TEST3
Attempting to connect to Collectors:
  Host: win2k3-dc1.jeff.domain.test3 - Success (5)
  Host: WIN7PRO64.jeff.domain.test3 - Success (5)

1: Whether the collector has established a connection with the Centrify Suite daemon (dad) on the UNIX machine
2: The status of dad on the UNIX audited machine (Online or Offline; Running in this example)
3: Whether CentrifyDC, the adclient program, is running


4: The name of the Centrify Suite collectors
5: Whether a connection has been made

Note

Collectors are stored in a serviceConnectionPoint (SCP) in Active Directory. The command verifies that the collector SCPs have been found.

For the full description of these commands see the Centrify DirectAudit Administrators Guide.
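The following Python block is an added example, not a Centrify utility: a small health check over the output of dainfo -d that picks out the lines the numbered callouts above explain and reports whether the agent reaches dad, adclient and at least one collector, and which advertised collectors were not connected. SAMPLE_OUTPUT is constructed from the output shown above; the line layout it expects and the pass/fail rule are assumptions of this example.

```python
"""Health check over `dainfo -d` output (added example, not a Centrify tool).
It reads the callout lines described in the text and decides whether the
agent is usable: dad reachable and running, adclient up, at least one
collector connected.  Layout and decision rule are assumptions.
"""
import re
from typing import Dict, List

# Constructed from the dainfo -d output shown in the text.
SAMPLE_OUTPUT = """\
Establishing connection with dad: Success (1)
Dad's online status: Running (2)
Dad's current Installation: 'DefaultInstallation213' (configured locally)
Dad's current Audit Store: Default-First-Site-Name@jeff.domain.test3-AuditStore
Pinging adclient: Available (3)
Collectors servicing Audit Store 'Default-First-Site-Name@jeff.domain.test3-AuditStore':
  win2k3-dc1.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win2k3-dc1.jeff.domain.test3@JEFF.DOMAIN.TEST3
  WIN7PRO64.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win7pro64.jeff.domain.test3@JEFF.DOMAIN.TEST3
  WIN7X86.jeff.domain.test3 (4)
    Port: 5063
    SPN: HOST/win7x86.jeff.domain.test3@JEFF.DOMAIN.TEST3
Attempting to connect to Collectors:
  Host: win2k3-dc1.jeff.domain.test3 - Success (5)
  Host: WIN7PRO64.jeff.domain.test3 - Success (5)
"""

# Trailing "(1)".."(5)" markers are the guide's callouts, not output; strip them.
CALLOUT_RE = re.compile(r"\s*\(\d+\)$")
HOST_RE = re.compile(r"^Host:\s*(\S+)\s*-\s*(\w+)")
SIMPLE_FIELDS = {
    "dad_connection": "Establishing connection with dad:",
    "dad_status": "Dad's online status:",
    "installation": "Dad's current Installation:",
    "audit_store": "Dad's current Audit Store:",
    "adclient": "Pinging adclient:",
}


def parse_dainfo(text: str) -> Dict[str, object]:
    """Extract status fields, advertised collectors and connection results."""
    report: Dict[str, object] = {"collectors": [], "connections": {}}
    in_collectors = False
    current = None
    for raw in text.splitlines():
        line = CALLOUT_RE.sub("", raw.strip())
        if not line:
            continue
        if line.startswith("Attempting to connect to Collectors"):
            in_collectors = False
            continue
        if line.startswith("Collectors servicing Audit Store"):
            in_collectors = True
            continue
        if in_collectors:
            # Collector list: a host line followed by its Port: and SPN: lines.
            if line.startswith("Port:") and current is not None:
                current["port"] = int(line.split(":", 1)[1])
            elif line.startswith("SPN:") and current is not None:
                current["spn"] = line.split(":", 1)[1].strip()
            else:
                current = {"host": line, "port": None, "spn": None}
                report["collectors"].append(current)
            continue
        m = HOST_RE.match(line)
        if m:
            report["connections"][m.group(1)] = m.group(2) == "Success"
            continue
        for key, prefix in SIMPLE_FIELDS.items():
            if line.startswith(prefix):
                report[key] = line[len(prefix):].strip()
    return report


def agent_healthy(report: Dict[str, object]) -> bool:
    """dad reachable and running, adclient available, one collector connected."""
    return (report.get("dad_connection") == "Success"
            and report.get("dad_status") == "Running"
            and report.get("adclient") == "Available"
            and any(report["connections"].values()))


def unreachable_collectors(report: Dict[str, object]) -> List[str]:
    """Advertised collectors with no successful connection; worth alerting on."""
    ok = {h.lower() for h, good in report["connections"].items() if good}
    return [c["host"] for c in report["collectors"] if c["host"].lower() not in ok]


if __name__ == "__main__":
    rep = parse_dainfo(SAMPLE_OUTPUT)
    print("agent healthy:", agent_healthy(rep))
    print("collectors not connected:", unreachable_collectors(rep))
```

On an audited UNIX host the same functions can be fed the live output of dainfo -d; in the sample above the third advertised collector, WIN7X86, never appears under "Attempting to connect", which is exactly the kind of gap a monitoring job should surface.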

Windows Start-menu utilities


Windows computers that have the DirectAudit Agent installed have an Agent Control Panel utility. You invoke it from All Programs > Centrify > DirectAudit 2012. You use this utility to get status, configure the Agent, and, only if you have administrator privileges, start and stop the session.
Note

On your evaluation system, you also have several other utilities: Collector Control Panel and the two consoles. The following figure illustrates the Agent Control Panel.

Administrator Console
The Administrator Console can only be invoked on workstations on which the Administrator Console was installed (see Installing the DirectAudit components on page 124 for example). When it is installed, the Administrator Console provides a view of all the audited systems, collectors, audit stores and roles in the domain. In addition, you use the Administrator Console to create audit roles and assign users to the audit roles.

The Administrator Console is primarily for viewing the organization and status of audited systems, collectors and audit stores. However, the Master Auditor has the Audit Roles permission on the installation. Users in this role can manage and control all audit roles: they can create and remove roles, or change target sessions, role membership and permissions (Read, Replay and Update Status). When an installation is set up, the role of Master Auditor (with all permissions) is created, as well as an auditor role for each audit store (with the name audit_store_x Auditor). These predefined roles cannot be modified or removed.
Note

To view a list of audit roles, expand the Audit Roles node in the left pane of the Administrator Console. To see the members of an audit role in the right pane, highlight the audit role in the left pane. The audit team leader can assign or remove members of the audit role. To add a new audit role, highlight the Audit Roles node in the left pane, right-click and choose Add Audit Role from the context menu. Take a look at the options, especially the role criteria (time, state, review and machine) that you can set to constrain the role's rights and privileges. To add a user or group to the role, select the role, right-click and follow the instructions.

Close sessions
The sessions run on the Windows and UNIX computers until you stop them. To stop auditing on a Windows system, start the Agent Control Panel and click the Stop button. To start again after you have stopped it, click the Start button.
Note

Only users with the Master Auditor privileges can start and stop a session. Other users and auditors get an error message if they open the Agent Control Panel and try to stop or start the session.


To stop auditing on a UNIX workstation, use the dacontrol -d command. For example, to stop auditing shell entries and sessions that audit just a specific command, you enter the following:
dacontrol -d -a

Where to next
This concludes the DirectAudit exercises. If you have followed the exercises from the beginning, you have now been introduced to all of the Centrify Suite components except DirectSecure and are prepared to pursue your self-guided analysis. If you need more detail, be sure to look through the two Administrator's Guides included in the package. If your environment uses SSH, NIS or Samba, be sure to read through the appendixes too. Finally, after you have completed your extended analysis, run through the checklist in Chapter 10, Completing the evaluation. This should be a useful tool to help you assess how well Centrify Suite meets your needs.


Chapter 10

Completing the evaluation


During this evaluation, you installed the Centrify Suite and learned how to manage accounts for non-Windows workstations and servers in an Active Directory environment. You experienced working with the product as an end user and managing the Centrify Suite environment as an administrator. Using the test scenarios and examples, you had the opportunity to see many of Centrify Suite's features highlighted. Although this guide provides a good starting point for understanding how to use Centrify Suite software, you may want to explore further. If you want to conduct a more in-depth analysis of any product features or learn more about how Centrify Suite works, you should review the Centrify Suite Administrator's Guide and Centrify DirectAudit Administrator's Guide, which provide more detailed information about configuring, managing, and using the Centrify Suite software. We value the time you spent evaluating Centrify Suite and look forward to hearing from you. For any questions or comments you may have about this evaluation, please contact your Systems Engineer or go to the Centrify Support web page www.centrify.com/support and log in for Technical Support contact information.

Using the evaluation checklist


The Centrify Suite Evaluation Checklist is designed to help you evaluate Centrify Suite as a complete solution that integrates your UNIX, Linux, Mac OS X, Web applications, and database servers with Active Directory for authentication, authorization, and access control, as well as audit and policy enforcement. You can also use this checklist to see how Centrify Suite matches your specific needs and compares with other products. To use the checklist:
1 Rank the significance of each of the listed features for your organization.
2 For each feature, determine a score (0 to 5) for DirectControl and for the other product that you are evaluating.
3 Multiply the Rank by the Score for each product to come up with the Weighted score.
4 Add up the Weighted scores to determine the Total Weighted Score.


Centrify Suite Evaluation Checklist

For each item below, fill in five columns: Rank (0-5), DirectControl Score, DirectControl Weighted score, Other product Score, Other product Weighted score. The items are listed here by category with their descriptions.

Active Directory Integration (ADI)
ADI 1  Active Directory "client" for UNIX, Linux and Mac (includes ability to "join" non-Microsoft system to AD domain); fully supports Kerberos and offers broad platform support (e.g. 280+ platforms)
ADI 2  Virtualization support: Supports zLinux, AIX WPAR/LPAR, HP-UX vPars, Solaris Containers/LDOM/xVM, Citrix Xen and VMware
ADI 3  Works with existing Active Directory schema; i.e. does not require schema extensions
ADI 4  Supports RFC 2307 without need for additional proprietary schema extensions
ADI 5  Cross-forest / one-way trust support
ADI 6  Intelligent Domain Controller discovery and dynamic selection via Site awareness
ADI 7  Authenticated update of DNS entries for systems with dynamically assigned IP addresses
ADI 8  Supports Linux systems running SE Linux and AppArmor (i.e. does not require you to disable SE Linux/AppArmor)
ADI 9  Provides optional technical support and tested executables for open source products such as Samba, OpenSSH and PuTTY
ADI 10 Microsoft Windows 2003, Windows 2008, Red Hat and SUSE Certifications

Identity Management and Authentication (AU)
AU 1   Globally unique identity namespace established for new users and new systems, that is used across the environment unless overridden
AU 2   Individual computers and groups of computers support centralized management of overrides in order to support migration and centralization of complex
AU 3   Support for multiple UNIX identities tied to a single AD Account, i.e. does not force UID rationalization
AU 4   NSS support for all NIS maps managed in Active Directory
AU 5   NIS Support: Offers NIS Server integrated with Active Directory, allowing for centralized NIS settings; includes support for "agentless mode"
AU 6   Support for local caching of credentials (enables offline login)
AU 7   Supports pre-population of offline cache (for specific users or groups of users)
AU 8   Supports Mac smartcard login to Active Directory for SSO to Windows Integrated services and applications
AU 9   WebApp Support: Supports AD- and ADFS-based authentication for Java- and J2EE-based applications running on both UNIX/Linux *and* Windows systems
AU 10  DB/ERP Support: Supports AD-based authentication for DB2, Informix, Oracle and SAP R/3
AU 11  Storage support: Supports AD-based identity mapping for NetApp Filers and EMC Celerra
AU 12  Provides a LDAP Proxy to enable LDAP-aware apps to securely integrate with AD (e.g. encrypted communication)

Access Control (AC)
AC 1   Provides interface to enable administrators to easily "see" and restrict computer access to selected groups of users across individual computers or groups of computers
AC 2   Ability to grant temporary access rights based on user Role assignment to individual computers or groups of computers
AC 3   Ability to report on and easily view resulting set of user access for a given computer (or group of computers)
AC 4   Ability to delegate different admin rights to different administrators for each secure Zone
AC 5   Does not force delegation of administrative privileges along OU boundaries
AC 6   Can also enforce access control locally and via group policy

Authorization (AZ)
AZ 1   Grant users rights to execute commands with elevated privileges to eliminate need for access to privileged accounts and passwords
AZ 2   Ability to grant Privileges for a User Role to an individual computer, Group of Computers in a Role or all computers that share a namespace
AZ 3   Ability to grant Privileges for a User Role to an individual computer, Group of Computers in a Role or all computers that share a namespace
AZ 4   Ability to control how a user accesses a system via PAM-enabled apps and interfaces (e.g. ssh, telnet, etc.)
AZ 5   Set time periods when a role can access a system
AZ 6   Ability to grant UNIX entitlements directly to an AD user and/or group
AZ 7   Stores roles and rights inside Active Directory thus eliminating need for additional servers and infrastructure

Group Policy (GP)
GP 1   Provides large number of AD-based Group Policy objects for UNIX/Linux *and* Mac
GP 2   Delivers group policies specific to managing SSH deployments
GP 3   Delivers User group policies in addition to Computer group policies
GP 4   Supports advanced group policy capabilities such as filtering and loopback processing
GP 5   Offers Group Policy editor that delivers free-form editing, a syntax checker and the ability to insert standard commands (e.g. for the sudo policy)

Server Protection (SP)
SP 1   Blocks untrusted systems from communicating with trusted systems
SP 2   Delivers tiered network access by further isolating specific groups of servers
SP 3   Enables optional end-to-end encryption of data in motion
SP 4   Software and policy based solution; no hardware required
SP 5   Requires no changes to network topology or applications
SP 6   Automates provisioning of certificates on UNIX systems
SP 7   Supports DirectAccess, Active Directory and the native IPsec support in modern operating systems

Manageability (MA)
MA 1   Provides centralized pre-installation check capability
MA 2   Provides centralized push technology of software and/or updates
MA 3   Simple licensing; does not require per-user licensing for UNIX systems
MA 4   Centralized license management; does not require reinstall or license key deployment on each system
MA 5   Single product architecture for authentication + group policy + authorization + auditing + app support
MA 6   Single, integrated Windows MMC console for all user, group and computer management as well as migration and reporting (beyond delivering ADUC extension)
MA 7   Provisioning agent that allows AD group membership to control which users can access which groups of systems
MA 8   Integrates with existing provisioning systems such as Microsoft FIM
MA 9   Pre-packaged and customizable reports that provide filtering and grouping and can be saved to Word, Excel, etc.
MA 10  Reporting enables snapshots for comparison purposes
MA 11  Provides migration tools and utilities included at no charge
MA 12  Tools or easy methods for resolving import conflicts (e.g., UIDs) and UID rationalization
MA 13  Support for deployment via 3rd party solutions such as Apple Remote Desktop or Absolute Manage
MA 14  Offers Planning and Deployment Guide
MA 15  Vendor provides pre-packaged service and training offerings to assist in deployments

Auditing* (AD)
AD 1   Detailed, non-intrusive capture of user sessions on UNIX/Linux AND Microsoft Windows systems
AD 2   Comprehensive, easy-to-use search and query capabilities of user session activity
AD 3   Role-based access to query and replay user sessions, managed by AD groups
AD 4   Summary list of all events, commands and applications in user session
AD 5   Visual replay of user sessions through an easy-to-use replay tool
AD 6   High fidelity replay of Windows GUI sessions without just screenshots or slides
AD 7   Interactive replay of user sessions to skip over non-activity or to specific events of interest
AD 8   Session events are selectable, filterable and sortable for easy navigation
AD 9   Export of user sessions to a text transcript or movie file for sharing or reuse
AD 10  Real-time monitoring with an at-a-glance view of all current user activity
AD 11  Command line access to replay a single session or query across sessions
AD 12  Selective auditing based on users, groups or machines
AD 13  Administrative delegation of management tasks based on Active Directory users or groups
AD 14  Central view of all component status including remote access to individual component systems
AD 15  Zero-config deployment of audit agent through auto discovery of session collection and storage components
AD 16  Supports broad set of UNIX and Linux platforms
AD 17  Fault-tolerant and load balanced collection of data
AD 18  Stores detailed user-level audit data in a SQL database for ease of reporting and archiving
AD 19  Supports use of multiple audit databases for scaling and security
AD 20  Click-button and scriptable support for rolling, archiving or deleting old session data
AD 21  Fast installer for single system install including database
AD 22  Generates DBA scripts for any DB action
AD 23  Secure install of each component and secure transmission and storage of session data

* Auditing provided by DirectAudit

If you would like a spreadsheet version of this table to make calculation of the weighted scores easier, contact your System Engineer.


Appendix A

Using Centrify Suite with SSH


Although many UNIX systems have an sshd server installed, most are older implementations that do not support Kerberos. Centrify provides a compiled version of the latest OpenSSH distribution to make it easy for you to install and use SSH with Centrify Suite for secured authentication to Active Directory using Kerberos. This compiled version of OpenSSH was automatically installed when you installed the Centrify Suite software. Centrify compiled the standard OpenSSH distribution unmodified and, in the compile process, linked OpenSSH with the DirectControl Kerberos libraries to ensure that sign-on works as expected in an Active Directory environment. This provides several advantages, including:

The DirectControl Agent will accept connections to any of the computer's valid host names, either fully qualified or not, because all combinations are registered with Active Directory. This reduces Kerberos dependency on accurate DNS entries.

The installation process makes direct access to the Kerberos tools possible by automatically adding /usr/share/centrifydc/bin for all users and /usr/share/centrifydc/sbin for administrators and super users to the $PATH environment variable.

The Centrify Suite software automatically stops the default sshd and starts the Centrify version. The Centrify version is stored in /usr/share/centrifydc/sbin. This preserves the default sshd and its configuration files. The first time you start the server, sshd looks for the current set of host keys in /etc/ssh and imports them. If it does not find the keys, it generates new keys and stores them in /etc/centrifydc/ssh. If you ever need to restart the Centrify version (for example, if you modified the UNIX computer's configuration file), use the commands in your shell to stop and then start sshd. For example, the following command works for Red Hat Enterprise Linux and Solaris:
/etc/init.d/centrify-sshd start

The following topics are covered in this appendix:
Configuring SSH
Testing SSH


Configuring SSH
Chapter 7, A&A: Active Directory Group Policy Controls shows you how to use the Group Policy Object Editor to enable several SSH policies. The following figure illustrates the policy sets.

You can also modify the SSH configuration directly on a node-by-node basis. The configuration information is stored on each UNIX computer in the following file:
/etc/centrifydc/ssh/sshd_config
Note The policies enabled in the UNIX sshd_config file are overruled by the ones set in Group Policy Objects. This feature is available for those users who do not use Group Policy Objects.

Testing SSH
You can test the server by connecting to the local host to make sure that SSH is running and accepting connections. For example, the following command should result in a local connection to the SSH server:
/usr/share/centrifydc/bin/ssh root@localhost

When prompted, enter the root password. (Note that this command would NOT work if you had enabled the Permit root login policy to prevent root login; see page 120.) On a Windows computer joined to the same Active Directory domain, you can now use the PuTTY program distributed in the Centrify Suite package or any other SSH solution that supports Kerberos to log in. To use the Kerberos option, two conditions must be met:

First, you must log in to the Windows workstation using the same account name as the UNIX computer user. (You cannot, for example, log in to the UNIX computer under a different account name in this case.)

Second, you must enable Kerberos authentication in PuTTY. To configure PuTTY for SSH login using Kerberos:
a Open PuTTY.


b In the Category pane, expand Connection > SSH > Kerberos.
c Select Attempt Kerberos auth (SSH2).
d Return to the Session window, enter the host name and click Open. If you want to preserve this option, enter a name in Saved Sessions and click Save. Otherwise, you will have to check this box every time. Subsequently, just click on the session name.

The result should look similar to the following figure. (In this case, the user is Fred Thomas from the script.)


Appendix B

DirectControl Network Information Service


The DirectControl Network Information Service is an optional addition to the DirectControl Agent. Once installed and running, the DirectControl Network Information Service functions just like a standard NIS server, however it responds to NIS client lookup requests using the information stored in Active Directory. For computers and applications that submit lookup requests directly to a NIS server listening on the NIS port, Centrify Suite includes its own DirectControl Network Information Service. This service has its own daemon process, adnisd, to receive and respond to NIS client requests. This appendix describes how to set up the Centrify Suite adnisd daemon to access NIS maps that are managed and securely distributed from Active Directory.

Creating and importing NIS maps in the default zone


To try this feature, you first need a set of NIS maps to import. You can either copy a set of maps from an existing NIS master server or create a set of sample text files for testing. The following steps create a sample NIS map text file. To create a set of NIS maps using the sample maps on an Active Directory server:
1 Create a text file named netgroup.txt to store the sample netgroup NIS map entries to import. You can create the file on either the Windows computer or the UNIX computer, but the file must be accessible from the Windows computer for you to import it into Active Directory. Add the following to the netgroup.txt file to simulate a sample netgroup NIS map for import:
clients (sparrow,,birds) (sparrow.mynet.home,,birds) \
        (chicken,,birds) (chicken.mynet.home,,birds) \
        (parrot,,birds) (parrot.mynet.home,,birds)
servers (eagles,,birds)(eagle.mynet.home,,birds)
nodes servers clients

2 Create a text file named auto.master.txt to store the sample auto.master NIS map entries to import. Add an entry similar to the following to the auto.master.txt file to simulate a sample auto.master NIS map for import:
/tools /etc/auto.tools

3 Create a text file named auto.tools.txt to store the sample auto.tools NIS map entries to import. Add an entry similar to the following to the auto.tools.txt file to simulate a sample auto.tools NIS map for import:
Centrify testlab-rhel3:/usr/share/centrifydc/bin

4 For each of the NIS maps you created, select NIS Maps under the eval-global zone created by the adedit script, right-click, then select Import Maps.
5 Select the UNIX NIS map source file option, click Browse to locate the netgroup.txt file, then click Next.
6 Take the default values for Field separator, Key field, Comments ..., and The file contains ..., and then click Next. Click Finish at the next window.
7 Repeat these steps to add auto.master.txt and auto.tools.txt to NIS Maps.

The following figure illustrates the results. Subsequently, you can use Centrify Suite Administrator Console to add new entries to any map or edit any existing entries.
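The following Python block is an added example, not one of the Centrify tools: a parser for the netgroup map text format used in step 1 above. It joins backslash-continued lines, reads (host,user,domain) triples (empty fields are wildcards, and triples may touch as on the servers line), follows nested references such as "nodes servers clients", and reports unknown or circular references before a map is imported. The embedded sample map is the one from step 1, included here as constructed input; the '#' comment handling is an assumption of the example.

```python
"""Parser and consistency check for netgroup NIS map text (added example,
not a Centrify tool).  Handles '\\' line continuations, (host,user,domain)
triples with empty wildcard fields, adjacent triples, nested netgroup
references, and detects unknown or circular references.
"""
import re
from typing import Dict, List, Tuple, Union

# The sample map from step 1, embedded as constructed input.
SAMPLE_NETGROUP = """\
clients (sparrow,,birds) (sparrow.mynet.home,,birds) \\
        (chicken,,birds) (chicken.mynet.home,,birds) \\
        (parrot,,birds) (parrot.mynet.home,,birds)
servers (eagles,,birds)(eagle.mynet.home,,birds)
nodes servers clients
"""

Triple = Tuple[str, str, str]          # (host, user, domain)
Member = Union[Triple, str]            # a triple or the name of a nested netgroup
TOKEN_RE = re.compile(r"\([^)]*\)|[^\s()]+")
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def join_continuations(text: str) -> List[str]:
    """Logical lines: '#' comments dropped (assumption), trailing '\\' joins lines."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_netgroup_map(text: str) -> Dict[str, List[Member]]:
    """Map each netgroup name to its members (triples or nested names)."""
    groups: Dict[str, List[Member]] = {}
    for line in join_continuations(text):
        name, _, rest = line.partition(" ")
        members: List[Member] = []
        for tok in TOKEN_RE.findall(rest):
            if tok.startswith("("):
                m = TRIPLE_RE.fullmatch(tok)
                if m is None:
                    raise ValueError(f"{name}: malformed triple {tok}")
                members.append(tuple(f.strip() for f in m.groups()))
            else:
                members.append(tok)          # reference to another netgroup
        groups[name] = members
    return groups


def expand(groups: Dict[str, List[Member]], name: str, _seen=frozenset()) -> List[Triple]:
    """Flatten a netgroup to triples; KeyError for unknown names, ValueError for cycles."""
    if name in _seen:
        raise ValueError(f"cycle through netgroup {name}")
    out: List[Triple] = []
    for member in groups[name]:
        if isinstance(member, tuple):
            out.append(member)
        else:
            out.extend(expand(groups, member, _seen | {name}))
    return out


def hosts_in(groups: Dict[str, List[Member]], name: str) -> List[str]:
    """Sorted hosts of a netgroup; empty host fields (wildcards) are skipped."""
    return sorted({host for host, _user, _domain in expand(groups, name) if host})


def check_references(groups: Dict[str, List[Member]]) -> List[str]:
    """Problems that would otherwise surface only after import."""
    problems = []
    for name in groups:
        try:
            expand(groups, name)
        except KeyError as e:
            problems.append(f"{name}: unknown netgroup {e.args[0]}")
        except ValueError as e:
            problems.append(f"{name}: {e}")
    return problems


if __name__ == "__main__":
    g = parse_netgroup_map(SAMPLE_NETGROUP)
    print("problems:", check_references(g) or "none")
    print("hosts in nodes:", hosts_in(g, "nodes"))
```

Running check_references over a map before importing it catches the two mistakes that are easy to make when editing netgroup files by hand: a reference to a group that does not exist, and two groups that refer to each other.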

Starting the adnisd daemon


The Centrify Suite Network Information Service, adnisd, is installed as a separate Centrify Suite component and needs to be started in order to serve NIS maps for the zone that the computer has joined. The adnisd daemon is put in the /usr/sbin directory when the Centrify Suite software is installed. You start the daemon at the command line by typing the appropriate start command for your local operating environment. For example, on Red Hat Enterprise Linux, you would type the following command:
/sbin/service adnisd start


Testing adnisd
To test the NIS service that Centrify Suite provides, you need to configure your UNIX computer to be a NIS client to its own locally running NIS server, adnisd. To do this, you first need to set up the NIS client, then you can access the NIS maps hosted in Active Directory. To set up the local NIS client on a computer:
1 Set the zone to support an agentless client. Open the zone in which you created the NIS maps and select its properties. Check the box for Support agentless client.
Note
You must be logged in with administrator privileges to the domain controller to change this property.

2 Set the NIS domain name for the UNIX computer to be the same as the name of the zone in which you stored the maps. For example, enter the following from the UNIX command line to configure the domain name for the eval-global zone from our exercise:
domainname eval-global

3 Edit the NIS configuration file to specify the Centrify Suite zone and the local host name of the UNIX computer and bind the NIS. The location or name of the NIS configuration file may vary depending on the client's operating system. The most common location for this file is /etc/yp.conf. Add the following two lines to yp.conf:
domain zone server.domain localhostname
ypserver 127.0.0.1

In the first line enter the zone in which you added the maps, the Active Directory server.domain name and the name of the UNIX computer. For example, using the zone, server and UNIX computer in our exercise, the first line would look like this:
domain eval-global win08.demo redhat

(where win08 is the Windows Server computer name and demo is the domain name).


Note
If your NIS clients are configured for broadcast discovery, you can typically skip this step. For example, on Solaris, ypbind uses broadcast to locate its NIS server and does not use a NIS configuration file, so you can skip this step if the client is a Solaris computer.

4 Edit the /etc/hosts file and add the following lines:
127.0.0.1 localhostname
ipaddress localhostname

where localhostname is the name of the UNIX computer and ipaddress is its IP address. For example, using the computer in the exercise, you would add the following:
127.0.0.1 redhat
ipaddress redhat

5 Start the ypbind service to enable the local computer to look up information in the NIS maps served by the local adnisd daemon. For example, on Red Hat Linux:
/sbin/service ypbind start

You should be able to test that the maps that you imported earlier are visible to the local computer by using the following NIS commands:
/usr/sbin/yptest -m netgroup
ypcat -m auto.master
ypcat -M auto.tools

You should now be able to try other operations that require the use of NIS maps such as automounting remote file systems.


Appendix C

Remove Centrify Suite components


This appendix describes how to remove the DirectManage and DirectAudit components from your Windows systems and the DirectControl and DirectAudit agents and commands from your UNIX computer(s).

Remove agents, NIS and OpenSSH from UNIX computer(s)


There are two ways to remove the Centrify Suite agents from your UNIX computers:
Use the Deployment Manager on your Windows system
Run the install.sh script from a console on the UNIX system

Both procedures render the same results: both remove the DirectControl and DirectAudit agents and Centrify Suite tools (for example, adinfo, adjoin, and dzinfo); however, the software distribution packages (for example, the agents' .rpm files) and installation scripts are left intact so you can re-install. (If you used Deployment Manager to install the packages, they are in the /tmp/CentrifyInstall directory.)

Using Deployment Manager

Start the Deployment Manager from your Windows system. Right-click the computer and select Remove installed components.

Deployment Manager analyzes the selected computer and displays a list of the Centrify software found. For example, in the following figure the DirectControl Agent, Centrify-enabled OpenSSH and the DirectAudit Agent were installed on the machine. If you had also installed NIS, it would appear in the list too.

Note If you remove the DirectControl Agent, OpenSSH and the DirectAudit Agent are automatically removed. If you want to leave the DirectControl Agent on the UNIX computer, you can remove OpenSSH and the DirectAudit Agent individually.

Click Next > to proceed. This takes a few minutes. Progress is indicated on the Deployment Manager Welcome page; scroll down to the bottom of the page. The spinning, busy cursor is displayed while the software is removed. When Deployment Manager is done, it shows that the Centrify software is ready to install.

If you only need to remove the Centrify software from the selected UNIX computer, you are done. Exit Deployment Manager. (Deployment Manager itself is removed when you remove the DirectManage components.)

Using install.sh

You can also remove the Centrify Suite agents and tools from a UNIX console, using the same install.sh script you used to install the software.

Note Before you remove the DirectControl Agent, run adleave to unjoin the computer from the domain. If the computer is still joined, the script prompts you for an authorized user name and password before it removes the Centrify software.

Change to the directory that contains the distribution packages and enter:

/bin/sh install.sh

The script determines which software you have installed and displays the list of components it found.

Note The script finds all Centrify software installed on the computer. For example, the figure shown here also lists other Centrify products, including Centrify-enabled Samba and DirectControl for Web applications.

Enter E to proceed. The script gives you another chance to exit; enter Y to proceed. The script then asks whether you want to reboot after the uninstall; enter Y to proceed.
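Because install.sh only prompts for credentials when it finds the computer still joined, a small pre-flight check makes the adleave requirement from the note above explicit. The following POSIX shell script is an added example, not part of the guide or of the Centrify software: it reads the output of adinfo, refuses to start the uninstall while a "Joined to domain:" line names a domain, and otherwise runs /bin/sh install.sh from the package directory. The adinfo output layout it parses (a "Joined to domain:" line that reads "Not joined to any domain" after adleave), the function names is_joined and preflight_uninstall, and the sample outputs embedded for the self-test are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: refuse to run install.sh for removal until the host has left the domain.
# Not from the Centrify guide. The adinfo output format assumed here is a constructed sample.

# is_joined: reads adinfo-style output on stdin; succeeds (exit 0) only when a
# "Joined to domain:" line names a domain rather than "Not joined ...".
is_joined() {
  awk '
    /^Joined to domain:/ { seen = 1; joined = ($0 !~ /Not joined/) }
    END { if (seen && joined) exit 0; exit 1 }
  '
}

# preflight_uninstall [PKGDIR]
# Changes to the package directory (default: current directory), checks the
# join state with adinfo when the agent is installed, and only then runs the
# uninstall with the command given in the guide.
preflight_uninstall() {
  dir=${1:-.}
  cd "$dir" || { echo "no such directory: $dir" >&2; return 2; }
  [ -f install.sh ] || { echo "install.sh not found in $dir" >&2; return 2; }
  if command -v adinfo >/dev/null 2>&1 && adinfo 2>/dev/null | is_joined; then
    echo "computer is still joined to the domain; run adleave first" >&2
    return 1
  fi
  /bin/sh install.sh
}

# Constructed sample outputs (assumed adinfo layout) used to exercise is_joined
# on a machine without the Centrify agent.
SAMPLE_JOINED='Local host name:   redhat
Joined to domain:  demo.example.com
Joined as:         redhat.demo.example.com
CentrifyDC mode:   connected'
SAMPLE_LEFT='Local host name:   redhat
Joined to domain:  Not joined to any domain'

# Usage: sh uninstall-check.sh /tmp/CentrifyInstall
if [ "$#" -ge 1 ]; then
  preflight_uninstall "$1"
fi
```

If adinfo is absent (the DirectControl Agent was already removed) the check is skipped and install.sh runs directly, matching what the script itself would do in that state.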

Remove DirectAudit from Windows systems

You remove the DirectAudit consoles and Windows Agent separately from the DirectManage Windows components. In this section, you remove the DirectAudit components.

Note This procedure removes only the DirectAudit components: the Auditor and Administrator consoles, the Windows agent, the Collector and the Audit Store. It does not remove the Audit Store database. In addition, if you installed SQL Server Express with the DirectAudit package, it too remains on the system.

To begin, go back to your Centrify Suite DVD/iso and launch autorun. Select Centrify DirectAudit. This time the installation prompt offers a different set of options. Select Uninstall and click Next >.

Note Once you click Next > you cannot cancel. The uninstall process invokes the Microsoft Management Console. If you get a prompt that says it has stopped working, select Close the program to proceed. Click Finish to exit. The DirectAudit components have now been removed.

Remove DirectManage components

In this section you remove the Deployment Manager, the DirectControl Administrator Console, the Active Directory Users and Computers property page extension and the other Centrify components you installed. This concludes the Centrify Suite software removal.

To begin, go back to your Centrify Suite DVD/iso and launch autorun. Select Centrify DirectManage. Click Next > to proceed from the welcome window. Select Uninstall and click Next >. The next window lists the software that will be removed. Click Next > to proceed.

Note You can cancel an uninstall, but doing so has unpredictable results. Do not click the Cancel button once the uninstallation process has started. If you inadvertently clicked it, let the process complete and then launch autorun again to reinstall the software.

The uninstall process invokes the Microsoft Management Console. If you get a prompt that says it has stopped working, select Close the program to proceed.

This concludes Centrify Suite software removal. The uninstallation removed the Centrify software and the UNIX properties of the Active Directory users. (For example, launch Active Directory Users and Computers, select an AD user and show her properties: the DirectControl Profile tab is no longer displayed.) The Centrify-related containers (for example, the UNIX OU and the Licenses, Service Accounts, UNIX Groups, UNIX Servers, and Zones nodes you created) remain in Active Directory. To restore your configuration, install the DirectManage software again, launch the DirectControl Administrator Console, right-click the Zones node and open your parent zone (Global in the demo).


Index

A
account lockout policies 116
Adding Centrify group policies 114
ade_lib Tcl library 105
ADEdit 104
  ade_lib Tcl library 105
  commands 105
  context commands 106
  general-purpose commands 105
  Inside the script 111
  object-management commands 106
  run script 107
  script example 107
  script name 107
  script unpack 107
  script user password 112
  script zones, groups, roles, and computer roles 109
  security descriptor commands 107
  utility commands 107
adgpupdate 103
adinfo 103
adjoin 76, 103
adleave 103
Administrator Console
  Reports 97
adnisd
  starting 156
  testing 157
adpasswd 103
adquery 103
adsetup-evalguide.sh 107
adtools 103
  ADEdit 104
  adgpupdate 103
  adinfo 103
  adjoin 103
  adleave 103
  adpasswd 103
  adquery 103
  adupdate 103
  dzdo 103
  dzinfo 103
adupdate 103
agentless client 157
Analyze your environment 46
Assign rights to a role 86
Audit Server 18
Audit Store 18

B
Build computer list 39

C
Centrify DirectControl
  UNIX requirements 30
Centrify Suite
  Deployment Manager 33
  DirectManage 33
  Installation 33
  iso image filename 33
  UNIX installation 38
centrify_gnome_settings 115
centrify_linux_settings 115
centrify_mac_settings 115
centrify_unix_settings 115
centrifydc_settings 115
Computer role
  create 88
  introduction 25
Computer roles
  FinApache 88
conventions, documentation 6
Create groups 69
Create new right 85
Create new role 86
Create rights
  DirectControl Administrator Console create rights 84

D
dacontrol 139
dad 139
dadebug 139
dadiag 139
dainfo 139
dareload 139
Default zone container 60
Delegating Control 92
Deploy 48
Deployment Manager 33
  Analyze your environment 46
  build computer list 39
  Deploy Centrify software 48
  Download Centrify software 44
  instructions 39
  phases 38
  remove 162
  remove agents 159
DirectAudit 17
  Administrator 19
  Administrator Console 141
  Administrator console 141
  Agent Control Panel 141
  Agent installation 38
  Agent removal 159
  Audit Server 18
  Audit Store 18
  Auditor 19
  close sessions 142
  Collectors 18
  Console 19
  custom query 137
  dacontrol 139
  dad 139
  dadebug 139
  dadiag 139
  dainfo 139
  dareload 139
  quick query 138
  remove Windows components 161
  UNIX utilities 139
DirectControl Agent
  removal 159
DirectControl Administrator Console
  Add UNIX users 61
  add UNIX users to Global zone 65
  Assign rights to a role 86
  connect to forest 57
  create computer role 88
  Create new right 85
  Create role 86
  create zones 63
  default container for zones 60
  Delegate Zone Control 92
  install licenses 58
  license container 58
  Provision tab 65
  remove 162
  setup wizard 57
  show users 80
  user credential 58
DirectControl Agent 13
  installation 38
  removal 159
DirectManage 33
  instructions 36
  launch 36
  remove Windows components 162
DNS environment 32
DNS Server 31
documentation
  additional 8
  conventions 6
Download Centrify software 44
dzdo 103
dzinfo 103

E
EntSA
  add members 70
  create 70
etc/ssh 151
etc/yp.conf 157
evaluation checklist 145

F
Failed to start service 69
FIN zone, create 65
FinApache
  create 88
  role assignment 90
FinDSA 86, 87
FinSA
  add UNIX properties 84
  add user 84
  create 83
  rights 87
FinUser
  add members 70
  assign role 72
  create 70
FinWeb 90
  add UNIX properties 84
  add user 84
  create 83
FinWSA 89, 90
Firewall rules 120

G
Global zone, create 64
Group Policies
  firewall rules 120
Group policies
  centrify_linux_settings 115
  centrify_mac_settings 115
  centrify_unix_settings 115
  centrifydc_settings 115
  prevalidate users or groups 118
  set the login password prompt 118
  SSH settings 118
group policies
  about 113
  adding 114
Group Policy
  set user mapping 116
Group Policy Object Editor 114
Groups, add UNIX properties 71

H
heterogeneous environments
  centralized management 5

I
Install script 53
install.sh
  install agents 53
  remove agents 160
installation
  Windows prerequisites 30
iso image filename 33

J
join
  adjoin command 76
Join UNIX computer 73

L
License container 58
Log in 77
Log on as a service access rights 69
Login
  from UNIX system console 77
  using PuTTY 78

M
Machine Zone
  introduction 25
Machine-level adjustments 79
Macintosh naming convention 6
Management Tools 14

N
Network Information Service see NIS
NIS 155
  about 155
  agentless client 157
  creating maps 155
  importing maps 155
  installation 49
  removal 159
  starting the adnisd daemon 156
  testing 157

O
OpenSSH
  installation 49
  removal 159
Organization Units
  create UNIX ou 56
Organizational Units 56
  create 56
  create Service Accounts 56
  create UNIX Groups 57
  for UNIX users, groups and computers 56
Organizational Units
  create UNIX Servers 57

P
Prevalidate users or groups 118
Provisioning tab 66
  GECOS 67
  Home directory 67
  Login name 67
  Primary group 67
  shell 67
  Source group 66
  UID 67
PuTTY
  log in to UNIX computer 78
  overview 17

R
Report Center 97
Report Wizard 100
Reports
  Classic Zone 97
  create 100
  Hierarchical Zone 98
  modify 100
  New Report Wizard 100
  purpose of 97
  snapshot 99
  static report 99
Rights
  assign to a role 86
  create new 85
Role
  assign rights 86
Roles
  create new 86

S
Set the login password prompt 118
Set user mapping 116
Show users 80
SSH settings 118

U
UNIX system requirements 30
UNIX system
  analyze your environment 46
UNIX systems
  Deploy Centrify software 48
  Download Centrify software 44
  find in network 39
  reboot 54
UNIX tools
  installation 38
UNIX users
  add 61
  add to Global zone 65
  change ID 79

V
virtual environment
  configuring DNS 33
  machine instances 33
  recommended configuration 32

W
Windows system requirements 30
Windows Server
  DNS Server 31

Y
ypbind service 158

Z
Zone Delegation Wizard 93
Zone Provisioning Agent
  configure 67
  create UNIX identities 65
  default UNIX properties 65
  default values 66
  Event log 68
  Failed to start service 69
  introduction 17
  Log on as a service access rights instructions 69
  Service account 68
  Settings 68
Zones
  create 63