
Centrify DirectControl - Cerberis


Centrify DirectControl Evaluation Guide
January 2010
Centrify Corporation


Legal notice

This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document “as is” without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time.

© 2004-2010 Centrify Corporation. All rights reserved. Portions of Centrify DirectControl are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Centrify, DirectControl, and DirectAudit are registered trademarks and Centrify Suite, DirectAuthorize, and DirectSecure are trademarks of Centrify Corporation in the United States and/or other countries. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred.


Chapter 10 Using DirectControl with Centrify Samba 137
  About Samba and DirectControl 137
  Installing Centrify Samba 139
  Setting up Centrify Samba and DirectControl 141
  Testing Samba on UNIX 145
  Testing Samba from a Windows machine 146
  Summary 148
Chapter 11 Using DirectControl with SSH 149
  About SSH and DirectControl 149
  Setting up SSH 151
  Testing SSH on UNIX 151
  Testing SSH from a Windows machine 151
  Summary 152
Chapter 12 Working with DirectControl reports 153
  Understanding DirectControl reporting 153
  Running DirectControl reports 154
  Creating and modifying report definitions 158
  Summary of DirectControl reporting 160
Chapter 13 Completing the evaluation 161
  Using the evaluation checklist 161
Index 169


About this guide

Centrify™ DirectControl™ enables centralized, secure management of a heterogeneous network through Microsoft Active Directory by extending Active Directory authentication, authorization, directory service, and Group Policy capabilities to manage access to UNIX, Linux, and Mac OS X computer resources, Web applications and application servers, such as Apache, Tomcat, JBoss, and WebLogic, databases such as DB2, and enterprise applications such as SAP.

Centrify DirectControl is part of the Centrify DirectControl suite, which includes software for role-based authorization, privilege management, and detailed auditing of user activity.

Intended audience

This Evaluation Guide is intended for system and network administrators who will be evaluating the Centrify DirectControl solution. The Centrify DirectControl suite delivers comprehensive Active Directory-based identity and policy management for environments with a mix of Windows, UNIX, Linux, Mac OS X, and Java/J2EE, as well as popular databases and application servers.

This guide assumes you have a working knowledge of Windows and Active Directory and are familiar with Active Directory features, functionality, and terminology. This guide also assumes you are familiar with your UNIX-based operating environment and how to perform common administrative tasks.


• Chapter 4, “Using UNIX authentication services,” shows you how to enable a user to access the UNIX shell and demonstrates the range of account policies that DirectControl enforces.
• Chapter 5, “Administering zones,” explains how Centrify DirectControl’s innovative concept of zones can help simplify system management and ease the migration of UNIX-based account information into Active Directory. It shows you how to create a zone in Active Directory and add users to it.
• Chapter 6, “Using the DirectControl Web Console,” describes how to use the Centrify DirectControl Web Console to manage users and zones.
• Chapter 7, “Using group policies for UNIX users and computers,” describes how to apply Centrify DirectControl group policies to control configuration settings for UNIX users and computers.
• Chapter 8, “Defining rights and roles,” describes how to use DirectAuthorize to establish role-based access controls on a zone-by-zone or computer-by-computer basis.
• Chapter 9, “Managing NIS maps in Active Directory,” describes how to import NIS maps into Active Directory and how to use the Centrify DirectControl Network Information Service to receive NIS client requests.
• Chapter 10, “Using DirectControl with Centrify Samba,” describes how to install the Centrify version of Samba on your UNIX machine and how to use Centrify Samba and DirectControl to enable users to create file shares on UNIX computers that can be shared to Windows systems.
• Chapter 11, “Using DirectControl with SSH,” describes how to install OpenSSH on your UNIX machine and how to use SSH and DirectControl to log on to UNIX computers remotely using Active Directory credentials.


on SPARC available on the Centrify DirectControl CD or in the Centrify DirectControl download package. On the CD or in the download package, the file name indicates the Centrify DirectControl version number. For example, for a 3.0.0 package, the file is centrifydc-3.0.0-sol8-sparc-local.tgz.

Where to go for more information

The Centrify DirectControl documentation set includes several sources of information. Depending on your interests, you may want to explore some or all of these sources further:
• Centrify DirectControl Release Notes for the most up-to-date information about what’s included in the current release, system requirements and supported platforms, and any additional information, specific to this release, that may not be included in the accompanying Centrify DirectControl documentation.
• Centrify DirectControl Quick Start for a brief summary of the steps for installing Centrify DirectControl and getting started so you can begin working with the product right away. All of the topics and steps covered in the Quick Start are covered in greater detail in the Administrator’s Guide.
• Centrify DirectControl Administrator Console Help for task-based, reference and context-sensitive online help in the Centrify DirectControl Administrator Console.
• Centrify DirectControl Planning and Deployment Guide for guidelines, strategies, and best practices to help you plan for and deploy Centrify DirectControl in a production environment. This guide covers issues you should consider in planning a Centrify DirectControl deployment project. The Planning and Deployment Guide should be used in conjunction with the information covered in the Administrator’s Guide.
• Centrify DirectControl Administrator’s Guide for information on how to perform administrative tasks using the Centrify DirectControl Administrator Console and UNIX command line programs. The Administrator’s Guide focuses on managing your environment after deployment.
• Individual UNIX man pages for command reference information for Centrify DirectControl UNIX command line programs.
• Centrify DirectControl Group Policy Guide for how to use the Centrify DirectControl group policies to customize user-based and computer-based configuration settings.
• Centrify DirectControl Configuration Parameters Reference Guide for reference information about the Centrify DirectControl configuration parameters that enable you to customize your environment. Many of these settings can also be controlled through group policies.
• Centrify DirectControl Authentication Guide for Apache for how to use Centrify DirectControl with Apache Web servers and applications to provide authentication and authorization services through Active Directory. If you are using Centrify DirectControl with Apache, you should refer to this supplemental documentation for details about how to configure your Apache server to use Centrify DirectControl and Active Directory.
• Centrify DirectControl Authentication Guide for Java Applications for how to use Centrify DirectControl with J2EE applications to provide authentication and authorization services through Active Directory. If you are using Centrify DirectControl with Java servlets, such as Tomcat, JBoss, WebLogic, or WebSphere, you should refer to this supplemental documentation for details about how to configure your applications to use Centrify DirectControl and Active Directory.
• The Centrify Resource Center at http://www.centrify.com/resources/overview.asp for documentation and application notes, including documentation for SSH and Centrify Samba.

In addition to the Centrify DirectControl documentation, you may want to consult the documentation for your Windows or UNIX operating system, or the documentation for Microsoft Active Directory.

Contacting Centrify

If you have questions or comments, we look forward to hearing from you. For information about contacting Centrify with questions or suggestions, visit our Web site at www.centrify.com. From the Web site, you can get the latest news and information about Centrify products, support, services, and upcoming events.

For technical support or to get help installing or using this release of Centrify DirectControl, send email to support@centrify.com. For information about purchasing or evaluating Centrify products, send email to info@centrify.com.




Chapter 1 Understanding key concepts for evaluating Centrify DirectControl

This chapter gives you an overview of the Centrify DirectControl solution, including an introduction to its unique features and a description of the components and architecture. This chapter explains the key benefits of Centrify DirectControl that are demonstrated by the procedures in the following chapters.

The following topics are covered:
• What is Centrify DirectControl?
• What can Centrify DirectControl do for you?
• How does Centrify DirectControl work?
• Understanding Centrify DirectControl Zones
• Using the rest of this guide

What is Centrify DirectControl?

Centrify DirectControl delivers secure access control and centralized identity management by seamlessly integrating UNIX, Linux, Mac OS X, J2EE, Web platforms, SAP, and database management systems with Microsoft Active Directory. With DirectControl, organizations can improve IT efficiency, better comply with regulatory requirements, and move toward a more secure, connected infrastructure for their heterogeneous computing environments. Centrify DirectControl is non-intrusive, easy to deploy and manage, and is the only product that enables fine-grained access control, reporting, and auditing.


What can Centrify DirectControl do for you?

Centrify DirectControl’s core feature is its ability to enable UNIX, Linux, and Mac servers and workstations to participate in an Active Directory domain. The Centrify DirectControl Agent effectively turns the host system into an Active Directory client, enabling you to secure that system using the same authentication, access control and Group Policy services currently deployed for your Windows systems. Additional seamlessly integrated modules snap into the DirectControl Agent to provide services such as Web sign-on and Samba integration. The Centrify DirectControl Management Tools include extensions to standard Microsoft management tools, an administration console, out-of-the-box reporting, and an account migration wizard. An optional Web-based management console is also available for separate installation and use.

With the Centrify DirectControl suite, organizations with diverse IT environments can leverage their investment in Active Directory to:
• Move to a central directory with a point of administration for user accounts and security policy.
• Use DirectControl Zones to provide secure, granular access control and delegated administration.
• Extend Web sign-on to internal end-users and external business partners and customers.
• Simplify compliance with regulatory requirements.
• Deploy quickly without intrusive changes to existing infrastructure.


How does Centrify DirectControl work?

Centrify DirectControl consists of two main components:
• In your UNIX environment, you install the Centrify DirectControl Agent on each server or workstation you want to manage through Active Directory.
  Note In this guide, the term UNIX is used to refer to all supported versions of the UNIX, Linux, and Macintosh OS X operating systems unless otherwise noted.
• In your Windows environment, you install the Centrify DirectControl Management Tools. The Centrify DirectControl Management Tools include an Administrator Console, the Centrify Profile pages for Active Directory Users and Computers, a wizard for importing NIS and text files into Active Directory, and reports for viewing all of your UNIX users, groups, and computers. Centrify DirectControl includes a plug-in extension, DirectAuthorize, that you can use to centrally manage the operations users can perform on DirectControl-managed computers; see Chapter 8, “Defining rights and roles.”
• You may also install the optional Web-based management console, which enables you to manage zones and users from machines that do not have the Administrator Console installed.


Figure 1. The DirectControl Deployment Architecture

The computers where you have installed the Centrify DirectControl Agent are organized into groups called Centrify DirectControl Zones, usually referred to simply as zones. You can assign a zone when the computer joins the domain and you can move the computer account to a new zone after joining the domain.

About the Centrify DirectControl Agent

Once installed on a UNIX computer, the Centrify DirectControl Agent makes that computer look and behave like a Windows computer to Active Directory.

The Centrify DirectControl Agent handles the following key tasks:
• Joins UNIX computers to an Active Directory domain.
• Communicates with Active Directory to authenticate users logging on to the UNIX computer, and caches credentials for offline access.
• Enforces Active Directory authentication and password policies.
• Extends Active Directory Group Policy to manage the UNIX systems and Java-based Web applications running on the UNIX computer.
• Provides a Kerberos environment so that existing Kerberos applications automatically work transparently with Active Directory.
• Maintains time synchronization with Active Directory.

The Centrify DirectControl Agent includes a daemon, a library of dynamically-loaded code modules, a set of command-line utilities, and Kerberos services. For detailed information about the Centrify DirectControl Agent, see the Centrify DirectControl Planning and Deployment Guide.

About the Centrify DirectControl Management Tools

The Centrify DirectControl Management Tools consist of the Centrify DirectControl Administrator Console and the Centrify DirectControl property extensions for Active Directory Users and Computers. An optional Web-based management console is also available that provides the ability to manage zones and users from machines in the Active Directory forest that do not have the Centrify DirectControl Administrator Console installed.


The Centrify DirectControl Administrator Console provides a view of UNIX-enabled users, groups and computers.

Figure 2. DirectControl Administrator Console

You can use the Centrify DirectControl Administrator Console to centrally manage all of your UNIX systems, create and manage Centrify DirectControl Zones, obtain reports about your UNIX systems, and manage licenses for computers and applications. With the DirectAuthorize plug-in extension you can centrally manage the operations users can perform on your UNIX systems.

Note You may also use the Centrify DirectControl Web Console application to access a subset of the Administrator Console functionality through a Web browser. The Web Console enables you to manage Centrify DirectControl Zones and manage licenses for computers and applications. See Chapter 6, “Using the DirectControl Web Console.”

The Centrify DirectControl property extensions for Active Directory Users and Computers enable you to manage access to UNIX systems from within the native Active Directory interface.


For example, you can view a user’s properties and enable access to Centrify DirectControl zones:

Figure 3. DirectControl Property Page Extension

When a UNIX system joins an Active Directory domain, it is automatically configured to allow authorized Active Directory users to log on.

The Centrify DirectControl Management Tools are the only software you need to install in your Windows environment to deploy DirectControl. Centrify DirectControl does not require you to install software on your Windows domain controllers or modify the Active Directory schema.

Understanding Centrify DirectControl Zones

Centrify DirectControl Zones provide the industry’s only enterprise-class solution for enforcing granular access control for both users and administrators across a heterogeneous environment. You can create logical groupings of mixed UNIX, Linux, and Mac OS X computers within Active Directory. Each logical grouping you create is a distinct Centrify DirectControl Zone. Each zone can have a unique set of users, a unique set of administrators, and a unique set of security policies and access rights. Regardless of how diverse or distributed your organization’s systems may be, you can use DirectControl zones to bring UNIX systems into Active Directory while preserving existing security boundaries and privileges.

Centrify’s zone technology extends the access controls of Active Directory, allowing you to create subsets of users and computers that have their own access privileges. This allows you to restrict access to certain groups of computers to a specific subset of the users within an Active Directory domain. In addition, DirectControl allows managers to have a centralized view of who has access to systems in each zone, both through the Administrator Console and in several predefined reports.

Using Centrify DirectControl Zones, you can migrate existing user accounts to Active Directory without having to ensure that all UNIX UIDs are unique throughout your organization. You can group computers into as many Centrify DirectControl Zones as you need. Although each user with an Active Directory account must have a UID on all of the computers in a Centrify DirectControl Zone, that user can be authorized to access multiple


• You can delegate administration of zones. Centrify DirectControl builds on Active Directory’s delegated administration feature to enable administrators to manage their systems.
• Centrify DirectControl zones make it easy for you to apply consistent Active Directory Group Policy configuration settings to groups of computers.
• Zones are optional. If you don’t need this level of access control, all systems can simply be added to the default zone.

Using the rest of this guide

The remaining chapters of this Evaluation Guide will help you to set up the evaluation environment and test drive a typical Centrify DirectControl deployment, illustrating how to install and use DirectControl to manage non-Windows computers, users, and groups in an Active Directory environment.
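The zone model this chapter describes (a computer belongs to one zone; an account's UNIX identity is defined per zone, so the same person can keep a different legacy UID in each zone; an account with no profile in a computer's zone cannot log on there even though it exists in Active Directory) can be made concrete with a small model. The following is an added example written for this page, not Centrify's code or data: the zone names, host names, accounts and UIDs are constructed, and the `ZoneDirectory` class is a hypothetical stand-in for the zone data the agent reads from Active Directory. It also adds a check the text implies but does not spell out: within one zone the kernel sees only the UID, so two accounts mapped to the same UID in the same zone are indistinguishable for file ownership and process control, which makes a per-zone UID collision report a useful pre-migration check.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class UnixProfile:
    """UNIX attributes an AD account carries inside one zone."""
    uid: int
    gid: int
    home: str
    shell: str = "/bin/bash"


@dataclass
class Zone:
    name: str
    computers: Set[str] = field(default_factory=set)
    # AD account name -> UNIX profile. The profile applies to every
    # computer in this zone and to no computer outside it.
    profiles: Dict[str, UnixProfile] = field(default_factory=dict)


class ZoneDirectory:
    """Zone-scoped identity mapping in the style of DirectControl zones.
    Constructed model for illustration, not Centrify's implementation."""

    def __init__(self) -> None:
        self.zones: Dict[str, Zone] = {}
        self.computer_zone: Dict[str, str] = {}

    def create_zone(self, name: str) -> Zone:
        return self.zones.setdefault(name, Zone(name))

    def join(self, computer: str, zone_name: str) -> None:
        """Join a computer to a zone, or move it if already joined elsewhere."""
        old = self.computer_zone.get(computer)
        if old is not None:
            self.zones[old].computers.discard(computer)
        self.zones[zone_name].computers.add(computer)
        self.computer_zone[computer] = zone_name

    def authorize(self, zone_name: str, account: str, profile: UnixProfile) -> None:
        """Give an AD account a UNIX identity valid throughout one zone."""
        self.zones[zone_name].profiles[account] = profile

    def resolve(self, computer: str, account: str) -> Optional[UnixProfile]:
        """The identity the agent on `computer` would hand to NSS/PAM for
        `account`. None means the account has no profile in this computer's
        zone and therefore cannot log on here, whatever AD says about it."""
        zone_name = self.computer_zone.get(computer)
        if zone_name is None:
            return None
        return self.zones[zone_name].profiles.get(account)

    def uid_collisions(self) -> Dict[str, Dict[int, List[str]]]:
        """Per zone, the UIDs assigned to more than one account. The same UID
        reused in two different zones is fine; reuse inside one zone is not."""
        report: Dict[str, Dict[int, List[str]]] = {}
        for zone in self.zones.values():
            by_uid: Dict[int, List[str]] = defaultdict(list)
            for account, profile in sorted(zone.profiles.items()):
                by_uid[profile.uid].append(account)
            dupes = {uid: accts for uid, accts in by_uid.items() if len(accts) > 1}
            if dupes:
                report[zone.name] = dupes
        return report


def build_example() -> ZoneDirectory:
    """Constructed sample data: two zones, legacy UIDs preserved per zone."""
    d = ZoneDirectory()
    d.create_zone("finance")
    d.create_zone("engineering")
    d.join("fin-db01", "finance")
    d.join("build01", "engineering")
    # alice keeps the UID she had on each legacy system: different per zone.
    d.authorize("finance", "alice", UnixProfile(1001, 100, "/home/alice"))
    d.authorize("engineering", "alice", UnixProfile(5001, 500, "/home/alice"))
    d.authorize("finance", "bob", UnixProfile(1002, 100, "/home/bob"))
    # carol reuses UID 1001 in engineering: no conflict, alice is 5001 there.
    d.authorize("engineering", "carol", UnixProfile(1001, 500, "/home/carol"))
    # dave was migrated with bob's UID into bob's zone: a real collision.
    d.authorize("finance", "dave", UnixProfile(1002, 100, "/home/dave"))
    return d


if __name__ == "__main__":
    d = build_example()
    print("alice on fin-db01:", d.resolve("fin-db01", "alice"))
    print("bob on build01:", d.resolve("build01", "bob"))
    print("UID collisions:", d.uid_collisions())
```

`resolve` is the behaviour to keep in mind when reading the later chapters: membership in the domain alone grants nothing on a zoned computer; the account must have a profile in that computer's zone. `uid_collisions` is the kind of report worth running before migrating accounts into a zone, because the per-zone UID freedom the text describes only protects you across zones, not within one.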


Chapter 2 Setting up the evaluation environment

In this chapter you will learn how to set up your Windows and UNIX network environment in order to conduct an effective evaluation of Centrify DirectControl. It also provides hardware and software requirements and prerequisites.

The following topics are covered:
• Preparing your environment
• Checking Windows requirements
• Checking UNIX, Linux, and Mac OS requirements
• Using a virtual environment to evaluate DirectControl
• Summary of the evaluation environment

Preparing your environment

Before installing Centrify DirectControl for evaluation, you should determine whether to install components in a physical lab or in a virtual environment. If you are working with physical computers in a lab, you should verify that the lab includes both Windows and UNIX computers and that there is a working Active Directory environment with at least one domain controller and DNS service. You should also check that the computers where you are planning to install Centrify DirectControl components meet all of the system requirements and prerequisites.

If you are installing Centrify DirectControl in a virtual environment, you configure the virtual machines and test the virtual network connections before installing Centrify DirectControl. For information about configuring a virtual environment, see “Using a virtual environment to evaluate DirectControl” on page 32.

To prepare for the evaluation, you need:
• At least one Windows server that is an Active Directory Domain Controller and has been assigned a DNS Server role.
• The Administrator account password for the forest root domain.
  Note The forest root Administrator account is the account created when you install the first Windows server in a new Active Directory site. If you are setting up a separate Active Directory environment for testing purposes, you should have this account information. If you are using an existing Active Directory forest that was not expressly created for this evaluation, you should identify the forest root domain and ensure you have an account that is a member of the Domain Admins group to ensure you have all the permissions you need to perform the tests in this evaluation.
• At least one Windows workstation that belongs to the Active Directory domain.
• At least one UNIX or Linux computer connected to the same network as the domain controller.

Regardless of whether you are installing Centrify DirectControl at a physical computer or using a virtual computer image, you should verify that the system meets the minimum configuration required and you have the information you need to complete the installation.

For a review of the requirements for Windows, see “Checking Windows requirements” on page 25.

For a review of the requirements for UNIX, Linux, and Mac OS X, see “Checking UNIX, Linux, and Mac OS requirements” on page 26.


Checking Windows requirements

Before installing Centrify DirectControl in the Windows environment, check the following basic requirements that apply to both the Centrify DirectControl property extensions for Active Directory and the Centrify DirectControl Administrator Console:

Operating system: One of the supported versions of the Windows operating environment product families:
  • Windows Server 2008
  • Windows Server 2003 (including R2 and x64 Editions)
  • Windows 2000 Professional and Server
  • Windows XP Professional (including x64 Edition)
  • Windows Vista (including x64 Edition)
.NET Framework: If the .NET Framework is not installed, the Centrify DirectControl setup program will install it for you.
Active Directory access: The computer must be able to connect to Active Directory.

For the sake of this evaluation, Centrify recommends you use Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2008 as the Active Directory Domain Controller, because Windows Server 2003 and Windows Server 2008 include all of the required services by default.

In addition, some scenarios in this Evaluation Guide use a separate Windows XP workstation joined to the test domain to illustrate logging on as a domain user and accessing applications running on UNIX.


If you are installing the Centrify DirectControl Administrator Console, you should check the following additional requirements:

For this                  You need this
CPU speed                 Minimum 550 MHz
RAM                       25 MB
Disk space                1.5 GB

Note You can install Centrify DirectControl Management Tools on any Windows computer in the forest. You may want to install them on the same computer where you installed the Windows Server 2003 Administration Tools Pack, but this is not required.

Centrify DirectControl has been tested using the Windows Server 2003 Standard Edition system requirements described on the Microsoft Web site at http://www.microsoft.com/windowsserver2003/evaluation/sysreqs/default.mspx. You can use this information as a guideline to the minimum system configuration required.

Checking UNIX, Linux, and Mac OS requirements

The Centrify DirectControl Agent needs to be installed on each UNIX computer you want to manage through Centrify DirectControl and Active Directory. Therefore, to evaluate Centrify DirectControl, you should check that any computer you plan to use for testing is running a supported version of one of the following operating systems:

• CentOS Linux
• Citrix XenServer
• Debian Linux
• Hewlett-Packard HP-UX


• IBM AIX
• Mac OS X
• Oracle Enterprise Linux
• Red Hat Linux
• Scientific Linux
• SGI IRIX
• Sun Solaris
• SuSE Linux
• Ubuntu Linux
• VMware ESX Server

To check specific platform requirements, do one of the following:

• Check requirements online; see “Checking for updates online” on page 28.
• Run the adcheck tool on a target system; see “Checking requirements on a target computer with adcheck” on page 28.

Evaluating Centrify DirectControl for Web applications

If you want to evaluate Centrify DirectControl for Web application authorization, you should have one of the following Web application servers running in your environment:

For Web applications on   You need this
Apache                    Apache HTTP Server v1.3 or v2.0
Tomcat                    Tomcat version 4.1.x or later
JBoss                     JBoss Application Server version 3.2.x
WebLogic                  WebLogic Server version 8.1

Be sure to check online for the latest information on supported Web applications; see “Checking for updates online” on page 28.


For information about installing and evaluating Centrify DirectControl for Apache, see the Centrify DirectControl Authentication Guide for Apache. For information about installing and evaluating Centrify DirectControl for J2EE application servers, see the Centrify DirectControl Authentication Guide for Java Applications.

For information about installing and evaluating Centrify DirectControl with Active Directory Federation Services, see Using Centrify DirectControl with Active Directory Federation Services.

Note To evaluate Centrify DirectControl for Web applications, you must have the Sun Java development environment (Sun Java J2SE SDK) installed. You can download it from the Sun Web site. For more information, see http://java.sun.com/j2se/downloads/.

Checking for updates online

The list of operating systems, Web application servers, and database management systems that Centrify DirectControl works with can change frequently. For the most up-to-date information about the platforms and versions supported in any given release, you should check the Centrify DirectControl Release Notes.
In addition, you can find information about which versions of each operating system, Web application server, and database Centrify DirectControl supports online at http://www.centrify.com/directcontrol/platforms.asp. This Web page is updated periodically to include the latest information on supported platforms and versions.

Checking requirements on a target computer with adcheck

You can check operating system, disk space, DNS resolution, network connectivity, and other requirements on a target computer before installing by running the optional adcheck program. The adcheck program is a separate command line utility that can be run independent of the install.sh program to check whether a target computer meets the system requirements necessary to install the Centrify DirectControl Agent and join an Active Directory domain. For example, you can run the adcheck program before attempting to install to verify that the target computer:

• Has a supported operating system at an appropriate patch level.
• Has a supported version of Perl installed.
• Has enough available disk space to complete the installation.
• Can locate and contact its DNS server.
• Can identify configuration details of the Active Directory domain controller, site, and forest.

Most of the preinstallation checks are also performed when you run the install.sh script. Running the adcheck program as a separate program is optional but allows you to check for and resolve issues on target computers prior to attempting to install. Using this program independently before running install.sh is especially useful if you intend to perform non-interactive installations.

Note Because the install.sh program executes adcheck to perform preinstallation tasks, the adcheck program is automatically installed in the /usr/share/centrifydc/bin directory on target computers when you run the install.sh program.

To run the adcheck program on a target computer:

1. Copy or download the appropriate platform-specific version of the program to the target system. For example, copy the adcheck-linux-i386 program if you are installing on a Linux-based i386 computer:

   cp adcheck-linux-i386 /tmp

2. Run the adcheck program on the target computer, specifying the Active Directory domain you intend to join and any other appropriate options. The basic syntax for the program is:

   adcheck-platform domain [options]

   For example:

   ./adcheck-rh9-i386 arcade.net --verbose


   See the adcheck man page or usage message for information about the options you can use with this program. By default, the program writes output to stdout. You can redirect the output to a standard text file or to an XML-formatted file, if desired.

3. Review the results of the checks performed. If the target computer, DNS environment, and Active Directory configuration pass all checks with no warnings or errors, you should be able to perform a successful installation and join.

Checking memory and disk requirements

The memory and disk requirements for Centrify DirectControl are minimal because the agent has been optimized to consume as few resources as possible. As an example, a computer with Red Hat Enterprise Linux Workstation 3.0 will use approximately 10 MB of RAM and an additional 100 MB of disk space beyond the recommended system configuration. Therefore, in most cases, you can use the vendor’s minimum system configuration guidelines with an additional overhead of approximately 10 MB of RAM and 100 MB of disk space as ample memory and disk for the Centrify DirectControl Agent.

Note You can run the adcheck tool to perform a simple check to verify that the system has enough disk space for DirectControl. See “Checking requirements on a target computer with adcheck” on page 28.

For information about the underlying system requirements for the operating environment you use, you should refer to the vendor’s Web site. For the scenarios described in this guide, DirectControl was tested on computers running Red Hat Enterprise Linux Workstation 3.0 with the system requirements described on Red Hat’s Web site.


Checking the DNS environment

Centrify DirectControl is designed to perform the same set of DNS lookups that a typical Windows workstation performs in order to find the nearest domain controller for the local site. Like a Windows computer, the Centrify DirectControl Agent on the UNIX computer looks for service locator (SRV) records in the DNS server to find the appropriate domain controller for the domain it has joined.

Note You can run the adcheck tool to perform a few simple checks to verify that DNS is configured properly to work with DirectControl. See “Checking requirements on a target computer with adcheck” on page 28.

In most cases, when you configure the DNS Server role on a Windows computer, you configure it to allow dynamic updates for Active Directory services. This ensures that the SRV records published when a domain controller comes online are available in DNS. If your DNS Server is configured to prevent dynamic updates, however, or if you are not using the Windows computer as the DNS server, the Centrify DirectControl Agent may not be able to locate the domain controller.

To ensure the UNIX or Linux computer can look up the SRV records in the DNS server for the evaluation environment, you should:

• Configure the DNS Server role on the Windows computer to Allow secure dynamic updates.
• Make sure that each UNIX or Linux computer you are testing with includes the Windows DNS server as a nameserver in the /etc/resolv.conf file.

If you do not allow dynamic updates in the evaluation environment, you can manually specify the IP addresses for your domain controllers in the Centrify DirectControl configuration file. For more information about configuring DNS, see the Centrify DirectControl Release Notes.
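The pre-install checks listed for adcheck above (disk space, DNS server reachable, domain controller identifiable) and the SRV-record lookup this section describes, as an added example that is not part of this guide and not Centrify's adcheck: a small POSIX shell script that performs the same kind of checks offline against constructed sample input. It assumes df -P style output, a resolv.conf, and a set of SRV answers for _ldap._tcp.dc._msdcs.<domain>, the domain-controller locator record Windows clients query (the page says only that the agent performs the same lookups as a Windows workstation; the exact record set it uses is not stated here). The 100 MB disk figure is the overhead the guide quotes; the host names, addresses and the domain arcade.net are constructed.

```shell
#!/bin/sh
# Added example, not Centrify's adcheck: an offline pre-install check in the
# spirit of the checks listed above. Sample inputs are constructed so the
# script runs without a live domain; swap them for real command output.

# Constructed "df -Pk" output (1024-byte blocks).
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1         20511356 12000000   7500000      62% /
/dev/sda2          4096000  3990000     10600      98% /usr'

# Constructed /etc/resolv.conf: the Windows DNS server must be listed here.
SAMPLE_RESOLV='search arcade.net
nameserver 10.1.1.10
nameserver 10.1.1.11'

# Constructed SRV answers, shaped like the answer section of
#   dig SRV _ldap._tcp.dc._msdcs.arcade.net
# fields: name ttl class type priority weight port target
SAMPLE_SRV='_ldap._tcp.dc._msdcs.arcade.net. 600 IN SRV 0 100 389 dc1.arcade.net.
_ldap._tcp.dc._msdcs.arcade.net. 600 IN SRV 10 100 389 dc2.arcade.net.
_ldap._tcp.dc._msdcs.arcade.net. 600 IN SRV 0 200 389 dc3.arcade.net.'

# Disk overhead the guide quotes for the agent: 100 MB, expressed in KB.
REQUIRED_KB=102400

# srv_name DOMAIN: the domain-controller locator record Windows clients query.
srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# available_kb DF_OUTPUT MOUNTPOINT: print the Available column for MOUNTPOINT.
available_kb() {
    printf '%s\n' "$1" | awk -v mp="$2" '$6 == mp { print $4 }'
}

# check_disk DF_OUTPUT MOUNTPOINT REQUIRED_KB: succeed if enough space is free.
check_disk() {
    avail=$(available_kb "$1" "$2")
    [ -n "$avail" ] && [ "$avail" -ge "$3" ]
}

# has_nameserver RESOLV_CONF IP: succeed if IP appears on a nameserver line.
has_nameserver() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == "nameserver" && $2 == ip { found = 1 } END { exit found ? 0 : 1 }'
}

# preferred_dc SRV_LINES: print the target a client should try first.
# RFC 2782 order: lowest priority wins; among equal priorities the higher
# weight is preferred (real clients draw randomly in proportion to weight;
# this takes the heaviest deterministically so the result is checkable).
preferred_dc() {
    printf '%s\n' "$1" | awk '$4 == "SRV" { print $5, $6, $8 }' \
        | sort -k1,1n -k2,2nr \
        | awk 'NR == 1 { sub(/\.$/, "", $3); print $3 }'
}

# run_preflight DOMAIN DNS_IP DF_OUTPUT RESOLV_CONF SRV_LINES:
# run every check, report each one, and fail if any check fails.
run_preflight() {
    domain=$1; dns_ip=$2; df_out=$3; resolv=$4; srv=$5; rc=0
    if check_disk "$df_out" / "$REQUIRED_KB"; then
        echo "disk: ok ($(available_kb "$df_out" /) KB free on /)"
    else
        echo "disk: less than $REQUIRED_KB KB free on /"; rc=1
    fi
    if has_nameserver "$resolv" "$dns_ip"; then
        echo "resolv.conf: $dns_ip listed as nameserver"
    else
        echo "resolv.conf: $dns_ip missing; agent cannot see AD SRV records"; rc=1
    fi
    dc=$(preferred_dc "$srv")
    if [ -n "$dc" ]; then
        echo "srv: $(srv_name "$domain") -> $dc"
    else
        echo "srv: no SRV records for $(srv_name "$domain"); check dynamic updates"; rc=1
    fi
    return $rc
}

run_preflight arcade.net 10.1.1.10 "$SAMPLE_DF" "$SAMPLE_RESOLV" "$SAMPLE_SRV"
```

On a real target you would feed run_preflight the output of df -Pk, the contents of /etc/resolv.conf and the answer section of a dig or nslookup SRV query against the Windows DNS server; an empty SRV answer is the symptom this section warns about when dynamic updates are disabled or the wrong nameserver is in use.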


Using a virtual environment to evaluate DirectControl

To simplify the hardware requirements for testing the Centrify DirectControl Suite, you may find it useful to set up your own evaluation environment using either Microsoft Virtual PC or VMware Workstation. By using Virtual PC or VMware, you can create a virtual environment to simulate three physical computers running different operating systems.

To set up a virtual environment for evaluating Centrify DirectControl, you need a computer with enough CPU, RAM, and available disk space to run three virtual machines simultaneously. Centrify recommends the following minimum configuration:

• CPU: 1.70 GHz
• RAM: 1.5 GB
• Available disk space: 15 GB

The virtual environment should also be configured to run as an isolated evaluation environment using Local/Host-only or Shared/NAT networking.

To set up the virtual environment for evaluating Centrify DirectControl, configure three virtual machine instances as follows:

• Create one Windows Server 2003 or Windows Server 2008 virtual machine image with 256-384 MB RAM, a 4 GB disk image, and a network address translation (NAT) network connection.
• Create one Windows XP virtual machine image with 128-256 MB RAM, a 4 GB disk image, and a network address translation (NAT) network connection.
• Create one Red Hat Linux virtual machine image with 256-384 MB RAM, a 4 GB disk image, and a network address translation (NAT) network connection.


In addition, because the virtual environment runs as an isolated network, each virtual machine should be manually assigned its own static TCP/IP address and host name.

After you create the Windows Server virtual machine, you need to configure the server roles for the computer. To evaluate Centrify DirectControl, the Windows Server virtual machine needs to be configured as:

• An Active Directory Domain Controller
• A DNS master server

When you configure the DNS Server role for the Windows Server virtual machine, you should configure it to perform both forward and reverse lookups and to allow secure dynamic updates.


The following figure illustrates setting up a virtual environment for the evaluation.

Figure 4. Sample virtual environment configuration


Summary of the evaluation environment

In this chapter, you learned how to set up your Windows and UNIX network environment in order to conduct an effective evaluation of Centrify DirectControl. Before proceeding to Chapter 3, “Installing Centrify DirectControl,” make sure you have checked all of the hardware and software requirements and prerequisites provided in this chapter. Taking sufficient time to prepare will ensure that the evaluation proceeds smoothly.




Chapter 3

Installing Centrify DirectControl

This chapter describes how to install Centrify DirectControl components on Windows and on supported UNIX operating systems. For the purposes of this evaluation, the primary components of DirectControl you need to install are the Centrify DirectControl Administrator Console, the Centrify DirectControl Agent on a supported UNIX platform, and Centrify DirectControl for Tomcat.

The following topics are covered:

• Step 1: Install DirectControl Management Tools
• Step 2: Configure the default zone
• Step 3: Install DirectControl on Linux, UNIX or Mac OS
• Step 4: Join the Active Directory domain on UNIX
• Step 5: Add a workstation to the domain (optional)
• Step 6: Run adcheck on Linux, UNIX or Mac OS (Optional)
• Step 7: Create a snapshot or backup copy (optional)
• Summary of Centrify DirectControl installation

Step 1: Install DirectControl Management Tools

To start the evaluation, you first need to install Centrify DirectControl on a Windows computer in an Active Directory forest using the setup program. The setup program simply copies the necessary Centrify DirectControl files to the local Windows computer. There are no special permissions required to run the setup program other than permission to install files on the local computer.


To reduce the number of computers required for the evaluation, we recommend that you install the Centrify DirectControl Management Tools on the Windows server you are using as the domain controller for the evaluation environment.

To install the Centrify DirectControl Management Tools on Windows:

1. Log on to the Windows computer and do one of the following:

   • If you are installing from a CD, launch the autorun program, then go to Step 2.
   • If you are not using autorun on the CD, browse to locate the Admin_Tools directory in the Centrify DirectControl distribution media (either on the CD or in the extracted folders from the zip file). Then double-click CentrifyDC_Console-release-win#.exe (for example, CentrifyDC_Console-4.2.0-win32.exe) to start the setup program. Go to Step 4.

2. After launching autorun, click Administrator Consoles & Other Admin Tools:


3. Click the appropriate Administrator Console link, for example, Administrator Console (32-bit), to launch the setup program:

4. At the Welcome page, click Next.

5. On the Review License Agreement page, select I agree to these terms, then click Next.

6. Type your name and company, then click Next.

7. Click Next to install components in the default location.

8. Select all the components, then click Next.

9. Verify your installation settings, then click Next.

10. Click Finish to complete the installation.

When you run the setup program the first time with the default components selected, the setup program installs Centrify DirectControl Management Tools, which include:

• The Centrify DirectControl property extensions for Active Directory Users and Computers.


• The Centrify DirectControl Administrator Console and extensions for managing NIS maps in Active Directory.
• The DirectAuthorize plug-in extension for managing the operations users can perform on DirectControl-managed computers.
• The Centrify DirectControl Administrative Templates for configuring UNIX group policies.
• The Centrify DirectControl Administrator Console Help and other documentation.
• The Centrify DirectControl API packaged in the dynamic link library (DLL). The Centrify DirectControl API provides the COM objects that convert Active Directory application objects into Centrify-enabled UNIX user, group, computer, and zone objects.
• The Centrify Tools, including Centrify Zone Generator, Centrify Map Generator, and Centrify Zone Conversion.

Step 2: Configure the default zone

When you start the Centrify DirectControl Administrator Console for the first time, the Setup Wizard is displayed to help you configure the Active Directory forest and the default properties for your first Centrify DirectControl Zone. Zone properties are important because they allow you to control the default settings for users and groups in the zone, greatly simplifying the task of adding new UNIX users and groups to Active Directory.

In addition, the Setup Wizard makes it easier for you to control where Centrify DirectControl container objects should be placed and who will have permission to modify the objects within those containers. Because the Centrify DirectControl Zone Setup Wizard creates container objects, you may need to log on with an account that has Domain Administrator privileges.
This requirement depends on the specific permissions your organization has configured for different classes of users. For example, if your organization only permits Domain Admins to create parent and child objects in Active Directory, you should use a Domain Admin account to run the Setup Wizard. For information about the specific rights required to perform tasks in the Setup Wizard, see the Centrify DirectControl Administrator’s Guide.

Understanding Zone Types

Centrify DirectControl enables you to create individual zones as either container objects or as organizational units. For a production environment, which of these to use is an important decision, especially if you plan to attach one or more Group Policy objects to the organizational units you have defined in Active Directory, because you cannot create container objects inside of organizational units or link Group Policy Objects to container objects. However, in this evaluation, you will apply group policies at the domain level (see Chapter 7, “Using group policies for UNIX users and computers”), not at an OU level, so you can accept the default, which is to create zones as container objects. See the Centrify DirectControl Planning and Deployment Guide for information about integrating zones into your organizational structure and using group policies at a finer level of granularity.

Running the Setup Wizard

Note Although you can skip some initial configuration steps, Centrify recommends you complete all of the configuration steps, including those that set up the default zone, before you begin attempting to add computers to the domain.
For more information about any configuration step, see the Centrify DirectControl Administrator’s Guide.

To start the Setup Wizard and update the Active Directory forest:

1. Open the Centrify DirectControl Administrator Console.


2. Verify that the name of the domain controller displayed is a member of the Active Directory forest you want to update, then click OK.

   • If you want to connect to a different forest, type the name of a domain controller in that forest.
   • If you want to connect to the forest with different credentials, select Connect as another user, then type a user name and password to connect as.

3. At the Welcome page, click Next.

4. Select Use currently connected user credentials to use your current log on account, or select Specify another user’s credentials and type a user name and password, then click Next.

5. Click Next to accept the default container location for license keys. Alternatively, you can click Browse to specify a different container location or create a new container object within Active Directory.

   Note If you want to use an existing Active Directory container, you should determine which users need access to the Centrify DirectControl Administrator Console and verify that those users have read permission for the object and all child objects on the container you want to use. For more information about permission requirements, see the Centrify DirectControl Administrator’s Guide.


6. Select Install 30 day evaluation license key, then click Next.

7. Select the Create default zone container option, then click Next to accept the default container location for creating new zones in Active Directory. Alternatively, you can click Browse to specify a different container location or create a new container object within Active Directory.

   Note If you want to use an existing Active Directory container, you should determine which users should be able to create zones and verify that those users have permission to create container objects for the selected object and all child objects on the container you want to use. For more information about permission requirements, see the Centrify DirectControl Administrator’s Guide.

8. Select the Create default zone option, then click Next to configure the “default” zone.

9. Click Next to accept the default location and type for the “default” zone. See “Understanding Zone Types” on page 41 for information about choosing a zone type (container or organizational unit).

10. Leave the option Specify a zone that contains Unix profile information for users and groups unchecked and click Next. This option is more useful when adding zones after completing the initial configuration of Centrify DirectControl, but not very useful during an evaluation or pilot deployment.

11. Click Next to accept the default numeric user identifier (UID) to start with for new UNIX users in the “default” zone.

12. Click Next to accept the default numeric group identifier (GID) to start with for new UNIX groups in the “default” zone.

13. Click Next to accept the default home directory path for creating new UNIX home directories in the “default” zone.


14. Select the type of UNIX shell to use by default for users in the “default” zone, click Set as default, then click Next.

15. Click Browse to enter search criteria for selecting an existing Active Directory group to use for UNIX accounts. Click Browse and select the container in which to search, then click OK. Leave the search criteria blank to search for all groups, then click Find Now.

    Select a group, then click OK. The Wizard supplies the UNIX GID and UNIX group name. Click Next.

16. Leave Support Agentless Client deselected, then click Next.

17. Check the Grant computer accounts in the Computers container permission to update their own account information option to give each UNIX computer account permission to manage its own account password and operating system information, then click Next.

18. Leave Register administrative notification handler for Microsoft Active Directory Users and Computers snap-in unselected, then click Next.

19. Confirm your configuration settings, then click Next.

20. Click Finish to complete Centrify DirectControl set up.

For more information about any step, see the Centrify DirectControl Administrator’s Guide.

Step 3: Install DirectControl on Linux, UNIX or Mac OS

The files and directories you need to install on each Linux and UNIX computer you want to manage through Active Directory are bundled together in a platform-specific software package and installed using a native installation mechanism for each platform. You can use the Centrify DirectControl installation script, install.sh, to automatically invoke the proper installation mechanism for a computer’s local operating system with the appropriate command line options, or you can manually install any package by running the appropriate installation command yourself.

Note The following steps assume you are using the Centrify DirectControl installation script to install the Centrify DirectControl Agent. If you want to install the package yourself, see the Centrify DirectControl Release Notes or the Centrify DirectControl Administrator’s Guide for the installation command to use for the specific version of Linux or UNIX you have running on the computer where you are installing the package.

To install on a Linux, UNIX, or Mac OS X computer:

1. Log on or switch to the root user if you are installing on a computer running Linux or UNIX, or log on with a valid user account if you are installing on a computer with the Mac OS X operating system.

   Note Although you are not required to log on as the root user on the Macintosh computer, you must know the password for the Administrator account to complete the installation. In addition, joining the domain and configuring your environment is slightly different on Macintosh computers than on other platforms. Therefore, you should follow the steps in the section “Joining the domain from Mac OS X computers” on page 49 to join an Active Directory domain on computers running the Mac OS X operating system.

2. Mount the cdrom device using the appropriate command for the local computer’s operating environment.
   For example:

   mount /mnt/cdrom

   Note If you have copied the package to another location or downloaded the package from an FTP server or Web site and are not using the CD, verify the location and go on to the next step.

3. Change to the appropriate directory on the CD or to the directory where you have copied or downloaded the package.


   For example, to install on a Linux or UNIX computer from the Centrify DirectControl CD, change to the Unix directory:

   cd Unix

   Similarly, if you are installing on a Mac OS X computer, change to the MacOS directory.

4. Run the install.sh script to start the installation of Centrify DirectControl on the local computer’s operating environment. For example:

   ./install.sh

   The install.sh script calls a utility, adcheck, which runs a number of checks to verify that your domains are correctly configured for Centrify DirectControl. You will see a number of messages indicating that the checks have passed, or warnings and suggestions on how to correct them. The adcheck utility verifies DNS based on information in your configuration files.

   Follow the prompts displayed to select the services you want to install and the tasks you want to perform:

   • How do you want to proceed? (E |S|C|U|Q) [E]

     Enter E to install the Enterprise Edition of Centrify DirectControl. Enterprise Edition installs everything you need to evaluate Centrify DirectControl.

     Note Enterprise Edition includes the Centrify DirectAudit product, which is not covered in this evaluation guide. To evaluate DirectAudit, see the Centrify DirectAudit Evaluation Guide.

   • Do you want to run adcheck to verify your AD environment?

     Enter N. If you specify Y, the install.sh script will call adcheck again to run operating system, network, and Active Directory checks to verify that the specified domain is correctly configured for Centrify DirectControl. For this evaluation, you can skip this check, then run it later if you want to evaluate how it works, or to evaluate the readiness of other machines or domains. See “Run adcheck on Linux, UNIX or Mac OS (Optional)” on page 52.

   • Join an Active Directory domain? [Y]

     You can answer Y or N to join now or later. If you join now, you are prompted for the domain name, authorized user, and password. You can press Enter to accept the default values for the other prompts. See “Join the Active Directory domain on UNIX” on page 47 for more information.

   • Enable auditing for all shells on this computer [Y]

     You can answer Y or N. This prompt is to enable auditing for Centrify DirectAudit, which is installed as part of Centrify Suite Enterprise Edition. DirectAudit is not part of the evaluation in this guide; however, there is no harm in enabling auditing, and if you continue on to use the Centrify DirectAudit Evaluation Guide to evaluate DirectAudit, you’ll have a head start.

   • Reboot the computer after installation? [Y]

     Enter Y.

   • Do you want to continue (Y) or re-enter information?

     Verify the information you have entered, then enter Y and press Return.

   If you chose not to join a domain, you may run the installation now, then join a domain as described in the next section. If you chose to join a domain as part of the installation, you should still read the information in the next section.

Step 4: Join the Active Directory domain on UNIX

When you install the Centrify DirectControl Agent on a Linux, UNIX, or Mac OS X computer, you can automatically join that computer to an Active Directory domain by selecting this option in the Centrify DirectControl installation script, install.sh. If you choose to join the domain when you run the installation script, you are prompted to specify the domain and a user name and password for an Active Directory user with permission to add computers to the domain.

If you don’t want to join the domain when you run the installation script, you can manually join a domain after installation using the adjoin command. Whether you add the computer to the domain automatically from the install.sh script or manually using the adjoin command, once the computer is part of the domain, you can enable any existing Active Directory users to log in to the UNIX system.

Note On Mac OS X, joining the domain and configuring your environment is slightly different than on other platforms. Therefore, you should follow the steps in the section “Joining the domain from Mac OS X computers” on page 49 to join an Active Directory domain when the Centrify DirectControl Agent is installed on Mac OS X computers.

To join an Active Directory domain manually after installation with the Centrify DirectControl Agent on a Linux or UNIX computer:

1. On the UNIX computer, log in as or switch to the root user.

2. Run adjoin to join the Active Directory domain for your evaluation environment:

   adjoin eval_domain_name

   Note When you specify the domain name, you should use the full domain name including the suffix. For example, by default, domains are created with a .LOCAL ending. There are also several command line options to the adjoin command, which have been omitted here for simplicity, so the defaults will be used.

3. Type the password for the Administrator of this domain. If Centrify DirectControl can connect to Active Directory and join the domain, a confirmation message is displayed. You are now ready to enable Active Directory users and groups to work with this computer.


For more information about the options you can specify when joining a domain, see the man page for the adjoin command or the “Using adjoin” section in the Centrify DirectControl Administrator’s Guide.

Joining the domain from Mac OS X computers

When you install the Centrify DirectControl Agent on a computer running the Mac OS X operating system, the steps for joining an Active Directory domain are similar to the steps for joining the domain on Linux or UNIX computers, but there are a few slight differences.

After you install the Centrify DirectControl Agent on a computer with Mac OS X, do the following to join that computer to an Active Directory domain manually:

1 Go to the Utilities folder and double-click Terminal to open a new terminal window.

2 Type the following command:

sudo adjoin domain_name

3 When prompted for the password, type your Macintosh Administrator password. For example:

Password: ***

4 When prompted for the Active Directory password, type the password for the Active Directory Administrator account. For example:

Active Directory Password: ***

Automounting file shares from Mac OS X computers

If you configure NFS, SMB, or AFP network file sharing for your Mac OS X computers, you can automatically mount and log on to file shares using Active Directory credentials.

To enable Mac OS X users to log on to file shares when your network is configured with NFS, SMB, or AFP network sharing:

1 Open Active Directory Users and Computers or the Centrify DirectControl Administrator Console.

2 Select the user account for which you want to enable automounting, right-click, then click Properties.

3 Click the Centrify Profile tab and set the Home directory path to use one of the following formats:

• /Users/user_login_name to set the user’s home directory to the default home directory location for all user home directories on Mac OS X computers.
• /Network/Servers/server_name/path to automount a file share on the NFS server_name you specify.
• /SMB/server_name/share[/path] to automount a file share on the SMB server_name you specify.
• /SMB/unix_username/server_name/share[/path] to automount a file share when you are using Fast User Switching on the SMB server_name you specify.
• /AFP/server_name/share[/path] to automount a file share on the Apple server_name you specify.
• /AFP/unix_username/server_name/share[/path] to automount a file share when you are using Fast User Switching on the Apple server_name you specify.

Note If you plan to use Fast User Switching to switch between Active Directory users on the same computer, you should use the /SMB/unix_username/server_name/share[/path] or /AFP/unix_username/server_name/share[/path] format to specify the user’s home directory to prevent conflicts between users logging on using the same share. If you want to automount a share on an Apple file server using the Apple File Protocol (AFP), however, you must use Centrify DirectControl 3.0.1 or later.

Using SMB shares on a Windows server

For any Mac OS X users to access SMB shares on a Windows server, you also need to disable the Windows group policies that prevent this access.


To check and disable, if necessary, the Windows group policies that prevent access to SMB shares:

1 Open Active Directory Users and Computers, select the domain, right-click, then select Properties.

2 Click the Group Policy tab.

• If the Default Domain Controller Policy is linked to this domain, click Edit, then click Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always) and disable this policy.
• If the Default Domain Policy is linked to this domain, click Edit, then click Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always) and disable this policy.

If these group policies are not currently defined, you can leave them not configured. If either policy is enabled and linked to the domain, however, Mac OS X computers will not be able to use SMB connections to automount the Windows file shares.

3 If you change these policies on the domain controller, run the gpupdate command to refresh the group policies before logging on to Mac OS X computers.

Verifying the computer configuration

To verify the current configuration of the UNIX computer and to verify that it has joined the test domain, you can use the adinfo command. This will provide you with information and status about the current DirectControl configuration. This command provides information similar to what you find when you open System Properties and click Computer Name on a Windows workstation.
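As an added check (not from the guide or from Centrify), the following POSIX shell function reads adinfo output and reports whether the computer is joined to the expected domain and the agent is connected; it also serves the offline-authentication test in Chapter 4, whose final step reads the CentrifyDC mode line. The sample output is constructed from the adinfo listing in that chapter; the domain name centrify.local and the function names are assumptions.

```shell
# Added example, not Centrify code: parse adinfo output and check the join
# state. SAMPLE_ADINFO is constructed from the listing in Chapter 4; on a
# joined host call check_adinfo "$(adinfo)" your.domain.name instead.
SAMPLE_ADINFO='Local host name: centrify
Joined to domain: centrify.local
Joined as: actds.centrify.local
Current DC: centrify-l6iw0o.centrify.local
Preferred site: Default-First-Site
Zone: centrify.local/ProgramData/Centrify/Zones/default
Last password set: 2008-01-23 09:20:30 PST
CentrifyDC mode: connected'

# adinfo_field OUTPUT LABEL -> prints the value after "LABEL:" (first match)
adinfo_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# check_adinfo OUTPUT EXPECTED_DOMAIN
# returns 0 when joined to EXPECTED_DOMAIN and the agent mode is connected,
#         1 when joined but the agent is not connected (the guide says to
#           restart centrifydc and run adinfo again),
#         2 when not joined, or joined to some other domain
check_adinfo() {
    out=$1; want=$2
    domain=$(adinfo_field "$out" 'Joined to domain')
    mode=$(adinfo_field "$out" 'CentrifyDC mode')
    if [ -z "$domain" ]; then
        echo "not joined to any domain" >&2
        return 2
    fi
    # DNS domain names are not case sensitive, so compare in lower case
    if [ "$(printf '%s' "$domain" | tr 'A-Z' 'a-z')" != \
         "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
        echo "joined to $domain, expected $want" >&2
        return 2
    fi
    case $mode in
        connected) return 0 ;;
        *) echo "joined to $domain but agent mode is '${mode:-unknown}'" >&2
           return 1 ;;
    esac
}
```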


Note It is important that you check your DNS configuration on the UNIX computer to ensure that forward and reverse lookups resolve properly for both the Domain Controller and the UNIX computers.

Restarting services after joining a domain

You may need to restart some services on UNIX computers where you have installed the Centrify DirectControl Agent so that those services will reread the name switch configuration file. For example, if you typically log on to the UNIX computer through a graphical desktop manager such as gdm, you need to either restart the gdm service or reboot the workstation to force the service to read the updated configuration before Active Directory users can log on. As an alternative to restarting individual services, you may want to reboot the system to restart all services.

Step 5: Add a workstation to the domain (optional)

For the purposes of evaluation, you should add a Windows XP workstation to the environment. The workstation should be configured to be a member of the Active Directory domain running on the Windows Server 2003 computer you are using as a domain controller for the evaluation.

Step 6: Run adcheck on Linux, UNIX or Mac OS (Optional)

Centrify DirectControl provides a utility, adcheck, which runs a number of operating system, network, and Active Directory checks to verify that your domains are correctly configured for Centrify DirectControl.

When you install using the install.sh script, adcheck is called automatically and shows you any warnings or errors regarding the readiness of your machine to join the domain. For the purposes of this evaluation, you do not need to run adcheck.

However, if you are interested, you can run adcheck to check the readiness of your machines in multiple domains for installation of the Centrify DirectControl agent. This is something you will definitely want to do once you are ready to install Centrify DirectControl into a production environment.

The install.sh script, which you ran in “Install DirectControl on Linux, UNIX or Mac OS” on page 44, installs adcheck in the /usr/share/centrifydc/bin directory. To run adcheck, specify the domain you plan to join:

/usr/share/centrifydc/bin/adcheck domainName

This command performs three tests:

• Operating system check to verify that the operating system is supported and at the correct patch levels, and that there is sufficient disk space.
• Network check to verify DNS and SSH.
• Active Directory check to verify various aspects of the Active Directory configuration, including the domain name, time and domain synchronization, and checking up to 10 domain controllers (which can be extended by an adcheck parameter for large domains).

The output from adcheck includes notes, warnings, and fatal errors, including suggestions on how to fix them. For information on the options you can specify, see the adcheck man page.

Step 7: Create a snapshot or backup copy (optional)

If you are using VMware or Virtual PC images to simulate the computer environment for this evaluation, you may want to take snapshots or create disk backups of the images now. Taking a snapshot or creating a backup copy of the environment will enable you to return to this point in the configuration at any time.
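The DNS note in Step 4 asks for forward and reverse lookups to agree for the domain controller and the UNIX computers, and the network check in adcheck covers the same ground. As an added example (not Centrify's code), this shell function runs that consistency check with getent; the two lookup wrappers can be replaced with constructed data, which is how the test exercises it, and the host names in the comments are assumptions.

```shell
# Added example, not Centrify code: forward/reverse lookup consistency check
# for a host name, as the DNS note in this chapter recommends. The lookups
# are wrapped so the check can also run on constructed data; on a real host
# the wrappers call getent, which follows /etc/nsswitch.conf (hosts file, DNS).

# dns_forward NAME -> prints the IPv4 addresses NAME resolves to, one per line
dns_forward() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }'
}

# dns_reverse IP -> prints the canonical name the address resolves back to
dns_reverse() {
    getent hosts "$1" 2>/dev/null | awk '{ print $2; exit }'
}

# check_dns_pair NAME   (e.g. the UNIX host or the domain controller)
# returns 0 if NAME resolves and every address resolves back to NAME,
#         1 if NAME does not resolve at all,
#         2 if some address has no reverse entry or names a different host
check_dns_pair() {
    name=$1
    addrs=$(dns_forward "$name")
    if [ -z "$addrs" ]; then
        echo "$name: forward lookup failed" >&2
        return 1
    fi
    name_n=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    rc=0
    for ip in $addrs; do
        back=$(dns_reverse "$ip")
        # compare case-insensitively and ignore a trailing dot on the PTR name
        back_n=$(printf '%s' "$back" | sed 's/\.$//' | tr 'A-Z' 'a-z')
        if [ -z "$back" ]; then
            echo "$name -> $ip: no reverse entry" >&2
            rc=2
        elif [ "$back_n" != "$name_n" ]; then
            echo "$name -> $ip -> $back: reverse lookup does not match" >&2
            rc=2
        fi
    done
    return $rc
}
```

Run it for both the UNIX computer's own host name and the domain controller's name before joining; a mismatch is what the agent and adcheck will complain about.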


Summary of Centrify DirectControl installation

At this point, you have:

• Installed Centrify DirectControl on a Windows computer in an Active Directory forest.
• Installed the Centrify DirectControl Agent on at least one UNIX computer.
• Joined the UNIX computer to the Active Directory domain.

You are now ready to begin evaluating DirectControl.


Chapter 4
Using UNIX authentication services

After you have installed DirectControl and joined the Active Directory domain on the UNIX computer, you can enable users to access applications running on UNIX by granting them UNIX shell access, application access, or both.

This chapter shows you how to enable a user to access the UNIX shell and demonstrates the range of account policies that DirectControl enforces.

The following topics are covered:

• Creating Active Directory accounts
• Enabling Active Directory users to access UNIX
• Adding an existing Active Directory user to a zone
• Verifying Active Directory authentication
• Verifying workstation authorization policies
• Verifying account lockout policies
• Verifying password management policies
• Verifying offline authentication
• Testing other administrative tasks
• Summary of UNIX authentication services

Creating Active Directory accounts

If you are conducting your DirectControl evaluation using a new Active Directory test domain, you need to create one or more Active Directory accounts to work with. For example, you need to create at least one Active Directory user account to try the scenarios described in this chapter and validate the user’s access to UNIX systems. You may also want to create one or more Active Directory security groups for evaluation purposes. For example, if you want to use normal Active Directory security groups for UNIX users, you should create and configure at least one test group account for this evaluation.

The following steps describe how to set up and configure a normal Active Directory group account to be used for demonstration purposes on Windows 2003 or Windows XP.

1 On a Windows computer with access to Active Directory, open the Active Directory Users and Computers Administrative Tool. For example, click Start > All Programs > Administrative Tools > Active Directory Users and Computers.

2 Select a container, right-click, then click New > Group.

3 Type a name for the demonstration group and check that the default group scope (global) and group type (security) are selected, then click OK. For example, type HRMgrs to create a new global security group for HR Managers.

4 Select the new group account, right-click, then click Properties.

5 Click the Centrify Profile tab.

6 Click Add, type all or part of the zone name (for example, type “de” for “default”), then click Find Now.

7 Select the default zone in the results list, then click OK.


8 The Properties dialog box shows the default UNIX profile for the group in this zone. You can change any of these settings, as needed.

9 Click OK to complete the configuration of this group’s UNIX profile.

Enabling Active Directory users to access UNIX

Once you have one or more test user accounts, you can enable those users to access UNIX resources by configuring a UNIX profile for them to use.

The following steps show you how to set up and configure an account to be used for demonstration purposes on Windows 2003 or Windows XP.

1 On a Windows computer with access to Active Directory, open the Active Directory Users and Computers Administrative Tool. For example, click Start > All Programs > Administrative Tools > Active Directory Users and Computers.


2 Select a container, then click the Create New User command in the toolbar to start the new user wizard.

• Type a first and last name for the demonstration account. For example, type John Smith.
• Type a user logon name for the demonstration account. For example, type john.smith, then click Next.
• Type a password for the demonstration account, confirm the password, then click Next.
• Review the account information, then click Finish.

Note By default, this user must change the password you set at the next logon. You can uncheck this option if you want to use the same password throughout the evaluation. You may also want to create additional sample users with other password settings. For example, you may want to create a user with a password that never expires. (Do not set user John Smith’s password to never expire. If you do, some of the tests in this chapter will not work correctly.)

3 Select the new user account, right-click, then click Properties.

4 Click the Centrify Profile tab.

5 Click Add, type all or part of the zone name (for example, type “de” to display the default zone), then click Find Now.

6 Select the default zone in the results list, then click OK.

7 The Properties dialog box shows the default UNIX profile for the user in this zone. You can change any of these settings, as needed. For this evaluation:

• Change the UNIX Login name to a more standard UNIX-style user name. For example, set the UNIX login name to jsmith.
• Click Browse next to Primary Group to select the Active Directory group you are using for UNIX users. For example, if you created an HRMgrs Active Directory group, click Browse and type “hr” to display the HRMgrs group, then click Find Now.
• Check that the Enable user access to this zone option is selected.

The properties for the evaluation user should be similar to the following:

8 Click OK to complete the configuration of this user’s UNIX profile.

Note Adding an Active Directory group to a Centrify DirectControl Zone sets up a UNIX profile for the group account, but it does not create UNIX profiles for any members of the group or automatically give any group members access to the zone. A user’s account must be explicitly enabled for each zone the user has permission to access.


Adding an existing Active Directory user to a zone

The previous scenario described how to create a new Active Directory user and configure a UNIX profile for the user through Active Directory Users and Computers. Centrify DirectControl also provides a shortcut for adding existing Active Directory users and groups to a zone through the Centrify DirectControl Administrator Console.

To add an existing Active Directory user account to a Centrify DirectControl Zone:

1 Create another new user account in Active Directory Users and Computers. For example, create the new user account Marco Perez.

2 Open the Centrify DirectControl Administrator Console.

3 In the console tree, click Zones and open the zone name to which you want to add the Active Directory user. For example, open the default zone.

4 Select Users, right-click, then click Add User to Zone.

5 Type a search string to locate the user, then click Find Now. For example, type “ma” to display the Marco Perez account.

6 Select the user account in the results, then click OK.

7 Check the UNIX profile settings and make any changes, then click OK.

Creating a private group for a user

In the Centrify Profile for a user, you can choose to automatically create a private, UNIX-only group to assign as the primary group for the user. A private group, created by DirectControl, exists on the managed UNIX machine only. It is not created in or managed by Active Directory.

To automatically create a private group for a user:


1 Create another new user account in Active Directory Users and Computers. For example, create the new user account Glen Morris.

2 Open the Centrify DirectControl Administrator Console.

3 In the console tree, click Zones and open the zone name to which you want to add the Active Directory user. For example, open the default zone.

4 Select Users, right-click, then click Add User to Zone.

5 Type a search string to locate the user, then click Find Now. For example, type “gl” to display the Glen Morris account.

6 Select the user account in the results, then click OK. The Centrify UNIX Profile settings are displayed.

7 Click the Browse button next to Primary Group, then select the option Auto-private group GID and click OK.

The primary group assigned to gmorris is also gmorris, and the GID is identical to the UID:


Verifying Active Directory authentication

Now that we have an Active Directory user account enabled for UNIX access, we can use that account to authenticate to the UNIX computer.

Note If you want to authenticate users with the GDM interface, you will need to either restart the gdm daemon or restart the computer before it will accept Active Directory user account logins.

To verify the authentication of an Active Directory user logging on to a UNIX computer:

1 Start the UNIX computer.

2 When prompted for the User name, type the Active Directory user logon name for the demonstration user. For example, type john.smith and press Enter.

Note Some versions of UNIX require a home directory for a new user to be created before the user is allowed to log in. If that is the case for the UNIX you are using, log in as root and create the home directory before attempting to log in as the Active Directory user.

3 When prompted for the Password, type the Active Directory password for the demonstration user. As long as Centrify DirectControl can connect to Active Directory to authenticate the account information, you will be logged on to the UNIX computer in the default home directory for the user john.smith.

Note If you set the user account to require a password change at the next logon, a message will be displayed to indicate you are required to change the password for this account and you are prompted to provide a new Active Directory password. Once you update the password, the logon continues.


4 Check the UNIX UID and GID assignments for the account. For example, type the following command in Terminal to display the UID and GID of the currently logged in user:

id

5 Type exit to log out of the current session.

6 Log back on to the UNIX computer using the UNIX login name for the demonstration account. For example, type jsmith.

7 When prompted, type the Active Directory password for the demonstration account.

8 Check the UNIX UID and GID assignments for the account. For example, type the following command to display the UID and GID of the currently logged in user:

id

To verify that Centrify DirectControl created a private group for the user Glen Morris in the previous section:

1 Log out and log back on using the login gmorris.

2 Check the UNIX UID and GID assignments for the account. For example, type the following command in Terminal to display the UID and GID of the currently logged in user. You should see something similar to the following:

id
uid=10003(gmorris) gid=10003(gmorris) groups=10003(gmorris)

Verifying workstation authorization policies

With Centrify DirectControl, you can enforce Active Directory account policies for UNIX users and computers. For example, you can use Active Directory to specify which workstations a user is allowed to log on to and the hours they are allowed to log on to those computers. These policies provide administrators with detailed control over when and where a user’s account can be used within the environment.
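Before the policy tests that follow, an added check for the private-group verification above (not from the guide): this shell function parses an id line and confirms that the primary group is the user's auto-private group, with the same numeric value and the same name as the user. The sample line is the one shown above; the function names are assumptions.

```shell
# Added example, not Centrify code: confirm from `id` output that the primary
# group is an auto-private group (GID equals UID, group name equals login).
# SAMPLE_ID is the line this section shows for gmorris, used here as input;
# on the UNIX computer call verify_private_group "$(id)" gmorris instead.
SAMPLE_ID='uid=10003(gmorris) gid=10003(gmorris) groups=10003(gmorris)'

# id_field LINE KEY -> prints "<number> <name>" for KEY (uid, gid or groups)
id_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            # "uid=10003(gmorris)" splits into uid, 10003, gmorris
            split($i, kv, "[=()]")
            if (kv[1] == key) { print kv[2], kv[3]; exit }
        }
    }'
}

# verify_private_group ID_LINE LOGIN
# returns 0 when the uid and gid numbers match and both are named LOGIN,
#         1 when the primary group is not a private group for LOGIN
#           (for example an Active Directory group such as HRMgrs),
#         2 when the id line does not describe LOGIN at all
verify_private_group() {
    line=$1; login=$2
    set -- $(id_field "$line" uid); uid_num=$1; uid_name=$2
    set -- $(id_field "$line" gid); gid_num=$1; gid_name=$2
    if [ "$uid_name" != "$login" ]; then
        echo "id output describes '$uid_name', not '$login'" >&2
        return 2
    fi
    if [ "$uid_num" != "$gid_num" ] || [ "$gid_name" != "$login" ]; then
        echo "$login: uid=$uid_num but primary group is $gid_name ($gid_num)" >&2
        return 1
    fi
    return 0
}
```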


To prevent access to the UNIX computer for the demonstration user:

1 Open Active Directory Users and Computers.

2 Open the Properties for the user John Smith.

3 Click the Account tab, then click Log On To.

4 Click The following computers and type the computer name of the Windows XP computer (so that the user can log on only to the Windows XP computer and not to the UNIX computer), click Add, then click OK.

5 Try to use the John Smith account to log on to the UNIX computer.

6 You should see a message informing you that you cannot log on.

7 Go back to the Properties for the user John Smith in Active Directory Users and Computers.

8 Click the Account tab, then click Log On To.

9 Click All computers, then click OK to remove the log on restriction so that you can continue to use the John Smith account for the remainder of the evaluation.

Verifying account lockout policies

You can use Centrify DirectControl to enforce account lockout policies if you have configured a lockout policy within Active Directory and applied the policy using a Group Policy Object.

Configuring a lockout policy

If you don’t already have an account lockout policy in place, you need to configure one to verify the policy is correctly applied to the UNIX computer.


Note This test does not work if the user’s password is set to never expire. Use the Account tab for the user in Active Directory Users and Computers to change this setting.

To configure an account lockout policy for the evaluation:

1 Open the Group Policy Object Editor to edit the Default Domain Policy object. For example:

• Click Start > Run and type mmc, then click OK.
• In the MMC console, click File > Add/Remove Snap-in.
• Click Add, select the Group Policy Object Editor and click Add.
• In the Group Policy wizard, click Browse and select Default Domain Policy, then click OK.
• Click Finish, then click Close and OK.

2 In the MMC Console window, click Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.

3 Double-click the Account lockout duration policy.


4 Click Define this policy setting to enable the setting using the default configuration of 30 minutes. This action automatically changes the configuration settings for the Account lockout threshold and Reset account lockout counter after policies. Click OK to accept the suggested settings.

If you accept the default settings, the account lockout policy is now configured to lock out an account after 5 invalid logon attempts and to keep the account locked for 30 minutes, then reset the lockout counter after 30 minutes.

Testing the lockout policy

To test the account lockout policy on a UNIX computer:

1 On the UNIX computer, attempt to log on using the john.smith or jsmith user name and an incorrect password five consecutive times to lock the account.

2 Open Active Directory Users and Computers.

3 Open the Properties for the user John Smith.

4 Click the Account tab and notice the account is locked out.

5 Click the Account is locked out option to manually remove the lock, then click OK.

Verifying password management policies

Using Centrify DirectControl, you can enforce your Active Directory password policies for UNIX users and computers. For example, you can use Active Directory settings to force users to change their password the next time they log on, use passwords of a certain length or complexity, or set a new password after a certain number of days.


You can enforce any and all of these policies simply by setting them in Active Directory, and DirectControl will enforce them when users log on to UNIX computers.

To force a password change for the demonstration user:

1 Open Active Directory Users and Computers.

2 Right-click the John Smith user object and select Reset Password. (This option is not available if the user’s password is set to never expire.)

3 Type in a new password and confirm it.

4 Set the User must change password on next login option, then click OK.

5 Log John Smith in to the UNIX computer with the new password and answer the dialogs prompting the user to create a new password.

Verifying offline authentication

Offline authentication is very important because it enables users to log on and use computers that are disconnected from the network or that only have periodic access to the Active Directory domain. For example, users who have laptop computers need to be able to log on and be successfully authenticated even when they are not connected to the network.

To handle these offline situations, DirectControl is configured to securely cache user account information locally. Once a user has successfully logged on, the cached information can be used to authenticate the user if Active Directory is not available.

To verify offline authentication:

1 Log on as the root user on the UNIX computer.

2 Verify network connectivity by pinging the domain controller:

ping eval_domain_controller


3 Disconnect either the local computer or the Active Directory domain controller from the network.

Depending on your evaluation environment, you may want to do this by disconnecting a network cable, shutting down the domain controller, or simulating a network interruption by disabling the network interface. For example, on a Linux computer, you can do this using the following command:

ifdown eth0

4 Use the ping command to verify the network is down.

ping eval_domain_controller

5 Log out of the root account.

6 Log on with the demonstration account. For example, enter jsmith or john.smith for the user name.

After you type the user name, there is a slight delay while the Centrify DirectControl Agent attempts to contact Active Directory and discovers that the network connection is down. When the connection fails, the agent displays the password prompt.

7 Enter the Active Directory password for the demonstration account.

Because this account has logged on successfully in past scenarios, you should be able to log in with this account using the previously cached credentials. If you try to log on with an Active Directory account that has not logged on successfully, the logon will fail because there are no credentials in the cache.

8 Log out and log back in as root.

9 Reconnect the local computer or the Active Directory domain controller to the network by reconnecting the network cable, restarting the computer, or re-enabling the network interface. For example, if you are simulating the disconnection on Linux, run the following command:

ifup eth0


10 Run the adinfo command to see detailed information about the Active Directory configuration for the local computer, including whether Centrify DirectControl is connected:

# adinfo
Local host name: centrify
Joined to domain: centrify.local
Joined as: actds.centrify.local
Current DC: centrify-l6iw0o.centrify.local
Preferred site: Default-First-Site
Zone: centrify.local/ProgramData/Centrify/Zones/default
Last password set: 2008-01-23 09:20:30 PST
CentrifyDC mode: connected

If the CentrifyDC mode is disconnected, run the following command to restart Centrify DirectControl, then run adinfo again to see if it is now connected:

/etc/init.d/centrifydc restart

Testing other administrative tasks

You may want to try several other typical administrative tasks that have not been demonstrated in this chapter. For example, some additional administrative tasks you may want to try include the following:

• Disabling a user’s account in Active Directory Users and Computers to prevent the user from accessing any computer or application managed by DirectControl.
• Setting the specific hours when a user is allowed to log on or specific hours when a user is denied access to a UNIX computer.
• Changing the Active Directory password for an account using the passwd command or using the adpasswd command on a UNIX computer.
• Prevalidating users or groups, which allows you to retrieve and store credentials for specific users or groups of users on computers they may need access to, even though the prevalidated users have not previously logged onto the local computer. See the Centrify DirectControl Planning and Deployment Guide for more information.
• Authenticating users from other trusted Active Directory domains using their full domain user name. For example, if a UNIX computer is joined to the domain seattle.arcade.com and jeanluc belongs to paris.arcade.com, the user would log on to the UNIX computer using jeanluc@paris.arcade.com.

Summary of UNIX authentication services

In this chapter, you learned how DirectControl enables you to easily grant an Active Directory user account access to a UNIX system. You were also able to test and verify several account policies that DirectControl enforces and try offline authentication. From here, you can proceed to any of the following chapters to explore features of specific interest to you.


Chapter 5
Administering zones

As discussed in “How does Centrify DirectControl work?” on page 15, Centrify DirectControl Zones can help simplify system management and ease the migration of UNIX-based account information into Active Directory. In this chapter, you will learn how to create a new zone, add users and groups to a zone, and manage zones.

The following topics are covered:

• Understanding the importance of zones
• Creating new zones
• Adding Active Directory users and groups to zones
• Managing a zone
• Using zones to control access
• Delegating management of zones
• Analyzing zones in an Active Directory forest
• Summary of zone administration

Note The example in this chapter relies on the user account added in the demonstration in Chapter 4, “Using UNIX authentication services.”


Understanding the importance of zones

One of the key features that Centrify DirectControl supports is the capability to organize computers and users’ access to those computers through the use of zones.

A Centrify DirectControl zone is similar to an Active Directory domain or a NIS domain. Zones allow you to organize the computers in your organization in meaningful ways to simplify system management and the migration of account information into Active Directory from existing local files, NIS databases, LDAP servers, and other sources.

How you use zones will depend primarily on the needs of your organization. In some organizations, a default zone is sufficient. In other organizations, using multiple zones may be a necessity. In general, you use zones in one of two ways:

• To group computers with similar properties and requirements. For example, you may want to create one zone for all of your Red Hat Linux workstations and another zone for all of your Sun Solaris UNIX servers because the users of the Linux workstations prefer a different login shell or belong to a different group than the users of the UNIX servers.
• To separate computers with conflicting properties. For example, you may want to create separate zones when a user has multiple conflicting identities on multiple computers.

In large organizations, zones are especially useful for migrating users and computers into Active Directory from NIS, NIS+, local files, or LDAP. Using zones, administrators can migrate existing user accounts to Active Directory users without having to ensure that all UNIX UIDs are unique throughout the entire enterprise.


Creating new zones

When you start the Centrify DirectControl Administrator Console for the first time, you are prompted to create a zone container and configure properties for the default zone. Zone properties are important because they allow you to control the default settings for users and groups in the zone, greatly simplifying the task of configuring zone properties while adding new UNIX users and groups to Active Directory.

Although you typically create the default zone during the initial configuration of DirectControl, in many cases you will find you need to create and configure additional zones for better administrative control over the migration of accounts to Active Directory. You can create new zones at any time, but you should keep in mind that other information, such as the information about user UNIX profiles and computer accounts, is organized under the zone object and that you can delegate the administration of users, groups, and computers by zone. In a production environment, therefore, it is best to do some planning for how you want to use zones.

In addition, in a production environment, you decide whether to create individual zones as container objects or as organizational units. If you plan to attach group policies to the organizational units you have created in Active Directory, it probably makes sense to create zones as organizational units. However, for this evaluation, in which you attach group policies at the domain level (see Chapter 7, “Using group policies for UNIX users and computers”), create zones as container objects.

To create a new zone:
1 Open the Centrify DirectControl Administrator Console.
2 Either click the Create Zone link in the details pane or, in the console tree, select Zones, right-click, then click Create New Zone.
3 Type the zone name Finance, then click Next.


By default, the zone is created under the Zones container you specified during initial configuration.
4 Click Standard zone, then click Next.
5 Leave the option Maintain 2.0 and 3.0 Unix agent compatibility unchecked and click Next to create a new zone for 4.x agents.
6 Check the Specify a zone that contains Unix profile information for users and groups option so you can add users or groups from an existing zone in the Active Directory forest. This option enables you to use the existing profile information for users and groups when you add them to the new zone.
Click Find to search for and select the zone that contains existing user and group profiles (the Default zone), then click Next.
7 Type the numeric user identifier (UID) you want to use as a starting point for new UNIX users in this zone, then click Next. By default, new UNIX users are automatically assigned the next available UID for the zone.
8 Type the numeric group identifier (GID) you want to start with for new UNIX groups in this zone, then click Next. By default, new UNIX groups are automatically assigned the next available GID for the zone.
9 Type the default location you want to use when creating new home directories for new UNIX users, then click Next.
The default setting uses the variable ${user} to create a new directory using the user’s UNIX login name. For example, if you are enabling access for the UNIX user account jsmith, the default home directory created is /home/jsmith. You can create a different home directory for any user, if desired.
10 Select the type of UNIX shell you want to use as the default for users in this zone, click Set as default, then click Next.


11 Click Browse to enter search criteria for selecting an existing Active Directory group to use for UNIX accounts. Click Browse and select the container in which to search, then click OK. Leave the search criteria blank to search for all groups, then click Find Now.
Select a group, then click OK. The Wizard supplies the UNIX GID and UNIX group name. Click Next.
12 Leave Support Agentless Client unselected, then click Next.
13 Click Finish to complete the zone configuration.

To get a better feel for how you might use zones to manage your UNIX environment, try creating several zones for the various departments or groups of computers that you have. You can use them in the following exercises.

You can create Centrify DirectControl zones by using Active Directory Users and Computers as well as by using the DirectControl Administrator Console.

To create a zone using Active Directory Users and Computers:
1 Open Active Directory Users and Computers.
2 Select Program Data\Centrify\Zones.
3 Right-click and select New > Centrify Zone.
4 Follow the steps in the previous procedure, beginning with Step 3 on page 73, to create a new zone.

Adding Active Directory users and groups to zones

You can use the Centrify DirectControl Administrator Console to add existing Active Directory users and groups to any zone and to instantly configure the default UNIX profile for the user or group within the selected zone. The steps are essentially the same for users and groups, so the following demonstration illustrates how to add users to a zone.

To add existing Active Directory users to a zone:
1 Select a zone, then select the Users object, right-click and select Add User to Zone.
2 In the Add User to Zone dialog box, type a portion of the name of an existing user and click Find Now, then select the desired user that was found and click OK.
Note You can select multiple users, if applicable.
3 Verify or change any of the default UNIX profile settings as defined for the zone, then click OK.
Note Depending on the format you typically use for the Active Directory User logon Name, you may need to set the UNIX login name to be shorter or use a different format than the Active Directory logon name.
If you selected more than one user, a profile is displayed sequentially for each user you are adding.

Alternatively, you may add users to a zone by dragging them from Active Directory Users and Computers and dropping them into a zone in the Centrify DirectControl Administrator Console.

To add existing Active Directory users to a zone by dragging and dropping:
1 In the Administrator Console, select a zone.
2 In Active Directory Users and Computers, select the Users object that contains the users of interest.
3 Select a user or use the Ctrl or Shift key to select multiple users.
4 Drag the users to the Administrator Console and drop them on the Users object for the zone you selected.


5 Verify or change any of the default UNIX profile settings as defined for the zone, then click OK.
Note Depending on the format you typically use for the Active Directory User logon Name, you may need to set the UNIX login name to be shorter or use a different format than the Active Directory logon name.
If you selected more than one user, a profile is displayed sequentially for each user you are adding.

Managing a zone

The Centrify DirectControl Administrator Console enables you to view and manage the user accounts, groups, and computers associated with each zone. The Centrify DirectControl Administrator Console also allows you to perform administrative tasks for UNIX users, groups, and computers. For example, you can use the Centrify DirectControl Administrator Console to import users and groups from UNIX configuration files into Active Directory, set permissions on UNIX objects, and delegate tasks to specific users.

Through the Centrify DirectControl Administrator Console you can see all of the relevant UNIX information for users, groups, or computers at a glance. You can also run reports that summarize which users have access to specific UNIX computers or applications. This makes the management of your UNIX environment much easier because it eliminates the need to go through each Active Directory user or group account to find the associated UNIX profile.

To view the UNIX profile for users, groups, or computers:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones, then select and expand the default zone.


3 Click on the Users, Groups or Computers containers to see the objects associated with each, along with their most relevant attributes.
4 Right-click any user, group, or computer and select Properties to display the complete set of properties for that object. The properties displayed are the same as those displayed when you select Properties for an object in Active Directory Users and Computers, enabling you to manage Active Directory objects without having to switch to a different management application.

Using zones to control access

Zones can be used to control which users can gain access to specific computers. Normally, you do this by selectively enabling the UNIX profile for a user. For example, if you have three zones—OpenLab, FacultyLab, and Restricted—and the user cruz has permission to access all computers in the OpenLab using one UNIX profile, all computers in the FacultyLab using a different, more restrictive UNIX profile, and no computers in the Restricted zone, you would enable access only to the OpenLab and FacultyLab zones for the user cruz.

To check whether a user has access to the computers in a specific zone:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Zones, then select and expand the zone you are interested in; for example, open the default zone.
3 Click Users or Computers to see the objects associated with each.

Delegating management of zones

Centrify DirectControl is designed to store zone-related information in the directory so that it is possible to delegate the administration of a zone to an individual user or group of users depending on your requirements. This level of delegation enables large organizations to grant administrative rights for each zone to the UNIX systems administrators who are responsible for the computers within a zone. Delegation by zone also allows you to give existing Active Directory account operators control over specific user account administration and management tasks. In this way, UNIX administrators retain sufficient rights to control who can access their systems and how users will interact with the systems without having to create and manage Active Directory accounts.

The following instructions illustrate how to set up two administrative groups with specific rights to manage their own zones, but with account administration handled by the Active Directory Account Operators group.
1 In the Centrify DirectControl Administrator Console, follow the steps described in “Creating new zones” on page 73 to create a new zone named Engineering.
Note You may need to explicitly open each zone you want to work with. To do this, select the zone name in the Centrify DirectControl Administrator Console, right-click, then click Open Zone. If you close the Centrify DirectControl Administrator Console, save your changes to have the same zones open the next time you start the console.
2 In Active Directory Users and Computers, create a new demonstration user, Fred Thomas, with a logon name of fred.thomas. For information about creating a new user and giving the user permission to access UNIX computers, see “Enabling Active Directory users to access UNIX” on page 57.
3 In Active Directory Users and Computers, create two new global security groups called Engineering Admins and Finance Admins.
• Add the user Fred Thomas as a member of the Engineering Admins group.


• Add the user John Smith as a member of the Finance Admins group.
4 In the Centrify DirectControl Administrator Console, delegate control of the Engineering zone to the Engineering Admins group:
• Right-click the Engineering zone, click Delegate Zone Control, then click Next.
• Click Add.
• In the Find list, select Group, type Eng in the Name field, and click Find Now.
• Select the Engineering Admins group, click OK, then click Next.
• Check the All checkbox (which selects all the options), click Next, then Finish.
5 Delegate control of the Finance zone to the Finance Admins group:
• Right-click the Finance zone, click Delegate Zone Control, then click Next.
• Click Add.
• In the Find list, select Group, type Fin in the Name field, and click Find Now.
• Select the Finance Admins group, click OK, then click Next.
• Select All options, click Next, then Finish.

Now you can check that the proper rights have been assigned to the appropriate groups by following the procedure below to log on as John Smith on the domain controller and validate that he has full rights to manage the Finance zone but not the Engineering zone.

To verify delegation:


1 Grant permission to John Smith to log on interactively on the domain controller where you installed the Centrify DirectControl Administrator Console. To do this:
• Use the Administrator account to open the Domain Controller Security Policy and browse to Security Settings > Local Policies > User Rights Assignment. Depending on your Windows environment, the Domain Controller Security Policy may be available from All Programs > Administrative Tools, through the Group Policy Object Editor, or from the Group Policy tab in Active Directory.
• Open the Allow log on locally policy and add John Smith to the list of users allowed to log on locally. Depending on your environment, you may need to type adgpupdate in a Command Prompt window to force the policy to update on the local machine.
• Restart, then log on as John Smith.
2 Open the Centrify DirectControl Administrator Console.
3 For each zone, click Properties. You should see that you can edit any of the settings for the Finance zone but cannot modify properties for any other zone. Similarly, you can add users to the Finance zone, but are prevented from adding them to any other zones.
Note You may need to explicitly open each zone you want to work with. To do this, right-click the Zones node and choose Open Zone. Type the name (or part of the name) of the zone you wish to open and click Find Now. Choose the zone from the list and click OK. If you close the Centrify DirectControl Administrator Console, save your changes to have the same zones open the next time you start the console.


Analyzing zones in an Active Directory forest

You may periodically need to check the integrity of the Centrify DirectControl integration of UNIX users and computers that have been either created in or migrated into the Active Directory forest. The Analyze Forest command checks zones for potential problems such as duplicate user IDs, duplicate groups, empty zones, orphaned data objects, or computers that have joined more than one zone.

To check for problems with Centrify DirectControl information in the Active Directory forest:
1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, select Centrify DirectControl, right-click, then select Analyze.
3 Click Next, select All to check for any potential problems, then click Next.
4 Click Finish to generate the report.
5 Double-click the results in the details pane to display the completed report.

Summary of zone administration

In this chapter, you saw how DirectControl’s ability to group UNIX computers into zones can help simplify system management and ease the migration of UNIX-based account information into Active Directory. You saw how easily you can create a new zone and add users to it.
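The checks the Analyze command performs, and the zone-scoped access rule from “Using zones to control access” (a user can log on in a zone only where an enabled UNIX profile exists), can be illustrated with a small script. The following is an added example and not Centrify code: it models a forest as plain Python data (the zones, profiles and Active Directory object names are constructed sample values, not a real schema) and reports the same classes of problem the Analyze command looks for, plus which zones a user can log on to and which UID a zone would assign next.

```python
"""Added example: zone integrity checks and zone-scoped access lookup.

Models the checks listed for the Analyze command (duplicate UIDs, duplicate
groups, empty zones, orphaned profiles, computers joined to more than one
zone) over a constructed in-memory forest; it does not talk to Active Directory.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class UnixProfile:
    ad_user: str          # Active Directory logon name the profile belongs to
    login: str            # UNIX login name; may be shorter than the AD name
    uid: int
    gid: int
    home: str
    shell: str
    enabled: bool = True  # a disabled profile grants no access in this zone


@dataclass
class UnixGroup:
    ad_group: str         # Active Directory group the UNIX group maps to
    name: str
    gid: int


@dataclass
class Zone:
    name: str
    start_uid: int        # starting UID chosen when the zone was created
    users: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    computers: list = field(default_factory=list)


# Constructed sample data (hypothetical, not a real forest). Objects missing
# from AD_USERS / AD_GROUPS but referenced by a zone profile are orphaned.
AD_USERS = {"jsmith", "fred.thomas", "cruz"}
AD_GROUPS = {"unixusers", "Finance Admins", "Engineering Admins"}

FOREST = [
    Zone("Default", 10000,
         users=[UnixProfile("jsmith", "jsmith", 10000, 10000, "/home/jsmith", "/bin/bash"),
                UnixProfile("cruz", "cruz", 10001, 10000, "/home/cruz", "/bin/bash")],
         groups=[UnixGroup("unixusers", "unixusers", 10000)],
         computers=["rhel01", "solaris01"]),
    Zone("Finance", 20000,
         users=[UnixProfile("jsmith", "jsmith", 20000, 20000, "/home/jsmith", "/bin/bash"),
                # AD account "bgone" no longer exists: orphaned profile
                UnixProfile("bgone", "bgone", 20001, 20000, "/home/bgone", "/bin/sh")],
         groups=[UnixGroup("Finance Admins", "finadm", 20000)],
         computers=["fin01", "rhel01"]),           # rhel01 is also in Default
    Zone("Engineering", 30000,
         users=[UnixProfile("fred.thomas", "fthomas", 30000, 30000, "/home/fthomas", "/bin/bash"),
                # same UID as fthomas, and disabled: no access for cruz here
                UnixProfile("cruz", "cruz", 30000, 30000, "/home/cruz", "/bin/bash", enabled=False)],
         groups=[UnixGroup("Engineering Admins", "engadm", 30000)],
         computers=["eng01"]),
    Zone("Restricted", 40000),                      # nothing in it: empty zone
]


def analyze(forest, ad_users, ad_groups):
    """Return one finding string per problem, in zone order; cross-zone last."""
    findings = []
    joined = defaultdict(list)  # computer name -> zones it has joined
    for z in forest:
        if not (z.users or z.groups or z.computers):
            findings.append(f"{z.name}: empty zone")
        by_uid, by_gid = defaultdict(list), defaultdict(list)
        for p in z.users:
            by_uid[p.uid].append(p.login)
            if p.ad_user not in ad_users:
                findings.append(f"{z.name}: orphaned profile {p.login} "
                                f"(AD user {p.ad_user} not found)")
        for g in z.groups:
            by_gid[g.gid].append(g.name)
            if g.ad_group not in ad_groups:
                findings.append(f"{z.name}: orphaned group {g.name} "
                                f"(AD group {g.ad_group} not found)")
        for uid, logins in by_uid.items():
            if len(logins) > 1:
                findings.append(f"{z.name}: duplicate UID {uid} "
                                f"({', '.join(sorted(logins))})")
        for gid, names in by_gid.items():
            if len(names) > 1:
                findings.append(f"{z.name}: duplicate GID {gid} "
                                f"({', '.join(sorted(names))})")
        for c in z.computers:
            joined[c].append(z.name)
    for c, zones in joined.items():
        if len(zones) > 1:
            findings.append(f"{c}: joined more than one zone ({', '.join(zones)})")
    return findings


def zones_with_access(forest, ad_user):
    """Zones in which ad_user has an enabled UNIX profile, i.e. can log on."""
    return [z.name for z in forest
            if any(p.ad_user == ad_user and p.enabled for p in z.users)]


def next_available_uid(zone):
    """Next UID the zone would hand out: the start UID, or one past the highest in use."""
    return max([zone.start_uid - 1] + [p.uid for p in zone.users]) + 1


if __name__ == "__main__":
    for line in analyze(FOREST, AD_USERS, AD_GROUPS):
        print(line)
    print("cruz can log on in:", zones_with_access(FOREST, "cruz"))
```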


Chapter 6
Using the DirectControl Web Console

In this chapter, you will learn how to use the Centrify DirectControl Web Console to access DirectControl functionality from machines that do not have the Administrator Console installed.

The following topics are covered:
• Understanding the DirectControl Web Console
• Installing the DirectControl Web Console
• Administering a zone with the Web Console
• Adding Active Directory users and groups to zones with the Web Console
• Managing a zone with the Web Console
• Summary of DirectControl Web Console

Understanding the DirectControl Web Console

The Web Console is a web-browser-based application hosted by Microsoft Internet Information Services (IIS). You install the Web Console on a machine in the Active Directory forest, and can access the application through a URL from a browser on any machine with access to the domain.

The Web Console is primarily a tool for zone administrators, providing a subset of the functionality of the Centrify DirectControl Administrator Console, including the ability to manage zones and manage licenses.


Installing the DirectControl Web Console

You install the Web Console on any Windows machine in the Active Directory forest.

To install the Centrify Web Console, perform the following steps:
1 Log on to the Windows machine or server you are using for the evaluation.
2 Verify that Internet Information Services (IIS) is installed and running. IIS is required to host the Web Console service.
To verify that IIS is installed and running, open Services (Start > Control Panel > Administrative Tools > Component Services > Services) and scroll to IIS. IIS should be configured to start automatically.
If IIS is not installed, you can do one of the following to install it:
• On a Windows Server, click Start > Administrative Tools > Manage Your Server > Add a role, then choose Application server. Search for “IIS” in Help and Support for details.
• On a Windows workstation, click Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components, then select Internet Information Services. Search for “IIS” in Help and Support for details.
3 Browse to locate the WebConsole directory in the Centrify DirectControl distribution media (either on the CD or in the extracted folders from the zip file).
4 Double-click setup.exe to launch the Web Console installer.
5 At the Welcome screen, click Next.
6 Type your name and company, select Anyone who uses this computer (all users), then click Next.
7 Select the default name for the Web Console virtual directory (DirectControl) and the default location for the Web Console files (C:\Program Files\centrify\DirectControl Web Console), and click Next.
The Web Console is hosted by IIS. The virtual directory is the location that IIS uses to publish the Web Console. See “Administering a zone with the Web Console” for more information about the virtual directory.
8 Click Next on the summary screen to begin copying the files. Then click Finish to complete the installation.

Administering a zone with the Web Console

In Chapter 5, “Administering zones,” you worked through some examples of managing zones. The following sections take you through some of the same examples but using the Web Console instead of the Administrator Console.

Note This chapter assumes you have worked through the previous chapter and created some DirectControl zones. If not, do so now before continuing with this chapter. Users of the Web Console are only granted zone administrator privileges, which means they can work with zones, for example by adding users, but they cannot create new zones.

To launch the Web Console:
1 Open an internet browser and enter the URL for the Web Console.
The virtual directory you created in Step 7 on page 84 is the location that IIS uses to publish the application pages for the Web Console. The URL to the virtual directory is in the form:
http://hostName/VirtualDirectory
where hostName is the name of the machine on which you installed the Web Console and VirtualDirectory is the name of the IIS virtual directory in which you installed the Web Console.


If you access the Web Console from a browser on the machine on which the Web Console is installed, specify localhost for the host:
http://localhost/DirectControl
If you access the Web Console from a browser on a remote machine, specify the name or IP address of the machine on which the Web Console is installed; for example:
http://Sales11/DirectControl
http://172.11.152.7/DirectControl
Note Be certain to turn off the Internet Explorer pop-up blocker for the Web Console site; otherwise, some Web Console windows will not be displayed.
2 Click Add Zone to Web Console to open zones to view in the Web Console.
Zones are not shown by default. You must explicitly open them to view them in the Web Console. In the dialog box, enter all or part of a zone name to find, or leave the Name field blank to find all zones; then click Find Now. A list of zones is returned.


3 Select the zones to display and click OK. The zones you select appear in the tree in the left panel. Expand a zone to see the objects in the zone.


Navigating the Web Console

As you can see, the Web Console provides a standard Web interface to Centrify DirectControl.

On the home page, or when displaying zones, the left pane shows the console tree. Expand the tree to show individual zones and the Computers, Groups, and Users containers for each zone.

The right pane shows details of the item selected in the left pane, for example a list of computers, groups, or users. For displays that cover multiple pages, for example a list of users, you can click the filter icon for an item and type criteria to limit the items that are displayed, for example names that begin with ‘m’.

Click items on the menu bar to do the following:
• Home to return to the home page. Icons on the home page enable you to add a user to a zone, open zones to display, or display the Centrify DirectControl documentation.
• Setup to manage licenses.
• Zones to view details of open zones. You can open additional zones to view by clicking the Open button, or close currently displayed zones by selecting the box for a zone and clicking Close.
• Search to find users, groups, computers, or zones.
• Log Off to exit the Web Console.


Adding Active Directory users and groups to zones with the Web Console

You can use the Centrify DirectControl Web Console to add existing Active Directory users and groups to any zone and to instantly configure the default UNIX profile for the user or group within the selected zone. The steps are essentially the same for users and groups. In “Adding Active Directory users and groups to zones” on page 75 you added users; the following example illustrates how adding users to a zone with the Web Console is very similar to adding users with the Administrator Console.

To add existing Active Directory users to a zone:
1 Open an internet browser and enter the URL for the Web Console. For example,
http://localhost/DirectControl
2 Expand Zones and any zone in the console tree in the left pane; for example, the Finance zone you created in the previous chapter.
Note If no zones are visible, click Home and Add Zone to Web Console to select the zones to open.
Then select the Users object. The right pane shows the users that belong to the current zone, including any users you added with the Administrator Console following the instructions in the previous chapter.
3 Click Add.
4 In the dialog box, type a portion of the name of an existing Active Directory user and click Find Now, then select the desired user that was found. A dialog appears with the default UNIX profile for the user.
Note If the Set UNIX User Profile dialog box does not appear, make certain you have turned off all Internet Explorer pop-up blockers.


5 Verify or change any of the default UNIX profile settings as defined for the zone, then click OK.

Managing a zone with the Web Console

The Centrify DirectControl Web Console enables you to view and manage the user accounts, groups, and computers associated with each zone. You can see all of the relevant UNIX information for users, groups, or computers at a glance. This makes the management of your UNIX environment much easier because it eliminates the need to go through each Active Directory user or group account to find the associated UNIX profile. In addition, because the Web Console is browser-based, you can use it on any machine from which you can log into the domain, not simply on machines with the Centrify DirectControl Administrator Console installed.

To view the UNIX profile for users, groups, or computers:
1 Open a browser and type the URL for the Web Console; for example,
http://localhost/DirectControl
2 In the console tree, select Zones, then select and expand the default zone.
Note If default is not visible in the console, select Add Zone to Web Console to open the zone for display.
3 Click on the Users, Groups or Computers containers to see the objects associated with each, along with their most relevant attributes. For example, click on Users to see a list of users and their attributes, including UNIX name, UID, shell, and so on.
4 For any user, group, or computer, click the User Properties icon to display or modify the complete set of properties for that object. Click an object name, for example a user name, or the Zone Settings icon, to see or modify the Centrify Profile for that object.
5 Select the check box next to one or more objects to perform an action on the object or objects. For example, select the boxes for one or more users and click:
• Delete to delete the user or users.
• Join a group to add the user or users to a group.
• Reset password to reset the password for a user. Note that you may only select one user at a time to reset the password. If you select multiple users, this button is not activated.
• Disable Unix account to disable the UNIX account for the user or users. If the UNIX account for a user is disabled, the Enable Unix Account button is activated when you select the user.

Summary of DirectControl Web Console

In this chapter, you learned how to install, launch, and navigate the Centrify DirectControl Web Console to add Active Directory users to zones and view the properties for zone objects.




Chapter 7
Using group policies for UNIX users and computers

Centrify DirectControl group policies allow administrators to extend the configuration management capabilities of Windows Group Policy Objects to managed UNIX computers and users. This chapter provides an overview of what group policies provide, how they are implemented and applied, and how you can define and link group policies for UNIX computers and users.

The following topics are covered:
• Understanding Group Policy
• Adding Centrify DirectControl group policies for UNIX
• Setting the login banner
• Changing the password prompt
• Centrally managing the sudoers file

Understanding Group Policy

Group policies allow you to specify a variety of configuration options and apply those settings to specific groups of computers and users. In a standard Windows environment, these configuration settings control many aspects of computer operation and the user experience, including the user’s desktop environment, startup and shutdown scripts, local security enforcement, user- and computer-based registry settings, and software installation and maintenance services.

When you define policy settings, they are stored in a Group Policy Object (GPO). Each Group Policy Object can consist of configuration information that applies to computers, configuration information that applies to users, or sections of policy specifically devoted to each.

Because configuration details on Windows computers are primarily controlled through registry settings, group policies are designed to enable an administrator to centrally define those registry settings and propagate them to specific sets of computers on the network through Active Directory. The scope of any policy is defined by the specific site, domain, or organizational unit to which the Group Policy Object is applied.

Centrify DirectControl provides a group policy framework that integrates UNIX systems into the Active Directory group policy management environment, enabling you to centrally define configuration settings that can then be translated and applied to specific UNIX configuration files locally. These group policies are then enforced any time a computer with a policy applied starts up, at a policy-defined periodic interval, on demand when you run an update command, and when users log on.

Centrify DirectControl provides its own administrative template for UNIX-specific group policies to complement the limited number of Windows group policies that can be applied to UNIX users and computers.

Adding Centrify DirectControl group policies for UNIX

Group policies for UNIX are managed using the same tools that are used to manage Windows group policies. With Windows Server 2003 and Windows Server 2008, there are two MMC snap-ins for managing group policies:
• The Group Policy Management Console is an optional MMC snap-in you can download from the Microsoft Web site. You use the Group Policy Management Console to create new Group Policy Objects, link Group Policy Objects to sites, domains, and organizational units, delegate group policy permissions to specific users and groups, and perform other tasks.


• The Group Policy Object Editor allows you to enable, disable, and edit the configuration settings within any Group Policy Object. You use the Group Policy Object Editor to set the configuration options you want to use and to assign values to configuration settings.

To use the Centrify DirectControl group policies for UNIX, you must add the Centrify DirectControl Administrative Templates to the Group Policy Object you want to work with.

To add the Centrify DirectControl Administrative Templates to the Default Domain Policy:
1 Log in as an administrator on a Windows computer where you can perform administrative functions.
2 Start the Group Policy Object Editor by clicking Start > Run and typing mmc, then:
• Click File > Add/Remove Snap-in.
• Click Add.
• Select Group Policy Object Editor, click Add.
• In the Select Group Policy Object dialog, click Browse and select the Default Domain Policy, then click OK.
• Click Finish, then click Close, then click OK.
3 In the Group Policy Object Editor, open Console Root > Default Domain Policy > Computer Configuration and select Centrify Settings.
4 Right-click, then click Add/Remove Templates.
5 Click Add.
6 Navigate to the directory that contains the Centrify DirectControl administrative templates. By default, the administrative template is located in the local \program files\Centrify\Centrify DirectControl\group policy\policy directory.


7 Select the centrifydc_settings.xml file, click Open to add these templates to the list of Policy Templates, then click Close.

Note The Centrify DirectControl Administrative Template file, centrifydc_settings.xml, includes both computer and user configuration policies.

You will now be able to see the Centrify DirectControl Administrative Templates for managing several aspects of the Centrify DirectControl solution as well as various other policies for the UNIX system.

Setting the login banner

Because the login banner is typically defined once and propagated across the entire enterprise network, Centrify DirectControl supports the standard Windows login banner policy for UNIX computers as well. To set the login banner, follow the steps below.

To set the login banner for UNIX computers:

1 Log in as an administrator on a Windows computer where you can perform administrative functions and run the Group Policy Object Editor as described above.

2 Browse within the Computer Configuration to Windows Settings > Security Settings > Local Policies > Security Options and double-click the item Interactive logon: Message text for users attempting to log on.

3 Select Define this policy setting and type a new logon banner message in the text box, then click OK.

Note To have changes to the policy reflected immediately on the local UNIX computer, manually update the policies by running adgpupdate on the UNIX computer. You can run this command as any currently logged in user. By default, the group policy update interval refreshes the policy every 90 minutes.

4 To see the new login banner, restart the UNIX computer.


You should see the new login banner displayed during the console login sequence, before the graphical user interface (GUI) login manager starts. It might be on the screen only briefly, so watch for it.

Changing the password prompt

You can use a Centrify DirectControl group policy to change the text displayed at the password prompt on UNIX computers.

To set the password prompt for Active Directory users logging on to a UNIX computer:

1 Log in as an administrator on a Windows computer where you can perform administrative functions and run the Group Policy Object Editor.

2 Browse within the Computer Configuration to Centrify Settings > DirectControl Settings > Password Prompts and double-click the item Login Password Prompt to edit its properties.

3 Select Enabled and type a new password prompt in the text box, then click OK.

Note To have changes to the policy reflected on the local UNIX computer, manually update the policies by running adgpupdate on the UNIX computer. You can run this command as any currently logged in user. By default, the group policy update interval refreshes the policy every 90 minutes.

4 To see the new password prompt, log out of the UNIX computer and try logging in again.

You should see the new password prompt displayed during login. Locally defined UNIX users will continue to see the standard password prompt, because the new password prompt is only displayed to users logging on with a valid Active Directory account.


Centrally managing the sudoers file

You can centrally define a set of sudo permissions that can be applied to a user, a group of users, or all users across a site, domain, or Organizational Unit. For example, to manage the sudo permissions for all users within the domain, you edit the Centrify DirectControl Sudo Rights group policy setting in the Default Domain Policy.

Note In order to work properly, the Sudo Rights group policy requires that the sudo package, including visudo and the sudoers file, is installed on the UNIX machines managed by Centrify DirectControl.

When you select Enabled for the Sudo Rights group policy, you can then add user names and commands.

You add items to the text box just as you would to the sudoers file; that is, you type entries as you want them to appear in the sudoers file.

Note It is important to use the proper syntax for entries in the sudoers file. If the syntax isn't valid, the sudo command treats the sudoers file as corrupt and no user is allowed to run commands using sudo rights; a single malformed entry pushed by group policy therefore locks every user out of sudo on every computer that receives the policy. Therefore, in addition to the Explain tab, which describes the sudoers grammar in Extended Backus-Naur Form (EBNF), this policy provides several other ways to help you enter and verify the correct syntax for your entries:

• The Sample tab shows sample sudoers file entries.
• A right-click menu provides templates for inserting alias entries, as well as the ability to browse for users.
• Validation code verifies that there are no syntax errors in your entries before writing the entries to the sudoers file.

To apply a set of sudo permissions for all users in a domain:


1 Log in as an administrator on a Windows computer where you can perform administrative functions and run the Group Policy Object Editor.

2 Browse within the Computer Configuration to Centrify Settings > Common Unix Settings and double-click the item Sudo Rights to edit its properties.

3 Select Enabled, then enter the following text in the box:

jsmith ALL = /bin/cat

This entry allows jsmith to run the cat command as root on any host (ALL). The user, jsmith, still needs to enter a password to run this command. You can use the context menu to change the entry and remove the password requirement.

4 After the '=' sign, insert a space, then right-click and select Insert Value > Cmnd > NOPASSWD: and NOPASSWD: is added to the entry.

The entry should now look like this (note the colon after NOPASSWD; without it the entry is invalid):

jsmith ALL = NOPASSWD: /bin/cat

5 Click Apply or OK to save the entry.

Note To have changes to the policy reflected on the local UNIX computer, manually update the policies by running adgpupdate on the UNIX computer. You can run this command as any currently logged in user. By default, the group policy update interval refreshes the policy every 90 minutes.

6 Log on to the UNIX computer as the Active Directory user jsmith.

7 Run the following command to see that John Smith does not have permission to view the file, because it is owned by the root user and can be read only by root:

cat /etc/sudoers

8 Run the following command:

sudo cat /etc/sudoers


You should now see the contents of the file, with the specific entry for this user at the bottom of the file as a result of the change that group policy applied to the system.
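Because a single malformed Sudo Rights entry makes sudo reject the whole file, it pays to check the policy text before it is applied. The following Python script is an added example written for this page, not part of Centrify DirectControl or of sudo. It parses the subset of the sudoers grammar used in this chapter (user, host list, optional runas and tags, comma-separated command list), fails closed the way sudo does when any line is malformed, and flags the mistake that is easy to make in step 4 above, a NOPASSWD tag without its colon. The two policy texts are constructed samples; the handling of alias and Defaults lines is a simplification and is labelled as such in the comments.

```python
"""Check Sudo Rights text before group policy writes it into /etc/sudoers.

Added example for this page, not Centrify or sudo code. Covers the subset of
the sudoers grammar used in this chapter:
    User_Spec ::= User Host '=' Cmnd_Spec { ',' Cmnd_Spec }
    Cmnd_Spec ::= [ '(' Runas ')' ] { Tag ':' } Cmnd [ args ]
Simplifications (assumptions): one user and one host word per line, alias
definitions are syntax-checked but not expanded, Defaults lines are skipped.
"""
import re

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC",
            "EXEC": "NOEXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
WORD = re.compile(r"[%+#!]?[\w.$@\\-]+")      # user, %group, +netgroup, #uid, host or ALL
ALIAS_NAME = re.compile(r"[A-Z][A-Z0-9_]*")


def parse_cmnd_spec(spec, inherited=()):
    """Parse one Cmnd_Spec. Tags are sticky across the comma-separated list on a
    line, so the caller passes the tags already in force."""
    runas = "root"                                        # sudo's default target user
    m = re.match(r"\(\s*([^)]*?)\s*\)\s*(.*)$", spec)
    if m:
        runas, spec = (m.group(1) or "root"), m.group(2)
    tags = list(inherited)
    while True:                                           # peel TAG: prefixes; space after ':' is optional
        m = re.match(r"([A-Z_]+):\s*(.*)$", spec)
        if not m:
            break
        tag, spec = m.groups()
        if tag not in TAGS:
            raise ValueError(f"unknown tag {tag!r}")
        tags = [t for t in tags if t not in (tag, OPPOSITE[tag])] + [tag]
    tokens = spec.split()
    if not tokens:
        raise ValueError("no command after runas/tags")
    cmd = tokens[0]
    if cmd in TAGS:                                       # 'NOPASSWD /bin/cat': the colon is mandatory
        raise ValueError(f"tag {cmd!r} must be followed by ':'")
    if cmd != "ALL" and not cmd.startswith("/") and not ALIAS_NAME.fullmatch(cmd):
        raise ValueError(f"command {cmd!r} must be an absolute path, an alias or ALL")
    return {"runas": runas, "tags": tags, "command": cmd, "args": tokens[1:]}


def parse_line(raw):
    """Return a rule dict, None for blank/comment/Defaults/alias lines, or raise ValueError."""
    line = re.sub(r"(^|\s)#(?!\d).*$", "", raw).strip()   # drop comments but keep '#uid' users
    if not line or line.startswith("Defaults"):
        return None
    if line.startswith(ALIAS_KEYWORDS):                    # accepted, not expanded (simplification)
        if not re.fullmatch(r"\w+_Alias\s+[A-Z][A-Z0-9_]*\s*=\s*\S.*", line):
            raise ValueError("malformed alias definition")
        return None
    if "=" not in line:
        raise ValueError("missing '=' between host and command list")
    lhs, rhs = line.split("=", 1)
    parts = lhs.split()
    if len(parts) != 2:
        raise ValueError("expected 'user host' before '='")
    if not all(WORD.fullmatch(p) for p in parts):
        raise ValueError(f"bad user or host word in {lhs.strip()!r}")
    cmnds, tags = [], ()
    for piece in rhs.split(","):
        spec = parse_cmnd_spec(piece.strip(), tags)
        tags = spec["tags"]
        cmnds.append(spec)
    return {"user": parts[0], "host": parts[1], "cmnds": cmnds}


def validate_sudoers(text):
    """Check every line. Like sudo, one malformed line means the file grants nothing."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            rule = parse_line(raw)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}: {raw.strip()!r}")
            continue
        if rule:
            rules.append(rule)
    return {"ok": not errors, "errors": errors, "rules": [] if errors else rules}


def lookup(rules, user, command):
    """First Cmnd_Spec that lets `user` run `command` on any host, else None."""
    for rule in rules:
        if rule["user"] in (user, "ALL"):
            for spec in rule["cmnds"]:
                if spec["command"] in (command, "ALL"):
                    return spec
    return None


# Constructed sample: the Sudo Rights text from this chapter, written correctly.
GOOD_POLICY = """\
# pushed by the Default Domain Policy (constructed sample)
Defaults    env_reset
jsmith  ALL = NOPASSWD: /bin/cat
%backup ALL = (root) /bin/tar, /bin/cpio
"""
# Constructed sample: the colon after NOPASSWD is missing, so sudo rejects the whole file.
BAD_POLICY = GOOD_POLICY.replace("NOPASSWD: /bin/cat", "NOPASSWD /bin/cat")

if __name__ == "__main__":
    for name, text in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        result = validate_sudoers(text)
        print(name, "accepted" if result["ok"] else "REJECTED, nothing granted", *result["errors"])
```

Run it before pasting the text into the Sudo Rights policy, or wire it into whatever review step approves changes to the Default Domain Policy; on a machine that has sudo installed, visudo -c -f on the same text is the authoritative check.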


Chapter 8
Defining rights and roles

This chapter describes how to activate and use DirectAuthorize to define specific rights and assign users to specific roles to establish role-based access controls on a zone-by-zone or computer-by-computer basis.

The following topics are covered:

• Understanding DirectAuthorize roles and rights
• Getting started evaluating DirectAuthorize
• Initializing DirectAuthorize for a zone
• Defining job roles and rights
• Verifying roles and rights

Understanding DirectAuthorize roles and rights

DirectAuthorize is a plug-in extension to the main Centrify DirectControl Administrator Console that enables you to centrally manage the operations users can perform on DirectControl-managed computers. In DirectAuthorize, a right represents a specific operation a user is allowed to perform. Rights can be defined for the following types of operations:

• PAM Access rights identify the specific PAM-enabled applications the user can access.
• Privileged Commands identify specific commands the user can run as another user account.
• Restricted Shells provide a strictly controlled environment that limits the set of commands the user is allowed to run and can run Privileged Commands automatically for the user.


Individual rights to perform specific operations can be combined to define a role. In most cases, a role is a collection of rights that reflects the needs of a specific job function, such as a database administrator, backup operator, or web site developer.

Roles can be active and available for use during specific hours of the day or days of the week. For example, you can specify that the Backup Operator role is only available on Wednesdays and Fridays between the hours of 5:00 PM and 9:00 PM. When you assign users and groups to the role, they are allowed to perform the operations associated with the role only during the days and times you have defined for the role.

Within a role, an individual zone user or zone group role assignment can be given an effective starting date and time, an expiration date and time, or both. For example, if the user Jae needs to be a database administrator temporarily for four weeks in August, you can assign this user to the Database Administrator role with a start date of Monday, August 4th, and an expiration date of Friday, August 29th.

Assigning an Active Directory user or group to a role defines the user's or group's role for an entire zone by default. You can also scope a role assignment for a specific user or group to a specific computer in a zone. For example, you can assign the user "Chris" to the "Local_Admin" role on the computer "fireline" to give that user rights scoped to that computer rather than to all computers in the zone.

Keep in mind that any assignment to a specific computer is added to the roles that the user has been assigned across the entire zone. All existing assignments of users or groups to a role at the zone level continue to apply. For example, if the user Chris is assigned to the Local_Admin role for the zone, his rights apply to all of the computers in the zone, including the fireline computer. Assigning him to the Local_Admin role on the fireline computer as well will not restrict him to performing Local_Admin operations only on the fireline computer.
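To make the evaluation order concrete (is the role available at this hour, is the assignment within its start and expiry dates, is it zone-wide or scoped to this computer, is the user confined to a restricted shell, and does a dzdo request match a privileged command), here is a small Python model. It is an added example written for this page, not Centrify's DirectAuthorize code. The role contents mirror the Sys Admin, Backup Operator and Contract Sys Admin scenarios defined later in this chapter; the Local_Admin right, the sample dates, and the rule that a user holding only restricted-shell roles is confined to those allow-lists are assumptions.

```python
"""Model of how a DirectAuthorize decision is reached for a user on a computer.

Added example for this page, not Centrify code. Role contents follow the
Sys Admin, Backup Operator and Contract Sys Admin scenarios in this chapter.
Assumptions: the Local_Admin right, the dates, and the rule that a user whose
effective roles all carry a restricted shell is confined to those allow-lists.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    pam_apps: Set[str]                 # PAM services the role may log in through; "*" = any
    privileged: Dict[str, str]         # command -> run-as user; "*" = any command
    available: Optional[Dict[int, Tuple[int, int]]] = None   # weekday (Mon=0) -> (from_hour, to_hour); None = 24x7
    restricted: Optional[Dict[str, str]] = None              # dzsh allow-list: command -> run-as; None = normal shell


@dataclass
class Assignment:
    user: str
    role: str
    scope: str = "zone"                # "zone" or the name of one computer
    start: Optional[datetime] = None   # None = start immediately
    expiry: Optional[datetime] = None  # None = never expires


def role_available(role: Role, now: datetime) -> bool:
    if role.available is None:
        return True
    window = role.available.get(now.weekday())
    return window is not None and window[0] <= now.hour < window[1]


def assignment_active(a: Assignment, user: str, computer: str, now: datetime) -> bool:
    return (a.user == user
            and a.scope in ("zone", computer)           # computer-scoped rights add to zone-wide ones
            and (a.start is None or a.start <= now)
            and (a.expiry is None or now <= a.expiry))


def effective_roles(roles, assignments, user, computer, now):
    """Roles the user holds on this computer right now (what dzinfo lists as Avail Yes)."""
    return [roles[a.role] for a in assignments
            if assignment_active(a, user, computer, now) and role_available(roles[a.role], now)]


def can_login(roles, assignments, user, computer, now, pam_app):
    """PAM access: some effective role must list the service, or '*'."""
    return any("*" in r.pam_apps or pam_app in r.pam_apps
               for r in effective_roles(roles, assignments, user, computer, now))


def run_command(roles, assignments, user, computer, now, command, via_dzdo=False):
    """Return (allowed, run_as) for `command`, typed plainly or through dzdo."""
    active = effective_roles(roles, assignments, user, computer, now)
    if not active:
        return (False, None)
    if all(r.restricted is not None for r in active):       # assumed: confined to the allow-lists
        for r in active:
            if command in r.restricted:
                return (True, r.restricted[command])
        return (False, None)                                 # dzsh: "command not allowed"
    if not via_dzdo:
        return (True, "self")
    for r in active:
        for pattern, run_as in r.privileged.items():
            if pattern in ("*", command):
                return (True, run_as)
    return (False, None)                                     # dzdo: no matching privileged command right


ROLES = {r.name: r for r in (
    Role("Sys Admin", {"*"}, {"*": "root"}),
    Role("Backup Operator", {"sshd"}, {}, available={6: (12, 24)},        # Sunday noon to midnight
         restricted={"ls": "self", "cat": "self", "dzinfo": "self",
                     "tar": "root", "mount": "root", "cpio": "root"}),
    Role("Contract Sys Admin", {"sshd", "gdmd"}, {"rpm": "root", "adinfo": "root"},
         available={d: (9, 17) for d in range(5)}),                        # Mon-Fri 9:00-17:00
    Role("Local_Admin", {"sshd"}, {"/sbin/service": "root"}),             # assumed right
)}
ASSIGNMENTS = [
    Assignment("suser", "Sys Admin"),
    Assignment("jcool", "Backup Operator"),
    Assignment("jsmith", "Contract Sys Admin",                             # next quarter only
               start=datetime(2010, 10, 1), expiry=datetime(2010, 12, 31, 23, 59)),
    Assignment("chris", "Local_Admin", scope="fireline"),                  # one computer only
]
SUN_1300 = datetime(2010, 9, 19, 13)     # a Sunday afternoon (constructed dates)
TUE_1100 = datetime(2010, 9, 21, 11)     # a weekday morning before the contract starts
OCT5_1000 = datetime(2010, 10, 5, 10)    # a Tuesday inside the contract


def login(user, computer, now, pam_app="sshd"):
    return can_login(ROLES, ASSIGNMENTS, user, computer, now, pam_app)


def evaluate(user, computer, now, command, via_dzdo=False, extra=()):
    return run_command(ROLES, ASSIGNMENTS + list(extra), user, computer, now, command, via_dzdo)


if __name__ == "__main__":
    print("jcool ssh Tuesday:", login("jcool", "host1", TUE_1100))           # False
    print("jcool tar Sunday:", evaluate("jcool", "host1", SUN_1300, "tar"))  # (True, 'root')
    print("jsmith ssh Tuesday:", login("jsmith", "host1", TUE_1100))         # False, not started
    print("chris on other host:", evaluate("chris", "other", TUE_1100, "/sbin/service", True))
```

The `extra` parameter is what shows the additive rule: adding a zone-wide Local_Admin assignment for chris makes the right appear on every computer, and the earlier fireline-only assignment does not narrow it.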


Getting started evaluating DirectAuthorize

DirectAuthorize operates on a zone-by-zone basis. If you completed the earlier exercises in this manual, you have already created Active Directory users and Centrify zones. DirectAuthorize integrates seamlessly with Active Directory and Centrify DirectControl, so you can use DirectAuthorize to add roles and rights to specific users in an existing zone, while leaving other users in the zone as is.

For the purposes of this evaluation, we are going to create a new zone, but feel free to use an existing zone if you are more comfortable doing that.

Setting up the evaluation environment for DirectAuthorize

You should already have:

• A Windows machine with Centrify DirectControl 4.2 or newer installed. Although DirectAuthorize is bundled with Centrify DirectControl, it has more stringent requirements than DirectControl. The functional level of the Active Directory domain must be raised to Windows Server 2003, and you must be running one of the following:
  • Windows Server 2003 with SP2 or later
  • Windows XP with SP2 or later
  • Windows Vista with SP1
  • Windows 2003 with SP1 or later
• A UNIX machine with the current DirectControl agent installed.

To prepare for the DirectAuthorize evaluation:

1 On the Windows machine, open the DirectControl Console.

2 Select the Centrify DirectControl node and click Create Zone.


3 Enter a name for the zone, for example, DZTest.

4 Click Next, and click Next on each screen to accept the defaults.

5 Expand DZTest, right-click Users and select Add User to Zone. Then enter search criteria and click Find Now to find and select users to add to the zone. Add at least three users, for example, Joe Cool, Jill Smith, and Sally User.

Note You may have to browse for and add a primary group for each user for this zone.

6 Log on to the UNIX machine as root and join the machine to the domain and the newly created zone, where domain is the name of your Active Directory domain:

adjoin -z DZTest domain

7 Return to the Centrify DirectControl Console, expand DZTest, then select Computers. Right-click and select Refresh and you should see the UNIX machine you just joined to the domain.

You are now ready to initialize and begin using DirectAuthorize.

Initializing DirectAuthorize for a zone

The DirectAuthorize Console and application do not require separate installation; they are installed as part of Centrify DirectControl. However, you must initialize DirectAuthorize for each zone in which you intend to use it.

Although you can install DirectAuthorize on any machine where you install the Centrify DirectControl Administrator Console, it has system requirements that are different from those for the Administrator Console. Before initializing DirectAuthorize, verify that the computer meets the following requirements:

• The computer is running one of the following:
  • Windows Server 2003 with SP2 or later
  • Windows XP with SP2 or later
  • Windows Vista with SP1
  • Windows 2003 with SP1 or later
• The functional level of the Active Directory domain has been raised to Windows Server 2003.

To initialize DirectAuthorize:

1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

2 In the console tree, select Zones to display the list of zones.

3 Select the DZTest zone, or another zone you intend to use, right-click, then click Properties.


4 Click the DirectAuthorize tab, then select the Enforce rights and roles box.

The currently logged on user is automatically added to the list of users and groups allowed to configure DirectAuthorize.

In a real-world environment, you would add to this list the users and groups who are allowed to define rights and roles for performing operations on computers managed by DirectControl. However, for the purposes of this evaluation, the logged-in user is sufficient.

5 Click OK to save the zone properties and close the Properties dialog box.


If you expand DZTest, you see nodes named Roles and Rights. The roles and rights you create are added to these nodes.

Defining job roles and rights

Although you can define rights and roles separately, they are essentially intertwined. Rights describe permission to perform specific operations. Rights are assigned to roles, allowing users in the role to perform the specified operations.

You can define rights and assign them to roles to control:

• Who has permission to run specific privileged commands in a zone. These rights provide functionality similar to the UNIX sudo command but are configured using DirectAuthorize settings rather than through a sudoers configuration file.
• Who can access which PAM applications in a zone.
• Who must use a restricted shell within a zone.

The rest of this section describes some typical use case scenarios and how to use DirectAuthorize to create roles and rights to implement those scenarios. The roles are:

• Standard system administrator: has 24/7 access and the ability to execute any command as root.
• Backup operator: has access during limited hours and can execute only a small set of commands from a restricted environment.
• Contract system administrator: has access during regular business hours, can execute a specified set of commands, and is coming in on contract for the next business quarter.

Creating the standard system administrator role

This section explains how to create rights for a system administrator role. The person in this role can log in via any PAM interface and run any command as root. This role is roughly equivalent to %role ALL = (ALL) ALL in the sudoers file.

To create a system administrator role:

1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

2 In the console tree, select Zones to display the list of zones.

3 Select and expand the zone initialized for DirectAuthorize, for example, the DZTest zone.


4 In the console tree, select and expand Rights. Then right-click Privileged Commands and click New Command.

5 Enter the following information:
• Name: All
• Description: Execute any command.
• Command: *

6 Click the RunAs tab.

7 Select User list, then click Add.

8 Type root for User name, then click OK.

9 Click the Attributes tab and select the check boxes Authentication required, User's password, and Allow nested command execution.

Note Executing Centrify DirectControl and DirectAuthorize commands such as dzinfo and centrifydc requires that you are able to execute nested commands, so the Allow nested command execution attribute is checked by default.


Click OK to save the information and close the dialog box.

10 Right-click Roles, then click Add Role.

11 On the General tab, enter a name and description for the new role; for example:
• Name: Sys Admin
• Description: Can execute any command as root and log in via any PAM application.


12 Click the Commands Access tab, select Privileged commands, then click Add.

13 Click Add, then select the All command (or right) that you created earlier. Click Add.

14 Click the PAM Access tab, click Add, then New.

15 Type * in Application name and optionally a description. Click Add, select * in the list, then click OK, then OK again to close the dialog box and create the Sys Admin role.

16 Right-click Sys Admin, then click Assign Users and Groups to assign a user to the Sys Admin role. Enter search criteria to find a user; for example, type s and click Find Now to find Sally User, among others. Select Sally User and click OK.

Verifying the System Administrator role

DirectAuthorize provides a number of tools in the Centrify DirectControl Console and on the UNIX machine to monitor the roles and rights that you create. See "Verifying roles and rights" on page 126.

As a quick sanity check for this evaluation, you can log on to the UNIX machine as the user (Sally User) whom you assigned to the Sys Admin role and see if the role works as configured.

To verify the Sys Admin role on the UNIX machine:

1 Log in to any UNIX machine with access to the UNIX machine you are using for the evaluation, including the UNIX evaluation machine itself.

2 SSH to the machine using the login of Sally User (suser), whom you assigned to the Sys Admin role. When prompted, enter the password for suser:

ssh machine -l suser
suser@machine's password:
[suser@machine suser]$

3 Run some simple UNIX commands to verify that normal commands work, for example:

ls
pwd
whoami

4 Now run some commands normally, then in privileged mode, to see the difference.

As you recall, for this role the user can run any command in privileged mode, and privileged mode means running a command as root. To run in privileged mode, you use the dzdo command.

[suser]$ id
uid=10003(suser) gid=10000(domainus) groups=10000(domainus)
[suser]$ dzdo id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Notice that when you run id with the dzdo command, suser's uid is root's (0).

Run adflush, which requires root permission, as Sally User, then with dzdo:


[suser]$ adflush
Error: adflush may only be run by root.
[suser]$ dzdo adflush
GC and DC caches flushed successfully

Now go on to create a backup operator role that allows a restricted set of commands to be run in a restricted shell.

Creating a backup operator role

In this scenario you are going to create a backup operator role, which provides a limited number of commands and restricted hours of access. The specific restrictions for this role are as follows:

• Can only log in on Sunday afternoon, between 12 noon and midnight, using SSH.
• Uses the restricted environment.
• Is limited to the following commands:
  • ls, cat, dzinfo
  • tar, mount, cpio (as root)

To create the backup operator role:

1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

2 In the console tree, select Zones to display the list of zones.

3 Select and expand the zone initialized for DirectAuthorize, for example, the DZTest zone.


4 In the console tree, select and expand Rights. Then right-click Restricted Environments and click New Restricted Environment.

5 Enter a name and description for the shell, for example:
• Name: BUShell
• Description: Shell for backup operator.

Click the Commands tab.


6 Click New.

7 Enter the following commands and keep the default radio buttons for each (Standard user path, Current user):

ls, cat, dzinfo

For example:

Name: ls
Description: List directory command
Command: ls
Standard user path
Execute as: Current user

Click OK after entering the information for each command, then click New to create another command.

8 Click New, then enter the following commands to be run as root:

tar, mount, cpio

For example:


Name: tar
Description: Archive command
Command: tar
Standard user path
Execute as: Specific user account: root

Note Be certain to select Execute as Specific user account and type root in the box.

Click OK after entering the information for each command, then click New to create another command.

9 When you have defined all the commands, click OK to close the Properties page.

10 Right-click Roles, then click Add Role.

11 On the General tab, enter a name and description for the new role; for example:
• Name: Backup Operator


• Description: Can execute ls, cat, dzinfo; tar, mount, cpio as root; 12 - 12 Sundays

12 Click Available Times and change everything except Sunday, 12 noon to 12 midnight, to Denied.

13 Click the Commands Access tab. Then select Use Dzsh shell and select BUShell from the drop-down box.


Click OK.

14 Click the PAM Access tab, click Add, then New.

15 Type sshd in Application Name, and optionally a description, then click OK.

16 Select sshd, then click OK.

17 Click OK to exit the dialog and create the Backup Operator role.

18 Right-click Backup Operator, then click Assign Users and Groups to assign a user to the Backup Operator role. Enter search criteria to find a user; for example, type j and click Find Now to find Joe Cool, among others. Select Joe Cool and click OK.

Verifying the Backup Operator role

DirectAuthorize provides a number of tools in the Centrify DirectControl Console and on the UNIX machine to monitor the roles and rights that you create. See "Verifying roles and rights" on page 126.


As a quick sanity check for this evaluation, you can log on to the UNIX machine as the user (jcool) whom you assigned to the Backup Operator role and see if the role works as configured.

To verify the Backup Operator role on the UNIX machine:

1 Log in to any UNIX machine with access to the UNIX machine you are using for the evaluation, including the UNIX evaluation machine itself.

2 SSH to the machine using the login of Joe Cool (jcool), whom you assigned to the Backup Operator role. When prompted, enter the password for jcool:

ssh machine -l jcool
jcool@machine's password:
Connection to hostName closed

You receive the connection closed message because the Backup Operator role is available only on Sundays, 12 noon to 12 midnight; therefore, logging in during the week does not work.

3 Change the available days and hours by opening the Centrify DirectControl Console, expanding the zone and the Roles node, then selecting Backup Operator. Right-click and select Properties, then click Available Times. Make the role available for the current day, then click OK and OK again to save the changed information.

4 Flush the cache.

The machine caches the DirectAuthorize policy for the zone, which enables users to log in when the Windows machine is offline. However, since you made a change to a role in the DirectControl Console, you must flush the cache to retrieve the new policy.

To force the change to take place, log in as root and run adflush.

5 SSH to the UNIX machine as jcool:

ssh machine -l jcool
jcool@machine's password:


$

6 Run some of the UNIX commands specified for jcool, such as ls and dzinfo:

$ dzinfo
Zone Status: Enforcing
User: jcool
Forced into sash shell: Yes

Role Name        Description                  Avail  Shell
Backup Operator  Can execute ls, cat dzinfo   No     BUShell

Command  Description                 Avail  Pattern  Source Roles
ls       List directory command.     Yes    ls       self
cat      Concatenate command         Yes    cat      self
dzinfo   DirectAuthorize command     Yes    dzinfo   self
tar      Archive command             Yes    tar      root
mount    Mount file system command   Yes    mount    root
cpio     Copy to archive command     Yes    cpio     root

7 Run any other command and you see an error:

$ ps -e
ps: command not allowed

8 Verify that you can run a privileged command (as root):

$ tar -cf etc.tar /etc/

to tar the /etc directory into the etc.tar file. Now run ls to verify that the file is owned by root:

$ ls -l etc.tar
total 11048
-rw------- 1 root root 11294720 Sep 18 01:02 etc.tar

Creating a contract system administrator role

In this scenario you are going to create a contract system administrator role that provides a number of privileged commands. Access is during business hours and the position is temporary. The specific definition for this role is as follows:

• Can log in Monday - Friday, 9:00 AM to 5:00 PM, using SSH or GDM.


• Contract will start at the beginning of the next quarter and run for 3 months.
• Has access to all commands as self and to the following privileged commands as root:
  • rpm
  • adinfo

To create the contract system administrator role:

1 Open the Centrify DirectControl Administrator Console.

If you are prompted to connect to a forest, specify the forest domain or domain controller to which you want to connect.

2 In the console tree, select Zones to display the list of zones.

3 Select and expand the zone initialized for DirectAuthorize, the DZTest zone.

4 Right-click Roles, then click Add Role.

5 On the General tab, enter a name and description for the new role; for example:


• Name: Contract Sys Admin
• Description: Can monitor the system 9 - 5, M - F

6 Click Available Times and allow M - F, 9:00 AM to 5:00 PM. Click OK.

7 Click the Commands Access tab, select New Privileged command, then click Add and New.


8 Enter the following commands. Because this role runs them as root, select Specific user account and type root for Execute as; leaving the Current user default would only let the contractor run them as herself:

rpm, adinfo

For example:

Name: rpm
Description: Install packages
Command: rpm
Standard user path
Execute as: Specific user account: root

Click OK after entering the information for each command, then click New to create another command.

9 When you have created all the commands, select all the ones you created and click Add to add them to the role.

Note The All command was created for the standard Sys Admin role. It provides root access to all commands. Do not add this right to the Contract Sys Admin role.

10 Click the PAM Access tab, click Add, then New.


11 Type gdmd for Application Name, and Gnome Display Manager for Description. Then click OK.

12 Select sshd and gdmd, then click Add.

Note Do not select *; it provides access to all PAM applications and was created for the standard Sys Admin role.

13 Click OK to create the role.

14 Right-click Contract Sys Admin, then click Assign Users and Groups to assign a user to the role. Enter search criteria to find a user; for example, type j and click Find Now to find Jill Smith, among others. Select Jill Smith and click OK.

15 Deselect Start immediately, and enter the first day of the following quarter (for example, October 1) as the start date. Deselect Never expires, and enter the last day of the following quarter (for example, December 31) as the end date. Then click OK.

Verifying the Contract System Administrator role

DirectAuthorize provides a number of tools in the Centrify DirectControl Console and on the UNIX machine to monitor the roles and rights that you create. See "Verifying roles and rights" on page 126.

As a quick sanity check for this evaluation, you can log on to the UNIX machine as the user (jsmith) whom you assigned to the Contract System Administrator role and see if the role works as configured.

To verify the Contract System Administrator role on the UNIX machine:

1 Log in to any UNIX machine with access to the UNIX machine you are using for the evaluation, including the UNIX evaluation machine itself.


2 SSH to the machine using the login of Jill Smith (jsmith), whom you assigned to the Contract System Administrator role. When prompted, enter the password for jsmith:

ssh machine -l jsmith
jsmith@machine's password:
Read from remote host hostName: Connection reset by peer
Connection to hostname closed

The connection is closed because the contractor, Jill Smith, is not scheduled to start until the beginning of the next quarter. Suppose you assigned Jill Smith to the role, then decided to bring her in early. You could change the start date in the role assignment.

3 Change the start time.

Open the Centrify DirectControl Console, then expand Roles and select Contract Sys Admin. Right-click Jill Smith and click Properties. Select Start immediately, then click OK.

4 Flush the cache.

When you make a change to a role in the DirectControl Console, the change is not enforced on the UNIX machine until the next refresh interval. To force the change to take place, flush the cache as follows:

su
adflush

Note You must be root to execute this command.

5 SSH to the UNIX machine as jsmith:

ssh machine -l jsmith
jsmith@machine's password:
bash$

6 Run any UNIX commands such as ls, cd, and so on, and they should work normally.

7 This role has rights to run adinfo as root.

Running adinfo with the --diag option returns some information but requires root permission to successfully return all information. If you run adinfo --diag without root permission, you'll see the message:

run adinfo as root to bind using machine credentials

Therefore, if you run the command with dzdo, you shouldn't see the message:

bash$ adinfo --diag | grep -i root
run adinfo as root to bind using machine credentials
bash$ dzdo adinfo --diag | grep -i root
bash$

Not getting the message shows that the privileged command, adinfo, is working properly for this role.

Verifying roles and rights

You have already verified each role you created by logging into the UNIX machine as that user. DirectAuthorize also provides a number of tools to report on the roles you create:

• Effective rights for each user
• The User Role Assignments report and the User Privilege Command Rights report
• The dzinfo command on the UNIX machine

Viewing effective rights

DirectAuthorize allows you to view the effective rights for any user, whether they have been assigned a role or not.

To view effective rights for any user:

1 In the Centrify DirectControl Console, expand DZTest. Then right-click Users and select All Tasks > Show User Rights.

2 Type criteria to find a user, then click Find Now.


3 Select a user, for example, Sally User, then click OK.

Running the role and rights reports

DirectAuthorize provides two reports:

• User Role Assignments — On a zone-by-zone basis, lists each user’s role assignments.
• User Privilege Command Rights — For each user, lists the privileged commands that have been defined.

To run the reports:

1 In the Centrify DirectControl Console, expand Report Center, then expand User Role Assignments.


2 Right-click Current, then click Display Report.

3 To see privileged commands you have defined and assigned, expand Report Center, then expand User Privilege Command Rights.

4 Right-click Current, then click Display Report.

You can change the layout of each report, save them in different formats, or print them. See the Centrify DirectControl Administrator’s Guide for more information.

Viewing roles and rights on the UNIX machine

DirectAuthorize provides a tool, dzinfo, that a system administrator can use to view roles and rights on a UNIX machine.

To view roles and rights using the dzinfo command:

1 Log in to the UNIX machine as root.

2 Run the dzinfo command for a specific user, for example jcool:

dzinfo jcool
Zone Status: Enforcing
User: jcool
Forced into sash shell: Yes

Role Name        Description                 Avail  Shell
Backup Operator  Can execute ls, cat dzinfo  No     BUShell

Command  Description                Avail  Pattern  Source Roles
ls       List directory command.    No     ls       self
cat      Concatenate command        No     cat      self
dzinfo   DirectAuthorize command    No     dzinfo   self
tar      Archive command            No     tar      root
mount    Mount file system command  No     mount    root
cpio     Copy to archive command    No     cpio     root

Note The command is being run at 11:00 AM on a weekday, and the role is only valid on Sunday, from 12 noon to 12 midnight, so the command output shows that the role is unavailable.

3 Run dzinfo without parameters to see the roles for the current user:

dzinfo
Zone Status: Enforcing
User: root
Forced into sash shell: No

4 To see the rights a user has to a specific command, use the --test option; for example, to see if jcool can run the kill command:

dzinfo jcool -t /bin/kill
Testing: User = jcool command = /bin/kill
User jcool is not allowed to run the command via dzdo
User jcool is not allowed to run the command in restricted environment

Note You must specify the path to the command, that is, /bin/kill.

dzinfo jcool -t /bin/mount
Testing: User = jcool command = /bin/mount
User jcool can run the command as 'root', authentication will not be required, noexec mode is off
User jcool can run the command in restricted environment. The command will execute as 'root', noexec mode is off
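Checking one user and one command at a time with dzinfo -t does not scale to a zone with many roles. The following added example (not part of the guide) reduces the two result lines shown above to a single machine-readable summary so that many user/command pairs can be audited in a loop and compared against the intended role design. It assumes the output wording quoted in the guide; summarize_dzinfo_test and audit_pairs are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: summarize "dzinfo USER -t COMMAND"
# output into one line per check. Any wording other than the phrases quoted in
# the guide is reported as "unknown" rather than guessed.

# summarize_dzinfo_test: reads dzinfo -t output on stdin and prints
#   dzdo=<allowed|denied|unknown> restricted=<allowed|denied|unknown>
#   runas=<account|-> auth=<not-required|required|unknown|-> noexec=<on|off|->
summarize_dzinfo_test() {
  awk -v q="'" '
    BEGIN { dzdo = "unknown"; restricted = "unknown"; runas = "-"; auth = "-"; noexec = "-" }
    /is not allowed to run the command via dzdo/ { dzdo = "denied" }
    /can run the command as/ {
      dzdo = "allowed"
      # The run-as account is printed in single quotes after the word "as".
      if (match($0, "as " q "[^" q "]*" q)) runas = substr($0, RSTART + 4, RLENGTH - 5)
      if ($0 ~ /authentication will not be required/)  auth = "not-required"
      else if ($0 ~ /authentication will be required/) auth = "required"
      else                                             auth = "unknown"
    }
    /is not allowed to run the command in restricted environment/ { restricted = "denied" }
    /can run the command in restricted environment/ { restricted = "allowed" }
    /noexec mode is/ {
      # "noexec mode is " is 15 characters; the state word follows it.
      if (match($0, /noexec mode is [a-z]+/)) noexec = substr($0, RSTART + 15, RLENGTH - 15)
    }
    END {
      printf "dzdo=%s restricted=%s runas=%s auth=%s noexec=%s\n",
             dzdo, restricted, runas, auth, noexec
    }
  '
}

# audit_pairs: for each "user command" pair read from stdin, run dzinfo -t and
# summarize the result. Needs a DirectControl-managed host with dzinfo installed.
audit_pairs() {
  while read -r user cmd; do
    [ -n "$user" ] || continue
    printf '%s %s: ' "$user" "$cmd"
    dzinfo "$user" -t "$cmd" 2>&1 | summarize_dzinfo_test
  done
}

# Demo on the constructed output quoted in the guide (no dzinfo needed):
printf '%s\n' \
  'Testing: User = jcool command = /bin/kill' \
  'User jcool is not allowed to run the command via dzdo' \
  'User jcool is not allowed to run the command in restricted environment' \
  | summarize_dzinfo_test
```

Feed audit_pairs a file of "user command" lines to produce one summary line per pair; a diff of that output between two hosts in the same zone shows where cached role data has diverged.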


Chapter 9

Managing NIS maps in Active Directory

This chapter describes how to set up the DirectControl adnisd daemon on a Centrify DirectControl-managed computer to enable the local UNIX operating system to access NIS maps that are managed and securely distributed from Active Directory.

The following topics are covered:

• Understanding Centrify DirectControl NIS
• Enabling the NIS map extensions
• Creating and importing NIS maps in the default zone
• Starting the adnisd daemon
• Testing adnisd

Understanding Centrify DirectControl NIS

For computers and applications that submit lookup requests directly to a NIS server listening on the NIS port, Centrify DirectControl includes its own Network Information Service. This Centrify DirectControl Network Information Service relies on its own daemon process, adnisd, to receive and respond to NIS client requests.

The Centrify DirectControl Network Information Service is an optional addition to the Centrify DirectControl Agent. It can be installed on a computer managed by the Centrify DirectControl Agent to provide NIS support. Once installed and running, the DirectControl Network Information Service functions just like a standard NIS server, but responds to NIS client lookup requests using the information stored in Active Directory.


Enabling the NIS map extensions

Because the NIS map extensions are an optional component, they can be added to the Centrify DirectControl Administrator Console when you run the setup program or separately after you have installed the Administrator Console.

To add the NIS extensions to the Centrify DirectControl Administrator Console:

1 Open the Centrify DirectControl Administrator Console.

2 Select File > Add/Remove Snap-in.

3 Click the Extensions tab.

4 Select Centrify DirectControl NIS Map in the list of available extensions, then click OK.

5 In the console tree, select Zones, right-click, then click Open Zone.

6 Type a search string and click Find Now to find the zone you want to work with, then click OK. For example, type “de” to display the “default” zone.


Creating and importing NIS maps in the default zone

To try this feature, you first need a set of NIS maps to import. You can either copy a set of maps from an existing NIS master server or create a set of text files for testing from the following sample NIS maps.

To create a set of NIS maps using the sample maps on an Active Directory server:

1 Create a text file named netgroup.txt to store the sample netgroup NIS map entries to import. You can create the file on either the Windows computer or the UNIX computer, but the file must be accessible from the Windows computer for you to import it into Active Directory.

2 Add entries similar to the following to the netgroup.txt file to simulate a sample netgroup NIS map for import:

clients (sparrow,,birds) (sparrow.mynet.home,,birds) \
        (chicken,,birds) (chicken.mynet.home,,birds) \
        (parrot,,birds) (parrot.mynet.home,,birds)
servers (eagles,,birds) (eagle.mynet.home,,birds)
nodes servers clients

3 Create a text file named auto.master.txt to store the sample auto.master NIS map entries to import.

4 Add an entry similar to the following to the auto.master.txt file to simulate a sample auto.master NIS map for import:

/tools /etc/auto.tools

5 Create a text file named auto.tools.txt to store the sample auto.tools NIS map entries to import.

6 Add an entry similar to the following to the auto.tools.txt file to simulate a sample auto.tools NIS map for import:

Centrify testlab-rhel3:/usr/share/centrifydc/bin


7 For each of the NIS maps you created, select NIS Maps under the default zone, right-click, then select Import Maps.

8 Select the Unix NIS map source file option, click Browse to locate the appropriate file name, then click Next.

9 Check the map name to make sure it is represented accurately, as this name will be visible to the UNIX computers through NIS. Click Next, then click Finish.

10 Repeat these three steps two more times to import all three of the map files you created.

You should now be able to browse and edit the NIS maps that were imported by selecting the imported map name under NIS Maps in the Centrify DirectControl Administrator Console. Within the Centrify DirectControl Administrator Console you can add new entries to any map or edit any existing entries as needed.

Starting the adnisd daemon

The Centrify DirectControl Network Information Service, adnisd, is installed as a separate DirectControl component and needs to be started in order to serve NIS maps for the zone that the computer has joined.

To install the Centrify DirectControl Network Information Service, log on to the UNIX computer as root, navigate to the working directory where you have your Centrify UNIX installation files, and execute the appropriate installation commands for the local operating environment. For example, run the following command for Red Hat Linux 9:

rpm -Uhv --force --nodeps centrifydc-nis-release-rh9-i386.rpm

On Sun Solaris, run the following commands:

gunzip centrifydc-nis-release-sol*-sparc-local.tgz
tar xvf centrifydc-nis-release-sol*-sparc-local.tar
pkgadd -d CentrifyDC-nis

Once you have installed the Centrify DirectControl Network Information Service, start the adnisd daemon at the command line by typing the appropriate start command for your local operating environment. For example, on Red Hat Linux, type the following command:

/sbin/service adnisd start

On Solaris, you can start the adnisd daemon by running /etc/init.d/adnisd start.

Testing adnisd

To test the NIS service that Centrify DirectControl provides, you need to configure your UNIX system to be a NIS client to its own locally running NIS server, adnisd. To do this, you first need to set up the NIS client, then you can access the NIS maps hosted in Active Directory.

To set up the local NIS client on a computer:

1 Set the NIS domain name for the UNIX computer to be the same as the zone name. For example:

domainname default

2 Edit the NIS configuration file to specify the Centrify DirectControl zone and the local host name of the UNIX computer. The location or name of the NIS configuration file may vary depending on the client’s operating system. The most common location for this file is /etc/yp.conf. For example, edit the file /etc/yp.conf to include a line similar to the following:

domain default server localhost

Note If your NIS clients are configured for broadcast discovery, you can typically skip this step. For example, on Solaris, ypbind uses broadcast to locate its NIS server and does not use a NIS configuration file, so you can skip this step if the client is a Solaris computer.


3 Start the ypbind service to enable the local computer to look up information in the NIS maps served by the local adnisd daemon. For example, on Red Hat Linux:

/sbin/service ypbind start

On Solaris, you can start the service by running:

/etc/init.d/ypbind start

You should be able to test that the maps that you imported earlier are visible to the local computer by using the following NIS commands:

/usr/sbin/yptest -m netgroup
ypcat -m auto.master
ypcat -M auto.tools

You should now be able to try other operations that require the use of NIS maps such as automounting remote file systems.
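Before a hand-written netgroup map is imported into Active Directory and served by adnisd, it is worth confirming that it expands the way NIS clients will resolve it, including continuation lines and nested netgroup names such as nodes referring to servers and clients. The following added example (not part of the guide) builds the sample netgroup.txt from "Creating and importing NIS maps in the default zone" and resolves a netgroup to its member hosts; make_sample_netgroup and netgroup_hosts are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): parse a netgroup map in the
# format shown above and list the hosts a netgroup resolves to.

# make_sample_netgroup FILE: write a constructed netgroup.txt modelled on the
# guide's sample (backslash continuation lines, nested netgroup references).
make_sample_netgroup() {
  cat > "$1" <<'EOF'
clients (sparrow,,birds) (sparrow.mynet.home,,birds) \
        (chicken,,birds) (chicken.mynet.home,,birds) \
        (parrot,,birds) (parrot.mynet.home,,birds)
servers (eagle,,birds) (eagle.mynet.home,,birds)
nodes servers clients
EOF
}

# netgroup_hosts FILE GROUP: print the host field of every (host,user,domain)
# triple reachable from GROUP, following nested netgroup names recursively.
# Exits non-zero if GROUP is not defined in the map.
netgroup_hosts() {
  awk -v want="$2" '
    # Join continuation lines before splitting a definition into its members.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    {
      line = buf $0; buf = ""
      n = split(line, f, /[ \t]+/)
      if (n < 1 || f[1] == "") next
      members[f[1]] = ""
      for (i = 2; i <= n; i++) if (f[i] != "") members[f[1]] = members[f[1]] " " f[i]
    }
    function expand(g,   m, k, j, t, p) {
      if (g in seen) return           # each group is visited once, which also stops cycles
      seen[g] = 1
      k = split(members[g], m, " ")
      for (j = 1; j <= k; j++) {
        if (m[j] ~ /^\(/) {           # a (host,user,domain) triple: keep the host field
          t = m[j]; gsub(/[()]/, "", t)
          split(t, p, ",")
          if (p[1] != "") print p[1]
        } else {
          expand(m[j])                # a nested netgroup name
        }
      }
    }
    END {
      if (!(want in members)) { print "no such netgroup: " want > "/dev/stderr"; exit 1 }
      expand(want)
    }' "$1"
}

# Demo: resolve the nested "nodes" group (servers first, then clients).
tmpmap=$(mktemp)
make_sample_netgroup "$tmpmap"
netgroup_hosts "$tmpmap" nodes
rm -f "$tmpmap"
```

Running netgroup_hosts against the same map before import and against the output of ypcat -k netgroup after adnisd serves it gives a quick check that nothing was lost or re-keyed during import.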


Chapter 10

Using DirectControl with Centrify Samba

After you have installed DirectControl and joined the Active Directory domain on the UNIX computer, you can set up a Samba file server so that identity management and user credentials are handled by DirectControl and Active Directory.

This chapter shows you how to install the Centrify-provided version of Samba and demonstrates how you can use DirectControl to browse shares on a UNIX machine from your Windows desktop.

The following topics are covered:

• About Samba and DirectControl
• Installing Centrify Samba
• Setting up Centrify Samba and DirectControl
• Testing Samba on UNIX
• Testing Samba from a Windows machine
• Summary

About Samba and DirectControl

The Open Source project Samba is a popular solution for serving UNIX files and directories to Windows clients using native Windows file sharing protocols. Windows users can access the file shares using the same software and procedures they would use to access them on other Windows systems. Samba is usually set up to use winbindd to resolve user information that is stored on an Active Directory domain controller. However, since certain UNIX-specific attributes such as a UID, GID, home directory, or login shell are not normally stored in a user's Active Directory account, Samba uses winbindd to set these attributes to arbitrary values based on settings on each UNIX server. Without a separate back-end ID mapper, the end result is that users are assigned different values for certain attributes, such as their UID, from one machine to the next. For most enterprise situations, this is not a workable solution.

By combining DirectControl and Samba, however, users can have both SMB file serving on UNIX machines and consistent user attribute mapping across all machines that are joined to the Active Directory domain with DirectControl. The Samba winbindd service is used in conjunction with the Centrify DirectControl ID mapper back end (idmap), together with the Centrify DirectControl daemon, adclient, to look up centrally stored user and group information in Active Directory.

In addition, DirectControl provides new capabilities by enabling centralized access control and authorization for Samba users through Active Directory. If, for example, a user is currently in the corporate finance department and is a member of the “Finance” DirectControl zone, Samba can be set up to share files only to users who have been explicitly added as members of the Finance zone. If users leave the finance department, they can be removed from the zone and will no longer have access to the Finance file shares, even shares that are set with “public” access.

The DirectControl solution for Samba has some key capabilities that are not always available with Samba alone or with other products. These capabilities include:

• Support for multi-domain environments. Users from one domain can access Samba shares on servers that are members of another trusted domain without being prompted for their credentials. This is the same behavior that users would expect when using an all-Windows environment.

• NTLM authentication for Samba shares is supported. Users on older Windows systems such as Windows NT or Windows 9x can access Samba shares using NTLM authentication instead of Kerberos authentication. NTLM is also required when users use an IP address to access a Samba share and in certain other situations that are typically beyond the control of the user.

• Large, multi-level group membership support. Some UNIX operating systems limit the number of groups to which a user can belong. For example, a Solaris user cannot be a member of more than 32 groups. Centrify’s solution overcomes this limitation and also supports nested groups. This behavior is consistent with what users would expect in an all-Windows environment.

Installing Centrify Samba

Both the DirectControl software and a precompiled version of Samba that is provided by Centrify must be installed on each UNIX machine where you intend to set up Samba-based SMB file servers.

Note You must use the Centrify-compiled version of Samba rather than Samba compiled from the open source or another provider. The precompiled version of Samba provided by Centrify includes patches to the Samba winbindd program not currently available in the Samba open source.

To install DirectControl, see Installing Centrify DirectControl. This section gives instructions for installing Samba on your UNIX machine.

Preparation

If you have been running Samba and winbind in the past on this UNIX system, you might want to save the existing winbind UID and GID assignments and possibly import those maps into a DirectControl Zone. If winbind is currently configured in your /etc/nsswitch.conf file, then you can capture these settings with the following commands:


getent passwd > /tmp/passwd.winbind
getent group > /tmp/group.winbind

These two files can then be used as import files with the DirectControl Administrator Console in Windows.

Note that all users and groups known by the system are added to these import files. If you wish to import only the Active Directory users and groups that were specifically mapped by winbind, then wait until after you have run the adsamba.sh script as described below. As part of the processing of this script, two export files are generated, as follows:

/var/centrifydc/samba/passwd
/var/centrifydc/samba/group

For more information on importing existing user and group maps, see Creating and importing NIS maps in the default zone.

Although Samba is Open Source software, to use Centrify's idmap ID mapper, you must use the precompiled version of Samba that is provided by Centrify.

For the following installation steps, it is recommended that all files be transferred into an empty directory to avoid potential conflicts with other versions of these packages.

Installation

The precompiled version of Samba is part of a tar archive. Place this tar archive in your current working directory and run the following commands to extract the files:

gunzip centrifydc-samba*gz
tar xvf centrifydc-samba*.tar

To install Samba on Red Hat Linux, run the following command:

rpm -Uhv --force --nodeps centrifydc-samba-3.0.*-rh9-i386.rpm

To install Samba on Sun Solaris, run the following commands:

gunzip centrifydc-samba-3.0.*.gz
pkgadd -d centrifydc-samba-3.0.*

Note You do not have to install the idmap program and adsamba configuration utility, which work in conjunction with Samba, because they are installed automatically with the Centrify DirectControl Agent in Centrify DirectControl, version 4.1 or later.

Setting up Centrify Samba and DirectControl

The following steps assume that DirectControl has been installed on a Windows system in the Active Directory domain and a zone has been set up with some users and groups defined as members. See Adding Active Directory users and groups to zones. Only Windows users who are members of the DirectControl zone will be able to access Samba shares on this machine.

To configure DirectControl and Centrify Samba so that they work together properly:

1 Make sure that DNS is set up correctly. The file /etc/resolv.conf should have an entry that includes the domain name for the Active Directory domain that you are joining. This can be accomplished by setting the “domain” or “search” parameter in /etc/resolv.conf. You also want to ensure that the IP address for the DNS server for the Active Directory domain is specified in a “nameserver” entry. For example, if your domain is example.com and the IP address of the Active Directory domain controller is 192.168.1.1, then /etc/resolv.conf would include the following lines:

domain example.com
search example.com
nameserver 192.168.1.1

See the man page for resolv.conf(4) for more information.

2 Generally, it is also a good practice to include the local UNIX machine and the Active Directory controller in your local /etc/hosts file. For example, if your host name is “linuxbox” with an IP address of 192.168.1.8 and the Active Directory server has a host name of “adserver” with an IP address of 192.168.1.1, then the following lines should be included in your /etc/hosts file:


127.0.0.1 localhost
192.168.1.8 linuxbox
192.168.1.1 adserver

3 You are now ready to run the Centrify script to configure Samba and DirectControl to work together with Active Directory. As the root user, run the script by typing:

sh /usr/share/centrifydc/bin/adsamba.sh

Follow the prompts and input the appropriate information related to your domain name, the zone, and the account and password for joining the domain.

4 The script creates a sample smb.conf file you can use for testing. This file is created in /etc/samba/smb.conf-CENTRIFY. You will be offered the option of installing this auto-generated file. Enter Y to do so. Your existing smb.conf file is automatically saved. A test share directory is also created under /samba-test.

5 To validate that the services smbd, nmbd, and winbind have started, use the commands:

ps -aef | grep mbd
ps -aef | grep winbind

If these services are not running, execute the following command:

/etc/init.d/centrifydc-samba restart

6 For testing purposes, a sample Samba configuration file is created in /etc/samba/smb.conf. Once you have completed the testing steps in Testing Samba on UNIX, you should modify this file to include the appropriate shares for your system.

Note The smb.conf file must include the following lines in the [global] section, where your Active Directory domain name is example.com:

[global]
security = ADS
realm = example.com
workgroup = example
netbios name = myhost
server string = Samba-CDC
auth methods = guest, sam, winbind
machine password timeout = 0
idmap backend = /usr/share/centrifydc/lib/idmap_centrifydc.so
idmap enable cache = No
idmap uid = 500-100000000
idmap gid = 500-100000000
winbind use default domain = Yes
winbind domain name required = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes

7 If you make changes to the smb.conf file, run the Samba utility testparm to make sure there are no errors in your smb.conf file. You should see output similar to the following:

[root@smbgiant samba]# testparm -s
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[samba-test]"
Loaded services file OK.
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        server string = Samba-CDC
        security = ADS
        auth methods = guest, sam, winbind
        machine password timeout = 0
        idmap backend = /usr/share/centrifydc/lib/idmap_centrifydc.so
        idmap enable cache = No
        idmap uid = 500-100000000
        idmap gid = 500-100000000
        template shell = /bin/bash
        winbind enum users = No
        winbind enum groups = No
        winbind use default domain = Yes
        winbind domain name required = Yes
        winbind nested groups = Yes
        map archive = No

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

[samba-test]
        path = /samba-test
        read only = No
        guest ok = Yes

8 Check to make sure you have a home directory created for the user account you will be using for testing. The home directory should be created automatically by DirectControl when you first log into the UNIX system (except on Solaris, where home directories are not automatically created).
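testparm only reports syntax errors; it will happily accept an smb.conf that has drifted back to "security = user" or lost the DirectControl idmap backend, which silently breaks the consistent UID/GID mapping this chapter relies on. The following added example (not part of the guide) checks the [global] section against the settings listed in the note above, matching keys the way Samba does (case-insensitive, surrounding whitespace ignored); write_sample_smb_conf and check_smb_global are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Centrify guide): verify that smb.conf carries the
# [global] settings the guide requires before restarting Samba.

# write_sample_smb_conf FILE MODE: constructed smb.conf modelled on the guide's
# listing. MODE "good" is the required configuration; "weak" falls back to
# "security = user" and omits the DirectControl idmap backend.
write_sample_smb_conf() {
  if [ "$2" = good ]; then
    sec=ADS
    idmap='idmap backend = /usr/share/centrifydc/lib/idmap_centrifydc.so'
  else
    sec=user
    idmap='; idmap backend deliberately left unset'
  fi
  cat > "$1" <<EOF
[global]
   security = $sec
   realm = example.com
   workgroup = example
   netbios name = myhost
   server string = Samba-CDC
   auth methods = guest, sam, winbind
   machine password timeout = 0
   $idmap
   idmap enable cache = No
   idmap uid = 500-100000000
   idmap gid = 500-100000000
   winbind use default domain = Yes
   winbind domain name required = Yes
   winbind enum users = No
   winbind enum groups = No
   winbind nested groups = Yes

[samba-test]
   path = /samba-test
   read only = No
   guest ok = Yes
EOF
}

# check_smb_global FILE: print one line per missing or mismatched [global] key
# and return non-zero if anything is wrong; silent and zero on success.
check_smb_global() {
  awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return tolower(s) }
    BEGIN {
      # Values the guide requires, lower-cased for comparison.
      req["security"]                     = "ads"
      req["idmap backend"]                = "/usr/share/centrifydc/lib/idmap_centrifydc.so"
      req["idmap enable cache"]           = "no"
      req["machine password timeout"]     = "0"
      req["winbind use default domain"]   = "yes"
      req["winbind domain name required"] = "yes"
      req["winbind nested groups"]        = "yes"
      # Keys that must be present with a non-empty, site-specific value.
      nonempty["realm"] = 1; nonempty["workgroup"] = 1; nonempty["netbios name"] = 1
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]*\[/ { sec = norm($0); sub(/^\[/, "", sec); sub(/\]$/, "", sec); next }
    sec == "global" && index($0, "=") {
      k = norm(substr($0, 1, index($0, "=") - 1))
      v = norm(substr($0, index($0, "=") + 1))
      val[k] = v
    }
    END {
      fail = 0
      for (k in req)
        if (!(k in val) || val[k] != req[k]) {
          printf "%s: expected \"%s\", found \"%s\"\n", k, req[k], ((k in val) ? val[k] : "<missing>")
          fail = 1
        }
      for (k in nonempty)
        if (!(k in val) || val[k] == "") { print k ": must be set"; fail = 1 }
      exit fail
    }' "$1"
}

# Demo: the guide-conformant file passes, the weakened one is rejected.
good=$(mktemp); weak=$(mktemp)
write_sample_smb_conf "$good" good
write_sample_smb_conf "$weak" weak
check_smb_global "$good" && echo "good smb.conf: OK"
check_smb_global "$weak" || echo "weak smb.conf: rejected"
rm -f "$good" "$weak"
```

Run check_smb_global /etc/samba/smb.conf before /etc/init.d/centrifydc-samba restart, or from a configuration-management hook, so a drifted file is caught before winbindd starts handing out arbitrary IDs.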


Testing Samba on UNIX

Use the following procedure to test Samba on a UNIX machine:

1 Log on to the UNIX machine as an ordinary user who has an Active Directory logon account (see Enabling Active Directory users to access UNIX).

2 Run the following command:

smbclient -k -L localhost

3 The smbclient program should display information about Samba and the SMB shares that are available on your machine. You should see a listing similar to the following:

OS=[Unix] Server=[Samba 3.0.20]

        Sharename       Type      Comment
        ---------       ----      -------
        samba-test      Disk
        IPC$            IPC       IPC Service (Samba-CDC)
        ADMIN$          IPC       IPC Service (Samba-CDC)
        doug            Disk      Home directories
OS=[Unix] Server=[Samba 3.0.20]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        EXAMPLE              EXAMPLE-WS2K3

4 If instead of the results in the previous step, you get an error such as NT_STATUS_LOGIN_FAILURE, try running the following commands to purge your Kerberos tickets and have them reissued after being prompted for your Active Directory password (the final command lists the Kerberos tickets issued to you):

/usr/share/centrifydc/kerberos/bin/kdestroy
/usr/share/centrifydc/kerberos/bin/kinit
/usr/share/centrifydc/kerberos/bin/klist


5 If that does not resolve the problem, reconfirm that smbstatus runs correctly:

smbstatus | grep version

If the correct Samba version number is not displayed, first make sure that there are no old copies of smbstatus. If you have an old version of Samba installed, you must completely remove this old version and install a compatible version. If you have the correct version of Samba installed, run smbstatus again, note the names of any TDB files that do not exist, and try restoring them from your backup.

6 If that does not resolve the problem, you need to rejoin the domain. The easiest way to do this is to double check your settings and re-run the install script as outlined in Installing Centrify Samba.

Testing Samba from a Windows machine

Once you are able to see the shares as an Active Directory user logged into the UNIX machine on which you installed Samba, you can use the following procedure to test accessing the Samba shares from a Windows machine:

1 On a Windows machine that is joined to the domain, log out of the current session and log in as the same Active Directory user you used in Testing Samba on UNIX.

Note You must log out of any existing sessions and log in again on the Windows machine if the UNIX machine has been configured using the adsamba.sh script.

2 Open Explorer and browse to the domain:

My Network Places -> Entire Network -> Microsoft Windows Network -> domainname

You should see the UNIX server that is running Samba show up as Samba-CDC (hostname).

3 Open the server icon and browse the shares. Make sure you can open existing files and create files. Confirm from both Windows and UNIX that the files in the share directories are owned by the correct users.

4 If the smbclient test succeeded but the Windows test failed, there are a few things to try to rectify the situation:

• Check to make sure you have network connectivity between the two systems.
• Confirm that you do not have a firewall running on the UNIX system that is blocking access to the SMB ports.
• To make sure there are no stale Kerberos tickets on your Windows system, obtain the Windows kerbtray program from the Microsoft Web site, install it on the Windows system, and use it to purge your Kerberos tickets. Log out and log in again to your Windows system and retest accessing the Samba shares from Windows.


Summary

In this chapter, you learned how to use Samba and DirectControl to enable users to create file shares on UNIX computers that can be shared to Windows systems.


Chapter 11

Using DirectControl with SSH

After you have installed DirectControl and joined the Active Directory domain on the UNIX computer, you can install a Kerberized OpenSSH server on your system. There is an OpenSSH client and server in the package, allowing a user to connect to a UNIX computer running Centrify DirectControl, or to connect between UNIX computers running DirectControl, without entering a username or password.

This chapter shows you how to install the Centrify release of OpenSSH and demonstrates its use.

The following topics are covered:

• About SSH and DirectControl
• Setting up SSH
• Testing SSH on UNIX
• Testing SSH from a Windows machine
• Summary

About SSH and DirectControl

Although many UNIX systems have an sshd server installed, most are older implementations that do not support Kerberos. Centrify provides a compiled version of the latest OpenSSH distribution to make it easier for you to install and use SSH with DirectControl for secured authentication to Active Directory using Kerberos. This compiled version of OpenSSH is automatically installed when you run the installation script to install Centrify DirectControl Express.


Centrify has compiled the standard OpenSSH distribution unmodified, but in the compile process links OpenSSH with the DirectControl Kerberos libraries to ensure that sign-on works as expected in an Active Directory environment. This provides several advantages, including:

• DirectControl will accept connections to any of the computer's valid host names, either fully qualified or not, because all combinations are registered with Active Directory. This reduces Kerberos’ dependency on accurate DNS entries.
• The installation process makes direct access to the Kerberos tools possible by automatically adding /usr/share/centrifydc/bin for all users and /usr/share/centrifydc/sbin for administrators and superusers to the $PATH environment variable.

Centrify OpenSSH is installed as part of installing DirectControl. If you already have OpenSSH installed on your system, you need to remove the OpenSSH server. To do this on a Red Hat Linux computer, log on as root and use the following command:

rpm --nodeps -e openssh openssh-server openssh-clients

On Sun Solaris, log on as root and use the following command:

pkgrm SUNWsshdu SUNWsshdr

Confirm with yes when prompted, then use the following command to stop sshd:

pkill sshd

To install DirectControl and join the AD domain, see Installing Centrify DirectControl.

The installation installs OpenSSH into the /usr/share/centrifydc/ directory structure, where the server daemon is in the sbin directory, the client applications are in the bin directory, and the man pages are in the man directory. The installation process also configures the OpenSSH server to start automatically on computer startup.


Setting up SSHAll configuration of the SSH server is taken care of for you by theinstallation. The only thing left to do is to start the server and testconnectivity to the sshd server process.The first time the server starts, it tries to find the current set ofhost keys in /etc/ssh and import them. If it doesn’t find the keys,it generates new keys and stores them in /etc/centrifydc/ssh.To start the server, run the following command (Red Hat Linuxonly):service centrify-sshd startFor Sun Solaris, or as an alternative method on Red Hat Linux,run the following command:/etc/init.d/centrify-sshd startYou can test the server by connecting to the local host to make surethat SSH is running and accepting connections. The followingcommand should result in a local connection to the SSH server:/usr/share/centrifydc/bin/ssh root@localhostTesting SSH on UNIXTo test SSH on your UNIX system, log on to the UNIX system as anordinary Active Directory user and execute the followingcommand, where hostname is the hostname of the SSH server:/usr/share/centrifydc/bin/ssh hostnameThis command should result in a silent connection to the SSHserver.Testing SSH from a Windows machineOn a Windows computer joined to the same Active Directorydomain, you can now use PuTTY as distributed by <strong>Centrify</strong>(available on the <strong>Centrify</strong> Resource Center) or any other SSHChapter 11 • Using <strong>DirectControl</strong> with SSH 151


• • • • • • SummarySummarysolution that supports Kerberos. But first you must configure thefollowing setting in PuTTY:To configure PuTTY for SSH login:1 Open PuTTY.2 In the Category window, expand Connection > SSH.3 In Kerberos flags, select Attempt Kerberos auth (SSH2).4 Save the settings.You can now see the <strong>Centrify</strong> Resource Center for a list of testedclients, and connect to the UNIX computer without beingprompted for user ID or password as long as the user has a validUNIX profile and permissions to log in to the UNIX computer.In this chapter, you learned how to use SSH and <strong>DirectControl</strong> toenable users to log on to UNIX computers remotely using theirActive Directory credentials.152 Evaluation Guide
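A post-installation check for the Centrify-built OpenSSH described in this chapter, added here as an example; it is not part of the Centrify guide or product. It assumes only the paths the guide names (/usr/share/centrifydc/bin and /usr/share/centrifydc/sbin) and the Red Hat rpm database; the package names, version strings and process listings it is demonstrated against are constructed sample data, and the helper names (leftover_openssh_pkgs, path_has_centrify_bin, sshd_origin, run_live_checks) are this example's own. It confirms the three things the chapter relies on: that the stock OpenSSH server is gone, that the Kerberos-linked client is what a bare `ssh` resolves to, and that the sshd accepting connections is the one under /usr/share/centrifydc/sbin.

```shell
#!/bin/sh
# Added example, not part of the Centrify guide: post-install checks for the
# Centrify-built OpenSSH. Paths are the ones the guide names; the SAMPLE_*
# values below are constructed test data, not output from a real system.

CDC_BIN=/usr/share/centrifydc/bin
CDC_SBIN=/usr/share/centrifydc/sbin

# Print stock OpenSSH packages still present in an `rpm -qa` listing ($1).
# The guide removes openssh, openssh-server and openssh-clients first; a
# leftover openssh-server would compete with centrify-sshd for port 22.
leftover_openssh_pkgs() {
    printf '%s\n' "$1" | grep -E '^openssh(-server|-clients)?-[0-9]' || true
}

# Return 0 if $CDC_BIN is an element of the PATH string in $1, so a bare
# `ssh` resolves to the Kerberos-linked client rather than a stock one.
path_has_centrify_bin() {
    case ":$1:" in
        *":$CDC_BIN:"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Classify the running sshd from `ps -eo args` output ($1):
# prints "centrify", "stock" or "none".
sshd_origin() {
    if printf '%s\n' "$1" | grep -q "^$CDC_SBIN/sshd"; then
        echo centrify
    elif printf '%s\n' "$1" | grep -Eq '^(/usr/sbin/|/usr/lib/ssh/)?sshd'; then
        echo stock
    else
        echo none
    fi
}

# Run the three checks against the live system (rpm is absent on Solaris,
# so its failure is silenced and the package check simply reports nothing).
run_live_checks() {
    pkgs=$(leftover_openssh_pkgs "$(rpm -qa 2>/dev/null)")
    if [ -n "$pkgs" ]; then
        echo "stock OpenSSH packages still installed:"
        echo "$pkgs"
    fi
    if path_has_centrify_bin "$PATH"; then
        echo "PATH includes $CDC_BIN"
    else
        echo "warning: $CDC_BIN is not on PATH; ssh may be the stock client"
    fi
    echo "sshd in use: $(sshd_origin "$(ps -eo args 2>/dev/null)")"
}

# Constructed sample data (version strings are placeholders).
SAMPLE_RPM_LISTING='kernel-0.0-sample
openssh-server-0.0-sample
openssh-clients-0.0-sample
centrifydc-openssh-0.0-sample'
SAMPLE_PATH_OK="$CDC_BIN:/usr/bin:/bin"
SAMPLE_PATH_MISSING="/usr/bin:/bin"
SAMPLE_PS_CENTRIFY="init
$CDC_SBIN/sshd
sshd: root [priv]"
SAMPLE_PS_STOCK="init
/usr/sbin/sshd"

if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    echo "leftover packages in sample listing:"
    leftover_openssh_pkgs "$SAMPLE_RPM_LISTING"
    path_has_centrify_bin "$SAMPLE_PATH_OK" && echo "sample PATH ok"
    path_has_centrify_bin "$SAMPLE_PATH_MISSING" || echo "sample PATH missing $CDC_BIN"
    echo "sample sshd origin: $(sshd_origin "$SAMPLE_PS_CENTRIFY") / $(sshd_origin "$SAMPLE_PS_STOCK")"
fi
```

Run it with `--live` as root on the UNIX host after `service centrify-sshd start` (or the init.d equivalent on Solaris); without arguments it exercises the checks against the embedded sample data only. The sshd check deliberately looks at the parent daemon's path rather than the `sshd: user [priv]` session children, which carry no path and appear under either build.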


Chapter 12
Working with DirectControl reports

In this chapter, you will learn how DirectControl's reports help you better manage users, groups, and computers.

The following topics are covered:
• Understanding DirectControl reporting
• Running DirectControl reports
• Creating and modifying report definitions
• Summary of DirectControl reporting

Understanding DirectControl reporting

Reports provide you with information about the users, groups, computers, and zones you are managing and the properties associated with them. They can be useful for auditing who has access to different systems, the availability of licenses, and the current status of accounts. Reports can also be used as a way to periodically check the integrity of zones across the Active Directory forest and to verify which users have permission to perform specific tasks.

Pre-built reports are provided for Users, Groups, Computers, Zones, and Centrify Licenses. You may customize these reports by filtering, grouping, sorting, and formatting the information included for the objects being reported on. You may also use the New Report Wizard to create your own custom reports. The results from any report can be exported in a variety of popular formats such as PDF, XLS, DOC, and RTF.

Running DirectControl reports

Each report definition can be used to retrieve a "current" report of live data at any point in time. You can also use the report definition to take a "snapshot" of the live data to save the result retrieved in a dated report that can be accessed later. For example, you may want to take a weekly or monthly snapshot of data to compare the results of a specific report over time.

Centrify DirectControl retrieves the "current" results the first time you click the Current node for any report definition. When you click Current the first time, Centrify DirectControl retrieves the appropriate information from Active Directory as it exists at that moment. The results are not updated continuously, however. You can refresh the current results at any time by selecting Current, right-clicking, then clicking Refresh.

To retrieve the current results for an existing report definition:

1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Expand the report definition name for which you want to retrieve results, then click Current. For example, to retrieve the current information for the Users Report, expand the Users Report report definition, then click Current.

As you can see, the data is not formatted into a static report. Instead, the results are presented in nested form using the panes displayed, and you can select the objects included in the results to perform additional tasks. For example, in the Users Report, the results for each zone are nested under the Current node.

Figure: Select a zone to see the zone's users displayed in the results pane.

You can select a zone to see user information for that zone displayed in the results pane.

The results data is "live", allowing you to perform actions on it. For example, you can select an individual user in the results pane, right-click, and select a user-related task to perform, such as editing the zone settings.

Taking a snapshot of results

The "current" data for any report definition is subject to change as you add or delete accounts or change account properties. In some cases, however, it is useful to have historical reports that capture data at specific points in time, for example, for quarterly reports or year-end analysis. To save the results from a report so they can be accessed later, you can create a snapshot of the data.

To take a snapshot for a report definition:

1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center.
3 Select the report definition for which you want a snapshot, right-click, then click Take a Snapshot. For example, to take a snapshot of the results of the User Account Report, select User Account Report, then right-click and select Take a Snapshot.

The report is saved under the User Account Report node with the current date and time.

Generating a static report

After you run a report, you can generate a static report from the current or saved results. A static report is a formatted view of the results that may be displayed, printed, or saved.

To generate a static report from an existing report definition:

1 Select a Current or Saved report definition. For example, select and expand the Users Report, then right-click Current and click Display Report.

The report is displayed in a new window. From this window you can customize the report format, save the report in a specific format, or print the report.

2 To format the report, click Report > Format.
3 Select the Group tab to change how the information in the report is grouped or to add grouping criteria. For example, the report is grouped by OpenedZone.Name. To group by a different property, select OpenedZone.Name and click Remove. In the pull-down box select ZoneUser.PrimaryGroupName and click Add.

Click Apply to group by the new criteria.

4 Click Sort to change how the results are sorted. The current report is sorted by ZoneUser.ADUser in ascending alphabetical order. To sort in descending order, first select ZoneUser.ADUser in the Sort by box and click Remove. Then select ZoneUser.ADUser from the pull-down menu, select Descending from the other pull-down menu, and click Add.

Click Apply to save the changes.

5 Click Layout to select the columns to display and the order in which to show them. Experiment with changing the layout. For example, select a check box to add a column to display, or deselect a box to remove a column. Select a column name and click Move up or Move down to change the placement of the column in the output. Select a column name and type a new name in Display name for selected column if you wish.

Note: Columns are automatically formatted based on the width of the display names. You may manually adjust the width by typing a number or using the arrow keys to select a number in Width of selected column.

When you are finished, click Apply to save the changes.

6 Select Font & Color if you want to experiment with changing the look of the table.

In Style, select Custom. Then select any of the Display items and change the font, size, style, foreground color, or background color as desired.

Click Apply to save any changes.

7 Click Report > Save As, then select one of the formats in which to save the report:
• Excel Document
• HTML Document
• PDF Document
• XML

Browse to a location in which to save the file, enter a filename, and click Save.

8 To print a report, click Report > Print, select a printer, then click Print.

Creating and modifying report definitions

Report definitions define the content and format of reports. The report definition describes the information (the objects and their properties and relationships) to retrieve, and how the information retrieved should be grouped and sorted in report output. You can delete, modify, or rename any existing report definition, including the default report definitions, using the Report Wizard. You can also create your own custom report definitions.

The following procedure steps you through the process of creating a report definition to report on users for the Finance zone. The report is modeled on the Users Report but will return data for the Finance zone only.

To create a new report definition:

1 Open the Centrify DirectControl Administrator Console.
2 In the console tree, click the Report Center object.
3 Right-click Report Center and click New Report Wizard. Click Next at the Welcome screen.
4 Enter a name and optional description for the report. For example, "User Report Finance Zone". Then click Next.
5 From the pull-down menu, select Zones.

Typically, reports retrieve data for opened zones because reporting on all zones can drastically impact performance. However, later on in the wizard you will filter the report to retrieve data for a single zone only, so you do not need to worry about performance. By selecting Zones rather than Opened Zones, you can report on the Finance zone whether it's open in the console or not.

Click Next.

6 Select Yes, then select (Zones that) contain Zone Users from the pull-down menu. Then click Next.
7 Select No, then click Next.
8 Select the properties to display:
• Select Zones in the Objects box, then select Name in the Properties box (it should already be selected).
• Select Zone Users, then select ADUser, HomeDirectory, Name, and UID. Then click Next.
9 Create a filter to return data for the Finance zone by entering the following information in the criteria boxes: ForestZoneName | starts with | Fi. Then click Add.

Click Next.

10 Review the report definition you have created, then click Finish.
11 In the Console tree, expand User Report Finance Zone, then double-click Current. Double-click the Finance object to see the report data.

Note: If you see a report with headings but no data, it means there are no users in the zone. Add users by expanding the Finance zone, right-clicking the Users object, and selecting Add User to Zone (see "Adding Active Directory users and groups to zones" on page 75). Refresh the report data by doing the following: click Report Center, right-click User Report Finance Zone, and select Refresh. Then double-click the Finance object to see the report with the newly added users.

Summary of DirectControl reporting

In this chapter, you learned how:
• To run Centrify DirectControl reports and that you can perform actions on the returned data.
• To save the data in different formats and manipulate the layout.
• To take snapshots of report data.
• To create custom reports.


Chapter 13
Completing the evaluation

During this evaluation, you installed Centrify DirectControl and learned how it is used to manage accounts for non-Windows workstations and servers in an Active Directory environment. You experienced working with the product as an end-user and managing the Centrify DirectControl environment as an administrator. Using the test scenarios and examples, you had the opportunity to see many of Centrify DirectControl's features highlighted.

Although this guide provides a good starting point for understanding how to use DirectControl, you may want to explore further. If you want to conduct a more in-depth analysis of any product features or learn more about how Centrify DirectControl works, you should review the Centrify DirectControl Administrator's Guide, which provides more detailed information about configuring, managing, and using Centrify DirectControl.

We value the time you spent evaluating Centrify DirectControl and look forward to hearing from you. For any questions or comments you may have about this evaluation of Centrify DirectControl, send email to support@centrify.com. For information about purchasing Centrify products, send email to info@centrify.com.

Using the evaluation checklist

The Centrify DirectControl Evaluation Checklist is designed to help you evaluate Centrify DirectControl as a complete solution that integrates your UNIX, Linux, Mac OS X, Web applications, and database servers with Active Directory for authentication, authorization, and access control, as well as audit and policy enforcement. You can also use this checklist to see how Centrify DirectControl matches your specific needs and compares with other products.

To use the checklist:

1 Rank the significance of each of the listed features for your organization.
2 For each feature, determine a score for DirectControl and for the other product that you are evaluating.
3 Multiply the Significance by the Score for each product to come up with the Weighted Score.
4 Add up the Weighted Scores to determine the Total Weighted Score.

Centrify DirectControl Evaluation Checklist

The checklist has the following columns for each item: Item, Description, Significance (0-5), DirectControl Score (0-5), DirectControl Weighted Score (0-5), Other product Score (0-5), Other product Weighted Score (0-5). The score columns are left blank for you to fill in; the items and their descriptions are listed below.

Functionality: Authentication

AU 1   Active Directory "client" for UNIX, Linux and Mac (includes ability to "join" non-Microsoft system to AD domain); fully supports Kerberos and offers broad platform support (e.g. 200+ platforms)
AU 2   Works with existing Active Directory schema; i.e. does not require schema extensions
AU 3   Supports RFC 2307 without need for additional proprietary schema extensions
AU 4   WebApp Support: Supports AD- and ADFS-based authentication for Java and J2EE-based applications running on both UNIX/Linux *and* Windows systems
AU 5   DB/ERP Support: Supports AD-based authentication for DB2, Informix, Oracle and SAP R/3
AU 6   Storage support: Supports AD-based identity mapping for NetApp Filers and EMC Celerra
AU 7   NIS Support: Offers NIS Server integrated with Active Directory, allowing for centralized NIS settings; includes support for "agentless mode"
AU 8   Virtualization support: Supports zLinux, AIX WPAR/LPAR, HP-UX vPars, Solaris Containers/LDOM/xVM, Citrix Xen and VMware
AU 9   Support for multiple UNIX identities tied to a single AD Account, i.e. does not force UID rationalization
AU 10  Cross-forest / one-way trust support
AU 11  Support for local caching of credentials (enables offline login)
AU 12  Supports pre-population of offline cache (for specific users or groups of users)
AU 13  Provides a LDAP Proxy to enable LDAP-aware apps to securely integrate with AD (e.g. encrypted communication)
AU 14  Supports Linux systems running SELinux and AppArmor (i.e. does not require you to disable SELinux/AppArmor)
AU 15  Provides optional technical support and tested executables for open source products such as Samba, OpenSSH and PuTTY
AU 16  Supports Mac smartcard login
AU 17  Microsoft Windows 2003, Windows 2008, Red Hat and SUSE Certifications

Functionality: Authorization

AZ 1   Grant users rights to execute commands with elevated privileges to eliminate need for access to privileged accounts and passwords
AZ 2   Ability to assign users a "Restricted Environment" with access only to a specific "whitelist" of commands
AZ 3   Ability to control how a user accesses a system via PAM-enabled apps and interfaces (e.g. ssh, telnet, etc.)
AZ 4   Set time periods when a role can access a system
AZ 5   Ability to tie UNIX entitlements directly to an AD user and/or group
AZ 6   Stores roles and rights inside Active Directory thus eliminating need for additional servers and infrastructure

Functionality: Access Control

AC 1   Provides interface to enable administrators to easily "see" and restrict computer access to selected groups of users
AC 2   Ability to report on and easily view resulting set of user access for a given computer (or group of computers)
AC 3   Ability to delegate different admin rights to different administrators for each secure Zone
AC 4   Does not force delegation of administrative privileges along OU boundaries
AC 5   Can also enforce access control locally and via group policy

Functionality: Group Policy

GP 1   Provides large number of AD-based Group Policy objects for UNIX/Linux *and* Mac
GP 2   Delivers group policies specific to managing SSH deployments
GP 3   Delivers User group policies in addition to Computer group policies
GP 4   Supports advanced group policy capabilities such as filtering and loopback processing
GP 5   Offers Group Policy editor that delivers free-form editing, a syntax checker and the ability to insert standard commands (e.g. for the sudo policy)

Functionality: Auditing *

AD 1   Detailed, non-intrusive capture of user sessions on UNIX/Linux systems
AD 2   Visual replay of user sessions through an easy-to-use console
AD 3   Real-time monitoring with an at-a-glance view of all current user activity
AD 4   Comprehensive, easy-to-use query, search and reporting capabilities of user session activity
AD 5   Stores detailed user-level audit data in a SQL database for ease of reporting and archiving
AD 6   Fault-tolerant collection of data

Functionality: Server Protection

SP 1   Blocks untrusted systems from communicating with trusted systems
SP 2   Delivers tiered network access by further isolating specific groups of servers
SP 3   Enables optional end-to-end encryption of data in motion
SP 4   Software and policy based solution; no hardware required
SP 5   Requires no changes to network topology or applications
SP 6   Automates provisioning of certificates on UNIX systems
SP 7   Supports DirectAccess, Active Directory and the native IPsec support in modern operating systems

Functionality: Manageability

MA 1   Provides centralized pre-installation check capability
MA 2   Provides centralized push technology of software and/or updates
MA 3   Simple licensing; does not require per-user licensing for UNIX systems
MA 4   Centralized license management; does not require reinstall or license key deployment on each system
MA 5   Single product architecture for authentication + group policy + authorization + auditing + app support
MA 6   Single, integrated Windows MMC console for all user, group and computer management as well as migration and reporting (beyond delivering ADUC extension)
MA 7   Offers web console to administer UNIX-enabled AD users and groups (in addition to Win32 console and command line interface)
MA 8   Provisioning agent that allows AD group membership to control which users can access which groups of systems
MA 9   Integrates with existing provisioning systems such as Microsoft FIM
MA 10  Pre-packaged and customizable reports that provide filtering and grouping and can be saved to Word, Excel, etc.
MA 11  Reporting enables snapshots for comparison purposes
MA 12  Does not charge extra for migration tools and utilities
MA 13  Tools or easy methods for resolving import conflicts (e.g., UIDs) and UID rationalization
MA 14  Support for deployment via McAfee ePO or Apple Remote Desktop
MA 15  Offers Planning and Deployment Guide
MA 16  Vendor provides pre-packaged service and training offerings to assist in deployments

* Auditing is provided by Centrify DirectAudit, which is not covered in this evaluation. See the Centrify DirectAudit Evaluation Guide for details.

If you would like a spreadsheet version of this table to make calculation of the weighted scores easier, send an email to info@centrify.com.


Index

A
access control
  using zones 78
account lockout policies 64
accounts
  creating 55
Active Directory
  adding users and groups to zones 75, 89
  joining the domain 48
  knowledge of 5
Active Directory authentication
  verifying 62
Active Directory Users and Computers
  property extensions 18
adclient 138
administrative tasks, testing 69
Administrator Console
  installation requirements 25
  key tasks 18
adnisd 131 to 136
  starting 134
  testing 135
Apache
  supported environment 27
authentication
  offline 67
  verifying 62
authorization
  verifying policies 63

C
CentOS Linux supported operating system 26
Centrify DirectControl
  Agent 14, 15
  documentation 9
  initial configuration 40
  joining the domain 48
  leveraging Active Directory 14
  Management Tools 14, 15, 17
  preparing a test environment 23
  technical support 11
  UNIX installation 44
  UNIX requirements 26
  Windows and UNIX components 15
  Windows requirements 25
Centrify DirectControl Agent
  DNS lookups 31
  key tasks 16
  memory and disk usage 30
Centrify DirectControl Management Tools
  default components installed 39
Centrify web site 11
Citrix XenServer supported operating system 26
conventions, documentation 8

D
Debian Linux
  supported operating system 26
DirectAuthorize 101 to 130
DNS 141
documentation
  additional 9
  conventions 8
  intended audience 5
dynamic provisioning 21

E
etc/hosts 141
etc/ssh 151
etc/sudoers 99
etc/yp.conf 135
evaluation
  checklist 161
  demonstration accounts 55
  preparing a test environment 23
  recommended configuration 25

G
GID
  new zone creation 43
group policies 93 to 100
  about 93
  adding 94
  testing 96
Group Policy Object Editor 95
groups
  creating for evaluation 56
  default GID setting 43
  private 60

H
heterogeneous environments
  centralized management 5
HP-UX
  supported operating system 26

I
IBM AIX
  supported operating system 27
idmap 138
installation
  preparing for 23
  prerequisites
    Administrator Console 26
    web applications 27
  restarting services 52
  running setup on Windows 37 to 39
  UNIX components 44
  Windows prerequisites 25
IRIX supported operating system 27

J
Java authentication
  development environment 28
JBoss
  supported environment 27

L
Linux
  joining the domain 48
  naming convention 8

M
Macintosh
  configuring WINS 49
  naming convention 6, 8, 15
  supported operating system 27
man pages
  adjoin command 49
  source of information 10
Management Tools 17
multi-domain environments 138

N
Network Information Service see NIS
NIS 131 to 136
  about 131
  creating maps 133
  importing maps 133
  map extensions 132
  starting the adnisd daemon 134
  testing 135
NTLM authentication 138

O
offline authentication 67
Oracle Enterprise Linux supported operating system 27

P
password management policies 66
private group 60

Q
Quick Start 9

R
Red Hat Linux
  supported operating system 27
reporting
  purpose of 153
reports 153 to 160
root user
  installation requirement 45

S
Samba 137 to 148
  installing 139
  NTLM authentication 138
  setting up 141
  testing on UNIX 145
  testing on Windows 146
Scientific Linux supported operating system 27
Setup Wizard 40
SGI IRIX supported operating system 27
SMB 138
smb.conf file 142
Solaris
  group limitations 139
  installing adnisd 134
  installing idmap 140
  starting adnisd 135
  supported operating system 27
SSH 149 to 152
  about 149
  installing 150
  setting up 151
  testing on UNIX 151
  testing on Windows 151
sudo permissions, defining 98
sudoers file 98
SuSE
  supported operating system 27

T
technical support 11
Tomcat
  supported environment 27

U
Ubuntu Linux supported operating system 27
UID
  new zone creation 43
  using multiple zones 20
  verifying 63
UNIX
  installation 44
  knowledge of 5
  naming convention 8
  restarting services 52
  system requirements 26
UNIX authentication services 55 to 70
users
  default UID setting 43
  dynamic provisioning 21
  migrating using zones 20

V
virtual environment
  configuring DNS 33
  creating backups 53
  machine instances 32
  preparing 23
  recommended configuration 32
VMware ESX
  supported operating system 27

W
Web Console 83 to 91
  adding users and groups to zones 89
  managing zones with 90
WebLogic
  supported environment 27
winbindd 137
Windows
  checking system requirements 25
  DNS server role 31
  knowledge of 5
workstation authorization policies 63

X
XenServer supported operating system 26

Y
ypbind service 136

Z
zones 71 to 82
  access control 20
  adding AD users and groups 75, 89
  adding an AD user 60
  analyzing 82
  and access control 78
  creating new 73
  creating new with Active Directory Users and Computers 75
  default GID setting 43
  default UID setting 43
  delegating administration 22
  delegating management 78
  group policies 22
  home directory setting 43
  importance of 72
  introduction 16
  managing 77, 90
  organizing principles 21
  UIDs 20
  user profiles 19
