Centrify DirectControl Best Practices - Cerberis

More documents

Recommendations

Info

CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROLThe alternative to using this script would be to manually add each Active Directory Userto each Active Directory Group under “OU=Groups,OU=UNIX”. For example, considerthe Edge group (GID 10015). The following Active Directory Users would need tomanually be added to the “cn=Edge,OU=Groups,OU=UNIX” Active Directory Group:• Alyssia Osteen• Clyde Baum• Peter Engelkes• Rasheeda Cranfill• Salley Debruin• Tenisha DeshayZone#1 for Illumi Clinics has 19 groups that contain 79 users, and Zone #1 is a typicalZone. Illumi Clinics has 80 Zones and several hundred distinct UNIX groups. AddingActive Directory Users to Active Directory Groups solely for the purposes of UNIX filepermissions is tedious. It is recommended to use the AddUsersToGroups.vbs script toautomate this one-time import process.3.8 Solution: Joining UNIX computers to Active DirectoryThe best practice for joining UNIX computers to Active Directory is to produce a briefdocument with clearly written instructions. This document can be used by personnelunfamiliar with the operation of DirectControl and also ensures a consistent deployment.The best practice is to include at least the following steps in the instructions:• Disable user logins• Open firewall ports if required• Disable local ntpd process so that DirectControl manages time on the UNIXcomputers• Disable local telnetd, ftpd, and tftpd processed (though not required forDirectControl, disabling insecure protocols is a security best practice)• Join computer to Active Directory• Restart all PAM-dependent services such as ftpd and sshd• Enable user logins• If necessary, execute ‘adfixid’ to fix file permissions• If feasible, use ‘adrmlocal’ to remove duplicated users from /etc/passwd,/etc/shadow, and /etc/group© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 24
CENTRIFY WHITE PAPERCENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROLHere is a sample excerpt from the checklist prepared for use by Illumi Clinics UNIXoperations team.Task InstructionExpected ResultLog on or switch (su) to the root user on thecomputer. If possible, use the console headserver or the local console.The root prompt “#” will bedisplayed.Disable user logins:# touch /etc/nologinDisable the NTP service.For Solaris 10 Systems Only:# svcadm disable network/ntpFor Solaris 2.6 – 9 Systems Only:# /etc/rc2.d/S74xntpd stop# mv /etc/rc2.d/S74xntpd/etc/rc2.d/K74xntpdFor Red Hat Systems Only:# /sbin/chkconfig ntpd off# /sbin/service ntpd stopType the following command to join thedomain:# adjoin –u username -c“container or OU DN” –z zoneillumiclinics.comThe correct values for username, container,and zone can be found in section 3.1 of thisdocument.Note: Only use the partial DN for the OUpath. Do not include the domain name.Example:“cn=zone34,ou=computers,ou=unix”.Sample output:Centrify DirectControlstarted.You have successfullyjoined the ActiveDirectory domain:illumiclinics.comIn the CentrifyDirectControl zone:CN=ZONENAME,CN=Zones,OU=UNIX,DC=Illumiclinics,DC=COMYou may need to restartother services that relyupon PAM and NSS or simplyreboot the computer forproper operation. Failureto do so may result inlogin problems for ADusers.Enable user logins:# touch /etc/nologin© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 25
Page 1 and 2: WHITE PAPERCENTRIFY CORP.Centrify D
Page 3 and 4: CENTRIFY WHITE PAPERCENTRALIZED MAN

Centrify DirectControl Best Practices - Cerberis

Create successful ePaper yourself

Delete template?

Save as template?