11.07.2015

Centrify DirectControl Best Practices - Cerberis
CENTRIFY WHITE PAPER
CENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL

• LDAP 389/TCP/UDP
• LDAP GC 3268/TCP
• Kerberos Auth 88/UDP
• Kerberos Change Password 464/TCP/UDP
• DNS 53/TCP/UDP
• SMB 445/TCP/UDP

Other possible ports required:

• RPC 135/TCP. This is ONLY needed if you want to enable joining by non-administrative users. This traffic is initiated by the UNIX server to contact the Active Directory server.
• SNTP (Simple Network Time Protocol) 123/UDP. DirectControl must maintain time sync with the domain controller. You can close this port provided your external servers can get accurate time updates.

Illumi Clinics has chosen to allow members of the “UNIX Operators” Active Directory group to join computers to Active Directory, and to use Active Directory as the source of NTP updates. Therefore, Illumi Clinics must open all of the aforementioned ports between the UNIX computers and the Active Directory Domain Controllers.

3.8.2 Solution: changing file permissions

Some Zone designs will inherently result in changing a user’s primary UID or GID, or the GID associated with a group. Illumi Clinics, for example, decided to reconcile UID collisions within a potential Zone by assigning the user or group the most common UID or GID, and if that did not reconcile the collision, to assign a new UID or GID starting at 50000. Each user and group must have a distinct UID and GID within a given Zone.

Centrify provides a utility, adfixid, to reconcile file permissions for users and groups on individual UNIX computers. It is a best practice to use adfixid to correct file permissions before users log on to computers where their UID or GID has changed.

adfixid must be installed and executed as root. As of version 3.0.2, the installation files are included in the DirectControl installation packages for each platform.

Installation:

# gunzip -c centrifydc-adfixid--.tgz | ( cd / && tar xf - )

By default, adfixid will preview the duplicated users and groups between the individual UNIX computer and the currently joined Zone. For example, Tetsu Ishii runs adfixid on finserv, which is joined to Zone1:

© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 27
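A worked example of the UID reconciliation rule Illumi Clinics chose in 3.8.2, added here as an illustration that is not from the white paper or from Centrify: given the local UID each host assigns to each account (constructed sample data), it keeps the most common UID per account, falls back to a fresh UID from 50000 upward when that UID is already claimed within the Zone, and lists the (host, account) pairs whose files would need re-owning, which is the work adfixid performs. The tie-breaking order (lowest UID, then account name) is an assumption the paper does not state.

```python
from collections import Counter

# Constructed sample data (not from the white paper): the UID each of three
# UNIX hosts currently assigns to each local account. 'tishii' and 'oracle'
# both use UID 1001 on two hosts, which is the collision the rule must break.
HOST_PASSWD = {
    "finserv": {"tishii": 1001, "jdoe": 1002, "oracle": 500},
    "webapp1": {"tishii": 1001, "jdoe": 1005, "oracle": 1001},
    "db2":     {"tishii": 1003, "jdoe": 1002, "oracle": 1001},
}

NEW_ID_START = 50000  # where the white paper starts freshly assigned IDs


def reconcile_ids(host_ids, new_id_start=NEW_ID_START):
    """Choose one Zone-wide UID per account and list the files to re-own.

    Returns (zone_ids, fixups): zone_ids maps account -> UID; fixups lists
    (host, account, old_uid, new_uid) for every host whose local UID differs
    from the Zone UID, i.e. what adfixid must correct before the user logs on.
    """
    # Count how many hosts use each UID for each account.
    usage = {}
    for host, accounts in host_ids.items():
        for name, uid in accounts.items():
            usage.setdefault(name, Counter())[uid] += 1

    # Most common UID per account; ties go to the lowest UID (assumption:
    # the white paper does not say how ties are broken).
    preferred = {name: max(c, key=lambda u: (c[u], -u)) for name, c in usage.items()}

    zone_ids, taken, next_new = {}, set(), new_id_start
    # Hand out contested UIDs to the account with the strongest claim first,
    # then alphabetically (also an assumption), so the result is deterministic.
    for name in sorted(preferred, key=lambda n: (-usage[n][preferred[n]], n)):
        uid = preferred[name]
        if uid in taken:
            # The most common UID did not reconcile the collision: allocate a
            # new UID from 50000 upward, skipping anything already claimed.
            while next_new in taken:
                next_new += 1
            uid = next_new
        zone_ids[name] = uid
        taken.add(uid)

    fixups = sorted(
        (host, name, uid, zone_ids[name])
        for host, accounts in host_ids.items()
        for name, uid in accounts.items()
        if uid != zone_ids[name]
    )
    return zone_ids, fixups
```

The fixups list is what an administrator would compare against adfixid's preview on each host before allowing users to log on.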
