Centrify DirectControl Best Practices - Cerberis


CENTRIFY WHITE PAPER: CENTRALIZED MANAGEMENT FOR UNIX, LINUX, MAC AND JAVA WITH ACTIVE DIRECTORY AND DIRECTCONTROL

of the underlying disks, and, in the case of remote storage (NAS, NFS, etc.), the speed of the connection. It is a best practice to estimate the time required for adfixid very pessimistically, particularly when scheduling outage or change windows.

Once all users have been migrated to Active Directory and adfixid has been executed, there is no additional benefit to running adfixid again. It is a best practice to keep a master list of all machines on which adfixid has been executed and to require all personnel to update that list as soon as adfixid has been run on a machine.

Finally, adfixid has a rollback option that will undo all changes recorded since the beginning of the log file. By default, the log file is /etc/centrifydc/adfixid.log. It is a best practice to gzip this log file (thereby manually check-pointing the log) upon the successful completion of each UNIX computer, so that a subsequent rollback only covers changes made after that point. For example, if Clyde Baum runs adfixid against the /var, /tmp, and /home directories on medcalc.illumiclinics.com, he should gzip /etc/centrifydc/adfixid.log once all three mount points have been processed.

3.8.3 Solution: removing duplicate users and groups

Multiple auditing and compliance standards require the removal of local users once those users have been migrated to Active Directory. There are three possible methods of removing local users and groups from UNIX computers:

1. Use the 'adrmlocal' utility included with Centrify DirectControl; or,
2. Use the native platform tools for that version of UNIX; or,
3. Use a text editor to manually edit the appropriate files.

Which method to use depends largely on whether the groups, and not only the users, have been migrated to Active Directory.

If no Active Directory users are defined in local UNIX groups, use 'adrmlocal'. The adrmlocal utility leverages the platform-native utilities to remove the local users and groups. If the native platform tools make backups of the files being modified, those backups are made as a side effect of running adrmlocal; adrmlocal itself does not take any additional backups, so any backup beyond what the native tools provide must be made before it is run.

If Active Directory users are defined in local UNIX groups (such as the 'opsteam' group in Figure 3-3), then edit the files manually. This is because all native platform tools are greedy when they remove user accounts: they remove the local user account and also remove that username from every local group. Where a local group has not been migrated to Active Directory, that greedy removal would strip the (now Active Directory) user of a membership it still needs, so the local files must be edited by hand.

For example, group 'dba' has a GID of 10001 and is defined as a local group on dbserver (see section Error! Reference source not found. for details):

dba::10001:rcranfil,hgarry,acolliga,enerio,sramnari,tetsu,mysql

© CENTRIFY CORPORATION 2004-2007. ALL RIGHTS RESERVED. PAGE 29
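The two decisions above (does a local group already list non-local members, and does the removal touch /etc/group) as an added shell example; it is not from the white paper and does not call Centrify's tools. It works on copies of passwd, shadow and group under a scratch directory so it runs unprivileged. The 'dba' group line is the one quoted on the page; which of its members are still local (rcranfil, hgarry, mysql) and which are assumed to have been migrated already is constructed for the example, as are the function names.

```shell
#!/bin/sh
# Added example, not part of the Centrify white paper. All functions take a
# scratch directory holding copies of passwd/shadow/group, never the real files.

# Constructed sample files. The dba line is the page's own; rcranfil, hgarry
# and mysql are assumed still local, the other dba members are assumed to
# exist only in Active Directory (no local passwd entry).
make_sample_files() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
rcranfil:x:10010:10001:R. Cranfill:/home/rcranfil:/bin/sh
hgarry:x:10011:10001:H. Garry:/home/hgarry:/bin/sh
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:*:16000:0:99999:7:::
rcranfil:!:16000:0:99999:7:::
hgarry:!:16000:0:99999:7:::
mysql:!:16000:0:99999:7:::
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
wheel:x:10:rcranfil
dba::10001:rcranfil,hgarry,acolliga,enerio,sramnari,tetsu,mysql
EOF
}

# Print the local groups that list a member with no entry in the given passwd
# file. Such a member is not local (here: already in Active Directory), so the
# group is still in use by AD users and a greedy native removal is unsafe.
groups_with_nonlocal_members() {
    passwd="$1"; group="$2"
    awk -F: 'NR==FNR { local[$1] = 1; next }
             { n = split($4, m, ",")
               for (i = 1; i <= n; i++)
                   if (m[i] != "" && !(m[i] in local)) { print $1; break } }' \
        "$passwd" "$group"
}

# The manual-edit path: drop the user from passwd and shadow, leave group alone.
# Each file is first copied to FILE- (the vipw/pwconv backup convention); that
# copy is the only rollback point, so it is taken before the file is rewritten.
# On a real host do this under vipw so the files are locked while edited.
remove_local_user_keep_groups() {
    dir="$1"; user="$2"
    for f in passwd shadow; do
        cp -p "$dir/$f" "$dir/$f-"
        awk -F: -v u="$user" '$1 != u' "$dir/$f-" > "$dir/$f"
    done
}

# What a greedy native tool (userdel, and therefore adrmlocal) does: the same
# as above, plus the username is struck from every member list in group.
remove_local_user_greedy() {
    dir="$1"; user="$2"
    remove_local_user_keep_groups "$dir" "$user"
    cp -p "$dir/group" "$dir/group-"
    awk -F: -v OFS=: -v u="$user" '{
        n = split($4, m, ","); out = ""
        for (i = 1; i <= n; i++)
            if (m[i] != "" && m[i] != u) out = out (out == "" ? "" : ",") m[i]
        $4 = out; print }' "$dir/group-" > "$dir/group"
}

# Helpers for inspecting the result: number of lines naming USER in field 1,
# and the member list of one group.
count_entries() {
    awk -F: -v u="$2" '$1 == u { c++ } END { print c + 0 }' "$1"
}
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}
```

Run groups_with_nonlocal_members on the live /etc/passwd and /etc/group first; any group it prints is one where a name absent from passwd should be checked against Active Directory (adquery on a DirectControl host) before deciding, and whose members must then be removed by the non-greedy path so that, for example, hgarry stays in dba after his local account is gone.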
